1IP-LINK(8) Linux IP-LINK(8)
2
3
4
6 ip-link - network device configuration
7
9 ip link { COMMAND | help }
10
11
12 ip link add [ link DEVICE ] [ name ] NAME
13 [ txqueuelen PACKETS ]
14 [ address LLADDR ] [ broadcast LLADDR ]
15 [ mtu MTU ] [ index IDX ]
16 [ numtxqueues QUEUE_COUNT ] [ numrxqueues QUEUE_COUNT ]
17 [ gso_max_size BYTES ] [ gso_max_segs SEGMENTS ]
18 type TYPE [ ARGS ]
19
20 ip link delete { DEVICE | group GROUP } type TYPE [ ARGS ]
21
22 ip link set { DEVICE | group GROUP }
23 [ { up | down } ]
24 [ type ETYPE TYPE_ARGS ]
25 [ arp { on | off } ]
26 [ dynamic { on | off } ]
27 [ multicast { on | off } ]
28 [ allmulticast { on | off } ]
29 [ promisc { on | off } ]
30 [ protodown { on | off } ]
31 [ trailers { on | off } ]
32 [ txqueuelen PACKETS ]
33 [ name NEWNAME ]
34 [ address LLADDR ]
35 [ broadcast LLADDR ]
36 [ mtu MTU ]
37 [ netns { PID | NETNSNAME } ]
38 [ link-netnsid ID ]
39 [ alias NAME ]
40 [ vf NUM [ mac LLADDR ]
41 [ VFVLAN-LIST ]
42 [ rate TXRATE ]
43 [ max_tx_rate TXRATE ]
44 [ min_tx_rate TXRATE ]
45 [ spoofchk { on | off } ]
46 [ query_rss { on | off } ]
47 [ state { auto | enable | disable } ]
48 [ trust { on | off } ]
49 [ node_guid eui64 ]
50 [ port_guid eui64 ] ]
51 [ { xdp | xdpgeneric | xdpdrv | xdpoffload } { off |
52 object FILE [ section NAME ] [ verbose ] |
53 pinned FILE } ]
54 [ master DEVICE ]
55 [ nomaster ]
56 [ vrf NAME ]
57 [ addrgenmode { eui64 | none | stable_secret | random } ]
58 [ macaddr [ MACADDR ]
59 [ { flush | add | del } MACADDR ]
60 [ set MACADDR ] ]
61
62 ip link show [ DEVICE | group GROUP ] [ up ] [ master DEVICE
63 ] [ type ETYPE ] [ vrf NAME ]
64
65 ip link xstats type TYPE [ ARGS ]
66
67 ip link afstats [ dev DEVICE ]
68
69 ip link help [ TYPE ]
70
71 TYPE := [ bridge | bond | can | dummy | hsr | ifb | ipoib |
72 macvlan | macvtap | vcan | vxcan | veth | vlan |
73 vxlan | ip6tnl | ipip | sit | gre | gretap | erspan |
74 ip6gre | ip6gretap | ip6erspan | vti | nlmon | ipvlan
75 | ipvtap | lowpan | geneve | vrf | macsec | netdevsim
76 | rmnet | xfrm ]
77
78 ETYPE := [ TYPE | bridge_slave | bond_slave ]
79
80 VFVLAN-LIST := [ VFVLAN-LIST ] VFVLAN
81
82 VFVLAN := [ vlan VLANID [ qos VLAN-QOS ] [ proto VLAN-PROTO ]
83 ]
84
85
87 ip link add - add virtual link
88 link DEVICE
89 specifies the physical device to act operate on.
90
91 NAME specifies the name of the new virtual device.
92
93 TYPE specifies the type of the new device.
94
95 Link types:
96
97 bridge - Ethernet Bridge device
98
99 bond - Bonding device
100
101 dummy - Dummy network interface
102
103 hsr - High-availability Seamless Redundancy device
104
105 ifb - Intermediate Functional Block device
106
107 ipoib - IP over Infiniband device
108
109 macvlan - Virtual interface base on link layer address
110 (MAC)
111
112 macvtap - Virtual interface based on link layer address
113 (MAC) and TAP.
114
115 vcan - Virtual Controller Area Network interface
116
117 vxcan - Virtual Controller Area Network tunnel interface
118
119 veth - Virtual ethernet interface
120
121 vlan - 802.1q tagged virtual LAN interface
122
123 vxlan - Virtual eXtended LAN
124
125 ip6tnl - Virtual tunnel interface IPv4|IPv6 over IPv6
126
127 ipip - Virtual tunnel interface IPv4 over IPv4
128
129 sit - Virtual tunnel interface IPv6 over IPv4
130
131 gre - Virtual tunnel interface GRE over IPv4
132
133 gretap - Virtual L2 tunnel interface GRE over IPv4
134
135 erspan - Encapsulated Remote SPAN over GRE and IPv4
136
137 ip6gre - Virtual tunnel interface GRE over IPv6
138
139 ip6gretap - Virtual L2 tunnel interface GRE over IPv6
140
141 ip6erspan - Encapsulated Remote SPAN over GRE and IPv6
142
143 vti - Virtual tunnel interface
144
145 nlmon - Netlink monitoring device
146
147 ipvlan - Interface for L3 (IPv6/IPv4) based VLANs
148
149 ipvtap - Interface for L3 (IPv6/IPv4) based VLANs and
150 TAP
151
152 lowpan - Interface for 6LoWPAN (IPv6) over IEEE 802.15.4
153 / Bluetooth
154
155 geneve - GEneric NEtwork Virtualization Encapsulation
156
157 macsec - Interface for IEEE 802.1AE MAC Security (MAC‐
158 sec)
159
160 vrf - Interface for L3 VRF domains
161
162 netdevsim - Interface for netdev API tests
163
164 rmnet - Qualcomm rmnet device
165
166 xfrm - Virtual xfrm interface
167
168
169 numtxqueues QUEUE_COUNT
170 specifies the number of transmit queues for new device.
171
172
173 numrxqueues QUEUE_COUNT
174 specifies the number of receive queues for new device.
175
176
177 gso_max_size BYTES
178 specifies the recommended maximum size of a Generic Segment Off‐
179 load packet the new device should accept.
180
181
182 gso_max_segs SEGMENTS
183 specifies the recommended maximum number of a Generic Segment
184 Offload segments the new device should accept.
185
186
187 index IDX
188 specifies the desired index of the new virtual device. The link
189 creation fails, if the index is busy.
190
191
192 VLAN Type Support
193 For a link of type VLAN the following additional arguments are
194 supported:
195
196 ip link add link DEVICE name NAME type vlan [ protocol
197 VLAN_PROTO ] id VLANID [ reorder_hdr { on | off } ] [ gvrp { on
198 | off } ] [ mvrp { on | off } ] [ loose_binding { on | off } ] [
199 bridge_binding { on | off } ] [ ingress-qos-map QOS-MAP ] [
200 egress-qos-map QOS-MAP ]
201
202
203 protocol VLAN_PROTO - either 802.1Q or 802.1ad.
204
205 id VLANID - specifies the VLAN Identifer to use. Note
206 that numbers with a leading " 0 " or " 0x " are inter‐
207 preted as octal or hexadeimal, respectively.
208
209 reorder_hdr { on | off } - specifies whether ethernet
210 headers are reordered or not (default is on).
211
212 If reorder_hdr is on then VLAN header will be not
213 inserted immediately but only before passing to the
214 physical device (if this device does not support
215 VLAN offloading), the similar on the RX direction -
216 by default the packet will be untagged before being
217 received by VLAN device. Reordering allows to accel‐
218 erate tagging on egress and to hide VLAN header on
219 ingress so the packet looks like regular Ethernet
220 packet, at the same time it might be confusing for
221 packet capture as the VLAN header does not exist
222 within the packet.
