1SYSTEMD.NETWORK(5)              systemd.network             SYSTEMD.NETWORK(5)
2
3
4

NAME

6       systemd.network - Network configuration
7

SYNOPSIS

9       network.network
10

DESCRIPTION

12       A plain ini-style text file that encodes network configuration for
13       matching network interfaces, used by systemd-networkd(8). See
14       systemd.syntax(5) for a general description of the syntax.
15
16       The main network file must have the extension .network; other
17       extensions are ignored. Networks are applied to links whenever the
18       links appear.
19
20       The .network files are read from the files located in the system
21       network directories /usr/lib/systemd/network and
22       /usr/local/lib/systemd/network, the volatile runtime network directory
23       /run/systemd/network and the local administration network directory
24       /etc/systemd/network. All configuration files are collectively sorted
25       and processed in lexical order, regardless of the directories in which
26       they live. However, files with identical filenames replace each other.
27       Files in /etc have the highest priority, files in /run take precedence
28       over files with the same name under /usr. This can be used to override
29       a system-supplied configuration file with a local file if needed. As a
30       special case, an empty file (file size 0) or symlink with the same name
31       pointing to /dev/null disables the configuration file entirely (it is
32       "masked").
33
34       Along with the network file foo.network, a "drop-in" directory
35       foo.network.d/ may exist. All files with the suffix ".conf" from this
36       directory will be parsed after the file itself is parsed. This is
37       useful to alter or add configuration settings, without having to modify
38       the main configuration file. Each drop-in file must have appropriate
39       section headers.
40
41       In addition to /etc/systemd/network, drop-in ".d" directories can be
42       placed in /usr/lib/systemd/network or /run/systemd/network directories.
43       Drop-in files in /etc take precedence over those in /run which in turn
44       take precedence over those in /usr/lib. Drop-in files under any of
45       these directories take precedence over the main network file wherever
46       located.
47
48       Note that an interface without any static IPv6 addresses configured,
49       and neither DHCPv6 nor IPv6LL enabled, shall be considered to have no
50       IPv6 support. IPv6 will be automatically disabled for that interface by
51       writing "1" to /proc/sys/net/ipv6/conf/ifname/disable_ipv6.
52

[MATCH] SECTION OPTIONS

54       The network file contains a "[Match]" section, which determines if a
55       given network file may be applied to a given device; and a "[Network]"
56       section specifying how the device should be configured. The first (in
57       lexical order) of the network files that matches a given device is
58       applied, all later files are ignored, even if they match as well.
59
60       A network file is said to match a network interface if all matches
61       specified by the "[Match]" section are satisfied. When a network file
62       does not contain valid settings in "[Match]" section, then the file
63       will match all interfaces and systemd-networkd warns about that. Hint:
64       to avoid the warning and to make it clear that all interfaces shall be
65       matched, add the following:
66
67           Name=*
68
69       The following keys are accepted:
70
71       MACAddress=
72           A whitespace-separated list of hardware addresses. Use full colon-,
73           hyphen- or dot-delimited hexadecimal. See the example below. This
74           option may appear more than once, in which case the lists are
75           merged. If the empty string is assigned to this option, the list of
76           hardware addresses defined prior to this is reset.
77
78           Example:
79
80               MACAddress=01:23:45:67:89:ab 00-11-22-33-44-55 AABB.CCDD.EEFF
81
82       PermanentMACAddress=
83           A whitespace-separated list of hardware's permanent addresses.
84           While MACAddress= matches the device's current MAC address, this
85           matches the device's permanent MAC address, which may be different
86           from the current one. Use full colon-, hyphen- or dot-delimited
87           hexadecimal. This option may appear more than once, in which case
88           the lists are merged. If the empty string is assigned to this
89           option, the list of hardware addresses defined prior to this is
90           reset.
91
92       Path=
93           A whitespace-separated list of shell-style globs matching the
94           persistent path, as exposed by the udev property ID_PATH.
95
96       Driver=
97           A whitespace-separated list of shell-style globs matching the
98           driver currently bound to the device, as exposed by the udev
99           property ID_NET_DRIVER of its parent device, or if that is not set,
100           the driver as exposed by ethtool -i of the device itself. If the
101           list is prefixed with a "!", the test is inverted.
102
103       Type=
104           A whitespace-separated list of shell-style globs matching the
105           device type, as exposed by networkctl status. If the list is
106           prefixed with a "!", the test is inverted.
107
108       Property=
109           A whitespace-separated list of udev property name with its value
110           after a equal ("="). If multiple properties are specified, the test
111           results are ANDed. If the list is prefixed with a "!", the test is
112           inverted. If a value contains white spaces, then please quote whole
113           key and value pair. If a value contains quotation, then please
114           escape the quotation with "\".
115
116           Example: if a .link file has the following:
117
118               Property=ID_MODEL_ID=9999 "ID_VENDOR_FROM_DATABASE=vendor name" "KEY=with \"quotation\""
119
120           then, the .link file matches only when an interface has all the
121           above three properties.
122
123       Name=
124           A whitespace-separated list of shell-style globs matching the
125           device name, as exposed by the udev property "INTERFACE", or
126           device's alternative names. If the list is prefixed with a "!", the
127           test is inverted.
128
129       WLANInterfaceType=
130           A whitespace-separated list of wireless network type. Supported
131           values are "ad-hoc", "station", "ap", "ap-vlan", "wds", "monitor",
132           "mesh-point", "p2p-client", "p2p-go", "p2p-device", "ocb", and
133           "nan". If the list is prefixed with a "!", the test is inverted.
134
135       SSID=
136           A whitespace-separated list of shell-style globs matching the SSID
137           of the currently connected wireless LAN. If the list is prefixed
138           with a "!", the test is inverted.
139
140       BSSID=
141           A whitespace-separated list of hardware address of the currently
142           connected wireless LAN. Use full colon-, hyphen- or dot-delimited
143           hexadecimal. See the example in MACAddress=. This option may appear
144           more than one, in which case the lists are merged. If the empty
145           string is assigned to this option, the list of BSSID defined prior
146           to this is reset.
147
148       Host=
149           Matches against the hostname or machine ID of the host. See
150           ConditionHost= in systemd.unit(5) for details. When prefixed with
151           an exclamation mark ("!"), the result is negated. If an empty
152           string is assigned, then previously assigned value is cleared.
153
154       Virtualization=
155           Checks whether the system is executed in a virtualized environment
156           and optionally test whether it is a specific implementation. See
157           ConditionVirtualization= in systemd.unit(5) for details. When
158           prefixed with an exclamation mark ("!"), the result is negated. If
159           an empty string is assigned, then previously assigned value is
160           cleared.
161
162       KernelCommandLine=
163           Checks whether a specific kernel command line option is set. See
164           ConditionKernelCommandLine= in systemd.unit(5) for details. When
165           prefixed with an exclamation mark ("!"), the result is negated. If
166           an empty string is assigned, then previously assigned value is
167           cleared.
168
169       KernelVersion=
170           Checks whether the kernel version (as reported by uname -r) matches
171           a certain expression. See ConditionKernelVersion= in
172           systemd.unit(5) for details. When prefixed with an exclamation mark
173           ("!"), the result is negated. If an empty string is assigned, then
174           previously assigned value is cleared.
175
176       Architecture=
177           Checks whether the system is running on a specific architecture.
178           See ConditionArchitecture= in systemd.unit(5) for details. When
179           prefixed with an exclamation mark ("!"), the result is negated. If
180           an empty string is assigned, then previously assigned value is
181           cleared.
182

[LINK] SECTION OPTIONS

184       The "[Link]" section accepts the following keys:
185
186       MACAddress=
187           The hardware address to set for the device.
188
189       MTUBytes=
190           The maximum transmission unit in bytes to set for the device. The
191           usual suffixes K, M, G, are supported and are understood to the
192           base of 1024.
193
194           Note that if IPv6 is enabled on the interface, and the MTU is
195           chosen below 1280 (the minimum MTU for IPv6) it will automatically
196           be increased to this value.
197
198       ARP=
199           Takes a boolean. If set to true, the ARP (low-level Address
200           Resolution Protocol) for this interface is enabled. When unset, the
201           kernel's default will be used.
202
203           For example, disabling ARP is useful when creating multiple MACVLAN
204           or VLAN virtual interfaces atop a single lower-level physical
205           interface, which will then only serve as a link/"bridge" device
206           aggregating traffic to the same physical link and not participate
207           in the network otherwise.
208
209       Multicast=
210           Takes a boolean. If set to true, the multicast flag on the device
211           is enabled.
212
213       AllMulticast=
214           Takes a boolean. If set to true, the driver retrieves all multicast
215           packets from the network. This happens when multicast routing is
216           enabled.
217
218       Unmanaged=
219           Takes a boolean. When "yes", no attempts are made to bring up or
220           configure matching links, equivalent to when there are no matching
221           network files. Defaults to "no".
222
223           This is useful for preventing later matching network files from
224           interfering with certain interfaces that are fully controlled by
225           other applications.
226
227       RequiredForOnline=
228           Takes a boolean or a minimum operational state and an optional
229           maximum operational state. Please see networkctl(1) for possible
230           operational states. When "yes", the network is deemed required when
231           determining whether the system is online when running
232           systemd-networkd-wait-online. When "no", the network is ignored
233           when checking for online state. When a minimum operational state
234           and an optional maximum operational state are set, "yes" is
235           implied, and this controls the minimum and maximum operational
236           state required for the network interface to be considered online.
237           Defaults to "yes".
238
239           The network will be brought up normally in all cases, but in the
240           event that there is no address being assigned by DHCP or the cable
241           is not plugged in, the link will simply remain offline and be
242           skipped automatically by systemd-networkd-wait-online if
243           "RequiredForOnline=no".
244

