1SYSTEMD.NETWORK(5) systemd.network SYSTEMD.NETWORK(5)
2
6 systemd.network - Network configuration
7
9 network.network
10
12 A plain ini-style text file that encodes network configuration for
13 matching network interfaces, used by systemd-networkd(8). See
14 systemd.syntax(5) for a general description of the syntax.
15 The main network file must have the extension .network; other
17 extensions are ignored. Networks are applied to links whenever the
18 links appear.
19 The .network files are read from the files located in the system
21 network directories /usr/lib/systemd/network and
22 /usr/local/lib/systemd/network, the volatile runtime network directory
23 /run/systemd/network and the local administration network directory
24 /etc/systemd/network. All configuration files are collectively sorted
25 and processed in lexical order, regardless of the directories in which
26 they live. However, files with identical filenames replace each other.
27 Files in /etc have the highest priority, files in /run take precedence
28 over files with the same name under /usr. This can be used to override
29 a system-supplied configuration file with a local file if needed. As a
30 special case, an empty file (file size 0) or symlink with the same name
31 pointing to /dev/null disables the configuration file entirely (it is
32 "masked").
33 Along with the network file foo.network, a "drop-in" directory
35 foo.network.d/ may exist. All files with the suffix ".conf" from this
36 directory will be parsed after the file itself is parsed. This is
37 useful to alter or add configuration settings, without having to modify
38 the main configuration file. Each drop-in file must have appropriate
39 section headers.
40 In addition to /etc/systemd/network, drop-in ".d" directories can be
42 placed in /usr/lib/systemd/network or /run/systemd/network directories.
43 Drop-in files in /etc take precedence over those in /run which in turn
44 take precedence over those in /usr/lib. Drop-in files under any of
45 these directories take precedence over the main network file wherever
46 located.
47 Note that an interface without any static IPv6 addresses configured,
49 and neither DHCPv6 nor IPv6LL enabled, shall be considered to have no
50 IPv6 support. IPv6 will be automatically disabled for that interface by
51 writing "1" to /proc/sys/net/ipv6/conf/ifname/disable_ipv6.
52
54 The network file contains a "[Match]" section, which determines if a
55 given network file may be applied to a given device; and a "[Network]"
56 section specifying how the device should be configured. The first (in
57 lexical order) of the network files that matches a given device is
58 applied, all later files are ignored, even if they match as well.
59 A network file is said to match a network interface if all matches
61 specified by the "[Match]" section are satisfied. When a network file
62 does not contain valid settings in "[Match]" section, then the file
63 will match all interfaces and systemd-networkd warns about that. Hint:
64 to avoid the warning and to make it clear that all interfaces shall be
65 matched, add the following:
66 Name=*
68 The following keys are accepted:
70 MACAddress=
72 A whitespace-separated list of hardware addresses. Use full colon-,
73 hyphen- or dot-delimited hexadecimal. See the example below. This
74 option may appear more than once, in which case the lists are
75 merged. If the empty string is assigned to this option, the list of
76 hardware addresses defined prior to this is reset.
77 Example:
79 MACAddress=01:23:45:67:89:ab 00-11-22-33-44-55 AABB.CCDD.EEFF
81 PermanentMACAddress=
83 A whitespace-separated list of hardware's permanent addresses.
84 While MACAddress= matches the device's current MAC address, this
85 matches the device's permanent MAC address, which may be different
86 from the current one. Use full colon-, hyphen- or dot-delimited
87 hexadecimal. This option may appear more than once, in which case
88 the lists are merged. If the empty string is assigned to this
89 option, the list of hardware addresses defined prior to this is
90 reset.
91 Path=
93 A whitespace-separated list of shell-style globs matching the
94 persistent path, as exposed by the udev property ID_PATH.
95 Driver=
97 A whitespace-separated list of shell-style globs matching the
98 driver currently bound to the device, as exposed by the udev
99 property ID_NET_DRIVER of its parent device, or if that is not set,
100 the driver as exposed by ethtool -i of the device itself. If the
101 list is prefixed with a "!", the test is inverted.
102 Type=
104 A whitespace-separated list of shell-style globs matching the
105 device type, as exposed by networkctl status. If the list is
106 prefixed with a "!", the test is inverted.
107 Property=
109 A whitespace-separated list of udev property name with its value
110 after a equal ("="). If multiple properties are specified, the test
111 results are ANDed. If the list is prefixed with a "!", the test is
112 inverted. If a value contains white spaces, then please quote whole
113 key and value pair. If a value contains quotation, then please
114 escape the quotation with "\".
115 Example: if a .link file has the following:
117 Property=ID_MODEL_ID=9999 "ID_VENDOR_FROM_DATABASE=vendor name" "KEY=with \"quotation\""
119 then, the .link file matches only when an interface has all the
121 above three properties.
122 Name=
124 A whitespace-separated list of shell-style globs matching the
125 device name, as exposed by the udev property "INTERFACE", or
126 device's alternative names. If the list is prefixed with a "!", the
127 test is inverted.
128 WLANInterfaceType=
130 A whitespace-separated list of wireless network type. Supported
131 values are "ad-hoc", "station", "ap", "ap-vlan", "wds", "monitor",
132 "mesh-point", "p2p-client", "p2p-go", "p2p-device", "ocb", and
133 "nan". If the list is prefixed with a "!", the test is inverted.
134 SSID=
136 A whitespace-separated list of shell-style globs matching the SSID
137 of the currently connected wireless LAN. If the list is prefixed
138 with a "!", the test is inverted.
139 BSSID=
141 A whitespace-separated list of hardware address of the currently
142 connected wireless LAN. Use full colon-, hyphen- or dot-delimited
143 hexadecimal. See the example in MACAddress=. This option may appear
144 more than one, in which case the lists are merged. If the empty
145 string is assigned to this option, the list of BSSID defined prior
146 to this is reset.
147 Host=
149 Matches against the hostname or machine ID of the host. See
150 ConditionHost= in systemd.unit(5) for details. When prefixed with
151 an exclamation mark ("!"), the result is negated. If an empty
152 string is assigned, then previously assigned value is cleared.
153 Virtualization=
155 Checks whether the system is executed in a virtualized environment
156 and optionally test whether it is a specific implementation. See
157 ConditionVirtualization= in systemd.unit(5) for details. When
158 prefixed with an exclamation mark ("!"), the result is negated. If
159 an empty string is assigned, then previously assigned value is
160 cleared.
161 KernelCommandLine=
163 Checks whether a specific kernel command line option is set. See
164 ConditionKernelCommandLine= in systemd.unit(5) for details. When
165 prefixed with an exclamation mark ("!"), the result is negated. If
166 an empty string is assigned, then previously assigned value is
167 cleared.
168 KernelVersion=
170 Checks whether the kernel version (as reported by uname -r) matches
171 a certain expression. See ConditionKernelVersion= in
172 systemd.unit(5) for details. When prefixed with an exclamation mark
173 ("!"), the result is negated. If an empty string is assigned, then
174 previously assigned value is cleared.
175 Architecture=
177 Checks whether the system is running on a specific architecture.
178 See ConditionArchitecture= in systemd.unit(5) for details. When
179 prefixed with an exclamation mark ("!"), the result is negated. If
180 an empty string is assigned, then previously assigned value is
181 cleared.
182
184 The "[Link]" section accepts the following keys:
185 MACAddress=
187 The hardware address to set for the device.
188 MTUBytes=
190 The maximum transmission unit in bytes to set for the device. The
191 usual suffixes K, M, G, are supported and are understood to the
192 base of 1024.
193 Note that if IPv6 is enabled on the interface, and the MTU is
195 chosen below 1280 (the minimum MTU for IPv6) it will automatically
196 be increased to this value.
197 ARP=
199 Takes a boolean. If set to true, the ARP (low-level Address
200 Resolution Protocol) for this interface is enabled. When unset, the
201 kernel's default will be used.
202 For example, disabling ARP is useful when creating multiple MACVLAN
204 or VLAN virtual interfaces atop a single lower-level physical
205 interface, which will then only serve as a link/"bridge" device
206 aggregating traffic to the same physical link and not participate
207 in the network otherwise.
208 Multicast=
210 Takes a boolean. If set to true, the multicast flag on the device
211 is enabled.
212 AllMulticast=
214 Takes a boolean. If set to true, the driver retrieves all multicast
215 packets from the network. This happens when multicast routing is
216 enabled.
217 Unmanaged=
219 Takes a boolean. When "yes", no attempts are made to bring up or
220 configure matching links, equivalent to when there are no matching
221 network files. Defaults to "no".
222 This is useful for preventing later matching network files from
224 interfering with certain interfaces that are fully controlled by
225 other applications.
226 RequiredForOnline=
228 Takes a boolean or a minimum operational state and an optional
229 maximum operational state. Please see networkctl(1) for possible
230 operational states. When "yes", the network is deemed required when
231 determining whether the system is online when running
232 systemd-networkd-wait-online. When "no", the network is ignored
233 when checking for online state. When a minimum operational state
234 and an optional maximum operational state are set, "yes" is
235 implied, and this controls the minimum and maximum operational
236 state required for the network interface to be considered online.
237 Defaults to "yes".
238 The network will be brought up normally in all cases, but in the
240 event that there is no address being assigned by DHCP or the cable
241 is not plugged in, the link will simply remain offline and be
242 skipped automatically by systemd-networkd-wait-online if
243 "RequiredForOnline=no".
244
246 The "[Network]" section accepts the following keys:
247 Description=
249 A description of the device. This is only used for presentation
250 purposes.
251 DHCP=
253 Enables DHCPv4 and/or DHCPv6 client support. Accepts "yes", "no",
254 "ipv4", or "ipv6". Defaults to "no".
255 Note that DHCPv6 will by default be triggered by Router
257 Advertisement, if that is enabled, regardless of this parameter. By
258 enabling DHCPv6 support explicitly, the DHCPv6 client will be
259 started regardless of the presence of routers on the link, or what
260 flags the routers pass. See "IPv6AcceptRA=".
261 Furthermore, note that by default the domain name specified through
263 DHCP is not used for name resolution. See option UseDomains= below.
264 See the "[DHCPv4]" or "[DHCPv6]" section below for further
266 configuration options for the DHCP client support.
267 DHCPServer=
269 Takes a boolean. If set to "yes", DHCPv4 server will be started.
270 Defaults to "no". Further settings for the DHCP server may be set
271 in the "[DHCPServer]" section described below.
272 LinkLocalAddressing=
274 Enables link-local address autoconfiguration. Accepts "yes", "no",
275 "ipv4", "ipv6", "fallback", or "ipv4-fallback". If "fallback" or
276 "ipv4-fallback" is specified, then an IPv4 link-local address is
277 configured only when DHCPv4 fails. If "fallback", an IPv6
278 link-local address is always configured, and if "ipv4-fallback",
279 the address is not configured. Note that, the fallback mechanism
280 works only when DHCPv4 client is enabled, that is, it requires
281 "DHCP=yes" or "DHCP=ipv4". If Bridge= is set, defaults to "no", and
282 if not, defaults to "ipv6".