223
224 VLAN offloading can be checked by ethtool(8):
225
226 ethtool -k <phy_dev> | grep tx-vlan-offload
227
228 where <phy_dev> is the physical device to which VLAN
229 device is bound.
230
231 gvrp { on | off } - specifies whether this VLAN should
232 be registered using GARP VLAN
233 Registration Protocol.
234
235 mvrp { on | off } - specifies whether this VLAN should
236 be registered using Multiple VLAN
237 Registration Protocol.
238
239 loose_binding { on | off } - specifies whether the VLAN
240 device state is bound to the physical device state.
241
242 bridge_binding { on | off } - specifies whether the VLAN
243 device link state tracks the state of bridge ports that
244 are members of the VLAN.
245
246 ingress-qos-map QOS-MAP - defines a mapping of VLAN
247 header prio field to the Linux internal packet priority
248 on incoming frames. The format is FROM:TO with multiple
249 mappings separated by spaces.
250
251 egress-qos-map QOS-MAP - defines a mapping of Linux
252 internal packet priority to VLAN header prio field but
253 for outgoing frames. The format is the same as for
254 ingress-qos-map.
255
256 Linux packet priority can be set by iptables(8):
257
258 iptables -t mangle -A POSTROUTING [...] -j CLAS‐
259 SIFY --set-class 0:4
260
261 and this "4" priority can be used in the egress qos
262 mapping to set VLAN prio "5":
263
264 ip link set veth0.10 type vlan egress 4:5
265
266
267 VXLAN Type Support
268 For a link of type VXLAN the following additional arguments are
269 supported:
270
271 ip link add DEVICE type vxlan id VNI [ dev PHYS_DEV ] [ { group
272 | remote } IPADDR ] [ local { IPADDR | any } ] [ ttl TTL ] [ tos
273 TOS ] [ df DF ] [ flowlabel FLOWLABEL ] [ dstport PORT ] [ src‐
274 port MIN MAX ] [ [no]learning ] [ [no]proxy ] [ [no]rsc ] [
275 [no]l2miss ] [ [no]l3miss ] [ [no]udpcsum ] [ [no]udp6zerocsumtx
276 ] [ [no]udp6zerocsumrx ] [ ageing SECONDS ] [ maxaddress NUMBER
277 ] [ [no]external ] [ gbp ] [ gpe ]
278
279
280 id VNI - specifies the VXLAN Network Identifer (or VXLAN
281 Segment Identifier) to use.
282
283 dev PHYS_DEV - specifies the physical device to use for
284 tunnel endpoint communication.
285
286
287 group IPADDR - specifies the multicast IP address to
288 join. This parameter cannot be specified with the
289 remote parameter.
290
291
292 remote IPADDR - specifies the unicast destination IP
293 address to use in outgoing packets when the destination
294 link layer address is not known in the VXLAN device for‐
295 warding database. This parameter cannot be specified
296 with the group parameter.
297
298
299 local IPADDR - specifies the source IP address to use in
300 outgoing packets.
301
302
303 ttl TTL - specifies the TTL value to use in outgoing
304 packets.
305
306
307 tos TOS - specifies the TOS value to use in outgoing
308 packets.
309
310
311 df DF - specifies the usage of the Don't Fragment flag
312 (DF) bit in outgoing packets with IPv4 headers. The
313 value inherit causes the bit to be copied from the orig‐
314 inal IP header. The values unset and set cause the bit
315 to be always unset or always set, respectively. By
316 default, the bit is not set.
317
318
319 flowlabel FLOWLABEL - specifies the flow label to use in
320 outgoing packets.
321
322
323 dstport PORT - specifies the UDP destination port to
324 communicate to the remote
325 VXLAN tunnel endpoint.
326
327
328 srcport MIN MAX - specifies the range of port numbers to
329 use as UDP source ports to communicate to the remote
330 VXLAN tunnel endpoint.
331
332
333 [no]learning - specifies if unknown source link layer
334 addresses and IP addresses are entered into the VXLAN
335 device forwarding database.
336
337
338 [no]rsc - specifies if route short circuit is turned on.
339
340
341 [no]proxy - specifies ARP proxy is turned on.
342
343
344 [no]l2miss - specifies if netlink LLADDR miss notifica‐
345 tions are generated.
346
347
348 [no]l3miss - specifies if netlink IP ADDR miss notifica‐
349 tions are generated.
350
351
352 [no]udpcsum - specifies if UDP checksum is calculated
353 for transmitted packets over IPv4.
354
355
356 [no]udp6zerocsumtx - skip UDP checksum calculation for
357 transmitted packets over IPv6.
358
359
360 [no]udp6zerocsumrx - allow incoming UDP packets over
361 IPv6 with zero checksum field.
362
363
364 ageing SECONDS - specifies the lifetime in seconds of
365 FDB entries learnt by the kernel.
366
367
368 maxaddress NUMBER - specifies the maximum number of FDB
369 entries.
370
371
372 [no]external - specifies whether an external control
373 plane (e.g. ip route encap) or the internal FDB should
374 be used.
375
376
377 gbp - enables the Group Policy extension (VXLAN-GBP).
378
379 Allows to transport group policy context across
380 VXLAN network peers. If enabled, includes the mark
381 of a packet in the VXLAN header for outgoing packets
382 and fills the packet mark based on the information
383 found in the VXLAN header for incoming packets.
384
385 Format of upper 16 bits of packet mark (flags);
386
387 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
388 |-|-|-|-|-|-|-|-|-|D|-|-|A|-|-|-|
389 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
390
391 D := Don't Learn bit. When set, this bit indicates
392 that the egress VTEP MUST NOT learn the source
393 address of the encapsulated frame.
394
395 A := Indicates that the group policy has already
396 been applied to this packet. Policies MUST NOT be
397 applied by devices when the A bit is set.
398
399 Format of lower 16 bits of packet mark (policy ID):
400
401 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
402 | Group Policy ID |
403 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
404
405 Example:
406 iptables -A OUTPUT [...] -j MARK --set-mark
407 0x800FF
408
409
410
411 gpe - enables the Generic Protocol extension (VXLAN-
412 GPE). Currently, this is only supported together with
413 the external keyword.
414
415
416
417 VETH, VXCAN Type Support
418 For a link of types VETH/VXCAN the following additional argu‐
419 ments are supported:
420
421 ip link add DEVICE type { veth | vxcan } [ peer name NAME ]
422
423
424 peer name NAME - specifies the virtual pair device name
425 of the VETH/VXCAN tunnel.
426
427
428
429 IPIP, SIT Type Support
430 For a link of type IPIPorSIT the following additional arguments
431 are supported:
432
433 ip link add DEVICE type { ipip | sit } remote ADDR local ADDR [
434 encap { fou | gue | none } ] [ encap-sport { PORT | auto } ] [
435 encap-dport PORT ] [ [no]encap-csum ] [ [no]encap-remcsum ] [
436 mode { ip6ip | ipip | mplsip | any } ] [ external ]
437
438
439 remote ADDR - specifies the remote address of the tun‐
440 nel.
441
442
443 local ADDR - specifies the fixed local address for tun‐
444 neled packets. It must be an address on another inter‐
445 face on this host.
446
447
448 encap { fou | gue | none } - specifies type of secondary
449 UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue"
450 indicates Generic UDP Encapsulation.
451
452
453 encap-sport { PORT | auto } - specifies the source port
454 in UDP encapsulation. PORT indicates the port by num‐
455 ber, "auto" indicates that the port number should be
456 chosen automatically (the kernel picks a flow based on
457 the flow hash of the encapsulated packet).