[NETWORK] SECTION OPTIONS

246       The "[Network]" section accepts the following keys:
247
248       Description=
249           A description of the device. This is only used for presentation
250           purposes.
251
252       DHCP=
253           Enables DHCPv4 and/or DHCPv6 client support. Accepts "yes", "no",
254           "ipv4", or "ipv6". Defaults to "no".
255
256           Note that DHCPv6 will by default be triggered by Router
257           Advertisement, if that is enabled, regardless of this parameter. By
258           enabling DHCPv6 support explicitly, the DHCPv6 client will be
259           started regardless of the presence of routers on the link, or what
260           flags the routers pass. See "IPv6AcceptRA=".
261
262           Furthermore, note that by default the domain name specified through
263           DHCP is not used for name resolution. See option UseDomains= below.
264
265           See the "[DHCPv4]" or "[DHCPv6]" section below for further
266           configuration options for the DHCP client support.
267
268       DHCPServer=
269           Takes a boolean. If set to "yes", DHCPv4 server will be started.
270           Defaults to "no". Further settings for the DHCP server may be set
271           in the "[DHCPServer]" section described below.
272
273       LinkLocalAddressing=
274           Enables link-local address autoconfiguration. Accepts "yes", "no",
275           "ipv4", "ipv6", "fallback", or "ipv4-fallback". If "fallback" or
276           "ipv4-fallback" is specified, then an IPv4 link-local address is
277           configured only when DHCPv4 fails. If "fallback", an IPv6
278           link-local address is always configured, and if "ipv4-fallback",
279           the address is not configured. Note that, the fallback mechanism
280           works only when DHCPv4 client is enabled, that is, it requires
281           "DHCP=yes" or "DHCP=ipv4". If Bridge= is set, defaults to "no", and
282           if not, defaults to "ipv6".
283
284       IPv4LLRoute=
285           Takes a boolean. If set to true, sets up the route needed for
286           non-IPv4LL hosts to communicate with IPv4LL-only hosts. Defaults to
287           false.
288
289       DefaultRouteOnDevice=
290           Takes a boolean. If set to true, sets up the default route bound to
291           the interface. Defaults to false. This is useful when creating
292           routes on point-to-point interfaces. This is equivalent to e.g. the
293           following.
294
295               ip route add default dev veth99
296
297       IPv6Token=
298           Specifies an optional address generation mode and a required IPv6
299           address. If the mode is present, the two parts must be separated
300           with a colon "mode:address". The address generation mode may be
301           either prefixstable or static. If not specified, static is assumed.
302
303           When the mode is set to static, or unspecified, the lower bits of
304           the supplied address are combined with the upper bits of a prefix
305           received in a Router Advertisement message to form a complete
306           address. Note that if multiple prefixes are received in an RA
307           message, or in multiple RA messages, addresses will be formed from
308           each of them using the supplied address. This mode implements SLAAC
309           but uses a static interface identifier instead of an identifier
310           generated using the EUI-64 algorithm. Because the interface
311           identifier is static, if Duplicate Address Detection detects that
312           the computed address is a duplicate (in use by another node on the
313           link), then this mode will fail to provide an address for that
314           prefix.
315
316           When the mode is set to "prefixstable" the RFC 7217 algorithm for
317           generating interface identifiers will be used, but only when a
318           prefix received in an RA message matches the supplied address. See
319           RFC 7217[1]. Prefix matching will be attempted against each
320           prefixstable IPv6Token variable provided in the configuration; if a
321           received prefix does not match any of the provided addresses, then
322           the EUI-64 algorithm will be used to form an interface identifier
323           for that prefix. This mode is also SLAAC, but with a potentially
324           stable interface identifier which does not directly map to the
325           interface's hardware address. Note that the prefixstable algorithm
326           includes both the interface's name and MAC address in the hash used
327           to compute the interface identifier, so if either of those are
328           changed the resulting interface identifier (and address) will
329           change, even if the prefix received in the RA message has not
330           changed. Note that if multiple prefixstable IPv6Token variables are
331           supplied with addresses that match a prefix received in an RA
332           message, only the first one will be used to generate addresses.
333
334       LLMNR=
335           Takes a boolean or "resolve". When true, enables Link-Local
336           Multicast Name Resolution[2] on the link. When set to "resolve",
337           only resolution is enabled, but not host registration and
338           announcement. Defaults to true. This setting is read by systemd-
339           resolved.service(8).
340
341       MulticastDNS=
342           Takes a boolean or "resolve". When true, enables Multicast DNS[3]
343           support on the link. When set to "resolve", only resolution is
344           enabled, but not host or service registration and announcement.
345           Defaults to false. This setting is read by systemd-
346           resolved.service(8).
347
348       DNSOverTLS=
349           Takes a boolean or "opportunistic". When true, enables
350           DNS-over-TLS[4] support on the link. When set to "opportunistic",
351           compatibility with non-DNS-over-TLS servers is increased, by
352           automatically turning off DNS-over-TLS servers in this case. This
353           option defines a per-interface setting for resolved.conf(5)'s
354           global DNSOverTLS= option. Defaults to false. This setting is read
355           by systemd-resolved.service(8).
356
357       DNSSEC=
358           Takes a boolean. or "allow-downgrade". When true, enables DNSSEC[5]
359           DNS validation support on the link. When set to "allow-downgrade",
360           compatibility with non-DNSSEC capable networks is increased, by
361           automatically turning off DNSSEC in this case. This option defines
362           a per-interface setting for resolved.conf(5)'s global DNSSEC=
363           option. Defaults to false. This setting is read by systemd-
364           resolved.service(8).
365
366       DNSSECNegativeTrustAnchors=
367           A space-separated list of DNSSEC negative trust anchor domains. If
368           specified and DNSSEC is enabled, look-ups done via the interface's
369           DNS server will be subject to the list of negative trust anchors,
370           and not require authentication for the specified domains, or
371           anything below it. Use this to disable DNSSEC authentication for
372           specific private domains, that cannot be proven valid using the
373           Internet DNS hierarchy. Defaults to the empty list. This setting is
374           read by systemd-resolved.service(8).
375
376       LLDP=
377           Controls support for Ethernet LLDP packet reception. LLDP is a
378           link-layer protocol commonly implemented on professional routers
379           and bridges which announces which physical port a system is
380           connected to, as well as other related data. Accepts a boolean or
381           the special value "routers-only". When true, incoming LLDP packets
382           are accepted and a database of all LLDP neighbors maintained. If
383           "routers-only" is set only LLDP data of various types of routers is
384           collected and LLDP data about other types of devices ignored (such
385           as stations, telephones and others). If false, LLDP reception is
386           disabled. Defaults to "routers-only". Use networkctl(1) to query
387           the collected neighbor data. LLDP is only available on Ethernet
388           links. See EmitLLDP= below for enabling LLDP packet emission from
389           the local system.
390
391       EmitLLDP=
392           Controls support for Ethernet LLDP packet emission. Accepts a
393           boolean parameter or the special values "nearest-bridge",
394           "non-tpmr-bridge" and "customer-bridge". Defaults to false, which
395           turns off LLDP packet emission. If not false, a short LLDP packet
396           with information about the local system is sent out in regular
397           intervals on the link. The LLDP packet will contain information
398           about the local host name, the local machine ID (as stored in
399           machine-id(5)) and the local interface name, as well as the pretty
400           hostname of the system (as set in machine-info(5)). LLDP emission
401           is only available on Ethernet links. Note that this setting passes
402           data suitable for identification of host to the network and should
403           thus not be enabled on untrusted networks, where such
404           identification data should not be made available. Use this option
405           to permit other systems to identify on which interfaces they are
406           connected to this system. The three special values control
407           propagation of the LLDP packets. The "nearest-bridge" setting
408           permits propagation only to the nearest connected bridge,
409           "non-tpmr-bridge" permits propagation across Two-Port MAC Relays,
410           but not any other bridges, and "customer-bridge" permits
411           propagation until a customer bridge is reached. For details about
412           these concepts, see IEEE 802.1AB-2016[6]. Note that configuring
413           this setting to true is equivalent to "nearest-bridge", the
414           recommended and most restricted level of propagation. See LLDP=
415           above for an option to enable LLDP reception.
416
417       BindCarrier=
418           A link name or a list of link names. When set, controls the
419           behavior of the current link. When all links in the list are in an
420           operational down state, the current link is brought down. When at
421           least one link has carrier, the current interface is brought up.
422
423       Address=
424           A static IPv4 or IPv6 address and its prefix length, separated by a
425           "/" character. Specify this key more than once to configure several
426           addresses. The format of the address must be as described in
427           inet_pton(3). This is a short-hand for an [Address] section only
428           containing an Address key (see below). This option may be specified
429           more than once.
430
431           If the specified address is "0.0.0.0" (for IPv4) or "::" (for
432           IPv6), a new address range of the requested size is automatically
433           allocated from a system-wide pool of unused ranges. Note that the
434           prefix length must be equal or larger than 8 for IPv4, and 64 for
435           IPv6. The allocated range is checked against all current network
436           interfaces and all known network configuration files to avoid
437           address range conflicts. The default system-wide pool consists of
438           192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8 for IPv4, and fd00::/8
439           for IPv6. This functionality is useful to manage a large number of
440           dynamically created network interfaces with the same network
441           configuration and automatic address range assignment.
442
443       Gateway=
444           The gateway address, which must be in the format described in
445           inet_pton(3). This is a short-hand for a [Route] section only
446           containing a Gateway key. This option may be specified more than
447           once.
448
449       DNS=
450           A DNS server address, which must be in the format described in
451           inet_pton(3). This option may be specified more than once. This
452           setting is read by systemd-resolved.service(8).
453
454       Domains=
455           A whitespace-separated list of domains which should be resolved
456           using the DNS servers on this link. Each item in the list should be
457           a domain name, optionally prefixed with a tilde ("~"). The domains
458           with the prefix are called "routing-only domains". The domains
459           without the prefix are called "search domains" and are first used
460           as search suffixes for extending single-label host names (host
461           names containing no dots) to become fully qualified domain names
462           (FQDNs). If a single-label host name is resolved on this interface,
463           each of the specified search domains are appended to it in turn,
464           converting it into a fully qualified domain name, until one of them
465           may be successfully resolved.
466
467           Both "search" and "routing-only" domains are used for routing of
468           DNS queries: look-ups for host names ending in those domains (hence
469           also single label names, if any "search domains" are listed), are
470           routed to the DNS servers configured for this interface. The domain
471           routing logic is particularly useful on multi-homed hosts with DNS
472           servers serving particular private DNS zones on each interface.
473
474           The "routing-only" domain "~."  (the tilde indicating definition of
475           a routing domain, the dot referring to the DNS root domain which is
476           the implied suffix of all valid DNS names) has special effect. It
477           causes all DNS traffic which does not match another configured
478           domain routing entry to be routed to DNS servers specified for this
479           interface. This setting is useful to prefer a certain set of DNS
480           servers if a link on which they are connected is available.
481
482           This setting is read by systemd-resolved.service(8). "Search
483           domains" correspond to the domain and search entries in
484           resolv.conf(5). Domain name routing has no equivalent in the
485           traditional glibc API, which has no concept of domain name servers
486           limited to a specific link.
487
488       DNSDefaultRoute=
489           Takes a boolean argument. If true, this link's configured DNS
490           servers are used for resolving domain names that do not match any
491           link's configured Domains= setting. If false, this link's
492           configured DNS servers are never used for such domains, and are
493           exclusively used for resolving names that match at least one of the
494           domains configured on this link. If not specified defaults to an
495           automatic mode: queries not matching any link's configured domains
496           will be routed to this link if it has no routing-only domains
497           configured.
498
499       NTP=
500           An NTP server address. This option may be specified more than once.
501           This setting is read by systemd-timesyncd.service(8).
502
503       IPForward=
504           Configures IP packet forwarding for the system. If enabled,
505           incoming packets on any network interface will be forwarded to any
506           other interfaces according to the routing table. Takes a boolean,
507           or the values "ipv4" or "ipv6", which only enable IP packet
508           forwarding for the specified address family. This controls the
509           net.ipv4.ip_forward and net.ipv6.conf.all.forwarding sysctl options
510           of the network interface (see ip-sysctl.txt[7] for details about
511           sysctl options). Defaults to "no".
512
513           Note: this setting controls a global kernel option, and does so one
514           way only: if a network that has this setting enabled is set up the
515           global setting is turned on. However, it is never turned off again,
516           even after all networks with this setting enabled are shut down
517           again.
518
519           To allow IP packet forwarding only between specific network
520           interfaces use a firewall.
521
522       IPMasquerade=
523           Configures IP masquerading for the network interface. If enabled,
524           packets forwarded from the network interface will be appear as
525           coming from the local host. Takes a boolean argument. Implies
526           IPForward=ipv4. Defaults to "no".
527
528       IPv6PrivacyExtensions=
529           Configures use of stateless temporary addresses that change over
530           time (see RFC 4941[8], Privacy Extensions for Stateless Address
531           Autoconfiguration in IPv6). Takes a boolean or the special values
532           "prefer-public" and "kernel". When true, enables the privacy
533           extensions and prefers temporary addresses over public addresses.
534           When "prefer-public", enables the privacy extensions, but prefers
535           public addresses over temporary addresses. When false, the privacy
536           extensions remain disabled. When "kernel", the kernel's default
537           setting will be left in place. Defaults to "no".
538
539       IPv6AcceptRA=
540           Takes a boolean. Controls IPv6 Router Advertisement (RA) reception
541           support for the interface. If true, RAs are accepted; if false, RAs
542           are ignored. When RAs are accepted, they may trigger the start of
543           the DHCPv6 client if the relevant flags are set in the RA data, or
544           if no routers are found on the link. The default is to disable RA
545           reception for bridge devices or when IP forwarding is enabled, and
546           to enable it otherwise. Cannot be enabled on bond devices and when
547           link local adressing is disabled.
548
549           Further settings for the IPv6 RA support may be configured in the
550           "[IPv6AcceptRA]" section, see below.
551
552           Also see ip-sysctl.txt[7] in the kernel documentation regarding
553           "accept_ra", but note that systemd's setting of 1 (i.e. true)
554           corresponds to kernel's setting of 2.
555
556           Note that kernel's implementation of the IPv6 RA protocol is always
557           disabled, regardless of this setting. If this option is enabled, a
558           userspace implementation of the IPv6 RA protocol is used, and the
559           kernel's own implementation remains disabled, since
560           systemd-networkd needs to know all details supplied in the
561           advertisements, and these are not available from the kernel if the
562           kernel's own implementation is used.
563
564       IPv6DuplicateAddressDetection=
565           Configures the amount of IPv6 Duplicate Address Detection (DAD)
566           probes to send. When unset, the kernel's default will be used.
567
568       IPv6HopLimit=
569           Configures IPv6 Hop Limit. For each router that forwards the
570           packet, the hop limit is decremented by 1. When the hop limit field
571           reaches zero, the packet is discarded. When unset, the kernel's
572           default will be used.
573
574       IPv4ProxyARP=
575           Takes a boolean. Configures proxy ARP for IPv4. Proxy ARP is the
576           technique in which one host, usually a router, answers ARP requests
577           intended for another machine. By "faking" its identity, the router
578           accepts responsibility for routing packets to the "real"
579           destination. (see RFC 1027[9]. When unset, the kernel's default
580           will be used.
581
582       IPv6ProxyNDP=
583           Takes a boolean. Configures proxy NDP for IPv6. Proxy NDP (Neighbor
584           Discovery Protocol) is a technique for IPv6 to allow routing of
585           addresses to a different destination when peers expect them to be
586           present on a certain physical link. In this case a router answers
587           Neighbour Advertisement messages intended for another machine by
588           offering its own MAC address as destination. Unlike proxy ARP for
589           IPv4, it is not enabled globally, but will only send Neighbour
590           Advertisement messages for addresses in the IPv6 neighbor proxy
591           table, which can also be shown by ip -6 neighbour show proxy.
592           systemd-networkd will control the per-interface `proxy_ndp` switch
593           for each configured interface depending on this option. When unset,
594           the kernel's default will be used.
595
596       IPv6ProxyNDPAddress=
597           An IPv6 address, for which Neighbour Advertisement messages will be
598           proxied. This option may be specified more than once.
599           systemd-networkd will add the IPv6ProxyNDPAddress= entries to the
600           kernel's IPv6 neighbor proxy table. This option implies
601           IPv6ProxyNDP=yes but has no effect if IPv6ProxyNDP has been set to
602           false. When unset, the kernel's default will be used.
603
604       IPv6PrefixDelegation=
605           Whether to enable or disable Router Advertisement sending on a
606           link. Allowed values are "static" which distributes prefixes as
607           defined in the "[IPv6PrefixDelegation]" and any "[IPv6Prefix]"
608           sections, "dhcpv6" which requests prefixes using a DHCPv6 client
609           configured for another link and any values configured in the
610           "[IPv6PrefixDelegation]" section while ignoring all static prefix
611           configuration sections, "yes" which uses both static configuration
612           and DHCPv6, and "false" which turns off IPv6 prefix delegation
613           altogether. Defaults to "false". See the "[IPv6PrefixDelegation]"
614           and the "[IPv6Prefix]" sections for more configuration options.
615
616       IPv6MTUBytes=
617           Configures IPv6 maximum transmission unit (MTU). An integer greater
618           than or equal to 1280 bytes. When unset, the kernel's default will
619           be used.
620
621       Bridge=
622           The name of the bridge to add the link to. See systemd.netdev(5).
623
624       Bond=
625           The name of the bond to add the link to. See systemd.netdev(5).
626
627       VRF=
628           The name of the VRF to add the link to. See systemd.netdev(5).
629
630       VLAN=
631           The name of a VLAN to create on the link. See systemd.netdev(5).
632           This option may be specified more than once.
633
634       IPVLAN=
635           The name of a IPVLAN to create on the link. See systemd.netdev(5).
636           This option may be specified more than once.
637
638       MACVLAN=
639           The name of a MACVLAN to create on the link. See systemd.netdev(5).
640           This option may be specified more than once.
641
642       VXLAN=
643           The name of a VXLAN to create on the link. See systemd.netdev(5).
644           This option may be specified more than once.
645
646       Tunnel=
647           The name of a Tunnel to create on the link. See systemd.netdev(5).
648           This option may be specified more than once.
649
650       MACsec=
651           The name of a MACsec device to create on the link. See
652           systemd.netdev(5). This option may be specified more than once.
653
654       ActiveSlave=
655           Takes a boolean. Specifies the new active slave. The "ActiveSlave="
656           option is only valid for following modes: "active-backup",
657           "balance-alb" and "balance-tlb". Defaults to false.
658
659       PrimarySlave=
660           Takes a boolean. Specifies which slave is the primary device. The
661           specified device will always be the active slave while it is
662           available. Only when the primary is off-line will alternate devices
663           be used. This is useful when one slave is preferred over another,
664           e.g. when one slave has higher throughput than another. The
665           "PrimarySlave=" option is only valid for following modes:
666           "active-backup", "balance-alb" and "balance-tlb". Defaults to
667           false.
668
669       ConfigureWithoutCarrier=
670           Takes a boolean. Allows networkd to configure a specific link even
671           if it has no carrier. Defaults to false.
672
673       IgnoreCarrierLoss=
674           A boolean. Allows networkd to retain both the static and dynamic
675           configuration of the interface even if its carrier is lost.
676           Defaults to false.
677
678       Xfrm=
679           The name of the xfrm to create on the link. See systemd.netdev(5).
680           This option may be specified more than once.
681
682       KeepConfiguration=
683           Takes a boolean or one of "static", "dhcp-on-stop", "dhcp". When
684           "static", systemd-networkd will not drop static addresses and
685           routes on starting up process. When set to "dhcp-on-stop",
686           systemd-networkd will not drop addresses and routes on stopping the
687           daemon. When "dhcp", the addresses and routes provided by a DHCP
688           server will never be dropped even if the DHCP lease expires. This
689           is contrary to the DHCP specification, but may be the best choice
690           if, e.g., the root filesystem relies on this connection. The
691           setting "dhcp" implies "dhcp-on-stop", and "yes" implies "dhcp" and
692           "static". Defaults to "no".
693

