1IP-LINK(8) Linux IP-LINK(8)
2
3
4
6 ip-link - network device configuration
7
9 ip link { COMMAND | help }
10
11
12 ip link add [ link DEVICE ] [ name ] NAME
13 [ txqueuelen PACKETS ]
14 [ address LLADDR ] [ broadcast LLADDR ]
15 [ mtu MTU ] [ index IDX ]
16 [ numtxqueues QUEUE_COUNT ] [ numrxqueues QUEUE_COUNT ]
17 [ gso_max_size BYTES ] [ gso_max_segs SEGMENTS ]
18 type TYPE [ ARGS ]
19
20 ip link delete { DEVICE | group GROUP } type TYPE [ ARGS ]
21
22 ip link set { DEVICE | group GROUP }
23 [ { up | down } ]
24 [ type ETYPE TYPE_ARGS ]
25 [ arp { on | off } ]
26 [ dynamic { on | off } ]
27 [ multicast { on | off } ]
28 [ allmulticast { on | off } ]
29 [ promisc { on | off } ]
30 [ protodown { on | off } ]
31 [ trailers { on | off } ]
32 [ txqueuelen PACKETS ]
33 [ name NEWNAME ]
34 [ address LLADDR ]
35 [ broadcast LLADDR ]
36 [ mtu MTU ]
37 [ netns { PID | NETNSNAME } ]
38 [ link-netnsid ID ]
39 [ alias NAME ]
40 [ vf NUM [ mac LLADDR ]
41 [ VFVLAN-LIST ]
42 [ rate TXRATE ]
43 [ max_tx_rate TXRATE ]
44 [ min_tx_rate TXRATE ]
45 [ spoofchk { on | off } ]
46 [ query_rss { on | off } ]
47 [ state { auto | enable | disable } ]
48 [ trust { on | off } ]
49 [ node_guid eui64 ]
50 [ port_guid eui64 ] ]
51 [ { xdp | xdpgeneric | xdpdrv | xdpoffload } { off |
52 object FILE [ section NAME ] [ verbose ] |
53 pinned FILE } ]
54 [ master DEVICE ]
55 [ nomaster ]
56 [ vrf NAME ]
57 [ addrgenmode { eui64 | none | stable_secret | random } ]
58 [ macaddr [ MACADDR ]
59 [ { flush | add | del } MACADDR ]
60 [ set MACADDR ] ]
61
62 ip link show [ DEVICE | group GROUP ] [ up ] [ master DEVICE
63 ] [ type ETYPE ] [ vrf NAME ]
64
65 ip link xstats type TYPE [ ARGS ]
66
67 ip link afstats [ dev DEVICE ]
68
69 ip link help [ TYPE ]
70
71 TYPE := [ bridge | bond | can | dummy | hsr | ifb | ipoib |
72 macvlan | macvtap | vcan | vxcan | veth | vlan |
73 vxlan | ip6tnl | ipip | sit | gre | gretap | erspan |
74 ip6gre | ip6gretap | ip6erspan | vti | nlmon | ipvlan
75 | ipvtap | lowpan | geneve | vrf | macsec | netdevsim
76 | rmnet | xfrm ]
77
78 ETYPE := [ TYPE | bridge_slave | bond_slave ]
79
80 VFVLAN-LIST := [ VFVLAN-LIST ] VFVLAN
81
82 VFVLAN := [ vlan VLANID [ qos VLAN-QOS ] [ proto VLAN-PROTO ]
83 ]
84
85 ip link property add [ altname NAME .. ]
86
87 ip link property del [ altname NAME .. ]
88
89
91 ip link add - add virtual link
92 link DEVICE
93 specifies the physical device to act operate on.
94
95 NAME specifies the name of the new virtual device.
96
97 TYPE specifies the type of the new device.
98
99 Link types:
100
101 bridge - Ethernet Bridge device
102
103 bond - Bonding device
104
105 dummy - Dummy network interface
106
107 hsr - High-availability Seamless Redundancy device
108
109 ifb - Intermediate Functional Block device
110
111 ipoib - IP over Infiniband device
112
113 macvlan - Virtual interface base on link layer address
114 (MAC)
115
116 macvtap - Virtual interface based on link layer address
117 (MAC) and TAP.
118
119 vcan - Virtual Controller Area Network interface
120
121 vxcan - Virtual Controller Area Network tunnel interface
122
123 veth - Virtual ethernet interface
124
125 vlan - 802.1q tagged virtual LAN interface
126
127 vxlan - Virtual eXtended LAN
128
129 ip6tnl - Virtual tunnel interface IPv4|IPv6 over IPv6
130
131 ipip - Virtual tunnel interface IPv4 over IPv4
132
133 sit - Virtual tunnel interface IPv6 over IPv4
134
135 gre - Virtual tunnel interface GRE over IPv4
136
137 gretap - Virtual L2 tunnel interface GRE over IPv4
138
139 erspan - Encapsulated Remote SPAN over GRE and IPv4
140
141 ip6gre - Virtual tunnel interface GRE over IPv6
142
143 ip6gretap - Virtual L2 tunnel interface GRE over IPv6
144
145 ip6erspan - Encapsulated Remote SPAN over GRE and IPv6
146
147 vti - Virtual tunnel interface
148
149 nlmon - Netlink monitoring device
150
151 ipvlan - Interface for L3 (IPv6/IPv4) based VLANs
152
153 ipvtap - Interface for L3 (IPv6/IPv4) based VLANs and
154 TAP
155
156 lowpan - Interface for 6LoWPAN (IPv6) over IEEE 802.15.4
157 / Bluetooth
158
159 geneve - GEneric NEtwork Virtualization Encapsulation
160
161 macsec - Interface for IEEE 802.1AE MAC Security (MAC‐
162 sec)
163
164 vrf - Interface for L3 VRF domains
165
166 netdevsim - Interface for netdev API tests
167
168 rmnet - Qualcomm rmnet device
169
170 xfrm - Virtual xfrm interface
171
172
173 numtxqueues QUEUE_COUNT
174 specifies the number of transmit queues for new device.
175
176
177 numrxqueues QUEUE_COUNT
178 specifies the number of receive queues for new device.
179
180
181 gso_max_size BYTES
182 specifies the recommended maximum size of a Generic Segment Off‐
183 load packet the new device should accept.
184
185
186 gso_max_segs SEGMENTS
187 specifies the recommended maximum number of a Generic Segment
188 Offload segments the new device should accept.
189
190
191 index IDX
192 specifies the desired index of the new virtual device. The link
193 creation fails, if the index is busy.
194
195
196 VLAN Type Support
197 For a link of type VLAN the following additional arguments are
198 supported:
199
200 ip link add link DEVICE name NAME type vlan [ protocol
201 VLAN_PROTO ] id VLANID [ reorder_hdr { on | off } ] [ gvrp { on
202 | off } ] [ mvrp { on | off } ] [ loose_binding { on | off } ] [
203 bridge_binding { on | off } ] [ ingress-qos-map QOS-MAP ] [
204 egress-qos-map QOS-MAP ]
205
206
207 protocol VLAN_PROTO - either 802.1Q or 802.1ad.
208
209 id VLANID - specifies the VLAN Identifer to use. Note
210 that numbers with a leading " 0 " or " 0x " are inter‐
211 preted as octal or hexadeimal, respectively.
212
213 reorder_hdr { on | off } - specifies whether ethernet
214 headers are reordered or not (default is on).
215
216 If reorder_hdr is on then VLAN header will be not
217 inserted immediately but only before passing to the
218 physical device (if this device does not support
219 VLAN offloading), the similar on the RX direction -
220 by default the packet will be untagged before being
221 received by VLAN device. Reordering allows to accel‐
222 erate tagging on egress and to hide VLAN header on
223 ingress so the packet looks like regular Ethernet
224 packet, at the same time it might be confusing for
225 packet capture as the VLAN header does not exist
226 within the packet.