458
459
460 [no]encap-csum - specifies if UDP checksums are enabled
461 in the secondary encapsulation.
462
463
464 [no]encap-remcsum - specifies if Remote Checksum Offload
465 is enabled. This is only applicable for Generic UDP
466 Encapsulation.
467
468
469 mode { ip6ip | ipip | mplsip | any } - specifies mode in
470 which device should run. "ip6ip" indicates IPv6-Over-
471 IPv4, "ipip" indicates "IPv4-Over-IPv4", "mplsip" indi‐
472 cates MPLS-Over-IPv4, "any" indicates IPv6, IPv4 or MPLS
473 Over IPv4. Supported for SIT where the default is
474 "ip6ip" and IPIP where the default is "ipip".
475 IPv6-Over-IPv4 is not supported for IPIP.
476
477
478 external - make this tunnel externally controlled (e.g.
479 ip route encap).
480
481
482 GRE Type Support
483 For a link of type GRE or GRETAP the following additional argu‐
484 ments are supported:
485
486 ip link add DEVICE type { gre | gretap } remote ADDR local ADDR
487 [ [no][i|o]seq ] [ [i|o]key KEY | no[i|o]key ] [ [no][i|o]csum ]
488 [ ttl TTL ] [ tos TOS ] [ [no]pmtudisc ] [ [no]ignore-df ] [ dev
489 PHYS_DEV ] [ encap { fou | gue | none } ] [ encap-sport { PORT |
490 auto } ] [ encap-dport PORT ] [ [no]encap-csum ] [ [no]encap-
491 remcsum ] [ external ]
492
493
494 remote ADDR - specifies the remote address of the tun‐
495 nel.
496
497
498 local ADDR - specifies the fixed local address for tun‐
499 neled packets. It must be an address on another inter‐
500 face on this host.
501
502
503 [no][i|o]seq - serialize packets. The oseq flag enables
504 sequencing of outgoing packets. The iseq flag requires
505 that all input packets are serialized.
506
507
508 [i|o]key KEY | no[i|o]key - use keyed GRE with key KEY.
509 KEY is either a number or an IPv4 address-like dotted
510 quad. The key parameter specifies the same key to use
511 in both directions. The ikey and okey parameters spec‐
512 ify different keys for input and output.
513
514
515 [no][i|o]csum - generate/require checksums for tunneled
516 packets. The ocsum flag calculates checksums for outgo‐
517 ing packets. The icsum flag requires that all input
518 packets have the correct checksum. The csum flag is
519 equivalent to the combination icsum ocsum .
520
521
522 ttl TTL - specifies the TTL value to use in outgoing
523 packets.
524
525
526 tos TOS - specifies the TOS value to use in outgoing
527 packets.
528
529
530 [no]pmtudisc - enables/disables Path MTU Discovery on
531 this tunnel. It is enabled by default. Note that a
532 fixed ttl is incompatible with this option: tunneling
533 with a fixed ttl always makes pmtu discovery.
534
535
536 [no]ignore-df - enables/disables IPv4 DF suppression on
537 this tunnel. Normally datagrams that exceed the MTU
538 will be fragmented; the presence of the DF flag inhibits
539 this, resulting instead in an ICMP Unreachable (Fragmen‐
540 tation Required) message. Enabling this attribute
541 causes the DF flag to be ignored.
542
543
544 dev PHYS_DEV - specifies the physical device to use for
545 tunnel endpoint communication.
546
547
548 encap { fou | gue | none } - specifies type of secondary
549 UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue"
550 indicates Generic UDP Encapsulation.
551
552
553 encap-sport { PORT | auto } - specifies the source port
554 in UDP encapsulation. PORT indicates the port by num‐
555 ber, "auto" indicates that the port number should be
556 chosen automatically (the kernel picks a flow based on
557 the flow hash of the encapsulated packet).
558
559
560 [no]encap-csum - specifies if UDP checksums are enabled
561 in the secondary encapsulation.
562
563
564 [no]encap-remcsum - specifies if Remote Checksum Offload
565 is enabled. This is only applicable for Generic UDP
566 Encapsulation.
567
568
569 external - make this tunnel externally controlled (e.g.
570 ip route encap).
571
572
573
574 IP6GRE/IP6GRETAP Type Support
575 For a link of type IP6GRE/IP6GRETAP the following additional
576 arguments are supported:
577
578 ip link add DEVICE type { ip6gre | ip6gretap } remote ADDR local
579 ADDR [ [no][i|o]seq ] [ [i|o]key KEY | no[i|o]key ] [
580 [no][i|o]csum ] [ hoplimit TTL ] [ encaplimit ELIM ] [ tclass
581 TCLASS ] [ flowlabel FLOWLABEL ] [ dscp inherit ] [ [no]allow-
582 localremote ] [ dev PHYS_DEV ] [ external ]
583
584
585 remote ADDR - specifies the remote IPv6 address of the
586 tunnel.
587
588
589 local ADDR - specifies the fixed local IPv6 address for
590 tunneled packets. It must be an address on another
591 interface on this host.
592
593
594 [no][i|o]seq - serialize packets. The oseq flag enables
595 sequencing of outgoing packets. The iseq flag requires
596 that all input packets are serialized.
597
598
599 [i|o]key KEY | no[i|o]key - use keyed GRE with key KEY.
600 KEY is either a number or an IPv4 address-like dotted
601 quad. The key parameter specifies the same key to use
602 in both directions. The ikey and okey parameters spec‐
603 ify different keys for input and output.
604
605
606 [no][i|o]csum - generate/require checksums for tunneled
607 packets. The ocsum flag calculates checksums for outgo‐
608 ing packets. The icsum flag requires that all input
609 packets have the correct checksum. The csum flag is
610 equivalent to the combination icsum ocsum.
611
612
613 hoplimit TTL - specifies Hop Limit value to use in out‐
614 going packets.
615
616
617 encaplimit ELIM - specifies a fixed encapsulation limit.
618 Default is 4.
619
620
621 flowlabel FLOWLABEL - specifies a fixed flowlabel.
622
623
624 [no]allow-localremote - specifies whether to allow
625 remote endpoint to have an address configured on local
626 host.
627
628
629 tclass TCLASS - specifies the traffic class field on
630 tunneled packets, which can be specified as either a
631 two-digit hex value (e.g. c0) or a predefined string
632 (e.g. internet). The value inherit causes the field to
633 be copied from the original IP header. The values
634 inherit/STRING or inherit/00..ff will set the field to
635 STRING or 00..ff when tunneling non-IP packets. The
636 default value is 00.
637
638
639 external - make this tunnel externally controlled (or
640 not, which is the default). In the kernel, this is
641 referred to as collect metadata mode. This flag is
642 mutually exclusive with the remote, local, seq, key,
643 csum, hoplimit, encaplimit, flowlabel and tclass
644 options.
645
646
647
648 IPoIB Type Support
649 For a link of type IPoIB the following additional arguments are
650 supported:
651
652 ip link add DEVICE name NAME type ipoib [ pkey PKEY ] [ mode
653 MODE ]
654
655
656 pkey PKEY - specifies the IB P-Key to use.
657
658 mode MODE - specifies the mode (datagram or connected)
659 to use.
660
661
662 ERSPAN Type Support
663 For a link of type ERSPAN/IP6ERSPAN the following additional
664 arguments are supported:
665
666 ip link add DEVICE type { erspan | ip6erspan } remote ADDR local
667 ADDR seq key KEY erspan_ver version [ erspan IDX ] [ erspan_dir
668 { ingress | egress } ] [ erspan_hwid hwid ] [ [no]allow-localre‐
669 mote ] [ external ]
670
671
672 remote ADDR - specifies the remote address of the tun‐
673 nel.