283 IPv4LLRoute=
285 Takes a boolean. If set to true, sets up the route needed for
286 non-IPv4LL hosts to communicate with IPv4LL-only hosts. Defaults to
287 false.
288 DefaultRouteOnDevice=
290 Takes a boolean. If set to true, sets up the default route bound to
291 the interface. Defaults to false. This is useful when creating
292 routes on point-to-point interfaces. This is equivalent to e.g. the
293 following.
294 ip route add default dev veth99
296 IPv6Token=
298 Specifies an optional address generation mode and a required IPv6
299 address. If the mode is present, the two parts must be separated
300 with a colon "mode:address". The address generation mode may be
301 either prefixstable or static. If not specified, static is assumed.
302 When the mode is set to static, or unspecified, the lower bits of
304 the supplied address are combined with the upper bits of a prefix
305 received in a Router Advertisement message to form a complete
306 address. Note that if multiple prefixes are received in an RA
307 message, or in multiple RA messages, addresses will be formed from
308 each of them using the supplied address. This mode implements SLAAC
309 but uses a static interface identifier instead of an identifier
310 generated using the EUI-64 algorithm. Because the interface
311 identifier is static, if Duplicate Address Detection detects that
312 the computed address is a duplicate (in use by another node on the
313 link), then this mode will fail to provide an address for that
314 prefix.
315 When the mode is set to "prefixstable" the RFC 7217 algorithm for
317 generating interface identifiers will be used, but only when a
318 prefix received in an RA message matches the supplied address. See
319 RFC 7217[1]. Prefix matching will be attempted against each
320 prefixstable IPv6Token variable provided in the configuration; if a
321 received prefix does not match any of the provided addresses, then
322 the EUI-64 algorithm will be used to form an interface identifier
323 for that prefix. This mode is also SLAAC, but with a potentially
324 stable interface identifier which does not directly map to the
325 interface's hardware address. Note that the prefixstable algorithm
326 includes both the interface's name and MAC address in the hash used
327 to compute the interface identifier, so if either of those are
328 changed the resulting interface identifier (and address) will
329 change, even if the prefix received in the RA message has not
330 changed. Note that if multiple prefixstable IPv6Token variables are
331 supplied with addresses that match a prefix received in an RA
332 message, only the first one will be used to generate addresses.
333 LLMNR=
335 Takes a boolean or "resolve". When true, enables Link-Local
336 Multicast Name Resolution[2] on the link. When set to "resolve",
337 only resolution is enabled, but not host registration and
338 announcement. Defaults to true. This setting is read by systemd-
339 resolved.service(8).
340 MulticastDNS=
342 Takes a boolean or "resolve". When true, enables Multicast DNS[3]
343 support on the link. When set to "resolve", only resolution is
344 enabled, but not host or service registration and announcement.
345 Defaults to false. This setting is read by systemd-
346 resolved.service(8).
347 DNSOverTLS=
349 Takes a boolean or "opportunistic". When true, enables
350 DNS-over-TLS[4] support on the link. When set to "opportunistic",
351 compatibility with non-DNS-over-TLS servers is increased, by
352 automatically turning off DNS-over-TLS servers in this case. This
353 option defines a per-interface setting for resolved.conf(5)'s
354 global DNSOverTLS= option. Defaults to false. This setting is read
355 by systemd-resolved.service(8).
356 DNSSEC=
358 Takes a boolean. or "allow-downgrade". When true, enables DNSSEC[5]
359 DNS validation support on the link. When set to "allow-downgrade",
360 compatibility with non-DNSSEC capable networks is increased, by
361 automatically turning off DNSSEC in this case. This option defines
362 a per-interface setting for resolved.conf(5)'s global DNSSEC=
363 option. Defaults to false. This setting is read by systemd-
364 resolved.service(8).
365 DNSSECNegativeTrustAnchors=
367 A space-separated list of DNSSEC negative trust anchor domains. If
368 specified and DNSSEC is enabled, look-ups done via the interface's
369 DNS server will be subject to the list of negative trust anchors,
370 and not require authentication for the specified domains, or
371 anything below it. Use this to disable DNSSEC authentication for
372 specific private domains, that cannot be proven valid using the
373 Internet DNS hierarchy. Defaults to the empty list. This setting is
374 read by systemd-resolved.service(8).
375 LLDP=
377 Controls support for Ethernet LLDP packet reception. LLDP is a
378 link-layer protocol commonly implemented on professional routers
379 and bridges which announces which physical port a system is
380 connected to, as well as other related data. Accepts a boolean or
381 the special value "routers-only". When true, incoming LLDP packets
382 are accepted and a database of all LLDP neighbors maintained. If
383 "routers-only" is set only LLDP data of various types of routers is
384 collected and LLDP data about other types of devices ignored (such
385 as stations, telephones and others). If false, LLDP reception is
386 disabled. Defaults to "routers-only". Use networkctl(1) to query
387 the collected neighbor data. LLDP is only available on Ethernet
388 links. See EmitLLDP= below for enabling LLDP packet emission from
389 the local system.
390 EmitLLDP=
392 Controls support for Ethernet LLDP packet emission. Accepts a
393 boolean parameter or the special values "nearest-bridge",
394 "non-tpmr-bridge" and "customer-bridge". Defaults to false, which
395 turns off LLDP packet emission. If not false, a short LLDP packet
396 with information about the local system is sent out in regular
397 intervals on the link. The LLDP packet will contain information
398 about the local host name, the local machine ID (as stored in
399 machine-id(5)) and the local interface name, as well as the pretty
400 hostname of the system (as set in machine-info(5)). LLDP emission
401 is only available on Ethernet links. Note that this setting passes
402 data suitable for identification of host to the network and should
403 thus not be enabled on untrusted networks, where such
404 identification data should not be made available. Use this option
405 to permit other systems to identify on which interfaces they are
406 connected to this system. The three special values control
407 propagation of the LLDP packets. The "nearest-bridge" setting
408 permits propagation only to the nearest connected bridge,
409 "non-tpmr-bridge" permits propagation across Two-Port MAC Relays,
410 but not any other bridges, and "customer-bridge" permits
411 propagation until a customer bridge is reached. For details about
412 these concepts, see IEEE 802.1AB-2016[6]. Note that configuring
413 this setting to true is equivalent to "nearest-bridge", the
414 recommended and most restricted level of propagation. See LLDP=
415 above for an option to enable LLDP reception.
416 BindCarrier=
418 A link name or a list of link names. When set, controls the
419 behavior of the current link. When all links in the list are in an
420 operational down state, the current link is brought down. When at
421 least one link has carrier, the current interface is brought up.
422 Address=
424 A static IPv4 or IPv6 address and its prefix length, separated by a
425 "/" character. Specify this key more than once to configure several
426 addresses. The format of the address must be as described in
427 inet_pton(3). This is a short-hand for an [Address] section only
428 containing an Address key (see below). This option may be specified
429 more than once.
430 If the specified address is "0.0.0.0" (for IPv4) or "::" (for
432 IPv6), a new address range of the requested size is automatically
433 allocated from a system-wide pool of unused ranges. Note that the
434 prefix length must be equal or larger than 8 for IPv4, and 64 for
435 IPv6. The allocated range is checked against all current network
436 interfaces and all known network configuration files to avoid
437 address range conflicts. The default system-wide pool consists of
438 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8 for IPv4, and fd00::/8
439 for IPv6. This functionality is useful to manage a large number of
440 dynamically created network interfaces with the same network
441 configuration and automatic address range assignment.
442 Gateway=
444 The gateway address, which must be in the format described in
445 inet_pton(3). This is a short-hand for a [Route] section only
446 containing a Gateway key. This option may be specified more than
447 once.
448 DNS=
450 A DNS server address, which must be in the format described in
451 inet_pton(3). This option may be specified more than once. This
452 setting is read by systemd-resolved.service(8).
453 Domains=
455 A whitespace-separated list of domains which should be resolved
456 using the DNS servers on this link. Each item in the list should be
457 a domain name, optionally prefixed with a tilde ("~"). The domains
458 with the prefix are called "routing-only domains". The domains
459 without the prefix are called "search domains" and are first used
460 as search suffixes for extending single-label host names (host
461 names containing no dots) to become fully qualified domain names
462 (FQDNs). If a single-label host name is resolved on this interface,
463 each of the specified search domains are appended to it in turn,
464 converting it into a fully qualified domain name, until one of them
465 may be successfully resolved.
466 Both "search" and "routing-only" domains are used for routing of
468 DNS queries: look-ups for host names ending in those domains (hence
469 also single label names, if any "search domains" are listed), are
470 routed to the DNS servers configured for this interface. The domain
471 routing logic is particularly useful on multi-homed hosts with DNS
472 servers serving particular private DNS zones on each interface.
473 The "routing-only" domain "~." (the tilde indicating definition of
475 a routing domain, the dot referring to the DNS root domain which is
476 the implied suffix of all valid DNS names) has special effect. It
477 causes all DNS traffic which does not match another configured
478 domain routing entry to be routed to DNS servers specified for this
479 interface. This setting is useful to prefer a certain set of DNS
480 servers if a link on which they are connected is available.
481 This setting is read by systemd-resolved.service(8). "Search
483 domains" correspond to the domain and search entries in
484 resolv.conf(5). Domain name routing has no equivalent in the
485 traditional glibc API, which has no concept of domain name servers
486 limited to a specific link.
487 DNSDefaultRoute=
489 Takes a boolean argument. If true, this link's configured DNS
490 servers are used for resolving domain names that do not match any
491 link's configured Domains= setting. If false, this link's
492 configured DNS servers are never used for such domains, and are
493 exclusively used for resolving names that match at least one of the
494 domains configured on this link. If not specified defaults to an
495 automatic mode: queries not matching any link's configured domains
496 will be routed to this link if it has no routing-only domains
497 configured.
498 NTP=
500 An NTP server address. This option may be specified more than once.
501 This setting is read by systemd-timesyncd.service(8).
502 IPForward=
504 Configures IP packet forwarding for the system. If enabled,
505 incoming packets on any network interface will be forwarded to any
506 other interfaces according to the routing table. Takes a boolean,
507 or the values "ipv4" or "ipv6", which only enable IP packet
508 forwarding for the specified address family. This controls the
509 net.ipv4.ip_forward and net.ipv6.conf.all.forwarding sysctl options
510 of the network interface (see ip-sysctl.txt[7] for details about
511 sysctl options). Defaults to "no".
512 Note: this setting controls a global kernel option, and does so one
514 way only: if a network that has this setting enabled is set up the
515 global setting is turned on. However, it is never turned off again,
516 even after all networks with this setting enabled are shut down
517 again.
518 To allow IP packet forwarding only between specific network
520 interfaces use a firewall.
