1IP-LINK(8)                           Linux                          IP-LINK(8)
2
3
4

NAME

6       ip-link - network device configuration
7

SYNOPSIS

9       ip link  { COMMAND | help }
10
11
12       ip link add [ link DEVICE ] [ name ] NAME
13               [ txqueuelen PACKETS ]
14               [ address LLADDR ] [ broadcast LLADDR ]
15               [ mtu MTU ] [ index IDX ]
16               [ numtxqueues QUEUE_COUNT ] [ numrxqueues QUEUE_COUNT ]
17               [ gso_max_size BYTES ] [ gso_max_segs SEGMENTS ]
18               type TYPE [ ARGS ]
19
20       ip link delete { DEVICE | group GROUP } type TYPE [ ARGS ]
21
22       ip link set { DEVICE | group GROUP }
23               [ { up | down } ]
24               [ type ETYPE TYPE_ARGS ]
25               [ arp { on | off } ]
26               [ dynamic { on | off } ]
27               [ multicast { on | off } ]
28               [ allmulticast { on | off } ]
29               [ promisc { on | off } ]
30               [ protodown { on | off } ]
31               [ trailers { on | off } ]
32               [ txqueuelen PACKETS ]
33               [ name NEWNAME ]
34               [ address LLADDR ]
35               [ broadcast LLADDR ]
36               [ mtu MTU ]
37               [ netns { PID | NETNSNAME } ]
38               [ link-netnsid ID ]
39               [ alias NAME ]
40               [ vf NUM [ mac LLADDR ]
41                        [ VFVLAN-LIST ]
42                        [ rate TXRATE ]
43                        [ max_tx_rate TXRATE ]
44                        [ min_tx_rate TXRATE ]
45                        [ spoofchk { on | off } ]
46                        [ query_rss { on | off } ]
47                        [ state { auto | enable | disable } ]
48                        [ trust { on | off } ]
49                        [ node_guid eui64 ]
50                        [ port_guid eui64 ] ]
51               [ { xdp | xdpgeneric | xdpdrv | xdpoffload } { off |
52                       object FILE [ section NAME ] [ verbose ] |
53                       pinned FILE } ]
54               [ master DEVICE ]
55               [ nomaster ]
56               [ vrf NAME ]
57               [ addrgenmode { eui64 | none | stable_secret | random } ]
58               [ macaddr { flush | { add | del } MACADDR | set [ MACADDR [
59               MACADDR [ ... ] ] ] } ]
60
61       ip link show [ DEVICE | group GROUP ] [ up ] [ master DEVICE ] [ type
62               ETYPE ] [ vrf NAME ]
63
64       ip link xstats type TYPE [ ARGS ]
65
66       ip link afstats [ dev DEVICE ]
67
68       ip link help [ TYPE ]
69
70       TYPE := [ bridge | bond | can | dummy | hsr | ifb | ipoib | macvlan |
71               macvtap | vcan | vxcan | veth | vlan | vxlan | ip6tnl | ipip |
72               sit | gre | gretap | erspan | ip6gre | ip6gretap | ip6erspan |
73               vti | nlmon | ipvlan | ipvtap | lowpan | geneve | vrf | macsec
74               | netdevsim | rmnet ]
75
76       ETYPE := [ TYPE | bridge_slave | bond_slave ]
77
78       VFVLAN-LIST := [ VFVLAN-LIST ] VFVLAN
79
80       VFVLAN := [ vlan VLANID [ qos VLAN-QOS ] [ proto VLAN-PROTO ] ]
81
82

DESCRIPTION

84   ip link add - add virtual link
85       link DEVICE
86              specifies the physical device to act operate on.
87
88              NAME specifies the name of the new virtual device.
89
90              TYPE specifies the type of the new device.
91
92              Link types:
93
94                      bridge - Ethernet Bridge device
95
96                      bond - Bonding device
97
98                      dummy - Dummy network interface
99
100                      hsr - High-availability Seamless Redundancy device
101
102                      ifb - Intermediate Functional Block device
103
104                      ipoib - IP over Infiniband device
105
106                      macvlan - Virtual interface base on link layer address
107                      (MAC)
108
109                      macvtap - Virtual interface based on link layer address
110                      (MAC) and TAP.
111
112                      vcan - Virtual Controller Area Network interface
113
114                      vxcan - Virtual Controller Area Network tunnel interface
115
116                      veth - Virtual ethernet interface
117
118                      vlan - 802.1q tagged virtual LAN interface
119
120                      vxlan - Virtual eXtended LAN
121
122                      ip6tnl - Virtual tunnel interface IPv4|IPv6 over IPv6
123
124                      ipip - Virtual tunnel interface IPv4 over IPv4
125
126                      sit - Virtual tunnel interface IPv6 over IPv4
127
128                      gre - Virtual tunnel interface GRE over IPv4
129
130                      gretap - Virtual L2 tunnel interface GRE over IPv4
131
132                      erspan - Encapsulated Remote SPAN over GRE and IPv4
133
134                      ip6gre - Virtual tunnel interface GRE over IPv6
135
136                      ip6gretap - Virtual L2 tunnel interface GRE over IPv6
137
138                      ip6erspan - Encapsulated Remote SPAN over GRE and IPv6
139
140                      vti - Virtual tunnel interface
141
142                      nlmon - Netlink monitoring device
143
144                      ipvlan - Interface for L3 (IPv6/IPv4) based VLANs
145
146                      ipvtap - Interface for L3 (IPv6/IPv4) based VLANs and
147                      TAP
148
149                      lowpan - Interface for 6LoWPAN (IPv6) over IEEE 802.15.4
150                      / Bluetooth
151
152                      geneve - GEneric NEtwork Virtualization Encapsulation
153
154                      macsec - Interface for IEEE 802.1AE MAC Security (MAC‐
155                      sec)
156
157                      vrf - Interface for L3 VRF domains
158
159                      netdevsim - Interface for netdev API tests
160
161                      rmnet - Qualcomm rmnet device
162
163
164       numtxqueues QUEUE_COUNT
165              specifies the number of transmit queues for new device.
166
167
168       numrxqueues QUEUE_COUNT
169              specifies the number of receive queues for new device.
170
171
172       gso_max_size BYTES
173              specifies the recommended maximum size of a Generic Segment Off‐
174              load packet the new device should accept.
175
176
177       gso_max_segs SEGMENTS
178              specifies the recommended maximum number of a Generic Segment
179              Offload segments the new device should accept.
180
181
182       index IDX
183              specifies the desired index of the new virtual device. The link
184              creation fails, if the index is busy.
185
186
187       VLAN Type Support
188              For a link of type VLAN the following additional arguments are
189              supported:
190
191              ip link add link DEVICE name NAME type vlan [ protocol
192              VLAN_PROTO ] id VLANID [ reorder_hdr { on | off } ] [ gvrp { on
193              | off } ] [ mvrp { on | off } ] [ loose_binding { on | off } ] [
194              ingress-qos-map QOS-MAP ] [ egress-qos-map QOS-MAP ]
195
196
197                      protocol VLAN_PROTO - either 802.1Q or 802.1ad.
198
199                      id VLANID - specifies the VLAN Identifer to use. Note
200                      that numbers with a leading " 0 " or " 0x " are inter‐
201                      preted as octal or hexadeimal, respectively.
202
203                      reorder_hdr { on | off } - specifies whether ethernet
204                      headers are reordered or not (default is on).