674
675
676 local ADDR - specifies the fixed local address for tun‐
677 neled packets. It must be an address on another inter‐
678 face on this host.
679
680
681 erspan_ver version - specifies the ERSPAN version num‐
682 ber. version indicates the ERSPAN version to be cre‐
683 ated: 1 for version 1 (type II) or 2 for version 2 (type
684 III).
685
686
687 erspan IDX - specifies the ERSPAN v1 index field. IDX
688 indicates a 20 bit index/port number associated with the
689 ERSPAN traffic's source port and direction.
690
691
692 erspan_dir { ingress | egress } - specifies the ERSPAN
693 v2 mirrored traffic's direction.
694
695
696 erspan_hwid hwid - an unique identifier of an ERSPAN v2
697 engine within a system. hwid is a 6-bit value for users
698 to configure.
699
700
701 [no]allow-localremote - specifies whether to allow
702 remote endpoint to have an address configured on local
703 host.
704
705
706 external - make this tunnel externally controlled (or
707 not, which is the default). In the kernel, this is
708 referred to as collect metadata mode. This flag is
709 mutually exclusive with the remote, local, erspan_ver,
710 erspan, erspan_dir and erspan_hwid options.
711
712
713
714 GENEVE Type Support
715 For a link of type GENEVE the following additional arguments are
716 supported:
717
718 ip link add DEVICE type geneve id VNI remote IPADDR [ ttl TTL ]
719 [ tos TOS ] [ df DF ] [ flowlabel FLOWLABEL ] [ dstport PORT ] [
720 [no]external ] [ [no]udpcsum ] [ [no]udp6zerocsumtx ] [
721 [no]udp6zerocsumrx ]
722
723
724 id VNI - specifies the Virtual Network Identifer to use.
725
726
727 remote IPADDR - specifies the unicast destination IP
728 address to use in outgoing packets.
729
730
731 ttl TTL - specifies the TTL value to use in outgoing
732 packets. "0" or "auto" means use whatever default value,
733 "inherit" means inherit the inner protocol's ttl.
734 Default option is "0".
735
736
737 tos TOS - specifies the TOS value to use in outgoing
738 packets.
739
740
741 df DF - specifies the usage of the Don't Fragment flag
742 (DF) bit in outgoing packets with IPv4 headers. The
743 value inherit causes the bit to be copied from the orig‐
744 inal IP header. The values unset and set cause the bit
745 to be always unset or always set, respectively. By
746 default, the bit is not set.
747
748
749 flowlabel FLOWLABEL - specifies the flow label to use in
750 outgoing packets.
751
752
753 dstport PORT - select a destination port other than the
754 default of 6081.
755
756
757 [no]external - make this tunnel externally controlled
758 (or not, which is the default). This flag is mutually
759 exclusive with the id, remote, ttl, tos and flowlabel
760 options.
761
762
763 [no]udpcsum - specifies if UDP checksum is calculated
764 for transmitted packets over IPv4.
765
766
767 [no]udp6zerocsumtx - skip UDP checksum calculation for
768 transmitted packets over IPv6.
769
770
771 [no]udp6zerocsumrx - allow incoming UDP packets over
772 IPv6 with zero checksum field.
773
774
775
776 MACVLAN and MACVTAP Type Support
777 For a link of type MACVLAN or MACVTAP the following additional
778 arguments are supported:
779
780 ip link add link DEVICE name NAME type { macvlan | macvtap }
781 mode { private | vepa | bridge | passthru [ nopromisc ] |
782 source }
783
784
785 type { macvlan | macvtap } - specifies the link type to
786 use. macvlan creates just a virtual interface, while
787 macvtap in addition creates a character device /dev/tapX
788 to be used just like a tuntap device.
789
790 mode private - Do not allow communication between
791 macvlan instances on the same physical interface, even
792 if the external switch supports hairpin mode.
793
794 mode vepa - Virtual Ethernet Port Aggregator mode. Data
795 from one macvlan instance to the other on the same phys‐
796 ical interface is transmitted over the physical inter‐
797 face. Either the attached switch needs to support hair‐
798 pin mode, or there must be a TCP/IP router forwarding
799 the packets in order to allow communication. This is the
800 default mode.
801
802 mode bridge - In bridge mode, all endpoints are directly
803 connected to each other, communication is not redirected
804 through the physical interface's peer.
805
806 mode passthru [ nopromisc ] - This mode gives more power
807 to a single endpoint, usually in macvtap mode. It is not
808 allowed for more than one endpoint on the same physical
809 interface. All traffic will be forwarded to this end‐
810 point, allowing virtio guests to change MAC address or
811 set promiscuous mode in order to bridge the interface or
812 create vlan interfaces on top of it. By default, this
813 mode forces the underlying interface into promiscuous
814 mode. Passing the nopromisc flag prevents this, so the
815 promisc flag may be controlled using standard tools.
816
817 mode source - allows one to set a list of allowed mac
818 address, which is used to match against source mac
819 address from received frames on underlying interface.
820 This allows creating mac based VLAN associations,
821 instead of standard port or tag based. The feature is
822 useful to deploy 802.1x mac based behavior, where driv‐
823 ers of underlying interfaces doesn't allows that.
824
825
826 High-availability Seamless Redundancy (HSR) Support
827 For a link of type HSR the following additional arguments are
828 supported:
829
830 ip link add link DEVICE name NAME type hsr slave1 SLAVE1-IF
831 slave2 SLAVE2-IF [ supervision ADDR-BYTE ] [ version { 0 | 1 } ]
832
833
834 type hsr - specifies the link type to use, here HSR.
835
836 slave1 SLAVE1-IF - Specifies the physical device used
837 for the first of the two ring ports.
838
839 slave2 SLAVE2-IF - Specifies the physical device used
840 for the second of the two ring ports.
841
842 supervision ADDR-BYTE - The last byte of the multicast
843 address used for HSR supervision frames. Default option
844 is "0", possible values 0-255.
845
846 version { 0 | 1 } - Selects the protocol version of the
847 interface. Default option is "0", which corresponds to
848 the 2010 version of the HSR standard. Option "1" acti‐
849 vates the 2012 version.
850
851
852 BRIDGE Type Support
853 For a link of type BRIDGE the following additional arguments are
854 supported:
855
856 ip link add DEVICE type bridge [ ageing_time AGEING_TIME ] [
857 group_fwd_mask MASK ] [ group_address ADDRESS ] [ forward_delay
858 FORWARD_DELAY ] [ hello_time HELLO_TIME ] [ max_age MAX_AGE ] [
859 stp_state STP_STATE ] [ priority PRIORITY ] [ vlan_filtering
860 VLAN_FILTERING ] [ vlan_protocol VLAN_PROTOCOL ] [
861 vlan_default_pvid VLAN_DEFAULT_PVID ] [ vlan_stats_enabled
862 VLAN_STATS_ENABLED ] [ vlan_stats_per_port VLAN_STATS_PER_PORT ]
863 [ mcast_snooping MULTICAST_SNOOPING ] [ mcast_router MULTI‐
864 CAST_ROUTER ] [ mcast_query_use_ifaddr MCAST_QUERY_USE_IFADDR ]
865 [ mcast_querier MULTICAST_QUERIER ] [ mcast_hash_elasticity
866 HASH_ELASTICITY ] [ mcast_hash_max HASH_MAX ] [ mcast_last_mem‐
867 ber_count LAST_MEMBER_COUNT ] [ mcast_startup_query_count
868 STARTUP_QUERY_COUNT ] [ mcast_last_member_interval LAST_MEM‐
869 BER_INTERVAL ] [ mcast_membership_interval MEMBERSHIP_INTERVAL ]
870 [ mcast_querier_interval QUERIER_INTERVAL ] [ mcast_query_inter‐
871 val QUERY_INTERVAL ] [ mcast_query_response_interval
872 QUERY_RESPONSE_INTERVAL ] [ mcast_startup_query_interval
873 STARTUP_QUERY_INTERVAL ] [ mcast_stats_enabled
874 MCAST_STATS_ENABLED ] [ mcast_igmp_version IGMP_VERSION ] [
875 mcast_mld_version MLD_VERSION ] [ nf_call_iptables NF_CALL_IPTA‐
876 BLES ] [ nf_call_ip6tables NF_CALL_IP6TABLES ] [ nf_call_arpta‐
877 bles NF_CALL_ARPTABLES ]
878
879
880 ageing_time AGEING_TIME - configure the bridge's FDB
881 entries ageing time, ie the number of seconds a MAC
882 address will be kept in the FDB after a packet has been
883 received from that address. after this time has passed,
884 entries are cleaned up.
