SYSTEMD.NETWORK(5)              systemd.network             SYSTEMD.NETWORK(5)

NAME

       systemd.network - Network configuration

SYNOPSIS

       network.network

DESCRIPTION

       Network setup is performed by systemd-networkd(8).

       The main network file must have the extension .network; other
       extensions are ignored. Networks are applied to links whenever the
       links appear.

       The .network files are read from the files located in the system
       network directory /usr/lib/systemd/network, the volatile runtime
       network directory /run/systemd/network and the local administration
       network directory /etc/systemd/network. All configuration files are
       collectively sorted and processed in lexical order, regardless of the
       directories in which they live. However, files with identical filenames
       replace each other. Files in /etc have the highest priority, files in
       /run take precedence over files with the same name in /usr/lib. This
       can be used to override a system-supplied configuration file with a
       local file if needed. As a special case, an empty file (file size 0) or
       symlink with the same name pointing to /dev/null disables the
       configuration file entirely (it is "masked").

       Along with the network file foo.network, a "drop-in" directory
       foo.network.d/ may exist. All files with the suffix ".conf" from this
       directory will be parsed after the file itself is parsed. This is
       useful to alter or add configuration settings, without having to modify
       the main configuration file. Each drop-in file must have appropriate
       section headers.

       In addition to /etc/systemd/network, drop-in ".d" directories can be
       placed in /usr/lib/systemd/network or /run/systemd/network directories.
       Drop-in files in /etc take precedence over those in /run which in turn
       take precedence over those in /usr/lib. Drop-in files under any of
       these directories take precedence over the main network file wherever
       located. (Of course, since /run is temporary and /usr/lib is for
       vendors, it is unlikely drop-ins should be used in either of those
       places.)

       Note that an interface without any static IPv6 addresses configured,
       and neither DHCPv6 nor IPv6LL enabled, shall be considered to have no
       IPv6 support. IPv6 will be automatically disabled for that interface by
       writing "1" to /proc/sys/net/ipv6/conf/ifname/disable_ipv6.

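       The directory precedence, masking and drop-in rules described above,
       worked through as an added example (not part of systemd or of this manual
       page). The sample tree is constructed; applying same-named drop-ins in
       lexical order and ignoring the drop-ins of a masked file are assumptions.

```python
import os
import tempfile

# Search path in increasing priority, as listed in DESCRIPTION.
SEARCH_DIRS = ["usr/lib/systemd/network", "run/systemd/network", "etc/systemd/network"]


def is_masked(path):
    """An empty file or a symlink to /dev/null disables the file ("masked")."""
    if os.path.islink(path) and os.readlink(path) == "/dev/null":
        return True
    return os.path.isfile(path) and os.path.getsize(path) == 0


def effective_network_files(root):
    """Return [(name, winning path or None if masked, [drop-in paths])], lexically sorted."""
    winners, dropins = {}, {}
    for directory in SEARCH_DIRS:            # later directories replace earlier ones
        base = os.path.join(root, directory)
        if not os.path.isdir(base):
            continue
        for entry in os.listdir(base):
            full = os.path.join(base, entry)
            if entry.endswith(".network") and not os.path.isdir(full):
                winners[entry] = full        # identical filenames replace each other
            elif entry.endswith(".network.d") and os.path.isdir(full):
                per_file = dropins.setdefault(entry[:-2], {})
                for conf in os.listdir(full):
                    if conf.endswith(".conf"):
                        per_file[conf] = os.path.join(full, conf)
    result = []
    for name in sorted(winners):             # one lexical order across all directories
        path = winners[name]
        if is_masked(path):
            result.append((name, None, []))  # assumption: drop-ins of a masked file are ignored
        else:
            confs = dropins.get(name, {})
            result.append((name, path, [confs[c] for c in sorted(confs)]))
    return result


def build_demo_tree(root):
    """Constructed sample layout; every file name and value here is made up."""
    def write(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write(text)

    write("usr/lib/systemd/network/80-wired.network", "[Match]\nName=en*\n[Network]\nDHCP=yes\n")
    write("etc/systemd/network/80-wired.network", "[Match]\nName=en*\n[Network]\nDHCP=ipv4\n")
    write("run/systemd/network/10-lab.network", "[Match]\nName=lab0\n")
    write("usr/lib/systemd/network/70-old.network", "[Match]\nName=old0\n")
    write("run/systemd/network/70-old.network", "")            # empty file masks the vendor copy
    write("usr/lib/systemd/network/99-default.network", "[Match]\nName=*\n[Network]\nDHCP=yes\n")
    os.symlink("/dev/null", os.path.join(root, "etc/systemd/network/99-default.network"))
    write("usr/lib/systemd/network/80-wired.network.d/10-mtu.conf", "[Link]\nMTUBytes=1400\n")
    write("usr/lib/systemd/network/80-wired.network.d/50-dns.conf", "[Network]\nDNSSEC=no\n")
    write("etc/systemd/network/80-wired.network.d/50-dns.conf", "[Network]\nDNSSEC=yes\n")
    write("etc/systemd/network/README.txt", "ignored: wrong extension\n")


def demo():
    """Resolve the constructed tree and return paths relative to its root."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        rel = lambda p: p and os.path.relpath(p, root)
        return [(n, rel(p), [rel(c) for c in cs]) for n, p, cs in effective_network_files(root)]


if __name__ == "__main__":
    for name, path, confs in demo():
        print(name, "->", path or "masked", confs)
```

       Passing "/" as root resolves the files on a live host, which shows which
       copy of a same-named file is in effect and which drop-ins modify it.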

[MATCH] SECTION OPTIONS

       The network file contains a "[Match]" section, which determines if a
       given network file may be applied to a given device; and a "[Network]"
       section specifying how the device should be configured. The first (in
       lexical order) of the network files that matches a given device is
       applied, all later files are ignored, even if they match as well.

       A network file is said to match a device if each of the entries in the
       "[Match]" section matches, or if the section is empty. The following
       keys are accepted:

       MACAddress=
           A whitespace-separated list of hardware addresses. Use full colon-,
           hyphen- or dot-delimited hexadecimal. See the example below. This
           option may appear more than once, in which case the lists are
           merged. If the empty string is assigned to this option, the list of
           hardware addresses defined prior to this is reset.

           Example:

               MACAddress=01:23:45:67:89:ab 00-11-22-33-44-55 AABB.CCDD.EEFF

       Path=
           A whitespace-separated list of shell-style globs matching the
           persistent path, as exposed by the udev property "ID_PATH". If the
           list is prefixed with a "!", the test is inverted; i.e. it is true
           when "ID_PATH" does not match any item in the list.

       Driver=
           A whitespace-separated list of shell-style globs matching the
           driver currently bound to the device, as exposed by the udev
           property "DRIVER" of its parent device, or if that is not set the
           driver as exposed by "ethtool -i" of the device itself. If the list
           is prefixed with a "!", the test is inverted.

       Type=
           A whitespace-separated list of shell-style globs matching the
           device type, as exposed by the udev property "DEVTYPE". If the list
           is prefixed with a "!", the test is inverted.

       Name=
           A whitespace-separated list of shell-style globs matching the
           device name, as exposed by the udev property "INTERFACE". If the
           list is prefixed with a "!", the test is inverted.

       Host=
           Matches against the hostname or machine ID of the host. See
           "ConditionHost=" in systemd.unit(5) for details.

       Virtualization=
           Checks whether the system is executed in a virtualized environment
           and optionally test whether it is a specific implementation. See
           "ConditionVirtualization=" in systemd.unit(5) for details.

       KernelCommandLine=
           Checks whether a specific kernel command line option is set (or if
           prefixed with the exclamation mark unset). See
           "ConditionKernelCommandLine=" in systemd.unit(5) for details.

       KernelVersion=
           Checks whether the kernel version (as reported by uname -r) matches
           a certain expression (or if prefixed with the exclamation mark does
           not match it). See "ConditionKernelVersion=" in systemd.unit(5) for
           details.

       Architecture=
           Checks whether the system is running on a specific architecture.
           See "ConditionArchitecture=" in systemd.unit(5) for details.

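       The first-match rule and the glob, "!" and MACAddress= semantics above,
       as an added example (not systemd's own code). File names, device
       properties and addresses are constructed; only MACAddress=, Path=,
       Driver=, Type= and Name= are modelled, and using the last assignment of a
       repeated glob key is an assumption.

```python
import fnmatch
import re

# [Match] keys that take glob lists, mapped to the udev property they test.
GLOB_KEYS = {"Path": "ID_PATH", "Driver": "DRIVER", "Type": "DEVTYPE", "Name": "INTERFACE"}


def normalize_mac(text):
    """Accept colon-, hyphen- or dot-delimited hex and return 12 lowercase digits."""
    digits = re.sub(r"[:.\-]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("not a full hardware address: %r" % text)
    return digits


def parse_match(text):
    """Return {key: [values]} for the [Match] section, keeping repeated keys."""
    section, match = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Match" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            match.setdefault(key, []).append(value)
    return match


def mac_list(values):
    """Merge repeated MACAddress= lists; an empty assignment resets the list."""
    macs = []
    for value in values:
        macs = [] if value == "" else macs + [normalize_mac(m) for m in value.split()]
    return macs


def glob_list_matches(value, prop):
    """True if prop matches any glob in the list; a leading "!" inverts the test."""
    inverted = value.startswith("!")
    patterns = (value[1:] if inverted else value).split()
    hit = prop is not None and any(fnmatch.fnmatchcase(prop, p) for p in patterns)
    return hit != inverted


def file_matches(match, device):
    """Every entry must match; an empty [Match] section matches any device."""
    for key, values in match.items():
        if key == "MACAddress":
            macs, dev = mac_list(values), device.get("MACAddress")
            if macs and (dev is None or normalize_mac(dev) not in macs):
                return False
        elif key in GLOB_KEYS:
            if not glob_list_matches(values[-1], device.get(GLOB_KEYS[key])):
                return False
        else:
            raise NotImplementedError("%s= is not modelled in this example" % key)
    return True


def select_network_file(files, device):
    """Return the first file, in lexical order, whose [Match] section matches."""
    for name in sorted(files):
        if file_matches(parse_match(files[name]), device):
            return name
    return None


# Constructed sample configuration and devices.
FILES = {
    "20-uplink.network": "[Match]\nMACAddress=00-11-22-33-44-55\nMACAddress=AABB.CCDD.EEFF\n",
    "30-not-virtual.network": "[Match]\nName=!veth* docker*\n\n[Network]\nDHCP=yes\n",
    "90-fallback.network": "[Match]\nName=*\n\n[Link]\nUnmanaged=yes\n",
}
UPLINK = {"INTERFACE": "enp3s0", "MACAddress": "aa:bb:cc:dd:ee:ff", "DRIVER": "e1000e"}
WLAN = {"INTERFACE": "wlan0", "MACAddress": "02:00:00:00:00:02"}
VETH = {"INTERFACE": "veth12ab", "MACAddress": "02:00:00:00:00:01"}

# An early file with an empty [Match] section takes every device away from later files.
FILES_SHADOWED = dict(FILES, **{"05-catch-all.network": "[Match]\n\n[Network]\nDHCP=yes\n"})

if __name__ == "__main__":
    for dev in (UPLINK, WLAN, VETH):
        print(dev["INTERFACE"], select_network_file(FILES, dev),
              select_network_file(FILES_SHADOWED, dev))
```

       Because later files are ignored once one matches, a broad or empty
       [Match] section that sorts early is worth checking for whenever a
       stricter file does not seem to take effect.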

[LINK] SECTION OPTIONS

       The "[Link]" section accepts the following keys:

       MACAddress=
           The hardware address to set for the device.

       MTUBytes=
           The maximum transmission unit in bytes to set for the device. The
           usual suffixes K, M, G, are supported and are understood to the
           base of 1024.

           Note that if IPv6 is enabled on the interface, and the MTU is
           chosen below 1280 (the minimum MTU for IPv6) it will automatically
           be increased to this value.

       ARP=
           A boolean. Enables or disables the ARP (low-level Address
           Resolution Protocol) for this interface. Defaults to unset, which
           means that the kernel default will be used.

           For example, disabling ARP is useful when creating multiple MACVLAN
           or VLAN virtual interfaces atop a single lower-level physical
           interface, which will then only serve as a link/"bridge" device
           aggregating traffic to the same physical link and not participate
           in the network otherwise.

       Multicast=
           A boolean. Enables or disables the multicast flag on the device.

       AllMulticast=
           A boolean. When this flag is set the driver retrieves all multicast
           packets from the network. This happens when multicast routing is
           enabled.

       Unmanaged=
           A boolean. When "yes", no attempts are made to bring up or
           configure matching links, equivalent to when there are no matching
           network files. Defaults to "no".

           This is useful for preventing later matching network files from
           interfering with certain interfaces that are fully controlled by
           other applications.

       RequiredForOnline=
           A boolean. When "yes", the network is deemed required when
           determining whether the system is online when running
           "systemd-networkd-wait-online". When "no", the network is ignored
           when checking for online state. Defaults to "yes".

           The network will be brought up normally in all cases, but in the
           event that there is no address being assigned by DHCP or the cable
           is not plugged in, the link will simply remain offline and be
           skipped automatically by "systemd-networkd-wait-online" if
           "RequiredForOnline=true".

[NETWORK] SECTION OPTIONS

       The "[Network]" section accepts the following keys:

       Description=
           A description of the device. This is only used for presentation
           purposes.

       DHCP=
           Enables DHCPv4 and/or DHCPv6 client support. Accepts "yes", "no",
           "ipv4", or "ipv6". Defaults to "no".

           Note that DHCPv6 will by default be triggered by Router
           Advertisement, if that is enabled, regardless of this parameter. By
           enabling DHCPv6 support explicitly, the DHCPv6 client will be
           started regardless of the presence of routers on the link, or what
           flags the routers pass. See "IPv6AcceptRA=".

           Furthermore, note that by default the domain name specified through
           DHCP is not used for name resolution. See option UseDomains= below.

           See the "[DHCP]" section below for further configuration options
           for the DHCP client support.

       DHCPServer=
           A boolean. Enables DHCPv4 server support. Defaults to "no". Further
           settings for the DHCP server may be set in the "[DHCPServer]"
           section described below.

       LinkLocalAddressing=
           Enables link-local address autoconfiguration. Accepts "yes", "no",
           "ipv4", or "ipv6". Defaults to "ipv6".

       IPv4LLRoute=
           A boolean. When true, sets up the route needed for non-IPv4LL hosts
           to communicate with IPv4LL-only hosts. Defaults to false.

       IPv6Token=
           An IPv6 address with the top 64 bits unset. When set, indicates the
           64-bit interface part of SLAAC IPv6 addresses for this link. Note
           that the token is only ever used for SLAAC, and not for DHCPv6
           addresses, even in the case DHCP is requested by router
           advertisement. By default, the token is autogenerated.

       LLMNR=
           A boolean or "resolve". When true, enables Link-Local Multicast
           Name Resolution[1] on the link. When set to "resolve", only
           resolution is enabled, but not host registration and announcement.
           Defaults to true. This setting is read by
           systemd-resolved.service(8).

       MulticastDNS=
           A boolean or "resolve". When true, enables Multicast DNS[2] support
           on the link. When set to "resolve", only resolution is enabled, but
           not host or service registration and announcement. Defaults to
           false. This setting is read by systemd-resolved.service(8).

       DNSOverTLS=
           Takes false or "opportunistic". When set to "opportunistic",
           enables DNS-over-TLS[3] support on the link. This option defines a
           per-interface setting for resolved.conf(5)'s global DNSOverTLS=
           option. Defaults to false. This setting is read by
           systemd-resolved.service(8).

       DNSSEC=
           A boolean or "allow-downgrade". When true, enables DNSSEC[4] DNS
           validation support on the link. When set to "allow-downgrade",
           compatibility with non-DNSSEC capable networks is increased, by
           automatically turning off DNSSEC in this case. This option defines
           a per-interface setting for resolved.conf(5)'s global DNSSEC=
           option. Defaults to false. This setting is read by
           systemd-resolved.service(8).

       DNSSECNegativeTrustAnchors=
           A space-separated list of DNSSEC negative trust anchor domains. If
           specified and DNSSEC is enabled, look-ups done via the interface's
           DNS server will be subject to the list of negative trust anchors,
           and not require authentication for the specified domains, or
           anything below it. Use this to disable DNSSEC authentication for
           specific private domains, that cannot be proven valid using the
           Internet DNS hierarchy. Defaults to the empty list. This setting is
           read by systemd-resolved.service(8).

       LLDP=
           Controls support for Ethernet LLDP packet reception. LLDP is a
           link-layer protocol commonly implemented on professional routers
           and bridges which announces which physical port a system is
           connected to, as well as other related data. Accepts a boolean or
           the special value "routers-only". When true, incoming LLDP packets
           are accepted and a database of all LLDP neighbors maintained. If
           "routers-only" is set only LLDP data of various types of routers is
           collected and LLDP data about other types of devices ignored (such
           as stations, telephones and others). If false, LLDP reception is
           disabled. Defaults to "routers-only". Use networkctl(1) to query
           the collected neighbor data. LLDP is only available on Ethernet
           links. See EmitLLDP= below for enabling LLDP packet emission from
           the local system.

       EmitLLDP=
           Controls support for Ethernet LLDP packet emission. Accepts a
           boolean parameter or the special values "nearest-bridge",
           "non-tpmr-bridge" and "customer-bridge". Defaults to false, which
           turns off LLDP packet emission. If not false, a short LLDP packet
           with information about the local system is sent out in regular
           intervals on the link. The LLDP packet will contain information
           about the local host name, the local machine ID (as stored in
           machine-id(5)) and the local interface name, as well as the pretty
           hostname of the system (as set in machine-info(5)). LLDP emission
           is only available on Ethernet links. Note that this setting passes
           data suitable for identification of the host to the network and
           should thus not be enabled on untrusted networks, where such
           identification data should not be made available. Use this option
           to permit other systems to identify on which interfaces they are
           connected to this system. The three special values control
           propagation of the LLDP packets. The "nearest-bridge" setting
           permits propagation only to the nearest connected bridge,
           "non-tpmr-bridge" permits propagation across Two-Port MAC Relays,
           but not any other bridges, and "customer-bridge" permits
           propagation until a customer bridge is reached. For details about
           these concepts, see IEEE 802.1AB-2016[5]. Note that configuring
           this setting to true is equivalent to "nearest-bridge", the
           recommended and most restricted level of propagation. See LLDP=
           above for an option to enable LLDP reception.

       BindCarrier=
           A link name or a list of link names. When set, controls the
           behavior of the current link. When all links in the list are in an
           operational down state, the current link is brought down. When at
           least one link has carrier, the current interface is brought up.

       Address=
           A static IPv4 or IPv6 address and its prefix length, separated by a
           "/" character. Specify this key more than once to configure several
           addresses. The format of the address must be as described in
           inet_pton(3). This is a short-hand for an [Address] section only
           containing an Address key (see below). This option may be specified
           more than once.

           If the specified address is 0.0.0.0 (for IPv4) or [::] (for IPv6),
           a new address range of the requested size is automatically
           allocated from a system-wide pool of unused ranges. The allocated
           range is checked against all current network interfaces and all
           known network configuration files to avoid address range conflicts.
           The default system-wide pool consists of 192.168.0.0/16,
           172.16.0.0/12 and 10.0.0.0/8 for IPv4, and fc00::/7 for IPv6. This
           functionality is useful to manage a large number of dynamically
           created network interfaces with the same network configuration and
           automatic address range assignment.

       Gateway=
           The gateway address, which must be in the format described in
           inet_pton(3). This is a short-hand for a [Route] section only
           containing a Gateway key. This option may be specified more than
           once.

       DNS=
           A DNS server address, which must be in the format described in
           inet_pton(3). This option may be specified more than once. This
           setting is read by systemd-resolved.service(8).

       Domains=
           A list of domains which should be resolved using the DNS servers on
           this link. Each item in the list should be a domain name,
           optionally prefixed with a tilde ("~"). The domains with the prefix
           are called "routing-only domains". The domains without the prefix
           are called "search domains" and are first used as search suffixes
           for extending single-label host names (host names containing no
           dots) to become fully qualified domain names (FQDNs). If a
           single-label host name is resolved on this interface, each of the
           specified search domains are appended to it in turn, converting it
           into a fully qualified domain name, until one of them may be
           successfully resolved.

           Both "search" and "routing-only" domains are used for routing of
           DNS queries: look-ups for host names ending in those domains (hence
           also single label names, if any "search domains" are listed), are
           routed to the DNS servers configured for this interface. The domain
           routing logic is particularly useful on multi-homed hosts with DNS
           servers serving particular private DNS zones on each interface.

           The "routing-only" domain "~." (the tilde indicating definition of
           a routing domain, the dot referring to the DNS root domain which is
           the implied suffix of all valid DNS names) has special effect. It
           causes all DNS traffic which does not match another configured
           domain routing entry to be routed to DNS servers specified for this
           interface. This setting is useful to prefer a certain set of DNS
           servers if a link on which they are connected is available.

           This setting is read by systemd-resolved.service(8). "Search
           domains" correspond to the domain and search entries in
           resolv.conf(5). Domain name routing has no equivalent in the
           traditional glibc API, which has no concept of domain name servers
           limited to a specific link.

       NTP=
           An NTP server address. This option may be specified more than once.
           This setting is read by systemd-timesyncd.service(8).

       IPForward=
           Configures IP packet forwarding for the system. If enabled,
           incoming packets on any network interface will be forwarded to any
           other interfaces according to the routing table. Takes either a
           boolean argument, or the values "ipv4" or "ipv6", which only enable
           IP packet forwarding for the specified address family. This
           controls the net.ipv4.ip_forward and net.ipv6.conf.all.forwarding
           sysctl options of the network interface (see ip-sysctl.txt[6] for
           details about sysctl options). Defaults to "no".

           Note: this setting controls a global kernel option, and does so one
           way only: if a network that has this setting enabled is set up the
           global setting is turned on. However, it is never turned off again,
           even after all networks with this setting enabled are shut down
           again.

           To allow IP packet forwarding only between specific network
           interfaces use a firewall.

       IPMasquerade=
           Configures IP masquerading for the network interface. If enabled,
           packets forwarded from the network interface will appear as
           coming from the local host. Takes a boolean argument. Implies
           IPForward=ipv4. Defaults to "no".

       IPv6PrivacyExtensions=
           Configures use of stateless temporary addresses that change over
           time (see RFC 4941[7], Privacy Extensions for Stateless Address
           Autoconfiguration in IPv6). Takes a boolean or the special values
           "prefer-public" and "kernel". When true, enables the privacy
           extensions and prefers temporary addresses over public addresses.
           When "prefer-public", enables the privacy extensions, but prefers
           public addresses over temporary addresses. When false, the privacy
           extensions remain disabled. When "kernel", the kernel's default
           setting will be left in place. Defaults to "no".

       IPv6AcceptRA=
           Enable or disable IPv6 Router Advertisement (RA) reception support
           for the interface. Takes a boolean parameter. If true, RAs are
           accepted; if false, RAs are ignored, independently of the local
           forwarding state. When not set, the kernel default is used, and RAs
           are accepted only when local forwarding is disabled for that
           interface. When RAs are accepted, they may trigger the start of the
           DHCPv6 client if the relevant flags are set in the RA data, or if
           no routers are found on the link.

           Further settings for the IPv6 RA support may be configured in the
           "[IPv6AcceptRA]" section, see below.

           Also see ip-sysctl.txt[6] in the kernel documentation regarding
           "accept_ra", but note that systemd's setting of 1 (i.e. true)
           corresponds to kernel's setting of 2.

       IPv6DuplicateAddressDetection=
           Configures the number of IPv6 Duplicate Address Detection (DAD)
           probes to send. Defaults to unset.

       IPv6HopLimit=
           Configures IPv6 Hop Limit. For each router that forwards the
           packet, the hop limit is decremented by 1. When the hop limit field
           reaches zero, the packet is discarded. Defaults to unset.

       IPv4ProxyARP=
           A boolean. Configures proxy ARP for IPv4. Proxy ARP is the
           technique in which one host, usually a router, answers ARP requests
           intended for another machine. By "faking" its identity, the router
           accepts responsibility for routing packets to the "real"
           destination (see RFC 1027[8]). Defaults to unset.

       IPv6ProxyNDP=
           A boolean. Configures proxy NDP for IPv6. Proxy NDP (Neighbor
           Discovery Protocol) is a technique for IPv6 to allow routing of
           addresses to a different destination when peers expect them to be
           present on a certain physical link. In this case a router answers
           Neighbour Advertisement messages intended for another machine by
           offering its own MAC address as destination. Unlike proxy ARP for
           IPv4, it is not enabled globally, but will only send Neighbour
           Advertisement messages for addresses in the IPv6 neighbor proxy
           table, which can also be shown by ip -6 neighbour show proxy.
           systemd-networkd will control the per-interface `proxy_ndp` switch
           for each configured interface depending on this option. Defaults to
           unset.

       IPv6ProxyNDPAddress=
           An IPv6 address, for which Neighbour Advertisement messages will be
           proxied. This option may be specified more than once.
           systemd-networkd will add the IPv6ProxyNDPAddress= entries to the
           kernel's IPv6 neighbor proxy table. This option implies
           IPv6ProxyNDP=true but has no effect if IPv6ProxyNDP has been set to
           false. Defaults to unset.

       IPv6PrefixDelegation=
           Whether to enable or disable Router Advertisement sending on a
           link. Allowed values are "static" which distributes prefixes as
           defined in the "[IPv6PrefixDelegation]" and any "[IPv6Prefix]"
           sections, "dhcpv6" which requests prefixes using a DHCPv6 client
           configured for another link and any values configured in the
           "[IPv6PrefixDelegation]" section while ignoring all static prefix
           configuration sections, "yes" which uses both static configuration
           and DHCPv6, and "false" which turns off IPv6 prefix delegation
           altogether. Defaults to "false". See the "[IPv6PrefixDelegation]"
           and the "[IPv6Prefix]" sections for more configuration options.

       IPv6MTUBytes=
           Configures IPv6 maximum transmission unit (MTU). An integer greater
           than or equal to 1280 bytes. Defaults to unset.

       Bridge=
           The name of the bridge to add the link to. See systemd.netdev(5).

       Bond=
           The name of the bond to add the link to. See systemd.netdev(5).

       VRF=
           The name of the VRF to add the link to. See systemd.netdev(5).

       VLAN=
           The name of a VLAN to create on the link. See systemd.netdev(5).
           This option may be specified more than once.

       MACVLAN=
           The name of a MACVLAN to create on the link. See systemd.netdev(5).
           This option may be specified more than once.

       VXLAN=
           The name of a VXLAN to create on the link. See systemd.netdev(5).
           This option may be specified more than once.

       Tunnel=
           The name of a Tunnel to create on the link. See systemd.netdev(5).
           This option may be specified more than once.

       ActiveSlave=
           A boolean. Specifies the new active slave. The "ActiveSlave="
           option is only valid for the following modes: "active-backup",
           "balance-alb" and "balance-tlb". Defaults to false.

       PrimarySlave=
           A boolean. Specifies which slave is the primary device. The
           specified device will always be the active slave while it is
           available. Only when the primary is off-line will alternate devices
           be used. This is useful when one slave is preferred over another,
           e.g. when one slave has higher throughput than another. The
           "PrimarySlave=" option is only valid for the following modes:
           "active-backup", "balance-alb" and "balance-tlb". Defaults to
           false.

       ConfigureWithoutCarrier=
           A boolean. Allows networkd to configure a specific link even if it
           has no carrier. Defaults to false.

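       A review of a [Network] section for a link on an untrusted network, using
       only the defaults and notes stated above for EmitLLDP=, LLMNR=,
       MulticastDNS=, IPForward= and IPMasquerade=. This is an added example, not
       systemd's own code; the sample files are constructed, and taking the last
       assignment of a repeated key is an assumption.

```python
# Boolean spellings accepted by systemd configuration files.
TRUE = {"1", "yes", "y", "true", "t", "on"}
FALSE = {"0", "no", "n", "false", "f", "off"}

# Defaults as documented in the [Network] section of this page.
DEFAULTS = {"LLMNR": "yes", "MulticastDNS": "no", "EmitLLDP": "no",
            "IPForward": "no", "IPMasquerade": "no"}


def normalise(value):
    """Fold boolean spellings to "yes"/"no"; keep special values such as "resolve"."""
    text = value.strip().lower()
    if text in TRUE:
        return "yes"
    if text in FALSE:
        return "no"
    return text


def effective_settings(text):
    """Return the reviewed [Network] keys with the documented defaults filled in."""
    settings, section = dict(DEFAULTS), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Network" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in DEFAULTS:
                settings[key] = normalise(value)   # assumption: last assignment wins
    if settings["IPMasquerade"] == "yes":
        # IPMasquerade= implies IPForward=ipv4.
        current = settings["IPForward"]
        settings["IPForward"] = {"no": "ipv4", "ipv6": "yes"}.get(current, current)
    return settings


def review_untrusted_link(text):
    """Return [(key, effective value, reason)] for settings to reconsider."""
    s, findings = effective_settings(text), []
    if s["EmitLLDP"] != "no":
        findings.append(("EmitLLDP", s["EmitLLDP"],
                         "sends host name, machine ID and interface name on the link"))
    for key in ("LLMNR", "MulticastDNS"):
        if s[key] == "yes":
            findings.append((key, "yes",
                             "registration and announcement enabled; 'resolve' keeps look-ups only"))
    if s["IPForward"] != "no":
        findings.append(("IPForward", s["IPForward"],
                         "turns on a global sysctl that is never turned off again; "
                         "restrict forwarding between interfaces with a firewall"))
    return findings


# Constructed sample files.
GUEST_LINK = "[Match]\nName=wlan0\n\n[Network]\nDHCP=yes\nEmitLLDP=customer-bridge\nIPMasquerade=yes\n"
DEFAULTS_ONLY = "[Match]\nName=wlan0\n\n[Network]\nDHCP=yes\n"
RESTRICTED = ("[Match]\nName=wlan0\n\n[Network]\nDHCP=yes\n"
              "LLMNR=resolve\nMulticastDNS=false\nEmitLLDP=no\n")

if __name__ == "__main__":
    for label, text in (("guest", GUEST_LINK), ("defaults", DEFAULTS_ONLY),
                        ("restricted", RESTRICTED)):
        print(label)
        for key, value, reason in review_untrusted_link(text):
            print("  %s=%s: %s" % (key, value, reason))
```

       The DEFAULTS_ONLY case shows why unset keys matter: LLMNR= is reported
       although the file never mentions it, because its documented default is
       true.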

[ADDRESS] SECTION OPTIONS

       An "[Address]" section accepts the following keys. Specify several
       "[Address]" sections to configure several addresses.

       Address=
           As in the "[Network]" section. This key is mandatory.

       Peer=
           The peer address in a point-to-point connection. Accepts the same
           format as the "Address" key.

       Broadcast=
           The broadcast address, which must be in the format described in
           inet_pton(3). This key only applies to IPv4 addresses. If it is not
           given, it is derived from the "Address" key.

       Label=
           An address label.

       PreferredLifetime=
           Allows the default "preferred lifetime" of the address to be
           overridden. Only three settings are accepted: "forever" or
           "infinity" which is the default and means that the address never
           expires, and "0" which means that the address is considered
           immediately "expired" and will not be used, unless explicitly
           requested. A setting of PreferredLifetime=0 is useful for addresses
           which are added to be used only by a specific application, which is
           then configured to use them explicitly.

       Scope=
           The scope of the address, which can be "global", "link" or "host"
           or an unsigned integer in the range 0 to 255. Defaults to "global".

       HomeAddress=
           Takes a boolean argument. Designates this address the "home
           address" as defined in RFC 6275[9]. Supported only on IPv6.
           Defaults to false.

       DuplicateAddressDetection=
           Takes a boolean argument. Do not perform Duplicate Address
           Detection (RFC 4862[10]) when adding this address. Supported only
           on IPv6. Defaults to false.

       ManageTemporaryAddress=
           Takes a boolean argument. If true, the kernel manages temporary
           addresses created from this one as template on behalf of Privacy
           Extensions (RFC 3041[11]). For this to become active, the
           use_tempaddr sysctl setting has to be set to a value greater than
           zero. The given address needs to have a prefix length of 64. This
           flag allows using privacy extensions in a manually configured
           network, just like if stateless auto-configuration was active.
           Defaults to false.

       PrefixRoute=
           Takes a boolean argument. When adding or modifying an IPv6 address,
           the userspace application needs a way to suppress adding a prefix
           route. This is for example relevant together with
           IFA_F_MANAGETEMPADDR, where userspace creates autoconf generated
           addresses, but depending on on-link, no route for the prefix should
           be added. Defaults to false.

       AutoJoin=
           Takes a boolean argument. Joining a multicast group on Ethernet
           level via the ip maddr command would not work if we have an
           Ethernet switch that does IGMP snooping since the switch would not
           replicate multicast packets on ports that did not have IGMP reports
           for the multicast addresses. Linux vxlan interfaces created via ip
           link add vxlan or networkd's netdev kind vxlan have the group
           option that enables them to do the required join. By extending the
           ip address command with option "autojoin" we can get similar
           functionality for openvswitch (OVS) vxlan interfaces as well as
           other tunneling mechanisms that need to receive multicast traffic.
           Defaults to "no".

[IPV6ADDRESSLABEL] SECTION OPTIONS

599       An "[IPv6AddressLabel]" section accepts the following keys. Specify
600       several "[IPv6AddressLabel]" sections to configure several address
601       labels. IPv6 address labels are used for address selection. See RFC
602       3484[12]. Precedence is managed by userspace, and only the label itself
603       is stored in the kernel.
604
605       Label=
606           The label for the prefix, an unsigned integer in the range 0 to
607           4294967294. 0xffffffff is reserved. This key is mandatory.
608
609       Prefix=
610           IPv6 prefix is an address with a prefix length, separated by a
611           slash "/" character. This key is mandatory.
612

[ROUTINGPOLICYRULE] SECTION OPTIONS

614       An "[RoutingPolicyRule]" section accepts the following keys. Specify
615       several "[RoutingPolicyRule]" sections to configure several rules.
616
617       TypeOfService=
618           Specifies the type of service to match, a number between 0 and 255.
619
620       From=
621           Specifies the source address prefix to match. Possibly followed by
622           a slash and the prefix length.
623
624       To=
625           Specifies the destination address prefix to match. Possibly
626           followed by a slash and the prefix length.
627
628       FirewallMark=
629           Specifies the iptables firewall mark value to match (a number
630           between 1 and 4294967295).
631
632       Table=
633           Specifies the routing table identifier to look up if the rule
634           selector matches. The table identifier for a route (a number
635           between 1 and 4294967295).
636
637       Priority=
638           Specifies the priority of this rule.  Priority= is an unsigned
639           integer. Higher number means lower priority, and rules get
640           processed in order of increasing number.
641
642       IncomingInterface=
643           Specifies the incoming device to match. If the interface is loopback,
644           the rule only matches packets originating from this host.
645
646       OutgoingInterface=
647           Specifies the outgoing device to match. The outgoing interface is
648           only available for packets originating from local sockets that are
649           bound to a device.
650

[ROUTE] SECTION OPTIONS

652       The "[Route]" section accepts the following keys. Specify several
653       "[Route]" sections to configure several routes.
654
655       Gateway=
656           As in the "[Network]" section.
657
658       GatewayOnlink=
659           The "GatewayOnlink" option tells the kernel that it does not have
660           to check if the gateway is reachable directly by the current
661           machine (i.e., the kernel does not need to check if the gateway is
662           attached to the local network), so that we can insert the route in
663           the kernel table without it being complained about. A boolean,
664           defaults to "no".
665
666       Destination=
667           The destination prefix of the route. Possibly followed by a slash
668           and the prefix length. If omitted, a full-length host route is
669           assumed.
670
671       Source=
672           The source prefix of the route. Possibly followed by a slash and
673           the prefix length. If omitted, a full-length host route is assumed.
674
675       Metric=
676           The metric of the route (an unsigned integer).
677
678       IPv6Preference=
679           Specifies the route preference as defined in RFC4191[13] for Router
680           Discovery messages. Can be one of "low" (the route has the
681           lowest priority), "medium" (the route has the default priority) or
682           "high" (the route has the highest priority).
683
684       Scope=
685           The scope of the route, which can be "global", "link" or "host".
686           Defaults to "global".
687
688       PreferredSource=
689           The preferred source address of the route. The address must be in
690           the format described in inet_pton(3).
691
692       Table=num
693           The table identifier for the route (a number between 1 and
694           4294967295, or 0 to unset). The table can be retrieved using ip
695           route show table num.
696
697       Protocol=
698           The protocol identifier for the route. Takes a number between 0 and
699           255 or the special values "kernel", "boot" and "static". Defaults
700           to "static".
701
702       Type=
703           The type identifier for special route types, which can be
704           "unicast" (a route to a destination network address which
705           describes the path to the destination), "blackhole" (packets are
706           discarded silently), "unreachable" (packets are discarded and the
707           ICMP message host unreachable is generated) or "prohibit" (packets
708           are discarded and the ICMP message communication administratively
709           prohibited is generated). Defaults to "unicast".
710
711       InitialCongestionWindow=
712           The TCP initial congestion window is used during the start of a TCP
713           connection. During the start of a TCP session, when a client
714           requests a resource, the server's initial congestion window
715           determines how many data bytes will be sent during the initial
716           burst of data. Takes a size in bytes between 1 and 4294967295 (2^32
717           - 1). The usual suffixes K, M, G are supported and are understood
718           to the base of 1024. Defaults to unset.
719
720       InitialAdvertisedReceiveWindow=
721           The TCP initial advertised receive window is the amount of receive
722           data (in bytes) that can initially be buffered at one time on a
723           connection. The sending host can send only that amount of data
724           before waiting for an acknowledgment and window update from the
725           receiving host. Takes a size in bytes between 1 and 4294967295
726           (2^32 - 1). The usual suffixes K, M, G are supported and are
727           understood to the base of 1024. Defaults to unset.
728
729       QuickAck=
730           Takes a boolean argument. When true enables TCP quick ack mode for
731           the route. Defaults to unset.
732
733       MTUBytes=
734           The maximum transmission unit in bytes to set for the route. The
735           usual suffixes K, M, G, are supported and are understood to the
736           base of 1024.
737
738           Note that if IPv6 is enabled on the interface, and the MTU is
739           chosen below 1280 (the minimum MTU for IPv6) it will automatically
740           be increased to this value.
741

[DHCP] SECTION OPTIONS

743       The "[DHCP]" section configures the DHCPv4 and DHCPv6 client, if it is
744       enabled with the DHCP= setting described above:
745
746       UseDNS=
747           When true (the default), the DNS servers received from the DHCP
748           server will be used and take precedence over any statically
749           configured ones.
750
751           This corresponds to the nameserver option in resolv.conf(5).
752
753       UseNTP=
754           When true (the default), the NTP servers received from the DHCP
755           server will be used by systemd-timesyncd and take precedence over
756           any statically configured ones.
757
758       UseMTU=
759           When true, the interface maximum transmission unit from the DHCP
760           server will be used on the current link. If MTUBytes= is set, then
761           this setting is ignored. Defaults to false.
762
763       Anonymize=
764           Takes a boolean argument. When true, the options sent to the DHCP
765           server will follow the RFC 7844[14] (Anonymity Profiles for DHCP
766           Clients) to minimize disclosure of identifying information.
767           Defaults to false.
768
769           This option should only be set to true when MACAddressPolicy= is
770           set to "random" (see systemd.link(5)).
771
772           Note that this configuration will overwrite others. Specifically,
773           the following variables will be ignored: SendHostname=,
774           ClientIdentifier=, UseRoutes=, UseMTU=,
775           VendorClassIdentifier=, UseTimezone=.
776
777       SendHostname=
778           When true (the default), the machine's hostname will be sent to the
779           DHCP server.
780
781       UseHostname=
782           When true (the default), the hostname received from the DHCP server
783           will be set as the transient hostname of the system.
784
785       Hostname=
786           Use this value for the hostname which is sent to the DHCP server,
787           instead of machine's hostname.
788
789       UseDomains=
790           Takes a boolean argument, or the special value "route". When true,
791           the domain name received from the DHCP server will be used as DNS
792           search domain over this link, similar to the effect of the Domains=
793           setting. If set to "route", the domain name received from the DHCP
794           server will be used for routing DNS queries only, but not for
795           searching, similar to the effect of the Domains= setting when the
796           argument is prefixed with "~". Defaults to false.
797
798           It is recommended to enable this option only on trusted networks,
799           as setting this affects resolution of all host names, in particular
800           of single-label names. It is generally safer to use the supplied
801           domain only as routing domain, rather than as search domain, in
802           order to not have it affect local resolution of single-label names.
803
804           When set to true, this setting corresponds to the domain option in
805           resolv.conf(5).
806
807       UseRoutes=
808           When true (the default), the static routes will be requested from
809           the DHCP server and added to the routing table with a metric of
810           1024, and a scope of "global", "link" or "host", depending on the
811           route's destination and gateway. If the destination is on the local
812           host, e.g., 127.x.x.x, or the same as the link's own address, the
813           scope will be set to "host". Otherwise if the gateway is null (a
814           direct route), a "link" scope will be used. For anything else,
815           scope defaults to "global".
816
817       UseTimezone=
818           When true, the timezone received from the DHCP server will be set
819           as timezone of the local system. Defaults to "no".
820
821       CriticalConnection=
822           When true, the connection will never be torn down even if the DHCP
823           lease expires. This is contrary to the DHCP specification, but may
824           be the best choice if, say, the root filesystem relies on this
825           connection. Defaults to false.
826
827       ClientIdentifier=
828           The DHCPv4 client identifier to use. Takes one of "mac", "duid" or
829           "duid-only". If set to "mac", the MAC address of the link is used.
830           If set to "duid", an RFC4361-compliant Client ID, which is the
831           combination of IAID and DUID (see below), is used. If set to
832           "duid-only", only DUID is used; this may not be RFC compliant, but
833           some setups may require it. Defaults to "duid".
834
835       VendorClassIdentifier=
836           The vendor class identifier used to identify vendor type and
837           configuration.
838
839       UserClass=
840           A DHCPv4 client can use UserClass option to identify the type or
841           category of user or applications it represents. The information
842           contained in this option is a string that represents the user class
843           of which the client is a member. Each class sets an identifying
844           string of information to be used by the DHCP service to classify
845           clients. Takes a whitespace-separated list of strings.
846
847       DUIDType=
848           Override the global DUIDType setting for this network. See
849           networkd.conf(5) for a description of possible values.
850
851       DUIDRawData=
852           Override the global DUIDRawData setting for this network. See
853           networkd.conf(5) for a description of possible values.
854
855       IAID=
856           The DHCP Identity Association Identifier (IAID) for the interface,
857           a 32-bit unsigned integer.
858
859       RequestBroadcast=
860           Request the server to use broadcast messages before the IP address
861           has been configured. This is necessary for devices that cannot
862           receive RAW packets, or that cannot receive packets at all before
863           an IP address has been configured. On the other hand, this must not
864           be enabled on networks where broadcasts are filtered out.
865
866       RouteMetric=
867           Set the routing metric for routes specified by the DHCP server.
868
869       RouteTable=num
870           The table identifier for DHCP routes (a number between 1 and
871           4294967295, or 0 to unset). The table can be retrieved using ip
872           route show table num.
873
874           When used in combination with VRF= the VRF's routing table is used
875           unless this parameter is specified.
876
877       ListenPort=
878           Allow setting custom port for the DHCP client to listen on.
879
880       RapidCommit=
881           A boolean. The DHCPv6 client can obtain configuration parameters
882           from a DHCPv6 server through a rapid two-message exchange (solicit
883           and reply). When the rapid commit option is enabled by both the
884           DHCPv6 client and the DHCPv6 server, the two-message exchange is
885           used, rather than the default four-message exchange (solicit,
886           advertise, request, and reply). The two-message exchange provides
887           faster client configuration and is beneficial in environments in
888           which networks are under a heavy load. See RFC 3315[15] for
889           details. Defaults to true.
890

[IPV6ACCEPTRA] SECTION OPTIONS

892       The "[IPv6AcceptRA]" section configures the IPv6 Router Advertisement
893       (RA) client, if it is enabled with the IPv6AcceptRA= setting described
894       above:
895
896       UseDNS=
897           When true (the default), the DNS servers received in the Router
898           Advertisement will be used and take precedence over any statically
899           configured ones.
900
901           This corresponds to the nameserver option in resolv.conf(5).
902
903       UseDomains=
904           Takes a boolean argument, or the special value "route". When true,
905           the domain name received via IPv6 Router Advertisement (RA) will be
906           used as DNS search domain over this link, similar to the effect of
907           the Domains= setting. If set to "route", the domain name received
908           via IPv6 RA will be used for routing DNS queries only, but not for
909           searching, similar to the effect of the Domains= setting when the
910           argument is prefixed with "~". Defaults to false.
911
912           It is recommended to enable this option only on trusted networks,
913           as setting this affects resolution of all host names, in particular
914           of single-label names. It is generally safer to use the supplied
915           domain only as routing domain, rather than as search domain, in
916           order to not have it affect local resolution of single-label names.
917
918           When set to true, this setting corresponds to the domain option in
919           resolv.conf(5).
920
921       RouteTable=num
922           The table identifier for the routes received in the Router
923           Advertisement (a number between 1 and 4294967295, or 0 to unset).
924           The table can be retrieved using ip route show table num.
925
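       An added example (not part of the original manual page or the systemd project): a small Python audit that applies the defaults and trust guidance from the "[DHCP]" and "[IPv6AcceptRA]" sections above to a single .network file. The sample files are constructed, audit() and its helpers are hypothetical names, drop-in directories are not merged, and the RA client is assumed active unless IPv6AcceptRA= is explicitly disabled.

```python
"""Audit a .network file for settings that trust DHCP/RA-supplied data."""

TRUE = {"1", "yes", "true", "on"}
FALSE = {"0", "no", "false", "off"}
# Defaults as documented in the [DHCP] and [IPv6AcceptRA] sections of this page.
DEFAULTS = {
    "DHCP": {"UseDNS": "yes", "UseDomains": "no", "UseHostname": "yes",
             "SendHostname": "yes", "UseTimezone": "no", "Anonymize": "no"},
    "IPv6AcceptRA": {"UseDNS": "yes", "UseDomains": "no"},
}
# Settings the page lists as ignored once Anonymize= is true.
IGNORED_BY_ANONYMIZE = ("SendHostname", "ClientIdentifier", "UseRoutes",
                        "UseMTU", "VendorClassIdentifier", "UseTimezone")

# Constructed sample: a profile that trusts whatever the network sends.
WEAK = """\
[Network]
DHCP=yes

[DHCP]
UseDomains=yes
UseTimezone=yes
"""

# Constructed sample: the same link, tightened for untrusted networks.
HARDENED = """\
[Network]
DHCP=ipv4
IPv6AcceptRA=no
DNS=192.0.2.53

[DHCP]
# Pair with MACAddressPolicy=random in the matching .link file.
Anonymize=yes
UseDNS=no
UseDomains=route
UseHostname=no
"""

def parse_network(text):
    """Parse unit-file style text into {section: {key: value}}; last value wins."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def enabled(cfg, section, key):
    """True if the effective value (explicit or documented default) is true."""
    value = cfg.get(section, {}).get(key, DEFAULTS[section][key])
    return value.lower() in TRUE

def audit(text):
    """Return (section, key, message) findings for one .network file."""
    cfg = parse_network(text)
    net = cfg.get("Network", {})
    dhcp = net.get("DHCP", "no").lower()
    active = {
        "DHCP": dhcp in TRUE or dhcp in ("ipv4", "ipv6"),
        # Assumption of this example: RA client is on unless explicitly disabled.
        "IPv6AcceptRA": net.get("IPv6AcceptRA", "yes").lower() not in FALSE,
    }
    out = []
    for section in ("DHCP", "IPv6AcceptRA"):
        if not active[section]:
            continue
        if enabled(cfg, section, "UseDomains"):
            out.append((section, "UseDomains",
                        "network-supplied search domain; prefer 'route'"))
        if enabled(cfg, section, "UseDNS"):
            out.append((section, "UseDNS",
                        "network-supplied DNS servers override static DNS="))
    if not active["DHCP"]:
        return out
    if enabled(cfg, "DHCP", "UseHostname"):
        out.append(("DHCP", "UseHostname", "transient hostname set by server"))
    if enabled(cfg, "DHCP", "Anonymize"):
        # Explicit assignments that no longer have any effect are worth flagging.
        for key in IGNORED_BY_ANONYMIZE:
            if key in cfg.get("DHCP", {}):
                out.append(("DHCP", key, "ignored while Anonymize= is true"))
        return out
    if enabled(cfg, "DHCP", "SendHostname"):
        out.append(("DHCP", "SendHostname", "hostname disclosed to server"))
    if enabled(cfg, "DHCP", "UseTimezone"):
        out.append(("DHCP", "UseTimezone", "system timezone set by server"))
    return out

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text))
```

       The weak sample is flagged mostly for defaults it never mentions (UseDNS=, UseHostname=, SendHostname=), which is why the audit resolves effective values rather than only the keys present in the file.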

[DHCPSERVER] SECTION OPTIONS

927       The "[DHCPServer]" section contains settings for the DHCP server, if
928       enabled via the DHCPServer= option described above:
929
930       PoolOffset=, PoolSize=
931           Configures the pool of addresses to hand out. The pool is a
932           contiguous sequence of IP addresses in the subnet configured for
933           the server address, which does not include the subnet nor the
934           broadcast address.  PoolOffset= takes the offset of the pool from
935           the start of subnet, or zero to use the default value.  PoolSize=
936           takes the number of IP addresses in the pool or zero to use the
937           default value. By default, the pool starts at the first address
938           after the subnet address and takes up the rest of the subnet,
939           excluding the broadcast address. If the pool includes the server
940           address (the default), this is reserved and not handed out to
941           clients.
942
943       DefaultLeaseTimeSec=, MaxLeaseTimeSec=
944           Control the default and maximum DHCP lease time to pass to clients.
945           These settings take time values in seconds or another common time
946           unit, depending on the suffix. The default lease time is used for
947           clients that did not ask for a specific lease time. If a client
948           asks for a lease time longer than the maximum lease time, it is
949           automatically shortened to the specified time. The default lease
950           time defaults to 1h, the maximum lease time to 12h. Shorter lease
951           times are beneficial if the configuration data in DHCP leases
952           changes frequently and clients shall learn the new settings with
953           shorter latencies. Longer lease times reduce the generated DHCP
954           network traffic.
955
956       EmitDNS=, DNS=
957           Configures whether the DHCP leases handed out to clients shall
958           contain DNS server information. The EmitDNS= setting takes a
959           boolean argument and defaults to "yes". The DNS servers to pass to
960           clients may be configured with the DNS= option, which takes a list
961           of IPv4 addresses. If the EmitDNS= option is enabled but no servers
962           configured, the servers are automatically propagated from an
963           "uplink" interface that has appropriate servers set. The "uplink"
964           interface is determined by the default route of the system with the
965           highest priority. Note that this information is acquired at the
966           time the lease is handed out, and does not take uplink interfaces
967           into account that acquire DNS or NTP server information at a later
968           point. DNS server propagation does not take /etc/resolv.conf into
969           account. Also, note that the leases are not refreshed if the uplink
970           network configuration changes. To ensure clients regularly acquire
971           the most current uplink DNS server information, it is thus
972           advisable to shorten the DHCP lease time via MaxLeaseTimeSec=
973           described above.
974
975       EmitNTP=, NTP=
976           Similar to the EmitDNS= and DNS= settings described above, these
977           settings configure whether and what NTP server information shall be
978           emitted as part of the DHCP lease. The same syntax, propagation
979           semantics and defaults apply as for EmitDNS= and DNS=.
980
981       EmitRouter=
982           Similar to the EmitDNS= setting described above, this setting
983           configures whether the DHCP lease should contain the router option.
984           The same syntax, propagation semantics and defaults apply as for
985           EmitDNS=.
986
987       EmitTimezone=, Timezone=
988           Configures whether the DHCP leases handed out to clients shall
989           contain timezone information. The EmitTimezone= setting takes a
990           boolean argument and defaults to "yes". The Timezone= setting takes
991           a timezone string (such as "Europe/Berlin" or "UTC") to pass to
992           clients. If no explicit timezone is set, the system timezone of the
993           local host is propagated, as determined by the /etc/localtime
994           symlink.
995

[IPV6PREFIXDELEGATION] SECTION OPTIONS

997       The "[IPv6PrefixDelegation]" section contains settings for sending IPv6
998       Router Advertisements and whether to act as a router, if enabled via
999       the IPv6PrefixDelegation= option described above. IPv6 network prefixes
1000       are defined with one or more "[IPv6Prefix]" sections.
1001
1002       Managed=, OtherInformation=
1003           Controls whether a DHCPv6 server is used to acquire IPv6 addresses
1004           on the network link when Managed= boolean is set to "true" or if
1005           only additional network information can be obtained via DHCPv6 for
1006           the network link when OtherInformation= boolean is set to "true".
1007           Both settings default to "false", which means that a DHCPv6 server
1008           is not being used.
1009
1010       RouterLifetimeSec=
1011           Configures the IPv6 router lifetime in seconds. If set, this host
1012           also announces itself in Router Advertisements as an IPv6 router
1013           for the network link. Defaults to unset, which means the host is
1014           not acting as a router.
1015
1016       RouterPreference=
1017           Configures IPv6 router preference if RouterLifetimeSec= is
1018           non-zero. Valid values are "high", "medium" and "low", with
1019           "normal" and "default" added as synonyms for "medium" just to make
1020           configuration easier. See RFC 4191[13] for details. Defaults to
1021           "medium".
1022
1023       EmitDNS=, DNS=
1024           DNS= specifies a list of recursive DNS server IPv6 addresses that
1025           are distributed via Router Advertisement messages when EmitDNS= is
1026           true. If DNS= is empty, DNS servers are read from the "[Network]"
1027           section. If the "[Network]" section does not contain any DNS
1028           servers either, DNS servers from the uplink with the highest
1029           priority default route are used. When EmitDNS= is false, no DNS
1030           server information is sent in Router Advertisement messages.
1031           EmitDNS= defaults to true.
1032
1033       EmitDomains=, Domains=
1034           A list of DNS search domains distributed via Router Advertisement
1035           messages when EmitDomains= is true. If Domains= is empty, DNS
1036           search domains are read from the "[Network]" section. If the
1037           "[Network]" section does not contain any DNS search domains either,
1038           DNS search domains from the uplink with the highest priority
1039           default route are used. When EmitDomains= is false, no DNS search
1040           domain information is sent in Router Advertisement messages.
1041           EmitDomains= defaults to true.
1042
1043       DNSLifetimeSec=
1044           Lifetime in seconds for the DNS server addresses listed in DNS= and
1045           search domains listed in Domains=.
1046

[IPV6PREFIX] SECTION OPTIONS

1048       One or more "[IPv6Prefix]" sections contain the IPv6 prefixes that are
1049       announced via Router Advertisements. See RFC 4861[16] for further
1050       details.
1051
1052       AddressAutoconfiguration=, OnLink=
1053           Boolean values to specify whether IPv6 addresses can be
1054           autoconfigured with this prefix and whether the prefix can be used
1055           for onlink determination. Both settings default to "true" in order
1056           to ease configuration.
1057
1058       Prefix=
1059           The IPv6 prefix that is to be distributed to hosts. Similarly to
1060           configuring static IPv6 addresses, the setting is configured as an
1061           IPv6 prefix and its prefix length, separated by a "/" character.
1062           Use multiple "[IPv6Prefix]" sections to configure multiple IPv6
1063           prefixes since prefix lifetimes, address autoconfiguration and
1064           onlink status may differ from one prefix to another.
1065
1066       PreferredLifetimeSec=, ValidLifetimeSec=
1067           Preferred and valid lifetimes for the prefix measured in seconds.
1068           PreferredLifetimeSec= defaults to 604800 seconds (one week) and
1069           ValidLifetimeSec= defaults to 2592000 seconds (30 days).
1070

[BRIDGE] SECTION OPTIONS

1072       The "[Bridge]" section accepts the following keys.
1073
1074       UnicastFlood=
1075           A boolean. Controls whether the bridge should flood traffic for
1076           which an FDB entry is missing and the destination is unknown
1077           through this port. Defaults to unset.
1078
1079       HairPin=
1080           A boolean. Configures whether traffic may be sent back out of the
1081           port on which it was received. Defaults to unset. When this flag is
1082           false, the bridge will not forward traffic back out of the
1083           receiving port.
1084
1085       UseBPDU=
1086           A boolean. Configures whether STP Bridge Protocol Data Units will
1087           be processed by the bridge port. Defaults to unset.
1088
1089       FastLeave=
1090           A boolean. This flag allows the bridge to immediately stop
1091           multicast traffic on a port that receives an IGMP Leave message. It
1092           is only used with IGMP snooping if enabled on the bridge. Defaults
1093           to unset.
1094
1095       AllowPortToBeRoot=
1096           A boolean. Configures whether a given port is allowed to become a
1097           root port. Only used when STP is enabled on the bridge. Defaults to
1098           unset.
1099
1100       Cost=
1101           Sets the "cost" of sending packets on this interface. Each port in
1102           a bridge may have a different speed and the cost is used to decide
1103           which link to use. Faster interfaces should have lower costs. It is
1104           an integer value between 1 and 65535.
1105
1106       Priority=
1107           Sets the "priority" of sending packets on this interface. Each port
1108           in a bridge may have a different priority which is used to decide
1109           which link to use. Lower value means higher priority. It is an
1110           integer value between 0 and 63. Networkd does not set any default,
1111           meaning the kernel default value of 32 is used.
1112

[BRIDGEFDB] SECTION OPTIONS

1114       The "[BridgeFDB]" section manages the forwarding database table of a
1115       port and accepts the following keys. Specify several "[BridgeFDB]"
1116       sections to configure several static MAC table entries.
1117
1118       MACAddress=
1119           As in the "[Network]" section. This key is mandatory.
1120
1121       VLANId=
1122           The VLAN ID for the new static MAC table entry. If omitted, no VLAN
1123           ID information is appended to the new static MAC table entry.
1124

[CAN] SECTION OPTIONS

1126       The "[CAN]" section manages the Controller Area Network (CAN bus) and
1127       accepts the following keys.
1128
1129       BitRate=
1130           The bitrate of CAN device in bits per second. The usual SI prefixes
1131           (K, M) with the base of 1000 can be used here.
1132
1133       SamplePoint=
1134           Optional sample point in percent with one decimal (e.g.  "75%",
1135           "87.5%") or permille (e.g.  "875‰").
1136
1137       RestartSec=
1138           Automatic restart delay time. If set to a non-zero value, a restart
1139           of the CAN controller will be triggered automatically in case of a
1140           bus-off condition after the specified delay time. Subsecond delays
1141           can be specified using decimals (e.g.  "0.1s") or a "ms" or "us"
1142           postfix. Using "infinity" or "0" will turn the automatic restart
1143           off. By default automatic restart is disabled.
1144

[BRIDGEVLAN] SECTION OPTIONS

1146       The "[BridgeVLAN]" section manages the VLAN ID configuration of a
1147       bridge port and accepts the following keys. Specify several
1148       "[BridgeVLAN]" sections to configure several VLAN entries. The
1149       VLANFiltering= option has to be enabled, see "[Bridge]" section in
1150       systemd.netdev(5).
1151
1152       VLAN=
1153           The VLAN ID allowed on the port. This can be either a single ID or
1154           a range M-N. VLAN IDs are valid from 1 to 4094.
1155
1156       EgressUntagged=
1157           The VLAN ID specified here will be used to untag frames on egress.
1158           Configuring EgressUntagged= implies the use of VLAN= above and
1159           will enable the VLAN ID for ingress as well. This can be either a
1160           single ID or a range M-N.
1161
1162       PVID=
1163           The Port VLAN ID specified here is assigned to all untagged frames
1164           at ingress.  PVID= can be used only once. Configuring PVID=
1165           implies the use of VLAN= above and will enable the VLAN ID for
1166           ingress as well.
1167

EXAMPLES

1169       Example 1. Static network configuration
1170
1171           # /etc/systemd/network/50-static.network
1172           [Match]
1173           Name=enp2s0
1174
1175           [Network]
1176           Address=192.168.0.15/24
           Gateway=192.168.0.1

       This brings interface "enp2s0" up with a static address. The specified
       gateway will be used for a default route.

       Example 2. DHCP on ethernet links

           # /etc/systemd/network/80-dhcp.network
           [Match]
           Name=en*

           [Network]
           DHCP=yes

       This will enable DHCPv4 and DHCPv6 on all interfaces with names
       starting with "en" (i.e. ethernet interfaces).

       Example 3. A bridge with two enslaved links

           # /etc/systemd/network/25-bridge-static.network
           [Match]
           Name=bridge0

           [Network]
           Address=192.168.0.15/24
           Gateway=192.168.0.1
           DNS=192.168.0.1

           # /etc/systemd/network/25-bridge-slave-interface-1.network
           [Match]
           Name=enp2s0

           [Network]
           Bridge=bridge0

           # /etc/systemd/network/25-bridge-slave-interface-2.network
           [Match]
           Name=wlp3s0

           [Network]
           Bridge=bridge0

       This creates a bridge and attaches devices "enp2s0" and "wlp3s0" to it.
       The bridge will have the specified static address and network assigned,
       and a default route via the specified gateway will be added. The
       specified DNS server will be added to the global list of DNS resolvers.

       Example 4.

           # /etc/systemd/network/20-bridge-slave-interface-vlan.network
           [Match]
           Name=enp2s0

           [Network]
           Bridge=bridge0

           [BridgeVLAN]
           VLAN=1-32
           PVID=42
           EgressUntagged=42

           [BridgeVLAN]
           VLAN=100-200

           [BridgeVLAN]
           EgressUntagged=300-400

       This overrides the configuration specified in the previous example for
       the interface "enp2s0", and enables VLAN on that bridge port. VLAN IDs
       1-32, 42, 100-400 will be allowed. Packets tagged with VLAN IDs 42,
       300-400 will be untagged when they leave on this interface. Untagged
       packets which arrive on this interface will be assigned VLAN ID 42.

       Example 5. Various tunnels

           # /etc/systemd/network/25-tunnels.network
           [Match]
           Name=ens1

           [Network]
           Tunnel=ipip-tun
           Tunnel=sit-tun
           Tunnel=gre-tun
           Tunnel=vti-tun

           # /etc/systemd/network/25-tunnel-ipip.netdev
           [NetDev]
           Name=ipip-tun
           Kind=ipip

           # /etc/systemd/network/25-tunnel-sit.netdev
           [NetDev]
           Name=sit-tun
           Kind=sit

           # /etc/systemd/network/25-tunnel-gre.netdev
           [NetDev]
           Name=gre-tun
           Kind=gre

           # /etc/systemd/network/25-tunnel-vti.netdev
           [NetDev]
           Name=vti-tun
           Kind=vti

       This will bring interface "ens1" up and create an IPIP tunnel, a SIT
       tunnel, a GRE tunnel, and a VTI tunnel using it.

       Example 6. A bond device

           # /etc/systemd/network/30-bond1.network
           [Match]
           Name=bond1

           [Network]
           DHCP=ipv6

           # /etc/systemd/network/30-bond1.netdev
           [NetDev]
           Name=bond1
           Kind=bond

           # /etc/systemd/network/30-bond1-dev1.network
           [Match]
           MACAddress=52:54:00:e9:64:41

           [Network]
           Bond=bond1

           # /etc/systemd/network/30-bond1-dev2.network
           [Match]
           MACAddress=52:54:00:e9:64:42

           [Network]
           Bond=bond1

       This will create a bond device "bond1" and enslave the two devices with
       MAC addresses 52:54:00:e9:64:41 and 52:54:00:e9:64:42 to it. IPv6 DHCP
       will be used to acquire an address.

       Example 7. Virtual Routing and Forwarding (VRF)

       Add the "bond1" interface to the VRF master interface "vrf1". This will
       redirect routes generated on this interface to be within the routing
       table defined during VRF creation. For kernels before 4.8, traffic
       won't be redirected towards the VRF's routing table unless specific
       ip-rules are added.

           # /etc/systemd/network/25-vrf.network
           [Match]
           Name=bond1

           [Network]
           VRF=vrf1

       Example 8. MacVTap

       This brings up a network interface "macvtap-test" and attaches it to
       "enp0s25".

           # /usr/lib/systemd/network/25-macvtap.network
           [Match]
           Name=enp0s25

           [Network]
           MACVTAP=macvtap-test

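       Reviewing a directory of such files usually starts with which links
       end up attached to which bridge, bond or VRF master, and which files
       enable DHCP for a whole class of links, as Example 2 does. The Python
       sketch below is an added example, not part of systemd: its parser is a
       simplified stand-in for networkd's own (no drop-ins, no line
       continuation), and the function names and sample data are constructed.

```python
from collections import defaultdict
# Constructed input: the .network files of Examples 2, 3, 6 and 7 above, by file name.
FILES = {
    "80-dhcp.network": "[Match]\nName=en*\n[Network]\nDHCP=yes\n",
    "25-bridge-slave-interface-1.network": "[Match]\nName=enp2s0\n[Network]\nBridge=bridge0\n",
    "25-bridge-slave-interface-2.network": "[Match]\nName=wlp3s0\n[Network]\nBridge=bridge0\n",
    "30-bond1-dev1.network": "[Match]\nMACAddress=52:54:00:e9:64:41\n[Network]\nBond=bond1\n",
    "30-bond1-dev2.network": "[Match]\nMACAddress=52:54:00:e9:64:42\n[Network]\nBond=bond1\n",
    "25-vrf.network": "[Match]\nName=bond1\n[Network]\nVRF=vrf1\n",
}
MASTER_KEYS = ("Bridge", "Bond", "VRF")  # [Network] keys that attach a link to a master
FALSE = {"0", "no", "n", "false", "f", "off"}  # spellings this example treats as "DHCP off"

def parse_unit(text):
    """Return {section: {key: [values]}}; repeated sections and keys are merged."""
    unit = defaultdict(lambda: defaultdict(list))
    section = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            unit[section][key.strip()].append(value.strip())
    return unit

def attachments(files):
    """Return {"Kind=master": [the [Match] expression of each file attaching links to it]}."""
    result = defaultdict(list)
    for name in sorted(files):
        unit = parse_unit(files[name])
        match = " ".join(f"{k}={v}" for k, vals in sorted(unit["Match"].items()) for v in vals)
        for kind in MASTER_KEYS:
            for master in unit["Network"].get(kind, []):
                result[f"{kind}={master}"].append(match or "(every link)")
    return dict(result)

def broad_dhcp(files):
    """Return files enabling DHCP under a glob or empty [Match] (a review heuristic)."""
    hits = []
    for name in sorted(files):
        unit = parse_unit(files[name])
        values = [v for vals in unit["Match"].values() for v in vals]
        broad = not values or any(c in v for v in values for c in "*?[")
        if broad and unit["Network"].get("DHCP", ["no"])[-1].lower() not in FALSE:
            hits.append(name)
    return hits

if __name__ == "__main__":
    print(attachments(FILES), broad_dhcp(FILES))
```

       Because parse_unit() merges repeated sections instead of overwriting
       them, it also reads files with several [BridgeVLAN] sections, as in
       Example 4.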

SEE ALSO

       systemd(1), systemd-networkd.service(8), systemd.link(5),
       systemd.netdev(5), systemd-resolved.service(8)


NOTES

        1. Link-Local Multicast Name Resolution
           https://tools.ietf.org/html/rfc4795

        2. Multicast DNS
           https://tools.ietf.org/html/rfc6762

        3. DNS-over-TLS
           https://tools.ietf.org/html/rfc7858

        4. DNSSEC
           https://tools.ietf.org/html/rfc4033

        5. IEEE 802.1AB-2016
           https://standards.ieee.org/findstds/standard/802.1AB-2016.html

        6. ip-sysctl.txt
           https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt

        7. RFC 4941
           https://tools.ietf.org/html/rfc4941

        8. RFC 1027
           https://tools.ietf.org/html/rfc1027

        9. RFC 6275
           https://tools.ietf.org/html/rfc6275

       10. RFC 4862
           https://tools.ietf.org/html/rfc4862

       11. RFC 3041
           https://tools.ietf.org/html/rfc3041

       12. RFC 3484
           https://tools.ietf.org/html/rfc3484

       13. RFC 4191
           https://tools.ietf.org/html/rfc4191

       14. RFC 7844
           https://tools.ietf.org/html/rfc7844

       15. RFC 3315
           https://tools.ietf.org/html/rfc3315#section-17.2.1

       16. RFC 4861
           https://tools.ietf.org/html/rfc4861

systemd 239                                                 SYSTEMD.NETWORK(5)