205
206                          If reorder_hdr is on then VLAN header will be not
207                          inserted immediately but only before passing to the
208                          physical device (if this device does not support
209                          VLAN offloading), the similar on the RX direction -
210                          by default the packet will be untagged before being
211                          received by VLAN device. Reordering allows to accel‐
212                          erate tagging on egress and to hide VLAN header on
213                          ingress so the packet looks like regular Ethernet
214                          packet, at the same time it might be confusing for
215                          packet capture as the VLAN header does not exist
216                          within the packet.
217
218                          VLAN offloading can be checked by ethtool(8):
219
220                              ethtool -k <phy_dev> | grep tx-vlan-offload
221
222                          where <phy_dev> is the physical device to which VLAN
223                          device is bound.
224
225                      gvrp { on | off } - specifies whether this VLAN should
226                      be registered using GARP VLAN Registration Protocol.
227
228                      mvrp { on | off } - specifies whether this VLAN should
229                      be registered using Multiple VLAN Registration Protocol.
230
231                      loose_binding { on | off } - specifies whether the VLAN
232                      device state is bound to the physical device state.
233
234                      ingress-qos-map QOS-MAP - defines a mapping of VLAN
235                      header prio field to the Linux internal packet priority
236                      on incoming frames. The format is FROM:TO with multiple
237                      mappings separated by spaces.
238
239                      egress-qos-map QOS-MAP - defines a mapping of Linux
240                      internal packet priority to VLAN header prio field but
241                      for outgoing frames. The format is the same as for
242                      ingress-qos-map.
243
244                          Linux packet priority can be set by iptables(8):
245
246                              iptables -t mangle -A POSTROUTING [...] -j CLAS‐
247                              SIFY --set-class 0:4
248
249                          and this "4" priority can be used in the egress qos
250                          mapping to set VLAN prio "5":
251
252                              ip link set veth0.10 type vlan egress 4:5
253
254
255       VXLAN Type Support
256              For a link of type VXLAN the following additional arguments are
257              supported:
258
259              ip link add DEVICE type vxlan id VNI [ dev PHYS_DEV  ] [ { group
260              | remote } IPADDR ] [ local { IPADDR | any } ] [ ttl TTL ] [ tos
261              TOS ] [ flowlabel FLOWLABEL ] [ dstport PORT ] [ srcport MIN MAX
262              ] [ [no]learning ] [ [no]proxy ] [ [no]rsc ] [ [no]l2miss ] [
263              [no]l3miss ] [ [no]udpcsum ] [ [no]udp6zerocsumtx ] [
264              [no]udp6zerocsumrx ] [ ageing SECONDS ] [ maxaddress NUMBER ] [
265              [no]external ] [ gbp ] [ gpe ]
266
267
268                      id VNI - specifies the VXLAN Network Identifer (or VXLAN
269                      Segment Identifier) to use.
270
271                      dev PHYS_DEV - specifies the physical device to use for
272                      tunnel endpoint communication.
273
274
275                      group IPADDR - specifies the multicast IP address to
276                      join.  This parameter cannot be specified with the
277                      remote parameter.
278
279
280                      remote IPADDR - specifies the unicast destination IP
281                      address to use in outgoing packets when the destination
282                      link layer address is not known in the VXLAN device for‐
283                      warding database. This parameter cannot be specified
284                      with the group parameter.
285
286
287                      local IPADDR - specifies the source IP address to use in
288                      outgoing packets.
289
290
291                      ttl TTL - specifies the TTL value to use in outgoing
292                      packets.
293
294
295                      tos TOS - specifies the TOS value to use in outgoing
296                      packets.
297
298
299                      flowlabel FLOWLABEL - specifies the flow label to use in
300                      outgoing packets.
301
302
303                      dstport PORT - specifies the UDP destination port to
304                      communicate to the remote VXLAN tunnel endpoint.
305
306
307                      srcport MIN MAX - specifies the range of port numbers to
308                      use as UDP source ports to communicate to the remote
309                      VXLAN tunnel endpoint.
310
311
312                      [no]learning - specifies if unknown source link layer
313                      addresses and IP addresses are entered into the VXLAN
314                      device forwarding database.
315
316
317                      [no]rsc - specifies if route short circuit is turned on.
318
319
320                      [no]proxy - specifies ARP proxy is turned on.
321
322
323                      [no]l2miss - specifies if netlink LLADDR miss notifica‐
324                      tions are generated.
325
326
327                      [no]l3miss - specifies if netlink IP ADDR miss notifica‐
328                      tions are generated.
329
330
331                      [no]udpcsum - specifies if UDP checksum is calculated
332                      for transmitted packets over IPv4.
333
334
335                      [no]udp6zerocsumtx - skip UDP checksum calculation for
336                      transmitted packets over IPv6.
337
338
339                      [no]udp6zerocsumrx - allow incoming UDP packets over
340                      IPv6 with zero checksum field.
341
342
343                      ageing SECONDS - specifies the lifetime in seconds of
344                      FDB entries learnt by the kernel.
345
346
347                      maxaddress NUMBER - specifies the maximum number of FDB
348                      entries.
349
350
351                      [no]external - specifies whether an external control
352                      plane (e.g. ip route encap) or the internal FDB should
353                      be used.
354
355
356                      gbp - enables the Group Policy extension (VXLAN-GBP).
357
358                          Allows to transport group policy context across
359                          VXLAN network peers.  If enabled, includes the mark
360                          of a packet in the VXLAN header for outgoing packets
361                          and fills the packet mark based on the information
362                          found in the VXLAN header for incoming packets.
363
364                          Format of upper 16 bits of packet mark (flags);
365
366                            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
367                            |-|-|-|-|-|-|-|-|-|D|-|-|A|-|-|-|
368                            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
369
370                            D := Don't Learn bit. When set, this bit indicates
371                            that the egress VTEP MUST NOT learn the source
372                            address of the encapsulated frame.
373
374                            A := Indicates that the group policy has already
375                            been applied to this packet. Policies MUST NOT be
376                            applied by devices when the A bit is set.
377
378                          Format of lower 16 bits of packet mark (policy ID):
379
380                            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
381                            |        Group Policy ID        |
382                            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
383
384                          Example:
385                            iptables -A OUTPUT [...] -j MARK --set-mark
386                          0x800FF
387
388
389
390                      gpe - enables the Generic Protocol extension (VXLAN-
391                      GPE). Currently, this is only supported together with
392                      the external keyword.
393
394
395
396       VETH, VXCAN Type Support
397              For a link of types VETH/VXCAN the following additional argu‐
398              ments are supported:
399
400              ip link add DEVICE type { veth | vxcan } [ peer name NAME ]
401
402
403                      peer name NAME - specifies the virtual pair device name
404                      of the VETH/VXCAN tunnel.
405
406
407
408       IPIP, SIT Type Support
409              For a link of type IPIPorSIT the following additional arguments
410              are supported:
411
412              ip link add DEVICE type { ipip | sit }  remote ADDR local ADDR [
413              encap { fou | gue | none } ] [ encap-sport { PORT | auto } ] [
414              encap-dport PORT ] [ [no]encap-csum ] [  [no]encap-remcsum ] [
415              mode  { ip6ip | ipip | mplsip | any } ] [ external ]
416
417
418                      remote ADDR - specifies the remote address of the tun‐
419                      nel.
420
421
422                      local ADDR - specifies the fixed local address for tun‐
423                      neled packets.  It must be an address on another inter‐
424                      face on this host.
425
426
427                      encap { fou | gue | none } - specifies type of secondary
428                      UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue"
429                      indicates Generic UDP Encapsulation.
430
431
432                      encap-sport { PORT | auto } - specifies the source port
433                      in UDP encapsulation.  PORT indicates the port by num‐
434                      ber, "auto" indicates that the port number should be
435                      chosen automatically (the kernel picks a flow based on
436                      the flow hash of the encapsulated packet).