885
886 group_fwd_mask MASK - set the group forward mask. This
887 is the bitmask that is applied to decide whether to for‐
888 ward incoming frames destined to link-local addresses,
889 ie addresses of the form 01:80:C2:00:00:0X (defaults to
890 0, ie the bridge does not forward any link-local
891 frames).
892
893 group_address ADDRESS - set the MAC address of the mul‐
894 ticast group this bridge uses for STP. The address must
895 be a link-local address in standard Ethernet MAC address
896 format, ie an address of the form 01:80:C2:00:00:0X,
897 with X
898 in [0, 4..f].
899
900 forward_delay FORWARD_DELAY - set the forwarding delay
901 in seconds, ie the time spent in LISTENING state (before
902 moving to LEARNING) and in LEARNING state (before moving
903 to FORWARDING). Only relevant if STP is enabled. Valid
904 values are between 2 and 30.
905
906 hello_time HELLO_TIME - set the time in seconds between
907 hello packets sent by the bridge, when it is a root
908 bridge or a designated bridges. Only relevant if STP is
909 enabled. Valid values are between 1 and 10.
910
911 max_age MAX_AGE - set the hello packet timeout, ie the
912 time in seconds until another bridge in the spanning
913 tree is assumed to be dead, after reception of its last
914 hello message. Only relevant if STP is enabled. Valid
915 values are between 6 and 40.
916
917 stp_state STP_STATE - turn spanning tree protocol on
918 (STP_STATE > 0) or off (STP_STATE == 0). for this
919 bridge.
920
921 priority PRIORITY - set this bridge's spanning tree pri‐
922 ority, used during STP root bridge election. PRIORITY
923 is a 16bit unsigned integer.
924
925 vlan_filtering VLAN_FILTERING - turn VLAN filtering on
926 (VLAN_FILTERING > 0) or off (VLAN_FILTERING == 0). When
927 disabled, the bridge will not consider the VLAN tag when
928 handling packets.
929
930 vlan_protocol { 802.1Q | 802.1ad } - set the protocol
931 used for VLAN filtering.
932
933 vlan_default_pvid VLAN_DEFAULT_PVID - set the default
934 PVID (native/untagged VLAN ID) for this bridge.
935
936 vlan_stats_enabled VLAN_STATS_ENABLED - enable
937 (VLAN_STATS_ENABLED == 1) or disable (VLAN_STATS_ENABLED
938 == 0) per-VLAN stats accounting.
939
940 vlan_stats_per_port VLAN_STATS_PER_PORT - enable
941 (VLAN_STATS_PER_PORT == 1) or disable
942 (VLAN_STATS_PER_PORT == 0) per-VLAN per-port stats
943 accounting. Can be changed only when there are no port
944 VLANs configured.
945
946 mcast_snooping MULTICAST_SNOOPING - turn multicast
947 snooping on (MULTICAST_SNOOPING > 0) or off (MULTI‐
948 CAST_SNOOPING == 0).
949
950 mcast_router MULTICAST_ROUTER - set bridge's multicast
951 router if IGMP snooping is enabled. MULTICAST_ROUTER is
952 an integer value having the following meaning:
953
954 0 - disabled.
955
956 1 - automatic (queried).
957
958 2 - permanently enabled.
959
960 mcast_query_use_ifaddr MCAST_QUERY_USE_IFADDR - whether
961 to use the bridge's own IP address as source address for
962 IGMP queries (MCAST_QUERY_USE_IFADDR > 0) or the default
963 of 0.0.0.0 (MCAST_QUERY_USE_IFADDR == 0).
964
965 mcast_querier MULTICAST_QUERIER - enable (MULTI‐
966 CAST_QUERIER > 0) or disable (MULTICAST_QUERIER == 0)
967 IGMP querier, ie sending of multicast queries by the
968 bridge (default: disabled).
969
970 mcast_querier_interval QUERIER_INTERVAL - interval
971 between queries sent by other routers. if no queries are
972 seen after this delay has passed, the bridge will start
973 to send its own queries (as if mcast_querier was
974 enabled).
975
976 mcast_hash_elasticity HASH_ELASTICITY - set multicast
977 database hash elasticity, ie the maximum chain length in
978 the multicast hash table (defaults to 4).
979
980 mcast_hash_max HASH_MAX - set maximum size of multicast
981 hash table (defaults to 512, value must be a power of
982 2).
983
984 mcast_last_member_count LAST_MEMBER_COUNT - set multi‐
985 cast last member count, ie the number of queries the
986 bridge will send before stopping forwarding a multicast
987 group after a "leave" message has been received
988 (defaults to 2).
989
990 mcast_last_member_interval LAST_MEMBER_INTERVAL - inter‐
991 val between queries to find remaining members of a
992 group, after a "leave" message is received.
993
994 mcast_startup_query_count STARTUP_QUERY_COUNT - set the
995 number of IGMP queries to send during startup phase
996 (defaults to 2).
997
998 mcast_startup_query_interval STARTUP_QUERY_INTERVAL -
999 interval between queries in the startup phase.
1000
1001 mcast_query_interval QUERY_INTERVAL - interval between
1002 queries sent by the bridge after the end of the startup
1003 phase.
1004
1005 mcast_query_response_interval QUERY_RESPONSE_INTERVAL -
1006 set the Max Response Time/Maximum Response Delay for
1007 IGMP/MLD queries sent by the bridge.
1008
1009 mcast_membership_interval MEMBERSHIP_INTERVAL - delay
1010 after which the bridge will leave a group, if no member‐
1011 ship reports for this group are received.
1012
1013 mcast_stats_enabled MCAST_STATS_ENABLED - enable
1014 (MCAST_STATS_ENABLED > 0) or disable
1015 (MCAST_STATS_ENABLED == 0) multicast (IGMP/MLD) stats
1016 accounting.
1017
1018 mcast_igmp_version IGMP_VERSION - set the IGMP version.
1019
1020 mcast_mld_version MLD_VERSION - set the MLD version.
1021
1022 nf_call_iptables NF_CALL_IPTABLES - enable (NF_CALL_IPT‐
1023 ABLES > 0) or disable (NF_CALL_IPTABLES == 0) iptables
1024 hooks on the bridge.
1025
1026 nf_call_ip6tables NF_CALL_IP6TABLES - enable
1027 (NF_CALL_IP6TABLES > 0) or disable (NF_CALL_IP6TABLES ==
1028 0) ip6tables hooks on the bridge.
1029
1030 nf_call_arptables NF_CALL_ARPTABLES - enable
1031 (NF_CALL_ARPTABLES > 0) or disable (NF_CALL_ARPTABLES ==
1032 0) arptables hooks on the bridge.
