SYSTEMD.NETWORK(5)            systemd.network            SYSTEMD.NETWORK(5)

NAME
systemd.network - Network configuration

SYNOPSIS
network.network

DESCRIPTION
Network setup is performed by systemd-networkd(8).

The main network file must have the extension .network; other
extensions are ignored. Networks are applied to links whenever the
links appear.

The .network files are read from the files located in the system
network directory /usr/lib/systemd/network, the volatile runtime
network directory /run/systemd/network and the local administration
network directory /etc/systemd/network. All configuration files are
collectively sorted and processed in lexical order, regardless of the
directories in which they live. However, files with identical filenames
replace each other. Files in /etc have the highest priority, files in
/run take precedence over files with the same name in /usr/lib. This
can be used to override a system-supplied configuration file with a
local file if needed. As a special case, an empty file (file size 0) or
symlink with the same name pointing to /dev/null disables the
configuration file entirely (it is "masked").

Along with the network file foo.network, a "drop-in" directory
foo.network.d/ may exist. All files with the suffix ".conf" from this
directory will be parsed after the file itself is parsed. This is
useful to alter or add configuration settings, without having to modify
the main configuration file. Each drop-in file must have appropriate
section headers.

In addition to /etc/systemd/network, drop-in ".d" directories can be
placed in /usr/lib/systemd/network or /run/systemd/network directories.
Drop-in files in /etc take precedence over those in /run which in turn
take precedence over those in /usr/lib. Drop-in files under any of
these directories take precedence over the main netdev file wherever
located. (Of course, since /run is temporary and /usr/lib is for
vendors, it is unlikely drop-ins should be used in either of those
places.)

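The override, masking and drop-in rules above decide which file actually configures a link, so an unexpected file in /etc or /run can silently replace a vendor configuration. The following is an added example, not part of systemd or of this manual page: it lists the effective .network files under a root directory, with what each one shadows and which drop-ins apply. The function names, the constructed sample tree, and the assumption that drop-ins are ordered by filename across directories (systemd's general drop-in handling) are this example's own.

```python
import os
import tempfile
from pathlib import Path

# Search directories, lowest priority first (order stated in the text above).
SEARCH_DIRS = ("usr/lib/systemd/network", "run/systemd/network", "etc/systemd/network")


def is_masked(path: Path) -> bool:
    """An empty file, or a symlink to /dev/null, masks the configuration."""
    if path.is_symlink():
        return os.path.realpath(path) == "/dev/null"
    return path.is_file() and path.stat().st_size == 0


def effective_network_files(root="/"):
    """Return the .network files that win, in lexical processing order."""
    root = Path(root)
    winners, shadowed = {}, {}
    for rel in SEARCH_DIRS:
        directory = root / rel
        if not directory.is_dir():
            continue
        for entry in directory.iterdir():
            if entry.name.endswith(".network") and not entry.is_dir():
                if entry.name in winners:
                    shadowed.setdefault(entry.name, []).append(winners[entry.name])
                winners[entry.name] = entry  # same filename: higher directory replaces
    report = []
    for name in sorted(winners):  # one lexical order across all directories
        dropins = {}
        for rel in SEARCH_DIRS:
            dropin_dir = root / rel / (name + ".d")
            if dropin_dir.is_dir():
                for conf in dropin_dir.iterdir():
                    if conf.name.endswith(".conf"):
                        dropins[conf.name] = conf  # assumed: same name replaces too
        report.append({
            "name": name,
            "path": winners[name],
            "masked": is_masked(winners[name]),
            "shadowed": shadowed.get(name, []),
            "dropins": [dropins[key] for key in sorted(dropins)],
        })
    return report


def build_demo_tree(root):
    """Constructed sample layout, written under a scratch directory."""
    root = Path(root)
    for rel in SEARCH_DIRS:
        (root / rel).mkdir(parents=True)
    usr, run, etc = (root / rel for rel in SEARCH_DIRS)
    (usr / "80-dhcp.network").write_text("[Match]\nName=en*\n[Network]\nDHCP=yes\n")
    (usr / "90-vendor.network").write_text("[Match]\nName=*\n")
    (run / "80-dhcp.network").write_text("[Match]\nName=en*\n[Network]\nDHCP=ipv4\n")
    (etc / "10-lan.network").write_text("[Match]\nName=enp1s0\n")
    (etc / "90-vendor.network").symlink_to("/dev/null")  # masks the vendor file
    (etc / "80-dhcp.network.d").mkdir()
    (etc / "80-dhcp.network.d" / "50-dns.conf").write_text("[Network]\nDNS=192.0.2.53\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as scratch:
        build_demo_tree(scratch)
        for item in effective_network_files(scratch):
            state = "MASKED" if item["masked"] else "active"
            print(f'{item["name"]}: {state} from {item["path"].relative_to(scratch)}')
            for old in item["shadowed"]:
                print(f"  overrides {old.relative_to(scratch)}")
            for conf in item["dropins"]:
                print(f"  drop-in   {conf.relative_to(scratch)}")
```

Calling effective_network_files() with the default root inspects the live system; anything reported as shadowed or carrying drop-ins is worth comparing against the packaged file.
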
Note that an interface without any static IPv6 addresses configured,
and neither DHCPv6 nor IPv6LL enabled, shall be considered to have no
IPv6 support. IPv6 will be automatically disabled for that interface by
writing "1" to /proc/sys/net/ipv6/conf/ifname/disable_ipv6.

[MATCH] SECTION OPTIONS
The network file contains a "[Match]" section, which determines if a
given network file may be applied to a given device; and a "[Network]"
section specifying how the device should be configured. The first (in
lexical order) of the network files that matches a given device is
applied, all later files are ignored, even if they match as well.

A network file is said to match a device if each of the entries in the
"[Match]" section matches, or if the section is empty. The following
keys are accepted:

MACAddress=
A whitespace-separated list of hardware addresses. Use full colon-,
hyphen- or dot-delimited hexadecimal. See the example below. This
option may appear more than once, in which case the lists are
merged. If the empty string is assigned to this option, the list of
hardware addresses defined prior to this is reset.

Example:

MACAddress=01:23:45:67:89:ab 00-11-22-33-44-55 AABB.CCDD.EEFF

Path=
A whitespace-separated list of shell-style globs matching the
persistent path, as exposed by the udev property "ID_PATH". If the
list is prefixed with a "!", the test is inverted; i.e. it is true
when "ID_PATH" does not match any item in the list.

Driver=
A whitespace-separated list of shell-style globs matching the
driver currently bound to the device, as exposed by the udev
property "DRIVER" of its parent device, or if that is not set the
driver as exposed by "ethtool -i" of the device itself. If the list
is prefixed with a "!", the test is inverted.

Type=
A whitespace-separated list of shell-style globs matching the
device type, as exposed by the udev property "DEVTYPE". If the list
is prefixed with a "!", the test is inverted.

Name=
A whitespace-separated list of shell-style globs matching the
device name, as exposed by the udev property "INTERFACE". If the
list is prefixed with a "!", the test is inverted.

Host=
Matches against the hostname or machine ID of the host. See
"ConditionHost=" in systemd.unit(5) for details.

Virtualization=
Checks whether the system is executed in a virtualized environment
and optionally tests whether it is a specific implementation. See
"ConditionVirtualization=" in systemd.unit(5) for details.

KernelCommandLine=
Checks whether a specific kernel command line option is set (or if
prefixed with the exclamation mark unset). See
"ConditionKernelCommandLine=" in systemd.unit(5) for details.

KernelVersion=
Checks whether the kernel version (as reported by uname -r) matches
a certain expression (or if prefixed with the exclamation mark does
not match it). See "ConditionKernelVersion=" in systemd.unit(5) for
details.

Architecture=
Checks whether the system is running on a specific architecture.
See "ConditionArchitecture=" in systemd.unit(5) for details.

[LINK] SECTION OPTIONS
The "[Link]" section accepts the following keys:

MACAddress=
The hardware address to set for the device.

MTUBytes=
The maximum transmission unit in bytes to set for the device. The
usual suffixes K, M, G, are supported and are understood to the
base of 1024.

Note that if IPv6 is enabled on the interface, and the MTU is
chosen below 1280 (the minimum MTU for IPv6) it will automatically
be increased to this value.

ARP=
A boolean. Enables or disables the ARP (low-level Address
Resolution Protocol) for this interface. Defaults to unset, which
means that the kernel default will be used.

For example, disabling ARP is useful when creating multiple MACVLAN
or VLAN virtual interfaces atop a single lower-level physical
interface, which will then only serve as a link/"bridge" device
aggregating traffic to the same physical link and not participate
in the network otherwise.

Multicast=
A boolean. Enables or disables the multicast flag on the device.

AllMulticast=
A boolean. When this flag is set the driver retrieves all multicast
packets from the network. This happens when multicast routing is
enabled.

Unmanaged=
A boolean. When "yes", no attempts are made to bring up or
configure matching links, equivalent to when there are no matching
network files. Defaults to "no".

This is useful for preventing later matching network files from
interfering with certain interfaces that are fully controlled by
other applications.

RequiredForOnline=
A boolean. When "yes", the network is deemed required when
determining whether the system is online when running
"systemd-networkd-wait-online". When "no", the network is ignored
when checking for online state. Defaults to "yes".

The network will be brought up normally in all cases, but in the
event that there is no address being assigned by DHCP or the cable
is not plugged in, the link will simply remain offline and be
skipped automatically by "systemd-networkd-wait-online" if
"RequiredForOnline=true".

[NETWORK] SECTION OPTIONS
The "[Network]" section accepts the following keys:

Description=
A description of the device. This is only used for presentation
purposes.

DHCP=
Enables DHCPv4 and/or DHCPv6 client support. Accepts "yes", "no",
"ipv4", or "ipv6". Defaults to "no".

Note that DHCPv6 will by default be triggered by Router
Advertisement, if that is enabled, regardless of this parameter. By
enabling DHCPv6 support explicitly, the DHCPv6 client will be
started regardless of the presence of routers on the link, or what
flags the routers pass. See "IPv6AcceptRA=".

Furthermore, note that by default the domain name specified through
DHCP is not used for name resolution. See option UseDomains= below.

See the "[DHCP]" section below for further configuration options
for the DHCP client support.

DHCPServer=
A boolean. Enables DHCPv4 server support. Defaults to "no". Further
settings for the DHCP server may be set in the "[DHCPServer]"
section described below.

LinkLocalAddressing=
Enables link-local address autoconfiguration. Accepts "yes", "no",
"ipv4", or "ipv6". Defaults to "ipv6".

IPv4LLRoute=
A boolean. When true, sets up the route needed for non-IPv4LL hosts
to communicate with IPv4LL-only hosts. Defaults to false.

IPv6Token=
An IPv6 address with the top 64 bits unset. When set, indicates the
64-bit interface part of SLAAC IPv6 addresses for this link. Note
that the token is only ever used for SLAAC, and not for DHCPv6
addresses, even in the case DHCP is requested by router
advertisement. By default, the token is autogenerated.

LLMNR=
A boolean or "resolve". When true, enables Link-Local Multicast
Name Resolution[1] on the link. When set to "resolve", only
resolution is enabled, but not host registration and announcement.
Defaults to true. This setting is read by
systemd-resolved.service(8).

MulticastDNS=
A boolean or "resolve". When true, enables Multicast DNS[2] support
on the link. When set to "resolve", only resolution is enabled, but
not host or service registration and announcement. Defaults to
false. This setting is read by systemd-resolved.service(8).

DNSOverTLS=
Takes false or "opportunistic". When set to "opportunistic",
enables DNS-over-TLS[3] support on the link. This option defines a
per-interface setting for resolved.conf(5)'s global DNSOverTLS=
option. Defaults to false. This setting is read by
systemd-resolved.service(8).

DNSSEC=
A boolean or "allow-downgrade". When true, enables DNSSEC[4] DNS
validation support on the link. When set to "allow-downgrade",
compatibility with non-DNSSEC capable networks is increased, by
automatically turning off DNSSEC in this case. This option defines
a per-interface setting for resolved.conf(5)'s global DNSSEC=
option. Defaults to false. This setting is read by
systemd-resolved.service(8).

DNSSECNegativeTrustAnchors=
A space-separated list of DNSSEC negative trust anchor domains. If
specified and DNSSEC is enabled, look-ups done via the interface's
DNS server will be subject to the list of negative trust anchors,
and not require authentication for the specified domains, or
anything below it. Use this to disable DNSSEC authentication for
specific private domains, that cannot be proven valid using the
Internet DNS hierarchy. Defaults to the empty list. This setting is
read by systemd-resolved.service(8).

LLDP=
Controls support for Ethernet LLDP packet reception. LLDP is a
link-layer protocol commonly implemented on professional routers
and bridges which announces which physical port a system is
connected to, as well as other related data. Accepts a boolean or
the special value "routers-only". When true, incoming LLDP packets
are accepted and a database of all LLDP neighbors maintained. If
"routers-only" is set only LLDP data of various types of routers is
collected and LLDP data about other types of devices ignored (such
as stations, telephones and others). If false, LLDP reception is
disabled. Defaults to "routers-only". Use networkctl(1) to query
the collected neighbor data. LLDP is only available on Ethernet
links. See EmitLLDP= below for enabling LLDP packet emission from
the local system.

EmitLLDP=
Controls support for Ethernet LLDP packet emission. Accepts a
boolean parameter or the special values "nearest-bridge",
"non-tpmr-bridge" and "customer-bridge". Defaults to false, which
turns off LLDP packet emission. If not false, a short LLDP packet
with information about the local system is sent out in regular
intervals on the link. The LLDP packet will contain information
about the local host name, the local machine ID (as stored in
machine-id(5)) and the local interface name, as well as the pretty
hostname of the system (as set in machine-info(5)). LLDP emission
is only available on Ethernet links. Note that this setting passes
data suitable for identification of host to the network and should
thus not be enabled on untrusted networks, where such
identification data should not be made available. Use this option
to permit other systems to identify on which interfaces they are
connected to this system. The three special values control
propagation of the LLDP packets. The "nearest-bridge" setting
permits propagation only to the nearest connected bridge,
"non-tpmr-bridge" permits propagation across Two-Port MAC Relays,
but not any other bridges, and "customer-bridge" permits
propagation until a customer bridge is reached. For details about
these concepts, see IEEE 802.1AB-2016[5]. Note that configuring
this setting to true is equivalent to "nearest-bridge", the
recommended and most restricted level of propagation. See LLDP=
above for an option to enable LLDP reception.

BindCarrier=
A link name or a list of link names. When set, controls the
behavior of the current link. When all links in the list are in an
operational down state, the current link is brought down. When at
least one link has carrier, the current interface is brought up.

Address=
A static IPv4 or IPv6 address and its prefix length, separated by a
"/" character. Specify this key more than once to configure several
addresses. The format of the address must be as described in
inet_pton(3). This is a short-hand for an [Address] section only
containing an Address key (see below). This option may be specified
more than once.

If the specified address is 0.0.0.0 (for IPv4) or [::] (for IPv6),
a new address range of the requested size is automatically
allocated from a system-wide pool of unused ranges. The allocated
range is checked against all current network interfaces and all
known network configuration files to avoid address range conflicts.
The default system-wide pool consists of 192.168.0.0/16,
172.16.0.0/12 and 10.0.0.0/8 for IPv4, and fc00::/7 for IPv6. This
functionality is useful to manage a large number of dynamically
created network interfaces with the same network configuration and
automatic address range assignment.

Gateway=
The gateway address, which must be in the format described in
inet_pton(3). This is a short-hand for a [Route] section only
containing a Gateway key. This option may be specified more than
once.

DNS=
A DNS server address, which must be in the format described in
inet_pton(3). This option may be specified more than once. This
setting is read by systemd-resolved.service(8).

Domains=
A list of domains which should be resolved using the DNS servers on
this link. Each item in the list should be a domain name,
optionally prefixed with a tilde ("~"). The domains with the prefix
are called "routing-only domains". The domains without the prefix
are called "search domains" and are first used as search suffixes
for extending single-label host names (host names containing no
dots) to become fully qualified domain names (FQDNs). If a
single-label host name is resolved on this interface, each of the
specified search domains is appended to it in turn, converting it
into a fully qualified domain name, until one of them may be
successfully resolved.

Both "search" and "routing-only" domains are used for routing of
DNS queries: look-ups for host names ending in those domains (hence
also single label names, if any "search domains" are listed), are
routed to the DNS servers configured for this interface. The domain
routing logic is particularly useful on multi-homed hosts with DNS
servers serving particular private DNS zones on each interface.

The "routing-only" domain "~." (the tilde indicating definition of
a routing domain, the dot referring to the DNS root domain which is
the implied suffix of all valid DNS names) has special effect. It
causes all DNS traffic which does not match another configured
domain routing entry to be routed to DNS servers specified for this
interface. This setting is useful to prefer a certain set of DNS
servers if a link on which they are connected is available.

This setting is read by systemd-resolved.service(8). "Search
domains" correspond to the domain and search entries in
resolv.conf(5). Domain name routing has no equivalent in the
traditional glibc API, which has no concept of domain name servers
limited to a specific link.

NTP=
An NTP server address. This option may be specified more than once.
This setting is read by systemd-timesyncd.service(8).

IPForward=
Configures IP packet forwarding for the system. If enabled,
incoming packets on any network interface will be forwarded to any
other interfaces according to the routing table. Takes either a
boolean argument, or the values "ipv4" or "ipv6", which only enable
IP packet forwarding for the specified address family. This
controls the net.ipv4.ip_forward and net.ipv6.conf.all.forwarding
sysctl options of the network interface (see ip-sysctl.txt[6] for
details about sysctl options). Defaults to "no".

Note: this setting controls a global kernel option, and does so one
way only: if a network that has this setting enabled is set up, the
global setting is turned on. However, it is never turned off again,
even after all networks with this setting enabled are shut down
again.

To allow IP packet forwarding only between specific network
interfaces use a firewall.

IPMasquerade=
Configures IP masquerading for the network interface. If enabled,
packets forwarded from the network interface will appear as
coming from the local host. Takes a boolean argument. Implies
IPForward=ipv4. Defaults to "no".

IPv6PrivacyExtensions=
Configures use of stateless temporary addresses that change over
time (see RFC 4941[7], Privacy Extensions for Stateless Address
Autoconfiguration in IPv6). Takes a boolean or the special values
"prefer-public" and "kernel". When true, enables the privacy
extensions and prefers temporary addresses over public addresses.
When "prefer-public", enables the privacy extensions, but prefers
public addresses over temporary addresses. When false, the privacy
extensions remain disabled. When "kernel", the kernel's default
setting will be left in place. Defaults to "no".

IPv6AcceptRA=
Enable or disable IPv6 Router Advertisement (RA) reception support
for the interface. Takes a boolean parameter. If true, RAs are
accepted; if false, RAs are ignored, independently of the local
forwarding state. When not set, the kernel default is used, and RAs
are accepted only when local forwarding is disabled for that
interface. When RAs are accepted, they may trigger the start of the
DHCPv6 client if the relevant flags are set in the RA data, or if
no routers are found on the link.

Further settings for the IPv6 RA support may be configured in the
"[IPv6AcceptRA]" section, see below.

Also see ip-sysctl.txt[6] in the kernel documentation regarding
"accept_ra", but note that systemd's setting of 1 (i.e. true)
corresponds to kernel's setting of 2.

IPv6DuplicateAddressDetection=
Configures the number of IPv6 Duplicate Address Detection (DAD)
probes to send. Defaults to unset.

IPv6HopLimit=
Configures IPv6 Hop Limit. For each router that forwards the
packet, the hop limit is decremented by 1. When the hop limit field
reaches zero, the packet is discarded. Defaults to unset.

IPv4ProxyARP=
A boolean. Configures proxy ARP for IPv4. Proxy ARP is the
technique in which one host, usually a router, answers ARP requests
intended for another machine. By "faking" its identity, the router
accepts responsibility for routing packets to the "real"
destination. (See RFC 1027[8].) Defaults to unset.

IPv6ProxyNDP=
A boolean. Configures proxy NDP for IPv6. Proxy NDP (Neighbor
Discovery Protocol) is a technique for IPv6 to allow routing of
addresses to a different destination when peers expect them to be
present on a certain physical link. In this case a router answers
Neighbour Advertisement messages intended for another machine by
offering its own MAC address as destination. Unlike proxy ARP for
IPv4, it is not enabled globally, but will only send Neighbour
Advertisement messages for addresses in the IPv6 neighbor proxy
table, which can also be shown by ip -6 neighbour show proxy.
systemd-networkd will control the per-interface `proxy_ndp` switch
for each configured interface depending on this option. Defaults to
unset.

IPv6ProxyNDPAddress=
An IPv6 address, for which Neighbour Advertisement messages will be
proxied. This option may be specified more than once.
systemd-networkd will add the IPv6ProxyNDPAddress= entries to the
kernel's IPv6 neighbor proxy table. This option implies
IPv6ProxyNDP=true but has no effect if IPv6ProxyNDP has been set to
false. Defaults to unset.

IPv6PrefixDelegation=
Whether to enable or disable Router Advertisement sending on a
link. Allowed values are "static" which distributes prefixes as
defined in the "[IPv6PrefixDelegation]" and any "[IPv6Prefix]"
sections, "dhcpv6" which requests prefixes using a DHCPv6 client
configured for another link and any values configured in the
"[IPv6PrefixDelegation]" section while ignoring all static prefix
configuration sections, "yes" which uses both static configuration
and DHCPv6, and "false" which turns off IPv6 prefix delegation
altogether. Defaults to "false". See the "[IPv6PrefixDelegation]"
and the "[IPv6Prefix]" sections for more configuration options.

IPv6MTUBytes=
Configures IPv6 maximum transmission unit (MTU). An integer greater
than or equal to 1280 bytes. Defaults to unset.

Bridge=
The name of the bridge to add the link to. See systemd.netdev(5).

Bond=
The name of the bond to add the link to. See systemd.netdev(5).

VRF=
The name of the VRF to add the link to. See systemd.netdev(5).

VLAN=
The name of a VLAN to create on the link. See systemd.netdev(5).
This option may be specified more than once.

MACVLAN=
The name of a MACVLAN to create on the link. See systemd.netdev(5).
This option may be specified more than once.

VXLAN=
The name of a VXLAN to create on the link. See systemd.netdev(5).
This option may be specified more than once.

Tunnel=
The name of a Tunnel to create on the link. See systemd.netdev(5).
This option may be specified more than once.

ActiveSlave=
A boolean. Specifies the new active slave. The "ActiveSlave="
option is only valid for the following modes: "active-backup",
"balance-alb" and "balance-tlb". Defaults to false.

PrimarySlave=
A boolean. Specifies which slave is the primary device. The
specified device will always be the active slave while it is
available. Only when the primary is off-line will alternate devices
be used. This is useful when one slave is preferred over another,
e.g. when one slave has higher throughput than another. The
"PrimarySlave=" option is only valid for the following modes:
"active-backup", "balance-alb" and "balance-tlb". Defaults to
false.

ConfigureWithoutCarrier=
A boolean. Allows networkd to configure a specific link even if it
has no carrier. Defaults to false.

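Several "[Network]" keys above decide what a host announces or trusts on a link: EmitLLDP= sends identifying data, LLMNR= defaults to true, IPForward= flips a global switch that is never turned off again, IPMasquerade= implies IPForward=ipv4, and DNSSEC= defaults to false. The following is an added example, not part of systemd or of this manual page: it checks the "[Network]" section of a file against those documented defaults for a link on an untrusted network. The choice of keys to flag, the finding texts, the function names and both sample files are this example's assumptions; drop-ins are not merged.

```python
# [Network] defaults as documented on this page.
DEFAULTS = {
    "EmitLLDP": "no", "LLMNR": "yes", "MulticastDNS": "no",
    "IPForward": "no", "IPMasquerade": "no", "DNSSEC": "no",
}
TRUE_WORDS = {"1", "yes", "true", "on"}
FALSE_WORDS = {"0", "no", "false", "off"}


def parse_network_section(text):
    """Collect key=value pairs from every [Network] section; the last value wins."""
    values, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank lines and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Network" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def normalize(value):
    """Map boolean spellings to yes/no; keep special values such as 'resolve'."""
    lowered = value.lower()
    if lowered in TRUE_WORDS:
        return "yes"
    if lowered in FALSE_WORDS:
        return "no"
    return lowered


def audit_untrusted_link(text):
    """Return (key, finding) pairs for settings that expose the host on the link."""
    merged = {**DEFAULTS, **parse_network_section(text)}
    cfg = {key: normalize(merged[key]) for key in DEFAULTS}
    findings = []
    if cfg["EmitLLDP"] != "no":
        findings.append(("EmitLLDP", "host name, machine ID and interface name are sent on the link"))
    if cfg["LLMNR"] == "yes":
        findings.append(("LLMNR", "host registration and announcement are enabled; set no or resolve"))
    if cfg["MulticastDNS"] == "yes":
        findings.append(("MulticastDNS", "host and service registration are enabled; set no or resolve"))
    if cfg["IPForward"] != "no" or cfg["IPMasquerade"] == "yes":
        findings.append(("IPForward", "global forwarding is turned on and never turned off again"))
    if cfg["DNSSEC"] == "no":
        findings.append(("DNSSEC", "DNS answers on this link are not validated"))
    elif cfg["DNSSEC"] != "yes":
        findings.append(("DNSSEC", "validation is turned off on networks without DNSSEC support"))
    return findings


# Constructed sample files, not taken from any real host.
WEAK = """\
[Match]
Name=wlan0

[Network]
DHCP=yes
EmitLLDP=true
IPMasquerade=yes
"""

HARDENED = """\
[Match]
Name=wlan0

[Network]
DHCP=yes
EmitLLDP=no
LLMNR=no
MulticastDNS=no
IPForward=no
DNSSEC=yes
"""

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label)
        for key, finding in audit_untrusted_link(sample) or [("-", "no findings")]:
            print(f"  {key}: {finding}")
```
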
[ADDRESS] SECTION OPTIONS
An "[Address]" section accepts the following keys. Specify several
"[Address]" sections to configure several addresses.

Address=
As in the "[Network]" section. This key is mandatory.

Peer=
The peer address in a point-to-point connection. Accepts the same
format as the "Address" key.

Broadcast=
The broadcast address, which must be in the format described in
inet_pton(3). This key only applies to IPv4 addresses. If it is not
given, it is derived from the "Address" key.

Label=
An address label.

PreferredLifetime=
Allows the default "preferred lifetime" of the address to be
overridden. Only three settings are accepted: "forever" or
"infinity" which is the default and means that the address never
expires, and "0" which means that the address is considered
immediately "expired" and will not be used, unless explicitly
requested. A setting of PreferredLifetime=0 is useful for addresses
which are added to be used only by a specific application, which is
then configured to use them explicitly.

Scope=
The scope of the address, which can be "global", "link" or "host"
or an unsigned integer in the range 0 to 255. Defaults to "global".

HomeAddress=
Takes a boolean argument. Designates this address the "home
address" as defined in RFC 6275[9]. Supported only on IPv6.
Defaults to false.

DuplicateAddressDetection=
Takes a boolean argument. Do not perform Duplicate Address
Detection (RFC 4862[10]) when adding this address. Supported only on
IPv6. Defaults to false.

ManageTemporaryAddress=
Takes a boolean argument. If true, the kernel manages temporary
addresses created from this one as template on behalf of Privacy
Extensions (RFC 3041[11]). For this to become active, the
use_tempaddr sysctl setting has to be set to a value greater than
zero. The given address needs to have a prefix length of 64. This
flag allows using privacy extensions in a manually configured
network, just as if stateless auto-configuration was active.
Defaults to false.

PrefixRoute=
Takes a boolean argument. When adding or modifying an IPv6 address,
the userspace application needs a way to suppress adding a prefix
route. This is for example relevant together with
IFA_F_MANAGETEMPADDR, where userspace creates autoconf generated
addresses, but depending on on-link, no route for the prefix should
be added. Defaults to false.

AutoJoin=
Takes a boolean argument. Joining multicast group on Ethernet level
via ip maddr command would not work if we have an Ethernet switch
that does IGMP snooping since the switch would not replicate
multicast packets on ports that did not have IGMP reports for the
multicast addresses. Linux vxlan interfaces created via ip link add
vxlan or networkd's netdev kind vxlan have the group option that
enables them to do the required join. By extending ip address
command with option "autojoin" we can get similar functionality for
openvswitch (OVS) vxlan interfaces as well as other tunneling
mechanisms that need to receive multicast traffic. Defaults to
"no".

[IPV6ADDRESSLABEL] SECTION OPTIONS
An "[IPv6AddressLabel]" section accepts the following keys. Specify
several "[IPv6AddressLabel]" sections to configure several address
labels. IPv6 address labels are used for address selection. See RFC
3484[12]. Precedence is managed by userspace, and only the label itself
is stored in the kernel.

Label=
The label for the prefix, an unsigned integer in the range 0 to
4294967294. 0xffffffff is reserved. This key is mandatory.

Prefix=
The IPv6 prefix: an address with a prefix length, separated by a
slash "/" character. This key is mandatory.

[ROUTINGPOLICYRULE] SECTION OPTIONS
A "[RoutingPolicyRule]" section accepts the following keys. Specify
several "[RoutingPolicyRule]" sections to configure several rules.

TypeOfService=
Specifies the type of service to match, a number between 0 and 255.

From=
Specifies the source address prefix to match. Possibly followed by
a slash and the prefix length.

To=
Specifies the destination address prefix to match. Possibly
followed by a slash and the prefix length.

FirewallMark=
Specifies the iptables firewall mark value to match (a number
between 1 and 4294967295).

Table=
Specifies the routing table identifier to look up if the rule
selector matches: the table identifier for a route (a number
between 1 and 4294967295).

Priority=
Specifies the priority of this rule. Priority= is an unsigned
integer. Higher number means lower priority, and rules get
processed in order of increasing number.

IncomingInterface=
Specifies incoming device to match. If the interface is loopback,
the rule only matches packets originating from this host.

OutgoingInterface=
Specifies the outgoing device to match. The outgoing interface is
only available for packets originating from local sockets that are
bound to a device.

652 The "[Route]" section accepts the following keys. Specify several
653 "[Route]" sections to configure several routes.
654
655 Gateway=
656 As in the "[Network]" section.
657
658 GatewayOnlink=
659 The "GatewayOnlink" option tells the kernel that it does not have
660 to check if the gateway is reachable directly by the current
661 machine (i.e., the kernel does not need to check if the gateway is
662 attached to the local network), so that we can insert the route in
663 the kernel table without it being complained about. A boolean,
664 defaults to "no".
665
666 Destination=
667 The destination prefix of the route. Possibly followed by a slash
668 and the prefix length. If omitted, a full-length host route is
669 assumed.
670
671 Source=
672 The source prefix of the route. Possibly followed by a slash and
673 the prefix length. If omitted, a full-length host route is assumed.
674
675 Metric=
676 The metric of the route (an unsigned integer).
677
678 IPv6Preference=
679 Specifies the route preference as defined in RFC4191[13] for Router
680 Discovery messages. Which can be one of "low" the route has a
681 lowest priority, "medium" the route has a default priority or
682 "high" the route has a highest priority.
683
684 Scope=
685 The scope of the route, which can be "global", "link" or "host".
686 Defaults to "global".
687
688 PreferredSource=
689 The preferred source address of the route. The address must be in
690 the format described in inet_pton(3).
691
692 Table=num
693 The table identifier for the route (a number between 1 and
694 4294967295, or 0 to unset). The table can be retrieved using ip
695 route show table num.
696
697 Protocol=
698 The protocol identifier for the route. Takes a number between 0 and
699 255 or the special values "kernel", "boot" and "static". Defaults
700 to "static".
701
702 Type=
703 The Type identifier for special route types, which can be "unicast"
704 route to a destination network address which describes the path to
705 the destination, "blackhole" packets are discarded silently,
706 "unreachable" packets are discarded and the ICMP message host
707 unreachable is generated, "prohibit" packets are discarded and the
708 ICMP message communication administratively prohibited is
709 generated. Defaults to "unicast".
710
711 InitialCongestionWindow=
712 The TCP initial congestion window is used during the start of a TCP
713 connection. During the start of a TCP session, when a client
714 requests a resource, the server's initial congestion window
715 determines how many data bytes will be sent during the initial
716 burst of data. Takes a size in bytes between 1 and 4294967295 (2^32
717 - 1). The usual suffixes K, M, G are supported and are understood
718 to the base of 1024. Defaults to unset.
719
720 InitialAdvertisedReceiveWindow=
721 The TCP initial advertised receive window is the amount of receive
722 data (in bytes) that can initially be buffered at one time on a
723 connection. The sending host can send only that amount of data
724 before waiting for an acknowledgment and window update from the
725 receiving host. Takes a size in bytes between 1 and 4294967295
726 (2^32 - 1). The usual suffixes K, M, G are supported and are
727 understood to the base of 1024. Defaults to unset.
728
729 QuickAck=
730 Takes a boolean argument. When true enables TCP quick ack mode for
731 the route. Defaults to unset.
732
733 MTUBytes=
734 The maximum transmission unit in bytes to set for the route. The
735 usual suffixes K, M, G, are supported and are understood to the
736 base of 1024.
737
738 Note that if IPv6 is enabled on the interface, and the MTU is
739 chosen below 1280 (the minimum MTU for IPv6) it will automatically
740 be increased to this value.
741
743 The "[DHCP]" section configures the DHCPv4 and DHCPv6 client, if it is
744 enabled with the DHCP= setting described above:
745
746 UseDNS=
747 When true (the default), the DNS servers received from the DHCP
748 server will be used and take precedence over any statically
749 configured ones.
750
751 This corresponds to the nameserver option in resolv.conf(5).
752
753 UseNTP=
754 When true (the default), the NTP servers received from the DHCP
755 server will be used by systemd-timesyncd and take precedence over
756 any statically configured ones.
757
758 UseMTU=
759 When true, the interface maximum transmission unit from the DHCP
760 server will be used on the current link. If MTUBytes= is set, then
761 this setting is ignored. Defaults to false.
762
763 Anonymize=
764 Takes a boolean argument. When true, the options sent to the DHCP
765 server will follow the RFC 7844[14] (Anonymity Profiles for DHCP
766 Clients) to minimize disclosure of identifying information.
767 Defaults to false.
768
769 This option should only be set to true when MACAddressPolicy= is
770 set to "random" (see systemd.link(5)).
771
772 Note that this configuration will overwrite others. Specifically,
773 the following variables will be ignored: SendHostname=,
774 ClientIdentifier=, UseRoutes=, UseMTU=, VendorClassIdentifier=,
775 UseTimezone=.
776
777 SendHostname=
778 When true (the default), the machine's hostname will be sent to the
779 DHCP server.
780
781 UseHostname=
782 When true (the default), the hostname received from the DHCP server
783 will be set as the transient hostname of the system.
784
785 Hostname=
786 Use this value for the hostname which is sent to the DHCP server,
787 instead of the machine's hostname.
788
789 UseDomains=
790 Takes a boolean argument, or the special value "route". When true,
791 the domain name received from the DHCP server will be used as DNS
792 search domain over this link, similar to the effect of the Domains=
793 setting. If set to "route", the domain name received from the DHCP
794 server will be used for routing DNS queries only, but not for
795 searching, similar to the effect of the Domains= setting when the
796 argument is prefixed with "~". Defaults to false.
797
798 It is recommended to enable this option only on trusted networks,
799 as setting this affects resolution of all host names, in particular
800 of single-label names. It is generally safer to use the supplied
801 domain only as routing domain, rather than as search domain, in
802 order to not have it affect local resolution of single-label names.
803
804 When set to true, this setting corresponds to the domain option in
805 resolv.conf(5).
806
807 UseRoutes=
808 When true (the default), the static routes will be requested from
809 the DHCP server and added to the routing table with a metric of
810 1024, and a scope of "global", "link" or "host", depending on the
811 route's destination and gateway. If the destination is on the local
812 host, e.g., 127.x.x.x, or the same as the link's own address, the
813 scope will be set to "host". Otherwise if the gateway is null (a
814 direct route), a "link" scope will be used. For anything else,
815 scope defaults to "global".
816
817 UseTimezone=
818 When true, the timezone received from the DHCP server will be set
819 as timezone of the local system. Defaults to "no".
820
821 CriticalConnection=
822 When true, the connection will never be torn down even if the DHCP
823 lease expires. This is contrary to the DHCP specification, but may
824 be the best choice if, say, the root filesystem relies on this
825 connection. Defaults to false.
826
827 ClientIdentifier=
828 The DHCPv4 client identifier to use. Takes one of "mac", "duid" or
829 "duid-only". If set to "mac", the MAC address of the link is used.
830 If set to "duid", an RFC4361-compliant Client ID, which is the
831 combination of IAID and DUID (see below), is used. If set to
832 "duid-only", only the DUID is used; this may not be RFC compliant,
833 but some setups may require it. Defaults to "duid".
834
835 VendorClassIdentifier=
836 The vendor class identifier used to identify vendor type and
837 configuration.
838
839 UserClass=
840 A DHCPv4 client can use the UserClass option to identify the type or
841 category of user or applications it represents. The information
842 contained in this option is a string that represents the user class
843 of which the client is a member. Each class sets an identifying
844 string of information to be used by the DHCP service to classify
845 clients. Takes a whitespace-separated list of strings.
846
847 DUIDType=
848 Override the global DUIDType setting for this network. See
849 networkd.conf(5) for a description of possible values.
850
851 DUIDRawData=
852 Override the global DUIDRawData setting for this network. See
853 networkd.conf(5) for a description of possible values.
854
855 IAID=
856 The DHCP Identity Association Identifier (IAID) for the interface,
857 a 32-bit unsigned integer.
858
859 RequestBroadcast=
860 Request the server to use broadcast messages before the IP address
861 has been configured. This is necessary for devices that cannot
862 receive RAW packets, or that cannot receive packets at all before
863 an IP address has been configured. On the other hand, this must not
864 be enabled on networks where broadcasts are filtered out.
865
866 RouteMetric=
867 Set the routing metric for routes specified by the DHCP server.
868
869 RouteTable=num
870 The table identifier for DHCP routes (a number between 1 and
871 4294967295, or 0 to unset). The table can be retrieved using ip
872 route show table num.
873
874 When used in combination with VRF= the VRF's routing table is used
875 unless this parameter is specified.
876
877 ListenPort=
878 Allows setting a custom port for the DHCP client to listen on.
879
880 RapidCommit=
881 A boolean. The DHCPv6 client can obtain configuration parameters
882 from a DHCPv6 server through a rapid two-message exchange (solicit
883 and reply). When the rapid commit option is enabled by both the
884 DHCPv6 client and the DHCPv6 server, the two-message exchange is
885 used, rather than the default four-message exchange (solicit,
886 advertise, request, and reply). The two-message exchange provides
887 faster client configuration and is beneficial in environments in
888 which networks are under a heavy load. See RFC 3315[15] for
889 details. Defaults to true.
890
892 The "[IPv6AcceptRA]" section configures the IPv6 Router Advertisement
893 (RA) client, if it is enabled with the IPv6AcceptRA= setting described
894 above:
895
896 UseDNS=
897 When true (the default), the DNS servers received in the Router
898 Advertisement will be used and take precedence over any statically
899 configured ones.
900
901 This corresponds to the nameserver option in resolv.conf(5).
902
903 UseDomains=
904 Takes a boolean argument, or the special value "route". When true,
905 the domain name received via IPv6 Router Advertisement (RA) will be
906 used as DNS search domain over this link, similar to the effect of
907 the Domains= setting. If set to "route", the domain name received
908 via IPv6 RA will be used for routing DNS queries only, but not for
909 searching, similar to the effect of the Domains= setting when the
910 argument is prefixed with "~". Defaults to false.
911
912 It is recommended to enable this option only on trusted networks,
913 as setting this affects resolution of all host names, in particular
914 of single-label names. It is generally safer to use the supplied
915 domain only as routing domain, rather than as search domain, in
916 order to not have it affect local resolution of single-label names.
917
918 When set to true, this setting corresponds to the domain option in
919 resolv.conf(5).
920
921 RouteTable=num
922 The table identifier for the routes received in the Router
923 Advertisement (a number between 1 and 4294967295, or 0 to unset).
924 The table can be retrieved using ip route show table num.
925
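The "[DHCP]" and "[IPv6AcceptRA]" defaults above decide how much a DHCP server or router on the link may change on the client. The following audit is an added example, not part of the man page or of systemd: it applies the documented defaults to a .network file and lists every server-controlled setting in effect. The names `audit`, `parse_network` and `effective` are hypothetical, HARDENED is a constructed sample, and treating an unset IPv6AcceptRA= as enabled is an assumption.

```python
TRUE = {"1", "yes", "y", "true", "t", "on"}
FALSE = {"0", "no", "n", "false", "f", "off"}

# key: (default documented on this page, what a true value allows)
DHCP_TRUST = {
    "UseDNS": ("yes", "DNS servers from DHCP take precedence over static ones"),
    "UseNTP": ("yes", "NTP servers from DHCP take precedence over static ones"),
    "UseHostname": ("yes", "DHCP server sets the transient hostname"),
    "UseRoutes": ("yes", "static routes from DHCP are added to the routing table"),
    "UseDomains": ("no", "DHCP domain becomes a search domain for single-label names"),
    "UseMTU": ("no", "DHCP server sets the link MTU"),
    "UseTimezone": ("no", "DHCP server sets the system timezone"),
    "SendHostname": ("yes", "machine hostname is sent to the DHCP server"),
}
RA_TRUST = {
    "UseDNS": ("yes", "DNS servers from RAs take precedence over static ones"),
    "UseDomains": ("no", "RA domain becomes a search domain for single-label names"),
}
# Keys the page lists as ignored once Anonymize= is true.
ANONYMIZE_IGNORES = {"SendHostname", "ClientIdentifier", "UseRoutes", "UseMTU",
                     "VendorClassIdentifier", "UseTimezone"}


def parse_network(text):
    """Parse unit-file syntax into {section: {key: last value}}; repeated sections merge."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections


def effective(section, key, default):
    """Value in effect; an unparsable value falls back to the default (assumption)."""
    allowed = TRUE | FALSE | ({"route"} if key == "UseDomains" else set())
    value = section.get(key, default).lower()
    return value if value in allowed else default


def audit(text):
    """List (section, key, effect) for each server-controlled setting that is in effect."""
    cfg = parse_network(text)
    net, findings = cfg.get("Network", {}), []
    if net.get("DHCP", "no").lower() in TRUE | {"ipv4", "ipv6"}:
        dhcp = cfg.get("DHCP", {})
        ignored = ANONYMIZE_IGNORES if effective(dhcp, "Anonymize", "no") in TRUE else set()
        for key in sorted(ignored.intersection(dhcp)):  # explicit, but without effect
            findings.append(("DHCP", key, "ignored because Anonymize= is true"))
        for key, (default, effect) in DHCP_TRUST.items():
            if key not in ignored and effective(dhcp, key, default) in TRUE:
                findings.append(("DHCP", key, effect))
    # Assumption: RA settings are audited unless IPv6AcceptRA= is explicitly false.
    if net.get("IPv6AcceptRA", "yes").lower() not in FALSE:
        ra = cfg.get("IPv6AcceptRA", {})
        for key, (default, effect) in RA_TRUST.items():
            if effective(ra, key, default) in TRUE:
                findings.append(("IPv6AcceptRA", key, effect))
    return findings


# Example 2 from this page: nothing but DHCP=yes.
MINIMAL = "[Match]\nName=en*\n\n[Network]\nDHCP=yes\n"
# Constructed sample for an untrusted network; the DNS= value is a documentation address.
HARDENED = (
    "[Match]\nName=en*\n"
    "[Network]\nDHCP=ipv4\nIPv6AcceptRA=no\nDNS=192.0.2.53\n"
    "[DHCP]\nUseDNS=no\nUseNTP=no\nUseHostname=false\n"
    "UseDomains=route\nAnonymize=yes\nSendHostname=yes\n"
)

if __name__ == "__main__":
    for name, text in (("minimal", MINIMAL), ("hardened", HARDENED)):
        for finding in audit(text):
            print(name, *finding, sep=": ")
```

For the minimal file the audit reports six settings that the network controls although the file names none of them; the hardened sample leaves only the SendHostname= assignment, which Anonymize= overrides.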
927 The "[DHCPServer]" section contains settings for the DHCP server, if
928 enabled via the DHCPServer= option described above:
929
930 PoolOffset=, PoolSize=
931 Configures the pool of addresses to hand out. The pool is a
932 contiguous sequence of IP addresses in the subnet configured for
933 the server address, which does not include the subnet nor the
934 broadcast address. PoolOffset= takes the offset of the pool from
935 the start of subnet, or zero to use the default value. PoolSize=
936 takes the number of IP addresses in the pool or zero to use the
937 default value. By default, the pool starts at the first address
938 after the subnet address and takes up the rest of the subnet,
939 excluding the broadcast address. If the pool includes the server
940 address (the default), this is reserved and not handed out to
941 clients.
942
943 DefaultLeaseTimeSec=, MaxLeaseTimeSec=
944 Control the default and maximum DHCP lease time to pass to clients.
945 These settings take time values in seconds or another common time
946 unit, depending on the suffix. The default lease time is used for
947 clients that did not ask for a specific lease time. If a client
948 asks for a lease time longer than the maximum lease time, it is
949 automatically shortened to the specified time. The default lease
950 time defaults to 1h, the maximum lease time to 12h. Shorter lease
951 times are beneficial if the configuration data in DHCP leases
952 changes frequently and clients shall learn the new settings with
953 shorter latencies. Longer lease times reduce the generated DHCP
954 network traffic.
955
956 EmitDNS=, DNS=
957 Configures whether the DHCP leases handed out to clients shall
958 contain DNS server information. The EmitDNS= setting takes a
959 boolean argument and defaults to "yes". The DNS servers to pass to
960 clients may be configured with the DNS= option, which takes a list
961 of IPv4 addresses. If the EmitDNS= option is enabled but no servers
962 are configured, the servers are automatically propagated from an
963 "uplink" interface that has appropriate servers set. The "uplink"
964 interface is determined by the default route of the system with the
965 highest priority. Note that this information is acquired at the
966 time the lease is handed out, and does not take uplink interfaces
967 into account that acquire DNS or NTP server information at a later
968 point. DNS server propagation does not take /etc/resolv.conf into
969 account. Also, note that the leases are not refreshed if the uplink
970 network configuration changes. To ensure clients regularly acquire
971 the most current uplink DNS server information, it is thus
972 advisable to shorten the DHCP lease time via MaxLeaseTimeSec=
973 described above.
974
975 EmitNTP=, NTP=
976 Similar to the EmitDNS= and DNS= settings described above, these
977 settings configure whether and what NTP server information shall be
978 emitted as part of the DHCP lease. The same syntax, propagation
979 semantics and defaults apply as for EmitDNS= and DNS=.
980
981 EmitRouter=
982 Similar to the EmitDNS= setting described above, this setting
983 configures whether the DHCP lease should contain the router option.
984 The same syntax, propagation semantics and defaults apply as for
985 EmitDNS=.
986
987 EmitTimezone=, Timezone=
988 Configures whether the DHCP leases handed out to clients shall
989 contain timezone information. The EmitTimezone= setting takes a
990 boolean argument and defaults to "yes". The Timezone= setting takes
991 a timezone string (such as "Europe/Berlin" or "UTC") to pass to
992 clients. If no explicit timezone is set, the system timezone of the
993 local host is propagated, as determined by the /etc/localtime
994 symlink.
995
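To see which addresses a given PoolOffset=/PoolSize= pair will hand out, the pool arithmetic described for the "[DHCPServer]" section can be modelled as below. This is an added example, not systemd-networkd's code: `dhcp_pool` and `static_conflicts` are hypothetical names, the addresses are sample values, and rejecting out-of-range values with ValueError is an assumption.

```python
import ipaddress


def dhcp_pool(server_cidr, pool_offset=0, pool_size=0):
    """Return (first, last, leasable) for a [DHCPServer] pool on the server's subnet.

    server_cidr is the address of the serving interface, e.g. "192.168.0.15/24".
    Zero for pool_offset or pool_size selects the default described in the text.
    """
    iface = ipaddress.IPv4Interface(server_cidr)
    net = iface.network
    if net.prefixlen > 30:
        raise ValueError("subnet too small to hold a pool")
    if iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError("server address must be a host address")
    usable = net.num_addresses - 2            # subnet and broadcast address excluded
    offset = pool_offset or 1                 # default: first address after the subnet address
    if not 1 <= offset <= usable:
        raise ValueError("PoolOffset= lies outside the subnet")
    size = pool_size or usable - offset + 1   # default: the rest of the subnet
    if not 1 <= size <= usable - offset + 1:
        raise ValueError("PoolSize= runs past the last host address")
    first = net.network_address + offset
    last = first + size - 1
    reserved = 1 if first <= iface.ip <= last else 0  # server address is never leased
    return first, last, size - reserved


def static_conflicts(server_cidr, static_hosts, pool_offset=0, pool_size=0):
    """Statically addressed hosts (a hypothetical inventory) that fall inside the pool."""
    first, last, _ = dhcp_pool(server_cidr, pool_offset, pool_size)
    server = ipaddress.IPv4Interface(server_cidr).ip
    return [h for h in static_hosts
            if first <= ipaddress.IPv4Address(h) <= last
            and ipaddress.IPv4Address(h) != server]


if __name__ == "__main__":
    print(dhcp_pool("192.168.0.15/24"))                 # default pool
    print(dhcp_pool("192.168.0.1/24", 100, 50))         # PoolOffset=100, PoolSize=50
    print(static_conflicts("192.168.0.1/24", ["192.168.0.10", "192.168.0.120"], 100, 50))
```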
997 The "[IPv6PrefixDelegation]" section contains settings for sending IPv6
998 Router Advertisements and whether to act as a router, if enabled via
999 the IPv6PrefixDelegation= option described above. IPv6 network prefixes
1000 are defined with one or more "[IPv6Prefix]" sections.
1001
1002 Managed=, OtherInformation=
1003 Controls whether a DHCPv6 server is used to acquire IPv6 addresses
1004 on the network link when Managed= boolean is set to "true" or if
1005 only additional network information can be obtained via DHCPv6 for
1006 the network link when OtherInformation= boolean is set to "true".
1007 Both settings default to "false", which means that a DHCPv6 server
1008 is not being used.
1009
1010 RouterLifetimeSec=
1011 Configures the IPv6 router lifetime in seconds. If set, this host
1012 also announces itself in Router Advertisements as an IPv6 router
1013 for the network link. Defaults to unset, which means the host is
1014 not acting as a router.
1015
1016 RouterPreference=
1017 Configures IPv6 router preference if RouterLifetimeSec= is
1018 non-zero. Valid values are "high", "medium" and "low", with
1019 "normal" and "default" added as synonyms for "medium" just to make
1020 configuration easier. See RFC 4191[13] for details. Defaults to
1021 "medium".
1022
1023 EmitDNS=, DNS=
1024 DNS= specifies a list of recursive DNS server IPv6 addresses that
1025 are distributed via Router Advertisement messages when EmitDNS= is
1026 true. If DNS= is empty, DNS servers are read from the "[Network]"
1027 section. If the "[Network]" section does not contain any DNS
1028 servers either, DNS servers from the uplink with the highest
1029 priority default route are used. When EmitDNS= is false, no DNS
1030 server information is sent in Router Advertisement messages.
1031 EmitDNS= defaults to true.
1032
1033 EmitDomains=, Domains=
1034 A list of DNS search domains distributed via Router Advertisement
1035 messages when EmitDomains= is true. If Domains= is empty, DNS
1036 search domains are read from the "[Network]" section. If the
1037 "[Network]" section does not contain any DNS search domains either,
1038 DNS search domains from the uplink with the highest priority
1039 default route are used. When EmitDomains= is false, no DNS search
1040 domain information is sent in Router Advertisement messages.
1041 EmitDomains= defaults to true.
1042
1043 DNSLifetimeSec=
1044 Lifetime in seconds for the DNS server addresses listed in DNS= and
1045 search domains listed in Domains=.
1046
1048 One or more "[IPv6Prefix]" sections contain the IPv6 prefixes that are
1049 announced via Router Advertisements. See RFC 4861[16] for further
1050 details.
1051
1052 AddressAutoconfiguration=, OnLink=
1053 Boolean values to specify whether IPv6 addresses can be
1054 autoconfigured with this prefix and whether the prefix can be used
1055 for onlink determination. Both settings default to "true" in order
1056 to ease configuration.
1057
1058 Prefix=
1059 The IPv6 prefix that is to be distributed to hosts. Similarly to
1060 configuring static IPv6 addresses, the setting is configured as an
1061 IPv6 prefix and its prefix length, separated by a "/" character.
1062 Use multiple "[IPv6Prefix]" sections to configure multiple IPv6
1063 prefixes since prefix lifetimes, address autoconfiguration and
1064 onlink status may differ from one prefix to another.
1065
1066 PreferredLifetimeSec=, ValidLifetimeSec=
1067 Preferred and valid lifetimes for the prefix measured in seconds.
1068 PreferredLifetimeSec= defaults to 604800 seconds (one week) and
1069 ValidLifetimeSec= defaults to 2592000 seconds (30 days).
1070
1072 The "[Bridge]" section accepts the following keys.
1073
1074 UnicastFlood=
1075 A boolean. Controls whether the bridge should flood traffic for
1076 which an FDB entry is missing and the destination is unknown
1077 through this port. Defaults to unset.
1078
1079 HairPin=
1080 A boolean. Configures whether traffic may be sent back out of the
1081 port on which it was received. Defaults to unset. When this flag is
1082 false, the bridge will not forward traffic back out of the
1083 receiving port.
1084
1085 UseBPDU=
1086 A boolean. Configures whether STP Bridge Protocol Data Units will
1087 be processed by the bridge port. Defaults to unset.
1088
1089 FastLeave=
1090 A boolean. This flag allows the bridge to immediately stop
1091 multicast traffic on a port that receives an IGMP Leave message. It
1092 is only used with IGMP snooping if enabled on the bridge. Defaults
1093 to unset.
1094
1095 AllowPortToBeRoot=
1096 A boolean. Configures whether a given port is allowed to become a
1097 root port. Only used when STP is enabled on the bridge. Defaults to
1098 unset.
1099
1100 Cost=
1101 Sets the "cost" of sending packets on this interface. Each port in
1102 a bridge may have a different speed and the cost is used to decide
1103 which link to use. Faster interfaces should have lower costs. It is
1104 an integer value between 1 and 65535.
1105
1106 Priority=
1107 Sets the "priority" of sending packets on this interface. Each port
1108 in a bridge may have a different priority which is used to decide
1109 which link to use. Lower value means higher priority. It is an
1110 integer value between 0 and 63. Networkd does not set any default,
1111 meaning the kernel default value of 32 is used.
1112
1114 The "[BridgeFDB]" section manages the forwarding database table of a
1115 port and accepts the following keys. Specify several "[BridgeFDB]"
1116 sections to configure several static MAC table entries.
1117
1118 MACAddress=
1119 As in the "[Network]" section. This key is mandatory.
1120
1121 VLANId=
1122 The VLAN ID for the new static MAC table entry. If omitted, no VLAN
1123 ID information is appended to the new static MAC table entry.
1124
1126 The "[CAN]" section manages the Controller Area Network (CAN bus) and
1127 accepts the following keys.
1128
1129 BitRate=
1130 The bitrate of the CAN device in bits per second. The usual SI prefixes
1131 (K, M) with the base of 1000 can be used here.
1132
1133 SamplePoint=
1134 Optional sample point in percent with one decimal (e.g. "75%",
1135 "87.5%") or permille (e.g. "875‰").
1136
1137 RestartSec=
1138 Automatic restart delay time. If set to a non-zero value, a restart
1139 of the CAN controller will be triggered automatically in case of a
1140 bus-off condition after the specified delay time. Subsecond delays
1141 can be specified using decimals (e.g. "0.1s") or a "ms" or "us"
1142 postfix. Using "infinity" or "0" will turn the automatic restart
1143 off. By default automatic restart is disabled.
1144
1146 The "[BridgeVLAN]" section manages the VLAN ID configuration of a
1147 bridge port and accepts the following keys. Specify several
1148 "[BridgeVLAN]" sections to configure several VLAN entries. The
1149 VLANFiltering= option has to be enabled, see "[Bridge]" section in
1150 systemd.netdev(5).
1151
1152 VLAN=
1153 The VLAN ID allowed on the port. This can be either a single ID or
1154 a range M-N. VLAN IDs are valid from 1 to 4094.
1155
1156 EgressUntagged=
1157 The VLAN ID specified here will be used to untag frames on egress.
1158 Configuring EgressUntagged= implies the use of VLAN= above and
1159 will enable the VLAN ID for ingress as well. This can be either a
1160 single ID or a range M-N.
1161
1162 PVID=
1163 The Port VLAN ID specified here is assigned to all untagged frames
1164 at ingress. PVID= can be used only once. Configuring PVID=
1165 implies the use of VLAN= above and will enable the VLAN ID for
1166 ingress as well.
1167
1169 Example 1. Static network configuration
1170
1171 # /etc/systemd/network/50-static.network
1172 [Match]
1173 Name=enp2s0
1174
1175 [Network]
1176 Address=192.168.0.15/24
1177 Gateway=192.168.0.1
1178
1179 This brings interface "enp2s0" up with a static address. The specified
1180 gateway will be used for a default route.
1181
1182 Example 2. DHCP on ethernet links
1183
1184 # /etc/systemd/network/80-dhcp.network
1185 [Match]
1186 Name=en*
1187
1188 [Network]
1189 DHCP=yes
1190
1191 This will enable DHCPv4 and DHCPv6 on all interfaces with names
1192 starting with "en" (i.e. ethernet interfaces).
1193
1194 Example 3. A bridge with two enslaved links
1195
1196 # /etc/systemd/network/25-bridge-static.network
1197 [Match]
1198 Name=bridge0
1199
1200 [Network]
1201 Address=192.168.0.15/24
1202 Gateway=192.168.0.1
1203 DNS=192.168.0.1
1204
1205 # /etc/systemd/network/25-bridge-slave-interface-1.network
1206 [Match]
1207 Name=enp2s0
1208
1209 [Network]
1210 Bridge=bridge0
1211
1212 # /etc/systemd/network/25-bridge-slave-interface-2.network
1213 [Match]
1214 Name=wlp3s0
1215
1216 [Network]
1217 Bridge=bridge0
1218
1219 This creates a bridge and attaches devices "enp2s0" and "wlp3s0" to it.
1220 The bridge will have the specified static address and network assigned,
1221 and a default route via the specified gateway will be added. The
1222 specified DNS server will be added to the global list of DNS resolvers.
1223
1224 Example 4.
1225
1226 # /etc/systemd/network/20-bridge-slave-interface-vlan.network
1227 [Match]
1228 Name=enp2s0
1229
1230 [Network]
1231 Bridge=bridge0
1232
1233 [BridgeVLAN]
1234 VLAN=1-32
1235 PVID=42
1236 EgressUntagged=42
1237
1238 [BridgeVLAN]
1239 VLAN=100-200
1240
1241 [BridgeVLAN]
1242 EgressUntagged=300-400
1243
1244 This overrides the configuration specified in the previous example for
1245 the interface "enp2s0", and enables VLAN on that bridge port. VLAN IDs
1246 1-32, 42, 100-400 will be allowed. Packets tagged with VLAN IDs 42,
1247 300-400 will be untagged when they leave on this interface. Untagged
1248 packets which arrive on this interface will be assigned VLAN ID 42.
1249
1250 Example 5. Various tunnels
1251
1252 # /etc/systemd/network/25-tunnels.network
1253 [Match]
1254 Name=ens1
1255
1256 [Network]
1257 Tunnel=ipip-tun
1258 Tunnel=sit-tun
1259 Tunnel=gre-tun
1260 Tunnel=vti-tun
1261
1262
1263 # /etc/systemd/network/25-tunnel-ipip.netdev
1264 [NetDev]
1265 Name=ipip-tun
1266 Kind=ipip
1267
1268
1269 # /etc/systemd/network/25-tunnel-sit.netdev
1270 [NetDev]
1271 Name=sit-tun
1272 Kind=sit
1273
1274
1275 # /etc/systemd/network/25-tunnel-gre.netdev
1276 [NetDev]
1277 Name=gre-tun
1278 Kind=gre
1279
1280
1281 # /etc/systemd/network/25-tunnel-vti.netdev
1282 [NetDev]
1283 Name=vti-tun
1284 Kind=vti
1285
1286
1287 This will bring interface "ens1" up and create an IPIP tunnel, a SIT
1288 tunnel, a GRE tunnel, and a VTI tunnel using it.
1289
1290 Example 6. A bond device
1291
1292 # /etc/systemd/network/30-bond1.network
1293 [Match]
1294 Name=bond1
1295
1296 [Network]
1297 DHCP=ipv6
1298
1299 # /etc/systemd/network/30-bond1.netdev
1300 [NetDev]
1301 Name=bond1
1302 Kind=bond
1303
1304 # /etc/systemd/network/30-bond1-dev1.network
1305 [Match]
1306 MACAddress=52:54:00:e9:64:41
1307
1308 [Network]
1309 Bond=bond1
1310
1311 # /etc/systemd/network/30-bond1-dev2.network
1312 [Match]
1313 MACAddress=52:54:00:e9:64:42
1314
1315 [Network]
1316 Bond=bond1
1317
1318 This will create a bond device "bond1" and enslave the two devices with
1319 MAC addresses 52:54:00:e9:64:41 and 52:54:00:e9:64:42 to it. IPv6 DHCP
1320 will be used to acquire an address.
1321
1322 Example 7. Virtual Routing and Forwarding (VRF)
1323
1324 Add the "bond1" interface to the VRF master interface "vrf1". This will
1325 redirect routes generated on this interface to be within the routing
1326 table defined during VRF creation. For kernels before 4.8 traffic won't
1327 be redirected towards the VRF's routing table unless specific ip-rules
1328 are added.
1329
1330 # /etc/systemd/network/25-vrf.network
1331 [Match]
1332 Name=bond1
1333
1334 [Network]
1335 VRF=vrf1
1336
1337 Example 8. MacVTap
1338
1339 This brings up a network interface "macvtap-test" and attaches it to
1340 "enp0s25".
1341
1342 # /usr/lib/systemd/network/25-macvtap.network
1343 [Match]
1344 Name=enp0s25
1345
1346 [Network]
1347 MACVTAP=macvtap-test
1348
1350 systemd(1), systemd-networkd.service(8), systemd.link(5),
1351 systemd.netdev(5), systemd-resolved.service(8)
1352
1354 1. Link-Local Multicast Name Resolution
1355 https://tools.ietf.org/html/rfc4795
1356
1357 2. Multicast DNS
1358 https://tools.ietf.org/html/rfc6762
1359
1360 3. DNS-over-TLS
1361 https://tools.ietf.org/html/rfc7858
1362
1363 4. DNSSEC
1364 https://tools.ietf.org/html/rfc4033
1365
1366 5. IEEE 802.1AB-2016
1367 https://standards.ieee.org/findstds/standard/802.1AB-2016.html
1368
1369 6. ip-sysctl.txt
1370 https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
1371
1372 7. RFC 4941
1373 https://tools.ietf.org/html/rfc4941
1374
1375 8. RFC 1027
1376 https://tools.ietf.org/html/rfc1027
1377
1378 9. RFC 6275
1379 https://tools.ietf.org/html/rfc6275
1380
1381 10. RFC 4862
1382 https://tools.ietf.org/html/rfc4862
1383
1384 11. RFC 3041
1385 https://tools.ietf.org/html/rfc3041
1386
1387 12. RFC 3484
1388 https://tools.ietf.org/html/rfc3484
1389
1390 13. RFC4191
1391 https://tools.ietf.org/html/rfc4191
1392
1393 14. RFC 7844
1394 https://tools.ietf.org/html/rfc7844
1395
1396 15. RFC 3315
1397 https://tools.ietf.org/html/rfc3315#section-17.2.1
1398
1399 16. RFC 4861
1400 https://tools.ietf.org/html/rfc4861
1401
1402
1403
1404systemd 239 SYSTEMD.NETWORK(5)