SYSTEMD.NETDEV(5)            systemd.network            SYSTEMD.NETDEV(5)

systemd.netdev - Virtual Network Device configuration

netdev.netdev

Network setup is performed by systemd-networkd(8).

The main Virtual Network Device file must have the extension .netdev;
other extensions are ignored. Virtual network devices are created as
soon as networkd is started. If a netdev with the specified name
already exists, networkd will use that as-is rather than create its
own. Note that the settings of the pre-existing netdev will not be
changed by networkd.

The .netdev files are read from the files located in the system network
directory /usr/lib/systemd/network, the volatile runtime network
directory /run/systemd/network and the local administration network
directory /etc/systemd/network. All configuration files are
collectively sorted and processed in lexical order, regardless of the
directories in which they live. However, files with identical filenames
replace each other. Files in /etc have the highest priority, files in
/run take precedence over files with the same name in /usr/lib. This
can be used to override a system-supplied configuration file with a
local file if needed. As a special case, an empty file (file size 0) or
symlink with the same name pointing to /dev/null disables the
configuration file entirely (it is "masked").

Along with the netdev file foo.netdev, a "drop-in" directory
foo.netdev.d/ may exist. All files with the suffix ".conf" from this
directory will be parsed after the file itself is parsed. This is
useful to alter or add configuration settings, without having to modify
the main configuration file. Each drop-in file must have appropriate
section headers.

In addition to /etc/systemd/network, drop-in ".d" directories can be
placed in /usr/lib/systemd/network or /run/systemd/network directories.
Drop-in files in /etc take precedence over those in /run which in turn
take precedence over those in /usr/lib. Drop-in files under any of
these directories take precedence over the main netdev file wherever
located. (Of course, since /run is temporary and /usr/lib is for
vendors, it is unlikely drop-ins should be used in either of those
places.)

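The lookup rules above, as an added example (not code from systemd): a Python function that reports which copy of each .netdev file wins across the three directories, which files are masked, and which drop-ins apply, so an unexpected override can be spotted during a configuration audit. Drop-ins are merged by file name and listed in lexical order; treating a masked drop-in like a masked main file is an assumption.

```python
import os
from pathlib import Path

# Search roots in ascending priority, as listed in the text above.
ROOTS = (
    "/usr/lib/systemd/network",
    "/run/systemd/network",
    "/etc/systemd/network",
)


def is_masked(path):
    """True for an empty file or a symlink that resolves to /dev/null."""
    if os.path.realpath(path) == "/dev/null":
        return True
    return path.is_file() and path.stat().st_size == 0


def effective_netdevs(roots=ROOTS):
    """Map each .netdev file name to the copy that takes effect.

    Returns {name: {"main": Path, "masked": bool, "dropins": [Path, ...]}},
    with names in the lexical order in which the files are processed.
    """
    winners = {}
    for root in roots:  # later (higher-priority) roots replace earlier ones
        root = Path(root)
        if not root.is_dir():
            continue
        for entry in root.iterdir():
            if entry.name.endswith(".netdev") and not entry.is_dir():
                winners[entry.name] = entry

    result = {}
    for name in sorted(winners):
        main = winners[name]
        masked = is_masked(main)
        dropins = {}
        if not masked:
            for root in roots:  # same-named drop-ins: higher priority wins
                dropin_dir = Path(root) / (name + ".d")
                if not dropin_dir.is_dir():
                    continue
                for conf in dropin_dir.iterdir():
                    if conf.name.endswith(".conf"):
                        dropins[conf.name] = conf
        result[name] = {
            "main": main,
            "masked": masked,
            # Assumption: a masked drop-in is skipped like a masked main file.
            "dropins": [dropins[n] for n in sorted(dropins)
                        if not is_masked(dropins[n])],
        }
    return result


if __name__ == "__main__":
    for name, info in effective_netdevs().items():
        state = "MASKED" if info["masked"] else "active"
        print(f"{name}: {state} -> {info['main']}")
        for conf in info["dropins"]:
            print(f"    drop-in: {conf}")
```
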
The following kinds of virtual network devices may be configured in
.netdev files:

Table 1. Supported kinds of virtual network devices
┌──────────┬────────────────────────────┐
│Kind      │ Description                │
├──────────┼────────────────────────────┤
│bond      │ A bond device is an        │
│          │ aggregation of all its     │
│          │ slave devices. See Linux   │
│          │ Ethernet Bonding Driver    │
│          │ HOWTO[1] for details.      │
├──────────┼────────────────────────────┤
│bridge    │ A bridge device is a       │
│          │ software switch, and each  │
│          │ of its slave devices and   │
│          │ the bridge itself are      │
│          │ ports of the switch.       │
├──────────┼────────────────────────────┤
│dummy     │ A dummy device drops all   │
│          │ packets sent to it.        │
├──────────┼────────────────────────────┤
│gre       │ A Level 3 GRE tunnel over  │
│          │ IPv4. See RFC 2784[2] for  │
│          │ details.                   │
├──────────┼────────────────────────────┤
│gretap    │ A Level 2 GRE tunnel over  │
│          │ IPv4.                      │
├──────────┼────────────────────────────┤
│erspan    │ ERSPAN mirrors traffic on  │
│          │ one or more source ports   │
│          │ and delivers the mirrored  │
│          │ traffic to one or more     │
│          │ destination ports on       │
│          │ another switch. The        │
│          │ traffic is encapsulated in │
│          │ generic routing            │
│          │ encapsulation (GRE) and is │
│          │ therefore routable across  │
│          │ a layer 3 network between  │
│          │ the source switch and the  │
│          │ destination switch.        │
├──────────┼────────────────────────────┤
│ip6gre    │ A Level 3 GRE tunnel over  │
│          │ IPv6.                      │
├──────────┼────────────────────────────┤
│ip6tnl    │ An IPv4 or IPv6 tunnel     │
│          │ over IPv6.                 │
├──────────┼────────────────────────────┤
│ip6gretap │ A Level 2 GRE tunnel over  │
│          │ IPv6.                      │
├──────────┼────────────────────────────┤
│ipip      │ An IPv4 over IPv4 tunnel.  │
├──────────┼────────────────────────────┤
│ipvlan    │ An ipvlan device is a      │
│          │ stacked device which       │
│          │ receives packets from its  │
│          │ underlying device based on │
│          │ IP address filtering.      │
├──────────┼────────────────────────────┤
│ipvtap    │ An ipvtap device is a      │
│          │ stacked device which       │
│          │ receives packets from its  │
│          │ underlying device based on │
│          │ IP address filtering and   │
│          │ can be accessed using the  │
│          │ tap user space interface.  │
├──────────┼────────────────────────────┤
│macvlan   │ A macvlan device is a      │
│          │ stacked device which       │
│          │ receives packets from its  │
│          │ underlying device based on │
│          │ MAC address filtering.     │
├──────────┼────────────────────────────┤
│macvtap   │ A macvtap device is a      │
│          │ stacked device which       │
│          │ receives packets from its  │
│          │ underlying device based on │
│          │ MAC address filtering.     │
├──────────┼────────────────────────────┤
│sit       │ An IPv6 over IPv4 tunnel.  │
├──────────┼────────────────────────────┤
│tap       │ A persistent Level 2       │
│          │ tunnel between a network   │
│          │ device and a device node.  │
├──────────┼────────────────────────────┤
│tun       │ A persistent Level 3       │
│          │ tunnel between a network   │
│          │ device and a device node.  │
├──────────┼────────────────────────────┤
│veth      │ An Ethernet tunnel between │
│          │ a pair of network devices. │
├──────────┼────────────────────────────┤
│vlan      │ A VLAN is a stacked device │
│          │ which receives packets     │
│          │ from its underlying device │
│          │ based on VLAN tagging. See │
│          │ IEEE 802.1Q[3] for         │
│          │ details.                   │
├──────────┼────────────────────────────┤
│vti       │ An IPv4 over IPSec tunnel. │
├──────────┼────────────────────────────┤
│vti6      │ An IPv6 over IPSec tunnel. │
├──────────┼────────────────────────────┤
│vxlan     │ A virtual extensible LAN   │
│          │ (vxlan), for connecting    │
│          │ Cloud computing            │
│          │ deployments.               │
├──────────┼────────────────────────────┤
│geneve    │ A GEneric NEtwork          │
│          │ Virtualization             │
│          │ Encapsulation (GENEVE)     │
│          │ netdev driver.             │
├──────────┼────────────────────────────┤
│l2tp      │ A Layer 2 Tunneling        │
│          │ Protocol (L2TP) is a       │
│          │ tunneling protocol used to │
│          │ support virtual private    │
│          │ networks (VPNs) or as part │
│          │ of the delivery of         │
│          │ services by ISPs. It does  │
│          │ not provide any encryption │
│          │ or confidentiality by      │
│          │ itself.                    │
├──────────┼────────────────────────────┤
│macsec    │ Media Access Control       │
│          │ Security (MACsec) is an    │
│          │ 802.1AE IEEE               │
│          │ industry-standard security │
│          │ technology that provides   │
│          │ secure communication for   │
│          │ all traffic on Ethernet    │
│          │ links. MACsec provides     │
│          │ point-to-point security on │
│          │ Ethernet links between     │
│          │ directly connected nodes   │
│          │ and is capable of          │
│          │ identifying and preventing │
│          │ most security threats.     │
├──────────┼────────────────────────────┤
│vrf       │ A Virtual Routing and      │
│          │ Forwarding (VRF[4])        │
│          │ interface to create        │
│          │ separate routing and       │
│          │ forwarding domains.        │
├──────────┼────────────────────────────┤
│vcan      │ The virtual CAN driver     │
│          │ (vcan). Similar to the     │
│          │ network loopback devices,  │
│          │ vcan offers a virtual      │
│          │ local CAN interface.       │
├──────────┼────────────────────────────┤
│vxcan     │ The virtual CAN tunnel     │
│          │ driver (vxcan). Similar to │
│          │ the virtual ethernet       │
│          │ driver veth, vxcan         │
│          │ implements a local CAN     │
│          │ traffic tunnel between two │
│          │ virtual CAN network        │
│          │ devices. When creating a   │
│          │ vxcan, two vxcan devices   │
│          │ are created as a pair. When│
│          │ one end receives the       │
│          │ packet it appears on its   │
│          │ pair and vice versa. The   │
│          │ vxcan can be used for      │
│          │ cross namespace            │
│          │ communication.             │
├──────────┼────────────────────────────┤
│wireguard │ WireGuard Secure Network   │
│          │ Tunnel.                    │
├──────────┼────────────────────────────┤
│netdevsim │ A simulator. This          │
│          │ simulated networking       │
│          │ device is used for testing │
│          │ various networking APIs    │
│          │ and at this time is        │
│          │ particularly focused on    │
│          │ testing hardware           │
│          │ offloading related         │
│          │ interfaces.                │
├──────────┼────────────────────────────┤
│nlmon     │ A Netlink monitor device.  │
│          │ Use an nlmon device when   │
│          │ you want to monitor system │
│          │ Netlink messages.          │
├──────────┼────────────────────────────┤
│fou       │ Foo-over-UDP tunneling.    │
├──────────┼────────────────────────────┤
│xfrm      │ A virtual tunnel interface │
│          │ like vti/vti6 but with     │
│          │ several advantages.        │
└──────────┴────────────────────────────┘

A virtual network device is only created if the "[Match]" section
matches the current environment, or if the section is empty. The
following keys are accepted:

Host=
    Matches against the hostname or machine ID of the host. See
    "ConditionHost=" in systemd.unit(5) for details. When prefixed with
    an exclamation mark ("!"), the result is negated. If an empty
    string is assigned, then the previously assigned value is cleared.

Virtualization=
    Checks whether the system is executed in a virtualized environment
    and optionally tests whether it is a specific implementation. See
    "ConditionVirtualization=" in systemd.unit(5) for details. When
    prefixed with an exclamation mark ("!"), the result is negated. If
    an empty string is assigned, then the previously assigned value is
    cleared.

KernelCommandLine=
    Checks whether a specific kernel command line option is set. See
    "ConditionKernelCommandLine=" in systemd.unit(5) for details. When
    prefixed with an exclamation mark ("!"), the result is negated. If
    an empty string is assigned, then the previously assigned value is
    cleared.

KernelVersion=
    Checks whether the kernel version (as reported by uname -r) matches
    a certain expression. See "ConditionKernelVersion=" in
    systemd.unit(5) for details. When prefixed with an exclamation mark
    ("!"), the result is negated. If an empty string is assigned, then
    the previously assigned value is cleared.

Architecture=
    Checks whether the system is running on a specific architecture.
    See "ConditionArchitecture=" in systemd.unit(5) for details. When
    prefixed with an exclamation mark ("!"), the result is negated. If
    an empty string is assigned, then the previously assigned value is
    cleared.

The "[NetDev]" section accepts the following keys:

Description=
    A free-form description of the netdev.

Name=
    The interface name used when creating the netdev. This option is
    compulsory.

Kind=
    The netdev kind. This option is compulsory. See the "Supported
    netdev kinds" section for the valid keys.

MTUBytes=
    The maximum transmission unit in bytes to set for the device. The
    usual suffixes K, M, G, are supported and are understood to the
    base of 1024. For "tun" or "tap" devices, the MTUBytes= setting is
    not currently supported in the "[NetDev]" section. Please specify
    it in the "[Link]" section of the corresponding systemd.network(5)
    files.

MACAddress=
    The MAC address to use for the device. For "tun" or "tap" devices,
    setting MACAddress= in the "[NetDev]" section is not supported.
    Please specify it in the "[Link]" section of the corresponding
    systemd.network(5) file. If this option is not set, "vlan" devices
    inherit the MAC address of the physical interface. For other kinds
    of netdevs, if this option is not set, then the MAC address is
    generated based on the interface name and the machine-id(5).

The "[Bridge]" section only applies for netdevs of kind "bridge", and
accepts the following keys:

HelloTimeSec=
    HelloTimeSec specifies the number of seconds between two hello
    packets sent out by the root bridge and the designated bridges.
    Hello packets are used to communicate information about the
    topology throughout the entire bridged local area network.

MaxAgeSec=
    MaxAgeSec specifies the number of seconds of maximum message age.
    If the last seen (received) hello packet is more than this number
    of seconds old, the bridge in question will start the takeover
    procedure in an attempt to become the Root Bridge itself.

ForwardDelaySec=
    ForwardDelaySec specifies the number of seconds spent in each of
    the Listening and Learning states before the Forwarding state is
    entered.

AgeingTimeSec=
    This specifies the number of seconds a MAC Address will be kept in
    the forwarding database after having a packet received from this
    MAC Address.

Priority=
    The priority of the bridge. An integer between 0 and 65535. A lower
    value means higher priority. The bridge having the lowest priority
    will be elected as root bridge.

GroupForwardMask=
    A 16-bit bitmask represented as an integer which allows forwarding
    of link local frames with 802.1D reserved addresses
    (01:80:C2:00:00:0X). A logical AND is performed between the
    specified bitmask and the exponentiation of 2^X, the lower nibble
    of the last octet of the MAC address. For example, a value of 8
    would allow forwarding of frames addressed to 01:80:C2:00:00:03
    (802.1X PAE).

DefaultPVID=
    This specifies the default port VLAN ID of a newly attached bridge
    port. Set this to an integer in the range 1–4094 or "none" to
    disable the PVID.

MulticastQuerier=
    Takes a boolean. This setting controls the IFLA_BR_MCAST_QUERIER
    option in the kernel. If enabled, the kernel will send general ICMP
    queries from a zero source address. This feature should allow
    faster convergence on startup, but it causes some multicast-aware
    switches to misbehave and disrupt forwarding of multicast packets.
    When unset, the kernel's default will be used.

MulticastSnooping=
    Takes a boolean. This setting controls the IFLA_BR_MCAST_SNOOPING
    option in the kernel. If enabled, IGMP snooping monitors the
    Internet Group Management Protocol (IGMP) traffic between hosts and
    multicast routers. When unset, the kernel's default will be used.

VLANFiltering=
    Takes a boolean. This setting controls the IFLA_BR_VLAN_FILTERING
    option in the kernel. If enabled, the bridge will be started in
    VLAN-filtering mode. When unset, the kernel's default will be used.

STP=
    Takes a boolean. This enables the bridge's Spanning Tree Protocol
    (STP). When unset, the kernel's default will be used.

MulticastIGMPVersion=
    Allows changing the bridge's multicast Internet Group Management
    Protocol (IGMP) version. Takes an integer 2 or 3. When unset, the
    kernel's default will be used.

The "[VLAN]" section only applies for netdevs of kind "vlan", and
accepts the following keys:

Id=
    The VLAN ID to use. An integer in the range 0–4094. This option is
    compulsory.

GVRP=
    Takes a boolean. The Generic VLAN Registration Protocol (GVRP) is a
    protocol that allows automatic learning of VLANs on a network. When
    unset, the kernel's default will be used.

MVRP=
    Takes a boolean. Multiple VLAN Registration Protocol (MVRP),
    formerly known as GARP VLAN Registration Protocol (GVRP), is a
    standards-based Layer 2 network protocol, for automatic
    configuration of VLAN information on switches. It was defined in
    the 802.1ak amendment to 802.1Q-2005. When unset, the kernel's
    default will be used.

LooseBinding=
    Takes a boolean. The VLAN loose binding mode, in which only the
    operational state is passed from the parent to the associated
    VLANs, but the VLAN device state is not changed. When unset, the
    kernel's default will be used.

ReorderHeader=
    Takes a boolean. When the VLAN reorder header is set, VLAN
    interfaces behave like physical interfaces. When unset, the
    kernel's default will be used.

The "[MACVLAN]" section only applies for netdevs of kind "macvlan", and
accepts the following key:

Mode=
    The MACVLAN mode to use. The supported options are "private",
    "vepa", "bridge", and "passthru".

The "[MACVTAP]" section applies for netdevs of kind "macvtap" and
accepts the same key as "[MACVLAN]".

The "[IPVLAN]" section only applies for netdevs of kind "ipvlan", and
accepts the following keys:

Mode=
    The IPVLAN mode to use. The supported options are "L2", "L3" and
    "L3S".

Flags=
    The IPVLAN flags to use. The supported options are "bridge",
    "private" and "vepa".

The "[IPVTAP]" section only applies for netdevs of kind "ipvtap" and
accepts the same keys as "[IPVLAN]".

The "[VXLAN]" section only applies for netdevs of kind "vxlan", and
accepts the following keys:

VNI=
    The VXLAN Network Identifier (or VXLAN Segment ID). Takes a number
    in the range 1-16777215.

Remote=
    Configures the destination IP address.

Local=
    Configures the local IP address.

Group=
    Configures the VXLAN multicast group IP address. All members of a
    VXLAN must use the same multicast group address.

TOS=
    The Type Of Service byte value for a vxlan interface.

TTL=
    A fixed Time To Live N on Virtual eXtensible Local Area Network
    packets. Takes "inherit" or a number in the range 0–255. 0 is a
    special value meaning inherit the inner protocol's TTL value.
    "inherit" means that it will inherit the outer protocol's TTL
    value.

MacLearning=
    Takes a boolean. When true, enables dynamic MAC learning to
    discover remote MAC addresses.

FDBAgeingSec=
    The lifetime of a Forwarding Database entry learnt by the kernel,
    in seconds.

MaximumFDBEntries=
    Configures the maximum number of FDB entries.

ReduceARPProxy=
    Takes a boolean. When true, a bridge-connected VXLAN tunnel
    endpoint answers ARP requests from the local bridge on behalf of
    remote Distributed Overlay Virtual Ethernet (DOVE)[5] clients.
    Defaults to false.

L2MissNotification=
    Takes a boolean. When true, enables netlink LLADDR miss
    notifications.

L3MissNotification=
    Takes a boolean. When true, enables netlink IP address miss
    notifications.

RouteShortCircuit=
    Takes a boolean. When true, route short circuiting is turned on.

UDPChecksum=
    Takes a boolean. When true, transmitting UDP checksums when doing
    VXLAN/IPv4 is turned on.

UDP6ZeroChecksumTx=
    Takes a boolean. When true, sending zero checksums in VXLAN/IPv6 is
    turned on.

UDP6ZeroChecksumRx=
    Takes a boolean. When true, receiving zero checksums in VXLAN/IPv6
    is turned on.

RemoteChecksumTx=
    Takes a boolean. When true, remote transmit checksum offload of
    VXLAN is turned on.

RemoteChecksumRx=
    Takes a boolean. When true, remote receive checksum offload in
    VXLAN is turned on.

GroupPolicyExtension=
    Takes a boolean. When true, it enables the Group Policy VXLAN
    extension security label mechanism across network peers based on
    VXLAN. For details about the Group Policy VXLAN, see the VXLAN
    Group Policy[6] document. Defaults to false.

GenericProtocolExtension=
    Takes a boolean. When true, Generic Protocol Extension extends the
    existing VXLAN protocol to provide protocol typing, OAM, and
    versioning capabilities. For details about the VXLAN GPE Header,
    see the Generic Protocol Extension for VXLAN[7] document. If the
    destination port is not specified and Generic Protocol Extension is
    set, then the default port of 4790 is used. Defaults to false.

DestinationPort=
    Configures the default destination UDP port on a per-device basis.
    If destination port is not specified then Linux kernel default will
    be used. Set destination port 4789 to get the IANA assigned value.
    If not set or if the destination port is assigned the empty string
    the default port of 4789 is used.

PortRange=
    Configures the VXLAN port range. VXLAN bases the source UDP port on
    the flow to help the receiver load balance based on the outer
    header flow. It restricts the port range to the normal UDP local
    ports, and allows overriding via configuration.

FlowLabel=
    Specifies the flow label to use in outgoing packets. The valid
    range is 0-1048575.

IPDoNotFragment=
    Allows setting the IPv4 Do not Fragment (DF) bit in outgoing
    packets, or inheriting its value from the IPv4 inner header. Takes
    a boolean value, or "inherit". Set to "inherit" if the encapsulated
    protocol is IPv6. When unset, the kernel's default will be used.

The "[GENEVE]" section only applies for netdevs of kind "geneve", and
accepts the following keys:

Id=
    Specifies the Virtual Network Identifier (VNI) to use. Takes a
    number in the range 0-16777215. This field is mandatory.

Remote=
    Specifies the unicast destination IP address to use in outgoing
    packets.

TOS=
    Specifies the TOS value to use in outgoing packets. Takes a number
    in the range 1-255.

TTL=
    Accepts the same values as in the "[VXLAN]" section, except that
    when unset or set to 0, the kernel's default will be used, meaning
    that the packets' TTL will be set from
    /proc/sys/net/ipv4/ip_default_ttl.

UDPChecksum=
    Takes a boolean. When true, specifies if UDP checksum is calculated
    for transmitted packets over IPv4.

UDP6ZeroChecksumTx=
    Takes a boolean. When true, skip UDP checksum calculation for
    transmitted packets over IPv6.

UDP6ZeroChecksumRx=
    Takes a boolean. When true, allows incoming UDP packets over IPv6
    with zero checksum field.

DestinationPort=
    Specifies destination port. Defaults to 6081. If not set or
    assigned the empty string, the default port of 6081 is used.

FlowLabel=
    Specifies the flow label to use in outgoing packets.

IPDoNotFragment=
    Accepts the same key as in the "[VXLAN]" section.

The "[L2TP]" section only applies for netdevs of kind "l2tp", and
accepts the following keys:

TunnelId=
    Specifies the tunnel id. The value used must match the
    "PeerTunnelId=" value being used at the peer. Takes a number
    between 1 and 4294967295. This option is compulsory.

PeerTunnelId=
    Specifies the peer tunnel id. The value used must match the
    "PeerTunnelId=" value being used at the peer. Takes a number
    between 1 and 4294967295. This option is compulsory.

Remote=
    Specifies the IP address of the remote peer. This option is
    compulsory.

Local=
    Specifies the IP address of the local interface. Takes an IP
    address, or the special values "auto", "static", or "dynamic". When
    an address is set, then the local interface must have the address.
    If "auto", then one of the addresses on the local interface is
    used. Similarly, if "static" or "dynamic" is set, then one of the
    static or dynamic addresses on the local interface is used.
    Defaults to "auto".

EncapsulationType=
    Specifies the encapsulation type of the tunnel. Takes one of "udp"
    or "ip".

UDPSourcePort=
    Specifies the UDP source port to be used for the tunnel. When UDP
    encapsulation is selected it's mandatory. Ignored when ip
    encapsulation is selected.

DestinationPort=
    Specifies destination port. When UDP encapsulation is selected it's
    mandatory. Ignored when ip encapsulation is selected.

UDPChecksum=
    Takes a boolean. When true, specifies if UDP checksum is calculated
    for transmitted packets over IPv4.

UDP6ZeroChecksumTx=
    Takes a boolean. When true, skip UDP checksum calculation for
    transmitted packets over IPv6.

UDP6ZeroChecksumRx=
    Takes a boolean. When true, allows incoming UDP packets over IPv6
    with zero checksum field.

The "[L2TPSession]" section only applies for netdevs of kind "l2tp",
and accepts the following keys:

Name=
    Specifies the name of the session. This option is compulsory.

SessionId=
    Specifies the session id. The value used must match the
    "SessionId=" value being used at the peer. Takes a number between
    1 and 4294967295. This option is compulsory.

PeerSessionId=
    Specifies the peer session id. The value used must match the
    "PeerSessionId=" value being used at the peer. Takes a number
    between 1 and 4294967295. This option is compulsory.

Layer2SpecificHeader=
    Specifies the layer2specific header type of the session. One of
    "none" or "default". Defaults to "default".

The "[MACsec]" section only applies for network devices of kind
"macsec", and accepts the following keys:

Port=
    Specifies the port to be used for the MACsec transmit channel. The
    port is used to make the secure channel identifier (SCI). Takes a
    value between 1 and 65535. Defaults to unset.

Encrypt=
    Takes a boolean. When true, enable encryption. Defaults to unset.

The "[MACsecReceiveChannel]" section only applies for network devices
of kind "macsec", and accepts the following keys:

Port=
    Specifies the port to be used for the MACsec receive channel. The
    port is used to make the secure channel identifier (SCI). Takes a
    value between 1 and 65535. This option is compulsory, and is not
    set by default.

MACAddress=
    Specifies the MAC address to be used for the MACsec receive
    channel. The MAC address is used to make the secure channel
    identifier (SCI). This option is compulsory, and is not set by
    default.

The "[MACsecTransmitAssociation]" section only applies for network
devices of kind "macsec", and accepts the following keys:

PacketNumber=
    Specifies the packet number to be used for replay protection and
    the construction of the initialization vector (along with the
    secure channel identifier [SCI]). Takes a value between
    1-4,294,967,295. Defaults to unset.

KeyId=
    Specifies the identification for the key. Takes a number between
    0-255. This option is compulsory, and is not set by default.

Key=
    Specifies the encryption key used in the transmission channel. The
    same key must be configured on the peer’s matching receive channel.
    This option is compulsory, and is not set by default. Takes a
    128-bit key encoded in a hexadecimal string, for example
    "dffafc8d7b9a43d5b9a3dfbbf6a30c16".

KeyFile=
    Takes an absolute path to a file which contains a 128-bit key
    encoded in a hexadecimal string, which will be used in the
    transmission channel. When this option is specified, Key= is
    ignored. Note that the file must be readable by the user
    "systemd-network", so it should be, e.g., owned by
    "root:systemd-network" with a "0640" file mode.

Activate=
    Takes a boolean. If enabled, then the security association is
    activated. Defaults to unset.

UseForEncoding=
    Takes a boolean. If enabled, then the security association is used
    for encoding. Only one "[MACsecTransmitAssociation]" section can
    enable this option. When enabled, Activate=yes is implied. Defaults
    to unset.

The "[MACsecReceiveAssociation]" section only applies for network
devices of kind "macsec", and accepts the following keys:

Port=
    Accepts the same key as in the "[MACsecReceiveChannel]" section.

MACAddress=
    Accepts the same key as in the "[MACsecReceiveChannel]" section.

PacketNumber=
    Accepts the same key as in the "[MACsecTransmitAssociation]" section.

KeyId=
    Accepts the same key as in the "[MACsecTransmitAssociation]" section.

Key=
    Accepts the same key as in the "[MACsecTransmitAssociation]" section.

KeyFile=
    Accepts the same key as in the "[MACsecTransmitAssociation]" section.

Activate=
    Accepts the same key as in the "[MACsecTransmitAssociation]" section.

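A check of the MACsec key settings described above, as an added example (not code from systemd): a Python audit of the association sections in one .netdev file that reports inline Key= material, a Key= that is ignored because KeyFile= is set, a KeyFile= that is relative, open to others or not a 128-bit hex key, a KeyId= outside 0-255, and more than one transmit association with UseForEncoding=. The sample file, the path /etc/macsec/rx.key and the accepted boolean spellings are assumptions; repeated sections are parsed by hand because the same section name can occur more than once.

```python
import os
import re
import stat

ASSOCIATIONS = ("MACsecTransmitAssociation", "MACsecReceiveAssociation")
HEX128 = re.compile(r"[0-9a-fA-F]{32}")  # 128-bit key as hexadecimal
TRUE = {"1", "yes", "y", "true", "t", "on"}  # boolean spellings (assumed)


def parse_sections(text):
    """Return [(section, {key: value})], keeping repeated sections apart."""
    # Association sections may repeat, so same-named sections are not merged.
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = value.strip()
    return sections


def check_keyfile(path):
    """Check the KeyFile= rules stated above; returns a list of problems."""
    if not os.path.isabs(path):
        return ["KeyFile= is not an absolute path"]
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path) as handle:
            content = handle.read().strip()
    except OSError as exc:
        return [f"KeyFile= cannot be read ({exc.strerror})"]
    problems = []
    if mode & 0o007:
        problems.append(f"KeyFile= mode {mode:04o} grants access to others")
    if not HEX128.fullmatch(content):
        problems.append("KeyFile= does not contain a 128-bit hex key")
    return problems


def audit_macsec(text):
    """Return findings for the MACsec association sections of one .netdev."""
    findings = []
    encoders = 0
    for number, (name, keys) in enumerate(parse_sections(text), 1):
        if name not in ASSOCIATIONS:
            continue
        where = f"section {number} [{name}]"
        key_id = keys.get("KeyId", "")
        if not (key_id.isdigit() and int(key_id) <= 255):
            findings.append(f"{where}: KeyId= must be set to 0-255")
        if "KeyFile" in keys:
            if "Key" in keys:
                findings.append(f"{where}: Key= is ignored, KeyFile= is set")
            findings += [f"{where}: {p}" for p in check_keyfile(keys["KeyFile"])]
        elif "Key" in keys:
            findings.append(f"{where}: key material is stored inline in Key=")
            if not HEX128.fullmatch(keys["Key"]):
                findings.append(f"{where}: Key= is not a 128-bit hex key")
        else:
            findings.append(f"{where}: neither Key= nor KeyFile= is set")
        if (name == "MACsecTransmitAssociation"
                and keys.get("UseForEncoding", "").lower() in TRUE):
            encoders += 1
    if encoders > 1:
        findings.append("more than one transmit association sets UseForEncoding=")
    return findings


# Constructed sample; the key is the example value from the text above and
# /etc/macsec/rx.key is a hypothetical path.
SAMPLE = """\
[NetDev]
Name=macsec0
Kind=macsec

[MACsecTransmitAssociation]
KeyId=1
Key=dffafc8d7b9a43d5b9a3dfbbf6a30c16
UseForEncoding=yes

[MACsecTransmitAssociation]
KeyId=2
Key=dffafc8d7b9a43d5b9a3dfbbf6a30c16
UseForEncoding=yes

[MACsecReceiveAssociation]
KeyId=300
KeyFile=/etc/macsec/rx.key
"""

if __name__ == "__main__":
    for finding in audit_macsec(SAMPLE):
        print(finding)
```

Ownership ("root:systemd-network") is not checked here, only the mode bits and the key format.
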
The "[Tunnel]" section only applies for netdevs of kind "ipip", "sit",
"gre", "gretap", "ip6gre", "ip6gretap", "vti", "vti6", "ip6tnl", and
"erspan" and accepts the following keys:

Local=
    A static local address for tunneled packets. It must be an address
    on another interface of this host, or the special value "any".

Remote=
    The remote endpoint of the tunnel. Takes an IP address or the
    special value "any".

TOS=
    The Type Of Service byte value for a tunnel interface. For details
    about the TOS, see the Type of Service in the Internet Protocol
    Suite[8] document.

TTL=
    A fixed Time To Live N on tunneled packets. N is a number in the
    range 1–255. 0 is a special value meaning that packets inherit the
    TTL value. The default value for IPv4 tunnels is "inherit". The
    default value for IPv6 tunnels is 64.

DiscoverPathMTU=
    Takes a boolean. When true, enables Path MTU Discovery on the
    tunnel.

IPv6FlowLabel=
    Configures the 20-bit flow label (see RFC 6437[9]) field in the
    IPv6 header (see RFC 2460[10]), which is used by a node to label
    packets of a flow. It is only used for IPv6 tunnels. A flow label
    of zero is used to indicate packets that have not been labeled. It
    can be configured to a value in the range 0–0xFFFFF, or be set to
    "inherit", in which case the original flowlabel is used.

CopyDSCP=
    Takes a boolean. When true, the Differentiated Service Code Point
    (DSCP) field will be copied to the inner header from outer header
    during the decapsulation of an IPv6 tunnel packet. DSCP is a field
    in an IP packet that enables different levels of service to be
    assigned to network traffic. Defaults to "no".

EncapsulationLimit=
    The Tunnel Encapsulation Limit option specifies how many additional
    levels of encapsulation are permitted to be prepended to the
    packet. For example, a Tunnel Encapsulation Limit option containing
    a limit value of zero means that a packet carrying that option may
    not enter another tunnel before exiting the current tunnel (see
    RFC 2473[11]). The valid range is 0–255 and "none". Defaults to 4.

Key=
    The Key= parameter specifies the same key to use in both directions
    (InputKey= and OutputKey=). The Key= is either a number or an IPv4
    address-like dotted quad. It is used as a mark-configured SAD/SPD
    entry as part of the lookup key (both in data and control path) in
    ip xfrm (the framework used to implement the IPsec protocol). See
    ip-xfrm — transform configuration[12] for details. It is only used
    for VTI/VTI6, GRE, GRETAP, and ERSPAN tunnels.

InputKey=
    The InputKey= parameter specifies the key to use for input. The
    format is the same as Key=. It is only used for VTI/VTI6, GRE,
    GRETAP, and ERSPAN tunnels.

OutputKey=
    The OutputKey= parameter specifies the key to use for output. The
    format is the same as Key=. It is only used for VTI/VTI6, GRE,
    GRETAP, and ERSPAN tunnels.

838 Mode=
839 An "ip6tnl" tunnel can be in one of three modes "ip6ip6" for IPv6
840 over IPv6, "ipip6" for IPv4 over IPv6 or "any" for either.
841
842 Independent=
843 Takes a boolean. When true tunnel does not require .network file.
844 Created as "tunnel@NONE". Defaults to "false".
845
846 AssignToLoopback=
847 Takes a boolean. If set to "yes", the loopback interface "lo" is
848 used as the underlying device of the tunnel interface. Defaults to
849 "no".
850
851 AllowLocalRemote=
852 Takes a boolean. When true, allows tunnel traffic on ip6tnl devices
853 where the remote endpoint is a local host address. When unset, the
854 kernel's default will be used.
855
856 FooOverUDP=
857 Takes a boolean. Specifies whether FooOverUDP= tunnel is to be
858 configured. Defaults to false. This takes effect only for IPIP,
859 SIT, GRE, and GRETAP tunnels. For more detailed information, see Foo
860 over UDP[13].
861
862 FOUDestinationPort=
863 This setting specifies the UDP destination port for encapsulation.
864 This field is mandatory when FooOverUDP=yes, and is not set by
865 default.
866
867 FOUSourcePort=
868 This setting specifies the UDP source port for encapsulation.
869 Defaults to 0 — that is, the source port for packets is left to the
870 network stack to decide.
871
872 Encapsulation=
873 Accepts the same key as in the "[FooOverUDP]" section.
874
875 IPv6RapidDeploymentPrefix=
876 Reconfigure the tunnel for IPv6 Rapid Deployment[14], also known as
877 6rd. The value is an ISP-specific IPv6 prefix with a non-zero
878 length. Only applicable to SIT tunnels.
879
880 ISATAP=
881 Takes a boolean. If set, configures the tunnel as Intra-Site
882 Automatic Tunnel Addressing Protocol (ISATAP) tunnel. Only
883 applicable to SIT tunnels. When unset, the kernel's default will be
884 used.
885
886 SerializeTunneledPackets=
887 Takes a boolean. If set to yes, then packets are serialized. Only
888 applies for GRE, GRETAP, and ERSPAN tunnels. When unset, the
889 kernel's default will be used.
890
891 ERSPANIndex=
892 Specifies the ERSPAN index field for the interface, an integer in
893 the range 1-1048575 associated with the ERSPAN traffic's source
894 port and direction. This field is mandatory.
895
897 The "[FooOverUDP]" section only applies for netdevs of kind "fou" and
898 accepts the following keys:
899
900 Encapsulation=
901 Specifies the encapsulation mechanism used to store networking
902 packets of various protocols inside the UDP packets. Supports the
903 following values: "FooOverUDP" provides the simplest no frills
904 model of UDP encapsulation, it simply encapsulates packets directly
905 in the UDP payload. "GenericUDPEncapsulation" is a generic and
906 extensible encapsulation, it allows encapsulation of packets for
907 any IP protocol and optional data as part of the encapsulation. For
908 more detailed information see Generic UDP Encapsulation[15].
909 Defaults to "FooOverUDP".
910
911 Port=
912 Specifies the port number where the IP encapsulation packets will
913 arrive. Note that the packets arrive with the encapsulation
914 removed. They are then manually fed back
915 into the network stack, and sent ahead for delivery to the real
916 destination. This option is mandatory.
917
918 PeerPort=
919 Specifies the peer port number. Defaults to unset. Note that when
920 the peer port is set, the "Peer=" address is mandatory.
921
922 Protocol=
923 The Protocol= specifies the protocol number of the packets arriving
924 at the UDP port. When Encapsulation=FooOverUDP, this field is
925 mandatory and is not set by default. Takes an IP protocol name such
926 as "gre" or "ipip", or an integer within the range 1-255. When
927 Encapsulation=GenericUDPEncapsulation, this must not be specified.
928
929 Peer=
930 Configures the peer IP address. Note that when the peer address is set,
931 "PeerPort=" is mandatory.
932
933 Local=
934 Configures local IP address.
935
937 The "[Peer]" section only applies for netdevs of kind "veth" and
938 accepts the following keys:
939
940 Name=
941 The interface name used when creating the netdev. This option is
942 compulsory.
943
944 MACAddress=
945 The peer MACAddress. If not set, it is generated in the same way as
946 the MAC address of the main interface.
947
949 The "[VXCAN]" section only applies for netdevs of kind "vxcan" and
950 accepts the following key:
951
952 Peer=
953 The peer interface name used when creating the netdev. This option
954 is compulsory.
955
957 The "[Tun]" section only applies for netdevs of kind "tun", and accepts
958 the following keys:
959
960 MultiQueue=
961 Takes a boolean. Configures whether to use multiple file
962 descriptors (queues) to parallelize packets sending and receiving.
963 Defaults to "no".
964
965 PacketInfo=
966 Takes a boolean. Configures whether packets should be prepended
967 with four extra bytes (two flag bytes and two protocol bytes). If
968 disabled, it indicates that the packets will be pure IP packets.
969 Defaults to "no".
970
971 VNetHeader=
972 Takes a boolean. Configures IFF_VNET_HDR flag for a tun or tap
973 device. It allows sending and receiving larger Generic Segmentation
974 Offload (GSO) packets. This may increase throughput significantly.
975 Defaults to "no".
976
977 User=
978 User to grant access to the /dev/net/tun device.
979
980 Group=
981 Group to grant access to the /dev/net/tun device.
982
984 The "[Tap]" section only applies for netdevs of kind "tap", and accepts
985 the same keys as the "[Tun]" section.
986
988 The "[WireGuard]" section accepts the following keys:
989
990 PrivateKey=
991 The Base64 encoded private key for the interface. It can be
992 generated using the wg genkey command (see wg(8)). This option or
993 PrivateKeyFile= is mandatory to use WireGuard. Note that because
994 this information is secret, you may want to set the permissions of
995 the .netdev file to be owned by "root:systemd-network" with a
996 "0640" file mode.
997
998 PrivateKeyFile=
999 Takes an absolute path to a file which contains the Base64 encoded
1000 private key for the interface. When this option is specified, then
1001 PrivateKey= is ignored. Note that the file must be readable by the
1002 user "systemd-network", so it should be, e.g., owned by
1003 "root:systemd-network" with a "0640" file mode.
1004
1005 ListenPort=
1006 Sets UDP port for listening. Takes either value between 1 and 65535
1007 or "auto". If "auto" is specified, the port is automatically
1008 generated based on interface name. Defaults to "auto".
1009
1010 FirewallMark=
1011 Sets a firewall mark on outgoing WireGuard packets from this
1012 interface. Takes a number between 1 and 4294967295.
1013
1015 The "[WireGuardPeer]" section accepts the following keys:
1016
1017 PublicKey=
1018 Sets a Base64 encoded public key calculated by wg pubkey (see
1019 wg(8)) from a private key, and usually transmitted out of band to
1020 the author of the configuration file. This option is mandatory for
1021 this section.
1022
1023 PresharedKey=
1024 Optional preshared key for the interface. It can be generated by
1025 the wg genpsk command. This option adds an additional layer of
1026 symmetric-key cryptography to be mixed into the already existing
1027 public-key cryptography, for post-quantum resistance. Note that
1028 because this information is secret, you may want to set the
1029 permissions of the .netdev file to be owned by
1030 "root:systemd-network" with a "0640" file mode.
1031
1032 PresharedKeyFile=
1033 Takes an absolute path to a file which contains the Base64 encoded
1034 preshared key for the peer. When this option is specified, then
1035 PresharedKey= is ignored. Note that the file must be readable by
1036 the user "systemd-network", so it should be, e.g., owned by
1037 "root:systemd-network" with a "0640" file mode.
1038
1039 AllowedIPs=
1040 Sets a comma-separated list of IP (v4 or v6) addresses with CIDR
1041 masks from which this peer is allowed to send incoming traffic and
1042 to which outgoing traffic for this peer is directed. The catch-all
1043 0.0.0.0/0 may be specified for matching all IPv4 addresses, and
1044 ::/0 may be specified for matching all IPv6 addresses.
1045
1046 Endpoint=
1047 Sets an endpoint IP address or hostname, followed by a colon, and
1048 then a port number. This endpoint will be updated automatically
1049 once to the most recent source IP address and port of correctly
1050 authenticated packets from the peer at configuration time.
1051
1052 PersistentKeepalive=
1053 Sets a seconds interval, between 1 and 65535 inclusive, of how
1054 often to send an authenticated empty packet to the peer for the
1055 purpose of keeping a stateful firewall or NAT mapping valid
1056 persistently. For example, if the interface very rarely sends
1057 traffic, but it might at anytime receive traffic from a peer, and
1058 it is behind NAT, the interface might benefit from having a
1059 persistent keepalive interval of 25 seconds. If set to 0 or "off",
1060 this option is disabled. By default or when unspecified, this
1061 option is off. Most users will not need this.
1062
1064 The "[Bond]" section accepts the following keys:
1065
1066 Mode=
1067 Specifies one of the bonding policies. The default is "balance-rr"
1068 (round robin). Possible values are "balance-rr", "active-backup",
1069 "balance-xor", "broadcast", "802.3ad", "balance-tlb", and
1070 "balance-alb".
1071
1072 TransmitHashPolicy=
1073 Selects the transmit hash policy to use for slave selection in
1074 balance-xor, 802.3ad, and tlb modes. Possible values are "layer2",
1075 "layer3+4", "layer2+3", "encap2+3", and "encap3+4".
1076
1077 LACPTransmitRate=
1078 Specifies the rate with which link partner transmits Link
1079 Aggregation Control Protocol Data Unit packets in 802.3ad mode.
1080 Possible values are "slow", which requests partner to transmit
1081 LACPDUs every 30 seconds, and "fast", which requests partner to
1082 transmit LACPDUs every second. The default value is "slow".
1083
1084 MIIMonitorSec=
1085 Specifies the frequency that Media Independent Interface link
1086 monitoring will occur. A value of zero disables MII link
1087 monitoring. This value is rounded down to the nearest millisecond.
1088 The default value is 0.
1089
1090 UpDelaySec=
1091 Specifies the delay before a link is enabled after a link up status
1092 has been detected. This value is rounded down to a multiple of
1093 MIIMonitorSec. The default value is 0.
1094
1095 DownDelaySec=
1096 Specifies the delay before a link is disabled after a link down
1097 status has been detected. This value is rounded down to a multiple
1098 of MIIMonitorSec. The default value is 0.
1099
1100 LearnPacketIntervalSec=
1101 Specifies the number of seconds between instances where the bonding
1102 driver sends learning packets to each slave peer switch. The valid
1103 range is 1–0x7fffffff; the default value is 1. This option has an
1104 effect only for the balance-tlb and balance-alb modes.
1105
1106 AdSelect=
1107 Specifies the 802.3ad aggregation selection logic to use. Possible
1108 values are "stable", "bandwidth" and "count".
1109
1110 AdActorSystemPriority=
1111 Specifies the 802.3ad actor system priority. Ranges [1-65535].
1112
1113 AdUserPortKey=
1114 Specifies the 802.3ad user defined portion of the port key. Ranges
1115 [0-1023].
1116
1117 AdActorSystem=
1118 Specifies the 802.3ad system MAC address. This cannot be either
1119 NULL or Multicast.
1120
1121 FailOverMACPolicy=
1122 Specifies whether the active-backup mode should set all slaves to
1123 the same MAC address at the time of enslavement or, when enabled,
1124 to perform special handling of the bond's MAC address in accordance
1125 with the selected policy. The default policy is none. Possible
1126 values are "none", "active" and "follow".
1127
1128 ARPValidate=
1129 Specifies whether or not ARP probes and replies should be validated
1130 in any mode that supports ARP monitoring, or whether non-ARP
1131 traffic should be filtered (disregarded) for link monitoring
1132 purposes. Possible values are "none", "active", "backup" and "all".
1133
1134 ARPIntervalSec=
1135 Specifies the ARP link monitoring frequency. A value of 0 disables
1136 ARP monitoring. The default value is 0, and the default unit is
1137 seconds.
1138
1139 ARPIPTargets=
1140 Specifies the IP addresses to use as ARP monitoring peers when
1141 ARPIntervalSec is greater than 0. These are the targets of the ARP
1142 request sent to determine the health of the link to the targets.
1143 Specify these values in IPv4 dotted decimal format. At least one IP
1144 address must be given for ARP monitoring to function. The maximum
1145 number of targets that can be specified is 16. The default value is
1146 no IP addresses.
1147
1148 ARPAllTargets=
1149 Specifies the quantity of ARPIPTargets that must be reachable in
1150 order for the ARP monitor to consider a slave as being up. This
1151 option affects only active-backup mode for slaves with ARPValidate
1152 enabled. Possible values are "any" and "all".
1153
1154 PrimaryReselectPolicy=
1155 Specifies the reselection policy for the primary slave. This
1156 affects how the primary slave is chosen to become the active slave
1157 when failure of the active slave or recovery of the primary slave
1158 occurs. This option is designed to prevent flip-flopping between
1159 the primary slave and other slaves. Possible values are "always",
1160 "better" and "failure".
1161
1162 ResendIGMP=
1163 Specifies the number of IGMP membership reports to be issued after
1164 a failover event. One membership report is issued immediately after
1165 the failover, subsequent packets are sent in each 200ms interval.
1166 The valid range is 0–255. Defaults to 1. A value of 0 prevents the
1167 IGMP membership report from being issued in response to the
1168 failover event.
1169
1170 PacketsPerSlave=
1171 Specify the number of packets to transmit through a slave before
1172 moving to the next one. When set to 0, then a slave is chosen at
1173 random. The valid range is 0–65535. Defaults to 1. This option only
1174 has effect when in balance-rr mode.
1175
1176 GratuitousARP=
1177 Specify the number of peer notifications (gratuitous ARPs and
1178 unsolicited IPv6 Neighbor Advertisements) to be issued after a
1179 failover event. As soon as the link is up on the new slave, a peer
1180 notification is sent on the bonding device and each VLAN
1181 sub-device. This is repeated at each link monitor interval
1182 (ARPIntervalSec or MIIMonitorSec, whichever is active) if the
1183 number is greater than 1. The valid range is 0–255. The default
1184 value is 1. This option affects only the active-backup mode.
1185
1186 AllSlavesActive=
1187 Takes a boolean. Specifies that duplicate frames (received on
1188 inactive ports) should be dropped when false, or delivered when
1189 true. Normally, bonding will drop duplicate frames (received on
1190 inactive ports), which is desirable for most users. Sometimes,
1191 however, it is useful to allow duplicate frames to be delivered.
1192 The default value is false (drop duplicate frames received on
1193 inactive ports).
1194
1195 DynamicTransmitLoadBalancing=
1196 Takes a boolean. Specifies if dynamic shuffling of flows is
1197 enabled. Applies only for balance-tlb mode. Defaults to unset.
1198
1199 MinLinks=
1200 Specifies the minimum number of links that must be active before
1201 asserting carrier. The default value is 0.
1202
1203 For more detailed information, see Linux Ethernet Bonding Driver HOWTO[1].
1204
1206 The "[Xfrm]" section accepts the following keys:
1207
1208 InterfaceId=
1209 Sets the ID/key of the xfrm interface which needs to be associated
1210 with a SA/policy. Can be decimal or hexadecimal, valid range is
1211 0-0xffffffff, defaults to 0.
1212
1213 Independent=
1214 Takes a boolean. If set to "no", the xfrm interface should have an
1215 underlying device which can be used for hardware offloading.
1216 Defaults to "no". See systemd.network(5) for how to configure the
1217 underlying device.
1218
1219 For more detailed information, see Virtual xfrm interfaces[16].
1220
1222 The "[VRF]" section only applies for netdevs of kind "vrf" and accepts
1223 the following key:
1224
1225 Table=
1226 The numeric routing table identifier. This option is compulsory.
1227
1229 Example 1. /etc/systemd/network/25-bridge.netdev
1230
1231 [NetDev]
1232 Name=bridge0
1233 Kind=bridge
1234
1235 Example 2. /etc/systemd/network/25-vlan1.netdev
1236
1237 [Match]
1238 Virtualization=no
1239
1240 [NetDev]
1241 Name=vlan1
1242 Kind=vlan
1243
1244 [VLAN]
1245 Id=1
1246
1247 Example 3. /etc/systemd/network/25-ipip.netdev
1248
1249 [NetDev]
1250 Name=ipip-tun
1251 Kind=ipip
1252 MTUBytes=1480
1253
1254 [Tunnel]
1255 Local=192.168.223.238
1256 Remote=192.169.224.239
1257 TTL=64
1258
1259 Example 4. /etc/systemd/network/1-fou-tunnel.netdev
1260
1261 [NetDev]
1262 Name=fou-tun
1263 Kind=fou
1264
1265 [FooOverUDP]
1266 Port=5555
1267 Protocol=4
1268
1269
1270 Example 5. /etc/systemd/network/25-fou-ipip.netdev
1271
1272 [NetDev]
1273 Name=ipip-tun
1274 Kind=ipip
1275
1276 [Tunnel]
1277 Independent=yes
1278 Local=10.65.208.212
1279 Remote=10.65.208.211
1280 FooOverUDP=yes
1281 FOUDestinationPort=5555
1282
1283
1284 Example 6. /etc/systemd/network/25-tap.netdev
1285
1286 [NetDev]
1287 Name=tap-test
1288 Kind=tap
1289
1290 [Tap]
1291 MultiQueue=yes
1292 PacketInfo=yes
1293
1294 Example 7. /etc/systemd/network/25-sit.netdev
1295
1296 [NetDev]
1297 Name=sit-tun
1298 Kind=sit
1299 MTUBytes=1480
1300
1301 [Tunnel]
1302 Local=10.65.223.238
1303 Remote=10.65.223.239
1304
1305 Example 8. /etc/systemd/network/25-6rd.netdev
1306
1307 [NetDev]
1308 Name=6rd-tun
1309 Kind=sit
1310 MTUBytes=1480
1311
1312 [Tunnel]
1313 Local=10.65.223.238
1314 IPv6RapidDeploymentPrefix=2602::/24
1315
1316 Example 9. /etc/systemd/network/25-gre.netdev
1317
1318 [NetDev]
1319 Name=gre-tun
1320 Kind=gre
1321 MTUBytes=1480
1322
1323 [Tunnel]
1324 Local=10.65.223.238
1325 Remote=10.65.223.239
1326
1327 Example 10. /etc/systemd/network/25-vti.netdev
1328
1329 [NetDev]
1330 Name=vti-tun
1331 Kind=vti
1332 MTUBytes=1480
1333
1334 [Tunnel]
1335 Local=10.65.223.238
1336 Remote=10.65.223.239
1337
1338 Example 11. /etc/systemd/network/25-veth.netdev
1339
1340 [NetDev]
1341 Name=veth-test
1342 Kind=veth
1343
1344 [Peer]
1345 Name=veth-peer
1346
1347 Example 12. /etc/systemd/network/25-bond.netdev
1348
1349 [NetDev]
1350 Name=bond1
1351 Kind=bond
1352
1353 [Bond]
1354 Mode=802.3ad
1355 TransmitHashPolicy=layer3+4
1356 MIIMonitorSec=1s
1357 LACPTransmitRate=fast
1358
1359 Example 13. /etc/systemd/network/25-dummy.netdev
1360
1361 [NetDev]
1362 Name=dummy-test
1363 Kind=dummy
1364 MACAddress=12:34:56:78:9a:bc
1365
1366 Example 14. /etc/systemd/network/25-vrf.netdev
1367
1368 Create a VRF interface with table 42.
1369
1370 [NetDev]
1371 Name=vrf-test
1372 Kind=vrf
1373
1374 [VRF]
1375 Table=42
1376
1377 Example 15. /etc/systemd/network/25-macvtap.netdev
1378
1379 Create a MacVTap device.
1380
1381 [NetDev]
1382 Name=macvtap-test
1383 Kind=macvtap
1384
1385
1386 Example 16. /etc/systemd/network/25-wireguard.netdev
1387
1388 [NetDev]
1389 Name=wg0
1390 Kind=wireguard
1391
1392 [WireGuard]
1393 PrivateKey=EEGlnEPYJV//kbvvIqxKkQwOiS+UENyPncC4bF46ong=
1394 ListenPort=51820
1395
1396 [WireGuardPeer]
1397 PublicKey=RDf+LSpeEre7YEIKaxg+wbpsNV7du+ktR99uBEtIiCA=
1398 AllowedIPs=fd31:bf08:57cb::/48,192.168.26.0/24
1399 Endpoint=wireguard.example.com:51820
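
Added example, not part of the systemd man page: a Python audit that applies the advice given under PrivateKey=, PrivateKeyFile=, PresharedKey= and PresharedKeyFile= to a .netdev file such as Example 16, flagging secrets stored inline and any secret-bearing file whose mode is wider than 0640. The function names, the sample files written to a temporary directory and the placeholder key text are constructed for illustration; ownership ("root:systemd-network") is not checked.

```python
import os
import stat
import tempfile
from pathlib import Path

# Added example; key names are the [WireGuard]/[WireGuardPeer] keys described above.
INLINE_SECRETS = {"WireGuard": "PrivateKey", "WireGuardPeer": "PresharedKey"}
KEY_FILES = {"WireGuard": "PrivateKeyFile", "WireGuardPeer": "PresharedKeyFile"}


def parse_netdev(text):
    """Yield (section, key, value); sections such as [WireGuardPeer] may repeat."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            yield section, key.strip(), value.strip()


def mode_findings(path, what):
    """Report permission bits beyond the 0640 mode the page suggests."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except OSError as exc:
        return [f"{what} {path}: cannot stat ({exc.strerror})"]
    return [f"{what} {path}: mode {mode:04o} exceeds 0640"] if mode & ~0o640 else []


def audit_netdev(path):
    """Return findings about WireGuard secret handling in one .netdev file."""
    findings, has_inline = [], False
    text = Path(path).read_text(encoding="utf-8")
    for section, key, value in parse_netdev(text):
        if INLINE_SECRETS.get(section) == key and value:
            has_inline = True
            findings.append(f"[{section}] {key}= is inline; use {key}File=")
        elif KEY_FILES.get(section) == key:
            if os.path.isabs(value):
                findings += mode_findings(value, key + "=")
            else:
                findings.append(f"[{section}] {key}= must be an absolute path")
    if has_inline:  # the .netdev itself now carries a secret
        findings += mode_findings(path, ".netdev")
    return findings


def demo():
    """Audit two constructed configs in a temp directory (placeholder key text)."""
    with tempfile.TemporaryDirectory() as d:
        names = ("wg0.key", "25-weak.netdev", "25-good.netdev")
        key, weak, good = (os.path.join(d, n) for n in names)
        head = "[NetDev]\nName=wg0\nKind=wireguard\n\n[WireGuard]\n"
        for path, body, mode in (
            (key, "CONSTRUCTED-PLACEHOLDER-KEY=\n", 0o640),
            (weak, head + "PrivateKey=CONSTRUCTED-PLACEHOLDER-KEY=\n", 0o644),
            (good, head + f"PrivateKeyFile={key}\n", 0o644),
        ):
            Path(path).write_text(body, encoding="utf-8")
            os.chmod(path, mode)
        return audit_netdev(weak), audit_netdev(good)


if __name__ == "__main__":
    print(demo())
```

The second constructed file passes even though the .netdev is mode 0644, because with PrivateKeyFile= the secret lives only in the 0640 key file.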
1400
1401 Example 17. /etc/systemd/network/27-xfrm.netdev
1402
1403 [NetDev]
1404 Name=xfrm0
1405 Kind=xfrm
1406
1407 [Xfrm]
1408 Independent=yes
1409
1411 systemd(1), systemd-networkd(8), systemd.link(5), systemd.network(5)
1412
1414 1. Linux Ethernet Bonding Driver HOWTO
1415 https://www.kernel.org/doc/Documentation/networking/bonding.txt
1416
1417 2. RFC 2784
1418 https://tools.ietf.org/html/rfc2784
1419
1420 3. IEEE 802.1Q
1421 http://www.ieee802.org/1/pages/802.1Q.html
1422
1423 4. VRF
1424 https://www.kernel.org/doc/Documentation/networking/vrf.txt
1425
1426 5. (DVOE)
1427 https://en.wikipedia.org/wiki/Distributed_Overlay_Virtual_Ethernet
1428
1429 6. VXLAN Group Policy
1430 https://tools.ietf.org/html/draft-smith-vxlan-group-policy
1431
1432 7. Generic Protocol Extension for VXLAN
1433 https://tools.ietf.org/html/draft-ietf-nvo3-vxlan-gpe-07
1434
1435 8. Type of Service in the Internet Protocol Suite
1436 http://tools.ietf.org/html/rfc1349
1437
1438 9. RFC 6437
1439 https://tools.ietf.org/html/rfc6437
1440
1441 10. RFC 2460
1442 https://tools.ietf.org/html/rfc2460
1443
1444 11. RFC 2473
1445 https://tools.ietf.org/html/rfc2473#section-4.1.1
1446
1447 12. ip-xfrm — transform configuration
1448 http://man7.org/linux/man-pages/man8/ip-xfrm.8.html
1449
1450 13. Foo over UDP
1451 https://lwn.net/Articles/614348
1452
1453 14. IPv6 Rapid Deployment
1454 https://tools.ietf.org/html/rfc5569
1455
1456 15. Generic UDP Encapsulation
1457 https://lwn.net/Articles/615044
1458
1459 16. Virtual xfrm interfaces
1460 https://lwn.net/Articles/757391
1461
1462
1463
1464systemd 243 SYSTEMD.NETDEV(5)