227
228 VLAN offloading can be checked by ethtool(8):
229
230 ethtool -k <phy_dev> | grep tx-vlan-offload
231
232 where <phy_dev> is the physical device to which VLAN
233 device is bound.
234
235 gvrp { on | off } - specifies whether this VLAN should
236 be registered using GARP VLAN
237 Registration Protocol.
238
239 mvrp { on | off } - specifies whether this VLAN should
240 be registered using Multiple VLAN
241 Registration Protocol.
242
243 loose_binding { on | off } - specifies whether the VLAN
244 device state is bound to the physical device state.
245
246 bridge_binding { on | off } - specifies whether the VLAN
247 device link state tracks the state of bridge ports that
248 are members of the VLAN.
249
250 ingress-qos-map QOS-MAP - defines a mapping of VLAN
251 header prio field to the Linux internal packet priority
252 on incoming frames. The format is FROM:TO with multiple
253 mappings separated by spaces.
254
255 egress-qos-map QOS-MAP - defines a mapping of Linux
256 internal packet priority to VLAN header prio field but
257 for outgoing frames. The format is the same as for
258 ingress-qos-map.
259
260 Linux packet priority can be set by iptables(8):
261
262 iptables -t mangle -A POSTROUTING [...] -j CLAS‐
263 SIFY --set-class 0:4
264
265 and this "4" priority can be used in the egress qos
266 mapping to set VLAN prio "5":
267
268 ip link set veth0.10 type vlan egress 4:5
269
270
271 VXLAN Type Support
272 For a link of type VXLAN the following additional arguments are
273 supported:
274
275 ip link add DEVICE type vxlan id VNI [ dev PHYS_DEV ] [ { group
276 | remote } IPADDR ] [ local { IPADDR | any } ] [ ttl TTL ] [ tos
277 TOS ] [ df DF ] [ flowlabel FLOWLABEL ] [ dstport PORT ] [ src‐
278 port MIN MAX ] [ [no]learning ] [ [no]proxy ] [ [no]rsc ] [
279 [no]l2miss ] [ [no]l3miss ] [ [no]udpcsum ] [ [no]udp6zerocsumtx
280 ] [ [no]udp6zerocsumrx ] [ ageing SECONDS ] [ maxaddress NUMBER
281 ] [ [no]external ] [ gbp ] [ gpe ]
282
283
284 id VNI - specifies the VXLAN Network Identifer (or VXLAN
285 Segment Identifier) to use.
286
287 dev PHYS_DEV - specifies the physical device to use for
288 tunnel endpoint communication.
289
290
291 group IPADDR - specifies the multicast IP address to
292 join. This parameter cannot be specified with the
293 remote parameter.
294
295
296 remote IPADDR - specifies the unicast destination IP
297 address to use in outgoing packets when the destination
298 link layer address is not known in the VXLAN device for‐
299 warding database. This parameter cannot be specified
300 with the group parameter.
301
302
303 local IPADDR - specifies the source IP address to use in
304 outgoing packets.
305
306
307 ttl TTL - specifies the TTL value to use in outgoing
308 packets.
309
310
311 tos TOS - specifies the TOS value to use in outgoing
312 packets.
313
314
315 df DF - specifies the usage of the Don't Fragment flag
316 (DF) bit in outgoing packets with IPv4 headers. The
317 value inherit causes the bit to be copied from the orig‐
318 inal IP header. The values unset and set cause the bit
319 to be always unset or always set, respectively. By
320 default, the bit is not set.
321
322
323 flowlabel FLOWLABEL - specifies the flow label to use in
324 outgoing packets.
325
326
327 dstport PORT - specifies the UDP destination port to
328 communicate to the remote
329 VXLAN tunnel endpoint.
330
331
332 srcport MIN MAX - specifies the range of port numbers to
333 use as UDP source ports to communicate to the remote
334 VXLAN tunnel endpoint.
335
336
337 [no]learning - specifies if unknown source link layer
338 addresses and IP addresses are entered into the VXLAN
339 device forwarding database.
340
341
342 [no]rsc - specifies if route short circuit is turned on.
343
344
345 [no]proxy - specifies ARP proxy is turned on.
346
347
348 [no]l2miss - specifies if netlink LLADDR miss notifica‐
349 tions are generated.
350
351
352 [no]l3miss - specifies if netlink IP ADDR miss notifica‐
353 tions are generated.
354
355
356 [no]udpcsum - specifies if UDP checksum is calculated
357 for transmitted packets over IPv4.
358
359
360 [no]udp6zerocsumtx - skip UDP checksum calculation for
361 transmitted packets over IPv6.
362
363
364 [no]udp6zerocsumrx - allow incoming UDP packets over
365 IPv6 with zero checksum field.
366
367
368 ageing SECONDS - specifies the lifetime in seconds of
369 FDB entries learnt by the kernel.
370
371
372 maxaddress NUMBER - specifies the maximum number of FDB
373 entries.
374
375
376 [no]external - specifies whether an external control
377 plane (e.g. ip route encap) or the internal FDB should
378 be used.
379
380
381 gbp - enables the Group Policy extension (VXLAN-GBP).
382
383 Allows to transport group policy context across
384 VXLAN network peers. If enabled, includes the mark
385 of a packet in the VXLAN header for outgoing packets
386 and fills the packet mark based on the information
387 found in the VXLAN header for incoming packets.
388
389 Format of upper 16 bits of packet mark (flags);
390
391 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
392 |-|-|-|-|-|-|-|-|-|D|-|-|A|-|-|-|
393 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
394
395 D := Don't Learn bit. When set, this bit indicates
396 that the egress VTEP MUST NOT learn the source
397 address of the encapsulated frame.
398
399 A := Indicates that the group policy has already
400 been applied to this packet. Policies MUST NOT be
401 applied by devices when the A bit is set.
402
403 Format of lower 16 bits of packet mark (policy ID):
404
405 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
406 | Group Policy ID |
407 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
408
409 Example:
410 iptables -A OUTPUT [...] -j MARK --set-mark
411 0x800FF
412
413
414
415 gpe - enables the Generic Protocol extension (VXLAN-
416 GPE). Currently, this is only supported together with
417 the external keyword.
418
419
420
421 VETH, VXCAN Type Support
422 For a link of types VETH/VXCAN the following additional argu‐
423 ments are supported:
424
425 ip link add DEVICE type { veth | vxcan } [ peer name NAME ]
426
427
428 peer name NAME - specifies the virtual pair device name
429 of the VETH/VXCAN tunnel.
430
431
432
433 IPIP, SIT Type Support
434 For a link of type IPIPorSIT the following additional arguments
435 are supported:
436
437 ip link add DEVICE type { ipip | sit } remote ADDR local ADDR [
438 encap { fou | gue | none } ] [ encap-sport { PORT | auto } ] [
439 encap-dport PORT ] [ [no]encap-csum ] [ [no]encap-remcsum ] [
440 mode { ip6ip | ipip | mplsip | any } ] [ external ]
441
442
443 remote ADDR - specifies the remote address of the tun‐
444 nel.
445
446
447 local ADDR - specifies the fixed local address for tun‐
448 neled packets. It must be an address on another inter‐
449 face on this host.
450
451
452 encap { fou | gue | none } - specifies type of secondary
453 UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue"
454 indicates Generic UDP Encapsulation.
455
456
457 encap-sport { PORT | auto } - specifies the source port
458 in UDP encapsulation. PORT indicates the port by num‐
459 ber, "auto" indicates that the port number should be
460 chosen automatically (the kernel picks a flow based on
461 the flow hash of the encapsulated packet).
