SYSTEMD.NETWORK(5) systemd.network SYSTEMD.NETWORK(5)

systemd.network - Network configuration

network.network

Network setup is performed by systemd-networkd(8).

The main network file must have the extension .network; other
extensions are ignored. Networks are applied to links whenever the
links appear.

The .network files are read from the files located in the system
network directory /usr/lib/systemd/network, the volatile runtime
network directory /run/systemd/network and the local administration
network directory /etc/systemd/network. All configuration files are
collectively sorted and processed in lexical order, regardless of the
directories in which they live. However, files with identical filenames
replace each other. Files in /etc have the highest priority, files in
/run take precedence over files with the same name in /usr/lib. This
can be used to override a system-supplied configuration file with a
local file if needed. As a special case, an empty file (file size 0) or
symlink with the same name pointing to /dev/null disables the
configuration file entirely (it is "masked").

Along with the network file foo.network, a "drop-in" directory
foo.network.d/ may exist. All files with the suffix ".conf" from this
directory will be parsed after the file itself is parsed. This is
useful to alter or add configuration settings, without having to modify
the main configuration file. Each drop-in file must have appropriate
section headers.

In addition to /etc/systemd/network, drop-in ".d" directories can be
placed in /usr/lib/systemd/network or /run/systemd/network directories.
Drop-in files in /etc take precedence over those in /run which in turn
take precedence over those in /usr/lib. Drop-in files under any of
these directories take precedence over the main network file wherever
located. (Of course, since /run is temporary and /usr/lib is for
vendors, it is unlikely drop-ins should be used in either of those
places.)
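
The lookup rules above (same-name replacement across directories, masking, drop-ins), as an added Python example that is not part of this manual page or of systemd: it resolves which files and drop-ins would be read under a given root, which is the first thing to establish when auditing what actually configures a link. The sample tree and its file names are constructed, and treating same-named drop-ins as replacing each other across directories is an assumption drawn from the precedence rule above.

```python
import os
import tempfile
from pathlib import Path

# Search directories from lowest to highest priority, per the text above.
SEARCH_DIRS = ("usr/lib/systemd/network", "run/systemd/network", "etc/systemd/network")


def is_masked(path):
    """True for an empty file or a symlink to /dev/null (the file is "masked")."""
    if path.is_symlink() and os.readlink(path) == "/dev/null":
        return True
    return path.is_file() and path.stat().st_size == 0


def effective_network_files(root):
    """Resolve which .network files and drop-ins would be read under root.

    Returns (active, masked): active is a list of (name, path, [drop-in paths])
    in lexical processing order; masked is a sorted list of disabled names.
    """
    root = Path(root)
    winners = {}   # file name -> path from the highest-priority directory
    dropins = {}   # file name -> {drop-in name -> path}
    for rel in SEARCH_DIRS:
        directory = root / rel
        if not directory.is_dir():
            continue
        for entry in directory.iterdir():
            if entry.name.endswith(".network") and not entry.is_dir():
                winners[entry.name] = entry        # same name: later dir replaces
            elif entry.name.endswith(".network.d") and entry.is_dir():
                per_file = dropins.setdefault(entry.name[:-2], {})
                for conf in entry.glob("*.conf"):
                    per_file[conf.name] = conf     # assumption: same name replaces
    active, masked = [], []
    for name in sorted(winners):                   # one lexical order for all dirs
        if is_masked(winners[name]):
            masked.append(name)
            continue
        confs = dropins.get(name, {})
        active.append((name, winners[name], [confs[c] for c in sorted(confs)]))
    return active, masked


def build_sample_tree(root):
    """Constructed sample layout; every file name here is made up."""
    root = Path(root)
    lib, run, etc = (rel + "/" for rel in SEARCH_DIRS)
    files = {
        lib + "80-vendor.network": "[Match]\nName=en*\n[Network]\nDHCP=yes\n",
        lib + "99-default.network": "[Match]\nName=*\n[Network]\nDHCP=yes\n",
        run + "10-lab.network": "[Match]\nName=eth0\n[Network]\nDHCP=ipv4\n",
        etc + "10-lab.network": "[Match]\nName=eth0\n[Network]\nAddress=192.0.2.10/24\n",
        lib + "10-lab.network.d/05-vendor.conf": "[Network]\nLLMNR=no\n",
        lib + "10-lab.network.d/override.conf": "[Network]\nLLDP=no\n",
        etc + "10-lab.network.d/override.conf": "[Network]\nEmitLLDP=no\n",
        etc + "notes.txt": "ignored: wrong extension\n",
    }
    for rel, text in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    # Mask the vendor default from /etc with a symlink to /dev/null.
    os.symlink("/dev/null", root / (etc + "99-default.network"))
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        active, masked = effective_network_files(build_sample_tree(tmp))
        for name, path, confs in active:
            print(name, "<-", path.relative_to(tmp))
            for conf in confs:
                print("    drop-in:", conf.relative_to(tmp))
        print("masked:", masked)
```

Pointing `effective_network_files` at `/` on a live host lists the real files; a file in /run or an unexpected mask in /etc that changes the winner is worth explaining before trusting the vendor configuration.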

Note that an interface without any static IPv6 addresses configured,
and neither DHCPv6 nor IPv6LL enabled, shall be considered to have no
IPv6 support. IPv6 will be automatically disabled for that interface by
writing "1" to /proc/sys/net/ipv6/conf/ifname/disable_ipv6.

The network file contains a "[Match]" section, which determines if a
given network file may be applied to a given device; and a "[Network]"
section specifying how the device should be configured. The first (in
lexical order) of the network files that matches a given device is
applied, all later files are ignored, even if they match as well.

A network file is said to match a device if each of the entries in the
"[Match]" section matches, or if the section is empty. The following
keys are accepted:

MACAddress=
A whitespace-separated list of hardware addresses. Use full colon-,
hyphen- or dot-delimited hexadecimal. See the example below. This
option may appear more than once, in which case the lists are
merged. If the empty string is assigned to this option, the list of
hardware addresses defined prior to this is reset.

Example:

MACAddress=01:23:45:67:89:ab 00-11-22-33-44-55 AABB.CCDD.EEFF

Path=
A whitespace-separated list of shell-style globs matching the
persistent path, as exposed by the udev property "ID_PATH". If the
list is prefixed with a "!", the test is inverted; i.e. it is true
when "ID_PATH" does not match any item in the list.

Driver=
A whitespace-separated list of shell-style globs matching the
driver currently bound to the device, as exposed by the udev
property "DRIVER" of its parent device, or if that is not set the
driver as exposed by "ethtool -i" of the device itself. If the list
is prefixed with a "!", the test is inverted.

Type=
A whitespace-separated list of shell-style globs matching the
device type, as exposed by the udev property "DEVTYPE". If the list
is prefixed with a "!", the test is inverted.

Name=
A whitespace-separated list of shell-style globs matching the
device name, as exposed by the udev property "INTERFACE". If the
list is prefixed with a "!", the test is inverted.

Host=
Matches against the hostname or machine ID of the host. See
"ConditionHost=" in systemd.unit(5) for details. When prefixed with
an exclamation mark ("!"), the result is negated. If an empty
string is assigned, the previously assigned value is cleared.

Virtualization=
Checks whether the system is executed in a virtualized environment
and optionally tests whether it is a specific implementation. See
"ConditionVirtualization=" in systemd.unit(5) for details. When
prefixed with an exclamation mark ("!"), the result is negated. If
an empty string is assigned, the previously assigned value is
cleared.

KernelCommandLine=
Checks whether a specific kernel command line option is set. See
"ConditionKernelCommandLine=" in systemd.unit(5) for details. When
prefixed with an exclamation mark ("!"), the result is negated. If
an empty string is assigned, the previously assigned value is
cleared.

KernelVersion=
Checks whether the kernel version (as reported by uname -r) matches
a certain expression. See "ConditionKernelVersion=" in
systemd.unit(5) for details. When prefixed with an exclamation mark
("!"), the result is negated. If an empty string is assigned, the
previously assigned value is cleared.

Architecture=
Checks whether the system is running on a specific architecture.
See "ConditionArchitecture=" in systemd.unit(5) for details. When
prefixed with an exclamation mark ("!"), the result is negated. If
an empty string is assigned, the previously assigned value is
cleared.

The "[Link]" section accepts the following keys:

MACAddress=
The hardware address to set for the device.

MTUBytes=
The maximum transmission unit in bytes to set for the device. The
usual suffixes K, M, G, are supported and are understood to the
base of 1024.

Note that if IPv6 is enabled on the interface, and the MTU is
chosen below 1280 (the minimum MTU for IPv6) it will automatically
be increased to this value.

ARP=
Takes a boolean. If set to true, the ARP (low-level Address
Resolution Protocol) for this interface is enabled. When unset, the
kernel's default will be used.

For example, disabling ARP is useful when creating multiple MACVLAN
or VLAN virtual interfaces atop a single lower-level physical
interface, which will then only serve as a link/"bridge" device
aggregating traffic to the same physical link and not participate
in the network otherwise.

Multicast=
Takes a boolean. If set to true, the multicast flag on the device
is enabled.

AllMulticast=
Takes a boolean. If set to true, the driver retrieves all multicast
packets from the network. This happens when multicast routing is
enabled.

Unmanaged=
Takes a boolean. When "yes", no attempts are made to bring up or
configure matching links, equivalent to when there are no matching
network files. Defaults to "no".

This is useful for preventing later matching network files from
interfering with certain interfaces that are fully controlled by
other applications.

RequiredForOnline=
Takes a boolean. When "yes", the network is deemed required when
determining whether the system is online when running
"systemd-networkd-wait-online". When "no", the network is ignored
when checking for online state. Defaults to "yes".

The network will be brought up normally in all cases, but in the
event that there is no address being assigned by DHCP or the cable
is not plugged in, the link will simply remain offline and be
skipped automatically by "systemd-networkd-wait-online" if
"RequiredForOnline=no".

The "[Network]" section accepts the following keys:

Description=
A description of the device. This is only used for presentation
purposes.

DHCP=
Enables DHCPv4 and/or DHCPv6 client support. Accepts "yes", "no",
"ipv4", or "ipv6". Defaults to "no".

Note that DHCPv6 will by default be triggered by Router
Advertisement, if that is enabled, regardless of this parameter. By
enabling DHCPv6 support explicitly, the DHCPv6 client will be
started regardless of the presence of routers on the link, or what
flags the routers pass. See "IPv6AcceptRA=".

Furthermore, note that by default the domain name specified through
DHCP is not used for name resolution. See option UseDomains= below.

See the "[DHCP]" section below for further configuration options
for the DHCP client support.

DHCPServer=
Takes a boolean. If set to "yes", DHCPv4 server will be started.
Defaults to "no". Further settings for the DHCP server may be set
in the "[DHCPServer]" section described below.

LinkLocalAddressing=
Enables link-local address autoconfiguration. Accepts "yes", "no",
"ipv4", or "ipv6". Defaults to "ipv6".

IPv4LLRoute=
Takes a boolean. If set to true, sets up the route needed for
non-IPv4LL hosts to communicate with IPv4LL-only hosts. Defaults to
false.

IPv6Token=
An IPv6 address with the top 64 bits unset. When set, indicates the
64-bit interface part of SLAAC IPv6 addresses for this link. Note
that the token is only ever used for SLAAC, and not for DHCPv6
addresses, even in the case DHCP is requested by router
advertisement. By default, the token is autogenerated.

LLMNR=
Takes a boolean or "resolve". When true, enables Link-Local
Multicast Name Resolution[1] on the link. When set to "resolve",
only resolution is enabled, but not host registration and
announcement. Defaults to true. This setting is read by
systemd-resolved.service(8).

MulticastDNS=
Takes a boolean or "resolve". When true, enables Multicast DNS[2]
support on the link. When set to "resolve", only resolution is
enabled, but not host or service registration and announcement.
Defaults to false. This setting is read by
systemd-resolved.service(8).

DNSOverTLS=
Takes false or "opportunistic". When set to "opportunistic",
enables DNS-over-TLS[3] support on the link. This option defines a
per-interface setting for resolved.conf(5)'s global DNSOverTLS=
option. Defaults to false. This setting is read by
systemd-resolved.service(8).

DNSSEC=
Takes a boolean or "allow-downgrade". When true, enables DNSSEC[4]
DNS validation support on the link. When set to "allow-downgrade",
compatibility with non-DNSSEC capable networks is increased, by
automatically turning off DNSSEC in this case. This option defines
a per-interface setting for resolved.conf(5)'s global DNSSEC=
option. Defaults to false. This setting is read by
systemd-resolved.service(8).

DNSSECNegativeTrustAnchors=
A space-separated list of DNSSEC negative trust anchor domains. If
specified and DNSSEC is enabled, look-ups done via the interface's
DNS server will be subject to the list of negative trust anchors,
and not require authentication for the specified domains, or
anything below it. Use this to disable DNSSEC authentication for
specific private domains, that cannot be proven valid using the
Internet DNS hierarchy. Defaults to the empty list. This setting is
read by systemd-resolved.service(8).

LLDP=
Controls support for Ethernet LLDP packet reception. LLDP is a
link-layer protocol commonly implemented on professional routers
and bridges which announces which physical port a system is
connected to, as well as other related data. Accepts a boolean or
the special value "routers-only". When true, incoming LLDP packets
are accepted and a database of all LLDP neighbors maintained. If
"routers-only" is set only LLDP data of various types of routers is
collected and LLDP data about other types of devices ignored (such
as stations, telephones and others). If false, LLDP reception is
disabled. Defaults to "routers-only". Use networkctl(1) to query
the collected neighbor data. LLDP is only available on Ethernet
links. See EmitLLDP= below for enabling LLDP packet emission from
the local system.

EmitLLDP=
Controls support for Ethernet LLDP packet emission. Accepts a
boolean parameter or the special values "nearest-bridge",
"non-tpmr-bridge" and "customer-bridge". Defaults to false, which
turns off LLDP packet emission. If not false, a short LLDP packet
with information about the local system is sent out in regular
intervals on the link. The LLDP packet will contain information
about the local host name, the local machine ID (as stored in
machine-id(5)) and the local interface name, as well as the pretty
hostname of the system (as set in machine-info(5)). LLDP emission
is only available on Ethernet links. Note that this setting passes
data suitable for identification of host to the network and should
thus not be enabled on untrusted networks, where such
identification data should not be made available. Use this option
to permit other systems to identify on which interfaces they are
connected to this system. The three special values control
propagation of the LLDP packets. The "nearest-bridge" setting
permits propagation only to the nearest connected bridge,
"non-tpmr-bridge" permits propagation across Two-Port MAC Relays,
but not any other bridges, and "customer-bridge" permits
propagation until a customer bridge is reached. For details about
these concepts, see IEEE 802.1AB-2016[5]. Note that configuring
this setting to true is equivalent to "nearest-bridge", the
recommended and most restricted level of propagation. See LLDP=
above for an option to enable LLDP reception.

BindCarrier=
A link name or a list of link names. When set, controls the
behavior of the current link. When all links in the list are in an
operational down state, the current link is brought down. When at
least one link has carrier, the current interface is brought up.

Address=
A static IPv4 or IPv6 address and its prefix length, separated by a
"/" character. Specify this key more than once to configure several
addresses. The format of the address must be as described in
inet_pton(3). This is a short-hand for an [Address] section only
containing an Address key (see below). This option may be specified
more than once.

If the specified address is 0.0.0.0 (for IPv4) or [::] (for IPv6),
a new address range of the requested size is automatically
allocated from a system-wide pool of unused ranges. The allocated
range is checked against all current network interfaces and all
known network configuration files to avoid address range conflicts.
The default system-wide pool consists of 192.168.0.0/16,
172.16.0.0/12 and 10.0.0.0/8 for IPv4, and fc00::/7 for IPv6. This
functionality is useful to manage a large number of dynamically
created network interfaces with the same network configuration and
automatic address range assignment.

Gateway=
The gateway address, which must be in the format described in
inet_pton(3). This is a short-hand for a [Route] section only
containing a Gateway key. This option may be specified more than
once.

DNS=
A DNS server address, which must be in the format described in
inet_pton(3). This option may be specified more than once. This
setting is read by systemd-resolved.service(8).

Domains=
A list of domains which should be resolved using the DNS servers on
this link. Each item in the list should be a domain name,
optionally prefixed with a tilde ("~"). The domains with the prefix
are called "routing-only domains". The domains without the prefix
are called "search domains" and are first used as search suffixes
for extending single-label host names (host names containing no
dots) to become fully qualified domain names (FQDNs). If a
single-label host name is resolved on this interface, each of the
specified search domains are appended to it in turn, converting it
into a fully qualified domain name, until one of them may be
successfully resolved.

Both "search" and "routing-only" domains are used for routing of
DNS queries: look-ups for host names ending in those domains (hence
also single label names, if any "search domains" are listed), are
routed to the DNS servers configured for this interface. The domain
routing logic is particularly useful on multi-homed hosts with DNS
servers serving particular private DNS zones on each interface.

The "routing-only" domain "~." (the tilde indicating definition of
a routing domain, the dot referring to the DNS root domain which is
the implied suffix of all valid DNS names) has special effect. It
causes all DNS traffic which does not match another configured
domain routing entry to be routed to DNS servers specified for this
interface. This setting is useful to prefer a certain set of DNS
servers if a link on which they are connected is available.

This setting is read by systemd-resolved.service(8). "Search
domains" correspond to the domain and search entries in
resolv.conf(5). Domain name routing has no equivalent in the
traditional glibc API, which has no concept of domain name servers
limited to a specific link.

DNSDefaultRoute=
Takes a boolean argument. If true, this link's configured DNS
servers are used for resolving domain names that do not match any
link's configured Domains= setting. If false, this link's
configured DNS servers are never used for such domains, and are
exclusively used for resolving names that match at least one of the
domains configured on this link. If not specified defaults to an
automatic mode: queries not matching any link's configured domains
will be routed to this link if it has no routing-only domains
configured.

NTP=
An NTP server address. This option may be specified more than once.
This setting is read by systemd-timesyncd.service(8).

IPForward=
Configures IP packet forwarding for the system. If enabled,
incoming packets on any network interface will be forwarded to any
other interfaces according to the routing table. Takes a boolean,
or the values "ipv4" or "ipv6", which only enable IP packet
forwarding for the specified address family. This controls the
net.ipv4.ip_forward and net.ipv6.conf.all.forwarding sysctl options
of the network interface (see ip-sysctl.txt[6] for details about
sysctl options). Defaults to "no".

Note: this setting controls a global kernel option, and does so one
way only: if a network that has this setting enabled is set up the
global setting is turned on. However, it is never turned off again,
even after all networks with this setting enabled are shut down
again.

To allow IP packet forwarding only between specific network
interfaces use a firewall.

IPMasquerade=
Configures IP masquerading for the network interface. If enabled,
packets forwarded from the network interface will appear as
coming from the local host. Takes a boolean argument. Implies
IPForward=ipv4. Defaults to "no".

IPv6PrivacyExtensions=
Configures use of stateless temporary addresses that change over
time (see RFC 4941[7], Privacy Extensions for Stateless Address
Autoconfiguration in IPv6). Takes a boolean or the special values
"prefer-public" and "kernel". When true, enables the privacy
extensions and prefers temporary addresses over public addresses.
When "prefer-public", enables the privacy extensions, but prefers
public addresses over temporary addresses. When false, the privacy
extensions remain disabled. When "kernel", the kernel's default
setting will be left in place. Defaults to "no".

IPv6AcceptRA=
Takes a boolean. Controls IPv6 Router Advertisement (RA) reception
support for the interface. If true, RAs are accepted; if false, RAs
are ignored, independently of the local forwarding state. If unset,
the kernel's default is used, and RAs are accepted only when local
forwarding is disabled for that interface. When RAs are accepted,
they may trigger the start of the DHCPv6 client if the relevant
flags are set in the RA data, or if no routers are found on the
link.

Further settings for the IPv6 RA support may be configured in the
"[IPv6AcceptRA]" section, see below.

Also see ip-sysctl.txt[6] in the kernel documentation regarding
"accept_ra", but note that systemd's setting of 1 (i.e. true)
corresponds to kernel's setting of 2.

Note that if this option is enabled a userspace implementation of
the IPv6 RA protocol is used, and the kernel's own implementation
remains disabled, since `networkd` needs to know all details
supplied in the advertisements, and these are not available from
the kernel if the kernel's own implementation is used.

IPv6DuplicateAddressDetection=
Configures the amount of IPv6 Duplicate Address Detection (DAD)
probes to send. When unset, the kernel's default will be used.

IPv6HopLimit=
Configures IPv6 Hop Limit. For each router that forwards the
packet, the hop limit is decremented by 1. When the hop limit field
reaches zero, the packet is discarded. When unset, the kernel's
default will be used.

IPv4ProxyARP=
Takes a boolean. Configures proxy ARP for IPv4. Proxy ARP is the
technique in which one host, usually a router, answers ARP requests
intended for another machine. By "faking" its identity, the router
accepts responsibility for routing packets to the "real"
destination (see RFC 1027[8]). When unset, the kernel's default
will be used.

IPv6ProxyNDP=
Takes a boolean. Configures proxy NDP for IPv6. Proxy NDP (Neighbor
Discovery Protocol) is a technique for IPv6 to allow routing of
addresses to a different destination when peers expect them to be
present on a certain physical link. In this case a router answers
Neighbour Advertisement messages intended for another machine by
offering its own MAC address as destination. Unlike proxy ARP for
IPv4, it is not enabled globally, but will only send Neighbour
Advertisement messages for addresses in the IPv6 neighbor proxy
table, which can also be shown by ip -6 neighbour show proxy.
systemd-networkd will control the per-interface `proxy_ndp` switch
for each configured interface depending on this option. When unset,
the kernel's default will be used.

IPv6ProxyNDPAddress=
An IPv6 address, for which Neighbour Advertisement messages will be
proxied. This option may be specified more than once.
systemd-networkd will add the IPv6ProxyNDPAddress= entries to the
kernel's IPv6 neighbor proxy table. This option implies
IPv6ProxyNDP=yes but has no effect if IPv6ProxyNDP has been set to
false. When unset, the kernel's default will be used.

IPv6PrefixDelegation=
Whether to enable or disable Router Advertisement sending on a
link. Allowed values are "static" which distributes prefixes as
defined in the "[IPv6PrefixDelegation]" and any "[IPv6Prefix]"
sections, "dhcpv6" which requests prefixes using a DHCPv6 client
configured for another link and any values configured in the
"[IPv6PrefixDelegation]" section while ignoring all static prefix
configuration sections, "yes" which uses both static configuration
and DHCPv6, and "false" which turns off IPv6 prefix delegation
altogether. Defaults to "false". See the "[IPv6PrefixDelegation]"
and the "[IPv6Prefix]" sections for more configuration options.

IPv6MTUBytes=
Configures IPv6 maximum transmission unit (MTU). An integer greater
than or equal to 1280 bytes. When unset, the kernel's default will
be used.

Bridge=
The name of the bridge to add the link to. See systemd.netdev(5).

Bond=
The name of the bond to add the link to. See systemd.netdev(5).

VRF=
The name of the VRF to add the link to. See systemd.netdev(5).

VLAN=
The name of a VLAN to create on the link. See systemd.netdev(5).
This option may be specified more than once.

IPVLAN=
The name of an IPVLAN to create on the link. See systemd.netdev(5).
This option may be specified more than once.

MACVLAN=
The name of a MACVLAN to create on the link. See systemd.netdev(5).
This option may be specified more than once.

VXLAN=
The name of a VXLAN to create on the link. See systemd.netdev(5).
This option may be specified more than once.

Tunnel=
The name of a Tunnel to create on the link. See systemd.netdev(5).
This option may be specified more than once.

ActiveSlave=
Takes a boolean. Specifies the new active slave. The "ActiveSlave="
option is only valid for the following modes: "active-backup",
"balance-alb" and "balance-tlb". Defaults to false.

PrimarySlave=
Takes a boolean. Specifies which slave is the primary device. The
specified device will always be the active slave while it is
available. Only when the primary is off-line will alternate devices
be used. This is useful when one slave is preferred over another,
e.g. when one slave has higher throughput than another. The
"PrimarySlave=" option is only valid for the following modes:
"active-backup", "balance-alb" and "balance-tlb". Defaults to
false.

ConfigureWithoutCarrier=
Takes a boolean. Allows networkd to configure a specific link even
if it has no carrier. Defaults to false.
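
An added Python example (not part of this manual page or of systemd) that applies the defaults and implications documented above for a few "[Network]" keys to one file's text and reports the effective values that announce host data on the link or change global kernel state. The sample files, the selection of keys and all function names are this example's own, and drop-ins are not merged.

```python
# Defaults of the [Network] keys audited here, as stated on this page.
DEFAULTS = {
    "LLMNR": "yes", "MulticastDNS": "no", "EmitLLDP": "no",
    "IPForward": "no", "IPMasquerade": "no", "DNSSEC": "no",
}
TRUE = {"1", "yes", "true", "on"}      # boolean spellings systemd accepts
FALSE = {"0", "no", "false", "off"}

# Constructed sample: nothing here looks risky until defaults are applied.
SAMPLE = """\
[Match]
Name=eth0

[Network]
DHCP=yes
EmitLLDP=true
IPMasquerade=yes
MulticastDNS=resolve
"""

# Constructed stricter variant for a link on an untrusted network.
STRICT = """\
[Match]
Name=eth0

[Network]
DHCP=yes
LLMNR=no
MulticastDNS=no
EmitLLDP=no
DNSSEC=yes
"""


def parse_network_section(text):
    """Collect key/value pairs of the [Network] section; last assignment wins."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Network" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values[key] = value
    return values


def normalize(value):
    """Map boolean spellings to yes/no; pass special values through lowercased."""
    lowered = value.lower()
    if lowered in TRUE:
        return "yes"
    if lowered in FALSE:
        return "no"
    return lowered


def effective_settings(text):
    """Explicit values over page defaults, plus the implications the page states."""
    eff = dict(DEFAULTS)
    for key, value in parse_network_section(text).items():
        if key in DEFAULTS and value:
            eff[key] = normalize(value)
    if eff["EmitLLDP"] == "yes":            # true is equivalent to nearest-bridge
        eff["EmitLLDP"] = "nearest-bridge"
    if eff["IPMasquerade"] == "yes":        # IPMasquerade implies IPForward=ipv4
        eff["IPForward"] = "ipv4" if eff["IPForward"] in ("no", "ipv4") else "yes"
    return eff


def audit(text):
    """Return (key, effective value, note) for each setting worth a second look."""
    eff = effective_settings(text)
    findings = []
    for key in ("LLMNR", "MulticastDNS"):
        if eff[key] == "yes":
            findings.append((key, "yes", "host registration and announcement on the link"))
    if eff["EmitLLDP"] != "no":
        findings.append(("EmitLLDP", eff["EmitLLDP"], "host name and machine ID sent to the link"))
    if eff["IPForward"] != "no":
        findings.append(("IPForward", eff["IPForward"], "global sysctl, never turned off again"))
    if eff["DNSSEC"] != "yes":
        findings.append(("DNSSEC", eff["DNSSEC"], "validation off or downgradable"))
    return findings


if __name__ == "__main__":
    for key, value, note in audit(SAMPLE):
        print(f"{key}={value}: {note}")
```

On the constructed sample, two of the four findings come from keys the file never mentions (LLMNR and DNSSEC defaults) and one from an implication (IPMasquerade turning on IPv4 forwarding), which is why the audit works on effective values rather than on the literal file text.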

An "[Address]" section accepts the following keys. Specify several
"[Address]" sections to configure several addresses.

Address=
As in the "[Network]" section. This key is mandatory.

Peer=
The peer address in a point-to-point connection. Accepts the same
format as the "Address" key.

Broadcast=
The broadcast address, which must be in the format described in
inet_pton(3). This key only applies to IPv4 addresses. If it is not
given, it is derived from the "Address" key.

Label=
An address label.

PreferredLifetime=
Allows the default "preferred lifetime" of the address to be
overridden. Only three settings are accepted: "forever" or
"infinity" which is the default and means that the address never
expires, and "0" which means that the address is considered
immediately "expired" and will not be used, unless explicitly
requested. A setting of PreferredLifetime=0 is useful for addresses
which are added to be used only by a specific application, which is
then configured to use them explicitly.

Scope=
The scope of the address, which can be "global", "link" or "host"
or an unsigned integer in the range 0 to 255. Defaults to "global".

HomeAddress=
Takes a boolean. Designates this address the "home address" as
defined in RFC 6275[9]. Supported only on IPv6. Defaults to false.

DuplicateAddressDetection=
Takes a boolean. Do not perform Duplicate Address Detection RFC
4862[10] when adding this address. Supported only on IPv6. Defaults
to false.

ManageTemporaryAddress=
Takes a boolean. If true the kernel manages temporary addresses
created from this one as template on behalf of Privacy Extensions
RFC 3041[11]. For this to become active, the use_tempaddr sysctl
setting has to be set to a value greater than zero. The given
address needs to have a prefix length of 64. This flag allows the
use of privacy extensions in a manually configured network, just as
if stateless auto-configuration was active. Defaults to false.

PrefixRoute=
Takes a boolean. When adding or modifying an IPv6 address, the
userspace application needs a way to suppress adding a prefix
route. This is for example relevant together with
IFA_F_MANAGETEMPADDR, where userspace creates autoconf generated
addresses, but depending on on-link, no route for the prefix should
be added. Defaults to false.

AutoJoin=
Takes a boolean. Joining multicast group on ethernet level via ip
maddr command would not work if we have an Ethernet switch that
does IGMP snooping since the switch would not replicate multicast
packets on ports that did not have IGMP reports for the multicast
addresses. Linux vxlan interfaces created via ip link add vxlan or
networkd's netdev kind vxlan have the group option that enables
them to do the required join. By extending ip address command with
option "autojoin" we can get similar functionality for openvswitch
(OVS) vxlan interfaces as well as other tunneling mechanisms that
need to receive multicast traffic. Defaults to "no".

A "[Neighbor]" section accepts the following keys. The neighbor section
adds a permanent, static entry to the neighbor table (IPv6) or ARP
table (IPv4) for the given hardware address on the links matched for
the network. Specify several "[Neighbor]" sections to configure several
static neighbors.

Address=
The IP address of the neighbor.

MACAddress=
The hardware address of the neighbor.

An "[IPv6AddressLabel]" section accepts the following keys. Specify
several "[IPv6AddressLabel]" sections to configure several address
labels. IPv6 address labels are used for address selection. See RFC
3484[12]. Precedence is managed by userspace, and only the label itself
is stored in the kernel.

Label=
The label for the prefix, an unsigned integer in the range 0 to
4294967294. 0xffffffff is reserved. This key is mandatory.

Prefix=
IPv6 prefix is an address with a prefix length, separated by a
slash "/" character. This key is mandatory.

662 An "[RoutingPolicyRule]" section accepts the following keys. Specify
663 several "[RoutingPolicyRule]" sections to configure several rules.
664
665 TypeOfService=
666 Specifies the type of service to match a number between 0 to 255.
667
668 From=
669 Specifies the source address prefix to match. Possibly followed by
670 a slash and the prefix length.
671
672 To=
673 Specifies the destination address prefix to match. Possibly
674 followed by a slash and the prefix length.
675
676 FirewallMark=
677 Specifies the iptables firewall mark value to match (a number
678 between 1 and 4294967295).
679
680 Table=
681 Specifies the routing table identifier to lookup if the rule
682 selector matches. The table identifier for a route (a number
683 between 1 and 4294967295).
684
685 Priority=
686 Specifies the priority of this rule. Priority= is an unsigned
687 integer. Higher number means lower priority, and rules get
688 processed in order of increasing number.
689
690 IncomingInterface=
691 Specifies incoming device to match. If the interface is loopback,
692 the rule only matches packets originating from this host.
693
694 OutgoingInterface=
695 Specifies the outgoing device to match. The outgoing interface is
696 only available for packets originating from local sockets that are
697 bound to a device.
698
699 SourcePort=
700 Specifies the source IP port or IP port range match in forwarding
701 information base (FIB) rules. A port range is specified by the
702 lower and upper port separated by a dash. Defaults to unset.
703
704 DestinationPort=
705 Specifies the destination IP port or IP port range match in
706 forwarding information base (FIB) rules. A port range is specified
707 by the lower and upper port separated by a dash. Defaults to unset.
708
709 IPProtocol=
710 Specifies the IP protocol to match in forwarding information base
711 (FIB) rules. Takes IP protocol name such as "tcp", "udp" or "sctp",
712 or IP protocol number such as "6" for "tcp" or "17" for "udp".
713 Defaults to unset.
714
715 InvertRule=
716 A boolean. Specifies whether the rule is to be inverted. Defaults to
717 false.
718
720 The "[Route]" section accepts the following keys. Specify several
721 "[Route]" sections to configure several routes.
722
723 Gateway=
724 As in the "[Network]" section.
725
726 GatewayOnlink=
727 Takes a boolean. If set to true, the kernel does not have to check
728 if the gateway is reachable directly by the current machine (i.e.,
729 the kernel does not need to check if the gateway is attached to the
730 local network), so that we can insert the route in the kernel table
731 without it being complained about. Defaults to "no".
732
733 Destination=
734 The destination prefix of the route. Possibly followed by a slash
735 and the prefix length. If omitted, a full-length host route is
736 assumed.
737
738 Source=
739 The source prefix of the route. Possibly followed by a slash and
740 the prefix length. If omitted, a full-length host route is assumed.
741
742 Metric=
743 The metric of the route (an unsigned integer).
744
745 IPv6Preference=
746 Specifies the route preference as defined in RFC 4191[13] for Router
747 Discovery messages. One of "low" (the route has the lowest
748 priority), "medium" (the route has the default priority) or
749 "high" (the route has the highest priority).
750
751 Scope=
752 The scope of the route, which can be "global", "link" or "host".
753 Defaults to "global".
754
755 PreferredSource=
756 The preferred source address of the route. The address must be in
757 the format described in inet_pton(3).
758
759 Table=num
760 The table identifier for the route (a number between 1 and
761 4294967295, or 0 to unset). The table can be retrieved using ip
762 route show table num.
763
764 Protocol=
765 The protocol identifier for the route. Takes a number between 0 and
766 255 or the special values "kernel", "boot" and "static". Defaults
767 to "static".
768
769 Type=
770 Specifies the type for the route. If "unicast", a regular route is
771 defined, i.e. a route indicating the path to take to a destination
772 network address. If "blackhole", packets to the defined route are
773 discarded silently. If "unreachable", packets to the defined route
774 are discarded and the ICMP message "Host Unreachable" is generated.
775 If "prohibit", packets to the defined route are discarded and the
776 ICMP message "Communication Administratively Prohibited" is
777 generated. If "throw", route lookup in the current routing table
778 will fail and the route selection process will return to Routing
779 Policy Database (RPDB). Defaults to "unicast".
780
781 InitialCongestionWindow=
782 The TCP initial congestion window is used during the start of a TCP
783 connection. During the start of a TCP session, when a client
784 requests a resource, the server's initial congestion window
785 determines how many data bytes will be sent during the initial
786 burst of data. Takes a size in bytes between 1 and 4294967295 (2^32
787 - 1). The usual suffixes K, M, G are supported and are understood
788 to the base of 1024. When unset, the kernel's default will be used.
789
790 InitialAdvertisedReceiveWindow=
791 The TCP initial advertised receive window is the amount of receive
792 data (in bytes) that can initially be buffered at one time on a
793 connection. The sending host can send only that amount of data
794 before waiting for an acknowledgment and window update from the
795 receiving host. Takes a size in bytes between 1 and 4294967295
796 (2^32 - 1). The usual suffixes K, M, G are supported and are
797 understood to the base of 1024. When unset, the kernel's default
798 will be used.
799
800 QuickAck=
801 Takes a boolean. When true enables TCP quick ack mode for the
802 route. When unset, the kernel's default will be used.
803
804 MTUBytes=
805 The maximum transmission unit in bytes to set for the route. The
806 usual suffixes K, M, G, are supported and are understood to the
807 base of 1024.
808
809 Note that if IPv6 is enabled on the interface, and the MTU is
810 chosen below 1280 (the minimum MTU for IPv6) it will automatically
811 be increased to this value.
812
814 The "[DHCP]" section configures the DHCPv4 and DHCPv6 client, if it is
815 enabled with the DHCP= setting described above:
816
817 UseDNS=
818 When true (the default), the DNS servers received from the DHCP
819 server will be used and take precedence over any statically
820 configured ones.
821
822 This corresponds to the nameserver option in resolv.conf(5).
823
824 UseNTP=
825 When true (the default), the NTP servers received from the DHCP
826 server will be used by systemd-timesyncd and take precedence over
827 any statically configured ones.
828
829 UseMTU=
830 When true, the interface maximum transmission unit from the DHCP
831 server will be used on the current link. If MTUBytes= is set, then
832 this setting is ignored. Defaults to false.
833
834 Anonymize=
835 Takes a boolean. When true, the options sent to the DHCP server
836 will follow the RFC 7844[14] (Anonymity Profiles for DHCP Clients)
837 to minimize disclosure of identifying information. Defaults to
838 false.
839
840 This option should only be set to true when MACAddressPolicy= is
841 set to "random" (see systemd.link(5)).
842
843 Note that this configuration will overwrite others. Specifically,
844 the following variables will be ignored: SendHostname=,
845 ClientIdentifier=, UseRoutes=, UseMTU=,
846 VendorClassIdentifier=, UseTimezone=.
847
848 With this option enabled DHCP requests will mimic those generated
849 by Microsoft Windows, in order to reduce the ability to fingerprint
850 and recognize installations. This means DHCP request sizes will
851 grow and lease data will be more comprehensive than normal,
852 though most of the requested data is not actually used.
853
854 SendHostname=
855 When true (the default), the machine's hostname will be sent to the
856 DHCP server. Note that the machine's hostname must consist only of
857 7-bit ASCII lower-case characters and no spaces or dots, and be
858 formatted as a valid DNS domain name. Otherwise, the hostname is
859 not sent even if this is set to true.
860
861 UseHostname=
862 When true (the default), the hostname received from the DHCP server
863 will be set as the transient hostname of the system.
864
865 Hostname=
866 Use this value for the hostname which is sent to the DHCP server,
867 instead of machine's hostname. Note that the specified hostname
868 must consist only of 7-bit ASCII lower-case characters and no
869 spaces or dots, and be formatted as a valid DNS domain name.
870
871 UseDomains=
872 Takes a boolean, or the special value "route". When true, the
873 domain name received from the DHCP server will be used as DNS
874 search domain over this link, similar to the effect of the Domains=
875 setting. If set to "route", the domain name received from the DHCP
876 server will be used for routing DNS queries only, but not for
877 searching, similar to the effect of the Domains= setting when the
878 argument is prefixed with "~". Defaults to false.
879
880 It is recommended to enable this option only on trusted networks,
881 as setting this affects resolution of all host names, in particular
882 of single-label names. It is generally safer to use the supplied
883 domain only as routing domain, rather than as search domain, in
884 order to not have it affect local resolution of single-label names.
885
886 When set to true, this setting corresponds to the domain option in
887 resolv.conf(5).
888
889 UseRoutes=
890 When true (the default), the static routes will be requested from
891 the DHCP server and added to the routing table with a metric of
892 1024, and a scope of "global", "link" or "host", depending on the
893 route's destination and gateway. If the destination is on the local
894 host, e.g., 127.x.x.x, or the same as the link's own address, the
895 scope will be set to "host". Otherwise if the gateway is null (a
896 direct route), a "link" scope will be used. For anything else,
897 scope defaults to "global".
898
899 UseTimezone=
900 When true, the timezone received from the DHCP server will be set
901 as timezone of the local system. Defaults to "no".
902
903 CriticalConnection=
904 When true, the connection will never be torn down even if the DHCP
905 lease expires. This is contrary to the DHCP specification, but may
906 be the best choice if, say, the root filesystem relies on this
907 connection. Defaults to false.
908
909 ClientIdentifier=
910 The DHCPv4 client identifier to use. Takes one of "mac", "duid" or
911 "duid-only". If set to "mac", the MAC address of the link is used.
912 If set to "duid", an RFC4361-compliant Client ID, which is the
913 combination of IAID and DUID (see below), is used. If set to
914 "duid-only", only DUID is used; this may not be RFC compliant, but
915 some setups may require it. Defaults to "duid".
916
917 VendorClassIdentifier=
918 The vendor class identifier used to identify vendor type and
919 configuration.
920
921 UserClass=
922 A DHCPv4 client can use UserClass option to identify the type or
923 category of user or applications it represents. The information
924 contained in this option is a string that represents the user class
925 of which the client is a member. Each class sets an identifying
926 string of information to be used by the DHCP service to classify
927 clients. Takes a whitespace-separated list of strings.
928
929 DUIDType=
930 Override the global DUIDType setting for this network. See
931 networkd.conf(5) for a description of possible values.
932
933 DUIDRawData=
934 Override the global DUIDRawData setting for this network. See
935 networkd.conf(5) for a description of possible values.
936
937 IAID=
938 The DHCP Identity Association Identifier (IAID) for the interface,
939 a 32-bit unsigned integer.
940
941 RequestBroadcast=
942 Request the server to use broadcast messages before the IP address
943 has been configured. This is necessary for devices that cannot
944 receive RAW packets, or that cannot receive packets at all before
945 an IP address has been configured. On the other hand, this must not
946 be enabled on networks where broadcasts are filtered out.
947
948 RouteMetric=
949 Set the routing metric for routes specified by the DHCP server.
950
951 RouteTable=num
952 The table identifier for DHCP routes (a number between 1 and
953 4294967295, or 0 to unset). The table can be retrieved using ip
954 route show table num.
955
956 When used in combination with VRF= the VRF's routing table is used
957 unless this parameter is specified.
958
959 ListenPort=
960 Allows setting a custom port for the DHCP client to listen on.
961
962 RapidCommit=
963 Takes a boolean. The DHCPv6 client can obtain configuration
964 parameters from a DHCPv6 server through a rapid two-message
965 exchange (solicit and reply). When the rapid commit option is
966 enabled by both the DHCPv6 client and the DHCPv6 server, the
967 two-message exchange is used, rather than the default four-message
968 exchange (solicit, advertise, request, and reply). The two-message
969 exchange provides faster client configuration and is beneficial in
970 environments in which networks are under a heavy load. See RFC
971 3315[15] for details. Defaults to true.
972
973 ForceDHCPv6PDOtherInformation=
974 Takes a boolean that enforces DHCPv6 stateful mode when the 'Other
975 information' bit is set in Router Advertisement messages. By
976 default setting only the 'O' bit in Router Advertisements makes
977 DHCPv6 request network information in a stateless manner using a
978 two-message Information Request and Information Reply message
979 exchange. RFC 7084[16], requirement WPD-4, updates this behavior
980 for a Customer Edge router so that stateful DHCPv6 Prefix
981 Delegation is also requested when only the 'O' bit is set in Router
982 Advertisements. This option enables such a CE behavior as it is
983 impossible to automatically distinguish the intention of the 'O'
984 bit otherwise. By default this option is set to 'false'; enable it
985 if no prefixes are delegated when the device should be acting as a
986 CE router.
987
989 The "[IPv6AcceptRA]" section configures the IPv6 Router Advertisement
990 (RA) client, if it is enabled with the IPv6AcceptRA= setting described
991 above:
992
993 UseDNS=
994 When true (the default), the DNS servers received in the Router
995 Advertisement will be used and take precedence over any statically
996 configured ones.
997
998 This corresponds to the nameserver option in resolv.conf(5).
999
1000 UseDomains=
1001 Takes a boolean, or the special value "route". When true, the
1002 domain name received via IPv6 Router Advertisement (RA) will be
1003 used as DNS search domain over this link, similar to the effect of
1004 the Domains= setting. If set to "route", the domain name received
1005 via IPv6 RA will be used for routing DNS queries only, but not for
1006 searching, similar to the effect of the Domains= setting when the
1007 argument is prefixed with "~". Defaults to false.
1008
1009 It is recommended to enable this option only on trusted networks,
1010 as setting this affects resolution of all host names, in particular
1011 of single-label names. It is generally safer to use the supplied
1012 domain only as routing domain, rather than as search domain, in
1013 order to not have it affect local resolution of single-label names.
1014
1015 When set to true, this setting corresponds to the domain option in
1016 resolv.conf(5).
1017
1018 RouteTable=num
1019 The table identifier for the routes received in the Router
1020 Advertisement (a number between 1 and 4294967295, or 0 to unset).
1021 The table can be retrieved using ip route show table num.
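
Added example (not part of the systemd documentation): a Python sketch that audits one .network file for the lease-trust settings described in the "[DHCP]" and "[IPv6AcceptRA]" sections above, namely UseDomains=, UseDNS=, UseHostname= and the keys that Anonymize= overrides. The function names, the two sample files and the finding texts are assumptions made for illustration; drop-in directories are not read.

```python
"""Audit which network-supplied settings a .network file accepts (added example)."""

# Boolean spellings accepted in systemd configuration files.
TRUE = {"1", "yes", "y", "true", "t", "on"}
FALSE = {"0", "no", "n", "false", "f", "off"}

# Keys the Anonymize= description lists as ignored once it is enabled.
IGNORED_BY_ANONYMIZE = ("SendHostname", "ClientIdentifier", "UseRoutes",
                        "UseMTU", "VendorClassIdentifier", "UseTimezone")

# Constructed sample: a DHCP client file that trusts everything the lease offers.
SAMPLE = """\
[Match]
Name=en*

[Network]
DHCP=yes
DNS=192.168.0.1

[DHCP]
UseDomains=yes
Anonymize=true
SendHostname=no
VendorClassIdentifier=lab

[IPv6AcceptRA]
UseDomains=route
"""

# Constructed sample: the same link with the lease-supplied settings restricted.
HARDENED = """\
[Match]
Name=en*

[Network]
DHCP=yes
DNS=192.168.0.1

[DHCP]
UseDomains=route
UseDNS=no
UseHostname=no

[IPv6AcceptRA]
UseDomains=no
"""


def parse_network_file(text):
    """Return {section: {key: [values]}}; repeated sections are merged."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.setdefault(key.strip(), []).append(value.strip())
    return sections


def flag(section, key, default):
    """Boolean value of the last assignment of key; default if unset or not a boolean."""
    values = section.get(key)
    value = values[-1].lower() if values else ""
    if value in TRUE:
        return True
    if value in FALSE:
        return False
    return default


def audit(text):
    """Return a list of (section, key, message) findings for one file."""
    cfg = parse_network_file(text)
    network, dhcp = cfg.get("Network", {}), cfg.get("DHCP", {})
    findings = []

    # DHCP= in [Network] switches the client on (the page's examples use yes and ipv6).
    mode = (network.get("DHCP") or ["no"])[-1].lower()
    dhcp_on = mode in TRUE or mode in ("ipv4", "ipv6")

    # UseDomains=yes makes a network-supplied domain a search domain; "route" does not.
    for name in ("DHCP", "IPv6AcceptRA"):
        if flag(cfg.get(name, {}), "UseDomains", False):
            findings.append((name, "UseDomains",
                             'domain from the network becomes a search domain; consider "route"'))

    if dhcp_on:
        # UseDNS= defaults to true, and lease-supplied servers outrank static DNS=.
        if any(network.get("DNS", [])) and flag(dhcp, "UseDNS", True):
            findings.append(("DHCP", "UseDNS",
                             "DHCP-supplied DNS servers take precedence over static DNS="))
        # UseHostname= defaults to true as well.
        if flag(dhcp, "UseHostname", True):
            findings.append(("DHCP", "UseHostname",
                             "the DHCP server sets the transient hostname"))

    if flag(dhcp, "Anonymize", False):
        for key in IGNORED_BY_ANONYMIZE:
            if key in dhcp:
                findings.append(("DHCP", key, "ignored while Anonymize= is true"))
    return findings


if __name__ == "__main__":
    for section, key, message in audit(SAMPLE):
        print(f"[{section}] {key}=: {message}")
```
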
1022
1024 The "[DHCPServer]" section contains settings for the DHCP server, if
1025 enabled via the DHCPServer= option described above:
1026
1027 PoolOffset=, PoolSize=
1028 Configures the pool of addresses to hand out. The pool is a
1029 contiguous sequence of IP addresses in the subnet configured for
1030 the server address, which does not include the subnet nor the
1031 broadcast address. PoolOffset= takes the offset of the pool from
1032 the start of subnet, or zero to use the default value. PoolSize=
1033 takes the number of IP addresses in the pool or zero to use the
1034 default value. By default, the pool starts at the first address
1035 after the subnet address and takes up the rest of the subnet,
1036 excluding the broadcast address. If the pool includes the server
1037 address (the default), this is reserved and not handed out to
1038 clients.
1039
1040 DefaultLeaseTimeSec=, MaxLeaseTimeSec=
1041 Control the default and maximum DHCP lease time to pass to clients.
1042 These settings take time values in seconds or another common time
1043 unit, depending on the suffix. The default lease time is used for
1044 clients that did not ask for a specific lease time. If a client
1045 asks for a lease time longer than the maximum lease time, it is
1046 automatically shortened to the specified time. The default lease
1047 time defaults to 1h, the maximum lease time to 12h. Shorter lease
1048 times are beneficial if the configuration data in DHCP leases
1049 changes frequently and clients shall learn the new settings with
1050 shorter latencies. Longer lease times reduce the generated DHCP
1051 network traffic.
1052
1053 EmitDNS=, DNS=
1054 Takes a boolean. Configures whether the DHCP leases handed out to
1055 clients shall contain DNS server information. Defaults to "yes".
1056 The DNS servers to pass to clients may be configured with the DNS=
1057 option, which takes a list of IPv4 addresses. If the EmitDNS=
1058 option is enabled but no servers configured, the servers are
1059 automatically propagated from an "uplink" interface that has
1060 appropriate servers set. The "uplink" interface is determined by
1061 the default route of the system with the highest priority. Note
1062 that this information is acquired at the time the lease is handed
1063 out, and does not take uplink interfaces into account that acquire
1064 DNS or NTP server information at a later point. DNS server
1065 propagation does not take /etc/resolv.conf into account. Also, note
1066 that the leases are not refreshed if the uplink network
1067 configuration changes. To ensure clients regularly acquire the most
1068 current uplink DNS server information, it is thus advisable to
1069 shorten the DHCP lease time via MaxLeaseTimeSec= described above.
1070
1071 EmitNTP=, NTP=
1072 Similar to the EmitDNS= and DNS= settings described above, these
1073 settings configure whether and what NTP server information shall be
1074 emitted as part of the DHCP lease. The same syntax, propagation
1075 semantics and defaults apply as for EmitDNS= and DNS=.
1076
1077 EmitRouter=
1078 Similar to the EmitDNS= setting described above, this setting
1079 configures whether the DHCP lease should contain the router option.
1080 The same syntax, propagation semantics and defaults apply as for
1081 EmitDNS=.
1082
1083 EmitTimezone=, Timezone=
1084 Takes a boolean. Configures whether the DHCP leases handed out to
1085 clients shall contain timezone information. Defaults to "yes". The
1086 Timezone= setting takes a timezone string (such as "Europe/Berlin"
1087 or "UTC") to pass to clients. If no explicit timezone is set, the
1088 system timezone of the local host is propagated, as determined by
1089 the /etc/localtime symlink.
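
Added example (not taken from the systemd sources): the pool arithmetic described under PoolOffset= and PoolSize=, as a Python sketch that also lists statically assigned hosts that fall inside the dynamic pool. The function names and sample addresses are assumptions, and raising an error for a pool that would reach the broadcast address is this example's choice.

```python
"""Work out the DHCP server pool from Address=, PoolOffset= and PoolSize= (added example)."""
import ipaddress


def dhcp_pool(server_address, pool_offset=0, pool_size=0):
    """Return (first, last, reserved) for the pool of a serving link.

    server_address is the link's Address=, e.g. "192.168.0.15/24".
    reserved is the server's own address when it lies inside the pool
    (it is then not handed out to clients), otherwise None.
    """
    iface = ipaddress.IPv4Interface(server_address)
    subnet = int(iface.network.network_address)
    broadcast = int(iface.network.broadcast_address)
    server = int(iface.ip)
    if server in (subnet, broadcast):
        raise ValueError("server address must be a host address of the subnet")

    # Zero selects the default: the first address after the subnet address.
    offset = pool_offset or 1
    # Addresses available from the offset up to, but excluding, the broadcast address.
    max_size = broadcast - subnet - offset
    if max_size < 1:
        raise ValueError("PoolOffset= leaves no address before the broadcast address")
    # Zero selects the default: the rest of the subnet.
    size = pool_size or max_size
    if size > max_size:
        raise ValueError("pool would include the broadcast address")

    first = subnet + offset
    last = first + size - 1
    reserved = iface.ip if first <= server <= last else None
    return ipaddress.IPv4Address(first), ipaddress.IPv4Address(last), reserved


def pool_conflicts(server_address, pool_offset, pool_size, static_hosts):
    """Return the statically assigned hosts whose address lies inside the pool."""
    first, last, _ = dhcp_pool(server_address, pool_offset, pool_size)
    return [h for h in static_hosts if first <= ipaddress.IPv4Address(h) <= last]


if __name__ == "__main__":
    # Constructed sample: the static address from Example 1 used as server address.
    print(dhcp_pool("192.168.0.15/24"))
    print(dhcp_pool("192.168.0.15/24", pool_offset=100, pool_size=20))
    print(pool_conflicts("192.168.0.15/24", 100, 20, ["192.168.0.1", "192.168.0.110"]))
```
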
1090
1092 The "[IPv6PrefixDelegation]" section contains settings for sending IPv6
1093 Router Advertisements and whether to act as a router, if enabled via
1094 the IPv6PrefixDelegation= option described above. IPv6 network prefixes
1095 are defined with one or more "[IPv6Prefix]" sections.
1096
1097 Managed=, OtherInformation=
1098 Takes a boolean. Controls whether a DHCPv6 server is used to
1099 acquire IPv6 addresses on the network link when Managed= is set to
1100 "true" or if only additional network information can be obtained
1101 via DHCPv6 for the network link when OtherInformation= is set to
1102 "true". Both settings default to "false", which means that a DHCPv6
1103 server is not being used.
1104
1105 RouterLifetimeSec=
1106 Takes a timespan. Configures the IPv6 router lifetime in seconds.
1107 If set, this host also announces itself in Router Advertisements as
1108 an IPv6 router for the network link. When unset, the host is not
1109 acting as a router.
1110
1111 RouterPreference=
1112 Configures IPv6 router preference if RouterLifetimeSec= is
1113 non-zero. Valid values are "high", "medium" and "low", with
1114 "normal" and "default" added as synonyms for "medium" just to make
1115 configuration easier. See RFC 4191[13] for details. Defaults to
1116 "medium".
1117
1118 EmitDNS=, DNS=
1119 DNS= specifies a list of recursive DNS server IPv6 addresses that
1120 are distributed via Router Advertisement messages when EmitDNS= is
1121 true. If DNS= is empty, DNS servers are read from the "[Network]"
1122 section. If the "[Network]" section does not contain any DNS
1123 servers either, DNS servers from the uplink with the highest
1124 priority default route are used. When EmitDNS= is false, no DNS
1125 server information is sent in Router Advertisement messages.
1126 EmitDNS= defaults to true.
1127
1128 EmitDomains=, Domains=
1129 A list of DNS search domains distributed via Router Advertisement
1130 messages when EmitDomains= is true. If Domains= is empty, DNS
1131 search domains are read from the "[Network]" section. If the
1132 "[Network]" section does not contain any DNS search domains either,
1133 DNS search domains from the uplink with the highest priority
1134 default route are used. When EmitDomains= is false, no DNS search
1135 domain information is sent in Router Advertisement messages.
1136 EmitDomains= defaults to true.
1137
1138 DNSLifetimeSec=
1139 Lifetime in seconds for the DNS server addresses listed in DNS= and
1140 search domains listed in Domains=.
1141
1143 One or more "[IPv6Prefix]" sections contain the IPv6 prefixes that are
1144 announced via Router Advertisements. See RFC 4861[17] for further
1145 details.
1146
1147 AddressAutoconfiguration=, OnLink=
1148 Takes a boolean to specify whether IPv6 addresses can be
1149 autoconfigured with this prefix and whether the prefix can be used
1150 for onlink determination. Both settings default to "true" in order
1151 to ease configuration.
1152
1153 Prefix=
1154 The IPv6 prefix that is to be distributed to hosts. Similarly to
1155 configuring static IPv6 addresses, the setting is configured as an
1156 IPv6 prefix and its prefix length, separated by a "/" character.
1157 Use multiple "[IPv6Prefix]" sections to configure multiple IPv6
1158 prefixes since prefix lifetimes, address autoconfiguration and
1159 onlink status may differ from one prefix to another.
1160
1161 PreferredLifetimeSec=, ValidLifetimeSec=
1162 Preferred and valid lifetimes for the prefix measured in seconds.
1163 PreferredLifetimeSec= defaults to 604800 seconds (one week) and
1164 ValidLifetimeSec= defaults to 2592000 seconds (30 days).
1165
1167 The "[Bridge]" section accepts the following keys.
1168
1169 UnicastFlood=
1170 Takes a boolean. Controls whether the bridge should flood traffic
1171 for which an FDB entry is missing and the destination is unknown
1172 through this port. When unset, the kernel's default will be used.
1173
1174 MulticastToUnicast=
1175 Takes a boolean. Multicast to unicast works on top of the multicast
1176 snooping feature of the bridge, which means unicast copies are only
1177 delivered to hosts which are interested in it. When unset, the
1178 kernel's default will be used.
1179
1180 HairPin=
1181 Takes a boolean. Configures whether traffic may be sent back out of
1182 the port on which it was received. When this flag is false, the
1183 bridge will not forward traffic back out of the receiving port.
1184 When unset, the kernel's default will be used.
1185
1186 UseBPDU=
1187 Takes a boolean. Configures whether STP Bridge Protocol Data Units
1188 will be processed by the bridge port. When unset, the kernel's
1189 default will be used.
1190
1191 FastLeave=
1192 Takes a boolean. This flag allows the bridge to immediately stop
1193 multicast traffic on a port that receives an IGMP Leave message. It
1194 is only used with IGMP snooping if enabled on the bridge. When
1195 unset, the kernel's default will be used.
1196
1197 AllowPortToBeRoot=
1198 Takes a boolean. Configures whether a given port is allowed to
1199 become a root port. Only used when STP is enabled on the bridge.
1200 When unset, the kernel's default will be used.
1201
1202 Cost=
1203 Sets the "cost" of sending packets on this interface. Each port in
1204 a bridge may have a different speed and the cost is used to decide
1205 which link to use. Faster interfaces should have lower costs. It is
1206 an integer value between 1 and 65535.
1207
1208 Priority=
1209 Sets the "priority" of sending packets on this interface. Each port
1210 in a bridge may have a different priority which is used to decide
1211 which link to use. Lower value means higher priority. It is an
1212 integer value between 0 and 63. Networkd does not set any default,
1213 meaning the kernel default value of 32 is used.
1214
1216 The "[BridgeFDB]" section manages the forwarding database table of a
1217 port and accepts the following keys. Specify several "[BridgeFDB]"
1218 sections to configure several static MAC table entries.
1219
1220 MACAddress=
1221 As in the "[Network]" section. This key is mandatory.
1222
1223 VLANId=
1224 The VLAN ID for the new static MAC table entry. If omitted, no VLAN
1225 ID information is appended to the new static MAC table entry.
1226
1228 The "[CAN]" section manages the Controller Area Network (CAN bus) and
1229 accepts the following keys.
1230
1231 BitRate=
1232 The bitrate of CAN device in bits per second. The usual SI prefixes
1233 (K, M) with the base of 1000 can be used here.
1234
1235 SamplePoint=
1236 Optional sample point in percent with one decimal (e.g. "75%",
1237 "87.5%") or permille (e.g. "875‰").
1238
1239 RestartSec=
1240 Automatic restart delay time. If set to a non-zero value, a restart
1241 of the CAN controller will be triggered automatically in case of a
1242 bus-off condition after the specified delay time. Subsecond delays
1243 can be specified using decimals (e.g. "0.1s") or a "ms" or "us"
1244 postfix. Using "infinity" or "0" will turn the automatic restart
1245 off. By default automatic restart is disabled.
1246
1248 The "[BridgeVLAN]" section manages the VLAN ID configuration of a
1249 bridge port and accepts the following keys. Specify several
1250 "[BridgeVLAN]" sections to configure several VLAN entries. The
1251 VLANFiltering= option has to be enabled, see "[Bridge]" section in
1252 systemd.netdev(5).
1253
1254 VLAN=
1255 The VLAN ID allowed on the port. This can be either a single ID or
1256 a range M-N. VLAN IDs are valid from 1 to 4094.
1257
1258 EgressUntagged=
1259 The VLAN ID specified here will be used to untag frames on egress.
1260 Configuring EgressUntagged= implicates the use of VLAN= above and
1261 will enable the VLAN ID for ingress as well. This can be either a
1262 single ID or a range M-N.
1263
1264 PVID=
1265 The Port VLAN ID specified here is assigned to all untagged frames
1266 at ingress. PVID= can be used only once. Configuring PVID=
1267 implicates the use of VLAN= above and will enable the VLAN ID for
1268 ingress as well.
1269
1271 Example 1. Static network configuration
1272
1273 # /etc/systemd/network/50-static.network
1274 [Match]
1275 Name=enp2s0
1276
1277 [Network]
1278 Address=192.168.0.15/24
1279 Gateway=192.168.0.1
1280
1281 This brings interface "enp2s0" up with a static address. The specified
1282 gateway will be used for a default route.
1283
1284 Example 2. DHCP on ethernet links
1285
1286 # /etc/systemd/network/80-dhcp.network
1287 [Match]
1288 Name=en*
1289
1290 [Network]
1291 DHCP=yes
1292
1293 This will enable DHCPv4 and DHCPv6 on all interfaces with names
1294 starting with "en" (i.e. ethernet interfaces).
1295
1296 Example 3. A bridge with two enslaved links
1297
1298 # /etc/systemd/network/25-bridge-static.network
1299 [Match]
1300 Name=bridge0
1301
1302 [Network]
1303 Address=192.168.0.15/24
1304 Gateway=192.168.0.1
1305 DNS=192.168.0.1
1306
1307 # /etc/systemd/network/25-bridge-slave-interface-1.network
1308 [Match]
1309 Name=enp2s0
1310
1311 [Network]
1312 Bridge=bridge0
1313
1314 # /etc/systemd/network/25-bridge-slave-interface-2.network
1315 [Match]
1316 Name=wlp3s0
1317
1318 [Network]
1319 Bridge=bridge0
1320
1321 This creates a bridge and attaches devices "enp2s0" and "wlp3s0" to it.
1322 The bridge will have the specified static address and network assigned,
1323 and a default route via the specified gateway will be added. The
1324 specified DNS server will be added to the global list of DNS resolvers.
1325
1326 Example 4.
1327
1328 # /etc/systemd/network/20-bridge-slave-interface-vlan.network
1329 [Match]
1330 Name=enp2s0
1331
1332 [Network]
1333 Bridge=bridge0
1334
1335 [BridgeVLAN]
1336 VLAN=1-32
1337 PVID=42
1338 EgressUntagged=42
1339
1340 [BridgeVLAN]
1341 VLAN=100-200
1342
1343 [BridgeVLAN]
1344 EgressUntagged=300-400
1345
1346 This overrides the configuration specified in the previous example for
1347 the interface "enp2s0", and enables VLAN on that bridge port. VLAN IDs
1348 1-32, 42, 100-400 will be allowed. Packets tagged with VLAN IDs 42,
1349 300-400 will be untagged when they leave on this interface. Untagged
1350 packets which arrive on this interface will be assigned VLAN ID 42.
1351
1352 Example 5. Various tunnels
1353
1354 # /etc/systemd/network/25-tunnels.network
1355 [Match]
1356 Name=ens1
1357
1358 [Network]
1359 Tunnel=ipip-tun
1360 Tunnel=sit-tun
1361 Tunnel=gre-tun
1362 Tunnel=vti-tun
1363
1364
1365 # /etc/systemd/network/25-tunnel-ipip.netdev
1366 [NetDev]
1367 Name=ipip-tun
1368 Kind=ipip
1369
1370
1371 # /etc/systemd/network/25-tunnel-sit.netdev
1372 [NetDev]
1373 Name=sit-tun
1374 Kind=sit
1375
1376
1377 # /etc/systemd/network/25-tunnel-gre.netdev
1378 [NetDev]
1379 Name=gre-tun
1380 Kind=gre
1381
1382
1383 # /etc/systemd/network/25-tunnel-vti.netdev
1384 [NetDev]
1385 Name=vti-tun
1386 Kind=vti
1387
1388
1389 This will bring interface "ens1" up and create an IPIP tunnel, a SIT
1390 tunnel, a GRE tunnel, and a VTI tunnel using it.
1391
1392 Example 6. A bond device
1393
1394 # /etc/systemd/network/30-bond1.network
1395 [Match]
1396 Name=bond1
1397
1398 [Network]
1399 DHCP=ipv6
1400
1401 # /etc/systemd/network/30-bond1.netdev
1402 [NetDev]
1403 Name=bond1
1404 Kind=bond
1405
1406 # /etc/systemd/network/30-bond1-dev1.network
1407 [Match]
1408 MACAddress=52:54:00:e9:64:41
1409
1410 [Network]
1411 Bond=bond1
1412
1413 # /etc/systemd/network/30-bond1-dev2.network
1414 [Match]
1415 MACAddress=52:54:00:e9:64:42
1416
1417 [Network]
1418 Bond=bond1
1419
1420 This will create a bond device "bond1" and enslave the two devices with
1421 MAC addresses 52:54:00:e9:64:41 and 52:54:00:e9:64:42 to it. IPv6 DHCP
1422 will be used to acquire an address.
1423
1424 Example 7. Virtual Routing and Forwarding (VRF)
1425
1426 Add the "bond1" interface to the VRF master interface "vrf1". This will
1427 redirect routes generated on this interface to be within the routing
1428 table defined during VRF creation. For kernels before 4.8 traffic won't
1429 be redirected towards the VRF's routing table unless specific ip-rules
1430 are added.
1431
1432 # /etc/systemd/network/25-vrf.network
1433 [Match]
1434 Name=bond1
1435
1436 [Network]
1437 VRF=vrf1
1438
1439 Example 8. MacVTap
1440
1441 This brings up a network interface "macvtap-test" and attaches it to
1442 "enp0s25".
1443
1444 # /usr/lib/systemd/network/25-macvtap.network
1445 [Match]
1446 Name=enp0s25
1447
1448 [Network]
1449 MACVTAP=macvtap-test
1450
1452 systemd(1), systemd-networkd.service(8), systemd.link(5),
1453 systemd.netdev(5), systemd-resolved.service(8)
1454
1456 1. Link-Local Multicast Name Resolution
1457 https://tools.ietf.org/html/rfc4795
1458
1459 2. Multicast DNS
1460 https://tools.ietf.org/html/rfc6762
1461
1462 3. DNS-over-TLS
1463 https://tools.ietf.org/html/rfc7858
1464
1465 4. DNSSEC
1466 https://tools.ietf.org/html/rfc4033
1467
1468 5. IEEE 802.1AB-2016
1469 https://standards.ieee.org/findstds/standard/802.1AB-2016.html
1470
1471 6. ip-sysctl.txt
1472 https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
1473
1474 7. RFC 4941
1475 https://tools.ietf.org/html/rfc4941
1476
1477 8. RFC 1027
1478 https://tools.ietf.org/html/rfc1027
1479
1480 9. RFC 6275
1481 https://tools.ietf.org/html/rfc6275
1482
1483 10. RFC 4862
1484 https://tools.ietf.org/html/rfc4862
1485
1486 11. RFC 3041
1487 https://tools.ietf.org/html/rfc3041
1488
1489 12. RFC 3484
1490 https://tools.ietf.org/html/rfc3484
1491
1492 13. RFC 4191
1493 https://tools.ietf.org/html/rfc4191
1494
1495 14. RFC 7844
1496 https://tools.ietf.org/html/rfc7844
1497
1498 15. RFC 3315
1499 https://tools.ietf.org/html/rfc3315#section-17.2.1
1500
1501 16. RFC 7084
1502 https://tools.ietf.org/html/rfc7084
1503
1504 17. RFC 4861
1505 https://tools.ietf.org/html/rfc4861
1506
1507
1508
1509systemd 241 SYSTEMD.NETWORK(5)