1033
1034
1035
1036
1037 MACsec Type Support
1038 For a link of type MACsec the following additional arguments are
1039 supported:
1040
1041 ip link add link DEVICE name NAME type macsec [ [ address
1042 <lladdr> ] port PORT | sci SCI ] [ cipher CIPHER_SUITE ] [
1043 icvlen { 8..16 } ] [ encrypt { on | off } ] [ send_sci { on |
1044 off } ] [ end_station { on | off } ] [ scb { on | off } ] [ pro‐
1045 tect { on | off } ] [ replay { on | off } window { 0..2^32-1 } ]
1046 [ validate { strict | check | disabled } ] [ encodingsa { 0..3 }
1047 ]
1048
1049
1050 address <lladdr> - sets the system identifier component
1051 of secure channel for this MACsec device.
1052
1053
1054 port PORT - sets the port number component of secure
1055 channel for this MACsec device, in a range from 1 to
1056 65535 inclusive. Numbers with a leading " 0 " or " 0x "
1057 are interpreted as octal and hexadecimal, respectively.
1058
1059
1060 sci SCI - sets the secure channel identifier for this
1061 MACsec device. SCI is a 64bit wide number in hexadeci‐
1062 mal format.
1063
1064
1065 cipher CIPHER_SUITE - defines the cipher suite to use.
1066
1067
1068 icvlen LENGTH - sets the length of the Integrity Check
1069 Value (ICV).
1070
1071
1072 encrypt on or encrypt off - switches between authenti‐
1073 cated encryption, or authenticity mode only.
1074
1075
1076 send_sci on or send_sci off - specifies whether the SCI
1077 is included in every packet, or only when it is neces‐
1078 sary.
1079
1080
1081 end_station on or end_station off - sets the End Station
1082 bit.
1083
1084
1085 scb on or scb off - sets the Single Copy Broadcast bit.
1086
1087
1088 protect on or protect off - enables MACsec protection on
1089 the device.
1090
1091
1092 replay on or replay off - enables replay protection on
1093 the device.
1094
1095
1096
1097 window SIZE - sets the size of the replay win‐
1098 dow.
1099
1100
1101
1102 validate strict or validate check or validate disabled -
1103 sets the validation mode on the device.
1104
1105
1106 encodingsa AN - sets the active secure association for
1107 transmission.
1108
1109
1110
1111 VRF Type Support
1112 For a link of type VRF the following additional arguments are
1113 supported:
1114
1115 ip link add DEVICE type vrf table TABLE
1116
1117
1118 table table id associated with VRF device
1119
1120
1121
1122 RMNET Type Support
1123 For a link of type RMNET the following additional arguments are
1124 supported:
1125
1126 ip link add link DEVICE name NAME type rmnet mux_id MUXID
1127
1128
1129 mux_id MUXID - specifies the mux identifier for the
1130 rmnet device, possible values 1-254.
1131
1132
1133
1134 XFRM Type Support
1135 For a link of type XFRM the following additional arguments are
1136 supported:
1137
1138 ip link add DEVICE type xfrm dev PHYS_DEV [ if_id IF_ID ]
1139
1140
1141 dev PHYS_DEV - specifies the underlying physical inter‐
1142 face from which transform traffic is sent and received.
1143
1144
1145 if_id IF-ID - specifies the hexadecimal lookup key used
1146 to send traffic to and from specific xfrm policies.
1147 Policies must be configured with the same key. If not
1148 set, the key defaults to 0 and will match any policies
1149 which similarly do not have a lookup key configuration.
1150
1151
1152
1153 ip link delete - delete virtual link
1154 dev DEVICE
1155 specifies the virtual device to act operate on.
1156
1157
1158 group GROUP
1159 specifies the group of virtual links to delete. Group 0 is not
1160 allowed to be deleted since it is the default group.
1161
1162
1163 type TYPE
1164 specifies the type of the device.
1165
1166
1167 ip link set - change device attributes
1168 Warning: If multiple parameter changes are requested, ip aborts immedi‐
1169 ately after any of the changes have failed. This is the only case when
1170 ip can move the system to an unpredictable state. The solution is to
1171 avoid changing several parameters with one ip link set call. The modi‐
1172 fier change is equivalent to set.
1173
1174
1175
1176 dev DEVICE
1177 DEVICE specifies network device to operate on. When configuring
1178 SR-IOV Virtual Function (VF) devices, this keyword should spec‐
1179 ify the associated Physical Function (PF) device.
1180
1181
1182 group GROUP
1183 GROUP has a dual role: If both group and dev are present, then
1184 move the device to the specified group. If only a group is spec‐
1185 ified, then the command operates on all devices in that group.
1186
1187
1188 up and down
1189 change the state of the device to UP or DOWN.
1190
1191
1192 arp on or arp off
1193 change the NOARP flag on the device.
1194
1195
1196 multicast on or multicast off
1197 change the MULTICAST flag on the device.
1198
1199
1200 protodown on or protodown off
1201 change the PROTODOWN state on the device. Indicates that a pro‐
1202 tocol error has been detected on the port. Switch drivers can
1203 react to this error by doing a phys down on the switch port.
1204
1205
1206 dynamic on or dynamic off
1207 change the DYNAMIC flag on the device. Indicates that address
1208 can change when interface goes down (currently NOT used by the
1209 Linux).
1210
1211
1212 name NAME
1213 change the name of the device. This operation is not recommended
1214 if the device is running or has some addresses already config‐
1215 ured.
1216
1217
1218 txqueuelen NUMBER
1219
1220 txqlen NUMBER
1221 change the transmit queue length of the device.
1222
1223
1224 mtu NUMBER
1225 change the MTU of the device.
1226
1227
1228 address LLADDRESS
1229 change the station address of the interface.
1230
1231
1232 broadcast LLADDRESS
1233
1234 brd LLADDRESS
1235
1236 peer LLADDRESS
1237 change the link layer broadcast address or the peer address when
1238 the interface is POINTOPOINT.
1239
1240
1241 netns NETNSNAME | PID
1242 move the device to the network namespace associated with name
1243 NETNSNAME or process PID.
1244
1245 Some devices are not allowed to change network namespace: loop‐
1246 back, bridge, ppp, wireless. These are network namespace local
1247 devices. In such case ip tool will return "Invalid argument"
1248 error. It is possible to find out if device is local to a single
1249 network namespace by checking netns-local flag in the output of
1250 the ethtool:
1251
1252 ethtool -k DEVICE
1253
1254 To change network namespace for wireless devices the iw tool can
1255 be used. But it allows to change network namespace only for
1256 physical devices and by process PID.
1257
1258
1259 alias NAME
1260 give the device a symbolic name for easy reference.
1261
1262
1263 group GROUP
1264 specify the group the device belongs to. The available groups
1265 are listed in file /etc/iproute2/group.
1266
1267
1268 vf NUM specify a Virtual Function device to be configured. The associ‐
1269 ated PF device must be specified using the dev parameter.
1270
1271 mac LLADDRESS - change the station address for the spec‐
1272 ified VF. The vf parameter must be specified.
1273
1274
1275 vlan VLANID - change the assigned VLAN for the specified
1276 VF. When specified, all traffic sent from the VF will be
1277 tagged with the specified VLAN ID. Incoming traffic will
1278 be filtered for the specified VLAN ID, and will have all
1279 VLAN tags stripped before being passed to the VF. Set‐
1280 ting this parameter to 0 disables VLAN tagging and fil‐
1281 tering. The vf parameter must be specified.
1282
1283
1284 qos VLAN-QOS - assign VLAN QOS (priority) bits for the
1285 VLAN tag. When specified, all VLAN tags transmitted by
1286 the VF will include the specified priority bits in the
1287 VLAN tag. If not specified, the value is assumed to be
1288 0. Both the vf and vlan parameters must be specified.