462
463
464 [no]encap-csum - specifies if UDP checksums are enabled
465 in the secondary encapsulation.
466
467
468 [no]encap-remcsum - specifies if Remote Checksum Offload
469 is enabled. This is only applicable for Generic UDP
470 Encapsulation.
471
472
473 mode { ip6ip | ipip | mplsip | any } - specifies mode in
474 which device should run. "ip6ip" indicates IPv6-Over-
475 IPv4, "ipip" indicates "IPv4-Over-IPv4", "mplsip" indi‐
476 cates MPLS-Over-IPv4, "any" indicates IPv6, IPv4 or MPLS
477 Over IPv4. Supported for SIT where the default is
478 "ip6ip" and IPIP where the default is "ipip".
479 IPv6-Over-IPv4 is not supported for IPIP.
480
481
482 external - make this tunnel externally controlled (e.g.
483 ip route encap).
484
485
486 GRE Type Support
487 For a link of type GRE or GRETAP the following additional argu‐
488 ments are supported:
489
490 ip link add DEVICE type { gre | gretap } remote ADDR local ADDR
491 [ [no][i|o]seq ] [ [i|o]key KEY | no[i|o]key ] [ [no][i|o]csum ]
492 [ ttl TTL ] [ tos TOS ] [ [no]pmtudisc ] [ [no]ignore-df ] [ dev
493 PHYS_DEV ] [ encap { fou | gue | none } ] [ encap-sport { PORT |
494 auto } ] [ encap-dport PORT ] [ [no]encap-csum ] [ [no]encap-
495 remcsum ] [ external ]
496
497
498 remote ADDR - specifies the remote address of the tun‐
499 nel.
500
501
502 local ADDR - specifies the fixed local address for tun‐
503 neled packets. It must be an address on another inter‐
504 face on this host.
505
506
507 [no][i|o]seq - serialize packets. The oseq flag enables
508 sequencing of outgoing packets. The iseq flag requires
509 that all input packets are serialized.
510
511
512 [i|o]key KEY | no[i|o]key - use keyed GRE with key KEY.
513 KEY is either a number or an IPv4 address-like dotted
514 quad. The key parameter specifies the same key to use
515 in both directions. The ikey and okey parameters spec‐
516 ify different keys for input and output.
517
518
519 [no][i|o]csum - generate/require checksums for tunneled
520 packets. The ocsum flag calculates checksums for outgo‐
521 ing packets. The icsum flag requires that all input
522 packets have the correct checksum. The csum flag is
523 equivalent to the combination icsum ocsum .
524
525
526 ttl TTL - specifies the TTL value to use in outgoing
527 packets.
528
529
530 tos TOS - specifies the TOS value to use in outgoing
531 packets.
532
533
534 [no]pmtudisc - enables/disables Path MTU Discovery on
535 this tunnel. It is enabled by default. Note that a
536 fixed ttl is incompatible with this option: tunneling
537 with a fixed ttl always makes pmtu discovery.
538
539
540 [no]ignore-df - enables/disables IPv4 DF suppression on
541 this tunnel. Normally datagrams that exceed the MTU
542 will be fragmented; the presence of the DF flag inhibits
543 this, resulting instead in an ICMP Unreachable (Fragmen‐
544 tation Required) message. Enabling this attribute
545 causes the DF flag to be ignored.
546
547
548 dev PHYS_DEV - specifies the physical device to use for
549 tunnel endpoint communication.
550
551
552 encap { fou | gue | none } - specifies type of secondary
553 UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue"
554 indicates Generic UDP Encapsulation.
555
556
557 encap-sport { PORT | auto } - specifies the source port
558 in UDP encapsulation. PORT indicates the port by num‐
559 ber, "auto" indicates that the port number should be
560 chosen automatically (the kernel picks a flow based on
561 the flow hash of the encapsulated packet).
562
563
564 [no]encap-csum - specifies if UDP checksums are enabled
565 in the secondary encapsulation.
566
567
568 [no]encap-remcsum - specifies if Remote Checksum Offload
569 is enabled. This is only applicable for Generic UDP
570 Encapsulation.
571
572
573 external - make this tunnel externally controlled (e.g.
574 ip route encap).
575
576
577
578 IP6GRE/IP6GRETAP Type Support
579 For a link of type IP6GRE/IP6GRETAP the following additional
580 arguments are supported:
581
582 ip link add DEVICE type { ip6gre | ip6gretap } remote ADDR local
583 ADDR [ [no][i|o]seq ] [ [i|o]key KEY | no[i|o]key ] [
584 [no][i|o]csum ] [ hoplimit TTL ] [ encaplimit ELIM ] [ tclass
585 TCLASS ] [ flowlabel FLOWLABEL ] [ dscp inherit ] [ [no]allow-
586 localremote ] [ dev PHYS_DEV ] [ external ]
587
588
589 remote ADDR - specifies the remote IPv6 address of the
590 tunnel.
591
592
593 local ADDR - specifies the fixed local IPv6 address for
594 tunneled packets. It must be an address on another
595 interface on this host.
596
597
598 [no][i|o]seq - serialize packets. The oseq flag enables
599 sequencing of outgoing packets. The iseq flag requires
600 that all input packets are serialized.
601
602
603 [i|o]key KEY | no[i|o]key - use keyed GRE with key KEY.
604 KEY is either a number or an IPv4 address-like dotted
605 quad. The key parameter specifies the same key to use
606 in both directions. The ikey and okey parameters spec‐
607 ify different keys for input and output.
608
609
610 [no][i|o]csum - generate/require checksums for tunneled
611 packets. The ocsum flag calculates checksums for outgo‐
612 ing packets. The icsum flag requires that all input
613 packets have the correct checksum. The csum flag is
614 equivalent to the combination icsum ocsum.
615
616
617 hoplimit TTL - specifies Hop Limit value to use in out‐
618 going packets.
619
620
621 encaplimit ELIM - specifies a fixed encapsulation limit.
622 Default is 4.
623
624
625 flowlabel FLOWLABEL - specifies a fixed flowlabel.
626
627
628 [no]allow-localremote - specifies whether to allow
629 remote endpoint to have an address configured on local
630 host.
631
632
633 tclass TCLASS - specifies the traffic class field on
634 tunneled packets, which can be specified as either a
635 two-digit hex value (e.g. c0) or a predefined string
636 (e.g. internet). The value inherit causes the field to
637 be copied from the original IP header. The values
638 inherit/STRING or inherit/00..ff will set the field to
639 STRING or 00..ff when tunneling non-IP packets. The
640 default value is 00.
641
642
643 external - make this tunnel externally controlled (or
644 not, which is the default). In the kernel, this is
645 referred to as collect metadata mode. This flag is
646 mutually exclusive with the remote, local, seq, key,
647 csum, hoplimit, encaplimit, flowlabel and tclass
648 options.
649
650
651
652 IPoIB Type Support
653 For a link of type IPoIB the following additional arguments are
654 supported:
655
656 ip link add DEVICE name NAME type ipoib [ pkey PKEY ] [ mode
657 MODE ]
658
659
660 pkey PKEY - specifies the IB P-Key to use.
661
662 mode MODE - specifies the mode (datagram or connected)
663 to use.
664
665
666 ERSPAN Type Support
667 For a link of type ERSPAN/IP6ERSPAN the following additional
668 arguments are supported:
669
670 ip link add DEVICE type { erspan | ip6erspan } remote ADDR local
671 ADDR seq key KEY erspan_ver version [ erspan IDX ] [ erspan_dir
672 { ingress | egress } ] [ erspan_hwid hwid ] [ [no]allow-localre‐
673 mote ] [ external ]
674
675
676 remote ADDR - specifies the remote address of the tun‐
677 nel.