[ADDRESS] SECTION OPTIONS

695       An "[Address]" section accepts the following keys. Specify several
696       "[Address]" sections to configure several addresses.
697
698       Address=
699           As in the "[Network]" section. This key is mandatory. Each
700           "[Address]" section can contain one Address= setting.
701
702       Peer=
703           The peer address in a point-to-point connection. Accepts the same
704           format as the Address= key.
705
706       Broadcast=
707           The broadcast address, which must be in the format described in
708           inet_pton(3). This key only applies to IPv4 addresses. If it is not
709           given, it is derived from the Address= key.
710
711       Label=
712           An address label.
713
714       PreferredLifetime=
715           Allows the default "preferred lifetime" of the address to be
716           overridden. Only three settings are accepted: "forever" or
717           "infinity" which is the default and means that the address never
718           expires, and "0" which means that the address is considered
719           immediately "expired" and will not be used, unless explicitly
720           requested. A setting of PreferredLifetime=0 is useful for addresses
721           which are added to be used only by a specific application, which is
722           then configured to use them explicitly.
723
724       Scope=
725           The scope of the address, which can be "global", "link" or "host"
726           or an unsigned integer ranges 0 to 255. Defaults to "global".
727
728       HomeAddress=
729           Takes a boolean. Designates this address the "home address" as
730           defined in RFC 6275[10]. Supported only on IPv6. Defaults to false.
731
732       DuplicateAddressDetection=
733           Takes one of "ipv4", "ipv6", "both", "none". When "ipv4", performs
734           IPv4 Duplicate Address Detection. See RFC 5224[11]. When "ipv6",
735           performs IPv6 Duplicate Address Detection. See RFC 4862[12].
736           Defaults to "ipv6".
737
738       ManageTemporaryAddress=
739           Takes a boolean. If true the kernel manage temporary addresses
740           created from this one as template on behalf of Privacy Extensions
741           RFC 3041[13]. For this to become active, the use_tempaddr sysctl
742           setting has to be set to a value greater than zero. The given
743           address needs to have a prefix length of 64. This flag allows using
744           privacy extensions in a manually configured network, just like if
745           stateless auto-configuration was active. Defaults to false.
746
747       AddPrefixRoute=
748           Takes a boolean. When true, the prefix route for the address is
749           automatically added. Defaults to true.
750
751       AutoJoin=
752           Takes a boolean. Joining multicast group on ethernet level via ip
753           maddr command would not work if we have an Ethernet switch that
754           does IGMP snooping since the switch would not replicate multicast
755           packets on ports that did not have IGMP reports for the multicast
756           addresses. Linux vxlan interfaces created via ip link add vxlan or
757           networkd's netdev kind vxlan have the group option that enables
758           then to do the required join. By extending ip address command with
759           option "autojoin" we can get similar functionality for openvswitch
760           (OVS) vxlan interfaces as well as other tunneling mechanisms that
761           need to receive multicast traffic. Defaults to "no".
762

[NEIGHBOR] SECTION OPTIONS

764       A "[Neighbor]" section accepts the following keys. The neighbor section
765       adds a permanent, static entry to the neighbor table (IPv6) or ARP
766       table (IPv4) for the given hardware address on the links matched for
767       the network. Specify several "[Neighbor]" sections to configure several
768       static neighbors.
769
770       Address=
771           The IP address of the neighbor.
772
773       LinkLayerAddress=
774           The link layer address (MAC address or IP address) of the neighbor.
775

[IPV6ADDRESSLABEL] SECTION OPTIONS

777       An "[IPv6AddressLabel]" section accepts the following keys. Specify
778       several "[IPv6AddressLabel]" sections to configure several address
779       labels. IPv6 address labels are used for address selection. See RFC
780       3484[14]. Precedence is managed by userspace, and only the label itself
781       is stored in the kernel
782
783       Label=
784           The label for the prefix (an unsigned integer) ranges 0 to
785           4294967294. 0xffffffff is reserved. This key is mandatory.
786
787       Prefix=
788           IPv6 prefix is an address with a prefix length, separated by a
789           slash "/" character. This key is mandatory.
790