437
438
439                      [no]encap-csum - specifies if UDP checksums are enabled
440                      in the secondary encapsulation.
441
442
443                      [no]encap-remcsum - specifies if Remote Checksum Offload
444                      is enabled. This is only applicable for Generic UDP
445                      Encapsulation.
446
447
448                      mode { ip6ip | ipip | mplsip | any } - specifies mode in
449                      which device should run. "ip6ip" indicates IPv6-Over-
450                      IPv4, "ipip" indicates "IPv4-Over-IPv4", "mplsip" indi‐
451                      cates MPLS-Over-IPv4, "any" indicates IPv6, IPv4 or MPLS
452                      Over IPv4. Supported for SIT where the default is
453                      "ip6ip" and IPIP where the default is "ipip".
454                      IPv6-Over-IPv4 is not supported for IPIP.
455
456
457                      external - make this tunnel externally controlled (e.g.
458                      ip route encap).
459
460
461       GRE Type Support
462              For a link of type GRE or GRETAP the following additional argu‐
463              ments are supported:
464
465              ip link add DEVICE type { gre | gretap }  remote ADDR local ADDR
466              [ [no][i|o]seq ] [ [i|o]key KEY | no[i|o]key ] [ [no][i|o]csum ]
467              [ ttl TTL ] [ tos TOS ] [ [no]pmtudisc ] [ [no]ignore-df ] [ dev
468              PHYS_DEV ] [ encap { fou | gue | none } ] [ encap-sport { PORT |
469              auto } ] [ encap-dport PORT ] [ [no]encap-csum ] [ [no]encap-
470              remcsum ] [ external ]
471
472
473                      remote ADDR - specifies the remote address of the tun‐
474                      nel.
475
476
477                      local ADDR - specifies the fixed local address for tun‐
478                      neled packets.  It must be an address on another inter‐
479                      face on this host.
480
481
482                      [no][i|o]seq - serialize packets.  The oseq flag enables
483                      sequencing of outgoing packets.  The iseq flag requires
484                      that all input packets are serialized.
485
486
487                      [i|o]key KEY | no[i|o]key - use keyed GRE with key KEY.
488                      KEY is either a number or an IPv4 address-like dotted
489                      quad.  The key parameter specifies the same key to use
490                      in both directions.  The ikey and okey parameters spec‐
491                      ify different keys for input and output.
492
493
494                      [no][i|o]csum - generate/require checksums for tunneled
495                      packets.  The ocsum flag calculates checksums for outgo‐
496                      ing packets.  The icsum flag requires that all input
497                      packets have the correct checksum. The csum flag is
498                      equivalent to the combination icsum ocsum .
499
500
501                      ttl TTL - specifies the TTL value to use in outgoing
502                      packets.
503
504
505                      tos TOS - specifies the TOS value to use in outgoing
506                      packets.
507
508
509                      [no]pmtudisc - enables/disables Path MTU Discovery on
510                      this tunnel.  It is enabled by default. Note that a
511                      fixed ttl is incompatible with this option: tunneling
512                      with a fixed ttl always makes pmtu discovery.
513
514
515                      [no]ignore-df - enables/disables IPv4 DF suppression on
516                      this tunnel.  Normally datagrams that exceed the MTU
517                      will be fragmented; the presence of the DF flag inhibits
518                      this, resulting instead in an ICMP Unreachable (Fragmen‐
519                      tation Required) message.  Enabling this attribute
520                      causes the DF flag to be ignored.
521
522
523                      dev PHYS_DEV - specifies the physical device to use for
524                      tunnel endpoint communication.
525
526
527                      encap { fou | gue | none } - specifies type of secondary
528                      UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue"
529                      indicates Generic UDP Encapsulation.
530
531
532                      encap-sport { PORT | auto } - specifies the source port
533                      in UDP encapsulation.  PORT indicates the port by num‐
534                      ber, "auto" indicates that the port number should be
535                      chosen automatically (the kernel picks a flow based on
536                      the flow hash of the encapsulated packet).
537
538
539                      [no]encap-csum - specifies if UDP checksums are enabled
540                      in the secondary encapsulation.
541
542
543                      [no]encap-remcsum - specifies if Remote Checksum Offload
544                      is enabled. This is only applicable for Generic UDP
545                      Encapsulation.
546
547
548                      external - make this tunnel externally controlled (e.g.
549                      ip route encap).
550
551
552
553       IP6GRE/IP6GRETAP Type Support
554              For a link of type IP6GRE/IP6GRETAP the following additional
555              arguments are supported:
556
557              ip link add DEVICE type { ip6gre | ip6gretap } remote ADDR local
558              ADDR [ [no][i|o]seq ] [ [i|o]key KEY | no[i|o]key ] [
559              [no][i|o]csum ] [ hoplimit TTL ] [ encaplimit ELIM ] [ tclass
560              TCLASS ] [ flowlabel FLOWLABEL ] [ dscp inherit ] [ [no]allow-
561              localremote ] [ dev PHYS_DEV ] [ external ]
562
563
564                      remote ADDR - specifies the remote IPv6 address of the
565                      tunnel.
566
567
568                      local ADDR - specifies the fixed local IPv6 address for
569                      tunneled packets.  It must be an address on another
570                      interface on this host.
571
572
573                      [no][i|o]seq - serialize packets.  The oseq flag enables
574                      sequencing of outgoing packets.  The iseq flag requires
575                      that all input packets are serialized.
576
577
578                      [i|o]key KEY | no[i|o]key - use keyed GRE with key KEY.
579                      KEY is either a number or an IPv4 address-like dotted
580                      quad.  The key parameter specifies the same key to use
581                      in both directions.  The ikey and okey parameters spec‐
582                      ify different keys for input and output.
583
584
585                      [no][i|o]csum - generate/require checksums for tunneled
586                      packets.  The ocsum flag calculates checksums for outgo‐
587                      ing packets.  The icsum flag requires that all input
588                      packets have the correct checksum. The csum flag is
589                      equivalent to the combination icsum ocsum.
590
591
592                      hoplimit TTL - specifies Hop Limit value to use in out‐
593                      going packets.
594
595
596                      encaplimit ELIM - specifies a fixed encapsulation limit.
597                      Default is 4.
598
599
600                      flowlabel FLOWLABEL - specifies a fixed flowlabel.
601
602
603                      [no]allow-localremote - specifies whether to allow
604                      remote endpoint to have an address configured on local
605                      host.
606
607
608                      tclass TCLASS - specifies the traffic class field on
609                      tunneled packets, which can be specified as either a
610                      two-digit hex value (e.g. c0) or a predefined string
611                      (e.g. internet).  The value inherit causes the field to
612                      be copied from the original IP header. The values
613                      inherit/STRING or inherit/00..ff will set the field to
614                      STRING or 00..ff when tunneling non-IP packets. The
615                      default value is 00.
616
617
618                      external - make this tunnel externally controlled (or
619                      not, which is the default).  In the kernel, this is
620                      referred to as collect metadata mode.  This flag is
621                      mutually exclusive with the remote, local, seq, key,
622                      csum, hoplimit, encaplimit, flowlabel and tclass
623                      options.
624
625
626
627       IPoIB Type Support
628              For a link of type IPoIB the following additional arguments are
629              supported:
630
631              ip link add DEVICE name NAME type ipoib [ pkey PKEY ] [ mode
632              MODE ]
633
634
635                      pkey PKEY - specifies the IB P-Key to use.
636
637                      mode MODE - specifies the mode (datagram or connected)
638                      to use.