678
679
680 local ADDR - specifies the fixed local address for tun‐
681 neled packets. It must be an address on another inter‐
682 face on this host.
683
684
685 erspan_ver version - specifies the ERSPAN version num‐
686 ber. version indicates the ERSPAN version to be cre‐
687 ated: 1 for version 1 (type II) or 2 for version 2 (type
688 III).
689
690
691 erspan IDX - specifies the ERSPAN v1 index field. IDX
692 indicates a 20 bit index/port number associated with the
693 ERSPAN traffic's source port and direction.
694
695
696 erspan_dir { ingress | egress } - specifies the ERSPAN
697 v2 mirrored traffic's direction.
698
699
700 erspan_hwid hwid - an unique identifier of an ERSPAN v2
701 engine within a system. hwid is a 6-bit value for users
702 to configure.
703
704
705 [no]allow-localremote - specifies whether to allow
706 remote endpoint to have an address configured on local
707 host.
708
709
710 external - make this tunnel externally controlled (or
711 not, which is the default). In the kernel, this is
712 referred to as collect metadata mode. This flag is
713 mutually exclusive with the remote, local, erspan_ver,
714 erspan, erspan_dir and erspan_hwid options.
715
716
717
718 GENEVE Type Support
719 For a link of type GENEVE the following additional arguments are
720 supported:
721
722 ip link add DEVICE type geneve id VNI remote IPADDR [ ttl TTL ]
723 [ tos TOS ] [ df DF ] [ flowlabel FLOWLABEL ] [ dstport PORT ] [
724 [no]external ] [ [no]udpcsum ] [ [no]udp6zerocsumtx ] [
725 [no]udp6zerocsumrx ]
726
727
728 id VNI - specifies the Virtual Network Identifer to use.
729
730
731 remote IPADDR - specifies the unicast destination IP
732 address to use in outgoing packets.
733
734
735 ttl TTL - specifies the TTL value to use in outgoing
736 packets. "0" or "auto" means use whatever default value,
737 "inherit" means inherit the inner protocol's ttl.
738 Default option is "0".
739
740
741 tos TOS - specifies the TOS value to use in outgoing
742 packets.
743
744
745 df DF - specifies the usage of the Don't Fragment flag
746 (DF) bit in outgoing packets with IPv4 headers. The
747 value inherit causes the bit to be copied from the orig‐
748 inal IP header. The values unset and set cause the bit
749 to be always unset or always set, respectively. By
750 default, the bit is not set.
751
752
753 flowlabel FLOWLABEL - specifies the flow label to use in
754 outgoing packets.
755
756
757 dstport PORT - select a destination port other than the
758 default of 6081.
759
760
761 [no]external - make this tunnel externally controlled
762 (or not, which is the default). This flag is mutually
763 exclusive with the id, remote, ttl, tos and flowlabel
764 options.
765
766
767 [no]udpcsum - specifies if UDP checksum is calculated
768 for transmitted packets over IPv4.
769
770
771 [no]udp6zerocsumtx - skip UDP checksum calculation for
772 transmitted packets over IPv6.
773
774
775 [no]udp6zerocsumrx - allow incoming UDP packets over
776 IPv6 with zero checksum field.
777
778
779
780 MACVLAN and MACVTAP Type Support
781 For a link of type MACVLAN or MACVTAP the following additional
782 arguments are supported:
783
784 ip link add link DEVICE name NAME type { macvlan | macvtap }
785 mode { private | vepa | bridge | passthru [ nopromisc ] |
786 source }
787
788
789 type { macvlan | macvtap } - specifies the link type to
790 use. macvlan creates just a virtual interface, while
791 macvtap in addition creates a character device /dev/tapX
792 to be used just like a tuntap device.
793
794 mode private - Do not allow communication between
795 macvlan instances on the same physical interface, even
796 if the external switch supports hairpin mode.
797
798 mode vepa - Virtual Ethernet Port Aggregator mode. Data
799 from one macvlan instance to the other on the same phys‐
800 ical interface is transmitted over the physical inter‐
801 face. Either the attached switch needs to support hair‐
802 pin mode, or there must be a TCP/IP router forwarding
803 the packets in order to allow communication. This is the
804 default mode.
805
806 mode bridge - In bridge mode, all endpoints are directly
807 connected to each other, communication is not redirected
808 through the physical interface's peer.
809
810 mode passthru [ nopromisc ] - This mode gives more power
811 to a single endpoint, usually in macvtap mode. It is not
812 allowed for more than one endpoint on the same physical
813 interface. All traffic will be forwarded to this end‐
814 point, allowing virtio guests to change MAC address or
815 set promiscuous mode in order to bridge the interface or
816 create vlan interfaces on top of it. By default, this
817 mode forces the underlying interface into promiscuous
818 mode. Passing the nopromisc flag prevents this, so the
819 promisc flag may be controlled using standard tools.
820
821 mode source - allows one to set a list of allowed mac
822 address, which is used to match against source mac
823 address from received frames on underlying interface.
824 This allows creating mac based VLAN associations,
825 instead of standard port or tag based. The feature is
826 useful to deploy 802.1x mac based behavior, where driv‐
827 ers of underlying interfaces doesn't allows that.
828
829
830 High-availability Seamless Redundancy (HSR) Support
831 For a link of type HSR the following additional arguments are
832 supported:
833
834 ip link add link DEVICE name NAME type hsr slave1 SLAVE1-IF
835 slave2 SLAVE2-IF [ supervision ADDR-BYTE ] [ version { 0 | 1 } ]
836
837
838 type hsr - specifies the link type to use, here HSR.
839
840 slave1 SLAVE1-IF - Specifies the physical device used
841 for the first of the two ring ports.
842
843 slave2 SLAVE2-IF - Specifies the physical device used
844 for the second of the two ring ports.
845
846 supervision ADDR-BYTE - The last byte of the multicast
847 address used for HSR supervision frames. Default option
848 is "0", possible values 0-255.
849
850 version { 0 | 1 } - Selects the protocol version of the
851 interface. Default option is "0", which corresponds to
852 the 2010 version of the HSR standard. Option "1" acti‐
853 vates the 2012 version.
854
855
856 BRIDGE Type Support
857 For a link of type BRIDGE the following additional arguments are
858 supported:
859
860 ip link add DEVICE type bridge [ ageing_time AGEING_TIME ] [
861 group_fwd_mask MASK ] [ group_address ADDRESS ] [ forward_delay
862 FORWARD_DELAY ] [ hello_time HELLO_TIME ] [ max_age MAX_AGE ] [
863 stp_state STP_STATE ] [ priority PRIORITY ] [ vlan_filtering
864 VLAN_FILTERING ] [ vlan_protocol VLAN_PROTOCOL ] [
865 vlan_default_pvid VLAN_DEFAULT_PVID ] [ vlan_stats_enabled
866 VLAN_STATS_ENABLED ] [ vlan_stats_per_port VLAN_STATS_PER_PORT ]
867 [ mcast_snooping MULTICAST_SNOOPING ] [ mcast_router MULTI‐
868 CAST_ROUTER ] [ mcast_query_use_ifaddr MCAST_QUERY_USE_IFADDR ]
869 [ mcast_querier MULTICAST_QUERIER ] [ mcast_hash_elasticity
870 HASH_ELASTICITY ] [ mcast_hash_max HASH_MAX ] [ mcast_last_mem‐
871 ber_count LAST_MEMBER_COUNT ] [ mcast_startup_query_count
872 STARTUP_QUERY_COUNT ] [ mcast_last_member_interval LAST_MEM‐
873 BER_INTERVAL ] [ mcast_membership_interval MEMBERSHIP_INTERVAL ]
874 [ mcast_querier_interval QUERIER_INTERVAL ] [ mcast_query_inter‐
875 val QUERY_INTERVAL ] [ mcast_query_response_interval
876 QUERY_RESPONSE_INTERVAL ] [ mcast_startup_query_interval
877 STARTUP_QUERY_INTERVAL ] [ mcast_stats_enabled
878 MCAST_STATS_ENABLED ] [ mcast_igmp_version IGMP_VERSION ] [
879 mcast_mld_version MLD_VERSION ] [ nf_call_iptables NF_CALL_IPTA‐
880 BLES ] [ nf_call_ip6tables NF_CALL_IP6TABLES ] [ nf_call_arpta‐
881 bles NF_CALL_ARPTABLES ]
882
883
884 ageing_time AGEING_TIME - configure the bridge's FDB
885 entries ageing time, ie the number of seconds a MAC
886 address will be kept in the FDB after a packet has been
887 received from that address. after this time has passed,
888 entries are cleaned up.