521 IPMasquerade=
523 Configures IP masquerading for the network interface. If enabled,
524 packets forwarded from the network interface will be appear as
525 coming from the local host. Takes a boolean argument. Implies
526 IPForward=ipv4. Defaults to "no".
527 IPv6PrivacyExtensions=
529 Configures use of stateless temporary addresses that change over
530 time (see RFC 4941[8], Privacy Extensions for Stateless Address
531 Autoconfiguration in IPv6). Takes a boolean or the special values
532 "prefer-public" and "kernel". When true, enables the privacy
533 extensions and prefers temporary addresses over public addresses.
534 When "prefer-public", enables the privacy extensions, but prefers
535 public addresses over temporary addresses. When false, the privacy
536 extensions remain disabled. When "kernel", the kernel's default
537 setting will be left in place. Defaults to "no".
538 IPv6AcceptRA=
540 Takes a boolean. Controls IPv6 Router Advertisement (RA) reception
541 support for the interface. If true, RAs are accepted; if false, RAs
542 are ignored. When RAs are accepted, they may trigger the start of
543 the DHCPv6 client if the relevant flags are set in the RA data, or
544 if no routers are found on the link. The default is to disable RA
545 reception for bridge devices or when IP forwarding is enabled, and
546 to enable it otherwise. Cannot be enabled on bond devices and when
547 link local adressing is disabled.
548 Further settings for the IPv6 RA support may be configured in the
550 "[IPv6AcceptRA]" section, see below.
551 Also see ip-sysctl.txt[7] in the kernel documentation regarding
553 "accept_ra", but note that systemd's setting of 1 (i.e. true)
554 corresponds to kernel's setting of 2.
555 Note that kernel's implementation of the IPv6 RA protocol is always
557 disabled, regardless of this setting. If this option is enabled, a
558 userspace implementation of the IPv6 RA protocol is used, and the
559 kernel's own implementation remains disabled, since
560 systemd-networkd needs to know all details supplied in the
561 advertisements, and these are not available from the kernel if the
562 kernel's own implementation is used.
563 IPv6DuplicateAddressDetection=
565 Configures the amount of IPv6 Duplicate Address Detection (DAD)
566 probes to send. When unset, the kernel's default will be used.
567 IPv6HopLimit=
569 Configures IPv6 Hop Limit. For each router that forwards the
570 packet, the hop limit is decremented by 1. When the hop limit field
571 reaches zero, the packet is discarded. When unset, the kernel's
572 default will be used.
573 IPv4ProxyARP=
575 Takes a boolean. Configures proxy ARP for IPv4. Proxy ARP is the
576 technique in which one host, usually a router, answers ARP requests
577 intended for another machine. By "faking" its identity, the router
578 accepts responsibility for routing packets to the "real"
579 destination. (see RFC 1027[9]. When unset, the kernel's default
580 will be used.
581 IPv6ProxyNDP=
583 Takes a boolean. Configures proxy NDP for IPv6. Proxy NDP (Neighbor
584 Discovery Protocol) is a technique for IPv6 to allow routing of
585 addresses to a different destination when peers expect them to be
586 present on a certain physical link. In this case a router answers
587 Neighbour Advertisement messages intended for another machine by
588 offering its own MAC address as destination. Unlike proxy ARP for
589 IPv4, it is not enabled globally, but will only send Neighbour
590 Advertisement messages for addresses in the IPv6 neighbor proxy
591 table, which can also be shown by ip -6 neighbour show proxy.
592 systemd-networkd will control the per-interface `proxy_ndp` switch
593 for each configured interface depending on this option. When unset,
594 the kernel's default will be used.
595 IPv6ProxyNDPAddress=
597 An IPv6 address, for which Neighbour Advertisement messages will be
598 proxied. This option may be specified more than once.
599 systemd-networkd will add the IPv6ProxyNDPAddress= entries to the
600 kernel's IPv6 neighbor proxy table. This option implies
601 IPv6ProxyNDP=yes but has no effect if IPv6ProxyNDP has been set to
602 false. When unset, the kernel's default will be used.
603 IPv6PrefixDelegation=
605 Whether to enable or disable Router Advertisement sending on a
606 link. Allowed values are "static" which distributes prefixes as
607 defined in the "[IPv6PrefixDelegation]" and any "[IPv6Prefix]"
608 sections, "dhcpv6" which requests prefixes using a DHCPv6 client
609 configured for another link and any values configured in the
610 "[IPv6PrefixDelegation]" section while ignoring all static prefix
611 configuration sections, "yes" which uses both static configuration
612 and DHCPv6, and "false" which turns off IPv6 prefix delegation
613 altogether. Defaults to "false". See the "[IPv6PrefixDelegation]"
614 and the "[IPv6Prefix]" sections for more configuration options.
615 IPv6MTUBytes=
617 Configures IPv6 maximum transmission unit (MTU). An integer greater
618 than or equal to 1280 bytes. When unset, the kernel's default will
619 be used.
620 Bridge=
622 The name of the bridge to add the link to. See systemd.netdev(5).
623 Bond=
625 The name of the bond to add the link to. See systemd.netdev(5).
626 VRF=
628 The name of the VRF to add the link to. See systemd.netdev(5).
629 VLAN=
631 The name of a VLAN to create on the link. See systemd.netdev(5).
632 This option may be specified more than once.
633 IPVLAN=
635 The name of a IPVLAN to create on the link. See systemd.netdev(5).
636 This option may be specified more than once.
637 MACVLAN=
639 The name of a MACVLAN to create on the link. See systemd.netdev(5).
640 This option may be specified more than once.
641 VXLAN=
643 The name of a VXLAN to create on the link. See systemd.netdev(5).
644 This option may be specified more than once.
645 Tunnel=
647 The name of a Tunnel to create on the link. See systemd.netdev(5).
648 This option may be specified more than once.
649 MACsec=
651 The name of a MACsec device to create on the link. See
652 systemd.netdev(5). This option may be specified more than once.
653 ActiveSlave=
655 Takes a boolean. Specifies the new active slave. The "ActiveSlave="
656 option is only valid for following modes: "active-backup",
657 "balance-alb" and "balance-tlb". Defaults to false.
658 PrimarySlave=
660 Takes a boolean. Specifies which slave is the primary device. The
661 specified device will always be the active slave while it is
662 available. Only when the primary is off-line will alternate devices
663 be used. This is useful when one slave is preferred over another,
664 e.g. when one slave has higher throughput than another. The
665 "PrimarySlave=" option is only valid for following modes:
666 "active-backup", "balance-alb" and "balance-tlb". Defaults to
667 false.
668 ConfigureWithoutCarrier=
670 Takes a boolean. Allows networkd to configure a specific link even
671 if it has no carrier. Defaults to false.
672 IgnoreCarrierLoss=
674 A boolean. Allows networkd to retain both the static and dynamic
675 configuration of the interface even if its carrier is lost.
676 Defaults to false.
677 Xfrm=
679 The name of the xfrm to create on the link. See systemd.netdev(5).
680 This option may be specified more than once.
681 KeepConfiguration=
683 Takes a boolean or one of "static", "dhcp-on-stop", "dhcp". When
684 "static", systemd-networkd will not drop static addresses and
685 routes on starting up process. When set to "dhcp-on-stop",
686 systemd-networkd will not drop addresses and routes on stopping the
687 daemon. When "dhcp", the addresses and routes provided by a DHCP
688 server will never be dropped even if the DHCP lease expires. This
689 is contrary to the DHCP specification, but may be the best choice
690 if, e.g., the root filesystem relies on this connection. The
691 setting "dhcp" implies "dhcp-on-stop", and "yes" implies "dhcp" and
692 "static". Defaults to "no".
693
695 An "[Address]" section accepts the following keys. Specify several
696 "[Address]" sections to configure several addresses.
697 Address=
699 As in the "[Network]" section. This key is mandatory. Each
700 "[Address]" section can contain one Address= setting.
701 Peer=
703 The peer address in a point-to-point connection. Accepts the same
704 format as the Address= key.
705 Broadcast=
707 The broadcast address, which must be in the format described in
708 inet_pton(3). This key only applies to IPv4 addresses. If it is not
709 given, it is derived from the Address= key.
710 Label=
712 An address label.
713 PreferredLifetime=
715 Allows the default "preferred lifetime" of the address to be
716 overridden. Only three settings are accepted: "forever" or
717 "infinity" which is the default and means that the address never
718 expires, and "0" which means that the address is considered
719 immediately "expired" and will not be used, unless explicitly
720 requested. A setting of PreferredLifetime=0 is useful for addresses
721 which are added to be used only by a specific application, which is
722 then configured to use them explicitly.
723 Scope=
725 The scope of the address, which can be "global", "link" or "host"
726 or an unsigned integer ranges 0 to 255. Defaults to "global".
727 HomeAddress=
729 Takes a boolean. Designates this address the "home address" as
730 defined in RFC 6275[10]. Supported only on IPv6. Defaults to false.
731 DuplicateAddressDetection=
733 Takes one of "ipv4", "ipv6", "both", "none". When "ipv4", performs
734 IPv4 Duplicate Address Detection. See RFC 5224[11]. When "ipv6",
735 performs IPv6 Duplicate Address Detection. See RFC 4862[12].
736 Defaults to "ipv6".
737 ManageTemporaryAddress=
739 Takes a boolean. If true the kernel manage temporary addresses
740 created from this one as template on behalf of Privacy Extensions
741 RFC 3041[13]. For this to become active, the use_tempaddr sysctl
742 setting has to be set to a value greater than zero. The given
743 address needs to have a prefix length of 64. This flag allows using
744 privacy extensions in a manually configured network, just like if
745 stateless auto-configuration was active. Defaults to false.
746 AddPrefixRoute=
748 Takes a boolean. When true, the prefix route for the address is
749 automatically added. Defaults to true.
750 AutoJoin=
752 Takes a boolean. Joining multicast group on ethernet level via ip
753 maddr command would not work if we have an Ethernet switch that
754 does IGMP snooping since the switch would not replicate multicast
755 packets on ports that did not have IGMP reports for the multicast
756 addresses. Linux vxlan interfaces created via ip link add vxlan or
757 networkd's netdev kind vxlan have the group option that enables
758 then to do the required join. By extending ip address command with
759 option "autojoin" we can get similar functionality for openvswitch
760 (OVS) vxlan interfaces as well as other tunneling mechanisms that
761 need to receive multicast traffic. Defaults to "no".
762
764 A "[Neighbor]" section accepts the following keys. The neighbor section
765 adds a permanent, static entry to the neighbor table (IPv6) or ARP
766 table (IPv4) for the given hardware address on the links matched for
767 the network. Specify several "[Neighbor]" sections to configure several
768 static neighbors.
769 Address=
771 The IP address of the neighbor.
772 LinkLayerAddress=
774 The link layer address (MAC address or IP address) of the neighbor.
775
777 An "[IPv6AddressLabel]" section accepts the following keys. Specify
778 several "[IPv6AddressLabel]" sections to configure several address
779 labels. IPv6 address labels are used for address selection. See RFC
780 3484[14]. Precedence is managed by userspace, and only the label itself
781 is stored in the kernel
782 Label=
784 The label for the prefix (an unsigned integer) ranges 0 to
785 4294967294. 0xffffffff is reserved. This key is mandatory.
