IP-LINK(8)                           Linux                          IP-LINK(8)

NAME

       ip-link - network device configuration

SYNOPSIS

       ip link  { COMMAND | help }

       ip link add [ link DEVICE ] [ name ] NAME
               [ txqueuelen PACKETS ]
               [ address LLADDR ] [ broadcast LLADDR ]
               [ mtu MTU ] [ index IDX ]
               [ numtxqueues QUEUE_COUNT ] [ numrxqueues QUEUE_COUNT ]
               [ gso_max_size BYTES ] [ gso_max_segs SEGMENTS ]
               type TYPE [ ARGS ]

       ip link delete { DEVICE | group GROUP } type TYPE [ ARGS ]

       ip link set { DEVICE | group GROUP }
               [ { up | down } ]
               [ type ETYPE TYPE_ARGS ]
               [ arp { on | off } ]
               [ dynamic { on | off } ]
               [ multicast { on | off } ]
               [ allmulticast { on | off } ]
               [ promisc { on | off } ]
               [ protodown { on | off } ]
               [ trailers { on | off } ]
               [ txqueuelen PACKETS ]
               [ name NEWNAME ]
               [ address LLADDR ]
               [ broadcast LLADDR ]
               [ mtu MTU ]
               [ netns { PID | NETNSNAME } ]
               [ link-netnsid ID ]
               [ alias NAME ]
               [ vf NUM [ mac LLADDR ]
                        [ VFVLAN-LIST ]
                        [ rate TXRATE ]
                        [ max_tx_rate TXRATE ]
                        [ min_tx_rate TXRATE ]
                        [ spoofchk { on | off } ]
                        [ query_rss { on | off } ]
                        [ state { auto | enable | disable } ]
                        [ trust { on | off } ]
                        [ node_guid eui64 ]
                        [ port_guid eui64 ] ]
               [ { xdp | xdpgeneric | xdpdrv | xdpoffload } { off |
                       object FILE [ section NAME ] [ verbose ] |
                       pinned FILE } ]
               [ master DEVICE ]
               [ nomaster ]
               [ vrf NAME ]
               [ addrgenmode { eui64 | none | stable_secret | random } ]
               [ macaddr [ MACADDR ]
                         [ { flush | add | del } MACADDR ]
                         [ set MACADDR ] ]

       ip link show [ DEVICE | group GROUP ] [ up ] [ master DEVICE ]
               [ type ETYPE ] [ vrf NAME ]

       ip link xstats type TYPE [ ARGS ]

       ip link afstats [ dev DEVICE ]

       ip link help [ TYPE ]

       TYPE := [ bridge | bond | can | dummy | hsr | ifb | ipoib |
               macvlan | macvtap | vcan | vxcan | veth | vlan |
               vxlan | ip6tnl | ipip | sit | gre | gretap | erspan |
               ip6gre | ip6gretap | ip6erspan | vti | nlmon | ipvlan |
               ipvtap | lowpan | geneve | vrf | macsec | netdevsim |
               rmnet | xfrm ]

       ETYPE := [ TYPE | bridge_slave | bond_slave ]

       VFVLAN-LIST := [ VFVLAN-LIST ] VFVLAN

       VFVLAN := [ vlan VLANID [ qos VLAN-QOS ] [ proto VLAN-PROTO ] ]

DESCRIPTION

   ip link add - add virtual link
       link DEVICE
              specifies the physical device to operate on.

              NAME specifies the name of the new virtual device.

              TYPE specifies the type of the new device.

              Link types:

                      bridge - Ethernet Bridge device

                      bond - Bonding device

                      dummy - Dummy network interface

                      hsr - High-availability Seamless Redundancy device

                      ifb - Intermediate Functional Block device

                      ipoib - IP over Infiniband device

                      macvlan - Virtual interface based on link layer address
                      (MAC)

                      macvtap - Virtual interface based on link layer address
                      (MAC) and TAP.

                      vcan - Virtual Controller Area Network interface

                      vxcan - Virtual Controller Area Network tunnel interface

                      veth - Virtual ethernet interface

                      vlan - 802.1q tagged virtual LAN interface

                      vxlan - Virtual eXtended LAN

                      ip6tnl - Virtual tunnel interface IPv4|IPv6 over IPv6

                      ipip - Virtual tunnel interface IPv4 over IPv4

                      sit - Virtual tunnel interface IPv6 over IPv4

                      gre - Virtual tunnel interface GRE over IPv4

                      gretap - Virtual L2 tunnel interface GRE over IPv4

                      erspan - Encapsulated Remote SPAN over GRE and IPv4

                      ip6gre - Virtual tunnel interface GRE over IPv6

                      ip6gretap - Virtual L2 tunnel interface GRE over IPv6

                      ip6erspan - Encapsulated Remote SPAN over GRE and IPv6

                      vti - Virtual tunnel interface

                      nlmon - Netlink monitoring device

                      ipvlan - Interface for L3 (IPv6/IPv4) based VLANs

                      ipvtap - Interface for L3 (IPv6/IPv4) based VLANs and
                      TAP

                      lowpan - Interface for 6LoWPAN (IPv6) over IEEE 802.15.4
                      / Bluetooth

                      geneve - GEneric NEtwork Virtualization Encapsulation

                      macsec - Interface for IEEE 802.1AE MAC Security
                      (MACsec)

                      vrf - Interface for L3 VRF domains

                      netdevsim - Interface for netdev API tests

                      rmnet - Qualcomm rmnet device

                      xfrm - Virtual xfrm interface

       numtxqueues QUEUE_COUNT
              specifies the number of transmit queues for the new device.

       numrxqueues QUEUE_COUNT
              specifies the number of receive queues for the new device.

       gso_max_size BYTES
              specifies the recommended maximum size of a Generic Segment
              Offload packet the new device should accept.

       gso_max_segs SEGMENTS
              specifies the recommended maximum number of Generic Segment
              Offload segments the new device should accept.

       index IDX
              specifies the desired index of the new virtual device. The link
              creation fails if the index is busy.

       VLAN Type Support
              For a link of type VLAN the following additional arguments are
              supported:

              ip link add link DEVICE name NAME type vlan [ protocol
              VLAN_PROTO ] id VLANID [ reorder_hdr { on | off } ] [ gvrp { on
              | off } ] [ mvrp { on | off } ] [ loose_binding { on | off } ] [
              bridge_binding { on | off } ] [ ingress-qos-map QOS-MAP ] [
              egress-qos-map QOS-MAP ]

                      protocol VLAN_PROTO - either 802.1Q or 802.1ad.

                      id VLANID - specifies the VLAN Identifier to use. Note
                      that numbers with a leading "0" or "0x" are interpreted
                      as octal or hexadecimal, respectively.

                      reorder_hdr { on | off } - specifies whether ethernet
                      headers are reordered or not (default is on).

                          If reorder_hdr is on, the VLAN header is not
                          inserted immediately but only just before the packet
                          is passed to the physical device (if that device
                          does not support VLAN offloading). The RX direction
                          is similar: by default the packet is untagged before
                          it is received by the VLAN device. Reordering makes
                          it possible to accelerate tagging on egress and to
                          hide the VLAN header on ingress, so that the packet
                          looks like a regular Ethernet packet. At the same
                          time it can be confusing for packet capture, because
                          the VLAN header does not exist within the packet.

                          VLAN offloading can be checked by ethtool(8):

                              ethtool -k <phy_dev> | grep tx-vlan-offload

                          where <phy_dev> is the physical device to which the
                          VLAN device is bound.

                      gvrp { on | off } - specifies whether this VLAN should
                      be registered using GARP VLAN Registration Protocol.

                      mvrp { on | off } - specifies whether this VLAN should
                      be registered using Multiple VLAN Registration Protocol.

                      loose_binding { on | off } - specifies whether the VLAN
                      device state is bound to the physical device state.

                      bridge_binding { on | off } - specifies whether the VLAN
                      device link state tracks the state of bridge ports that
                      are members of the VLAN.

                      ingress-qos-map QOS-MAP - defines a mapping of VLAN
                      header prio field to the Linux internal packet priority
                      on incoming frames. The format is FROM:TO with multiple
                      mappings separated by spaces.

                      egress-qos-map QOS-MAP - defines a mapping of Linux
                      internal packet priority to VLAN header prio field but
                      for outgoing frames. The format is the same as for
                      ingress-qos-map.

                          Linux packet priority can be set by iptables(8):

                              iptables -t mangle -A POSTROUTING [...] -j CLASSIFY --set-class 0:4

                          and this "4" priority can be used in the egress qos
                          mapping to set VLAN prio "5":

                              ip link set veth0.10 type vlan egress 4:5

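Because a leading "0" or "0x" changes the base in which VLANID is read, a value
copied into a provisioning script can land an interface on a different VLAN
than the digits suggest. The following is an added example, not part of this
manual page or of iproute2: it reports the VLAN each written id selects. The
function names and the sample commands are constructed for illustration, and
the upper bound assumes the 12-bit 802.1Q VLAN ID field.

```shell
#!/bin/sh
# Added example (not from ip-link(8) or iproute2). All names are hypothetical.

# vlan_id_effective STRING
#   Prints the decimal VLAN ID that STRING denotes under the rule above
#   (leading "0x" = hexadecimal, leading "0" = octal). Returns 1 if STRING is
#   not a number in the base its prefix selects, or does not fit the 12-bit
#   802.1Q VLAN ID field (0-4095; the bound is an assumption of this example).
vlan_id_effective() {
    [ "${#1}" -le 6 ] || return 1          # keep shell arithmetic in range
    case $1 in
        0[xX]*) case ${1#0[xX]} in ''|*[!0-9a-fA-F]*) return 1 ;; esac ;;
        0?*)    case $1 in *[!0-7]*) return 1 ;; esac ;;  # "09" is not octal
        ''|*[!0-9]*) return 1 ;;
    esac
    vid=$(($1))                            # the shell applies the same prefixes
    [ "$vid" -le 4095 ] || return 1
    echo "$vid"
}

# vlan_scan
#   Reads "ip link add ... type vlan ... id VLANID" commands on stdin and
#   prints one finding per line whose id is invalid or is not plain decimal.
vlan_scan() {
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        # Extract the token that follows "id" after "type vlan".
        written=$(printf '%s\n' "$line" | sed -n \
            's/.*type[[:space:]]\{1,\}vlan[[:space:]]\(.*[[:space:]]\)*id[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\2/p')
        [ -n "$written" ] || continue
        if ! vid=$(vlan_id_effective "$written"); then
            echo "line $n: id $written is not a valid VLAN ID"
        elif [ "$written" != "$vid" ]; then
            echo "line $n: id $written selects VLAN $vid"
        fi
    done
}

# Constructed sample input: four VLAN definitions and one unrelated command.
vlan_scan_sample() {
    vlan_scan <<'EOF'
ip link add link eth0 name eth0.100 type vlan id 100
ip link add link eth0 name eth0.0100 type vlan id 0100
ip link add link eth0 name eth0.16 type vlan protocol 802.1ad id 0x10
ip link add link eth0 name eth0.9 type vlan id 09
ip link add dummy0 type dummy
EOF
}

vlan_scan_sample
```
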
       VXLAN Type Support
              For a link of type VXLAN the following additional arguments are
              supported:

              ip link add DEVICE type vxlan id VNI [ dev PHYS_DEV  ] [ { group
              | remote } IPADDR ] [ local { IPADDR | any } ] [ ttl TTL ] [ tos
              TOS ] [ df DF ] [ flowlabel FLOWLABEL ] [ dstport PORT ] [
              srcport MIN MAX ] [ [no]learning ] [ [no]proxy ] [ [no]rsc ] [
              [no]l2miss ] [ [no]l3miss ] [ [no]udpcsum ] [ [no]udp6zerocsumtx
              ] [ [no]udp6zerocsumrx ] [ ageing SECONDS ] [ maxaddress NUMBER
              ] [ [no]external ] [ gbp ] [ gpe ]

                      id VNI - specifies the VXLAN Network Identifier (or
                      VXLAN Segment Identifier) to use.

                      dev PHYS_DEV - specifies the physical device to use for
                      tunnel endpoint communication.

                      group IPADDR - specifies the multicast IP address to
                      join.  This parameter cannot be specified with the
                      remote parameter.

                      remote IPADDR - specifies the unicast destination IP
                      address to use in outgoing packets when the destination
                      link layer address is not known in the VXLAN device
                      forwarding database. This parameter cannot be specified
                      with the group parameter.

                      local IPADDR - specifies the source IP address to use in
                      outgoing packets.

                      ttl TTL - specifies the TTL value to use in outgoing
                      packets.

                      tos TOS - specifies the TOS value to use in outgoing
                      packets.

                      df DF - specifies the usage of the Don't Fragment flag
                      (DF) bit in outgoing packets with IPv4 headers. The
                      value inherit causes the bit to be copied from the
                      original IP header. The values unset and set cause the
                      bit to be always unset or always set, respectively. By
                      default, the bit is not set.

                      flowlabel FLOWLABEL - specifies the flow label to use in
                      outgoing packets.

                      dstport PORT - specifies the UDP destination port to
                      communicate to the remote VXLAN tunnel endpoint.

                      srcport MIN MAX - specifies the range of port numbers to
                      use as UDP source ports to communicate to the remote
                      VXLAN tunnel endpoint.

                      [no]learning - specifies if unknown source link layer
                      addresses and IP addresses are entered into the VXLAN
                      device forwarding database.

                      [no]rsc - specifies if route short circuit is turned on.

                      [no]proxy - specifies if ARP proxy is turned on.

                      [no]l2miss - specifies if netlink LLADDR miss
                      notifications are generated.

                      [no]l3miss - specifies if netlink IP ADDR miss
                      notifications are generated.

                      [no]udpcsum - specifies if UDP checksum is calculated
                      for transmitted packets over IPv4.

                      [no]udp6zerocsumtx - skip UDP checksum calculation for
                      transmitted packets over IPv6.

                      [no]udp6zerocsumrx - allow incoming UDP packets over
                      IPv6 with zero checksum field.

                      ageing SECONDS - specifies the lifetime in seconds of
                      FDB entries learnt by the kernel.

                      maxaddress NUMBER - specifies the maximum number of FDB
                      entries.

                      [no]external - specifies whether an external control
                      plane (e.g. ip route encap) or the internal FDB should
                      be used.

                      gbp - enables the Group Policy extension (VXLAN-GBP).

                          Allows transporting group policy context across
                          VXLAN network peers.  If enabled, includes the mark
                          of a packet in the VXLAN header for outgoing packets
                          and fills the packet mark based on the information
                          found in the VXLAN header for incoming packets.

                          Format of upper 16 bits of packet mark (flags):

                            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                            |-|-|-|-|-|-|-|-|-|D|-|-|A|-|-|-|
                            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                            D := Don't Learn bit. When set, this bit indicates
                            that the egress VTEP MUST NOT learn the source
                            address of the encapsulated frame.

                            A := Indicates that the group policy has already
                            been applied to this packet. Policies MUST NOT be
                            applied by devices when the A bit is set.

                          Format of lower 16 bits of packet mark (policy ID):

                            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                            |        Group Policy ID        |
                            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                          Example:
                            iptables -A OUTPUT [...] -j MARK --set-mark 0x800FF

                      gpe - enables the Generic Protocol extension
                      (VXLAN-GPE). Currently, this is only supported together
                      with the external keyword.

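The gbp mark layout above is easy to misread when reviewing firewall rules, so
the following added example (not part of this manual page or of iproute2)
encodes and decodes the 32-bit packet mark exactly as the two diagrams describe
it. Function and variable names are hypothetical; the bit positions are read
from the diagrams with the leftmost cell as the most significant bit.

```shell
#!/bin/sh
# Added example (not from ip-link(8) or iproute2). All names are hypothetical.

# Upper 16 bits, leftmost cell = most significant bit: D is the 10th cell and
# A the 13th, i.e. bits 6 and 3 of that half, bits 22 and 19 of the full mark.
GBP_DONT_LEARN=$((1 << 22))        # D
GBP_POLICY_APPLIED=$((1 << 19))    # A
GBP_ID_MASK=$((0xFFFF))            # lower 16 bits: Group Policy ID
GBP_KNOWN=$((GBP_DONT_LEARN | GBP_POLICY_APPLIED | GBP_ID_MASK))

# gbp_is_number STRING -> 0 if STRING is plain decimal or 0x-prefixed hex.
gbp_is_number() {
    [ "${#1}" -le 10 ] || return 1
    case $1 in
        0[xX]*) case ${1#0[xX]} in ''|*[!0-9a-fA-F]*) return 1 ;; esac ;;
        0?*) return 1 ;;               # refuse forms that would read as octal
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# gbp_encode POLICY_ID [D] [A] -> prints the mark as hex, e.g. for --set-mark.
gbp_encode() {
    id=$1 d=${2:-0} a=${3:-0}
    gbp_is_number "$id" || return 1
    id=$(($id))
    [ "$id" -le 65535 ] || return 1
    mark=$id
    if [ "$d" = 1 ]; then mark=$((mark | GBP_DONT_LEARN)); fi
    if [ "$a" = 1 ]; then mark=$((mark | GBP_POLICY_APPLIED)); fi
    printf '0x%x\n' "$mark"
}

# gbp_decode MARK -> prints the fields of a mark; "unassigned" collects any
# upper-half bits that the flags diagram shows as "-".
gbp_decode() {
    gbp_is_number "$1" || return 1
    mark=$(($1))
    [ "$mark" -le $((0xFFFFFFFF)) ] || return 1
    printf 'policy_id=%d dont_learn=%d policy_applied=%d unassigned=0x%x\n' \
        $((mark & GBP_ID_MASK)) \
        $(( (mark & GBP_DONT_LEARN) != 0 )) \
        $(( (mark & GBP_POLICY_APPLIED) != 0 )) \
        $((mark & ~GBP_KNOWN & 0xFFFFFFFF))
}

# The mark used in the iptables example above.
gbp_decode 0x800FF
```
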
       VETH, VXCAN Type Support
              For a link of type VETH or VXCAN the following additional
              arguments are supported:

              ip link add DEVICE type { veth | vxcan } [ peer name NAME ]

                      peer name NAME - specifies the virtual pair device name
                      of the VETH/VXCAN tunnel.

       IPIP, SIT Type Support
              For a link of type IPIP or SIT the following additional
              arguments are supported:

              ip link add DEVICE type { ipip | sit }  remote ADDR local ADDR [
              encap { fou | gue | none } ] [ encap-sport { PORT | auto } ] [
              encap-dport PORT ] [ [no]encap-csum ] [  [no]encap-remcsum ] [
              mode  { ip6ip | ipip | mplsip | any } ] [ external ]

                      remote ADDR - specifies the remote address of the
                      tunnel.

                      local ADDR - specifies the fixed local address for
                      tunneled packets.  It must be an address on another
                      interface on this host.

                      encap { fou | gue | none } - specifies type of secondary
                      UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue"
                      indicates Generic UDP Encapsulation.

                      encap-sport { PORT | auto } - specifies the source port
                      in UDP encapsulation.  PORT indicates the port by
                      number, "auto" indicates that the port number should be
                      chosen automatically (the kernel picks a flow based on
                      the flow hash of the encapsulated packet).

                      [no]encap-csum - specifies if UDP checksums are enabled
                      in the secondary encapsulation.

                      [no]encap-remcsum - specifies if Remote Checksum Offload
                      is enabled. This is only applicable for Generic UDP
                      Encapsulation.

                      mode { ip6ip | ipip | mplsip | any } - specifies mode in
                      which device should run. "ip6ip" indicates
                      IPv6-Over-IPv4, "ipip" indicates "IPv4-Over-IPv4",
                      "mplsip" indicates MPLS-Over-IPv4, "any" indicates IPv6,
                      IPv4 or MPLS Over IPv4. Supported for SIT where the
                      default is "ip6ip" and IPIP where the default is "ipip".
                      IPv6-Over-IPv4 is not supported for IPIP.

                      external - make this tunnel externally controlled (e.g.
                      ip route encap).

       GRE Type Support
              For a link of type GRE or GRETAP the following additional
              arguments are supported:

              ip link add DEVICE type { gre | gretap }  remote ADDR local ADDR
              [ [no][i|o]seq ] [ [i|o]key KEY | no[i|o]key ] [ [no][i|o]csum ]
              [ ttl TTL ] [ tos TOS ] [ [no]pmtudisc ] [ [no]ignore-df ] [ dev
              PHYS_DEV ] [ encap { fou | gue | none } ] [ encap-sport { PORT |
              auto } ] [ encap-dport PORT ] [ [no]encap-csum ] [
              [no]encap-remcsum ] [ external ]

                      remote ADDR - specifies the remote address of the
                      tunnel.

                      local ADDR - specifies the fixed local address for
                      tunneled packets.  It must be an address on another
                      interface on this host.

                      [no][i|o]seq - serialize packets.  The oseq flag enables
                      sequencing of outgoing packets.  The iseq flag requires
                      that all input packets are serialized.

                      [i|o]key KEY | no[i|o]key - use keyed GRE with key KEY.
                      KEY is either a number or an IPv4 address-like dotted
                      quad.  The key parameter specifies the same key to use
                      in both directions.  The ikey and okey parameters
                      specify different keys for input and output.

                      [no][i|o]csum - generate/require checksums for tunneled
                      packets.  The ocsum flag calculates checksums for
                      outgoing packets.  The icsum flag requires that all
                      input packets have the correct checksum. The csum flag
                      is equivalent to the combination icsum ocsum.

                      ttl TTL - specifies the TTL value to use in outgoing
                      packets.

                      tos TOS - specifies the TOS value to use in outgoing
                      packets.

                      [no]pmtudisc - enables/disables Path MTU Discovery on
                      this tunnel.  It is enabled by default. Note that a
                      fixed ttl is incompatible with nopmtudisc: tunneling
                      with a fixed ttl always performs Path MTU Discovery.

                      [no]ignore-df - enables/disables IPv4 DF suppression on
                      this tunnel.  Normally datagrams that exceed the MTU
                      will be fragmented; the presence of the DF flag inhibits
                      this, resulting instead in an ICMP Unreachable
                      (Fragmentation Required) message.  Enabling this
                      attribute causes the DF flag to be ignored.

                      dev PHYS_DEV - specifies the physical device to use for
                      tunnel endpoint communication.

                      encap { fou | gue | none } - specifies type of secondary
                      UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue"
                      indicates Generic UDP Encapsulation.

                      encap-sport { PORT | auto } - specifies the source port
                      in UDP encapsulation.  PORT indicates the port by
                      number, "auto" indicates that the port number should be
                      chosen automatically (the kernel picks a flow based on
                      the flow hash of the encapsulated packet).

                      [no]encap-csum - specifies if UDP checksums are enabled
                      in the secondary encapsulation.

                      [no]encap-remcsum - specifies if Remote Checksum Offload
                      is enabled. This is only applicable for Generic UDP
                      Encapsulation.

                      external - make this tunnel externally controlled (e.g.
                      ip route encap).

       IP6GRE/IP6GRETAP Type Support
              For a link of type IP6GRE/IP6GRETAP the following additional
              arguments are supported:

              ip link add DEVICE type { ip6gre | ip6gretap } remote ADDR local
              ADDR [ [no][i|o]seq ] [ [i|o]key KEY | no[i|o]key ] [
              [no][i|o]csum ] [ hoplimit TTL ] [ encaplimit ELIM ] [ tclass
              TCLASS ] [ flowlabel FLOWLABEL ] [ dscp inherit ] [
              [no]allow-localremote ] [ dev PHYS_DEV ] [ external ]

                      remote ADDR - specifies the remote IPv6 address of the
                      tunnel.

                      local ADDR - specifies the fixed local IPv6 address for
                      tunneled packets.  It must be an address on another
                      interface on this host.

                      [no][i|o]seq - serialize packets.  The oseq flag enables
                      sequencing of outgoing packets.  The iseq flag requires
                      that all input packets are serialized.

                      [i|o]key KEY | no[i|o]key - use keyed GRE with key KEY.
                      KEY is either a number or an IPv4 address-like dotted
                      quad.  The key parameter specifies the same key to use
                      in both directions.  The ikey and okey parameters
                      specify different keys for input and output.

                      [no][i|o]csum - generate/require checksums for tunneled
                      packets.  The ocsum flag calculates checksums for
                      outgoing packets.  The icsum flag requires that all
                      input packets have the correct checksum. The csum flag
                      is equivalent to the combination icsum ocsum.

                      hoplimit TTL - specifies the Hop Limit value to use in
                      outgoing packets.

                      encaplimit ELIM - specifies a fixed encapsulation limit.
                      Default is 4.

                      flowlabel FLOWLABEL - specifies a fixed flowlabel.

                      [no]allow-localremote - specifies whether to allow the
                      remote endpoint to have an address configured on the
                      local host.

                      tclass TCLASS - specifies the traffic class field on
                      tunneled packets, which can be specified as either a
                      two-digit hex value (e.g. c0) or a predefined string
                      (e.g. internet).  The value inherit causes the field to
                      be copied from the original IP header. The values
                      inherit/STRING or inherit/00..ff will set the field to
                      STRING or 00..ff when tunneling non-IP packets. The
                      default value is 00.

                      external - make this tunnel externally controlled (or
                      not, which is the default).  In the kernel, this is
                      referred to as collect metadata mode.  This flag is
                      mutually exclusive with the remote, local, seq, key,
                      csum, hoplimit, encaplimit, flowlabel and tclass
                      options.

       IPoIB Type Support
              For a link of type IPoIB the following additional arguments are
              supported:

              ip link add DEVICE name NAME type ipoib [ pkey PKEY ] [ mode
              MODE ]

                      pkey PKEY - specifies the IB P-Key to use.

                      mode MODE - specifies the mode (datagram or connected)
                      to use.

       ERSPAN Type Support
              For a link of type ERSPAN/IP6ERSPAN the following additional
              arguments are supported:

              ip link add DEVICE type { erspan | ip6erspan } remote ADDR local
              ADDR seq key KEY erspan_ver version [ erspan IDX ] [ erspan_dir
              { ingress | egress } ] [ erspan_hwid hwid ] [
              [no]allow-localremote ] [ external ]

                      remote ADDR - specifies the remote address of the
                      tunnel.

                      local ADDR - specifies the fixed local address for
                      tunneled packets.  It must be an address on another
                      interface on this host.

                      erspan_ver version - specifies the ERSPAN version
                      number.  version indicates the ERSPAN version to be
                      created: 1 for version 1 (type II) or 2 for version 2
                      (type III).

                      erspan IDX - specifies the ERSPAN v1 index field.  IDX
                      indicates a 20 bit index/port number associated with the
                      ERSPAN traffic's source port and direction.

                      erspan_dir { ingress | egress } - specifies the ERSPAN
                      v2 mirrored traffic's direction.

                      erspan_hwid hwid - a unique identifier of an ERSPAN v2
                      engine within a system.  hwid is a 6-bit value for users
                      to configure.

                      [no]allow-localremote - specifies whether to allow the
                      remote endpoint to have an address configured on the
                      local host.

                      external - make this tunnel externally controlled (or
                      not, which is the default).  In the kernel, this is
                      referred to as collect metadata mode.  This flag is
                      mutually exclusive with the remote, local, erspan_ver,
                      erspan, erspan_dir and erspan_hwid options.

       GENEVE Type Support
              For a link of type GENEVE the following additional arguments are
              supported:

              ip link add DEVICE type geneve id VNI remote IPADDR [ ttl TTL ]
              [ tos TOS ] [ df DF ] [ flowlabel FLOWLABEL ] [ dstport PORT ] [
              [no]external ] [ [no]udpcsum ] [ [no]udp6zerocsumtx ] [
              [no]udp6zerocsumrx ]

                      id VNI - specifies the Virtual Network Identifier to
                      use.

                      remote IPADDR - specifies the unicast destination IP
                      address to use in outgoing packets.

                      ttl TTL - specifies the TTL value to use in outgoing
                      packets. "0" or "auto" means use the default value,
                      "inherit" means inherit the inner protocol's ttl.
                      Default option is "0".

                      tos TOS - specifies the TOS value to use in outgoing
                      packets.

                      df DF - specifies the usage of the Don't Fragment flag
                      (DF) bit in outgoing packets with IPv4 headers. The
                      value inherit causes the bit to be copied from the
                      original IP header. The values unset and set cause the
                      bit to be always unset or always set, respectively. By
                      default, the bit is not set.

                      flowlabel FLOWLABEL - specifies the flow label to use in
                      outgoing packets.

                      dstport PORT - select a destination port other than the
                      default of 6081.

                      [no]external - make this tunnel externally controlled
                      (or not, which is the default). This flag is mutually
                      exclusive with the id, remote, ttl, tos and flowlabel
                      options.

                      [no]udpcsum - specifies if UDP checksum is calculated
                      for transmitted packets over IPv4.

                      [no]udp6zerocsumtx - skip UDP checksum calculation for
                      transmitted packets over IPv6.

                      [no]udp6zerocsumrx - allow incoming UDP packets over
                      IPv6 with zero checksum field.

776       MACVLAN and MACVTAP Type Support
777              For a link of type MACVLAN or MACVTAP the following additional
778              arguments are supported:
779
780              ip link add link DEVICE name NAME type { macvlan | macvtap }
781              mode { private | vepa | bridge | passthru  [ nopromisc ] |
782              source }
783
784
785                      type { macvlan | macvtap } - specifies the link type to
786                      use.  macvlan creates just a virtual interface, while
787                      macvtap in addition creates a character device /dev/tapX
788                      to be used just like a tuntap device.
789
790                      mode private - Do not allow communication between
791                      macvlan instances on the same physical interface, even
792                      if the external switch supports hairpin mode.
793
794                      mode vepa - Virtual Ethernet Port Aggregator mode. Data
795                      from one macvlan instance to the other on the same phys‐
796                      ical interface is transmitted over the physical inter‐
797                      face. Either the attached switch needs to support hair‐
798                      pin mode, or there must be a TCP/IP router forwarding
799                      the packets in order to allow communication. This is the
800                      default mode.
801
802                      mode bridge - In bridge mode, all endpoints are directly
803                      connected to each other, communication is not redirected
804                      through the physical interface's peer.
805
806                      mode passthru [ nopromisc ] - This mode gives more power
807                      to a single endpoint, usually in macvtap mode. It is not
808                      allowed for more than one endpoint on the same physical
809                      interface. All traffic will be forwarded to this end‐
810                      point, allowing virtio guests to change MAC address or
811                      set promiscuous mode in order to bridge the interface or
812                      create vlan interfaces on top of it. By default, this
813                      mode forces the underlying interface into promiscuous
814                      mode. Passing the nopromisc flag prevents this, so the
815                      promisc flag may be controlled using standard tools.
816
817                      mode source - allows one to set a list of allowed MAC
818                      addresses, which is matched against the source MAC
819                      address of frames received on the underlying interface.
820                      This allows creating MAC-based VLAN associations instead
821                      of the standard port- or tag-based ones. The feature is
822                      useful for deploying 802.1x MAC-based behavior where the
823                      drivers of the underlying interfaces do not allow that.
824
825
826       High-availability Seamless Redundancy (HSR) Support
827              For a link of type HSR the following additional arguments are
828              supported:
829
830              ip link add link DEVICE name NAME type hsr slave1 SLAVE1-IF
831              slave2 SLAVE2-IF [ supervision ADDR-BYTE ] [ version { 0 | 1 } ]
832
833
834                      type hsr - specifies the link type to use, here HSR.
835
836                      slave1 SLAVE1-IF - Specifies the physical device used
837                      for the first of the two ring ports.
838
839                      slave2 SLAVE2-IF - Specifies the physical device used
840                      for the second of the two ring ports.
841
842                      supervision ADDR-BYTE - The last byte of the multicast
843                      address used for HSR supervision frames.  Default option
844                      is "0", possible values 0-255.
845
846                      version { 0 | 1 } - Selects the protocol version of the
847                      interface. Default option is "0", which corresponds to
848                      the 2010 version of the HSR standard. Option "1" acti‐
849                      vates the 2012 version.
850
851
852       BRIDGE Type Support
853              For a link of type BRIDGE the following additional arguments are
854              supported:
855
856              ip link add DEVICE type bridge [ ageing_time AGEING_TIME ] [
857              group_fwd_mask MASK ] [ group_address ADDRESS ] [ forward_delay
858              FORWARD_DELAY ] [ hello_time HELLO_TIME ] [ max_age MAX_AGE ] [
859              stp_state STP_STATE ] [ priority PRIORITY ] [ vlan_filtering
860              VLAN_FILTERING ] [ vlan_protocol VLAN_PROTOCOL ] [
861              vlan_default_pvid VLAN_DEFAULT_PVID ] [ vlan_stats_enabled
862              VLAN_STATS_ENABLED ] [ vlan_stats_per_port VLAN_STATS_PER_PORT ]
863              [ mcast_snooping MULTICAST_SNOOPING ] [ mcast_router MULTI‐
864              CAST_ROUTER ] [ mcast_query_use_ifaddr MCAST_QUERY_USE_IFADDR ]
865              [ mcast_querier MULTICAST_QUERIER ] [ mcast_hash_elasticity
866              HASH_ELASTICITY ] [ mcast_hash_max HASH_MAX ] [ mcast_last_mem‐
867              ber_count LAST_MEMBER_COUNT ] [ mcast_startup_query_count
868              STARTUP_QUERY_COUNT ] [ mcast_last_member_interval LAST_MEM‐
869              BER_INTERVAL ] [ mcast_membership_interval MEMBERSHIP_INTERVAL ]
870              [ mcast_querier_interval QUERIER_INTERVAL ] [ mcast_query_inter‐
871              val QUERY_INTERVAL ] [ mcast_query_response_interval
872              QUERY_RESPONSE_INTERVAL ] [ mcast_startup_query_interval
873              STARTUP_QUERY_INTERVAL ] [ mcast_stats_enabled
874              MCAST_STATS_ENABLED ] [ mcast_igmp_version IGMP_VERSION ] [
875              mcast_mld_version MLD_VERSION ] [ nf_call_iptables NF_CALL_IPTA‐
876              BLES ] [ nf_call_ip6tables NF_CALL_IP6TABLES ] [ nf_call_arpta‐
877              bles NF_CALL_ARPTABLES ]
878
879
880                      ageing_time AGEING_TIME - configure the bridge's FDB
881                      entries ageing time, ie the number of seconds a MAC
882                      address will be kept in the FDB after a packet has been
883                      received from that address. After this time has passed,
884                      entries are cleaned up.
885
886                      group_fwd_mask MASK - set the group forward mask. This
887                      is the bitmask that is applied to decide whether to for‐
888                      ward incoming frames destined to link-local addresses,
889                      ie addresses of the form 01:80:C2:00:00:0X (defaults to
890                      0, ie the bridge does not forward any link-local
891                      frames).
892
893                      group_address ADDRESS - set the MAC address of the mul‐
894                      ticast group this bridge uses for STP.  The address must
895                      be a link-local address in standard Ethernet MAC address
896                      format, ie an address of the form 01:80:C2:00:00:0X,
897                      with X in [0, 4..f].
899
900                      forward_delay FORWARD_DELAY - set the forwarding delay
901                      in seconds, ie the time spent in LISTENING state (before
902                      moving to LEARNING) and in LEARNING state (before moving
903                      to FORWARDING). Only relevant if STP is enabled. Valid
904                      values are between 2 and 30.
905
906                      hello_time HELLO_TIME - set the time in seconds between
907                      hello packets sent by the bridge, when it is a root
908                      bridge or a designated bridge.  Only relevant if STP is
909                      enabled. Valid values are between 1 and 10.
910
911                      max_age MAX_AGE - set the hello packet timeout, ie the
912                      time in seconds until another bridge in the spanning
913                      tree is assumed to be dead, after reception of its last
914                      hello message. Only relevant if STP is enabled. Valid
915                      values are between 6 and 40.
916
917                      stp_state STP_STATE - turn spanning tree protocol on
918                      (STP_STATE > 0) or off (STP_STATE == 0) for this
919                      bridge.
920
921                      priority PRIORITY - set this bridge's spanning tree pri‐
922                      ority, used during STP root bridge election.  PRIORITY
923                      is a 16bit unsigned integer.
924
925                      vlan_filtering VLAN_FILTERING - turn VLAN filtering on
926                      (VLAN_FILTERING > 0) or off (VLAN_FILTERING == 0).  When
927                      disabled, the bridge will not consider the VLAN tag when
928                      handling packets.
929
930                      vlan_protocol { 802.1Q | 802.1ad } - set the protocol
931                      used for VLAN filtering.
932
933                      vlan_default_pvid VLAN_DEFAULT_PVID - set the default
934                      PVID (native/untagged VLAN ID) for this bridge.
935
936                      vlan_stats_enabled VLAN_STATS_ENABLED - enable
937                      (VLAN_STATS_ENABLED == 1) or disable (VLAN_STATS_ENABLED
938                      == 0) per-VLAN stats accounting.
939
940                      vlan_stats_per_port VLAN_STATS_PER_PORT - enable
941                      (VLAN_STATS_PER_PORT == 1) or disable
942                      (VLAN_STATS_PER_PORT == 0) per-VLAN per-port stats
943                      accounting. Can be changed only when there are no port
944                      VLANs configured.
945
946                      mcast_snooping MULTICAST_SNOOPING - turn multicast
947                      snooping on (MULTICAST_SNOOPING > 0) or off (MULTI‐
948                      CAST_SNOOPING == 0).
949
950                      mcast_router MULTICAST_ROUTER - set bridge's multicast
951                      router if IGMP snooping is enabled.  MULTICAST_ROUTER is
952                      an integer value having the following meaning:
953
954                              0 - disabled.
955
956                              1 - automatic (queried).
957
958                              2 - permanently enabled.
959
960                      mcast_query_use_ifaddr MCAST_QUERY_USE_IFADDR - whether
961                      to use the bridge's own IP address as source address for
962                      IGMP queries (MCAST_QUERY_USE_IFADDR > 0) or the default
963                      of 0.0.0.0 (MCAST_QUERY_USE_IFADDR == 0).
964
965                      mcast_querier MULTICAST_QUERIER - enable (MULTI‐
966                      CAST_QUERIER > 0) or disable (MULTICAST_QUERIER == 0)
967                      IGMP querier, ie sending of multicast queries by the
968                      bridge (default: disabled).
969
970                      mcast_querier_interval QUERIER_INTERVAL - interval
971                      between queries sent by other routers. If no queries are
972                      seen after this delay has passed, the bridge will start
973                      to send its own queries (as if mcast_querier was
974                      enabled).
975
976                      mcast_hash_elasticity HASH_ELASTICITY - set multicast
977                      database hash elasticity, ie the maximum chain length in
978                      the multicast hash table (defaults to 4).
979
980                      mcast_hash_max HASH_MAX - set maximum size of multicast
981                      hash table (defaults to 512, value must be a power of
982                      2).
983
984                      mcast_last_member_count LAST_MEMBER_COUNT - set multi‐
985                      cast last member count, ie the number of queries the
986                      bridge will send before stopping forwarding a multicast
987                      group after a "leave" message has been received
988                      (defaults to 2).
989
990                      mcast_last_member_interval LAST_MEMBER_INTERVAL - inter‐
991                      val between queries to find remaining members of a
992                      group, after a "leave" message is received.
993
994                      mcast_startup_query_count STARTUP_QUERY_COUNT - set the
995                      number of IGMP queries to send during startup phase
996                      (defaults to 2).
997
998                      mcast_startup_query_interval STARTUP_QUERY_INTERVAL -
999                      interval between queries in the startup phase.
1000
1001                      mcast_query_interval QUERY_INTERVAL - interval between
1002                      queries sent by the bridge after the end of the startup
1003                      phase.
1004
1005                      mcast_query_response_interval QUERY_RESPONSE_INTERVAL -
1006                      set the Max Response Time/Maximum Response Delay for
1007                      IGMP/MLD queries sent by the bridge.
1008
1009                      mcast_membership_interval MEMBERSHIP_INTERVAL - delay
1010                      after which the bridge will leave a group, if no member‐
1011                      ship reports for this group are received.
1012
1013                      mcast_stats_enabled MCAST_STATS_ENABLED - enable
1014                      (MCAST_STATS_ENABLED > 0) or disable
1015                      (MCAST_STATS_ENABLED == 0) multicast (IGMP/MLD) stats
1016                      accounting.
1017
1018                      mcast_igmp_version IGMP_VERSION - set the IGMP version.
1019
1020                      mcast_mld_version MLD_VERSION - set the MLD version.
1021
1022                      nf_call_iptables NF_CALL_IPTABLES - enable (NF_CALL_IPT‐
1023                      ABLES > 0) or disable (NF_CALL_IPTABLES == 0) iptables
1024                      hooks on the bridge.
1025
1026                      nf_call_ip6tables NF_CALL_IP6TABLES - enable
1027                      (NF_CALL_IP6TABLES > 0) or disable (NF_CALL_IP6TABLES ==
1028                      0) ip6tables hooks on the bridge.
1029
1030                      nf_call_arptables NF_CALL_ARPTABLES - enable
1031                      (NF_CALL_ARPTABLES > 0) or disable (NF_CALL_ARPTABLES ==
1032                      0) arptables hooks on the bridge.
1033
1034
1035
1036
1037       MACsec Type Support
1038              For a link of type MACsec the following additional arguments are
1039              supported:
1040
1041              ip link add link DEVICE name NAME type macsec [ [ address
1042              <lladdr> ] port PORT | sci SCI ] [ cipher CIPHER_SUITE ] [
1043              icvlen { 8..16 } ] [ encrypt { on | off } ] [ send_sci { on |
1044              off } ] [ end_station { on | off } ] [ scb { on | off } ] [ pro‐
1045              tect { on | off } ] [ replay { on | off } window { 0..2^32-1 } ]
1046              [ validate { strict | check | disabled } ] [ encodingsa { 0..3 }
1047              ]
1048
1049
1050                      address <lladdr> - sets the system identifier component
1051                      of secure channel for this MACsec device.
1052
1053
1054                      port PORT - sets the port number component of secure
1055                      channel for this MACsec device, in a range from 1 to
1056                      65535 inclusive. Numbers with a leading "0" or "0x"
1057                      are interpreted as octal and hexadecimal, respectively.
1058
1059
1060                      sci SCI - sets the secure channel identifier for this
1061                      MACsec device.  SCI is a 64bit wide number in hexadeci‐
1062                      mal format.
1063
1064
1065                      cipher CIPHER_SUITE - defines the cipher suite to use.
1066
1067
1068                      icvlen LENGTH - sets the length of the Integrity Check
1069                      Value (ICV).
1070
1071
1072                      encrypt on or encrypt off - switches between authenti‐
1073                      cated encryption, or authenticity mode only.
1074
1075
1076                      send_sci on or send_sci off - specifies whether the SCI
1077                      is included in every packet, or only when it is neces‐
1078                      sary.
1079
1080
1081                      end_station on or end_station off - sets the End Station
1082                      bit.
1083
1084
1085                      scb on or scb off - sets the Single Copy Broadcast bit.
1086
1087
1088                      protect on or protect off - enables MACsec protection on
1089                      the device.
1090
1091
1092                      replay on or replay off - enables replay protection on
1093                      the device.
1094
1095
1096
1097                              window SIZE - sets the size of the replay win‐
1098                              dow.
1099
1100
1101
1102                      validate strict or validate check or validate disabled -
1103                      sets the validation mode on the device.
1104
1105
1106                      encodingsa AN - sets the active secure association for
1107                      transmission.
1108
1109
1110
1111       VRF Type Support
1112              For a link of type VRF the following additional arguments are
1113              supported:
1114
1115              ip link add DEVICE type vrf table TABLE
1116
1117
1118                      table TABLE - table id associated with the VRF device.
1119
1120
1121
1122       RMNET Type Support
1123              For a link of type RMNET the following additional arguments are
1124              supported:
1125
1126              ip link add link DEVICE name NAME type rmnet mux_id MUXID
1127
1128
1129                      mux_id MUXID - specifies the mux identifier for the
1130                      rmnet device, possible values 1-254.
1131
1132
1133
1134       XFRM Type Support
1135              For a link of type XFRM the following additional arguments are
1136              supported:
1137
1138              ip link add DEVICE type xfrm dev PHYS_DEV [ if_id IF_ID ]
1139
1140
1141                      dev PHYS_DEV - specifies the underlying physical inter‐
1142                      face from which transform traffic is sent and received.
1143
1144
1145                      if_id IF_ID - specifies the hexadecimal lookup key used
1146                      to send traffic to and from specific xfrm policies.
1147                      Policies must be configured with the same key. If not
1148                      set, the key defaults to 0 and will match any policies
1149                      which similarly do not have a lookup key configuration.
1150
1151
1152
1153   ip link delete - delete virtual link
1154       dev DEVICE
1155              specifies the virtual device to operate on.
1156
1157
1158       group GROUP
1159              specifies the group of virtual links to delete. Group 0 is not
1160              allowed to be deleted since it is the default group.
1161
1162
1163       type TYPE
1164              specifies the type of the device.
1165
1166
1167   ip link set - change device attributes
1168       Warning: If multiple parameter changes are requested, ip aborts immedi‐
1169       ately after any of the changes have failed.  This is the only case when
1170       ip can move the system to an unpredictable state. The solution is to
1171       avoid changing several parameters with one ip link set call.  The modi‐
1172       fier change is equivalent to set.
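
The warning above, as an added example that is not part of the original man page: a POSIX shell wrapper that issues one ip link set call per change, stops at the first failure and reports what was already applied. The names IP_CMD, APPLIED and set_link_attrs, and the device and values in the usage comment, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the ip-link man page): apply link changes one
# `ip link set` call at a time, so a failure leaves a known state.

# IP_CMD is an assumption of this example: it lets the caller substitute a
# dry-run command (for instance IP_CMD="echo ip") for the real ip binary.
IP_CMD=${IP_CMD:-ip}

# APPLIED holds the changes that succeeded in the most recent call.
APPLIED=""

# set_link_attrs DEV "ATTR VALUE" ["ATTR VALUE" ...]
# Returns 0 when every change was applied, 1 at the first failing change.
set_link_attrs() {
    dev=$1
    shift
    APPLIED=""
    for change in "$@"; do
        # $change is split on purpose: "mtu 1400" becomes two arguments.
        if $IP_CMD link set dev "$dev" $change; then
            APPLIED="${APPLIED:+$APPLIED; }$change"
        else
            echo "failed: '$change' on $dev; already applied: ${APPLIED:-none}" >&2
            return 1
        fi
    done
    echo "applied on $dev: ${APPLIED:-none}"
}

# Usage (hypothetical device and values):
#   set_link_attrs eth0 "mtu 1400" "txqueuelen 500" "alias uplink"
```

Because each change is a separate call, the failure message names exactly which attributes were changed before the failing one.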
1173
1174
1175
1176       dev DEVICE
1177              DEVICE specifies network device to operate on. When configuring
1178              SR-IOV Virtual Function (VF) devices, this keyword should spec‐
1179              ify the associated Physical Function (PF) device.
1180
1181
1182       group GROUP
1183              GROUP has a dual role: If both group and dev are present, then
1184              move the device to the specified group. If only a group is spec‐
1185              ified, then the command operates on all devices in that group.
1186
1187
1188       up and down
1189              change the state of the device to UP or DOWN.
1190
1191
1192       arp on or arp off
1193              change the NOARP flag on the device.
1194
1195
1196       multicast on or multicast off
1197              change the MULTICAST flag on the device.
1198
1199
1200       protodown on or protodown off
1201              change the PROTODOWN state on the device. Indicates that a pro‐
1202              tocol error has been detected on the port. Switch drivers can
1203              react to this error by doing a phys down on the switch port.
1204
1205
1206       dynamic on or dynamic off
1207              change the DYNAMIC flag on the device. Indicates that address
1208              can change when interface goes down (currently NOT used by
1209              Linux).
1210
1211
1212       name NAME
1213              change the name of the device. This operation is not recommended
1214              if the device is running or has some addresses already config‐
1215              ured.
1216
1217
1218       txqueuelen NUMBER
1219
1220       txqlen NUMBER
1221              change the transmit queue length of the device.
1222
1223
1224       mtu NUMBER
1225              change the MTU of the device.
1226
1227
1228       address LLADDRESS
1229              change the station address of the interface.
1230
1231
1232       broadcast LLADDRESS
1233
1234       brd LLADDRESS
1235
1236       peer LLADDRESS
1237              change the link layer broadcast address or the peer address when
1238              the interface is POINTOPOINT.
1239
1240
1241       netns NETNSNAME | PID
1242              move the device to the network namespace associated with name
1243              NETNSNAME or process PID.
1244
1245              Some devices are not allowed to change network namespace:
1246              loopback, bridge, ppp, wireless. These are network namespace
1247              local devices. In such a case the ip tool returns an "Invalid
1248              argument" error. To find out whether a device is local to a
1249              single network namespace, check the netns-local flag in the
1250              output of ethtool:
1251
1252                      ethtool -k DEVICE
1253
1254              To change the network namespace of wireless devices, the iw tool
1255              can be used. However, it can change the network namespace only
1256              for physical devices, and only by process PID.
1257
1258
1259       alias NAME
1260              give the device a symbolic name for easy reference.
1261
1262
1263       group GROUP
1264              specify the group the device belongs to.  The available groups
1265              are listed in file /etc/iproute2/group.
1266
1267
1268       vf NUM specify a Virtual Function device to be configured. The associ‐
1269              ated PF device must be specified using the dev parameter.
1270
1271                      mac LLADDRESS - change the station address for the spec‐
1272                      ified VF. The vf parameter must be specified.
1273
1274
1275                      vlan VLANID - change the assigned VLAN for the specified
1276                      VF. When specified, all traffic sent from the VF will be
1277                      tagged with the specified VLAN ID. Incoming traffic will
1278                      be filtered for the specified VLAN ID, and will have all
1279                      VLAN tags stripped before being passed to the VF. Set‐
1280                      ting this parameter to 0 disables VLAN tagging and fil‐
1281                      tering. The vf parameter must be specified.
1282
1283
1284                      qos VLAN-QOS - assign VLAN QOS (priority) bits for the
1285                      VLAN tag. When specified, all VLAN tags transmitted by
1286                      the VF will include the specified priority bits in the
1287                      VLAN tag. If not specified, the value is assumed to be
1288                      0. Both the vf and vlan parameters must be specified.
1289                      Setting both vlan and qos as 0 disables VLAN tagging and
1290                      filtering for the VF.
1291
1292
1293                      proto VLAN-PROTO - assign VLAN PROTOCOL for the VLAN
1294                      tag, either 802.1Q or 802.1ad.  Setting to 802.1ad, all
1295                      traffic sent from the VF will be tagged with VLAN S-Tag.
1296                      Incoming traffic will have VLAN S-Tags stripped before
1297                      being passed to the VF.  Setting to 802.1ad also enables
1298                      an option to concatenate another VLAN tag, so both S-TAG
1299                      and C-TAG will be inserted/stripped for outgoing/incom‐
1300                      ing traffic, respectively.  If not specified, the value
1301                      is assumed to be 802.1Q. Both the vf and vlan parameters
1302                      must be specified.
1303
1304
1305                      rate TXRATE - change the allowed transmit bandwidth, in
1306                      Mbps, for the specified VF.  Setting this parameter to 0
1307                      disables rate limiting.  The vf parameter must be
1308                      specified.  Please use the new API option max_tx_rate
1309                      instead.
1309
1310
1311                      max_tx_rate TXRATE - change the allowed maximum transmit
1312                      bandwidth, in Mbps, for the specified VF.  Setting this
1313                      parameter to 0 disables rate limiting.  vf parameter
1314                      must be specified.
1315
1316
1317                      min_tx_rate TXRATE - change the allowed minimum transmit
1318                      bandwidth, in Mbps, for the specified VF.  Minimum
1319                      TXRATE should be always <= Maximum TXRATE.  Setting this
1320                      parameter to 0 disables rate limiting.  vf parameter
1321                      must be specified.
1322
1323
1324                      spoofchk on|off - turn packet spoof checking on or off
1325                      for the specified VF.
1326
1327                      query_rss on|off - toggle the ability to query the RSS
1328                      configuration of a specific VF. VF RSS information like
1329                      the RSS hash key may be considered sensitive on some
1330                      devices where this information is shared between VF and
1331                      PF, and thus querying it may be prohibited by default.
1334
1335                      state auto|enable|disable - set the virtual link state
1336                      as seen by the specified VF. Setting to auto means a
1337                      reflection of the PF link state, enable lets the VF
1338                      communicate with other VFs on this host even if the PF
1339                      link state is down, disable causes the HW to drop any
1340                      packets sent by the VF.
1341
1342                      trust on|off - trust the specified VF user. This allows
1343                      the VF user to set specific features which may impact
1344                      security and/or performance (e.g. VF multicast
1345                      promiscuous mode).
1346
1347                      node_guid eui64 - configure node GUID for Infiniband
1348                      VFs.
1349
1350                      port_guid eui64 - configure port GUID for Infiniband
1351                      VFs.
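
An added example, not part of the original man page: an audit of the VF settings described above (spoofchk, trust, query_rss) over the per-VF lines printed by ip link show, with one ip link set command emitted per finding. The sample output is constructed, the interface name and MAC addresses are made up, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the ip-link man page): flag SR-IOV VFs whose
# settings relax the protections described above, and print one
# `ip link set` command per finding.

# Constructed sample of `ip link show` output for a PF with three VFs.
sample_ip_link_output() {
cat <<'EOF'
4: enp3s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:aa:bb:01 brd ff:ff:ff:ff:ff:ff
    vf 0     link/ether 52:54:00:aa:bb:10 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off, query_rss off
    vf 1     link/ether 52:54:00:aa:bb:11 brd ff:ff:ff:ff:ff:ff, vlan 100, spoof checking off, link-state auto, trust off, query_rss off
    vf 2     link/ether 52:54:00:aa:bb:12 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state enable, trust on, query_rss on
EOF
}

# audit_vfs: reads `ip link show` text on stdin and prints one line per
# finding in the form "PF vf NUM setting=value".
audit_vfs() {
    awk '
    # Interface header line, e.g. "4: enp3s0f0: <...>": remember the PF name.
    /^[0-9]+: / { pf = $2; sub(/[:@].*$/, "", pf); next }
    # Per-VF line: the VF number is the second field.
    $1 == "vf" {
        vf = $2
        if ($0 ~ /spoof checking off/) print pf, "vf", vf, "spoofchk=off"
        if ($0 ~ /trust on/)           print pf, "vf", vf, "trust=on"
        if ($0 ~ /query_rss on/)       print pf, "vf", vf, "query_rss=on"
    }'
}

# remediation_cmds: turns audit_vfs findings into commands, one changed
# parameter per `ip link set` call.
remediation_cmds() {
    while read -r pf kw vf finding; do
        key=${finding%%=*}
        case "$finding" in
            spoofchk=off)          want=on ;;
            trust=on|query_rss=on) want=off ;;
            *)                     continue ;;
        esac
        echo "ip link set dev $pf $kw $vf $key $want"
    done
}

# Stand-alone demo on the constructed sample; on a real host use:
#   ip link show | audit_vfs
sample_ip_link_output | audit_vfs | remediation_cmds
```

Whether a finding is a problem depends on the deployment: a VF that is meant to bridge guest traffic may legitimately need trust on or spoofchk off.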
1352
1353
1354       xdp object | pinned | off
1355              set (or unset) a XDP ("eXpress Data Path") BPF program to run on
1356              every packet at driver level.  ip link output will indicate a
1357              xdp flag for the networking device. If the driver does not have
1358              native XDP support, the kernel will fall back to a slower,
1359              driver-independent "generic" XDP variant. The ip link output
1360              will in that case indicate xdpgeneric instead of xdp only. If
1361              the driver does have native XDP support, but the program is
1362              loaded under xdpgeneric object | pinned then the kernel will use
1363              the generic XDP variant instead of the native one.  xdpdrv has
1364              the opposite effect of requesting that the automatic fallback
1365              to the generic XDP variant be disabled, and in case the driver
1366              is not XDP-capable an error should be returned.  xdpdrv also
1367              disables hardware offloads.  xdpoffload in ip link output
1368              indicates that the program has been offloaded to hardware and
1369              can also be used to request the "offload" mode; much like
1370              xdpgeneric, it forces the program to be installed specifically
1371              in the HW/FW of the adapter.
1371
1372              off (or none) - Detaches any currently attached XDP/BPF program
1373              from the given device.
1374
1375              object FILE - Attaches a XDP/BPF program to the given device.
1376              The FILE points to a BPF ELF file (e.g. generated by LLVM) that
1377              contains the BPF program code, map specifications, etc. If a
1378              XDP/BPF program is already attached to the given device, an
1379              error will be thrown. If no XDP/BPF program is currently
1380              attached, the device supports XDP and the program from the BPF
1381              ELF file passes the kernel verifier, then it will be attached to
1382              the device. If the option -force is passed to ip then any prior
1383              attached XDP/BPF program will be atomically overridden and no
1384              error will be thrown in this case. If no section option is
1385              passed, then the default section name ("prog") will be assumed,
1386              otherwise the provided section name will be used. If no verbose
1387              option is passed, then a verifier log will only be dumped on
1388              load error.  See also EXAMPLES section for usage examples.
1389
1390              section NAME - Specifies a section name that contains the BPF
1391              program code. If no section name is specified, the default one
1392              ("prog") will be used. This option is to be passed with the
1393              object option.
1394
1395              verbose - Act in verbose mode. For example, even in case of suc‐
1396              cess, this will print the verifier log in case a program was
1397              loaded from a BPF ELF file.
1398
1399              pinned FILE - Attaches a XDP/BPF program to the given device.
1400              The FILE points to an already pinned BPF program in the BPF file
1401              system. The option section doesn't apply here, but otherwise
1402              semantics are the same as with the option object described
1403              already.
1404
1405
       master DEVICE
              set master device of the device (enslave device).


       nomaster
              unset master device of the device (release device).


       addrgenmode eui64|none|stable_secret|random
              set the IPv6 address generation mode

              eui64 - use a Modified EUI-64 format interface identifier

              none - disable automatic address generation

              stable_secret - generate the interface identifier based on a
              preset
                /proc/sys/net/ipv6/conf/{default,DEVICE}/stable_secret

              random - like stable_secret, but auto-generate a new random
              secret if none is set


       link-netnsid
              set peer netnsid for a cross-netns interface


       type ETYPE TYPE_ARGS
              Change type-specific settings. For a list of supported types and
              arguments refer to the description of ip link add above. In
              addition to that, it is possible to manipulate settings of slave
              devices:


       Bridge Slave Support
              For a link with master bridge the following additional arguments
              are supported:

              ip link set type bridge_slave [ fdb_flush ] [ state STATE ] [
              priority PRIO ] [ cost COST ] [ guard { on | off } ] [ hairpin {
              on | off } ] [ fastleave { on | off } ] [ root_block { on | off
              } ] [ learning { on | off } ] [ flood { on | off } ] [ proxy_arp
              { on | off } ] [ proxy_arp_wifi { on | off } ] [ mcast_router
              MULTICAST_ROUTER ] [ mcast_fast_leave { on | off } ] [
              mcast_flood { on | off } ] [ mcast_to_unicast { on | off } ] [
              group_fwd_mask MASK ] [ neigh_suppress { on | off } ] [
              vlan_tunnel { on | off } ] [ isolated { on | off } ] [
              backup_port DEVICE ] [ nobackup_port ]


                      fdb_flush - flush bridge slave's fdb dynamic entries.

                      state STATE - Set port state.  STATE is a number
                      representing the following states: 0 (disabled), 1
                      (listening), 2 (learning), 3 (forwarding), 4 (blocking).

                      priority PRIO - set port priority (allowed values are
                      between 0 and 63, inclusively).

                      cost COST - set port cost (allowed values are between 1
                      and 65535, inclusively).

                      guard { on | off } - block incoming BPDU packets on this
                      port.

                      hairpin { on | off } - enable hairpin mode on this port.
                      This will allow incoming packets on this port to be
                      reflected back.

                      fastleave { on | off } - enable multicast fast leave on
                      this port.

                      root_block { on | off } - block this port from becoming
                      the bridge's root port.

                      learning { on | off } - allow MAC address learning on
                      this port.

                      flood { on | off } - open the flood gates on this port,
                      i.e. forward all unicast frames to this port also.
                      Requires proxy_arp and proxy_arp_wifi to be turned off.

                      proxy_arp { on | off } - enable proxy ARP on this port.

                      proxy_arp_wifi { on | off } - enable proxy ARP on this
                      port which meets extended requirements by IEEE 802.11
                      and Hotspot 2.0 specifications.

                      mcast_router MULTICAST_ROUTER - configure this port for
                      having multicast routers attached. A port with a
                      multicast router will receive all multicast traffic.
                      MULTICAST_ROUTER may be either 0 to disable multicast
                      routers on this port, 1 to let the system detect the
                      presence of routers (this is the default), 2 to
                      permanently enable multicast traffic forwarding on this
                      port or 3 to enable multicast routers temporarily on
                      this port, not depending on incoming queries.

                      mcast_fast_leave { on | off } - this is a synonym to the
                      fastleave option above.

                      mcast_flood { on | off } - controls whether a given port
                      will flood multicast traffic for which there is no MDB
                      entry.

                      mcast_to_unicast { on | off } - controls whether a given
                      port will replicate packets using unicast instead of
                      multicast. By default this flag is off.

                      group_fwd_mask MASK - set the group forward mask. This
                      is the bitmask that is applied to decide whether to
                      forward incoming frames destined to link-local
                      addresses, i.e. addresses of the form 01:80:C2:00:00:0X
                      (defaults to 0, i.e. the bridge does not forward any
                      link-local frames coming on this port).

                      neigh_suppress { on | off } - controls whether neigh
                      discovery (arp and nd) proxy and suppression is enabled
                      on the port. By default this flag is off.

                      vlan_tunnel { on | off } - controls whether vlan to
                      tunnel mapping is enabled on the port. By default this
                      flag is off.

                      backup_port DEVICE - if the port loses carrier all
                      traffic will be redirected to the configured backup port.

                      nobackup_port - removes the currently configured backup
                      port.



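Added example, not part of the iproute2 manual page or code: an audit of the bridge_slave settings described above on ports that face untrusted hosts (guard blocks incoming BPDUs, root_block keeps the port from becoming the root port, group_fwd_mask 0 leaves link-local frames unforwarded). The input is a constructed sample; the device names are hypothetical and the layout of the bridge_slave line is an assumption about the detailed output of ip.

```shell
#!/bin/sh
# Constructed sample of `ip -d link show` text. Device names are hypothetical
# and the bridge_slave line layout is an assumption about ip's detailed output.
sample_ip_detail() {
    cat <<'EOF'
4: veth-a@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP
    link/ether 02:00:00:00:00:0a brd ff:ff:ff:ff:ff:ff
    bridge_slave state forwarding priority 32 cost 2 hairpin off guard off root_block off learning on flood on group_fwd_mask 0x4000
6: veth-b@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP
    link/ether 02:00:00:00:00:0b brd ff:ff:ff:ff:ff:ff
    bridge_slave state forwarding priority 32 cost 2 hairpin off guard on root_block on learning on flood on group_fwd_mask 0
7: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    bridge_slave state forwarding priority 32 cost 4 hairpin off guard off root_block off learning on flood on group_fwd_mask 0
8: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
EOF
}

# audit_bridge_ports [UPLINK]
# Reads `ip -d link show` text on stdin. For every bridge port except UPLINK,
# prints (does not run) the command that restores the access-port settings:
# guard on, root_block on, group_fwd_mask 0.
audit_bridge_ports() {
    awk -v uplink="$1" '
    /^[0-9]+: / {                       # header line: "IDX: NAME[@PEER]: <FLAGS> ..."
        dev = $2; sub(/:$/, "", dev); sub(/@.*/, "", dev); next
    }
    $1 == "bridge_slave" && dev != uplink {
        guard = rb = "unknown"; mask = "0"
        for (i = 2; i < NF; i++) {      # options are printed as KEY VALUE pairs
            if ($i == "guard") guard = $(i + 1)
            else if ($i == "root_block") rb = $(i + 1)
            else if ($i == "group_fwd_mask") mask = $(i + 1)
        }
        fix = ""
        if (guard != "on") fix = fix " guard on"
        if (rb != "on") fix = fix " root_block on"
        if (mask != "0" && mask != "0x0") fix = fix " group_fwd_mask 0"
        if (fix != "") print "ip link set dev " dev " type bridge_slave" fix
    }'
}

# Offline run on the constructed sample; on a live host use:
#   ip -d link show | audit_bridge_ports eth1
sample_ip_detail | audit_bridge_ports eth1
```

A port that legitimately exchanges STP BPDUs with another switch should be passed as UPLINK so it is not reported.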
       Bonding Slave Support
              For a link with master bond the following additional arguments
              are supported:

              ip link set type bond_slave [ queue_id ID ]


                      queue_id ID - set the slave's queue ID (a 16-bit unsigned
                      value).



       MACVLAN and MACVTAP Support
              Modify list of allowed macaddr for link in source mode.

              ip link set type { macvlan | macvtap } [ macaddr COMMAND MACADDR
              ...  ]

              Commands:
                      add - add MACADDR to allowed list

                      set - replace allowed list

                      del - remove MACADDR from allowed list

                      flush - flush whole allowed list




   ip link show - display device attributes
       dev NAME (default)
              NAME specifies the network device to show.  If this argument is
              omitted all devices in the default group are listed.


       group GROUP
              GROUP specifies what group of devices to show.


       up     only display running interfaces.


       master DEVICE
              DEVICE specifies the master device which enslaves devices to
              show.


       vrf NAME
              NAME specifies the VRF which enslaves devices to show.


       type TYPE
              TYPE specifies the type of devices to show.

              Note that the type name is not checked against the list of
              supported types - instead it is sent as-is to the kernel. Later
              it is used to filter the returned interface list by comparing it
              with the relevant attribute in case the kernel didn't filter
              already. Therefore any string is accepted, but may lead to empty
              output.


   ip link xstats - display extended statistics
       type TYPE
              TYPE specifies the type of devices to display extended
              statistics for.


   ip link afstats - display address-family specific statistics
       dev DEVICE
              DEVICE specifies the device to display address-family statistics
              for.


   ip link help - display help
       TYPE specifies which help of link type to display.


   GROUP
       may be a number or a string from the file /etc/iproute2/group which can
       be manually filled.



EXAMPLES

       ip link show
           Shows the state of all network interfaces on the system.

       ip link show type bridge
           Shows the bridge devices.

       ip link show type vlan
           Shows the vlan devices.

       ip link show master br0
           Shows devices enslaved by br0.

       ip link set dev ppp0 mtu 1400
           Change the MTU of the ppp0 device.

       ip link add link eth0 name eth0.10 type vlan id 10
           Creates a new vlan device eth0.10 on device eth0.

       ip link delete dev eth0.10
           Removes vlan device.

       ip link help gre
           Display help for the gre link type.

       ip link add name tun1 type ipip remote 192.168.1.1 local 192.168.1.2
       ttl 225 encap gue encap-sport auto encap-dport 5555 encap-csum
       encap-remcsum
           Creates an IPIP tunnel that is encapsulated with Generic UDP
           Encapsulation, and the outer UDP checksum and remote checksum
           offload are enabled.

       ip link set dev eth0 xdp obj prog.o
           Attaches an XDP/BPF program to device eth0, where the program is
           located in prog.o, section "prog" (default section). In case an
           XDP/BPF program is already attached, throw an error.

       ip -force link set dev eth0 xdp obj prog.o sec foo
           Attaches an XDP/BPF program to device eth0, where the program is
           located in prog.o, section "foo". In case an XDP/BPF program is
           already attached, it will be overridden by the new one.

       ip -force link set dev eth0 xdp pinned /sys/fs/bpf/foo
           Attaches an XDP/BPF program to device eth0, where the program was
           previously pinned as an object node into BPF file system under name
           foo.

       ip link set dev eth0 xdp off
           If an XDP/BPF program is attached on device eth0, detach it and
           effectively turn off XDP for device eth0.

       ip link add link wpan0 lowpan0 type lowpan
           Creates a 6LoWPAN interface named lowpan0 on the underlying IEEE
           802.15.4 device wpan0.

       ip link add dev ip6erspan11 type ip6erspan seq key 102 local
       fc00:100::2 remote fc00:100::1 erspan_ver 2 erspan_dir ingress
       erspan_hwid 17
           Creates an IP6ERSPAN version 2 interface named ip6erspan00.



SEE ALSO

       ip(8), ip-netns(8), ethtool(8), iptables(8)



AUTHOR

       Original Manpage by Michail Litvak <mci@owl.openwall.com>



iproute2                          13 Dec 2012                       IP-LINK(8)