889
890 group_fwd_mask MASK - set the group forward mask. This
891 is the bitmask that is applied to decide whether to for‐
892 ward incoming frames destined to link-local addresses,
893 ie addresses of the form 01:80:C2:00:00:0X (defaults to
894 0, ie the bridge does not forward any link-local
895 frames).
896
897 group_address ADDRESS - set the MAC address of the mul‐
898 ticast group this bridge uses for STP. The address must
899 be a link-local address in standard Ethernet MAC address
900 format, ie an address of the form 01:80:C2:00:00:0X,
901 with X
902 in [0, 4..f].
903
904 forward_delay FORWARD_DELAY - set the forwarding delay
905 in seconds, ie the time spent in LISTENING state (before
906 moving to LEARNING) and in LEARNING state (before moving
907 to FORWARDING). Only relevant if STP is enabled. Valid
908 values are between 2 and 30.
909
910 hello_time HELLO_TIME - set the time in seconds between
911 hello packets sent by the bridge, when it is a root
912 bridge or a designated bridges. Only relevant if STP is
913 enabled. Valid values are between 1 and 10.
914
915 max_age MAX_AGE - set the hello packet timeout, ie the
916 time in seconds until another bridge in the spanning
917 tree is assumed to be dead, after reception of its last
918 hello message. Only relevant if STP is enabled. Valid
919 values are between 6 and 40.
920
921 stp_state STP_STATE - turn spanning tree protocol on
922 (STP_STATE > 0) or off (STP_STATE == 0). for this
923 bridge.
924
925 priority PRIORITY - set this bridge's spanning tree pri‐
926 ority, used during STP root bridge election. PRIORITY
927 is a 16bit unsigned integer.
928
929 vlan_filtering VLAN_FILTERING - turn VLAN filtering on
930 (VLAN_FILTERING > 0) or off (VLAN_FILTERING == 0). When
931 disabled, the bridge will not consider the VLAN tag when
932 handling packets.
933
934 vlan_protocol { 802.1Q | 802.1ad } - set the protocol
935 used for VLAN filtering.
936
937 vlan_default_pvid VLAN_DEFAULT_PVID - set the default
938 PVID (native/untagged VLAN ID) for this bridge.
939
940 vlan_stats_enabled VLAN_STATS_ENABLED - enable
941 (VLAN_STATS_ENABLED == 1) or disable (VLAN_STATS_ENABLED
942 == 0) per-VLAN stats accounting.
943
944 vlan_stats_per_port VLAN_STATS_PER_PORT - enable
945 (VLAN_STATS_PER_PORT == 1) or disable
946 (VLAN_STATS_PER_PORT == 0) per-VLAN per-port stats
947 accounting. Can be changed only when there are no port
948 VLANs configured.
949
950 mcast_snooping MULTICAST_SNOOPING - turn multicast
951 snooping on (MULTICAST_SNOOPING > 0) or off (MULTI‐
952 CAST_SNOOPING == 0).
953
954 mcast_router MULTICAST_ROUTER - set bridge's multicast
955 router if IGMP snooping is enabled. MULTICAST_ROUTER is
956 an integer value having the following meaning:
957
958 0 - disabled.
959
960 1 - automatic (queried).
961
962 2 - permanently enabled.
963
964 mcast_query_use_ifaddr MCAST_QUERY_USE_IFADDR - whether
965 to use the bridge's own IP address as source address for
966 IGMP queries (MCAST_QUERY_USE_IFADDR > 0) or the default
967 of 0.0.0.0 (MCAST_QUERY_USE_IFADDR == 0).
968
969 mcast_querier MULTICAST_QUERIER - enable (MULTI‐
970 CAST_QUERIER > 0) or disable (MULTICAST_QUERIER == 0)
971 IGMP querier, ie sending of multicast queries by the
972 bridge (default: disabled).
973
974 mcast_querier_interval QUERIER_INTERVAL - interval
975 between queries sent by other routers. if no queries are
976 seen after this delay has passed, the bridge will start
977 to send its own queries (as if mcast_querier was
978 enabled).
979
980 mcast_hash_elasticity HASH_ELASTICITY - set multicast
981 database hash elasticity, ie the maximum chain length in
982 the multicast hash table (defaults to 4).
983
984 mcast_hash_max HASH_MAX - set maximum size of multicast
985 hash table (defaults to 512, value must be a power of
986 2).
987
988 mcast_last_member_count LAST_MEMBER_COUNT - set multi‐
989 cast last member count, ie the number of queries the
990 bridge will send before stopping forwarding a multicast
991 group after a "leave" message has been received
992 (defaults to 2).
993
994 mcast_last_member_interval LAST_MEMBER_INTERVAL - inter‐
995 val between queries to find remaining members of a
996 group, after a "leave" message is received.
997
998 mcast_startup_query_count STARTUP_QUERY_COUNT - set the
999 number of IGMP queries to send during startup phase
1000 (defaults to 2).
1001
1002 mcast_startup_query_interval STARTUP_QUERY_INTERVAL -
1003 interval between queries in the startup phase.
1004
1005 mcast_query_interval QUERY_INTERVAL - interval between
1006 queries sent by the bridge after the end of the startup
1007 phase.
1008
1009 mcast_query_response_interval QUERY_RESPONSE_INTERVAL -
1010 set the Max Response Time/Maximum Response Delay for
1011 IGMP/MLD queries sent by the bridge.
1012
1013 mcast_membership_interval MEMBERSHIP_INTERVAL - delay
1014 after which the bridge will leave a group, if no member‐
1015 ship reports for this group are received.
1016
1017 mcast_stats_enabled MCAST_STATS_ENABLED - enable
1018 (MCAST_STATS_ENABLED > 0) or disable
1019 (MCAST_STATS_ENABLED == 0) multicast (IGMP/MLD) stats
1020 accounting.
1021
1022 mcast_igmp_version IGMP_VERSION - set the IGMP version.
1023
1024 mcast_mld_version MLD_VERSION - set the MLD version.
1025
1026 nf_call_iptables NF_CALL_IPTABLES - enable (NF_CALL_IPT‐
1027 ABLES > 0) or disable (NF_CALL_IPTABLES == 0) iptables
1028 hooks on the bridge.
1029
1030 nf_call_ip6tables NF_CALL_IP6TABLES - enable
1031 (NF_CALL_IP6TABLES > 0) or disable (NF_CALL_IP6TABLES ==
1032 0) ip6tables hooks on the bridge.
1033
1034 nf_call_arptables NF_CALL_ARPTABLES - enable
1035 (NF_CALL_ARPTABLES > 0) or disable (NF_CALL_ARPTABLES ==
1036 0) arptables hooks on the bridge.