[ROUTINGPOLICYRULE] SECTION OPTIONS

792       An "[RoutingPolicyRule]" section accepts the following keys. Specify
793       several "[RoutingPolicyRule]" sections to configure several rules.
794
795       TypeOfService=
796           Specifies the type of service to match a number between 0 to 255.
797
798       From=
799           Specifies the source address prefix to match. Possibly followed by
800           a slash and the prefix length.
801
802       To=
803           Specifies the destination address prefix to match. Possibly
804           followed by a slash and the prefix length.
805
806       FirewallMark=
807           Specifies the iptables firewall mark value to match (a number
808           between 1 and 4294967295).
809
810       Table=
811           Specifies the routing table identifier to lookup if the rule
812           selector matches. Takes one of "default", "main", and "local", or a
813           number between 1 and 4294967295. Defaults to "main".
814
815       Priority=
816           Specifies the priority of this rule.  Priority= is an unsigned
817           integer. Higher number means lower priority, and rules get
818           processed in order of increasing number.
819
820       IncomingInterface=
821           Specifies incoming device to match. If the interface is loopback,
822           the rule only matches packets originating from this host.
823
824       OutgoingInterface=
825           Specifies the outgoing device to match. The outgoing interface is
826           only available for packets originating from local sockets that are
827           bound to a device.
828
829       SourcePort=
830           Specifies the source IP port or IP port range match in forwarding
831           information base (FIB) rules. A port range is specified by the
832           lower and upper port separated by a dash. Defaults to unset.
833
834       DestinationPort=
835           Specifies the destination IP port or IP port range match in
836           forwarding information base (FIB) rules. A port range is specified
837           by the lower and upper port separated by a dash. Defaults to unset.
838
839       IPProtocol=
840           Specifies the IP protocol to match in forwarding information base
841           (FIB) rules. Takes IP protocol name such as "tcp", "udp" or "sctp",
842           or IP protocol number such as "6" for "tcp" or "17" for "udp".
843           Defaults to unset.
844
845       InvertRule=
846           A boolean. Specifies whether the rule is to be inverted. Defaults
847           to false.
848
849       Family=
850           Takes a special value "ipv4", "ipv6", or "both". By default, the
851           address family is determined by the address specified in To= or
852           From=. If neither To= nor From= are specified, then defaults to
853           "ipv4".
854
855       User=
856           Takes a username, a user ID, or a range of user IDs separated by a
857           dash. Defaults to unset.
858
859       SuppressPrefixLength=
860           Takes a number N in the range 0-128 and rejects routing decisions
861           that have a prefix length of N or less. Defaults to unset.
862

[NEXTHOP] SECTION OPTIONS

864       The "[NextHop]" section accepts the following keys. Specify several
865       "[NextHop]" sections to configure several nexthop. Nexthop is used to
866       manipulate entries in the kernel's nexthop tables.
867
868       Gateway=
869           As in the "[Network]" section. This is mandatory.
870
871       Id=
872           The id of the nexthop (an unsigned integer). If unspecified or '0'
873           then automatically chosen by kernel.
874

[ROUTE] SECTION OPTIONS

876       The "[Route]" section accepts the following keys. Specify several
877       "[Route]" sections to configure several routes.
878
879       Gateway=
880           Takes the gateway address or special value "_dhcp". If "_dhcp",
881           then the gateway address provided by DHCP (or in the IPv6 case,
882           provided by IPv6 RA) is used.
883
884       GatewayOnLink=
885           Takes a boolean. If set to true, the kernel does not have to check
886           if the gateway is reachable directly by the current machine (i.e.,
887           the kernel does not need to check if the gateway is attached to the
888           local network), so that we can insert the route in the kernel table
889           without it being complained about. Defaults to "no".
890
891       Destination=
892           The destination prefix of the route. Possibly followed by a slash
893           and the prefix length. If omitted, a full-length host route is
894           assumed.
895
896       Source=
897           The source prefix of the route. Possibly followed by a slash and
898           the prefix length. If omitted, a full-length host route is assumed.
899
900       Metric=
901           The metric of the route (an unsigned integer).
902
903       IPv6Preference=
904           Specifies the route preference as defined in RFC4191[15] for Router
905           Discovery messages. Which can be one of "low" the route has a
906           lowest priority, "medium" the route has a default priority or
907           "high" the route has a highest priority.
908
909       Scope=
910           The scope of the route, which can be "global", "site", "link",
911           "host", or "nowhere". For IPv4 route, defaults to "host" if Type=
912           is "local" or "nat", and "link" if Type= is "broadcast",
913           "multicast", or "anycast". In other cases, defaults to "global".
914
915       PreferredSource=
916           The preferred source address of the route. The address must be in
917           the format described in inet_pton(3).
918
919       Table=
920           The table identifier for the route. Takes "default", "main",
921           "local" or a number between 1 and 4294967295. The table can be
922           retrieved using ip route show table num. If unset and Type= is
923           "local", "broadcast", "anycast", or "nat", then "local" is used. In
924           other cases, defaults to "main".
925
926       Protocol=
927           The protocol identifier for the route. Takes a number between 0 and
928           255 or the special values "kernel", "boot", "static", "ra" and
929           "dhcp". Defaults to "static".
930
931       Type=
932           Specifies the type for the route. Takes one of "unicast", "local",
933           "broadcast", "anycast", "multicast", "blackhole", "unreachable",
934           "prohibit", "throw", "nat", and "xresolve". If "unicast", a regular
935           route is defined, i.e. a route indicating the path to take to a
936           destination network address. If "blackhole", packets to the defined
937           route are discarded silently. If "unreachable", packets to the
938           defined route are discarded and the ICMP message "Host Unreachable"
939           is generated. If "prohibit", packets to the defined route are
940           discarded and the ICMP message "Communication Administratively
941           Prohibited" is generated. If "throw", route lookup in the current
942           routing table will fail and the route selection process will return
943           to Routing Policy Database (RPDB). Defaults to "unicast".
944
945       InitialCongestionWindow=
946           The TCP initial congestion window is used during the start of a TCP
947           connection. During the start of a TCP session, when a client
948           requests a resource, the server's initial congestion window
949           determines how many data bytes will be sent during the initial
950           burst of data. Takes a size in bytes between 1 and 4294967295 (2^32
951           - 1). The usual suffixes K, M, G are supported and are understood
952           to the base of 1024. When unset, the kernel's default will be used.
953
954       InitialAdvertisedReceiveWindow=
955           The TCP initial advertised receive window is the amount of receive
956           data (in bytes) that can initially be buffered at one time on a
957           connection. The sending host can send only that amount of data
958           before waiting for an acknowledgment and window update from the
959           receiving host. Takes a size in bytes between 1 and 4294967295
960           (2^32 - 1). The usual suffixes K, M, G are supported and are
961           understood to the base of 1024. When unset, the kernel's default
962           will be used.
963
964       QuickAck=
965           Takes a boolean. When true enables TCP quick ack mode for the
966           route. When unset, the kernel's default will be used.
967
968       FastOpenNoCookie=
969           Takes a boolean. When true enables TCP fastopen without a cookie on
970           a per-route basis. When unset, the kernel's default will be used.
971
972       TTLPropagate=
973           Takes a boolean. When true enables TTL propagation at Label
974           Switched Path (LSP) egress. When unset, the kernel's default will
975           be used.
976
977       MTUBytes=
978           The maximum transmission unit in bytes to set for the route. The
979           usual suffixes K, M, G, are supported and are understood to the
980           base of 1024.
981
982           Note that if IPv6 is enabled on the interface, and the MTU is
983           chosen below 1280 (the minimum MTU for IPv6) it will automatically
984           be increased to this value.
985
986       IPServiceType=
987           Takes string; "CS6" or "CS4". Used to set IP service type to CS6
988           (network control) or CS4 (Realtime). Defaults to CS6.
989
990       MultiPathRoute=address[@name] [weight]
991           Configures multipath route. Multipath routing is the technique of
992           using multiple alternative paths through a network. Takes gateway
993           address. Optionally, takes a network interface name or index
994           separated with "@", and a weight in 1..256 for this multipath route
995           separated with whitespace. This setting can be specified multiple
996           times. If an empty string is assigned, then the all previous
997           assignments are cleared.
998