639
640
641       ERSPAN Type Support
642              For a link of type ERSPAN/IP6ERSPAN the following additional
643              arguments are supported:
644
645              ip link add DEVICE type { erspan | ip6erspan } remote ADDR local
646              ADDR seq key KEY erspan_ver version [ erspan IDX ] [ erspan_dir
647              { ingress | egress } ] [ erspan_hwid hwid ] [ [no]allow-localre‐
648              mote ] [ external ]
649
650
651                      remote ADDR - specifies the remote address of the tun‐
652                      nel.
653
654
655                      local ADDR - specifies the fixed local address for tun‐
656                      neled packets.  It must be an address on another inter‐
657                      face on this host.
658
659
660                      erspan_ver version - specifies the ERSPAN version num‐
661                      ber.  version indicates the ERSPAN version to be cre‐
662                      ated: 1 for version 1 (type II) or 2 for version 2 (type
663                      III).
664
665
666                      erspan IDX - specifies the ERSPAN v1 index field.  IDX
667                      indicates a 20 bit index/port number associated with the
668                      ERSPAN traffic's source port and direction.
669
670
671                      erspan_dir { ingress | egress } - specifies the ERSPAN
672                      v2 mirrored traffic's direction.
673
674
675                      erspan_hwid hwid - an unique identifier of an ERSPAN v2
676                      engine within a system.  hwid is a 6-bit value for users
677                      to configure.
678
679
680                      [no]allow-localremote - specifies whether to allow
681                      remote endpoint to have an address configured on local
682                      host.
683
684
685                      external - make this tunnel externally controlled (or
686                      not, which is the default).  In the kernel, this is
687                      referred to as collect metadata mode.  This flag is
688                      mutually exclusive with the remote, local, erspan_ver,
689                      erspan, erspan_dir and erspan_hwid options.
690
691
692
693       GENEVE Type Support
694              For a link of type GENEVE the following additional arguments are
695              supported:
696
697              ip link add DEVICE type geneve id VNI remote IPADDR [ ttl TTL ]
698              [ tos TOS ] [ flowlabel FLOWLABEL ] [ dstport PORT ] [
699              [no]external ] [ [no]udpcsum ] [ [no]udp6zerocsumtx ] [
700              [no]udp6zerocsumrx ]
701
702
703                      id VNI - specifies the Virtual Network Identifer to use.
704
705
706                      remote IPADDR - specifies the unicast destination IP
707                      address to use in outgoing packets.
708
709
710                      ttl TTL - specifies the TTL value to use in outgoing
711                      packets. "0" or "auto" means use whatever default value,
712                      "inherit" means inherit the inner protocol's ttl.
713                      Default option is "0".
714
715
716                      tos TOS - specifies the TOS value to use in outgoing
717                      packets.
718
719
720                      flowlabel FLOWLABEL - specifies the flow label to use in
721                      outgoing packets.
722
723
724                      dstport PORT - select a destination port other than the
725                      default of 6081.
726
727
728                      [no]external - make this tunnel externally controlled
729                      (or not, which is the default). This flag is mutually
730                      exclusive with the id, remote, ttl, tos and flowlabel
731                      options.
732
733
734                      [no]udpcsum - specifies if UDP checksum is calculated
735                      for transmitted packets over IPv4.
736
737
738                      [no]udp6zerocsumtx - skip UDP checksum calculation for
739                      transmitted packets over IPv6.
740
741
742                      [no]udp6zerocsumrx - allow incoming UDP packets over
743                      IPv6 with zero checksum field.
744
745
746
747       MACVLAN and MACVTAP Type Support
748              For a link of type MACVLAN or MACVTAP the following additional
749              arguments are supported:
750
751              ip link add link DEVICE name NAME type { macvlan | macvtap }
752              mode { private | vepa | bridge | passthru  [ nopromisc ] |
753              source }
754
755
756                      type { macvlan | macvtap } - specifies the link type to
757                      use.  macvlan creates just a virtual interface, while
758                      macvtap in addition creates a character device /dev/tapX
759                      to be used just like a tuntap device.
760
761                      mode private - Do not allow communication between
762                      macvlan instances on the same physical interface, even
763                      if the external switch supports hairpin mode.
764
765                      mode vepa - Virtual Ethernet Port Aggregator mode. Data
766                      from one macvlan instance to the other on the same phys‐
767                      ical interface is transmitted over the physical inter‐
768                      face. Either the attached switch needs to support hair‐
769                      pin mode, or there must be a TCP/IP router forwarding
770                      the packets in order to allow communication. This is the
771                      default mode.
772
773                      mode bridge - In bridge mode, all endpoints are directly
774                      connected to each other, communication is not redirected
775                      through the physical interface's peer.
776
777                      mode passthru [ nopromisc ] - This mode gives more power
778                      to a single endpoint, usually in macvtap mode. It is not
779                      allowed for more than one endpoint on the same physical
780                      interface. All traffic will be forwarded to this end‐
781                      point, allowing virtio guests to change MAC address or
782                      set promiscuous mode in order to bridge the interface or
783                      create vlan interfaces on top of it. By default, this
784                      mode forces the underlying interface into promiscuous
785                      mode. Passing the nopromisc flag prevents this, so the
786                      promisc flag may be controlled using standard tools.
787
788                      mode source - allows one to set a list of allowed mac
789                      address, which is used to match against source mac
790                      address from received frames on underlying interface.
791                      This allows creating mac based VLAN associations,
792                      instead of standard port or tag based. The feature is
793                      useful to deploy 802.1x mac based behavior, where driv‐
794                      ers of underlying interfaces doesn't allows that.
795
796
797       High-availability Seamless Redundancy (HSR) Support
798              For a link of type HSR the following additional arguments are
799              supported:
800
801              ip link add link DEVICE name NAME type hsr slave1 SLAVE1-IF
802              slave2 SLAVE2-IF [ supervision ADDR-BYTE ] [ version { 0 | 1 } ]
803
804
805                      type hsr - specifies the link type to use, here HSR.
806
807                      slave1 SLAVE1-IF - Specifies the physical device used
808                      for the first of the two ring ports.
809
810                      slave2 SLAVE2-IF - Specifies the physical device used
811                      for the second of the two ring ports.
812
813                      supervision ADDR-BYTE - The last byte of the multicast
814                      address used for HSR supervision frames.  Default option
815                      is "0", possible values 0-255.
816
817                      version { 0 | 1 } - Selects the protocol version of the
818                      interface. Default option is "0", which corresponds to
819                      the 2010 version of the HSR standard. Option "1" acti‐
820                      vates the 2012 version.