1037
1038
1039
1040
1041 MACsec Type Support
1042 For a link of type MACsec the following additional arguments are
1043 supported:
1044
1045 ip link add link DEVICE name NAME type macsec [ [ address
1046 <lladdr> ] port PORT | sci SCI ] [ cipher CIPHER_SUITE ] [
1047 icvlen { 8..16 } ] [ encrypt { on | off } ] [ send_sci { on |
1048 off } ] [ end_station { on | off } ] [ scb { on | off } ] [ pro‐
1049 tect { on | off } ] [ replay { on | off } window { 0..2^32-1 } ]
1050 [ validate { strict | check | disabled } ] [ encodingsa { 0..3 }
1051 ]
1052
1053
1054 address <lladdr> - sets the system identifier component
1055 of secure channel for this MACsec device.
1056
1057
1058 port PORT - sets the port number component of secure
1059 channel for this MACsec device, in a range from 1 to
1060 65535 inclusive. Numbers with a leading " 0 " or " 0x "
1061 are interpreted as octal and hexadecimal, respectively.
1062
1063
1064 sci SCI - sets the secure channel identifier for this
1065 MACsec device. SCI is a 64bit wide number in hexadeci‐
1066 mal format.
1067
1068
1069 cipher CIPHER_SUITE - defines the cipher suite to use.
1070
1071
1072 icvlen LENGTH - sets the length of the Integrity Check
1073 Value (ICV).
1074
1075
1076 encrypt on or encrypt off - switches between authenti‐
1077 cated encryption, or authenticity mode only.
1078
1079
1080 send_sci on or send_sci off - specifies whether the SCI
1081 is included in every packet, or only when it is neces‐
1082 sary.
1083
1084
1085 end_station on or end_station off - sets the End Station
1086 bit.
1087
1088
1089 scb on or scb off - sets the Single Copy Broadcast bit.
1090
1091
1092 protect on or protect off - enables MACsec protection on
1093 the device.
1094
1095
1096 replay on or replay off - enables replay protection on
1097 the device.
1098
1099
1100
1101 window SIZE - sets the size of the replay win‐
1102 dow.
1103
1104
1105
1106 validate strict or validate check or validate disabled -
1107 sets the validation mode on the device.
1108
1109
1110 encodingsa AN - sets the active secure association for
1111 transmission.
1112
1113
1114
1115 VRF Type Support
1116 For a link of type VRF the following additional arguments are
1117 supported:
1118
1119 ip link add DEVICE type vrf table TABLE
1120
1121
1122 table table id associated with VRF device
1123
1124
1125
1126 RMNET Type Support
1127 For a link of type RMNET the following additional arguments are
1128 supported:
1129
1130 ip link add link DEVICE name NAME type rmnet mux_id MUXID
1131
1132
1133 mux_id MUXID - specifies the mux identifier for the
1134 rmnet device, possible values 1-254.
1135
1136
1137
1138 XFRM Type Support
1139 For a link of type XFRM the following additional arguments are
1140 supported:
1141
1142 ip link add DEVICE type xfrm dev PHYS_DEV [ if_id IF_ID ]
1143
1144
1145 dev PHYS_DEV - specifies the underlying physical inter‐
1146 face from which transform traffic is sent and received.
1147
1148
1149 if_id IF-ID - specifies the hexadecimal lookup key used
1150 to send traffic to and from specific xfrm policies.
1151 Policies must be configured with the same key. If not
1152 set, the key defaults to 0 and will match any policies
1153 which similarly do not have a lookup key configuration.
1154
1155
1156
1157 ip link delete - delete virtual link
1158 dev DEVICE
1159 specifies the virtual device to act operate on.
1160
1161
1162 group GROUP
1163 specifies the group of virtual links to delete. Group 0 is not
1164 allowed to be deleted since it is the default group.
1165
1166
1167 type TYPE
1168 specifies the type of the device.
1169
1170
1171 ip link set - change device attributes
1172 Warning: If multiple parameter changes are requested, ip aborts immedi‐
1173 ately after any of the changes have failed. This is the only case when
1174 ip can move the system to an unpredictable state. The solution is to
1175 avoid changing several parameters with one ip link set call. The modi‐
1176 fier change is equivalent to set.
1177
1178
1179
1180 dev DEVICE
1181 DEVICE specifies network device to operate on. When configuring
1182 SR-IOV Virtual Function (VF) devices, this keyword should spec‐
1183 ify the associated Physical Function (PF) device.
1184
1185
1186 group GROUP
1187 GROUP has a dual role: If both group and dev are present, then
1188 move the device to the specified group. If only a group is spec‐
1189 ified, then the command operates on all devices in that group.
1190
1191
1192 up and down
1193 change the state of the device to UP or DOWN.
1194
1195
1196 arp on or arp off
1197 change the NOARP flag on the device.
1198
1199
1200 multicast on or multicast off
1201 change the MULTICAST flag on the device.
1202
1203
1204 protodown on or protodown off
1205 change the PROTODOWN state on the device. Indicates that a pro‐
1206 tocol error has been detected on the port. Switch drivers can
1207 react to this error by doing a phys down on the switch port.
1208
1209
1210 dynamic on or dynamic off
1211 change the DYNAMIC flag on the device. Indicates that address
1212 can change when interface goes down (currently NOT used by the
1213 Linux).
1214
1215
1216 name NAME
1217 change the name of the device. This operation is not recommended
1218 if the device is running or has some addresses already config‐
1219 ured.
1220
1221
1222 txqueuelen NUMBER
1223
1224 txqlen NUMBER
1225 change the transmit queue length of the device.
1226
1227
1228 mtu NUMBER
1229 change the MTU of the device.
1230
1231
1232 address LLADDRESS
1233 change the station address of the interface.
1234
1235
1236 broadcast LLADDRESS
1237
1238 brd LLADDRESS
1239
1240 peer LLADDRESS
1241 change the link layer broadcast address or the peer address when
1242 the interface is POINTOPOINT.
1243
1244
1245 netns NETNSNAME | PID
1246 move the device to the network namespace associated with name
1247 NETNSNAME or process PID.
1248
1249 Some devices are not allowed to change network namespace: loop‐
1250 back, bridge, wireless. These are network namespace local
1251 devices. In such case ip tool will return "Invalid argument"
1252 error. It is possible to find out if device is local to a single
1253 network namespace by checking netns-local flag in the output of
1254 the ethtool:
1255
1256 ethtool -k DEVICE
1257
1258 To change network namespace for wireless devices the iw tool can
1259 be used. But it allows to change network namespace only for
1260 physical devices and by process PID.
1261
1262
1263 alias NAME
1264 give the device a symbolic name for easy reference.
1265
1266
1267 group GROUP
1268 specify the group the device belongs to. The available groups
1269 are listed in file /etc/iproute2/group.
1270
1271
1272 vf NUM specify a Virtual Function device to be configured. The associ‐
1273 ated PF device must be specified using the dev parameter.
1274
1275 mac LLADDRESS - change the station address for the spec‐
1276 ified VF. The vf parameter must be specified.
1277
1278
1279 vlan VLANID - change the assigned VLAN for the specified
1280 VF. When specified, all traffic sent from the VF will be
1281 tagged with the specified VLAN ID. Incoming traffic will
1282 be filtered for the specified VLAN ID, and will have all
1283 VLAN tags stripped before being passed to the VF. Set‐
1284 ting this parameter to 0 disables VLAN tagging and fil‐
1285 tering. The vf parameter must be specified.