786 Prefix=
788 IPv6 prefix is an address with a prefix length, separated by a
789 slash "/" character. This key is mandatory.
790
792 An "[RoutingPolicyRule]" section accepts the following keys. Specify
793 several "[RoutingPolicyRule]" sections to configure several rules.
794 TypeOfService=
796 Specifies the type of service to match a number between 0 to 255.
797 From=
799 Specifies the source address prefix to match. Possibly followed by
800 a slash and the prefix length.
801 To=
803 Specifies the destination address prefix to match. Possibly
804 followed by a slash and the prefix length.
805 FirewallMark=
807 Specifies the iptables firewall mark value to match (a number
808 between 1 and 4294967295).
809 Table=
811 Specifies the routing table identifier to lookup if the rule
812 selector matches. Takes one of "default", "main", and "local", or a
813 number between 1 and 4294967295. Defaults to "main".
814 Priority=
816 Specifies the priority of this rule. Priority= is an unsigned
817 integer. Higher number means lower priority, and rules get
818 processed in order of increasing number.
819 IncomingInterface=
821 Specifies incoming device to match. If the interface is loopback,
822 the rule only matches packets originating from this host.
823 OutgoingInterface=
825 Specifies the outgoing device to match. The outgoing interface is
826 only available for packets originating from local sockets that are
827 bound to a device.
828 SourcePort=
830 Specifies the source IP port or IP port range match in forwarding
831 information base (FIB) rules. A port range is specified by the
832 lower and upper port separated by a dash. Defaults to unset.
833 DestinationPort=
835 Specifies the destination IP port or IP port range match in
836 forwarding information base (FIB) rules. A port range is specified
837 by the lower and upper port separated by a dash. Defaults to unset.
838 IPProtocol=
840 Specifies the IP protocol to match in forwarding information base
841 (FIB) rules. Takes IP protocol name such as "tcp", "udp" or "sctp",
842 or IP protocol number such as "6" for "tcp" or "17" for "udp".
843 Defaults to unset.
844 InvertRule=
846 A boolean. Specifies whether the rule is to be inverted. Defaults
847 to false.
848 Family=
850 Takes a special value "ipv4", "ipv6", or "both". By default, the
851 address family is determined by the address specified in To= or
852 From=. If neither To= nor From= are specified, then defaults to
853 "ipv4".
854 User=
856 Takes a username, a user ID, or a range of user IDs separated by a
857 dash. Defaults to unset.
858 SuppressPrefixLength=
860 Takes a number N in the range 0-128 and rejects routing decisions
861 that have a prefix length of N or less. Defaults to unset.
862
864 The "[NextHop]" section accepts the following keys. Specify several
865 "[NextHop]" sections to configure several nexthop. Nexthop is used to
866 manipulate entries in the kernel's nexthop tables.
867 Gateway=
869 As in the "[Network]" section. This is mandatory.
870 Id=
872 The id of the nexthop (an unsigned integer). If unspecified or '0'
873 then automatically chosen by kernel.
874
876 The "[Route]" section accepts the following keys. Specify several
877 "[Route]" sections to configure several routes.
878 Gateway=
880 Takes the gateway address or special value "_dhcp". If "_dhcp",
881 then the gateway address provided by DHCP (or in the IPv6 case,
882 provided by IPv6 RA) is used.
883 GatewayOnLink=
885 Takes a boolean. If set to true, the kernel does not have to check
886 if the gateway is reachable directly by the current machine (i.e.,
887 the kernel does not need to check if the gateway is attached to the
888 local network), so that we can insert the route in the kernel table
889 without it being complained about. Defaults to "no".
890 Destination=
892 The destination prefix of the route. Possibly followed by a slash
893 and the prefix length. If omitted, a full-length host route is
894 assumed.
895 Source=
897 The source prefix of the route. Possibly followed by a slash and
898 the prefix length. If omitted, a full-length host route is assumed.
899 Metric=
901 The metric of the route (an unsigned integer).
902 IPv6Preference=
904 Specifies the route preference as defined in RFC4191[15] for Router
905 Discovery messages. Which can be one of "low" the route has a
906 lowest priority, "medium" the route has a default priority or
907 "high" the route has a highest priority.
908 Scope=
910 The scope of the route, which can be "global", "site", "link",
911 "host", or "nowhere". For IPv4 route, defaults to "host" if Type=
912 is "local" or "nat", and "link" if Type= is "broadcast",
913 "multicast", or "anycast". In other cases, defaults to "global".
914 PreferredSource=
916 The preferred source address of the route. The address must be in
917 the format described in inet_pton(3).
918 Table=
920 The table identifier for the route. Takes "default", "main",
921 "local" or a number between 1 and 4294967295. The table can be
922 retrieved using ip route show table num. If unset and Type= is
923 "local", "broadcast", "anycast", or "nat", then "local" is used. In
924 other cases, defaults to "main".
925 Protocol=
927 The protocol identifier for the route. Takes a number between 0 and
928 255 or the special values "kernel", "boot", "static", "ra" and
929 "dhcp". Defaults to "static".
930 Type=
932 Specifies the type for the route. Takes one of "unicast", "local",
933 "broadcast", "anycast", "multicast", "blackhole", "unreachable",
934 "prohibit", "throw", "nat", and "xresolve". If "unicast", a regular
935 route is defined, i.e. a route indicating the path to take to a
936 destination network address. If "blackhole", packets to the defined
937 route are discarded silently. If "unreachable", packets to the
938 defined route are discarded and the ICMP message "Host Unreachable"
939 is generated. If "prohibit", packets to the defined route are
940 discarded and the ICMP message "Communication Administratively
941 Prohibited" is generated. If "throw", route lookup in the current
942 routing table will fail and the route selection process will return
943 to Routing Policy Database (RPDB). Defaults to "unicast".
944 InitialCongestionWindow=
946 The TCP initial congestion window is used during the start of a TCP
947 connection. During the start of a TCP session, when a client
948 requests a resource, the server's initial congestion window
949 determines how many data bytes will be sent during the initial
950 burst of data. Takes a size in bytes between 1 and 4294967295 (2^32
951 - 1). The usual suffixes K, M, G are supported and are understood
952 to the base of 1024. When unset, the kernel's default will be used.
953 InitialAdvertisedReceiveWindow=
955 The TCP initial advertised receive window is the amount of receive
956 data (in bytes) that can initially be buffered at one time on a
957 connection. The sending host can send only that amount of data
958 before waiting for an acknowledgment and window update from the
959 receiving host. Takes a size in bytes between 1 and 4294967295
960 (2^32 - 1). The usual suffixes K, M, G are supported and are
961 understood to the base of 1024. When unset, the kernel's default
962 will be used.
963 QuickAck=
965 Takes a boolean. When true enables TCP quick ack mode for the
966 route. When unset, the kernel's default will be used.
967 FastOpenNoCookie=
969 Takes a boolean. When true enables TCP fastopen without a cookie on
970 a per-route basis. When unset, the kernel's default will be used.
971 TTLPropagate=
973 Takes a boolean. When true enables TTL propagation at Label
974 Switched Path (LSP) egress. When unset, the kernel's default will
975 be used.
976 MTUBytes=
978 The maximum transmission unit in bytes to set for the route. The
979 usual suffixes K, M, G, are supported and are understood to the
980 base of 1024.
981 Note that if IPv6 is enabled on the interface, and the MTU is
983 chosen below 1280 (the minimum MTU for IPv6) it will automatically
984 be increased to this value.
985 IPServiceType=
987 Takes string; "CS6" or "CS4". Used to set IP service type to CS6
988 (network control) or CS4 (Realtime). Defaults to CS6.
989 MultiPathRoute=address[@name] [weight]
991 Configures multipath route. Multipath routing is the technique of
992 using multiple alternative paths through a network. Takes gateway
993 address. Optionally, takes a network interface name or index
994 separated with "@", and a weight in 1..256 for this multipath route
995 separated with whitespace. This setting can be specified multiple
996 times. If an empty string is assigned, then the all previous
997 assignments are cleared.
998
1000 The "[DHCPv4]" section configures the DHCPv4 client, if it is enabled
1001 with the DHCP= setting described above:
1002 UseDNS=
1004 When true (the default), the DNS servers received from the DHCP
1005 server will be used and take precedence over any statically
1006 configured ones.
1007 This corresponds to the nameserver option in resolv.conf(5).
1009 RoutesToDNS=
1011 When true, the routes to the DNS servers received from the DHCP
1012 server will be configured. When UseDNS= is disabled, this setting
1013 is ignored. Defaults to false.
1014 UseNTP=
1016 When true (the default), the NTP servers received from the DHCP
1017 server will be used by systemd-timesyncd and take precedence over
1018 any statically configured ones.
1019 UseSIP=
1021 When true (the default), the SIP servers received from the DHCP
1022 server will be saved at the state files and can be read via
1023 sd_network_link_get_sip_servers() function.
1024 UseMTU=
1026 When true, the interface maximum transmission unit from the DHCP
1027 server will be used on the current link. If MTUBytes= is set, then
1028 this setting is ignored. Defaults to false.
1029 Anonymize=
1031 Takes a boolean. When true, the options sent to the DHCP server
1032 will follow the RFC 7844[16] (Anonymity Profiles for DHCP Clients)
1033 to minimize disclosure of identifying information. Defaults to
1034 false.
1035 This option should only be set to true when MACAddressPolicy= is
1037 set to "random" (see systemd.link(5)).
1038 Note that this configuration will overwrite others. In concrete,
1040 the following variables will be ignored: SendHostname=,
1041 ClientIdentifier=, UseRoutes=, UseMTU=, VendorClassIdentifier=,
1042 UseTimezone=.
1043 With this option enabled DHCP requests will mimic those generated
1045 by Microsoft Windows, in order to reduce the ability to fingerprint
1046 and recognize installations. This means DHCP request sizes will
1047 grow and lease data will be more comprehensive than normally,
1048 though most of the requested data is not actually used.
1049 SendHostname=
1051 When true (the default), the machine's hostname will be sent to the
1052 DHCP server. Note that the machine's hostname must consist only of
1053 7-bit ASCII lower-case characters and no spaces or dots, and be
1054 formatted as a valid DNS domain name. Otherwise, the hostname is
1055 not sent even if this is set to true.
1056 UseHostname=
1058 When true (the default), the hostname received from the DHCP server
1059 will be set as the transient hostname of the system.
1060 Hostname=
1062 Use this value for the hostname which is sent to the DHCP server,
1063 instead of machine's hostname. Note that the specified hostname
1064 must consist only of 7-bit ASCII lower-case characters and no
1065 spaces or dots, and be formatted as a valid DNS domain name.