821
822
823       BRIDGE Type Support
824              For a link of type BRIDGE the following additional arguments are
825              supported:
826
827              ip link add DEVICE type bridge [ ageing_time AGEING_TIME ] [
828              group_fwd_mask MASK ] [ group_address ADDRESS ] [ forward_delay
829              FORWARD_DELAY ] [ hello_time HELLO_TIME ] [ max_age MAX_AGE ] [
830              stp_state STP_STATE ] [ priority PRIORITY ] [ vlan_filtering
831              VLAN_FILTERING ] [ vlan_protocol VLAN_PROTOCOL ] [
832              vlan_default_pvid VLAN_DEFAULT_PVID ] [ vlan_stats_enabled
833              VLAN_STATS_ENABLED ] [ mcast_snooping MULTICAST_SNOOPING ] [
834              mcast_router MULTICAST_ROUTER ] [ mcast_query_use_ifaddr
835              MCAST_QUERY_USE_IFADDR ] [ mcast_querier MULTICAST_QUERIER ] [
836              mcast_hash_elasticity HASH_ELASTICITY ] [ mcast_hash_max
837              HASH_MAX ] [ mcast_last_member_count LAST_MEMBER_COUNT ] [
838              mcast_startup_query_count STARTUP_QUERY_COUNT ] [
839              mcast_last_member_interval LAST_MEMBER_INTERVAL ] [ mcast_mem‐
840              bership_interval MEMBERSHIP_INTERVAL ] [ mcast_querier_interval
841              QUERIER_INTERVAL ] [ mcast_query_interval QUERY_INTERVAL ] [
842              mcast_query_response_interval QUERY_RESPONSE_INTERVAL ] [
843              mcast_startup_query_interval STARTUP_QUERY_INTERVAL ] [
844              mcast_stats_enabled MCAST_STATS_ENABLED ] [ mcast_igmp_version
845              IGMP_VERSION ] [ mcast_mld_version MLD_VERSION ] [ nf_call_ipta‐
846              bles NF_CALL_IPTABLES ] [ nf_call_ip6tables NF_CALL_IP6TABLES ]
847              [ nf_call_arptables NF_CALL_ARPTABLES ]
848
849
850                      ageing_time AGEING_TIME - configure the bridge's FDB
851                      entries ageing time, ie the number of seconds a MAC
852                      address will be kept in the FDB after a packet has been
853                      received from that address. after this time has passed,
854                      entries are cleaned up.
855
856                      group_fwd_mask MASK - set the group forward mask. This
857                      is the bitmask that is applied to decide whether to for‐
858                      ward incoming frames destined to link-local addresses,
859                      ie addresses of the form 01:80:C2:00:00:0X (defaults to
860                      0, ie the bridge does not forward any link-local
861                      frames).
862
863                      group_address ADDRESS - set the MAC address of the mul‐
864                      ticast group this bridge uses for STP.  The address must
865                      be a link-local address in standard Ethernet MAC address
866                      format, ie an address of the form 01:80:C2:00:00:0X,
867                      with X in [0, 4..f].
868
869                      forward_delay FORWARD_DELAY - set the forwarding delay
870                      in seconds, ie the time spent in LISTENING state (before
871                      moving to LEARNING) and in LEARNING state (before moving
872                      to FORWARDING). Only relevant if STP is enabled. Valid
873                      values are between 2 and 30.
874
875                      hello_time HELLO_TIME - set the time in seconds between
876                      hello packets sent by the bridge, when it is a root
877                      bridge or a designated bridges. Only relevant if STP is
878                      enabled. Valid values are between 1 and 10.
879
880                      max_age MAX_AGE - set the hello packet timeout, ie the
881                      time in seconds until another bridge in the spanning
882                      tree is assumed to be dead, after reception of its last
883                      hello message. Only relevant if STP is enabled. Valid
884                      values are between 6 and 40.
885
886                      stp_state STP_STATE - turn spanning tree protocol on
887                      (STP_STATE > 0) or off (STP_STATE == 0).  for this
888                      bridge.
889
890                      priority PRIORITY - set this bridge's spanning tree pri‐
891                      ority, used during STP root bridge election.  PRIORITY
892                      is a 16bit unsigned integer.
893
894                      vlan_filtering VLAN_FILTERING - turn VLAN filtering on
895                      (VLAN_FILTERING > 0) or off (VLAN_FILTERING == 0).  When
896                      disabled, the bridge will not consider the VLAN tag when
897                      handling packets.
898
899                      vlan_protocol { 802.1Q | 802.1ad } - set the protocol
900                      used for VLAN filtering.
901
902                      vlan_default_pvid VLAN_DEFAULT_PVID - set the default
903                      PVID (native/untagged VLAN ID) for this bridge.
904
905                      vlan_stats_enabled VLAN_STATS_ENABLED - enable
906                      (VLAN_STATS_ENABLED == 1) or disable (VLAN_STATS_ENABLED
907                      == 0) per-VLAN stats accounting.
908
909                      mcast_snooping MULTICAST_SNOOPING - turn multicast
910                      snooping on (MULTICAST_SNOOPING > 0) or off (MULTI‐
911                      CAST_SNOOPING == 0).
912
913                      mcast_router MULTICAST_ROUTER - set bridge's multicast
914                      router if IGMP snooping is enabled.  MULTICAST_ROUTER is
915                      an integer value having the following meaning:
916
917                              0 - disabled.
918
919                              1 - automatic (queried).
920
921                              2 - permanently enabled.
922
923                      mcast_query_use_ifaddr MCAST_QUERY_USE_IFADDR - whether
924                      to use the bridge's own IP address as source address for
925                      IGMP queries (MCAST_QUERY_USE_IFADDR > 0) or the default
926                      of 0.0.0.0 (MCAST_QUERY_USE_IFADDR == 0).
927
928                      mcast_querier MULTICAST_QUERIER - enable (MULTI‐
929                      CAST_QUERIER > 0) or disable (MULTICAST_QUERIER == 0)
930                      IGMP querier, ie sending of multicast queries by the
931                      bridge (default: disabled).
932
933                      mcast_querier_interval QUERIER_INTERVAL - interval
934                      between queries sent by other routers. if no queries are
935                      seen after this delay has passed, the bridge will start
936                      to send its own queries (as if mcast_querier was
937                      enabled).
938
939                      mcast_hash_elasticity HASH_ELASTICITY - set multicast
940                      database hash elasticity, ie the maximum chain length in
941                      the multicast hash table (defaults to 4).
942
943                      mcast_hash_max HASH_MAX - set maximum size of multicast
944                      hash table (defaults to 512, value must be a power of
945                      2).
946
947                      mcast_last_member_count LAST_MEMBER_COUNT - set multi‐
948                      cast last member count, ie the number of queries the
949                      bridge will send before stopping forwarding a multicast
950                      group after a "leave" message has been received
951                      (defaults to 2).
952
953                      mcast_last_member_interval LAST_MEMBER_INTERVAL - inter‐
954                      val between queries to find remaining members of a
955                      group, after a "leave" message is received.
956
957                      mcast_startup_query_count STARTUP_QUERY_COUNT - set the
958                      number of IGMP queries to send during startup phase
959                      (defaults to 2).
960
961                      mcast_startup_query_interval STARTUP_QUERY_INTERVAL -
962                      interval between queries in the startup phase.
963
964                      mcast_query_interval QUERY_INTERVAL - interval between
965                      queries sent by the bridge after the end of the startup
966                      phase.
967
968                      mcast_query_response_interval QUERY_RESPONSE_INTERVAL -
969                      set the Max Response Time/Maximum Response Delay for
970                      IGMP/MLD queries sent by the bridge.
971
972                      mcast_membership_interval MEMBERSHIP_INTERVAL - delay
973                      after which the bridge will leave a group, if no member‐
974                      ship reports for this group are received.
975
976                      mcast_stats_enabled MCAST_STATS_ENABLED - enable
977                      (MCAST_STATS_ENABLED > 0) or disable
978                      (MCAST_STATS_ENABLED == 0) multicast (IGMP/MLD) stats
979                      accounting.
980
981                      mcast_igmp_version IGMP_VERSION - set the IGMP version.
982
983                      mcast_mld_version MLD_VERSION - set the MLD version.
984
985                      nf_call_iptables NF_CALL_IPTABLES - enable (NF_CALL_IPT‐
986                      ABLES > 0) or disable (NF_CALL_IPTABLES == 0) iptables
987                      hooks on the bridge.
988
989                      nf_call_ip6tables NF_CALL_IP6TABLES - enable
990                      (NF_CALL_IP6TABLES > 0) or disable (NF_CALL_IP6TABLES ==
991                      0) ip6tables hooks on the bridge.