1286
1287
1288 qos VLAN-QOS - assign VLAN QOS (priority) bits for the
1289 VLAN tag. When specified, all VLAN tags transmitted by
1290 the VF will include the specified priority bits in the
1291 VLAN tag. If not specified, the value is assumed to be
1292 0. Both the vf and vlan parameters must be specified.
1293 Setting both vlan and qos as 0 disables VLAN tagging and
1294 filtering for the VF.
1295
1296
1297 proto VLAN-PROTO - assign VLAN PROTOCOL for the VLAN
1298 tag, either 802.1Q or 802.1ad. Setting to 802.1ad, all
1299 traffic sent from the VF will be tagged with VLAN S-Tag.
1300 Incoming traffic will have VLAN S-Tags stripped before
1301 being passed to the VF. Setting to 802.1ad also enables
1302 an option to concatenate another VLAN tag, so both S-TAG
1303 and C-TAG will be inserted/stripped for outgoing/incom‐
1304 ing traffic, respectively. If not specified, the value
1305 is assumed to be 802.1Q. Both the vf and vlan parameters
1306 must be specified.
1307
1308
1309 rate TXRATE -- change the allowed transmit bandwidth, in
1310 Mbps, for the specified VF. Setting this parameter to 0
1311 disables rate limiting. vf parameter must be specified.
1312 Please use new API max_tx_rate option instead.
1313
1314
1315 max_tx_rate TXRATE - change the allowed maximum transmit
1316 bandwidth, in Mbps, for the specified VF. Setting this
1317 parameter to 0 disables rate limiting. vf parameter
1318 must be specified.
1319
1320
1321 min_tx_rate TXRATE - change the allowed minimum transmit
1322 bandwidth, in Mbps, for the specified VF. Minimum
1323 TXRATE should be always <= Maximum TXRATE. Setting this
1324 parameter to 0 disables rate limiting. vf parameter
1325 must be specified.
1326
1327
1328 spoofchk on|off - turn packet spoof checking on or off
1329 for the specified VF.
1330
1331 query_rss on|off - toggle the ability of querying the
1332 RSS configuration of a specific
1333 VF. VF RSS information like RSS hash key may be con‐
1334 sidered sensitive
1335 on some devices where this information is shared
1336 between VF and PF
1337 and thus its querying may be prohibited by default.
1338
1339 state auto|enable|disable - set the virtual link state
1340 as seen by the specified VF. Setting to auto means a
1341 reflection of the PF link state, enable lets the VF to
1342 communicate with other VFs on this host even if the PF
1343 link state is down, disable causes the HW to drop any
1344 packets sent by the VF.
1345
1346 trust on|off - trust the specified VF user. This enables
1347 that VF user can set a specific feature which may impact
1348 security and/or performance. (e.g. VF multicast promis‐
1349 cuous mode)
1350
1351 node_guid eui64 - configure node GUID for Infiniband
1352 VFs.
1353
1354 port_guid eui64 - configure port GUID for Infiniband
1355 VFs.
1356
1357
1358 xdp object | pinned | off
1359 set (or unset) a XDP ("eXpress Data Path") BPF program to run on
1360 every packet at driver level. ip link output will indicate a
1361 xdp flag for the networking device. If the driver does not have
1362 native XDP support, the kernel will fall back to a slower,
1363 driver-independent "generic" XDP variant. The ip link output
1364 will in that case indicate xdpgeneric instead of xdp only. If
1365 the driver does have native XDP support, but the program is
1366 loaded under xdpgeneric object | pinned then the kernel will use
1367 the generic XDP variant instead of the native one. xdpdrv has
1368 the opposite effect of requestsing that the automatic fallback
1369 to the generic XDP variant be disabled and in case driver is not
1370 XDP-capable error should be returned. xdpdrv also disables
1371 hardware offloads. xdpoffload in ip link output indicates that
1372 the program has been offloaded to hardware and can also be used
1373 to request the "offload" mode, much like xdpgeneric it forces
1374 program to be installed specifically in HW/FW of the apater.
1375
1376 off (or none ) - Detaches any currently attached XDP/BPF program
1377 from the given device.
1378
1379 object FILE - Attaches a XDP/BPF program to the given device.
1380 The FILE points to a BPF ELF file (f.e. generated by LLVM) that
1381 contains the BPF program code, map specifications, etc. If a
1382 XDP/BPF program is already attached to the given device, an
1383 error will be thrown. If no XDP/BPF program is currently
1384 attached, the device supports XDP and the program from the BPF
1385 ELF file passes the kernel verifier, then it will be attached to
1386 the device. If the option -force is passed to ip then any prior
1387 attached XDP/BPF program will be atomically overridden and no
1388 error will be thrown in this case. If no section option is
1389 passed, then the default section name ("prog") will be assumed,
1390 otherwise the provided section name will be used. If no verbose
1391 option is passed, then a verifier log will only be dumped on
1392 load error. See also EXAMPLES section for usage examples.
1393
1394 section NAME - Specifies a section name that contains the BPF
1395 program code. If no section name is specified, the default one
1396 ("prog") will be used. This option is to be passed with the
1397 object option.
1398
1399 verbose - Act in verbose mode. For example, even in case of suc‐
1400 cess, this will print the verifier log in case a program was
1401 loaded from a BPF ELF file.
1402
1403 pinned FILE - Attaches a XDP/BPF program to the given device.
1404 The FILE points to an already pinned BPF program in the BPF file
1405 system. The option section doesn't apply here, but otherwise
1406 semantics are the same as with the option object described
1407 already.
1408
1409
1410 master DEVICE
1411 set master device of the device (enslave device).
1412
1413
1414 nomaster
1415 unset master device of the device (release device).
1416
1417
1418 addrgenmode eui64|none|stable_secret|random
1419 set the IPv6 address generation mode
1420
1421 eui64 - use a Modified EUI-64 format interface identifier
1422
1423 none - disable automatic address generation
1424
1425 stable_secret - generate the interface identifier based on a
1426 preset
1427 /proc/sys/net/ipv6/conf/{default,DEVICE}/stable_secret
1428
1429 random - like stable_secret, but auto-generate a new random
1430 secret if none is set
1431
1432
1433 link-netnsid
1434 set peer netnsid for a cross-netns interface
1435
1436
1437 type ETYPE TYPE_ARGS
1438 Change type-specific settings. For a list of supported types and
1439 arguments refer to the description of ip link add above. In
1440 addition to that, it is possible to manipulate settings to slave
1441 devices:
1442
1443
1444 Bridge Slave Support
1445 For a link with master bridge the following additional arguments
1446 are supported:
1447
1448 ip link set type bridge_slave [ fdb_flush ] [ state STATE ] [
1449 priority PRIO ] [ cost COST ] [ guard { on | off } ] [ hairpin {
1450 on | off } ] [ fastleave { on | off } ] [ root_block { on | off
1451 } ] [ learning { on | off } ] [ flood { on | off } ] [ proxy_arp
1452 { on | off } ] [ proxy_arp_wifi { on | off } ] [ mcast_router
1453 MULTICAST_ROUTER ] [ mcast_fast_leave { on | off} ] [
1454 mcast_flood { on | off } ] [ mcast_to_unicast { on | off } ] [
1455 group_fwd_mask MASK ] [ neigh_suppress { on | off } ] [
1456 vlan_tunnel { on | off } ] [ isolated { on | off } ] [
1457 backup_port DEVICE ] [ nobackup_port ]
1458
1459
1460 fdb_flush - flush bridge slave's fdb dynamic entries.
1461
1462 state STATE - Set port state. STATE is a number repre‐
1463 senting the following states: 0 (disabled), 1 (listen‐
1464 ing), 2 (learning), 3 (forwarding), 4 (blocking).
1465
1466 priority PRIO - set port priority (allowed values are
1467 between 0 and 63, inclusively).