1066 UseDomains=
1068 Takes a boolean, or the special value "route". When true, the
1069 domain name received from the DHCP server will be used as DNS
1070 search domain over this link, similar to the effect of the Domains=
1071 setting. If set to "route", the domain name received from the DHCP
1072 server will be used for routing DNS queries only, but not for
1073 searching, similar to the effect of the Domains= setting when the
1074 argument is prefixed with "~". Defaults to false.
1075 It is recommended to enable this option only on trusted networks,
1077 as setting this affects resolution of all host names, in particular
1078 of single-label names. It is generally safer to use the supplied
1079 domain only as routing domain, rather than as search domain, in
1080 order to not have it affect local resolution of single-label names.
1081 When set to true, this setting corresponds to the domain option in
1083 resolv.conf(5).
1084 UseRoutes=
1086 When true (the default), the static routes will be requested from
1087 the DHCP server and added to the routing table with a metric of
1088 1024, and a scope of "global", "link" or "host", depending on the
1089 route's destination and gateway. If the destination is on the local
1090 host, e.g., 127.x.x.x, or the same as the link's own address, the
1091 scope will be set to "host". Otherwise if the gateway is null (a
1092 direct route), a "link" scope will be used. For anything else,
1093 scope defaults to "global".
1094 UseTimezone=
1096 When true, the timezone received from the DHCP server will be set
1097 as timezone of the local system. Defaults to "no".
1098 ClientIdentifier=
1100 The DHCPv4 client identifier to use. Takes one of "mac", "duid" or
1101 "duid-only". If set to "mac", the MAC address of the link is used.
1102 If set to "duid", an RFC4361-compliant Client ID, which is the
1103 combination of IAID and DUID (see below), is used. If set to
1104 "duid-only", only DUID is used, this may not be RFC compliant, but
1105 some setups may require to use this. Defaults to "duid".
1106 VendorClassIdentifier=
1108 The vendor class identifier used to identify vendor type and
1109 configuration.
1110 UserClass=
1112 A DHCPv4 client can use UserClass option to identify the type or
1113 category of user or applications it represents. The information
1114 contained in this option is a string that represents the user class
1115 of which the client is a member. Each class sets an identifying
1116 string of information to be used by the DHCP service to classify
1117 clients. Takes a whitespace-separated list of strings.
1118 MaxAttempts=
1120 Specifies how many times the DHCPv4 client configuration should be
1121 attempted. Takes a number or "infinity". Defaults to "infinity".
1122 Note that the time between retries is increased exponentially, so
1123 the network will not be overloaded even if this number is high.
1124 DUIDType=
1126 Override the global DUIDType setting for this network. See
1127 networkd.conf(5) for a description of possible values.
1128 DUIDRawData=
1130 Override the global DUIDRawData setting for this network. See
1131 networkd.conf(5) for a description of possible values.
1132 IAID=
1134 The DHCP Identity Association Identifier (IAID) for the interface,
1135 a 32-bit unsigned integer.
1136 RequestBroadcast=
1138 Request the server to use broadcast messages before the IP address
1139 has been configured. This is necessary for devices that cannot
1140 receive RAW packets, or that cannot receive packets at all before
1141 an IP address has been configured. On the other hand, this must not
1142 be enabled on networks where broadcasts are filtered out.
1143 RouteMetric=
1145 Set the routing metric for routes specified by the DHCP server.
1146 RouteTable=num
1148 The table identifier for DHCP routes (a number between 1 and
1149 4294967295, or 0 to unset). The table can be retrieved using ip
1150 route show table num.
1151 When used in combination with VRF= the VRF's routing table is used
1153 unless this parameter is specified.
1154 RouteMTUBytes=
1156 Specifies the MTU for the DHCP routes. Please see the [Route]
1157 section for further details.
1158 ListenPort=
1160 Allow setting custom port for the DHCP client to listen on.
1161 SendRelease=
1163 When true, the DHCPv4 client sends a DHCP release packet when it
1164 stops. Defaults to true.
1165 SendDecline=
1167 A boolen. When "true", DHCPv4 clients receives IP address from DHCP
1168 server. After new IP is received, DHCPv4 performs IPv4 Duplicate
1169 Address Detection. If duplicate use of IP is detected the DHCPv4
1170 client rejects the IP by sending a DHCPDECLINE packet DHCP clients
1171 try to obtain an IP address again. See RFC 5224[11]. Defaults to
1172 "unset".
1173 BlackList=
1175 A whitespace-separated list of IPv4 addresses. DHCP offers from
1176 servers in the list are rejected.
1177 RequestOptions=
1179 A whitespace-separated list of integers in the range 1–254.
1180 SendOption=
1182 Send an arbitrary option in the DHCPv4 request. Takes a DHCP option
1183 number, data type and data separated with a colon
1184 ("option:type:value"). The option number must be an integer in the
1185 range 1..254. The type takes one of "uint8", "uint16", "uint32",
1186 "ipv4address", or "string". Special characters in the data string
1187 may be escaped using C-style escapes[17]. This setting can be
1188 specified multiple times. If an empty string is specified, then all
1189 options specified earlier are cleared. Defaults to unset.
1190
1192 The "[DHCPv6]" section configures the DHCPv6 client, if it is enabled
1193 with the DHCP= setting described above, or invoked by the IPv6 Router
1194 Advertisement:
1195 UseDNS=, UseNTP=
1197 As in the "[DHCPv4]" section.
1198 RapidCommit=
1200 Takes a boolean. The DHCPv6 client can obtain configuration
1201 parameters from a DHCPv6 server through a rapid two-message
1202 exchange (solicit and reply). When the rapid commit option is
1203 enabled by both the DHCPv6 client and the DHCPv6 server, the
1204 two-message exchange is used, rather than the default four-method
1205 exchange (solicit, advertise, request, and reply). The two-message
1206 exchange provides faster client configuration and is beneficial in
1207 environments in which networks are under a heavy load. See RFC
1208 3315[18] for details. Defaults to true.
1209 ForceDHCPv6PDOtherInformation=
1211 Takes a boolean that enforces DHCPv6 stateful mode when the 'Other
1212 information' bit is set in Router Advertisement messages. By
1213 default setting only the 'O' bit in Router Advertisements makes
1214 DHCPv6 request network information in a stateless manner using a
1215 two-message Information Request and Information Reply message
1216 exchange. RFC 7084[19], requirement WPD-4, updates this behavior
1217 for a Customer Edge router so that stateful DHCPv6 Prefix
1218 Delegation is also requested when only the 'O' bit is set in Router
1219 Advertisements. This option enables such a CE behavior as it is
1220 impossible to automatically distinguish the intention of the 'O'
1221 bit otherwise. By default this option is set to 'false', enable it
1222 if no prefixes are delegated when the device should be acting as a
1223 CE router.
1224 PrefixDelegationHint=
1226 Takes an IPv6 address with prefix length as Address= in the
1227 "[Network]" section. Specifies the DHCPv6 client for the requesting
1228 router to include a prefix-hint in the DHCPv6 solicitation. Prefix
1229 ranges 1-128. Defaults to unset.
1230
1232 The "[IPv6AcceptRA]" section configures the IPv6 Router Advertisement
1233 (RA) client, if it is enabled with the IPv6AcceptRA= setting described
1234 above:
1235 UseDNS=
1237 When true (the default), the DNS servers received in the Router
1238 Advertisement will be used and take precedence over any statically
1239 configured ones.
1240 This corresponds to the nameserver option in resolv.conf(5).
1242 UseDomains=
1244 Takes a boolean, or the special value "route". When true, the
1245 domain name received via IPv6 Router Advertisement (RA) will be
1246 used as DNS search domain over this link, similar to the effect of
1247 the Domains= setting. If set to "route", the domain name received
1248 via IPv6 RA will be used for routing DNS queries only, but not for
1249 searching, similar to the effect of the Domains= setting when the
1250 argument is prefixed with "~". Defaults to false.
1251 It is recommended to enable this option only on trusted networks,
1253 as setting this affects resolution of all host names, in particular
1254 of single-label names. It is generally safer to use the supplied
1255 domain only as routing domain, rather than as search domain, in
1256 order to not have it affect local resolution of single-label names.
1257 When set to true, this setting corresponds to the domain option in
1259 resolv.conf(5).
1260 RouteTable=num
1262 The table identifier for the routes received in the Router
1263 Advertisement (a number between 1 and 4294967295, or 0 to unset).
1264 The table can be retrieved using ip route show table num.
1265 UseAutonomousPrefix=
1267 When true (the default), the autonomous prefix received in the
1268 Router Advertisement will be used and take precedence over any
1269 statically configured ones.
1270 UseOnLinkPrefix=
1272 When true (the default), the onlink prefix received in the Router
1273 Advertisement will be used and take precedence over any statically
1274 configured ones.
1275 BlackList=
1277 A whitespace-separated list of IPv6 prefixes. IPv6 prefixes
1278 supplied via router advertisements in the list are ignored.
1279
1281 The "[DHCPServer]" section contains settings for the DHCP server, if
1282 enabled via the DHCPServer= option described above:
1283 PoolOffset=, PoolSize=
1285 Configures the pool of addresses to hand out. The pool is a
1286 contiguous sequence of IP addresses in the subnet configured for
1287 the server address, which does not include the subnet nor the
1288 broadcast address. PoolOffset= takes the offset of the pool from
1289 the start of subnet, or zero to use the default value. PoolSize=
1290 takes the number of IP addresses in the pool or zero to use the
1291 default value. By default, the pool starts at the first address
1292 after the subnet address and takes up the rest of the subnet,
1293 excluding the broadcast address. If the pool includes the server
1294 address (the default), this is reserved and not handed out to
1295 clients.
1296 DefaultLeaseTimeSec=, MaxLeaseTimeSec=
1298 Control the default and maximum DHCP lease time to pass to clients.
1299 These settings take time values in seconds or another common time
1300 unit, depending on the suffix. The default lease time is used for
1301 clients that did not ask for a specific lease time. If a client
1302 asks for a lease time longer than the maximum lease time, it is
1303 automatically shortened to the specified time. The default lease
1304 time defaults to 1h, the maximum lease time to 12h. Shorter lease
1305 times are beneficial if the configuration data in DHCP leases
1306 changes frequently and clients shall learn the new settings with
1307 shorter latencies. Longer lease times reduce the generated DHCP
1308 network traffic.
1309 EmitDNS=, DNS=
1311 Takes a boolean. Configures whether the DHCP leases handed out to
1312 clients shall contain DNS server information. Defaults to "yes".
1313 The DNS servers to pass to clients may be configured with the DNS=
1314 option, which takes a list of IPv4 addresses. If the EmitDNS=
1315 option is enabled but no servers configured, the servers are
1316 automatically propagated from an "uplink" interface that has
1317 appropriate servers set. The "uplink" interface is determined by
1318 the default route of the system with the highest priority. Note
1319 that this information is acquired at the time the lease is handed
1320 out, and does not take uplink interfaces into account that acquire
1321 DNS or NTP server information at a later point. DNS server
1322 propagation does not take /etc/resolv.conf into account. Also, note
1323 that the leases are not refreshed if the uplink network
1324 configuration changes. To ensure clients regularly acquire the most
1325 current uplink DNS server information, it is thus advisable to
1326 shorten the DHCP lease time via MaxLeaseTimeSec= described above.