992
993                      nf_call_arptables NF_CALL_ARPTABLES - enable
994                      (NF_CALL_ARPTABLES > 0) or disable (NF_CALL_ARPTABLES ==
995                      0) arptables hooks on the bridge.
996
997
998
999
1000       MACsec Type Support
1001              For a link of type MACsec the following additional arguments are
1002              supported:
1003
1004              ip link add link DEVICE name NAME type macsec [ [ address
1005              <lladdr> ] port PORT | sci SCI ] [ cipher CIPHER_SUITE ] [
1006              icvlen { 8..16 } ] [ encrypt { on | off } ] [ send_sci { on |
1007              off } ] [ end_station { on | off } ] [ scb { on | off } ] [ pro‐
1008              tect { on | off } ] [ replay { on | off } window { 0..2^32-1 } ]
1009              [ validate { strict | check | disabled } ] [ encodingsa { 0..3 }
1010              ]
1011
1012
1013                      address <lladdr> - sets the system identifier component
1014                      of secure channel for this MACsec device.
1015
1016
1017                      port PORT - sets the port number component of secure
1018                      channel for this MACsec device, in a range from 1 to
1019                      65535 inclusive. Numbers with a leading " 0 " or " 0x "
1020                      are interpreted as octal and hexadecimal, respectively.
1021
1022
1023                      sci SCI - sets the secure channel identifier for this
1024                      MACsec device.  SCI is a 64bit wide number in hexadeci‐
1025                      mal format.
1026
1027
1028                      cipher CIPHER_SUITE - defines the cipher suite to use.
1029
1030
1031                      icvlen LENGTH - sets the length of the Integrity Check
1032                      Value (ICV).
1033
1034
1035                      encrypt on or encrypt off - switches between authenti‐
1036                      cated encryption, or authenticity mode only.
1037
1038
1039                      send_sci on or send_sci off - specifies whether the SCI
1040                      is included in every packet, or only when it is neces‐
1041                      sary.
1042
1043
1044                      end_station on or end_station off - sets the End Station
1045                      bit.
1046
1047
1048                      scb on or scb off - sets the Single Copy Broadcast bit.
1049
1050
1051                      protect on or protect off - enables MACsec protection on
1052                      the device.
1053
1054
1055                      replay on or replay off - enables replay protection on
1056                      the device.
1057
1058
1059
1060                              window SIZE - sets the size of the replay win‐
1061                              dow.
1062
1063
1064
1065                      validate strict or validate check or validate disabled -
1066                      sets the validation mode on the device.
1067
1068
1069                      encodingsa AN - sets the active secure association for
1070                      transmission.
1071
1072
1073
1074       VRF Type Support
1075              For a link of type VRF the following additional arguments are
1076              supported:
1077
1078              ip link add DEVICE type vrf table TABLE
1079
1080
1081                      table table id associated with VRF device
1082
1083
1084
1085       RMNET Type Support
1086              For a link of type RMNET the following additional arguments are
1087              supported:
1088
1089              ip link add link DEVICE name NAME type rmnet mux_id MUXID
1090
1091
1092                      mux_id MUXID - specifies the mux identifier for the
1093                      rmnet device, possible values 1-254.
1094
1095
1096
1097   ip link delete - delete virtual link
1098       dev DEVICE
1099              specifies the virtual device to act operate on.
1100
1101
1102       group GROUP
1103              specifies the group of virtual links to delete. Group 0 is not
1104              allowed to be deleted since it is the default group.
1105
1106
1107       type TYPE
1108              specifies the type of the device.
1109
1110
1111   ip link set - change device attributes
1112       Warning: If multiple parameter changes are requested, ip aborts immedi‐
1113       ately after any of the changes have failed.  This is the only case when
1114       ip can move the system to an unpredictable state. The solution is to
1115       avoid changing several parameters with one ip link set call.
1116
1117
1118       dev DEVICE
1119              DEVICE specifies network device to operate on. When configuring
1120              SR-IOV Virtual Function (VF) devices, this keyword should spec‐
1121              ify the associated Physical Function (PF) device.
1122
1123
1124       group GROUP
1125              GROUP has a dual role: If both group and dev are present, then
1126              move the device to the specified group. If only a group is spec‐
1127              ified, then the command operates on all devices in that group.
1128
1129
1130       up and down
1131              change the state of the device to UP or DOWN.
1132
1133
1134       arp on or arp off
1135              change the NOARP flag on the device.
1136
1137
1138       multicast on or multicast off
1139              change the MULTICAST flag on the device.
1140
1141
1142       protodown on or protodown off
1143              change the PROTODOWN state on the device. Indicates that a pro‐
1144              tocol error has been detected on the port. Switch drivers can
1145              react to this error by doing a phys down on the switch port.
1146
1147
1148       dynamic on or dynamic off
1149              change the DYNAMIC flag on the device. Indicates that address
1150              can change when interface goes down (currently NOT used by the
1151              Linux).
1152
1153
1154       name NAME
1155              change the name of the device. This operation is not recommended
1156              if the device is running or has some addresses already config‐
1157              ured.
1158
1159
1160       txqueuelen NUMBER
1161
1162       txqlen NUMBER
1163              change the transmit queue length of the device.
1164
1165
1166       mtu NUMBER
1167              change the MTU of the device.
1168
1169
1170       address LLADDRESS
1171              change the station address of the interface.
1172
1173
1174       broadcast LLADDRESS
1175
1176       brd LLADDRESS
1177
1178       peer LLADDRESS
1179              change the link layer broadcast address or the peer address when
1180              the interface is POINTOPOINT.
1181
1182
1183       netns NETNSNAME | PID
1184              move the device to the network namespace associated with name
1185              NETNSNAME or process PID.
1186
1187              Some devices are not allowed to change network namespace: loop‐
1188              back, bridge, ppp, wireless. These are network namespace local
1189              devices. In such case ip tool will return "Invalid argument"
1190              error. It is possible to find out if device is local to a single
1191              network namespace by checking netns-local flag in the output of
1192              the ethtool:
1193
1194                      ethtool -k DEVICE
1195
1196              To change network namespace for wireless devices the iw tool can
1197              be used. But it allows to change network namespace only for
1198              physical devices and by process PID.
1199
1200
1201       alias NAME
1202              give the device a symbolic name for easy reference.
1203
1204
1205       group GROUP
1206              specify the group the device belongs to.  The available groups
1207              are listed in file /etc/iproute2/group.
1208
1209
1210       vf NUM specify a Virtual Function device to be configured. The associ‐
1211              ated PF device must be specified using the dev parameter.
1212
1213                      mac LLADDRESS - change the station address for the spec‐
1214                      ified VF. The vf parameter must be specified.
1215
1216
1217                      vlan VLANID - change the assigned VLAN for the specified
1218                      VF. When specified, all traffic sent from the VF will be
1219                      tagged with the specified VLAN ID. Incoming traffic will
1220                      be filtered for the specified VLAN ID, and will have all
1221                      VLAN tags stripped before being passed to the VF. Set‐
1222                      ting this parameter to 0 disables VLAN tagging and fil‐
1223                      tering. The vf parameter must be specified.
1224
1225
1226                      qos VLAN-QOS - assign VLAN QOS (priority) bits for the
1227                      VLAN tag. When specified, all VLAN tags transmitted by
1228                      the VF will include the specified priority bits in the
1229                      VLAN tag. If not specified, the value is assumed to be
1230                      0. Both the vf and vlan parameters must be specified.
1231                      Setting both vlan and qos as 0 disables VLAN tagging and
1232                      filtering for the VF.