[DHCPV4] SECTION OPTIONS

1000       The "[DHCPv4]" section configures the DHCPv4 client, if it is enabled
1001       with the DHCP= setting described above:
1002
1003       UseDNS=
1004           When true (the default), the DNS servers received from the DHCP
1005           server will be used and take precedence over any statically
1006           configured ones.
1007
1008           This corresponds to the nameserver option in resolv.conf(5).
1009
1010       RoutesToDNS=
1011           When true, the routes to the DNS servers received from the DHCP
1012           server will be configured. When UseDNS= is disabled, this setting
1013           is ignored. Defaults to false.
1014
1015       UseNTP=
1016           When true (the default), the NTP servers received from the DHCP
1017           server will be used by systemd-timesyncd and take precedence over
1018           any statically configured ones.
1019
1020       UseSIP=
1021           When true (the default), the SIP servers received from the DHCP
1022           server will be saved at the state files and can be read via
1023           sd_network_link_get_sip_servers() function.
1024
1025       UseMTU=
1026           When true, the interface maximum transmission unit from the DHCP
1027           server will be used on the current link. If MTUBytes= is set, then
1028           this setting is ignored. Defaults to false.
1029
1030       Anonymize=
1031           Takes a boolean. When true, the options sent to the DHCP server
1032           will follow the RFC 7844[16] (Anonymity Profiles for DHCP Clients)
1033           to minimize disclosure of identifying information. Defaults to
1034           false.
1035
1036           This option should only be set to true when MACAddressPolicy= is
1037           set to "random" (see systemd.link(5)).
1038
1039           Note that this configuration will overwrite others. In concrete,
1040           the following variables will be ignored: SendHostname=,
1041           ClientIdentifier=, UseRoutes=, UseMTU=, VendorClassIdentifier=,
1042           UseTimezone=.
1043
1044           With this option enabled DHCP requests will mimic those generated
1045           by Microsoft Windows, in order to reduce the ability to fingerprint
1046           and recognize installations. This means DHCP request sizes will
1047           grow and lease data will be more comprehensive than normally,
1048           though most of the requested data is not actually used.
1049
1050       SendHostname=
1051           When true (the default), the machine's hostname will be sent to the
1052           DHCP server. Note that the machine's hostname must consist only of
1053           7-bit ASCII lower-case characters and no spaces or dots, and be
1054           formatted as a valid DNS domain name. Otherwise, the hostname is
1055           not sent even if this is set to true.
1056
1057       UseHostname=
1058           When true (the default), the hostname received from the DHCP server
1059           will be set as the transient hostname of the system.
1060
1061       Hostname=
1062           Use this value for the hostname which is sent to the DHCP server,
1063           instead of machine's hostname. Note that the specified hostname
1064           must consist only of 7-bit ASCII lower-case characters and no
1065           spaces or dots, and be formatted as a valid DNS domain name.
1066
1067       UseDomains=
1068           Takes a boolean, or the special value "route". When true, the
1069           domain name received from the DHCP server will be used as DNS
1070           search domain over this link, similar to the effect of the Domains=
1071           setting. If set to "route", the domain name received from the DHCP
1072           server will be used for routing DNS queries only, but not for
1073           searching, similar to the effect of the Domains= setting when the
1074           argument is prefixed with "~". Defaults to false.
1075
1076           It is recommended to enable this option only on trusted networks,
1077           as setting this affects resolution of all host names, in particular
1078           of single-label names. It is generally safer to use the supplied
1079           domain only as routing domain, rather than as search domain, in
1080           order to not have it affect local resolution of single-label names.
1081
1082           When set to true, this setting corresponds to the domain option in
1083           resolv.conf(5).
1084
1085       UseRoutes=
1086           When true (the default), the static routes will be requested from
1087           the DHCP server and added to the routing table with a metric of
1088           1024, and a scope of "global", "link" or "host", depending on the
1089           route's destination and gateway. If the destination is on the local
1090           host, e.g., 127.x.x.x, or the same as the link's own address, the
1091           scope will be set to "host". Otherwise if the gateway is null (a
1092           direct route), a "link" scope will be used. For anything else,
1093           scope defaults to "global".
1094
1095       UseTimezone=
1096           When true, the timezone received from the DHCP server will be set
1097           as timezone of the local system. Defaults to "no".
1098
1099       ClientIdentifier=
1100           The DHCPv4 client identifier to use. Takes one of "mac", "duid" or
1101           "duid-only". If set to "mac", the MAC address of the link is used.
1102           If set to "duid", an RFC4361-compliant Client ID, which is the
1103           combination of IAID and DUID (see below), is used. If set to
1104           "duid-only", only DUID is used, this may not be RFC compliant, but
1105           some setups may require to use this. Defaults to "duid".
1106
1107       VendorClassIdentifier=
1108           The vendor class identifier used to identify vendor type and
1109           configuration.
1110
1111       UserClass=
1112           A DHCPv4 client can use UserClass option to identify the type or
1113           category of user or applications it represents. The information
1114           contained in this option is a string that represents the user class
1115           of which the client is a member. Each class sets an identifying
1116           string of information to be used by the DHCP service to classify
1117           clients. Takes a whitespace-separated list of strings.
1118
1119       MaxAttempts=
1120           Specifies how many times the DHCPv4 client configuration should be
1121           attempted. Takes a number or "infinity". Defaults to "infinity".
1122           Note that the time between retries is increased exponentially, so
1123           the network will not be overloaded even if this number is high.
1124
1125       DUIDType=
1126           Override the global DUIDType setting for this network. See
1127           networkd.conf(5) for a description of possible values.
1128
1129       DUIDRawData=
1130           Override the global DUIDRawData setting for this network. See
1131           networkd.conf(5) for a description of possible values.
1132
1133       IAID=
1134           The DHCP Identity Association Identifier (IAID) for the interface,
1135           a 32-bit unsigned integer.
1136
1137       RequestBroadcast=
1138           Request the server to use broadcast messages before the IP address
1139           has been configured. This is necessary for devices that cannot
1140           receive RAW packets, or that cannot receive packets at all before
1141           an IP address has been configured. On the other hand, this must not
1142           be enabled on networks where broadcasts are filtered out.
1143
1144       RouteMetric=
1145           Set the routing metric for routes specified by the DHCP server.
1146
1147       RouteTable=num
1148           The table identifier for DHCP routes (a number between 1 and
1149           4294967295, or 0 to unset). The table can be retrieved using ip
1150           route show table num.
1151
1152           When used in combination with VRF= the VRF's routing table is used
1153           unless this parameter is specified.
1154
1155       RouteMTUBytes=
1156           Specifies the MTU for the DHCP routes. Please see the [Route]
1157           section for further details.
1158
1159       ListenPort=
1160           Allow setting custom port for the DHCP client to listen on.
1161
1162       SendRelease=
1163           When true, the DHCPv4 client sends a DHCP release packet when it
1164           stops. Defaults to true.
1165
1166       SendDecline=
1167           A boolen. When "true", DHCPv4 clients receives IP address from DHCP
1168           server. After new IP is received, DHCPv4 performs IPv4 Duplicate
1169           Address Detection. If duplicate use of IP is detected the DHCPv4
1170           client rejects the IP by sending a DHCPDECLINE packet DHCP clients
1171           try to obtain an IP address again. See RFC 5224[11]. Defaults to
1172           "unset".
1173
1174       BlackList=
1175           A whitespace-separated list of IPv4 addresses. DHCP offers from
1176           servers in the list are rejected.
1177
1178       RequestOptions=
1179           A whitespace-separated list of integers in the range 1–254.
1180
1181       SendOption=
1182           Send an arbitrary option in the DHCPv4 request. Takes a DHCP option
1183           number, data type and data separated with a colon
1184           ("option:type:value"). The option number must be an integer in the
1185           range 1..254. The type takes one of "uint8", "uint16", "uint32",
1186           "ipv4address", or "string". Special characters in the data string
1187           may be escaped using C-style escapes[17]. This setting can be
1188           specified multiple times. If an empty string is specified, then all
1189           options specified earlier are cleared. Defaults to unset.
1190

[DHCPV6] SECTION OPTIONS

1192       The "[DHCPv6]" section configures the DHCPv6 client, if it is enabled
1193       with the DHCP= setting described above, or invoked by the IPv6 Router
1194       Advertisement:
1195
1196       UseDNS=, UseNTP=
1197           As in the "[DHCPv4]" section.
1198
1199       RapidCommit=
1200           Takes a boolean. The DHCPv6 client can obtain configuration
1201           parameters from a DHCPv6 server through a rapid two-message
1202           exchange (solicit and reply). When the rapid commit option is
1203           enabled by both the DHCPv6 client and the DHCPv6 server, the
1204           two-message exchange is used, rather than the default four-method
1205           exchange (solicit, advertise, request, and reply). The two-message
1206           exchange provides faster client configuration and is beneficial in
1207           environments in which networks are under a heavy load. See RFC
1208           3315[18] for details. Defaults to true.
1209
1210       ForceDHCPv6PDOtherInformation=
1211           Takes a boolean that enforces DHCPv6 stateful mode when the 'Other
1212           information' bit is set in Router Advertisement messages. By
1213           default setting only the 'O' bit in Router Advertisements makes
1214           DHCPv6 request network information in a stateless manner using a
1215           two-message Information Request and Information Reply message
1216           exchange.  RFC 7084[19], requirement WPD-4, updates this behavior
1217           for a Customer Edge router so that stateful DHCPv6 Prefix
1218           Delegation is also requested when only the 'O' bit is set in Router
1219           Advertisements. This option enables such a CE behavior as it is
1220           impossible to automatically distinguish the intention of the 'O'
1221           bit otherwise. By default this option is set to 'false', enable it
1222           if no prefixes are delegated when the device should be acting as a
1223           CE router.
1224
1225       PrefixDelegationHint=
1226           Takes an IPv6 address with prefix length as Address= in the
1227           "[Network]" section. Specifies the DHCPv6 client for the requesting
1228           router to include a prefix-hint in the DHCPv6 solicitation. Prefix
1229           ranges 1-128. Defaults to unset.
1230

[IPV6ACCEPTRA] SECTION OPTIONS

1232       The "[IPv6AcceptRA]" section configures the IPv6 Router Advertisement
1233       (RA) client, if it is enabled with the IPv6AcceptRA= setting described
1234       above:
1235
1236       UseDNS=
1237           When true (the default), the DNS servers received in the Router
1238           Advertisement will be used and take precedence over any statically
1239           configured ones.
1240
1241           This corresponds to the nameserver option in resolv.conf(5).
1242
1243       UseDomains=
1244           Takes a boolean, or the special value "route". When true, the
1245           domain name received via IPv6 Router Advertisement (RA) will be
1246           used as DNS search domain over this link, similar to the effect of
1247           the Domains= setting. If set to "route", the domain name received
1248           via IPv6 RA will be used for routing DNS queries only, but not for
1249           searching, similar to the effect of the Domains= setting when the
1250           argument is prefixed with "~". Defaults to false.
1251
1252           It is recommended to enable this option only on trusted networks,
1253           as setting this affects resolution of all host names, in particular
1254           of single-label names. It is generally safer to use the supplied
1255           domain only as routing domain, rather than as search domain, in
1256           order to not have it affect local resolution of single-label names.
1257
1258           When set to true, this setting corresponds to the domain option in
1259           resolv.conf(5).
1260
1261       RouteTable=num
1262           The table identifier for the routes received in the Router
1263           Advertisement (a number between 1 and 4294967295, or 0 to unset).
1264           The table can be retrieved using ip route show table num.
1265
1266       UseAutonomousPrefix=
1267           When true (the default), the autonomous prefix received in the
1268           Router Advertisement will be used and take precedence over any
1269           statically configured ones.
1270
1271       UseOnLinkPrefix=
1272           When true (the default), the onlink prefix received in the Router
1273           Advertisement will be used and take precedence over any statically
1274           configured ones.
1275
1276       BlackList=
1277           A whitespace-separated list of IPv6 prefixes. IPv6 prefixes
1278           supplied via router advertisements in the list are ignored.
1279

[DHCPSERVER] SECTION OPTIONS

1281       The "[DHCPServer]" section contains settings for the DHCP server, if
1282       enabled via the DHCPServer= option described above:
1283
1284       PoolOffset=, PoolSize=
1285           Configures the pool of addresses to hand out. The pool is a
1286           contiguous sequence of IP addresses in the subnet configured for
1287           the server address, which does not include the subnet nor the
1288           broadcast address.  PoolOffset= takes the offset of the pool from
1289           the start of subnet, or zero to use the default value.  PoolSize=
1290           takes the number of IP addresses in the pool or zero to use the
1291           default value. By default, the pool starts at the first address
1292           after the subnet address and takes up the rest of the subnet,
1293           excluding the broadcast address. If the pool includes the server
1294           address (the default), this is reserved and not handed out to
1295           clients.
1296
1297       DefaultLeaseTimeSec=, MaxLeaseTimeSec=
1298           Control the default and maximum DHCP lease time to pass to clients.
1299           These settings take time values in seconds or another common time
1300           unit, depending on the suffix. The default lease time is used for
1301           clients that did not ask for a specific lease time. If a client
1302           asks for a lease time longer than the maximum lease time, it is
1303           automatically shortened to the specified time. The default lease
1304           time defaults to 1h, the maximum lease time to 12h. Shorter lease
1305           times are beneficial if the configuration data in DHCP leases
1306           changes frequently and clients shall learn the new settings with
1307           shorter latencies. Longer lease times reduce the generated DHCP
1308           network traffic.
1309
1310       EmitDNS=, DNS=
1311           Takes a boolean. Configures whether the DHCP leases handed out to
1312           clients shall contain DNS server information. Defaults to "yes".
1313           The DNS servers to pass to clients may be configured with the DNS=
1314           option, which takes a list of IPv4 addresses. If the EmitDNS=
1315           option is enabled but no servers configured, the servers are
1316           automatically propagated from an "uplink" interface that has
1317           appropriate servers set. The "uplink" interface is determined by
1318           the default route of the system with the highest priority. Note
1319           that this information is acquired at the time the lease is handed
1320           out, and does not take uplink interfaces into account that acquire
1321           DNS or NTP server information at a later point. DNS server
1322           propagation does not take /etc/resolv.conf into account. Also, note
1323           that the leases are not refreshed if the uplink network
1324           configuration changes. To ensure clients regularly acquire the most
1325           current uplink DNS server information, it is thus advisable to
1326           shorten the DHCP lease time via MaxLeaseTimeSec= described above.
1327
1328       EmitNTP=, NTP=
1329           Similar to the EmitDNS= and DNS= settings described above, these
1330           settings configure whether and what NTP server information shall be
1331           emitted as part of the DHCP lease. The same syntax, propagation
1332           semantics and defaults apply as for EmitDNS= and DNS=.
1333
1334       EmitSIP=, SIP=
1335           Similar to the EmitDNS= and DNS= settings described above, these
1336           settings configure whether and what SIP server information shall be
1337           emitted as part of the DHCP lease. The same syntax, propagation
1338           semantics and defaults apply as for EmitDNS= and DNS=.
1339
1340       EmitRouter=
1341           Similar to the EmitDNS= setting described above, this setting
1342           configures whether the DHCP lease should contain the router option.
1343           The same syntax, propagation semantics and defaults apply as for
1344           EmitDNS=.
1345
1346       EmitTimezone=, Timezone=
1347           Takes a boolean. Configures whether the DHCP leases handed out to
1348           clients shall contain timezone information. Defaults to "yes". The
1349           Timezone= setting takes a timezone string (such as "Europe/Berlin"
1350           or "UTC") to pass to clients. If no explicit timezone is set, the
1351           system timezone of the local host is propagated, as determined by
1352           the /etc/localtime symlink.
1353
1354       SendOption=
1355           Send a raw option with value via DHCPv4 server. Takes a DHCP option
1356           number, data type and data ("option:type:value"). The option number
1357           is an integer in the range 1..254. The type takes one of "uint8",
1358           "uint16", "uint32", "ipv4address", or "string". Special characters
1359           in the data string may be escaped using C-style escapes[17]. This
1360           setting can be specified multiple times. If an empty string is
1361           specified, then all options specified earlier are cleared. Defaults
1362           to unset.
1363