1327 EmitNTP=, NTP=
1329 Similar to the EmitDNS= and DNS= settings described above, these
1330 settings configure whether and what NTP server information shall be
1331 emitted as part of the DHCP lease. The same syntax, propagation
1332 semantics and defaults apply as for EmitDNS= and DNS=.
1333 EmitSIP=, SIP=
1335 Similar to the EmitDNS= and DNS= settings described above, these
1336 settings configure whether and what SIP server information shall be
1337 emitted as part of the DHCP lease. The same syntax, propagation
1338 semantics and defaults apply as for EmitDNS= and DNS=.
1339 EmitRouter=
1341 Similar to the EmitDNS= setting described above, this setting
1342 configures whether the DHCP lease should contain the router option.
1343 The same syntax, propagation semantics and defaults apply as for
1344 EmitDNS=.
1345 EmitTimezone=, Timezone=
1347 Takes a boolean. Configures whether the DHCP leases handed out to
1348 clients shall contain timezone information. Defaults to "yes". The
1349 Timezone= setting takes a timezone string (such as "Europe/Berlin"
1350 or "UTC") to pass to clients. If no explicit timezone is set, the
1351 system timezone of the local host is propagated, as determined by
1352 the /etc/localtime symlink.
1353 SendOption=
1355 Send a raw option with value via DHCPv4 server. Takes a DHCP option
1356 number, data type and data ("option:type:value"). The option number
1357 is an integer in the range 1..254. The type takes one of "uint8",
1358 "uint16", "uint32", "ipv4address", or "string". Special characters
1359 in the data string may be escaped using C-style escapes[17]. This
1360 setting can be specified multiple times. If an empty string is
1361 specified, then all options specified earlier are cleared. Defaults
1362 to unset.
1363
1365 The "[IPv6PrefixDelegation]" section contains settings for sending IPv6
1366 Router Advertisements and whether to act as a router, if enabled via
1367 the IPv6PrefixDelegation= option described above. IPv6 network prefixes
1368 are defined with one or more "[IPv6Prefix]" sections.
1369 Managed=, OtherInformation=
1371 Takes a boolean. Controls whether a DHCPv6 server is used to
1372 acquire IPv6 addresses on the network link when Managed= is set to
1373 "true" or if only additional network information can be obtained
1374 via DHCPv6 for the network link when OtherInformation= is set to
1375 "true". Both settings default to "false", which means that a DHCPv6
1376 server is not being used.
1377 RouterLifetimeSec=
1379 Takes a timespan. Configures the IPv6 router lifetime in seconds.
1380 If set, this host also announces itself in Router Advertisements as
1381 an IPv6 router for the network link. When unset, the host is not
1382 acting as a router.
1383 RouterPreference=
1385 Configures IPv6 router preference if RouterLifetimeSec= is
1386 non-zero. Valid values are "high", "medium" and "low", with
1387 "normal" and "default" added as synonyms for "medium" just to make
1388 configuration easier. See RFC 4191[15] for details. Defaults to
1389 "medium".
1390 EmitDNS=, DNS=
1392 DNS= specifies a list of recursive DNS server IPv6 addresses that
1393 are distributed via Router Advertisement messages when EmitDNS= is
1394 true. DNS= also takes special value "_link_local"; in that case
1395 the IPv6 link local address is distributed. If DNS= is empty, DNS
1396 servers are read from the "[Network]" section. If the "[Network]"
1397 section does not contain any DNS servers either, DNS servers from
1398 the uplink with the highest priority default route are used. When
1399 EmitDNS= is false, no DNS server information is sent in Router
1400 Advertisement messages. EmitDNS= defaults to true.
1401 EmitDomains=, Domains=
1403 A list of DNS search domains distributed via Router Advertisement
1404 messages when EmitDomains= is true. If Domains= is empty, DNS
1405 search domains are read from the "[Network]" section. If the
1406 "[Network]" section does not contain any DNS search domains either,
1407 DNS search domains from the uplink with the highest priority
1408 default route are used. When EmitDomains= is false, no DNS search
1409 domain information is sent in Router Advertisement messages.
1410 EmitDomains= defaults to true.
1411 DNSLifetimeSec=
1413 Lifetime in seconds for the DNS server addresses listed in DNS= and
1414 search domains listed in Domains=.
1415
1417 One or more "[IPv6Prefix]" sections contain the IPv6 prefixes that are
1418 announced via Router Advertisements. See RFC 4861[20] for further
1419 details.
1420 AddressAutoconfiguration=, OnLink=
1422 Takes a boolean to specify whether IPv6 addresses can be
1423 autoconfigured with this prefix and whether the prefix can be used
1424 for onlink determination. Both settings default to "true" in order
1425 to ease configuration.
1426 Prefix=
1428 The IPv6 prefix that is to be distributed to hosts. Similarly to
1429 configuring static IPv6 addresses, the setting is configured as an
1430 IPv6 prefix and its prefix length, separated by a "/" character.
1431 Use multiple "[IPv6Prefix]" sections to configure multiple IPv6
1432 prefixes since prefix lifetimes, address autoconfiguration and
1433 onlink status may differ from one prefix to another.
1434 PreferredLifetimeSec=, ValidLifetimeSec=
1436 Preferred and valid lifetimes for the prefix measured in seconds.
1437 PreferredLifetimeSec= defaults to 604800 seconds (one week) and
1438 ValidLifetimeSec= defaults to 2592000 seconds (30 days).
1439
1441 One or more "[IPv6RoutePrefix]" sections contain the IPv6 prefix routes
1442 that are announced via Router Advertisements. See RFC 4191[15] for
1443 further details.
1444 Route=
1446 The IPv6 route that is to be distributed to hosts. Similarly to
1447 configuring static IPv6 routes, the setting is configured as an
1448 IPv6 prefix routes and its prefix route length, separated by a"/"
1449 character. Use multiple "[IPv6PrefixRoutes]" sections to configure
1450 multiple IPv6 prefix routes.
1451 LifetimeSec=
1453 Lifetime for the route prefix measured in seconds. LifetimeSec=
1454 defaults to 604800 seconds (one week).
1455
1457 The "[Bridge]" section accepts the following keys.
1458 UnicastFlood=
1460 Takes a boolean. Controls whether the bridge should flood traffic
1461 for which an FDB entry is missing and the destination is unknown
1462 through this port. When unset, the kernel's default will be used.
1463 MulticastFlood=
1465 Takes a boolean. Controls whether the bridge should flood traffic
1466 for which an MDB entry is missing and the destination is unknown
1467 through this port. When unset, the kernel's default will be used.
1468 MulticastToUnicast=
1470 Takes a boolean. Multicast to unicast works on top of the multicast
1471 snooping feature of the bridge. Which means unicast copies are only
1472 delivered to hosts which are interested in it. When unset, the
1473 kernel's default will be used.
1474 NeighborSuppression=
1476 Takes a boolean. Configures whether ARP and ND neighbor suppression
1477 is enabled for this port. When unset, the kernel's default will be
1478 used.
1479 Learning=
1481 Takes a boolean. Configures whether MAC address learning is enabled
1482 for this port. When unset, the kernel's default will be used.
1483 HairPin=
1485 Takes a boolean. Configures whether traffic may be sent back out of
1486 the port on which it was received. When this flag is false, and the
1487 bridge will not forward traffic back out of the receiving port.
1488 When unset, the kernel's default will be used.
1489 UseBPDU=
1491 Takes a boolean. Configures whether STP Bridge Protocol Data Units
1492 will be processed by the bridge port. When unset, the kernel's
1493 default will be used.
1494 FastLeave=
1496 Takes a boolean. This flag allows the bridge to immediately stop
1497 multicast traffic on a port that receives an IGMP Leave message. It
1498 is only used with IGMP snooping if enabled on the bridge. When
1499 unset, the kernel's default will be used.
1500 AllowPortToBeRoot=
1502 Takes a boolean. Configures whether a given port is allowed to
1503 become a root port. Only used when STP is enabled on the bridge.
1504 When unset, the kernel's default will be used.
1505 ProxyARP=
1507 Takes a boolean. Configures whether proxy ARP to be enabled on this
1508 port. When unset, the kernel's default will be used.
1509 ProxyARPWiFi=
1511 Takes a boolean. Configures whether proxy ARP to be enabled on this
1512 port which meets extended requirements by IEEE 802.11 and Hotspot
1513 2.0 specifications. When unset, the kernel's default will be used.
1514 MulticastRouter=
1516 Configures this port for having multicast routers attached. A port
1517 with a multicast router will receive all multicast traffic. Takes
1518 one of "no" to disable multicast routers on this port, "query" to
1519 let the system detect the presence of routers, "permanent" to
1520 permanently enable multicast traffic forwarding on this port, or
1521 "temporary" to enable multicast routers temporarily on this port,
1522 not depending on incoming queries. When unset, the kernel's default
1523 will be used.
1524 Cost=
1526 Sets the "cost" of sending packets of this interface. Each port in
1527 a bridge may have a different speed and the cost is used to decide
1528 which link to use. Faster interfaces should have lower costs. It is
1529 an integer value between 1 and 65535.
1530 Priority=
1532 Sets the "priority" of sending packets on this interface. Each port
1533 in a bridge may have a different priority which is used to decide
1534 which link to use. Lower value means higher priority. It is an
1535 integer value between 0 to 63. Networkd does not set any default,
1536 meaning the kernel default value of 32 is used.
1537
1539 The "[BridgeFDB]" section manages the forwarding database table of a
1540 port and accepts the following keys. Specify several "[BridgeFDB]"
1541 sections to configure several static MAC table entries.
1542 MACAddress=
1544 As in the "[Network]" section. This key is mandatory.
1545 Destination=
1547 Takes an IP address of the destination VXLAN tunnel endpoint.
1548 VLANId=
1550 The VLAN ID for the new static MAC table entry. If omitted, no VLAN
1551 ID information is appended to the new static MAC table entry.
1552 VNI=
1554 The VXLAN Network Identifier (or VXLAN Segment ID) to use to
1555 connect to the remote VXLAN tunnel endpoint. Takes a number in the
1556 range 1-16777215. Defaults to unset.
1557 AssociatedWith=
1559 Specifies where the address is associated with. Takes one of "use",
1560 "self", "master" or "router". "use" means the address is in use.
1561 User space can use this option to indicate to the kernel that the
1562 fdb entry is in use. "self" means the address is associated with
1563 the port drivers fdb. Usually hardware. "master" means the address
1564 is associated with master devices fdb. "router" means the
1565 destination address is associated with a router. Note that it's
1566 valid if the referenced device is a VXLAN type device and has route
1567 shortcircuit enabled. Defaults to "self".