1289 Setting both vlan and qos as 0 disables VLAN tagging and
1290 filtering for the VF.
1291
1292
1293 proto VLAN-PROTO - assign VLAN PROTOCOL for the VLAN
1294 tag, either 802.1Q or 802.1ad. Setting to 802.1ad, all
1295 traffic sent from the VF will be tagged with VLAN S-Tag.
1296 Incoming traffic will have VLAN S-Tags stripped before
1297 being passed to the VF. Setting to 802.1ad also enables
1298 an option to concatenate another VLAN tag, so both S-TAG
1299 and C-TAG will be inserted/stripped for outgoing/incom‐
1300 ing traffic, respectively. If not specified, the value
1301 is assumed to be 802.1Q. Both the vf and vlan parameters
1302 must be specified.
1303
1304
1305 rate TXRATE -- change the allowed transmit bandwidth, in
1306 Mbps, for the specified VF. Setting this parameter to 0
1307 disables rate limiting. vf parameter must be specified.
1308 Please use new API max_tx_rate option instead.
1309
1310
1311 max_tx_rate TXRATE - change the allowed maximum transmit
1312 bandwidth, in Mbps, for the specified VF. Setting this
1313 parameter to 0 disables rate limiting. vf parameter
1314 must be specified.
1315
1316
1317 min_tx_rate TXRATE - change the allowed minimum transmit
1318 bandwidth, in Mbps, for the specified VF. Minimum
1319 TXRATE should be always <= Maximum TXRATE. Setting this
1320 parameter to 0 disables rate limiting. vf parameter
1321 must be specified.
1322
1323
1324 spoofchk on|off - turn packet spoof checking on or off
1325 for the specified VF.
1326
1327 query_rss on|off - toggle the ability of querying the
1328 RSS configuration of a specific
1329 VF. VF RSS information like RSS hash key may be con‐
1330 sidered sensitive
1331 on some devices where this information is shared
1332 between VF and PF
1333 and thus its querying may be prohibited by default.
1334
1335 state auto|enable|disable - set the virtual link state
1336 as seen by the specified VF. Setting to auto means a
1337 reflection of the PF link state, enable lets the VF to
1338 communicate with other VFs on this host even if the PF
1339 link state is down, disable causes the HW to drop any
1340 packets sent by the VF.
1341
1342 trust on|off - trust the specified VF user. This enables
1343 that VF user can set a specific feature which may impact
1344 security and/or performance. (e.g. VF multicast promis‐
1345 cuous mode)
1346
1347 node_guid eui64 - configure node GUID for Infiniband
1348 VFs.
1349
1350 port_guid eui64 - configure port GUID for Infiniband
1351 VFs.
1352
1353
1354 xdp object | pinned | off
1355 set (or unset) a XDP ("eXpress Data Path") BPF program to run on
1356 every packet at driver level. ip link output will indicate a
1357 xdp flag for the networking device. If the driver does not have
1358 native XDP support, the kernel will fall back to a slower,
1359 driver-independent "generic" XDP variant. The ip link output
1360 will in that case indicate xdpgeneric instead of xdp only. If
1361 the driver does have native XDP support, but the program is
1362 loaded under xdpgeneric object | pinned then the kernel will use
1363 the generic XDP variant instead of the native one. xdpdrv has
1364 the opposite effect of requestsing that the automatic fallback
1365 to the generic XDP variant be disabled and in case driver is not
1366 XDP-capable error should be returned. xdpdrv also disables
1367 hardware offloads. xdpoffload in ip link output indicates that
1368 the program has been offloaded to hardware and can also be used
1369 to request the "offload" mode, much like xdpgeneric it forces
1370 program to be installed specifically in HW/FW of the apater.
1371
1372 off (or none ) - Detaches any currently attached XDP/BPF program
1373 from the given device.
1374
1375 object FILE - Attaches a XDP/BPF program to the given device.
1376 The FILE points to a BPF ELF file (f.e. generated by LLVM) that
1377 contains the BPF program code, map specifications, etc. If a
1378 XDP/BPF program is already attached to the given device, an
1379 error will be thrown. If no XDP/BPF program is currently
1380 attached, the device supports XDP and the program from the BPF
1381 ELF file passes the kernel verifier, then it will be attached to
1382 the device. If the option -force is passed to ip then any prior
1383 attached XDP/BPF program will be atomically overridden and no
1384 error will be thrown in this case. If no section option is
1385 passed, then the default section name ("prog") will be assumed,
1386 otherwise the provided section name will be used. If no verbose
1387 option is passed, then a verifier log will only be dumped on
1388 load error. See also EXAMPLES section for usage examples.
1389
1390 section NAME - Specifies a section name that contains the BPF
1391 program code. If no section name is specified, the default one
1392 ("prog") will be used. This option is to be passed with the
1393 object option.
1394
1395 verbose - Act in verbose mode. For example, even in case of suc‐
1396 cess, this will print the verifier log in case a program was
1397 loaded from a BPF ELF file.
1398
1399 pinned FILE - Attaches a XDP/BPF program to the given device.
1400 The FILE points to an already pinned BPF program in the BPF file
1401 system. The option section doesn't apply here, but otherwise
1402 semantics are the same as with the option object described
1403 already.
1404
1405
1406 master DEVICE
1407 set master device of the device (enslave device).
1408
1409
1410 nomaster
1411 unset master device of the device (release device).
1412
1413
1414 addrgenmode eui64|none|stable_secret|random
1415 set the IPv6 address generation mode
1416
1417 eui64 - use a Modified EUI-64 format interface identifier
1418
1419 none - disable automatic address generation
1420
1421 stable_secret - generate the interface identifier based on a
1422 preset
1423 /proc/sys/net/ipv6/conf/{default,DEVICE}/stable_secret
1424
1425 random - like stable_secret, but auto-generate a new random
1426 secret if none is set
1427
1428
1429 link-netnsid
1430 set peer netnsid for a cross-netns interface
1431
1432
1433 type ETYPE TYPE_ARGS
1434 Change type-specific settings. For a list of supported types and
1435 arguments refer to the description of ip link add above. In
1436 addition to that, it is possible to manipulate settings to slave
1437 devices:
1438
1439
1440 Bridge Slave Support
1441 For a link with master bridge the following additional arguments
1442 are supported:
1443
1444 ip link set type bridge_slave [ fdb_flush ] [ state STATE ] [
1445 priority PRIO ] [ cost COST ] [ guard { on | off } ] [ hairpin {
1446 on | off } ] [ fastleave { on | off } ] [ root_block { on | off
1447 } ] [ learning { on | off } ] [ flood { on | off } ] [ proxy_arp
1448 { on | off } ] [ proxy_arp_wifi { on | off } ] [ mcast_router
1449 MULTICAST_ROUTER ] [ mcast_fast_leave { on | off} ] [
1450 mcast_flood { on | off } ] [ mcast_to_unicast { on | off } ] [
1451 group_fwd_mask MASK ] [ neigh_suppress { on | off } ] [
1452 vlan_tunnel { on | off } ] [ isolated { on | off } ] [
1453 backup_port DEVICE ] [ nobackup_port ]
1454
1455
1456 fdb_flush - flush bridge slave's fdb dynamic entries.
1457
1458 state STATE - Set port state. STATE is a number repre‐
1459 senting the following states: 0 (disabled), 1 (listen‐
1460 ing), 2 (learning), 3 (forwarding), 4 (blocking).
1461
1462 priority PRIO - set port priority (allowed values are
1463 between 0 and 63, inclusively).