[IPV6PREFIXDELEGATION] SECTION OPTIONS

1365       The "[IPv6PrefixDelegation]" section contains settings for sending IPv6
1366       Router Advertisements and whether to act as a router, if enabled via
1367       the IPv6PrefixDelegation= option described above. IPv6 network prefixes
1368       are defined with one or more "[IPv6Prefix]" sections.
1369
1370       Managed=, OtherInformation=
1371           Takes a boolean. Controls whether a DHCPv6 server is used to
1372           acquire IPv6 addresses on the network link when Managed= is set to
1373           "true" or if only additional network information can be obtained
1374           via DHCPv6 for the network link when OtherInformation= is set to
1375           "true". Both settings default to "false", which means that a DHCPv6
1376           server is not being used.
1377
1378       RouterLifetimeSec=
1379           Takes a timespan. Configures the IPv6 router lifetime in seconds.
1380           If set, this host also announces itself in Router Advertisements as
1381           an IPv6 router for the network link. When unset, the host is not
1382           acting as a router.
1383
1384       RouterPreference=
1385           Configures IPv6 router preference if RouterLifetimeSec= is
1386           non-zero. Valid values are "high", "medium" and "low", with
1387           "normal" and "default" added as synonyms for "medium" just to make
1388           configuration easier. See RFC 4191[15] for details. Defaults to
1389           "medium".
1390
1391       EmitDNS=, DNS=
1392           DNS= specifies a list of recursive DNS server IPv6 addresses that
1393           are distributed via Router Advertisement messages when EmitDNS= is
1394           true.  DNS= also takes special value "_link_local"; in that case
1395           the IPv6 link local address is distributed. If DNS= is empty, DNS
1396           servers are read from the "[Network]" section. If the "[Network]"
1397           section does not contain any DNS servers either, DNS servers from
1398           the uplink with the highest priority default route are used. When
1399           EmitDNS= is false, no DNS server information is sent in Router
1400           Advertisement messages.  EmitDNS= defaults to true.
1401
1402       EmitDomains=, Domains=
1403           A list of DNS search domains distributed via Router Advertisement
1404           messages when EmitDomains= is true. If Domains= is empty, DNS
1405           search domains are read from the "[Network]" section. If the
1406           "[Network]" section does not contain any DNS search domains either,
1407           DNS search domains from the uplink with the highest priority
1408           default route are used. When EmitDomains= is false, no DNS search
1409           domain information is sent in Router Advertisement messages.
1410           EmitDomains= defaults to true.
1411
1412       DNSLifetimeSec=
1413           Lifetime in seconds for the DNS server addresses listed in DNS= and
1414           search domains listed in Domains=.
1415

[IPV6PREFIX] SECTION OPTIONS

1417       One or more "[IPv6Prefix]" sections contain the IPv6 prefixes that are
1418       announced via Router Advertisements. See RFC 4861[20] for further
1419       details.
1420
1421       AddressAutoconfiguration=, OnLink=
1422           Takes a boolean to specify whether IPv6 addresses can be
1423           autoconfigured with this prefix and whether the prefix can be used
1424           for onlink determination. Both settings default to "true" in order
1425           to ease configuration.
1426
1427       Prefix=
1428           The IPv6 prefix that is to be distributed to hosts. Similarly to
1429           configuring static IPv6 addresses, the setting is configured as an
1430           IPv6 prefix and its prefix length, separated by a "/" character.
1431           Use multiple "[IPv6Prefix]" sections to configure multiple IPv6
1432           prefixes since prefix lifetimes, address autoconfiguration and
1433           onlink status may differ from one prefix to another.
1434
1435       PreferredLifetimeSec=, ValidLifetimeSec=
1436           Preferred and valid lifetimes for the prefix measured in seconds.
1437           PreferredLifetimeSec= defaults to 604800 seconds (one week) and
1438           ValidLifetimeSec= defaults to 2592000 seconds (30 days).
1439

[IPV6ROUTEPREFIX] SECTION OPTIONS

1441       One or more "[IPv6RoutePrefix]" sections contain the IPv6 prefix routes
1442       that are announced via Router Advertisements. See RFC 4191[15] for
1443       further details.
1444
1445       Route=
1446           The IPv6 route that is to be distributed to hosts. Similarly to
1447           configuring static IPv6 routes, the setting is configured as an
1448           IPv6 prefix routes and its prefix route length, separated by a"/"
1449           character. Use multiple "[IPv6PrefixRoutes]" sections to configure
1450           multiple IPv6 prefix routes.
1451
1452       LifetimeSec=
1453           Lifetime for the route prefix measured in seconds.  LifetimeSec=
1454           defaults to 604800 seconds (one week).
1455

[BRIDGE] SECTION OPTIONS

1457       The "[Bridge]" section accepts the following keys.
1458
1459       UnicastFlood=
1460           Takes a boolean. Controls whether the bridge should flood traffic
1461           for which an FDB entry is missing and the destination is unknown
1462           through this port. When unset, the kernel's default will be used.
1463
1464       MulticastFlood=
1465           Takes a boolean. Controls whether the bridge should flood traffic
1466           for which an MDB entry is missing and the destination is unknown
1467           through this port. When unset, the kernel's default will be used.
1468
1469       MulticastToUnicast=
1470           Takes a boolean. Multicast to unicast works on top of the multicast
1471           snooping feature of the bridge. Which means unicast copies are only
1472           delivered to hosts which are interested in it. When unset, the
1473           kernel's default will be used.
1474
1475       NeighborSuppression=
1476           Takes a boolean. Configures whether ARP and ND neighbor suppression
1477           is enabled for this port. When unset, the kernel's default will be
1478           used.
1479
1480       Learning=
1481           Takes a boolean. Configures whether MAC address learning is enabled
1482           for this port. When unset, the kernel's default will be used.
1483
1484       HairPin=
1485           Takes a boolean. Configures whether traffic may be sent back out of
1486           the port on which it was received. When this flag is false, and the
1487           bridge will not forward traffic back out of the receiving port.
1488           When unset, the kernel's default will be used.
1489
1490       UseBPDU=
1491           Takes a boolean. Configures whether STP Bridge Protocol Data Units
1492           will be processed by the bridge port. When unset, the kernel's
1493           default will be used.
1494
1495       FastLeave=
1496           Takes a boolean. This flag allows the bridge to immediately stop
1497           multicast traffic on a port that receives an IGMP Leave message. It
1498           is only used with IGMP snooping if enabled on the bridge. When
1499           unset, the kernel's default will be used.
1500
1501       AllowPortToBeRoot=
1502           Takes a boolean. Configures whether a given port is allowed to
1503           become a root port. Only used when STP is enabled on the bridge.
1504           When unset, the kernel's default will be used.
1505
1506       ProxyARP=
1507           Takes a boolean. Configures whether proxy ARP to be enabled on this
1508           port. When unset, the kernel's default will be used.
1509
1510       ProxyARPWiFi=
1511           Takes a boolean. Configures whether proxy ARP to be enabled on this
1512           port which meets extended requirements by IEEE 802.11 and Hotspot
1513           2.0 specifications. When unset, the kernel's default will be used.
1514
1515       MulticastRouter=
1516           Configures this port for having multicast routers attached. A port
1517           with a multicast router will receive all multicast traffic. Takes
1518           one of "no" to disable multicast routers on this port, "query" to
1519           let the system detect the presence of routers, "permanent" to
1520           permanently enable multicast traffic forwarding on this port, or
1521           "temporary" to enable multicast routers temporarily on this port,
1522           not depending on incoming queries. When unset, the kernel's default
1523           will be used.
1524
1525       Cost=
1526           Sets the "cost" of sending packets of this interface. Each port in
1527           a bridge may have a different speed and the cost is used to decide
1528           which link to use. Faster interfaces should have lower costs. It is
1529           an integer value between 1 and 65535.
1530
1531       Priority=
1532           Sets the "priority" of sending packets on this interface. Each port
1533           in a bridge may have a different priority which is used to decide
1534           which link to use. Lower value means higher priority. It is an
1535           integer value between 0 to 63. Networkd does not set any default,
1536           meaning the kernel default value of 32 is used.
1537

[BRIDGEFDB] SECTION OPTIONS

1539       The "[BridgeFDB]" section manages the forwarding database table of a
1540       port and accepts the following keys. Specify several "[BridgeFDB]"
1541       sections to configure several static MAC table entries.
1542
1543       MACAddress=
1544           As in the "[Network]" section. This key is mandatory.
1545
1546       Destination=
1547           Takes an IP address of the destination VXLAN tunnel endpoint.
1548
1549       VLANId=
1550           The VLAN ID for the new static MAC table entry. If omitted, no VLAN
1551           ID information is appended to the new static MAC table entry.
1552
1553       VNI=
1554           The VXLAN Network Identifier (or VXLAN Segment ID) to use to
1555           connect to the remote VXLAN tunnel endpoint. Takes a number in the
1556           range 1-16777215. Defaults to unset.
1557
1558       AssociatedWith=
1559           Specifies where the address is associated with. Takes one of "use",
1560           "self", "master" or "router".  "use" means the address is in use.
1561           User space can use this option to indicate to the kernel that the
1562           fdb entry is in use.  "self" means the address is associated with
1563           the port drivers fdb. Usually hardware.  "master" means the address
1564           is associated with master devices fdb.  "router" means the
1565           destination address is associated with a router. Note that it's
1566           valid if the referenced device is a VXLAN type device and has route
1567           shortcircuit enabled. Defaults to "self".
1568

[CAN] SECTION OPTIONS

1570       The "[CAN]" section manages the Controller Area Network (CAN bus) and
1571       accepts the following keys.
1572
1573       BitRate=
1574           The bitrate of CAN device in bits per second. The usual SI prefixes
1575           (K, M) with the base of 1000 can be used here.
1576
1577       SamplePoint=
1578           Optional sample point in percent with one decimal (e.g.  "75%",
1579           "87.5%") or permille (e.g.  "875‰").
1580
1581       RestartSec=
1582           Automatic restart delay time. If set to a non-zero value, a restart
1583           of the CAN controller will be triggered automatically in case of a
1584           bus-off condition after the specified delay time. Subsecond delays
1585           can be specified using decimals (e.g.  "0.1s") or a "ms" or "us"
1586           postfix. Using "infinity" or "0" will turn the automatic restart
1587           off. By default automatic restart is disabled.
1588
1589       TripleSampling=
1590           Takes a boolean. When "yes", three samples (instead of one) are
1591           used to determine the value of a received bit by majority rule.
1592           When unset, the kernel's default will be used.
1593