1568
1570 The "[CAN]" section manages the Controller Area Network (CAN bus) and
1571 accepts the following keys.
1572 BitRate=
1574 The bitrate of CAN device in bits per second. The usual SI prefixes
1575 (K, M) with the base of 1000 can be used here.
1576 SamplePoint=
1578 Optional sample point in percent with one decimal (e.g. "75%",
1579 "87.5%") or permille (e.g. "875‰").
1580 RestartSec=
1582 Automatic restart delay time. If set to a non-zero value, a restart
1583 of the CAN controller will be triggered automatically in case of a
1584 bus-off condition after the specified delay time. Subsecond delays
1585 can be specified using decimals (e.g. "0.1s") or a "ms" or "us"
1586 postfix. Using "infinity" or "0" will turn the automatic restart
1587 off. By default automatic restart is disabled.
1588 TripleSampling=
1590 Takes a boolean. When "yes", three samples (instead of one) are
1591 used to determine the value of a received bit by majority rule.
1592 When unset, the kernel's default will be used.
1593
1595 The "[QDisc]" section manages the traffic control queueing discipline
1596 (qdisc).
1597 Parent=
1599 Specifies the parent Queueing Discipline (qdisc). Takes one of
1600 "clsact" or "ingress". This is mandatory.
1601 Handle=
1603 Specifies the major number of unique identifier of the qdisc, known
1604 as the handle. Takes a number in hexadecimal ranges 1 to ffff.
1605 Defaults to unset.
1606
1608 The "[NetworkEmulator]" section manages the queueing discipline (qdisc)
1609 of the network emulator. It can be used to configure the kernel packet
1610 scheduler and simulate packet delay and loss for UDP or TCP
1611 applications, or limit the bandwidth usage of a particular service to
1612 simulate internet connections.
1613 Parent=
1615 Specifies the parent Queueing Discipline (qdisc). Takes one of
1616 "root", "clsact" or "ingress". Defaults to "root".
1617 Handle=
1619 Specifies the major number of unique identifier of the qdisc, known
1620 as the handle. Takes a number in hexadecimal ranges 1 to ffff.
1621 Defaults to unset.
1622 DelaySec=
1624 Specifies the fixed amount of delay to be added to all packets
1625 going out of the interface. Defaults to unset.
1626 DelayJitterSec=
1628 Specifies the chosen delay to be added to the packets outgoing to
1629 the network interface. Defaults to unset.
1630 PacketLimit=
1632 Specifies the maximum number of packets the qdisc may hold queued
1633 at a time. An unsigned integer ranges 0 to 4294967294. Defaults to
1634 1000.
1635 LossRate=
1637 Specifies an independent loss probability to be added to the
1638 packets outgoing from the network interface. Takes a percentage
1639 value, suffixed with "%". Defaults to unset.
1640 DuplicateRate=
1642 Specifies that the chosen percent of packets is duplicated before
1643 queuing them. Takes a percentage value, suffixed with "%". Defaults
1644 to unset.
1645
1647 The "[TokenBucketFilter]" section manages the queueing discipline
1648 (qdisc) of token bucket filter (tbf).
1649 Parent=
1651 Specifies the parent Queueing Discipline (qdisc). Takes one of
1652 "root", "clsact" or "ingress". Defaults to "root".
1653 Handle=
1655 Specifies the major number of unique identifier of the qdisc, known
1656 as the handle. Takes a number in hexadecimal ranges 1 to ffff.
1657 Defaults to unset.
1658 LatencySec=
1660 Specifies the latency parameter, which specifies the maximum amount
1661 of time a packet can sit in the Token Bucket Filter (TBF). Defaults
1662 to unset.
1663 LimitSize=
1665 Takes the number of bytes that can be queued waiting for tokens to
1666 become available. When the size is suffixed with K, M, or G, it is
1667 parsed as Kilobytes, Megabytes, or Gigabytes, respectively, to the
1668 base of 1000. Defaults to unset.
1669 Burst=
1671 Specifies the size of the bucket. This is the maximum amount of
1672 bytes that tokens can be available for instantaneous transfer. When
1673 the size is suffixed with K, M, or G, it is parsed as Kilobytes,
1674 Megabytes, or Gigabytes, respectively, to the base of 1000.
1675 Defaults to unset.
1676 Rate=
1678 Specifies the device specific bandwidth. When suffixed with K, M,
1679 or G, the specified bandwidth is parsed as Kilobits, Megabits, or
1680 Gigabits, respectively, to the base of 1000. Defaults to unset.
1681 MPUBytes=
1683 The Minimum Packet Unit (MPU) determines the minimal token usage
1684 (specified in bytes) for a packet. When suffixed with K, M, or G,
1685 the specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
1686 respectively, to the base of 1000. Defaults to zero.
1687 PeakRate=
1689 Takes the maximum depletion rate of the bucket. When suffixed with
1690 K, M, or G, the specified size is parsed as Kilobits, Megabits, or
1691 Gigabits, respectively, to the base of 1000. Defaults to unset.
1692 MTUBytes=
1694 Specifies the size of the peakrate bucket. When suffixed with K, M,
1695 or G, the specified size is parsed as Kilobytes, Megabytes, or
1696 Gigabytes, respectively, to the base of 1000. Defaults to unset.
1697
1699 The "[StochasticFairnessQueueing]" section manages the queueing
1700 discipline (qdisc) of stochastic fairness queueing (sfq).
1701 Parent=
1703 Specifies the parent Queueing Discipline (qdisc). Takes one of
1704 "root", "clsact" or "ingress". Defaults to "root".
1705 Handle=
1707 Specifies the major number of unique identifier of the qdisc, known
1708 as the handle. Takes a number in hexadecimal ranges 1 to ffff.
1709 Defaults to unset.
1710 PerturbPeriodSec=
1712 Specifies the interval in seconds for queue algorithm perturbation.
1713 Defaults to unset.
1714
1716 The "[ControlledDelay]" section manages the queueing discipline (qdisc)
1717 of controlled delay (CoDel).
1718 Parent=
1720 Specifies the parent Queueing Discipline (qdisc). Takes one of
1721 "root", "clsact" or "ingress". Defaults to "root".
1722 Handle=
1724 Specifies the major number of unique identifier of the qdisc, known
1725 as the handle. Takes a number in hexadecimal ranges 1 to ffff.
1726 Defaults to unset.
1727 PacketLimit=
1729 Specifies the hard limit on the queue size in number of packets.
1730 When this limit is reached, incoming packets are dropped. An
1731 unsigned integer ranges 0 to 4294967294. Defaults to unset and
1732 kernel's default is used.
1733 TargetSec=
1735 Takes a timespan. Specifies the acceptable minimum
1736 standing/persistent queue delay. Defaults to unset and kernel's
1737 default is used.
1738 IntervalSec=
1740 Takes a timespan. This is used to ensure that the measured minimum
1741 delay does not become too stale. Defaults to unset and kernel's
1742 default is used.
1743 ECN=
1745 Takes a boolean. This can be used to mark packets instead of
1746 dropping them. Defaults to unset and kernel's default is used.
1747 CEThresholdSec=
1749 Takes a timespan. This sets a threshold above which all packets are
1750 marked with ECN Congestion Experienced (CE). Defaults to unset and
1751 kernel's default is used.
1752
1754 The "[FairQueueingControlledDelay]" section manages the queueing
1755 discipline (qdisc) of fair queuing controlled delay (FQ-CoDel).
1756 Parent=
1758 Specifies the parent Queueing Discipline (qdisc). Takes one of
1759 "root", "clsact" or "ingress". Defaults to "root".
1760 Handle=
1762 Specifies the major number of unique identifier of the qdisc, known
1763 as the handle. Takes a number in hexadecimal ranges 1 to ffff.
1764 Defaults to unset.
1765 PacketLimit=
1767 Specifies the hard limit on the real queue size. When this limit is
1768 reached, incoming packets are dropped. Defaults to unset and
1769 kernel's default is used.
1770 MemoryLimit=
1772 Specifies the limit on the total number of bytes that can be queued
1773 in this FQ-CoDel instance. When suffixed with K, M, or G, the
1774 specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
1775 respectively, to the base of 1024. Defaults to unset and kernel's
1776 default is used.
1777 Flows=
1779 Specifies the number of flows into which the incoming packets are
1780 classified. Defaults to unset and kernel's default is used.
1781 TargetSec=
1783 Takes a timespan. Specifies the acceptable minimum
1784 standing/persistent queue delay. Defaults to unset and kernel's
1785 default is used.
1786 IntervalSec=
1788 Takes a timespan. This is used to ensure that the measured minimum
1789 delay does not become too stale. Defaults to unset and kernel's
1790 default is used.
1791 Quantum=
1793 Specifies the number of bytes used as 'deficit' in the fair queuing
1794 algorithmtimespan. When suffixed with K, M, or G, the specified
1795 size is parsed as Kilobytes, Megabytes, or Gigabytes, respectively,
1796 to the base of 1024. Defaults to unset and kernel's default is
1797 used.
1798 ECN=
1800 Takes a boolean. This can be used to mark packets instead of
1801 dropping them. Defaults to unset and kernel's default is used.
1802 CEThresholdSec=
1804 Takes a timespan. This sets a threshold above which all packets are
1805 marked with ECN Congestion Experienced (CE). Defaults to unset and
1806 kernel's default is used.
1807
1809 The "[FairQueueing]" section manages the queueing discipline (qdisc) of
1810 fair queue traffic policing (FQ).
1811 Parent=
1813 Specifies the parent Queueing Discipline (qdisc). Takes one of
1814 "root", "clsact" or "ingress". Defaults to "root".
1815 Handle=
1817 Specifies the major number of unique identifier of the qdisc, known
1818 as the handle. Takes a number in hexadecimal ranges 1 to ffff.
1819 Defaults to unset.
1820 PacketLimit=
1822 Specifies the hard limit on the real queue size. When this limit is
1823 reached, incoming packets are dropped. Defaults to unset and
1824 kernel's default is used.
1825 FlowLimit=
1827 Specifies the hard limit on the maximum number of packets queued
1828 per flow. Defaults to unset and kernel's default is used.
1829 Quantum=
1831 Specifies the credit per dequeue RR round, i.e. the amount of bytes
1832 a flow is allowed to dequeue at once. When suffixed with K, M, or
1833 G, the specified size is parsed as Kilobytes, Megabytes, or
1834 Gigabytes, respectively, to the base of 1024. Defaults to unset and
1835 kernel's default is used.
1836 InitialQuantum=
1838 Specifies the initial sending rate credit, i.e. the amount of bytes
1839 a new flow is allowed to dequeue initially. When suffixed with K,
1840 M, or G, the specified size is parsed as Kilobytes, Megabytes, or
1841 Gigabytes, respectively, to the base of 1024. Defaults to unset and
1842 kernel's default is used.