1468
1469 cost COST - set port cost (allowed values are between 1
1470 and 65535, inclusively).
1471
1472 guard { on | off } - block incoming BPDU packets on this
1473 port.
1474
1475 hairpin { on | off } - enable hairpin mode on this port.
1476 This will allow incoming packets on this port to be
1477 reflected back.
1478
1479 fastleave { on | off } - enable multicast fast leave on
1480 this port.
1481
1482 root_block { on | off } - block this port from becoming
1483 the bridge's root port.
1484
1485 learning { on | off } - allow MAC address learning on
1486 this port.
1487
1488 flood { on | off } - open the flood gates on this port,
1489 i.e. forward all unicast frames to this port also.
1490 Requires proxy_arp and proxy_arp_wifi to be turned off.
1491
1492 proxy_arp { on | off } - enable proxy ARP on this port.
1493
1494 proxy_arp_wifi { on | off } - enable proxy ARP on this
1495 port which meets extended requirements by IEEE 802.11
1496 and Hotspot 2.0 specifications.
1497
1498 mcast_router MULTICAST_ROUTER - configure this port for
1499 having multicast routers attached. A port with a multi‐
1500 cast router will receive all multicast traffic. MULTI‐
1501 CAST_ROUTER may be either 0 to disable multicast routers
1502 on this port, 1 to let the system detect the presence of
1503 of routers (this is the default), 2 to permanently
1504 enable multicast traffic forwarding on this port or 3 to
1505 enable multicast routers temporarily on this port, not
1506 depending on incoming queries.
1507
1508 mcast_fast_leave { on | off } - this is a synonym to the
1509 fastleave option above.
1510
1511 mcast_flood { on | off } - controls whether a given port
1512 will flood multicast traffic for which
1513 there is no MDB entry.
1514
1515 mcast_to_unicast { on | off } - controls whether a given
1516 port will replicate packets using unicast
1517 instead of multicast. By default this flag is off.
1518
1519 group_fwd_mask MASK - set the group forward mask. This
1520 is the bitmask that is applied to decide whether to for‐
1521 ward incoming frames destined to link-local addresses,
1522 ie addresses of the form 01:80:C2:00:00:0X (defaults to
1523 0, ie the bridge does not forward any link-local frames
1524 coming on this port).
1525
1526 neigh_suppress { on | off } - controls whether neigh
1527 discovery (arp and nd) proxy and suppression is enabled
1528 on the port. By default this flag is off.
1529
1530 vlan_tunnel { on | off } - controls whether vlan to tun‐
1531 nel mapping is enabled on the port. By default this flag
1532 is off.
1533
1534 backup_port DEVICE - if the port loses carrier all traf‐
1535 fic will be redirected to the configured backup port
1536
1537 nobackup_port - removes the currently configured backup
1538 port
1539
1540
1541
1542 Bonding Slave Support
1543 For a link with master bond the following additional arguments
1544 are supported:
1545
1546 ip link set type bond_slave [ queue_id ID ]
1547
1548
1549 queue_id ID - set the slave's queue ID (a 16bit unsigned
1550 value).
1551
1552
1553
1554 MACVLAN and MACVTAP Support
1555 Modify list of allowed macaddr for link in source mode.
1556
1557 ip link set type { macvlan | macvap } [ macaddr COMMAND MACADDR
1558 ... ]
1559
1560 Commands:
1561 add - add MACADDR to allowed list
1562
1563 set - replace allowed list
1564
1565 del - remove MACADDR from allowed list
1566
1567 flush - flush whole allowed list
1568
1569
1570
1571
1572 ip link show - display device attributes
1573 dev NAME (default)
1574 NAME specifies the network device to show.
1575
1576
1577 group GROUP
1578 GROUP specifies what group of devices to show.
1579
1580
1581 up only display running interfaces.
1582
1583
1584 master DEVICE
1585 DEVICE specifies the master device which enslaves devices to
1586 show.
1587
1588
1589 vrf NAME
1590 NAME speficies the VRF which enslaves devices to show.
1591
1592
1593 type TYPE
1594 TYPE specifies the type of devices to show.
1595
1596 Note that the type name is not checked against the list of sup‐
1597 ported types - instead it is sent as-is to the kernel. Later it
1598 is used to filter the returned interface list by comparing it
1599 with the relevant attribute in case the kernel didn't filter
1600 already. Therefore any string is accepted, but may lead to empty
1601 output.
1602
1603
1604 ip link xstats - display extended statistics
1605 type TYPE
1606 TYPE specifies the type of devices to display extended statis‐
1607 tics for.
1608
1609
1610 ip link afstats - display address-family specific statistics
1611 dev DEVICE
1612 DEVICE specifies the device to display address-family statistics
1613 for.
1614
1615
1616 ip link help - display help
1617 TYPE specifies which help of link type to dislpay.
1618
1619
1620 GROUP
1621 may be a number or a string from the file /etc/iproute2/group which can
1622 be manually filled.
1623
1624
1626 ip link show
1627 Shows the state of all network interfaces on the system.
1628
1629 ip link show type bridge
1630 Shows the bridge devices.
1631
1632 ip link show type vlan
1633 Shows the vlan devices.
1634
1635 ip link show master br0
1636 Shows devices enslaved by br0
1637
1638 ip link set dev ppp0 mtu 1400
1639 Change the MTU the ppp0 device.
1640
1641 ip link add link eth0 name eth0.10 type vlan id 10
1642 Creates a new vlan device eth0.10 on device eth0.
1643
1644 ip link delete dev eth0.10
1645 Removes vlan device.
1646
1647 ip link help gre
1648 Display help for the gre link type.
1649
1650 ip link add name tun1 type ipip remote 192.168.1.1 local 192.168.1.2
1651 ttl 225 encap gue encap-sport auto encap-dport 5555 encap-csum encap-
1652 remcsum
1653 Creates an IPIP that is encapsulated with Generic UDP Encapsula‐
1654 tion, and the outer UDP checksum and remote checksum offload are
1655 enabled.
1656
1657 ip link set dev eth0 xdp obj prog.o
1658 Attaches a XDP/BPF program to device eth0, where the program is
1659 located in prog.o, section "prog" (default section). In case a
1660 XDP/BPF program is already attached, throw an error.
1661
1662 ip -force link set dev eth0 xdp obj prog.o sec foo
1663 Attaches a XDP/BPF program to device eth0, where the program is
1664 located in prog.o, section "foo". In case a XDP/BPF program is
1665 already attached, it will be overridden by the new one.
1666
1667 ip -force link set dev eth0 xdp pinned /sys/fs/bpf/foo
1668 Attaches a XDP/BPF program to device eth0, where the program was
1669 previously pinned as an object node into BPF file system under name
1670 foo.
1671
1672 ip link set dev eth0 xdp off
1673 If a XDP/BPF program is attached on device eth0, detach it and
1674 effectively turn off XDP for device eth0.
1675
1676 ip link add link wpan0 lowpan0 type lowpan
1677 Creates a 6LoWPAN interface named lowpan0 on the underlying IEEE
1678 802.15.4 device wpan0.
1679
1680 ip link add dev ip6erspan11 type ip6erspan seq key 102 local
1681 fc00:100::2 remote fc00:100::1 erspan_ver 2 erspan_dir ingress
1682 erspan_hwid 17
1683 Creates a IP6ERSPAN version 2 interface named ip6erspan00.
1684
1685
1687 ip(8), ip-netns(8), ethtool(8), iptables(8)
1688
1689
1691 Original Manpage by Michail Litvak <mci@owl.openwall.com>
1692
1693
1694
1695iproute2 13 Dec 2012 IP-LINK(8)