[QDISC] SECTION OPTIONS

1595       The "[QDisc]" section manages the traffic control queueing discipline
1596       (qdisc).
1597
1598       Parent=
1599           Specifies the parent Queueing Discipline (qdisc). Takes one of
1600           "clsact" or "ingress". This is mandatory.
1601
1602       Handle=
1603           Specifies the major number of unique identifier of the qdisc, known
1604           as the handle. Takes a number in hexadecimal ranges 1 to ffff.
1605           Defaults to unset.
1606

[NETWORKEMULATOR] SECTION OPTIONS

1608       The "[NetworkEmulator]" section manages the queueing discipline (qdisc)
1609       of the network emulator. It can be used to configure the kernel packet
1610       scheduler and simulate packet delay and loss for UDP or TCP
1611       applications, or limit the bandwidth usage of a particular service to
1612       simulate internet connections.
1613
1614       Parent=
1615           Specifies the parent Queueing Discipline (qdisc). Takes one of
1616           "root", "clsact" or "ingress". Defaults to "root".
1617
1618       Handle=
1619           Specifies the major number of unique identifier of the qdisc, known
1620           as the handle. Takes a number in hexadecimal ranges 1 to ffff.
1621           Defaults to unset.
1622
1623       DelaySec=
1624           Specifies the fixed amount of delay to be added to all packets
1625           going out of the interface. Defaults to unset.
1626
1627       DelayJitterSec=
1628           Specifies the chosen delay to be added to the packets outgoing to
1629           the network interface. Defaults to unset.
1630
1631       PacketLimit=
1632           Specifies the maximum number of packets the qdisc may hold queued
1633           at a time. An unsigned integer ranges 0 to 4294967294. Defaults to
1634           1000.
1635
1636       LossRate=
1637           Specifies an independent loss probability to be added to the
1638           packets outgoing from the network interface. Takes a percentage
1639           value, suffixed with "%". Defaults to unset.
1640
1641       DuplicateRate=
1642           Specifies that the chosen percent of packets is duplicated before
1643           queuing them. Takes a percentage value, suffixed with "%". Defaults
1644           to unset.
1645

[TOKENBUCKETFILTER] SECTION OPTIONS

1647       The "[TokenBucketFilter]" section manages the queueing discipline
1648       (qdisc) of token bucket filter (tbf).
1649
1650       Parent=
1651           Specifies the parent Queueing Discipline (qdisc). Takes one of
1652           "root", "clsact" or "ingress". Defaults to "root".
1653
1654       Handle=
1655           Specifies the major number of unique identifier of the qdisc, known
1656           as the handle. Takes a number in hexadecimal ranges 1 to ffff.
1657           Defaults to unset.
1658
1659       LatencySec=
1660           Specifies the latency parameter, which specifies the maximum amount
1661           of time a packet can sit in the Token Bucket Filter (TBF). Defaults
1662           to unset.
1663
1664       LimitSize=
1665           Takes the number of bytes that can be queued waiting for tokens to
1666           become available. When the size is suffixed with K, M, or G, it is
1667           parsed as Kilobytes, Megabytes, or Gigabytes, respectively, to the
1668           base of 1000. Defaults to unset.
1669
1670       Burst=
1671           Specifies the size of the bucket. This is the maximum amount of
1672           bytes that tokens can be available for instantaneous transfer. When
1673           the size is suffixed with K, M, or G, it is parsed as Kilobytes,
1674           Megabytes, or Gigabytes, respectively, to the base of 1000.
1675           Defaults to unset.
1676
1677       Rate=
1678           Specifies the device specific bandwidth. When suffixed with K, M,
1679           or G, the specified bandwidth is parsed as Kilobits, Megabits, or
1680           Gigabits, respectively, to the base of 1000. Defaults to unset.
1681
1682       MPUBytes=
1683           The Minimum Packet Unit (MPU) determines the minimal token usage
1684           (specified in bytes) for a packet. When suffixed with K, M, or G,
1685           the specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
1686           respectively, to the base of 1000. Defaults to zero.
1687
1688       PeakRate=
1689           Takes the maximum depletion rate of the bucket. When suffixed with
1690           K, M, or G, the specified size is parsed as Kilobits, Megabits, or
1691           Gigabits, respectively, to the base of 1000. Defaults to unset.
1692
1693       MTUBytes=
1694           Specifies the size of the peakrate bucket. When suffixed with K, M,
1695           or G, the specified size is parsed as Kilobytes, Megabytes, or
1696           Gigabytes, respectively, to the base of 1000. Defaults to unset.
1697

[STOCHASTICFAIRNESSQUEUEING] SECTION OPTIONS

1699       The "[StochasticFairnessQueueing]" section manages the queueing
1700       discipline (qdisc) of stochastic fairness queueing (sfq).
1701
1702       Parent=
1703           Specifies the parent Queueing Discipline (qdisc). Takes one of
1704           "root", "clsact" or "ingress". Defaults to "root".
1705
1706       Handle=
1707           Specifies the major number of unique identifier of the qdisc, known
1708           as the handle. Takes a number in hexadecimal ranges 1 to ffff.
1709           Defaults to unset.
1710
1711       PerturbPeriodSec=
1712           Specifies the interval in seconds for queue algorithm perturbation.
1713           Defaults to unset.
1714

[CONTROLLEDDELAY] SECTION OPTIONS

1716       The "[ControlledDelay]" section manages the queueing discipline (qdisc)
1717       of controlled delay (CoDel).
1718
1719       Parent=
1720           Specifies the parent Queueing Discipline (qdisc). Takes one of
1721           "root", "clsact" or "ingress". Defaults to "root".
1722
1723       Handle=
1724           Specifies the major number of unique identifier of the qdisc, known
1725           as the handle. Takes a number in hexadecimal ranges 1 to ffff.
1726           Defaults to unset.
1727
1728       PacketLimit=
1729           Specifies the hard limit on the queue size in number of packets.
1730           When this limit is reached, incoming packets are dropped. An
1731           unsigned integer ranges 0 to 4294967294. Defaults to unset and
1732           kernel's default is used.
1733
1734       TargetSec=
1735           Takes a timespan. Specifies the acceptable minimum
1736           standing/persistent queue delay. Defaults to unset and kernel's
1737           default is used.
1738
1739       IntervalSec=
1740           Takes a timespan. This is used to ensure that the measured minimum
1741           delay does not become too stale. Defaults to unset and kernel's
1742           default is used.
1743
1744       ECN=
1745           Takes a boolean. This can be used to mark packets instead of
1746           dropping them. Defaults to unset and kernel's default is used.
1747
1748       CEThresholdSec=
1749           Takes a timespan. This sets a threshold above which all packets are
1750           marked with ECN Congestion Experienced (CE). Defaults to unset and
1751           kernel's default is used.
1752

[FAIRQUEUEINGCONTROLLEDDELAY] SECTION OPTIONS

1754       The "[FairQueueingControlledDelay]" section manages the queueing
1755       discipline (qdisc) of fair queuing controlled delay (FQ-CoDel).
1756
1757       Parent=
1758           Specifies the parent Queueing Discipline (qdisc). Takes one of
1759           "root", "clsact" or "ingress". Defaults to "root".
1760
1761       Handle=
1762           Specifies the major number of unique identifier of the qdisc, known
1763           as the handle. Takes a number in hexadecimal ranges 1 to ffff.
1764           Defaults to unset.
1765
1766       PacketLimit=
1767           Specifies the hard limit on the real queue size. When this limit is
1768           reached, incoming packets are dropped. Defaults to unset and
1769           kernel's default is used.
1770
1771       MemoryLimit=
1772           Specifies the limit on the total number of bytes that can be queued
1773           in this FQ-CoDel instance. When suffixed with K, M, or G, the
1774           specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
1775           respectively, to the base of 1024. Defaults to unset and kernel's
1776           default is used.
1777
1778       Flows=
1779           Specifies the number of flows into which the incoming packets are
1780           classified. Defaults to unset and kernel's default is used.
1781
1782       TargetSec=
1783           Takes a timespan. Specifies the acceptable minimum
1784           standing/persistent queue delay. Defaults to unset and kernel's
1785           default is used.
1786
1787       IntervalSec=
1788           Takes a timespan. This is used to ensure that the measured minimum
1789           delay does not become too stale. Defaults to unset and kernel's
1790           default is used.
1791
1792       Quantum=
1793           Specifies the number of bytes used as 'deficit' in the fair queuing
1794           algorithmtimespan. When suffixed with K, M, or G, the specified
1795           size is parsed as Kilobytes, Megabytes, or Gigabytes, respectively,
1796           to the base of 1024. Defaults to unset and kernel's default is
1797           used.
1798
1799       ECN=
1800           Takes a boolean. This can be used to mark packets instead of
1801           dropping them. Defaults to unset and kernel's default is used.
1802
1803       CEThresholdSec=
1804           Takes a timespan. This sets a threshold above which all packets are
1805           marked with ECN Congestion Experienced (CE). Defaults to unset and
1806           kernel's default is used.
1807

[FAIRQUEUEING] SECTION OPTIONS

1809       The "[FairQueueing]" section manages the queueing discipline (qdisc) of
1810       fair queue traffic policing (FQ).
1811
1812       Parent=
1813           Specifies the parent Queueing Discipline (qdisc). Takes one of
1814           "root", "clsact" or "ingress". Defaults to "root".
1815
1816       Handle=
1817           Specifies the major number of unique identifier of the qdisc, known
1818           as the handle. Takes a number in hexadecimal ranges 1 to ffff.
1819           Defaults to unset.
1820
1821       PacketLimit=
1822           Specifies the hard limit on the real queue size. When this limit is
1823           reached, incoming packets are dropped. Defaults to unset and
1824           kernel's default is used.
1825
1826       FlowLimit=
1827           Specifies the hard limit on the maximum number of packets queued
1828           per flow. Defaults to unset and kernel's default is used.
1829
1830       Quantum=
1831           Specifies the credit per dequeue RR round, i.e. the amount of bytes
1832           a flow is allowed to dequeue at once. When suffixed with K, M, or
1833           G, the specified size is parsed as Kilobytes, Megabytes, or
1834           Gigabytes, respectively, to the base of 1024. Defaults to unset and
1835           kernel's default is used.
1836
1837       InitialQuantum=
1838           Specifies the initial sending rate credit, i.e. the amount of bytes
1839           a new flow is allowed to dequeue initially. When suffixed with K,
1840           M, or G, the specified size is parsed as Kilobytes, Megabytes, or
1841           Gigabytes, respectively, to the base of 1024. Defaults to unset and
1842           kernel's default is used.
1843
1844       MaximumRate=
1845           Specifies the maximum sending rate of a flow. When suffixed with K,
1846           M, or G, the specified size is parsed as Kilobits, Megabits, or
1847           Gigabits, respectively, to the base of 1000. Defaults to unset and
1848           kernel's default is used.
1849
1850       Buckets=
1851           Specifies the size of the hash table used for flow lookups.
1852           Defaults to unset and kernel's default is used.
1853
1854       OrphanMask=
1855           Takes an unsigned integer. For packets not owned by a socket, fq is
1856           able to mask a part of hash and reduce number of buckets associated
1857           with the traffic. Defaults to unset and kernel's default is used.
1858
1859       Pacing=
1860           Takes a boolean, and enables or disables flow pacing. Defaults to
1861           unset and kernel's default is used.
1862
1863       CEThresholdSec=
1864           Takes a timespan. This sets a threshold above which all packets are
1865           marked with ECN Congestion Experienced (CE). Defaults to unset and
1866           kernel's default is used.
1867