1843 MaximumRate=
1845 Specifies the maximum sending rate of a flow. When suffixed with K,
1846 M, or G, the specified size is parsed as Kilobits, Megabits, or
1847 Gigabits, respectively, to the base of 1000. Defaults to unset and
1848 kernel's default is used.
1849 Buckets=
1851 Specifies the size of the hash table used for flow lookups.
1852 Defaults to unset and kernel's default is used.
1853 OrphanMask=
1855 Takes an unsigned integer. For packets not owned by a socket, fq is
1856 able to mask a part of hash and reduce number of buckets associated
1857 with the traffic. Defaults to unset and kernel's default is used.
1858 Pacing=
1860 Takes a boolean, and enables or disables flow pacing. Defaults to
1861 unset and kernel's default is used.
1862 CEThresholdSec=
1864 Takes a timespan. This sets a threshold above which all packets are
1865 marked with ECN Congestion Experienced (CE). Defaults to unset and
1866 kernel's default is used.
1867
1869 The "[TrivialLinkEqualizer]" section manages the queueing discipline
1870 (qdisc) of trivial link equalizer (teql).
1871 Parent=
1873 Specifies the parent Queueing Discipline (qdisc). Takes one of
1874 "root", "clsact" or "ingress". Defaults to "root".
1875 Handle=
1877 Specifies the major number of unique identifier of the qdisc, known
1878 as the handle. Takes a number in hexadecimal ranges 1 to ffff.
1879 Defaults to unset.
1880 Id=
1882 Specifies the interface ID "N" of teql. Defaults to "0". Note that
1883 when teql is used, currently, the module sch_teql with
1884 max_equalizers=N+1 option must be loaded before systemd-networkd is
1885 started.
1886
1888 The "[BridgeVLAN]" section manages the VLAN ID configuration of a
1889 bridge port and accepts the following keys. Specify several
1890 "[BridgeVLAN]" sections to configure several VLAN entries. The
1891 VLANFiltering= option has to be enabled, see "[Bridge]" section in
1892 systemd.netdev(5).
1893 VLAN=
1895 The VLAN ID allowed on the port. This can be either a single ID or
1896 a range M-N. VLAN IDs are valid from 1 to 4094.
1897 EgressUntagged=
1899 The VLAN ID specified here will be used to untag frames on egress.
1900 Configuring EgressUntagged= implicates the use of VLAN= above and
1901 will enable the VLAN ID for ingress as well. This can be either a
1902 single ID or a range M-N.
1903 PVID=
1905 The Port VLAN ID specified here is assigned to all untagged frames
1906 at ingress. PVID= can be used only once. Configuring PVID=
1907 implicates the use of VLAN= above and will enable the VLAN ID for
1908 ingress as well.
1909
1911 Example 1. Static network configuration
1912 # /etc/systemd/network/50-static.network
1914 [Match]
1915 Name=enp2s0
1916 [Network]
1918 Address=192.168.0.15/24
1919 Gateway=192.168.0.1
1920 This brings interface "enp2s0" up with a static address. The specified
1922 gateway will be used for a default route.
1923 Example 2. DHCP on ethernet links
1925 # /etc/systemd/network/80-dhcp.network
1927 [Match]
1928 Name=en*
1929 [Network]
1931 DHCP=yes
1932 This will enable DHCPv4 and DHCPv6 on all interfaces with names
1934 starting with "en" (i.e. ethernet interfaces).
1935 Example 3. IPv6 Prefix Delegation
1937 # /etc/systemd/network/55-ipv6-pd-upstream.network
1939 [Match]
1940 Name=enp1s0
1941 [Network]
1943 DHCP=ipv6
1944 # /etc/systemd/network/56-ipv6-pd-downstream.network
1946 [Match]
1947 Name=enp2s0
1948 [Network]
1950 IPv6PrefixDelegation=dhcpv6
1951 This will enable IPv6 PD on the interface enp1s0 as an upstream
1953 interface where the DHCPv6 client is running and enp2s0 as a downstream
1954 interface where the prefix is delegated to.
1955 Example 4. A bridge with two enslaved links
1957 # /etc/systemd/network/25-bridge-static.network
1959 [Match]
1960 Name=bridge0
1961 [Network]
1963 Address=192.168.0.15/24
1964 Gateway=192.168.0.1
1965 DNS=192.168.0.1
1966 # /etc/systemd/network/25-bridge-slave-interface-1.network
1968 [Match]
1969 Name=enp2s0
1970 [Network]
1972 Bridge=bridge0
1973 # /etc/systemd/network/25-bridge-slave-interface-2.network
1975 [Match]
1976 Name=wlp3s0
1977 [Network]
1979 Bridge=bridge0
1980 This creates a bridge and attaches devices "enp2s0" and "wlp3s0" to it.
1982 The bridge will have the specified static address and network assigned,
1983 and a default route via the specified gateway will be added. The
1984 specified DNS server will be added to the global list of DNS resolvers.
1985 Example 5.
1987 # /etc/systemd/network/20-bridge-slave-interface-vlan.network
1989 [Match]
1990 Name=enp2s0
1991 [Network]
1993 Bridge=bridge0
1994 [BridgeVLAN]
1996 VLAN=1-32
1997 PVID=42
1998 EgressUntagged=42
1999 [BridgeVLAN]
2001 VLAN=100-200
2002 [BridgeVLAN]
2004 EgressUntagged=300-400
2005 This overrides the configuration specified in the previous example for
2007 the interface "enp2s0", and enables VLAN on that bridge port. VLAN IDs
2008 1-32, 42, 100-400 will be allowed. Packets tagged with VLAN IDs 42,
2009 300-400 will be untagged when they leave on this interface. Untagged
2010 packets which arrive on this interface will be assigned VLAN ID 42.
2011 Example 6. Various tunnels
2013 /etc/systemd/network/25-tunnels.network
2015 [Match]
2016 Name=ens1
2017 [Network]
2019 Tunnel=ipip-tun
2020 Tunnel=sit-tun
2021 Tunnel=gre-tun
2022 Tunnel=vti-tun
2023 /etc/systemd/network/25-tunnel-ipip.netdev
2026 [NetDev]
2027 Name=ipip-tun
2028 Kind=ipip
2029 /etc/systemd/network/25-tunnel-sit.netdev
2032 [NetDev]
2033 Name=sit-tun
2034 Kind=sit
2035 /etc/systemd/network/25-tunnel-gre.netdev
2038 [NetDev]
2039 Name=gre-tun
2040 Kind=gre
2041 /etc/systemd/network/25-tunnel-vti.netdev
2044 [NetDev]
2045 Name=vti-tun
2046 Kind=vti
2047 This will bring interface "ens1" up and create an IPIP tunnel, a SIT
2050 tunnel, a GRE tunnel, and a VTI tunnel using it.
2051 Example 7. A bond device
2053 # /etc/systemd/network/30-bond1.network
2055 [Match]
2056 Name=bond1
2057 [Network]
2059 DHCP=ipv6
2060 # /etc/systemd/network/30-bond1.netdev
2062 [NetDev]
2063 Name=bond1
2064 Kind=bond
2065 # /etc/systemd/network/30-bond1-dev1.network
2067 [Match]
2068 MACAddress=52:54:00:e9:64:41
2069 [Network]
2071 Bond=bond1
2072 # /etc/systemd/network/30-bond1-dev2.network
2074 [Match]
2075 MACAddress=52:54:00:e9:64:42
2076 [Network]
2078 Bond=bond1
2079 This will create a bond device "bond1" and enslave the two devices with
2081 MAC addresses 52:54:00:e9:64:41 and 52:54:00:e9:64:42 to it. IPv6 DHCP
2082 will be used to acquire an address.
2083 Example 8. Virtual Routing and Forwarding (VRF)
2085 Add the "bond1" interface to the VRF master interface "vrf1". This will
2087 redirect routes generated on this interface to be within the routing
2088 table defined during VRF creation. For kernels before 4.8 traffic won't
2089 be redirected towards the VRFs routing table unless specific ip-rules
2090 are added.
2091 # /etc/systemd/network/25-vrf.network
2093 [Match]
2094 Name=bond1
2095 [Network]
2097 VRF=vrf1
2098 Example 9. MacVTap
2100 This brings up a network interface "macvtap-test" and attaches it to
2102 "enp0s25".
2103 # /usr/lib/systemd/network/25-macvtap.network
2105 [Match]
2106 Name=enp0s25
2107 [Network]
2109 MACVTAP=macvtap-test
2110 Example 10. A Xfrm interface with physical underlying device.
2112 # /etc/systemd/network/27-xfrm.netdev
2114 [NetDev]
2115 Name=xfrm0
2116 [Xfrm]
2118 InterfaceId=7
2119 # /etc/systemd/network/27-eth0.network
2121 [Match]
2122 Name=eth0
2123 [Network]
2125 Xfrm=xfrm0
2126 This creates a "xfrm0" interface and binds it to the "eth0" device.
2128 This allows hardware based ipsec offloading to the "eth0" nic. If
2129 offloading is not needed, xfrm interfaces can be assigned to the "lo"
2130 device.
2131
2133 systemd(1), systemd-networkd.service(8), systemd.link(5),
2134 systemd.netdev(5), systemd-resolved.service(8)
2135
2137 1. RFC 7217
2138 https://tools.ietf.org/html/rfc7217
2139 2. Link-Local Multicast Name Resolution
2141 https://tools.ietf.org/html/rfc4795
2142 3. Multicast DNS
2144 https://tools.ietf.org/html/rfc6762
2145 4. DNS-over-TLS
2147 https://tools.ietf.org/html/rfc7858
2148 5. DNSSEC
2150 https://tools.ietf.org/html/rfc4033
2151 6. IEEE 802.1AB-2016
2153 https://standards.ieee.org/findstds/standard/802.1AB-2016.html
2154 7. ip-sysctl.txt
2156 https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
2157 8. RFC 4941
2159 https://tools.ietf.org/html/rfc4941
2160 9. RFC 1027
2162 https://tools.ietf.org/html/rfc1027
2163 10. RFC 6275
2165 https://tools.ietf.org/html/rfc6275
2166 11. RFC 5224
2168 https://tools.ietf.org/html/rfc5227
2169 12. RFC 4862
2171 https://tools.ietf.org/html/rfc4862
2172 13. RFC 3041
2174 https://tools.ietf.org/html/rfc3041
2175 14. RFC 3484
2177 https://tools.ietf.org/html/rfc3484
2178 15. RFC4191
2180 https://tools.ietf.org/html/rfc4191
2181 16. RFC 7844
2183 https://tools.ietf.org/html/rfc7844
2184 17. C-style escapes
2186 https://en.wikipedia.org/wiki/Escape_sequences_in_C#Table_of_escape_sequences
2187 18. RFC 3315
2189 https://tools.ietf.org/html/rfc3315#section-17.2.1
2190 19. RFC 7084
2192 https://tools.ietf.org/html/rfc7084
2193 20. RFC 4861
2195 https://tools.ietf.org/html/rfc4861
2196systemd 245 SYSTEMD.NETWORK(5)