1233
1234
1235                      proto VLAN-PROTO - assign VLAN PROTOCOL for the VLAN
1236                      tag, either 802.1Q or 802.1ad.  Setting to 802.1ad, all
1237                      traffic sent from the VF will be tagged with VLAN S-Tag.
1238                      Incoming traffic will have VLAN S-Tags stripped before
1239                      being passed to the VF.  Setting to 802.1ad also enables
1240                      an option to concatenate another VLAN tag, so both S-TAG
1241                      and C-TAG will be inserted/stripped for outgoing/incom‐
1242                      ing traffic, respectively.  If not specified, the value
1243                      is assumed to be 802.1Q. Both the vf and vlan parameters
1244                      must be specified.
1245
1246
1247                      rate TXRATE -- change the allowed transmit bandwidth, in
1248                      Mbps, for the specified VF.  Setting this parameter to 0
1249                      disables rate limiting.  vf parameter must be specified.
1250                      Please use new API max_tx_rate option instead.
1251
1252
1253                      max_tx_rate TXRATE - change the allowed maximum transmit
1254                      bandwidth, in Mbps, for the specified VF.  Setting this
1255                      parameter to 0 disables rate limiting.  vf parameter
1256                      must be specified.
1257
1258
1259                      min_tx_rate TXRATE - change the allowed minimum transmit
1260                      bandwidth, in Mbps, for the specified VF.  Minimum
1261                      TXRATE should be always <= Maximum TXRATE.  Setting this
1262                      parameter to 0 disables rate limiting.  vf parameter
1263                      must be specified.
1264
1265
1266                      spoofchk on|off - turn packet spoof checking on or off
1267                      for the specified VF.
1268
1269                      query_rss on|off - toggle the ability of querying the
1270                      RSS configuration of a specific VF. VF RSS information
1271                      like RSS hash key may be considered sensitive on some
1272                      devices where this information is shared between VF and
1273                      PF and thus its querying may be prohibited by default.
1274
1275                      state auto|enable|disable - set the virtual link state
1276                      as seen by the specified VF. Setting to auto means a
1277                      reflection of the PF link state, enable lets the VF to
1278                      communicate with other VFs on this host even if the PF
1279                      link state is down, disable causes the HW to drop any
1280                      packets sent by the VF.
1281
1282                      trust on|off - trust the specified VF user. This enables
1283                      that VF user can set a specific feature which may impact
1284                      security and/or performance. (e.g. VF multicast promis‐
1285                      cuous mode)
1286
1287                      node_guid eui64 - configure node GUID for Infiniband
1288                      VFs.
1289
1290                      port_guid eui64 - configure port GUID for Infiniband
1291                      VFs.
1292
1293
1294       xdp object | pinned | off
1295              set (or unset) a XDP ("eXpress Data Path") BPF program to run on
1296              every packet at driver level.  ip link output will indicate a
1297              xdp flag for the networking device. If the driver does not have
1298              native XDP support, the kernel will fall back to a slower,
1299              driver-independent "generic" XDP variant. The ip link output
1300              will in that case indicate xdpgeneric instead of xdp only. If
1301              the driver does have native XDP support, but the program is
1302              loaded under xdpgeneric object | pinned then the kernel will use
1303              the generic XDP variant instead of the native one.  xdpdrv has
1304              the opposite effect of requestsing that the automatic fallback
1305              to the generic XDP variant be disabled and in case driver is not
1306              XDP-capable error should be returned.  xdpdrv also disables
1307              hardware offloads.  xdpoffload in ip link output indicates that
1308              the program has been offloaded to hardware and can also be used
1309              to request the "offload" mode, much like xdpgeneric it forces
1310              program to be installed specifically in HW/FW of the apater.
1311
1312              off (or none ) - Detaches any currently attached XDP/BPF program
1313              from the given device.
1314
1315              object FILE - Attaches a XDP/BPF program to the given device.
1316              The FILE points to a BPF ELF file (f.e. generated by LLVM) that
1317              contains the BPF program code, map specifications, etc. If a
1318              XDP/BPF program is already attached to the given device, an
1319              error will be thrown. If no XDP/BPF program is currently
1320              attached, the device supports XDP and the program from the BPF
1321              ELF file passes the kernel verifier, then it will be attached to
1322              the device. If the option -force is passed to ip then any prior
1323              attached XDP/BPF program will be atomically overridden and no
1324              error will be thrown in this case. If no section option is
1325              passed, then the default section name ("prog") will be assumed,
1326              otherwise the provided section name will be used. If no verbose
1327              option is passed, then a verifier log will only be dumped on
1328              load error.  See also EXAMPLES section for usage examples.
1329
1330              section NAME - Specifies a section name that contains the BPF
1331              program code. If no section name is specified, the default one
1332              ("prog") will be used. This option is to be passed with the
1333              object option.
1334
1335              verbose - Act in verbose mode. For example, even in case of suc‐
1336              cess, this will print the verifier log in case a program was
1337              loaded from a BPF ELF file.
1338
1339              pinned FILE - Attaches a XDP/BPF program to the given device.
1340              The FILE points to an already pinned BPF program in the BPF file
1341              system. The option section doesn't apply here, but otherwise
1342              semantics are the same as with the option object described
1343              already.
1344
1345
1346       master DEVICE
1347              set master device of the device (enslave device).
1348
1349
1350       nomaster
1351              unset master device of the device (release device).
1352
1353
1354       addrgenmode eui64|none|stable_secret|random
1355              set the IPv6 address generation mode
1356
1357              eui64 - use a Modified EUI-64 format interface identifier
1358
1359              none - disable automatic address generation
1360
1361              stable_secret - generate the interface identifier based on a
1362              preset /proc/sys/net/ipv6/conf/{default,DEVICE}/stable_secret
1363
1364              random - like stable_secret, but auto-generate a new random
1365              secret if none is set
1366
1367
1368       link-netnsid
1369              set peer netnsid for a cross-netns interface
1370
1371
1372       type ETYPE TYPE_ARGS
1373              Change type-specific settings. For a list of supported types and
1374              arguments refer to the description of ip link add above. In
1375              addition to that, it is possible to manipulate settings to slave
1376              devices:
1377
1378
1379       Bridge Slave Support
1380              For a link with master bridge the following additional arguments
1381              are supported:
1382
1383              ip link set type bridge_slave [ fdb_flush ] [ state STATE ] [
1384              priority PRIO ] [ cost COST ] [ guard { on | off } ] [ hairpin {
1385              on | off } ] [ fastleave { on | off } ] [ root_block { on | off
1386              } ] [ learning { on | off } ] [ flood { on | off } ] [ proxy_arp
1387              { on | off } ] [ proxy_arp_wifi { on | off } ] [ mcast_router
1388              MULTICAST_ROUTER ] [ mcast_fast_leave { on | off} ] [
1389              mcast_flood { on | off } ] [ group_fwd_mask MASK ] [ neigh_sup‐
1390              press { on | off } ] [ vlan_tunnel { on | off } ] [ isolated {
1391              on | off } ] [ backup_port DEVICE ] [ nobackup_port ]
1392
1393
1394                      fdb_flush - flush bridge slave's fdb dynamic entries.
1395
1396                      state STATE - Set port state.  STATE is a number repre‐
1397                      senting the following states: 0 (disabled), 1 (listen‐
1398                      ing), 2 (learning), 3 (forwarding), 4 (blocking).
1399
1400                      priority PRIO - set port priority (allowed values are
1401                      between 0 and 63, inclusively).
1402
1403                      cost COST - set port cost (allowed values are between 1
1404                      and 65535, inclusively).
1405
1406                      guard { on | off } - block incoming BPDU packets on this
1407                      port.