[TRIVIALLINKEQUALIZER] SECTION OPTIONS

1869       The "[TrivialLinkEqualizer]" section manages the queueing discipline
1870       (qdisc) of trivial link equalizer (teql).
1871
1872       Parent=
1873           Specifies the parent Queueing Discipline (qdisc). Takes one of
1874           "root", "clsact" or "ingress". Defaults to "root".
1875
1876       Handle=
1877           Specifies the major number of unique identifier of the qdisc, known
1878           as the handle. Takes a number in hexadecimal ranges 1 to ffff.
1879           Defaults to unset.
1880
1881       Id=
1882           Specifies the interface ID "N" of teql. Defaults to "0". Note that
1883           when teql is used, currently, the module sch_teql with
1884           max_equalizers=N+1 option must be loaded before systemd-networkd is
1885           started.
1886

[BRIDGEVLAN] SECTION OPTIONS

1888       The "[BridgeVLAN]" section manages the VLAN ID configuration of a
1889       bridge port and accepts the following keys. Specify several
1890       "[BridgeVLAN]" sections to configure several VLAN entries. The
1891       VLANFiltering= option has to be enabled, see "[Bridge]" section in
1892       systemd.netdev(5).
1893
1894       VLAN=
1895           The VLAN ID allowed on the port. This can be either a single ID or
1896           a range M-N. VLAN IDs are valid from 1 to 4094.
1897
1898       EgressUntagged=
1899           The VLAN ID specified here will be used to untag frames on egress.
1900           Configuring EgressUntagged= implicates the use of VLAN= above and
1901           will enable the VLAN ID for ingress as well. This can be either a
1902           single ID or a range M-N.
1903
1904       PVID=
1905           The Port VLAN ID specified here is assigned to all untagged frames
1906           at ingress.  PVID= can be used only once. Configuring PVID=
1907           implicates the use of VLAN= above and will enable the VLAN ID for
1908           ingress as well.
1909

EXAMPLES

1911       Example 1. Static network configuration
1912
1913           # /etc/systemd/network/50-static.network
1914           [Match]
1915           Name=enp2s0
1916
1917           [Network]
1918           Address=192.168.0.15/24
1919           Gateway=192.168.0.1
1920
1921       This brings interface "enp2s0" up with a static address. The specified
1922       gateway will be used for a default route.
1923
1924       Example 2. DHCP on ethernet links
1925
1926           # /etc/systemd/network/80-dhcp.network
1927           [Match]
1928           Name=en*
1929
1930           [Network]
1931           DHCP=yes
1932
1933       This will enable DHCPv4 and DHCPv6 on all interfaces with names
1934       starting with "en" (i.e. ethernet interfaces).
1935
1936       Example 3. IPv6 Prefix Delegation
1937
1938           # /etc/systemd/network/55-ipv6-pd-upstream.network
1939           [Match]
1940           Name=enp1s0
1941
1942           [Network]
1943           DHCP=ipv6
1944
1945           # /etc/systemd/network/56-ipv6-pd-downstream.network
1946           [Match]
1947           Name=enp2s0
1948
1949           [Network]
1950           IPv6PrefixDelegation=dhcpv6
1951
1952       This will enable IPv6 PD on the interface enp1s0 as an upstream
1953       interface where the DHCPv6 client is running and enp2s0 as a downstream
1954       interface where the prefix is delegated to.
1955
1956       Example 4. A bridge with two enslaved links
1957
1958           # /etc/systemd/network/25-bridge-static.network
1959           [Match]
1960           Name=bridge0
1961
1962           [Network]
1963           Address=192.168.0.15/24
1964           Gateway=192.168.0.1
1965           DNS=192.168.0.1
1966
1967           # /etc/systemd/network/25-bridge-slave-interface-1.network
1968           [Match]
1969           Name=enp2s0
1970
1971           [Network]
1972           Bridge=bridge0
1973
1974           # /etc/systemd/network/25-bridge-slave-interface-2.network
1975           [Match]
1976           Name=wlp3s0
1977
1978           [Network]
1979           Bridge=bridge0
1980
1981       This creates a bridge and attaches devices "enp2s0" and "wlp3s0" to it.
1982       The bridge will have the specified static address and network assigned,
1983       and a default route via the specified gateway will be added. The
1984       specified DNS server will be added to the global list of DNS resolvers.
1985
1986       Example 5.
1987
1988           # /etc/systemd/network/20-bridge-slave-interface-vlan.network
1989           [Match]
1990           Name=enp2s0
1991
1992           [Network]
1993           Bridge=bridge0
1994
1995           [BridgeVLAN]
1996           VLAN=1-32
1997           PVID=42
1998           EgressUntagged=42
1999
2000           [BridgeVLAN]
2001           VLAN=100-200
2002
2003           [BridgeVLAN]
2004           EgressUntagged=300-400
2005
2006       This overrides the configuration specified in the previous example for
2007       the interface "enp2s0", and enables VLAN on that bridge port. VLAN IDs
2008       1-32, 42, 100-400 will be allowed. Packets tagged with VLAN IDs 42,
2009       300-400 will be untagged when they leave on this interface. Untagged
2010       packets which arrive on this interface will be assigned VLAN ID 42.
2011
2012       Example 6. Various tunnels
2013
2014           /etc/systemd/network/25-tunnels.network
2015           [Match]
2016           Name=ens1
2017
2018           [Network]
2019           Tunnel=ipip-tun
2020           Tunnel=sit-tun
2021           Tunnel=gre-tun
2022           Tunnel=vti-tun
2023
2024
2025           /etc/systemd/network/25-tunnel-ipip.netdev
2026           [NetDev]
2027           Name=ipip-tun
2028           Kind=ipip
2029
2030
2031           /etc/systemd/network/25-tunnel-sit.netdev
2032           [NetDev]
2033           Name=sit-tun
2034           Kind=sit
2035
2036
2037           /etc/systemd/network/25-tunnel-gre.netdev
2038           [NetDev]
2039           Name=gre-tun
2040           Kind=gre
2041
2042
2043           /etc/systemd/network/25-tunnel-vti.netdev
2044           [NetDev]
2045           Name=vti-tun
2046           Kind=vti
2047
2048
2049       This will bring interface "ens1" up and create an IPIP tunnel, a SIT
2050       tunnel, a GRE tunnel, and a VTI tunnel using it.
2051
2052       Example 7. A bond device
2053
2054           # /etc/systemd/network/30-bond1.network
2055           [Match]
2056           Name=bond1
2057
2058           [Network]
2059           DHCP=ipv6
2060
2061           # /etc/systemd/network/30-bond1.netdev
2062           [NetDev]
2063           Name=bond1
2064           Kind=bond
2065
2066           # /etc/systemd/network/30-bond1-dev1.network
2067           [Match]
2068           MACAddress=52:54:00:e9:64:41
2069
2070           [Network]
2071           Bond=bond1
2072
2073           # /etc/systemd/network/30-bond1-dev2.network
2074           [Match]
2075           MACAddress=52:54:00:e9:64:42
2076
2077           [Network]
2078           Bond=bond1
2079
2080       This will create a bond device "bond1" and enslave the two devices with
2081       MAC addresses 52:54:00:e9:64:41 and 52:54:00:e9:64:42 to it. IPv6 DHCP
2082       will be used to acquire an address.
2083
2084       Example 8. Virtual Routing and Forwarding (VRF)
2085
2086       Add the "bond1" interface to the VRF master interface "vrf1". This will
2087       redirect routes generated on this interface to be within the routing
2088       table defined during VRF creation. For kernels before 4.8 traffic won't
2089       be redirected towards the VRFs routing table unless specific ip-rules
2090       are added.
2091
2092           # /etc/systemd/network/25-vrf.network
2093           [Match]
2094           Name=bond1
2095
2096           [Network]
2097           VRF=vrf1
2098
2099       Example 9. MacVTap
2100
2101       This brings up a network interface "macvtap-test" and attaches it to
2102       "enp0s25".
2103
2104           # /usr/lib/systemd/network/25-macvtap.network
2105           [Match]
2106           Name=enp0s25
2107
2108           [Network]
2109           MACVTAP=macvtap-test
2110
2111       Example 10. A Xfrm interface with physical underlying device.
2112
2113           # /etc/systemd/network/27-xfrm.netdev
2114           [NetDev]
2115           Name=xfrm0
2116
2117           [Xfrm]
2118           InterfaceId=7
2119
2120           # /etc/systemd/network/27-eth0.network
2121           [Match]
2122           Name=eth0
2123
2124           [Network]
2125           Xfrm=xfrm0
2126
2127       This creates a "xfrm0" interface and binds it to the "eth0" device.
2128       This allows hardware based ipsec offloading to the "eth0" nic. If
2129       offloading is not needed, xfrm interfaces can be assigned to the "lo"
2130       device.
2131

SEE ALSO

2133       systemd(1), systemd-networkd.service(8), systemd.link(5),
2134       systemd.netdev(5), systemd-resolved.service(8)
2135

NOTES

2137        1. RFC 7217
2138           https://tools.ietf.org/html/rfc7217
2139
2140        2. Link-Local Multicast Name Resolution
2141           https://tools.ietf.org/html/rfc4795
2142
2143        3. Multicast DNS
2144           https://tools.ietf.org/html/rfc6762
2145
2146        4. DNS-over-TLS
2147           https://tools.ietf.org/html/rfc7858
2148
2149        5. DNSSEC
2150           https://tools.ietf.org/html/rfc4033
2151
2152        6. IEEE 802.1AB-2016
2153           https://standards.ieee.org/findstds/standard/802.1AB-2016.html
2154
2155        7. ip-sysctl.txt
2156           https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
2157
2158        8. RFC 4941
2159           https://tools.ietf.org/html/rfc4941
2160
2161        9. RFC 1027
2162           https://tools.ietf.org/html/rfc1027
2163
2164       10. RFC 6275
2165           https://tools.ietf.org/html/rfc6275
2166
2167       11. RFC 5224
2168           https://tools.ietf.org/html/rfc5227
2169
2170       12. RFC 4862
2171           https://tools.ietf.org/html/rfc4862
2172
2173       13. RFC 3041
2174           https://tools.ietf.org/html/rfc3041
2175
2176       14. RFC 3484
2177           https://tools.ietf.org/html/rfc3484
2178
2179       15. RFC4191
2180           https://tools.ietf.org/html/rfc4191
2181
2182       16. RFC 7844
2183           https://tools.ietf.org/html/rfc7844
2184
2185       17. C-style escapes
2186           https://en.wikipedia.org/wiki/Escape_sequences_in_C#Table_of_escape_sequences
2187
2188       18. RFC 3315
2189           https://tools.ietf.org/html/rfc3315#section-17.2.1
2190
2191       19. RFC 7084
2192           https://tools.ietf.org/html/rfc7084
2193
2194       20. RFC 4861
2195           https://tools.ietf.org/html/rfc4861
2196
2197
2198
2199systemd 245                                                 SYSTEMD.NETWORK(5)
Impressum