1464
1465 cost COST - set port cost (allowed values are between 1
1466 and 65535, inclusively).
1467
1468 guard { on | off } - block incoming BPDU packets on this
1469 port.
1470
1471 hairpin { on | off } - enable hairpin mode on this port.
1472 This will allow incoming packets on this port to be
1473 reflected back.
1474
1475 fastleave { on | off } - enable multicast fast leave on
1476 this port.
1477
1478 root_block { on | off } - block this port from becoming
1479 the bridge's root port.
1480
1481 learning { on | off } - allow MAC address learning on
1482 this port.
1483
1484 flood { on | off } - open the flood gates on this port,
1485 i.e. forward all unicast frames to this port also.
1486 Requires proxy_arp and proxy_arp_wifi to be turned off.
1487
1488 proxy_arp { on | off } - enable proxy ARP on this port.
1489
1490 proxy_arp_wifi { on | off } - enable proxy ARP on this
1491 port which meets extended requirements by IEEE 802.11
1492 and Hotspot 2.0 specifications.
1493
1494 mcast_router MULTICAST_ROUTER - configure this port for
1495 having multicast routers attached. A port with a multi‐
1496 cast router will receive all multicast traffic. MULTI‐
1497 CAST_ROUTER may be either 0 to disable multicast routers
1498 on this port, 1 to let the system detect the presence of
1499 of routers (this is the default), 2 to permanently
1500 enable multicast traffic forwarding on this port or 3 to
1501 enable multicast routers temporarily on this port, not
1502 depending on incoming queries.
1503
1504 mcast_fast_leave { on | off } - this is a synonym to the
1505 fastleave option above.
1506
1507 mcast_flood { on | off } - controls whether a given port
1508 will flood multicast traffic for which
1509 there is no MDB entry.
1510
1511 mcast_to_unicast { on | off } - controls whether a given
1512 port will replicate packets using unicast
1513 instead of multicast. By default this flag is off.
1514
1515 group_fwd_mask MASK - set the group forward mask. This
1516 is the bitmask that is applied to decide whether to for‐
1517 ward incoming frames destined to link-local addresses,
1518 ie addresses of the form 01:80:C2:00:00:0X (defaults to
1519 0, ie the bridge does not forward any link-local frames
1520 coming on this port).
1521
1522 neigh_suppress { on | off } - controls whether neigh
1523 discovery (arp and nd) proxy and suppression is enabled
1524 on the port. By default this flag is off.
1525
1526 vlan_tunnel { on | off } - controls whether vlan to tun‐
1527 nel mapping is enabled on the port. By default this flag
1528 is off.
1529
1530 backup_port DEVICE - if the port loses carrier all traf‐
1531 fic will be redirected to the configured backup port
1532
1533 nobackup_port - removes the currently configured backup
1534 port
1535
1536
1537
1538 Bonding Slave Support
1539 For a link with master bond the following additional arguments
1540 are supported:
1541
1542 ip link set type bond_slave [ queue_id ID ]
1543
1544
1545 queue_id ID - set the slave's queue ID (a 16bit unsigned
1546 value).
1547
1548
1549
1550 MACVLAN and MACVTAP Support
1551 Modify list of allowed macaddr for link in source mode.
1552
1553 ip link set type { macvlan | macvap } [ macaddr COMMAND MACADDR
1554 ... ]
1555
1556 Commands:
1557 add - add MACADDR to allowed list
1558
1559 set - replace allowed list
1560
1561 del - remove MACADDR from allowed list
1562
1563 flush - flush whole allowed list
1564
1565
1566
1567
1568 ip link show - display device attributes
1569 dev NAME (default)
1570 NAME specifies the network device to show. If this argument is
1571 omitted all devices in the default group are listed.
1572
1573
1574 group GROUP
1575 GROUP specifies what group of devices to show.
1576
1577
1578 up only display running interfaces.
1579
1580
1581 master DEVICE
1582 DEVICE specifies the master device which enslaves devices to
1583 show.
1584
1585
1586 vrf NAME
1587 NAME speficies the VRF which enslaves devices to show.
1588
1589
1590 type TYPE
1591 TYPE specifies the type of devices to show.
1592
1593 Note that the type name is not checked against the list of sup‐
1594 ported types - instead it is sent as-is to the kernel. Later it
1595 is used to filter the returned interface list by comparing it
1596 with the relevant attribute in case the kernel didn't filter
1597 already. Therefore any string is accepted, but may lead to empty
1598 output.
1599
1600
1601 ip link xstats - display extended statistics
1602 type TYPE
1603 TYPE specifies the type of devices to display extended statis‐
1604 tics for.
1605
1606
1607 ip link afstats - display address-family specific statistics
1608 dev DEVICE
1609 DEVICE specifies the device to display address-family statistics
1610 for.
1611
1612
1613 ip link help - display help
1614 TYPE specifies which help of link type to dislpay.
1615
1616
1617 GROUP
1618 may be a number or a string from the file /etc/iproute2/group which can
1619 be manually filled.
1620
1621
1623 ip link show
1624 Shows the state of all network interfaces on the system.
1625
1626 ip link show type bridge
1627 Shows the bridge devices.
1628
1629 ip link show type vlan
1630 Shows the vlan devices.
1631
1632 ip link show master br0
1633 Shows devices enslaved by br0
1634
1635 ip link set dev ppp0 mtu 1400
1636 Change the MTU the ppp0 device.
1637
1638 ip link add link eth0 name eth0.10 type vlan id 10
1639 Creates a new vlan device eth0.10 on device eth0.
1640
1641 ip link delete dev eth0.10
1642 Removes vlan device.
1643
1644 ip link help gre
1645 Display help for the gre link type.
1646
1647 ip link add name tun1 type ipip remote 192.168.1.1 local 192.168.1.2
1648 ttl 225 encap gue encap-sport auto encap-dport 5555 encap-csum encap-
1649 remcsum
1650 Creates an IPIP that is encapsulated with Generic UDP Encapsula‐
1651 tion, and the outer UDP checksum and remote checksum offload are
1652 enabled.
1653
1654 ip link set dev eth0 xdp obj prog.o
1655 Attaches a XDP/BPF program to device eth0, where the program is
1656 located in prog.o, section "prog" (default section). In case a
1657 XDP/BPF program is already attached, throw an error.
1658
1659 ip -force link set dev eth0 xdp obj prog.o sec foo
1660 Attaches a XDP/BPF program to device eth0, where the program is
1661 located in prog.o, section "foo". In case a XDP/BPF program is
1662 already attached, it will be overridden by the new one.
1663
1664 ip -force link set dev eth0 xdp pinned /sys/fs/bpf/foo
1665 Attaches a XDP/BPF program to device eth0, where the program was
1666 previously pinned as an object node into BPF file system under name
1667 foo.
1668
1669 ip link set dev eth0 xdp off
1670 If a XDP/BPF program is attached on device eth0, detach it and
1671 effectively turn off XDP for device eth0.
1672
1673 ip link add link wpan0 lowpan0 type lowpan
1674 Creates a 6LoWPAN interface named lowpan0 on the underlying IEEE
1675 802.15.4 device wpan0.
1676
1677 ip link add dev ip6erspan11 type ip6erspan seq key 102 local
1678 fc00:100::2 remote fc00:100::1 erspan_ver 2 erspan_dir ingress
1679 erspan_hwid 17
1680 Creates a IP6ERSPAN version 2 interface named ip6erspan00.
1681
1682
1684 ip(8), ip-netns(8), ethtool(8), iptables(8)
1685
1686
1688 Original Manpage by Michail Litvak <mci@owl.openwall.com>
1689
1690
1691
1692iproute2 13 Dec 2012 IP-LINK(8)