1408
1409                      hairpin { on | off } - enable hairpin mode on this port.
1410                      This will allow incoming packets on this port to be
1411                      reflected back.
1412
1413                      fastleave { on | off } - enable multicast fast leave on
1414                      this port.
1415
1416                      root_block { on | off } - block this port from becoming
1417                      the bridge's root port.
1418
1419                      learning { on | off } - allow MAC address learning on
1420                      this port.
1421
1422                      flood { on | off } - open the flood gates on this port,
1423                      i.e. forward all unicast frames to this port also.
1424                      Requires proxy_arp and proxy_arp_wifi to be turned off.
1425
1426                      proxy_arp { on | off } - enable proxy ARP on this port.
1427
1428                      proxy_arp_wifi { on | off } - enable proxy ARP on this
1429                      port which meets extended requirements by IEEE 802.11
1430                      and Hotspot 2.0 specifications.
1431
1432                      mcast_router MULTICAST_ROUTER - configure this port for
1433                      having multicast routers attached. A port with a multi‐
1434                      cast router will receive all multicast traffic.  MULTI‐
1435                      CAST_ROUTER may be either 0 to disable multicast routers
1436                      on this port, 1 to let the system detect the presence of
1437                      of routers (this is the default), 2 to permanently
1438                      enable multicast traffic forwarding on this port or 3 to
1439                      enable multicast routers temporarily on this port, not
1440                      depending on incoming queries.
1441
1442                      mcast_fast_leave { on | off } - this is a synonym to the
1443                      fastleave option above.
1444
1445                      mcast_flood { on | off } - controls whether a given port
1446                      will be flooded with multicast traffic for which there
1447                      is no MDB entry.
1448
1449                      group_fwd_mask MASK - set the group forward mask. This
1450                      is the bitmask that is applied to decide whether to for‐
1451                      ward incoming frames destined to link-local addresses,
1452                      ie addresses of the form 01:80:C2:00:00:0X (defaults to
1453                      0, ie the bridge does not forward any link-local frames
1454                      coming on this port).
1455
1456                      neigh_suppress { on | off } - controls whether neigh
1457                      discovery (arp and nd) proxy and suppression is enabled
1458                      on the port. By default this flag is off.
1459
1460                      vlan_tunnel { on | off } - controls whether vlan to tun‐
1461                      nel mapping is enabled on the port. By default this flag
1462                      is off.
1463
1464                      backup_port DEVICE - if the port loses carrier all traf‐
1465                      fic will be redirected to the configured backup port
1466
1467                      nobackup_port - removes the currently configured backup
1468                      port
1469
1470
1471
1472       Bonding Slave Support
1473              For a link with master bond the following additional arguments
1474              are supported:
1475
1476              ip link set type bond_slave [ queue_id ID ]
1477
1478
1479                      queue_id ID - set the slave's queue ID (a 16bit unsigned
1480                      value).
1481
1482
1483
1484       MACVLAN and MACVTAP Support
1485              Modify list of allowed macaddr for link in source mode.
1486
1487              ip link set type { macvlan | macvap } [ macaddr COMMAND MACADDR
1488              ...  ]
1489
1490              Commands:
1491                      add - add MACADDR to allowed list
1492
1493                      set - replace allowed list
1494
1495                      del - remove MACADDR from allowed list
1496
1497                      flush - flush whole allowed list
1498
1499
1500
1501
1502   ip link show - display device attributes
1503       dev NAME (default)
1504              NAME specifies the network device to show.  If this argument is
1505              omitted all devices in the default group are listed.
1506
1507
1508       group GROUP
1509              GROUP specifies what group of devices to show.
1510
1511
1512       up     only display running interfaces.
1513
1514
1515       master DEVICE
1516              DEVICE specifies the master device which enslaves devices to
1517              show.
1518
1519
1520       vrf NAME
1521              NAME speficies the VRF which enslaves devices to show.
1522
1523
1524       type TYPE
1525              TYPE specifies the type of devices to show.
1526
1527              Note that the type name is not checked against the list of sup‐
1528              ported types - instead it is sent as-is to the kernel. Later it
1529              is used to filter the returned interface list by comparing it
1530              with the relevant attribute in case the kernel didn't filter
1531              already. Therefore any string is accepted, but may lead to empty
1532              output.
1533
1534
1535   ip link xstats - display extended statistics
1536       type TYPE
1537              TYPE specifies the type of devices to display extended statis‐
1538              tics for.
1539
1540
1541   ip link afstats - display address-family specific statistics
1542       dev DEVICE
1543              DEVICE specifies the device to display address-family statistics
1544              for.
1545
1546
1547   ip link help - display help
1548       TYPE specifies which help of link type to dislpay.
1549
1550
1551   GROUP
1552       may be a number or a string from the file /etc/iproute2/group which can
1553       be manually filled.
1554
1555

EXAMPLES

1557       ip link show
1558           Shows the state of all network interfaces on the system.
1559
1560       ip link show type bridge
1561           Shows the bridge devices.
1562
1563       ip link show type vlan
1564           Shows the vlan devices.
1565
1566       ip link show master br0
1567           Shows devices enslaved by br0
1568
1569       ip link set dev ppp0 mtu 1400
1570           Change the MTU the ppp0 device.
1571
1572       ip link add link eth0 name eth0.10 type vlan id 10
1573           Creates a new vlan device eth0.10 on device eth0.
1574
1575       ip link delete dev eth0.10
1576           Removes vlan device.
1577
1578       ip link help gre
1579           Display help for the gre link type.
1580
1581       ip link add name tun1 type ipip remote 192.168.1.1 local 192.168.1.2
1582       ttl 225 encap gue encap-sport auto encap-dport 5555 encap-csum encap-
1583       remcsum
1584           Creates an IPIP that is encapsulated with Generic UDP Encapsula‐
1585           tion, and the outer UDP checksum and remote checksum offload are
1586           enabled.
1587
1588       ip link set dev eth0 xdp obj prog.o
1589           Attaches a XDP/BPF program to device eth0, where the program is
1590           located in prog.o, section "prog" (default section). In case a
1591           XDP/BPF program is already attached, throw an error.
1592
1593       ip -force link set dev eth0 xdp obj prog.o sec foo
1594           Attaches a XDP/BPF program to device eth0, where the program is
1595           located in prog.o, section "foo". In case a XDP/BPF program is
1596           already attached, it will be overridden by the new one.
1597
1598       ip -force link set dev eth0 xdp pinned /sys/fs/bpf/foo
1599           Attaches a XDP/BPF program to device eth0, where the program was
1600           previously pinned as an object node into BPF file system under name
1601           foo.
1602
1603       ip link set dev eth0 xdp off
1604           If a XDP/BPF program is attached on device eth0, detach it and
1605           effectively turn off XDP for device eth0.
1606
1607       ip link add link wpan0 lowpan0 type lowpan
1608           Creates a 6LoWPAN interface named lowpan0 on the underlying IEEE
1609           802.15.4 device wpan0.
1610
1611       ip link add dev ip6erspan11 type ip6erspan seq key 102 local
1612       fc00:100::2 remote fc00:100::1 erspan_ver 2 erspan_dir ingress
1613       erspan_hwid 17
1614           Creates a IP6ERSPAN version 2 interface named ip6erspan00.
1615
1616

SEE ALSO

1618       ip(8), ip-netns(8), ethtool(8), iptables(8)
1619
1620

AUTHOR

1622       Original Manpage by Michail Litvak <mci@owl.openwall.com>
1623
1624
1625
1626iproute2                          13 Dec 2012                       IP-LINK(8)
Impressum