IP-LINK(8)                           Linux                          IP-LINK(8)

NAME

       ip-link - network device configuration

SYNOPSIS

       ip link  { COMMAND | help }

       ip link add [ link DEVICE ] [ name ] NAME
               [ txqueuelen PACKETS ]
               [ address LLADDR ] [ broadcast LLADDR ]
               [ mtu MTU ] [ index IDX ]
               [ numtxqueues QUEUE_COUNT ] [ numrxqueues QUEUE_COUNT ]
               [ gso_max_size BYTES ] [ gso_max_segs SEGMENTS ]
               type TYPE [ ARGS ]

       ip link delete { DEVICE | group GROUP } type TYPE [ ARGS ]

       ip link set { DEVICE | group GROUP }
               [ { up | down } ]
               [ type ETYPE TYPE_ARGS ]
               [ arp { on | off } ]
               [ dynamic { on | off } ]
               [ multicast { on | off } ]
               [ allmulticast { on | off } ]
               [ promisc { on | off } ]
               [ protodown { on | off } ]
               [ trailers { on | off } ]
               [ txqueuelen PACKETS ]
               [ name NEWNAME ]
               [ address LLADDR ]
               [ broadcast LLADDR ]
               [ mtu MTU ]
               [ netns { PID | NETNSNAME } ]
               [ link-netnsid ID ]
               [ alias NAME ]
               [ vf NUM [ mac LLADDR ]
                        [ VFVLAN-LIST ]
                        [ rate TXRATE ]
                        [ max_tx_rate TXRATE ]
                        [ min_tx_rate TXRATE ]
                        [ spoofchk { on | off } ]
                        [ query_rss { on | off } ]
                        [ state { auto | enable | disable } ]
                        [ trust { on | off } ]
                        [ node_guid eui64 ]
                        [ port_guid eui64 ] ]
               [ { xdp | xdpgeneric | xdpdrv | xdpoffload } { off |
                       object FILE [ section NAME ] [ verbose ] |
                       pinned FILE } ]
               [ master DEVICE ]
               [ nomaster ]
               [ vrf NAME ]
               [ addrgenmode { eui64 | none | stable_secret | random } ]
               [ macaddr [ MACADDR ]
                         [ { flush | add | del } MACADDR ]
                         [ set MACADDR ] ]

       ip link show [ DEVICE | group GROUP ] [ up ] [ master DEVICE ]
               [ type ETYPE ] [ vrf NAME ]

       ip link xstats type TYPE [ ARGS ]

       ip link afstats [ dev DEVICE ]

       ip link help [ TYPE ]

       TYPE := [ bridge | bond | can | dummy | hsr | ifb | ipoib |
               macvlan | macvtap | vcan | vxcan | veth | vlan |
               vxlan | ip6tnl | ipip | sit | gre | gretap | erspan |
               ip6gre | ip6gretap | ip6erspan | vti | nlmon | ipvlan |
               ipvtap | lowpan | geneve | bareudp | vrf | macsec |
               netdevsim | rmnet | xfrm ]

       ETYPE := [ TYPE | bridge_slave | bond_slave ]

       VFVLAN-LIST := [ VFVLAN-LIST ] VFVLAN

       VFVLAN := [ vlan VLANID [ qos VLAN-QOS ] [ proto VLAN-PROTO ] ]

       ip link property add [ altname NAME .. ]

       ip link property del [ altname NAME .. ]

DESCRIPTION

   ip link add - add virtual link
       link DEVICE
              specifies the physical device to operate on.

              NAME specifies the name of the new virtual device.

              TYPE specifies the type of the new device.

              Link types:

                      bridge - Ethernet Bridge device

                      bond - Bonding device

                      dummy - Dummy network interface

                      hsr - High-availability Seamless Redundancy device

                      ifb - Intermediate Functional Block device

                      ipoib - IP over Infiniband device

                      macvlan - Virtual interface based on link layer address
                      (MAC)

                      macvtap - Virtual interface based on link layer address
                      (MAC) and TAP.

                      vcan - Virtual Controller Area Network interface

                      vxcan - Virtual Controller Area Network tunnel interface

                      veth - Virtual ethernet interface

                      vlan - 802.1q tagged virtual LAN interface

                      vxlan - Virtual eXtended LAN

                      ip6tnl - Virtual tunnel interface IPv4|IPv6 over IPv6

                      ipip - Virtual tunnel interface IPv4 over IPv4

                      sit - Virtual tunnel interface IPv6 over IPv4

                      gre - Virtual tunnel interface GRE over IPv4

                      gretap - Virtual L2 tunnel interface GRE over IPv4

                      erspan - Encapsulated Remote SPAN over GRE and IPv4

                      ip6gre - Virtual tunnel interface GRE over IPv6

                      ip6gretap - Virtual L2 tunnel interface GRE over IPv6

                      ip6erspan - Encapsulated Remote SPAN over GRE and IPv6

                      vti - Virtual tunnel interface

                      nlmon - Netlink monitoring device

                      ipvlan - Interface for L3 (IPv6/IPv4) based VLANs

                      ipvtap - Interface for L3 (IPv6/IPv4) based VLANs and
                      TAP

                      lowpan - Interface for 6LoWPAN (IPv6) over IEEE 802.15.4
                      / Bluetooth

                      geneve - GEneric NEtwork Virtualization Encapsulation

                      bareudp - Bare UDP L3 encapsulation support

                      macsec - Interface for IEEE 802.1AE MAC Security
                      (MACsec)

                      vrf - Interface for L3 VRF domains

                      netdevsim - Interface for netdev API tests

                      rmnet - Qualcomm rmnet device

                      xfrm - Virtual xfrm interface

       numtxqueues QUEUE_COUNT
              specifies the number of transmit queues for the new device.

       numrxqueues QUEUE_COUNT
              specifies the number of receive queues for the new device.

       gso_max_size BYTES
              specifies the recommended maximum size of a Generic Segment
              Offload packet the new device should accept.

       gso_max_segs SEGMENTS
              specifies the recommended maximum number of Generic Segment
              Offload segments the new device should accept.

       index IDX
              specifies the desired index of the new virtual device. Link
              creation fails if the index is busy.

       VLAN Type Support
              For a link of type VLAN the following additional arguments are
              supported:

              ip link add link DEVICE name NAME type vlan [ protocol
              VLAN_PROTO ] id VLANID [ reorder_hdr { on | off } ] [ gvrp { on
              | off } ] [ mvrp { on | off } ] [ loose_binding { on | off } ] [
              bridge_binding { on | off } ] [ ingress-qos-map QOS-MAP ] [
              egress-qos-map QOS-MAP ]

                      protocol VLAN_PROTO - either 802.1Q or 802.1ad.

                      id VLANID - specifies the VLAN Identifier to use. Note
                      that numbers with a leading "0" or "0x" are interpreted
                      as octal or hexadecimal, respectively.

                      reorder_hdr { on | off } - specifies whether ethernet
                      headers are reordered or not (default is on).

                          If reorder_hdr is on, the VLAN header is not
                          inserted immediately but only just before the packet
                          is passed to the physical device (if that device
                          does not support VLAN offloading). The same applies
                          in the RX direction: by default the packet is
                          untagged before it is received by the VLAN device.
                          Reordering accelerates tagging on egress and hides
                          the VLAN header on ingress, so that the packet looks
                          like a regular Ethernet packet. It can, however, be
                          confusing for packet capture, because the VLAN
                          header does not exist within the packet.

                          VLAN offloading can be checked by ethtool(8):

                              ethtool -k <phy_dev> | grep tx-vlan-offload

                          where <phy_dev> is the physical device to which the
                          VLAN device is bound.

                      gvrp { on | off } - specifies whether this VLAN should
                      be registered using GARP VLAN Registration Protocol.

                      mvrp { on | off } - specifies whether this VLAN should
                      be registered using Multiple VLAN Registration Protocol.

                      loose_binding { on | off } - specifies whether the VLAN
                      device state is bound to the physical device state.

                      bridge_binding { on | off } - specifies whether the VLAN
                      device link state tracks the state of bridge ports that
                      are members of the VLAN.

                      ingress-qos-map QOS-MAP - defines a mapping of VLAN
                      header prio field to the Linux internal packet priority
                      on incoming frames. The format is FROM:TO with multiple
                      mappings separated by spaces.

                      egress-qos-map QOS-MAP - defines a mapping of Linux
                      internal packet priority to VLAN header prio field but
                      for outgoing frames. The format is the same as for
                      ingress-qos-map.

                          Linux packet priority can be set by iptables(8):

                              iptables -t mangle -A POSTROUTING [...] -j CLASSIFY --set-class 0:4

                          and this "4" priority can be used in the egress qos
                          mapping to set VLAN prio "5":

                              ip link set veth0.10 type vlan egress 4:5

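              The base rule for id VLANID above means a zero-padded ID such as
              0100 configures VLAN 64, not VLAN 100. The following is an added
              example, not part of the ip-link manual or of iproute2: a
              pre-flight check for provisioning scripts. The function names
              are hypothetical, and the accepted range 1..4094 is an
              assumption based on IEEE 802.1Q reserving IDs 0 and 4095.

```shell
#!/bin/sh
# Added example (not iproute2 code): resolve a VLAN ID literal the way the
# "id VLANID" note describes, and refuse spellings that are easy to misread.

# vlan_id_effective LITERAL -> prints the decimal ID that "id LITERAL" selects:
# leading "0x" is hexadecimal, any other leading "0" is octal, else decimal.
vlan_id_effective() {
    case $1 in
        0[xX])               return 1 ;;  # prefix without digits
        0[xX]*[!0-9a-fA-F]*) return 1 ;;  # junk after 0x
        0[xX]*)              ;;           # hexadecimal literal
        ''|*[!0-9]*)         return 1 ;;  # empty or not a number
        0*[89]*)             return 1 ;;  # 8 and 9 are not octal digits
    esac
    [ "${#1}" -le 8 ] || return 1         # keep shell arithmetic in range
    echo "$(( $1 ))"
}

# vlan_id_check LITERAL -> prints the ID and returns 0 only when LITERAL is
# plain decimal in 1..4094 (assumed usable range); otherwise explains why not.
vlan_id_check() {
    if ! eff=$(vlan_id_effective "$1"); then
        echo "rejected: '$1' is not a valid number" >&2
        return 1
    fi
    if [ "$eff" -lt 1 ] || [ "$eff" -gt 4094 ]; then
        echo "rejected: '$1' resolves to $eff, outside 1..4094" >&2
        return 1
    fi
    if [ "$eff" != "$1" ]; then
        echo "rejected: '$1' would configure VLAN $eff; write it as $eff" >&2
        return 1
    fi
    echo "$eff"
}
```

              Calling vlan_id_check before ip link add lets a script stop on
              0100 or 0x64 instead of silently binding the wrong VLAN.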
       VXLAN Type Support
              For a link of type VXLAN the following additional arguments are
              supported:

              ip link add DEVICE type vxlan id VNI [ dev PHYS_DEV  ] [ { group
              | remote } IPADDR ] [ local { IPADDR | any } ] [ ttl TTL ] [ tos
              TOS ] [ df DF ] [ flowlabel FLOWLABEL ] [ dstport PORT ] [
              srcport MIN MAX ] [ [no]learning ] [ [no]proxy ] [ [no]rsc ] [
              [no]l2miss ] [ [no]l3miss ] [ [no]udpcsum ] [ [no]udp6zerocsumtx
              ] [ [no]udp6zerocsumrx ] [ ageing SECONDS ] [ maxaddress NUMBER
              ] [ [no]external ] [ gbp ] [ gpe ]

                      id VNI - specifies the VXLAN Network Identifier (or
                      VXLAN Segment Identifier) to use.

                      dev PHYS_DEV - specifies the physical device to use for
                      tunnel endpoint communication.

                      group IPADDR - specifies the multicast IP address to
                      join.  This parameter cannot be specified with the
                      remote parameter.

                      remote IPADDR - specifies the unicast destination IP
                      address to use in outgoing packets when the destination
                      link layer address is not known in the VXLAN device
                      forwarding database. This parameter cannot be specified
                      with the group parameter.

                      local IPADDR - specifies the source IP address to use in
                      outgoing packets.

                      ttl TTL - specifies the TTL value to use in outgoing
                      packets.

                      tos TOS - specifies the TOS value to use in outgoing
                      packets.

                      df DF - specifies the usage of the Don't Fragment flag
                      (DF) bit in outgoing packets with IPv4 headers. The
                      value inherit causes the bit to be copied from the
                      original IP header. The values unset and set cause the
                      bit to be always unset or always set, respectively. By
                      default, the bit is not set.

                      flowlabel FLOWLABEL - specifies the flow label to use in
                      outgoing packets.

                      dstport PORT - specifies the UDP destination port to
                      communicate to the remote VXLAN tunnel endpoint.

                      srcport MIN MAX - specifies the range of port numbers to
                      use as UDP source ports to communicate to the remote
                      VXLAN tunnel endpoint.

                      [no]learning - specifies if unknown source link layer
                      addresses and IP addresses are entered into the VXLAN
                      device forwarding database.

                      [no]rsc - specifies if route short circuit is turned on.

                      [no]proxy - specifies if ARP proxy is turned on.

                      [no]l2miss - specifies if netlink LLADDR miss
                      notifications are generated.

                      [no]l3miss - specifies if netlink IP ADDR miss
                      notifications are generated.

                      [no]udpcsum - specifies if UDP checksum is calculated
                      for transmitted packets over IPv4.

                      [no]udp6zerocsumtx - skip UDP checksum calculation for
                      transmitted packets over IPv6.

                      [no]udp6zerocsumrx - allow incoming UDP packets over
                      IPv6 with zero checksum field.

                      ageing SECONDS - specifies the lifetime in seconds of
                      FDB entries learnt by the kernel.

                      maxaddress NUMBER - specifies the maximum number of FDB
                      entries.

                      [no]external - specifies whether an external control
                      plane (e.g. ip route encap) or the internal FDB should
                      be used.

                      gbp - enables the Group Policy extension (VXLAN-GBP).

                          Allows transporting group policy context across
                          VXLAN network peers.  If enabled, includes the mark
                          of a packet in the VXLAN header for outgoing packets
                          and fills the packet mark based on the information
                          found in the VXLAN header for incoming packets.

                          Format of upper 16 bits of packet mark (flags):

                            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                            |-|-|-|-|-|-|-|-|-|D|-|-|A|-|-|-|
                            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                            D := Don't Learn bit. When set, this bit indicates
                            that the egress VTEP MUST NOT learn the source
                            address of the encapsulated frame.

                            A := Indicates that the group policy has already
                            been applied to this packet. Policies MUST NOT be
                            applied by devices when the A bit is set.

                          Format of lower 16 bits of packet mark (policy ID):

                            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                            |        Group Policy ID        |
                            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                          Example:
                            iptables -A OUTPUT [...] -j MARK --set-mark 0x800FF

                      gpe - enables the Generic Protocol extension
                      (VXLAN-GPE). Currently, this is only supported together
                      with the external keyword.

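              The packet mark layout described under gbp above, as an added
              example that is not part of the ip-link manual or of iproute2:
              shell helpers that build and decode a VXLAN-GBP mark, reading
              the diagrams most-significant bit first, and that list which
              rules in a rule dump set the A bit. The function names and the
              sample rules are constructed; the rule lines assume
              iptables-save style output with a full mask.

```shell
#!/bin/sh
# Added example, not iproute2 code. Bit positions follow the gbp diagrams,
# read most-significant bit first within the 32-bit packet mark.
GBP_D_BIT=$((1 << 22))    # D (Don't Learn): 10th of the 16 flag bits
GBP_A_BIT=$((1 << 19))    # A (policy already applied): 13th of the 16 flag bits
GBP_ID_MASK=$((0xFFFF))   # lower 16 bits: Group Policy ID

# Constructed sample rules (documentation addresses), iptables-save style.
GBP_SAMPLE_RULES='-A OUTPUT -d 192.0.2.10/32 -j MARK --set-xmark 0x800ff/0xffffffff
-A OUTPUT -d 192.0.2.20/32 -j MARK --set-xmark 0x64/0xffffffff
-A OUTPUT -d 192.0.2.30/32 -j ACCEPT'

# gbp_encode ID [D] [A] -> prints the mark in hex.
# ID is plain decimal 0..65535; D and A are 0 or 1 (default 0).
gbp_encode() {
    case $1 in
        ''|*[!0-9]*|0?*|??????*)
            echo "gbp_encode: bad policy ID '$1'" >&2; return 1 ;;
    esac
    if [ "$1" -gt 65535 ]; then
        echo "gbp_encode: policy ID '$1' does not fit in 16 bits" >&2
        return 1
    fi
    case ${2:-0}${3:-0} in
        [01][01]) ;;
        *) echo "gbp_encode: D and A must be 0 or 1" >&2; return 1 ;;
    esac
    printf '0x%x\n' "$(( $1 | (${2:-0} * $GBP_D_BIT) | (${3:-0} * $GBP_A_BIT) ))"
}

# gbp_decode MARK -> prints "id=N D=0|1 A=0|1 undefined=0xH".
# MARK is 0x followed by 1 to 8 hex digits. "undefined" holds flag bits the
# diagram leaves unassigned; a non-zero value deserves a second look.
gbp_decode() {
    case $1 in
        0[xX]?*) hex=${1#0?} ;;
        *) echo "gbp_decode: expected a 0x-prefixed mark, got '$1'" >&2; return 1 ;;
    esac
    case $hex in
        *[!0-9a-fA-F]*|?????????*)
            echo "gbp_decode: bad mark '$1'" >&2; return 1 ;;
    esac
    mark=$((0x$hex))
    known=$(( $GBP_ID_MASK | $GBP_D_BIT | $GBP_A_BIT ))
    printf 'id=%d D=%d A=%d undefined=0x%x\n' \
        "$(( $mark & $GBP_ID_MASK ))" \
        "$(( ($mark & $GBP_D_BIT) != 0 ))" \
        "$(( ($mark & $GBP_A_BIT) != 0 ))" \
        "$(( $mark & ~$known ))"
}

# gbp_audit: read rules on stdin, print the decoded mark next to every rule
# that sets one, and return 1 if any rule sets the A bit (peers skip policy
# for such packets, so each of these rules should be intentional).
gbp_audit() {
    found=0
    while IFS= read -r rule; do
        case $rule in
            *--set-mark\ *)  val=${rule##*--set-mark } ;;
            *--set-xmark\ *) val=${rule##*--set-xmark } ;;
            *) continue ;;
        esac
        val=${val%%[ /]*}                 # drop "/mask" and trailing options
        dec=$(gbp_decode "$val" 2>/dev/null) || continue
        echo "$dec :: $rule"
        case $dec in *" A=1 "*) found=1 ;; esac
    done
    return "$found"
}
```

              Running printf '%s\n' "$GBP_SAMPLE_RULES" | gbp_audit prints the
              two marking rules with their decoded fields and returns 1
              because the first one sets the A bit.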
       VETH, VXCAN Type Support
              For a link of type VETH or VXCAN the following additional
              arguments are supported:

              ip link add DEVICE type { veth | vxcan } [ peer name NAME ]

                      peer name NAME - specifies the virtual pair device name
                      of the VETH/VXCAN tunnel.

       IPIP, SIT Type Support
              For a link of type IPIP or SIT the following additional
              arguments are supported:

              ip link add DEVICE type { ipip | sit }  remote ADDR local ADDR [
              encap { fou | gue | none } ] [ encap-sport { PORT | auto } ] [
              encap-dport PORT ] [ [no]encap-csum ] [  [no]encap-remcsum ] [
              mode  { ip6ip | ipip | mplsip | any } ] [ external ]

                      remote ADDR - specifies the remote address of the
                      tunnel.

                      local ADDR - specifies the fixed local address for
                      tunneled packets.  It must be an address on another
                      interface on this host.

                      encap { fou | gue | none } - specifies type of secondary
                      UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue"
                      indicates Generic UDP Encapsulation.

                      encap-sport { PORT | auto } - specifies the source port
                      in UDP encapsulation.  PORT indicates the port by
                      number, "auto" indicates that the port number should be
                      chosen automatically (the kernel picks a flow based on
                      the flow hash of the encapsulated packet).

                      [no]encap-csum - specifies if UDP checksums are enabled
                      in the secondary encapsulation.

                      [no]encap-remcsum - specifies if Remote Checksum Offload
                      is enabled. This is only applicable for Generic UDP
                      Encapsulation.

                      mode { ip6ip | ipip | mplsip | any } - specifies mode in
                      which device should run. "ip6ip" indicates
                      IPv6-Over-IPv4, "ipip" indicates "IPv4-Over-IPv4",
                      "mplsip" indicates MPLS-Over-IPv4, "any" indicates IPv6,
                      IPv4 or MPLS Over IPv4. Supported for SIT where the
                      default is "ip6ip" and IPIP where the default is "ipip".
                      IPv6-Over-IPv4 is not supported for IPIP.

                      external - make this tunnel externally controlled (e.g.
                      ip route encap).

       GRE Type Support
              For a link of type GRE or GRETAP the following additional
              arguments are supported:

              ip link add DEVICE type { gre | gretap }  remote ADDR local ADDR
              [ [no][i|o]seq ] [ [i|o]key KEY | no[i|o]key ] [ [no][i|o]csum ]
              [ ttl TTL ] [ tos TOS ] [ [no]pmtudisc ] [ [no]ignore-df ] [ dev
              PHYS_DEV ] [ encap { fou | gue | none } ] [ encap-sport { PORT |
              auto } ] [ encap-dport PORT ] [ [no]encap-csum ] [
              [no]encap-remcsum ] [ external ]

                      remote ADDR - specifies the remote address of the
                      tunnel.

                      local ADDR - specifies the fixed local address for
                      tunneled packets.  It must be an address on another
                      interface on this host.

                      [no][i|o]seq - serialize packets.  The oseq flag enables
                      sequencing of outgoing packets.  The iseq flag requires
                      that all input packets are serialized.

                      [i|o]key KEY | no[i|o]key - use keyed GRE with key KEY.
                      KEY is either a number or an IPv4 address-like dotted
                      quad.  The key parameter specifies the same key to use
                      in both directions.  The ikey and okey parameters
                      specify different keys for input and output.

                      [no][i|o]csum - generate/require checksums for tunneled
                      packets.  The ocsum flag calculates checksums for
                      outgoing packets.  The icsum flag requires that all
                      input packets have the correct checksum. The csum flag
                      is equivalent to the combination icsum ocsum.

                      ttl TTL - specifies the TTL value to use in outgoing
                      packets.

                      tos TOS - specifies the TOS value to use in outgoing
                      packets.

                      [no]pmtudisc - enables/disables Path MTU Discovery on
                      this tunnel.  It is enabled by default. Note that a
                      fixed ttl is incompatible with this option: tunneling
                      with a fixed ttl always makes pmtu discovery.

                      [no]ignore-df - enables/disables IPv4 DF suppression on
                      this tunnel.  Normally datagrams that exceed the MTU
                      will be fragmented; the presence of the DF flag inhibits
                      this, resulting instead in an ICMP Unreachable
                      (Fragmentation Required) message.  Enabling this
                      attribute causes the DF flag to be ignored.

                      dev PHYS_DEV - specifies the physical device to use for
                      tunnel endpoint communication.

                      encap { fou | gue | none } - specifies type of secondary
                      UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue"
                      indicates Generic UDP Encapsulation.

                      encap-sport { PORT | auto } - specifies the source port
                      in UDP encapsulation.  PORT indicates the port by
                      number, "auto" indicates that the port number should be
                      chosen automatically (the kernel picks a flow based on
                      the flow hash of the encapsulated packet).

                      [no]encap-csum - specifies if UDP checksums are enabled
                      in the secondary encapsulation.

                      [no]encap-remcsum - specifies if Remote Checksum Offload
                      is enabled. This is only applicable for Generic UDP
                      Encapsulation.

                      external - make this tunnel externally controlled (e.g.
                      ip route encap).

       IP6GRE/IP6GRETAP Type Support
              For a link of type IP6GRE/IP6GRETAP the following additional
              arguments are supported:

              ip link add DEVICE type { ip6gre | ip6gretap } remote ADDR local
              ADDR [ [no][i|o]seq ] [ [i|o]key KEY | no[i|o]key ] [
              [no][i|o]csum ] [ hoplimit TTL ] [ encaplimit ELIM ] [ tclass
              TCLASS ] [ flowlabel FLOWLABEL ] [ dscp inherit ] [
              [no]allow-localremote ] [ dev PHYS_DEV ] [ external ]

                      remote ADDR - specifies the remote IPv6 address of the
                      tunnel.

                      local ADDR - specifies the fixed local IPv6 address for
                      tunneled packets.  It must be an address on another
                      interface on this host.

                      [no][i|o]seq - serialize packets.  The oseq flag enables
                      sequencing of outgoing packets.  The iseq flag requires
                      that all input packets are serialized.

                      [i|o]key KEY | no[i|o]key - use keyed GRE with key KEY.
                      KEY is either a number or an IPv4 address-like dotted
                      quad.  The key parameter specifies the same key to use
                      in both directions.  The ikey and okey parameters
                      specify different keys for input and output.

                      [no][i|o]csum - generate/require checksums for tunneled
                      packets.  The ocsum flag calculates checksums for
                      outgoing packets.  The icsum flag requires that all
                      input packets have the correct checksum. The csum flag
                      is equivalent to the combination icsum ocsum.

                      hoplimit TTL - specifies Hop Limit value to use in
                      outgoing packets.

                      encaplimit ELIM - specifies a fixed encapsulation limit.
                      Default is 4.

                      flowlabel FLOWLABEL - specifies a fixed flowlabel.

                      [no]allow-localremote - specifies whether to allow
                      remote endpoint to have an address configured on local
                      host.

                      tclass TCLASS - specifies the traffic class field on
                      tunneled packets, which can be specified as either a
                      two-digit hex value (e.g. c0) or a predefined string
                      (e.g. internet).  The value inherit causes the field to
                      be copied from the original IP header. The values
                      inherit/STRING or inherit/00..ff will set the field to
                      STRING or 00..ff when tunneling non-IP packets. The
                      default value is 00.

                      external - make this tunnel externally controlled (or
                      not, which is the default).  In the kernel, this is
                      referred to as collect metadata mode.  This flag is
                      mutually exclusive with the remote, local, seq, key,
                      csum, hoplimit, encaplimit, flowlabel and tclass
                      options.

       IPoIB Type Support
              For a link of type IPoIB the following additional arguments are
              supported:

              ip link add DEVICE name NAME type ipoib [ pkey PKEY ] [ mode
              MODE ]

                      pkey PKEY - specifies the IB P-Key to use.

                      mode MODE - specifies the mode (datagram or connected)
                      to use.

       ERSPAN Type Support
              For a link of type ERSPAN/IP6ERSPAN the following additional
              arguments are supported:

              ip link add DEVICE type { erspan | ip6erspan } remote ADDR local
              ADDR seq key KEY erspan_ver version [ erspan IDX ] [ erspan_dir
              { ingress | egress } ] [ erspan_hwid hwid ] [
              [no]allow-localremote ] [ external ]

                      remote ADDR - specifies the remote address of the
                      tunnel.

                      local ADDR - specifies the fixed local address for
                      tunneled packets.  It must be an address on another
                      interface on this host.

                      erspan_ver version - specifies the ERSPAN version
                      number.  version indicates the ERSPAN version to be
                      created: 0 for version 0 (type I), 1 for version 1
                      (type II) or 2 for version 2 (type III).

                      erspan IDX - specifies the ERSPAN v1 index field.  IDX
                      indicates a 20 bit index/port number associated with the
                      ERSPAN traffic's source port and direction.

                      erspan_dir { ingress | egress } - specifies the ERSPAN
                      v2 mirrored traffic's direction.

                      erspan_hwid hwid - a unique identifier of an ERSPAN v2
                      engine within a system.  hwid is a 6-bit value for users
                      to configure.

                      [no]allow-localremote - specifies whether to allow
                      remote endpoint to have an address configured on local
                      host.

                      external - make this tunnel externally controlled (or
                      not, which is the default).  In the kernel, this is
                      referred to as collect metadata mode.  This flag is
                      mutually exclusive with the remote, local, erspan_ver,
                      erspan, erspan_dir and erspan_hwid options.

       GENEVE Type Support
              For a link of type GENEVE the following additional arguments are
              supported:

              ip link add DEVICE type geneve id VNI remote IPADDR [ ttl TTL ]
              [ tos TOS ] [ df DF ] [ flowlabel FLOWLABEL ] [ dstport PORT ] [
              [no]external ] [ [no]udpcsum ] [ [no]udp6zerocsumtx ] [
              [no]udp6zerocsumrx ]

                      id VNI - specifies the Virtual Network Identifier to
                      use.

                      remote IPADDR - specifies the unicast destination IP
                      address to use in outgoing packets.

                      ttl TTL - specifies the TTL value to use in outgoing
                      packets. "0" or "auto" means use whatever default value,
                      "inherit" means inherit the inner protocol's ttl.
                      Default option is "0".

                      tos TOS - specifies the TOS value to use in outgoing
                      packets.

                      df DF - specifies the usage of the Don't Fragment flag
                      (DF) bit in outgoing packets with IPv4 headers. The
                      value inherit causes the bit to be copied from the
                      original IP header. The values unset and set cause the
                      bit to be always unset or always set, respectively. By
                      default, the bit is not set.

                      flowlabel FLOWLABEL - specifies the flow label to use in
                      outgoing packets.

                      dstport PORT - select a destination port other than the
                      default of 6081.

                      [no]external - make this tunnel externally controlled
                      (or not, which is the default). This flag is mutually
                      exclusive with the id, remote, ttl, tos and flowlabel
                      options.

                      [no]udpcsum - specifies if UDP checksum is calculated
                      for transmitted packets over IPv4.

                      [no]udp6zerocsumtx - skip UDP checksum calculation for
                      transmitted packets over IPv6.

                      [no]udp6zerocsumrx - allow incoming UDP packets over
                      IPv6 with zero checksum field.

782       Bareudp Type Support
783              For a link of type Bareudp the following additional arguments
784              are supported:
785
786              ip link add DEVICE type bareudp dstport PORT ethertype ETHERTYPE
787              [ srcportmin SRCPORTMIN ] [ [no]multiproto ]
788
789
790                      dstport PORT - specifies the destination port for the
791                      UDP tunnel.
792
793
794                      ethertype ETHERTYPE - specifies the ethertype of the L3
795                      protocol being tunnelled.
796
797
798                      srcportmin SRCPORTMIN - selects the lowest value of the
799                      UDP tunnel source port range.
800
801
802                      [no]multiproto - activates support for protocols similar
803                      to the one specified by ethertype.  When ETHERTYPE is
804                      "mpls_uc" (that is, unicast MPLS), this allows the tun‐
805                      nel to also handle multicast MPLS.  When ETHERTYPE is
806                      "ipv4", this allows the tunnel to also handle IPv6. This
807                      option is disabled by default.
808
809
810       MACVLAN and MACVTAP Type Support
811              For a link of type MACVLAN or MACVTAP the following additional
812              arguments are supported:
813
814              ip link add link DEVICE name NAME type { macvlan | macvtap }
815              mode { private | vepa | bridge | passthru  [ nopromisc ] |
816              source }
817
818
819                      type { macvlan | macvtap } - specifies the link type to
820                      use.  macvlan creates just a virtual interface, while
821                      macvtap in addition creates a character device /dev/tapX
822                      to be used just like a tuntap device.
823
824                      mode private - Do not allow communication between
825                      macvlan instances on the same physical interface, even
826                      if the external switch supports hairpin mode.
827
828                      mode vepa - Virtual Ethernet Port Aggregator mode. Data
829                      from one macvlan instance to the other on the same phys‐
830                      ical interface is transmitted over the physical inter‐
831                      face. Either the attached switch needs to support hair‐
832                      pin mode, or there must be a TCP/IP router forwarding
833                      the packets in order to allow communication. This is the
834                      default mode.
835
836                      mode bridge - In bridge mode, all endpoints are directly
837                      connected to each other, communication is not redirected
838                      through the physical interface's peer.
839
840                      mode passthru [ nopromisc ] - This mode gives more power
841                      to a single endpoint, usually in macvtap mode. It is not
842                      allowed for more than one endpoint on the same physical
843                      interface. All traffic will be forwarded to this end‐
844                      point, allowing virtio guests to change MAC address or
845                      set promiscuous mode in order to bridge the interface or
846                      create vlan interfaces on top of it. By default, this
847                      mode forces the underlying interface into promiscuous
848                      mode. Passing the nopromisc flag prevents this, so the
849                      promisc flag may be controlled using standard tools.
850
851                      mode source - allows one to set a list of allowed MAC
852                      addresses, which is matched against the source MAC
853                      address of frames received on the underlying interface.
854                      This allows creating MAC-based VLAN associations
855                      instead of standard port- or tag-based ones. The feature
856                      is useful for deploying 802.1x MAC-based behavior where
857                      drivers of the underlying interfaces do not allow that.
858
859
860       High-availability Seamless Redundancy (HSR) Support
861              For a link of type HSR the following additional arguments are
862              supported:
863
864              ip link add link DEVICE name NAME type hsr slave1 SLAVE1-IF
865              slave2 SLAVE2-IF [ supervision ADDR-BYTE ] [ version { 0 | 1 } ]
866              [ proto { 0 | 1 } ]
867
868
869                      type hsr - specifies the link type to use, here HSR.
870
871                      slave1 SLAVE1-IF - Specifies the physical device used
872                      for the first of the two ring ports.
873
874                      slave2 SLAVE2-IF - Specifies the physical device used
875                      for the second of the two ring ports.
876
877                      supervision ADDR-BYTE - The last byte of the multicast
878                      address used for HSR supervision frames.  Default option
879                      is "0", possible values 0-255.
880
881                      version { 0 | 1 } - Selects the protocol version of the
882                      interface. Default option is "0", which corresponds to
883                      the 2010 version of the HSR standard. Option "1" acti‐
884                      vates the 2012 version.
885
886                      proto { 0 | 1 } - Selects the protocol at the interface.
887                      Default option is "0", which corresponds to the HSR
888                      standard. Option "1" activates the Parallel Redundancy
889                      Protocol (PRP).
890
891
892       BRIDGE Type Support
893              For a link of type BRIDGE the following additional arguments are
894              supported:
895
896              ip link add DEVICE type bridge [ ageing_time AGEING_TIME ] [
897              group_fwd_mask MASK ] [ group_address ADDRESS ] [ forward_delay
898              FORWARD_DELAY ] [ hello_time HELLO_TIME ] [ max_age MAX_AGE ] [
899              stp_state STP_STATE ] [ priority PRIORITY ] [ vlan_filtering
900              VLAN_FILTERING ] [ vlan_protocol VLAN_PROTOCOL ] [
901              vlan_default_pvid VLAN_DEFAULT_PVID ] [ vlan_stats_enabled
902              VLAN_STATS_ENABLED ] [ vlan_stats_per_port VLAN_STATS_PER_PORT ]
903              [ mcast_snooping MULTICAST_SNOOPING ] [ mcast_router MULTI‐
904              CAST_ROUTER ] [ mcast_query_use_ifaddr MCAST_QUERY_USE_IFADDR ]
905              [ mcast_querier MULTICAST_QUERIER ] [ mcast_hash_elasticity
906              HASH_ELASTICITY ] [ mcast_hash_max HASH_MAX ] [ mcast_last_mem‐
907              ber_count LAST_MEMBER_COUNT ] [ mcast_startup_query_count
908              STARTUP_QUERY_COUNT ] [ mcast_last_member_interval LAST_MEM‐
909              BER_INTERVAL ] [ mcast_membership_interval MEMBERSHIP_INTERVAL ]
910              [ mcast_querier_interval QUERIER_INTERVAL ] [ mcast_query_inter‐
911              val QUERY_INTERVAL ] [ mcast_query_response_interval
912              QUERY_RESPONSE_INTERVAL ] [ mcast_startup_query_interval
913              STARTUP_QUERY_INTERVAL ] [ mcast_stats_enabled
914              MCAST_STATS_ENABLED ] [ mcast_igmp_version IGMP_VERSION ] [
915              mcast_mld_version MLD_VERSION ] [ nf_call_iptables NF_CALL_IPTA‐
916              BLES ] [ nf_call_ip6tables NF_CALL_IP6TABLES ] [ nf_call_arpta‐
917              bles NF_CALL_ARPTABLES ]
918
919
920                      ageing_time AGEING_TIME - configure the bridge's FDB
921                      entries ageing time, ie the number of seconds a MAC
922                      address will be kept in the FDB after a packet has been
923                      received from that address. After this time has passed,
924                      entries are cleaned up.
925
926                      group_fwd_mask MASK - set the group forward mask. This
927                      is the bitmask that is applied to decide whether to for‐
928                      ward incoming frames destined to link-local addresses,
929                      ie addresses of the form 01:80:C2:00:00:0X (defaults to
930                      0, ie the bridge does not forward any link-local
931                      frames).
932
933                      group_address ADDRESS - set the MAC address of the mul‐
934                      ticast group this bridge uses for STP.  The address must
935                      be a link-local address in standard Ethernet MAC address
936                      format, ie an address of the form 01:80:C2:00:00:0X,
937                      with X in [0, 4..f].
939
940                      forward_delay FORWARD_DELAY - set the forwarding delay
941                      in seconds, ie the time spent in LISTENING state (before
942                      moving to LEARNING) and in LEARNING state (before moving
943                      to FORWARDING). Only relevant if STP is enabled. Valid
944                      values are between 2 and 30.
945
946                      hello_time HELLO_TIME - set the time in seconds between
947                      hello packets sent by the bridge, when it is a root
948                      bridge or a designated bridge.  Only relevant if STP is
949                      enabled. Valid values are between 1 and 10.
950
951                      max_age MAX_AGE - set the hello packet timeout, ie the
952                      time in seconds until another bridge in the spanning
953                      tree is assumed to be dead, after reception of its last
954                      hello message. Only relevant if STP is enabled. Valid
955                      values are between 6 and 40.
956
957                      stp_state STP_STATE - turn spanning tree protocol on
958                      (STP_STATE > 0) or off (STP_STATE == 0) for this
959                      bridge.
960
961                      priority PRIORITY - set this bridge's spanning tree pri‐
962                      ority, used during STP root bridge election.  PRIORITY
963                      is a 16bit unsigned integer.
964
965                      vlan_filtering VLAN_FILTERING - turn VLAN filtering on
966                      (VLAN_FILTERING > 0) or off (VLAN_FILTERING == 0).  When
967                      disabled, the bridge will not consider the VLAN tag when
968                      handling packets.
969
970                      vlan_protocol { 802.1Q | 802.1ad } - set the protocol
971                      used for VLAN filtering.
972
973                      vlan_default_pvid VLAN_DEFAULT_PVID - set the default
974                      PVID (native/untagged VLAN ID) for this bridge.
975
976                      vlan_stats_enabled VLAN_STATS_ENABLED - enable
977                      (VLAN_STATS_ENABLED == 1) or disable (VLAN_STATS_ENABLED
978                      == 0) per-VLAN stats accounting.
979
980                      vlan_stats_per_port VLAN_STATS_PER_PORT - enable
981                      (VLAN_STATS_PER_PORT == 1) or disable
982                      (VLAN_STATS_PER_PORT == 0) per-VLAN per-port stats
983                      accounting. Can be changed only when there are no port
984                      VLANs configured.
985
986                      mcast_snooping MULTICAST_SNOOPING - turn multicast
987                      snooping on (MULTICAST_SNOOPING > 0) or off (MULTI‐
988                      CAST_SNOOPING == 0).
989
990                      mcast_router MULTICAST_ROUTER - set bridge's multicast
991                      router if IGMP snooping is enabled.  MULTICAST_ROUTER is
992                      an integer value having the following meaning:
993
994                              0 - disabled.
995
996                              1 - automatic (queried).
997
998                              2 - permanently enabled.
999
1000                      mcast_query_use_ifaddr MCAST_QUERY_USE_IFADDR - whether
1001                      to use the bridge's own IP address as source address for
1002                      IGMP queries (MCAST_QUERY_USE_IFADDR > 0) or the default
1003                      of 0.0.0.0 (MCAST_QUERY_USE_IFADDR == 0).
1004
1005                      mcast_querier MULTICAST_QUERIER - enable (MULTI‐
1006                      CAST_QUERIER > 0) or disable (MULTICAST_QUERIER == 0)
1007                      IGMP querier, ie sending of multicast queries by the
1008                      bridge (default: disabled).
1009
1010                      mcast_querier_interval QUERIER_INTERVAL - interval
1011                      between queries sent by other routers. If no queries are
1012                      seen after this delay has passed, the bridge will start
1013                      to send its own queries (as if mcast_querier was
1014                      enabled).
1015
1016                      mcast_hash_elasticity HASH_ELASTICITY - set multicast
1017                      database hash elasticity, ie the maximum chain length in
1018                      the multicast hash table (defaults to 4).
1019
1020                      mcast_hash_max HASH_MAX - set maximum size of multicast
1021                      hash table (defaults to 512, value must be a power of
1022                      2).
1023
1024                      mcast_last_member_count LAST_MEMBER_COUNT - set multi‐
1025                      cast last member count, ie the number of queries the
1026                      bridge will send before stopping forwarding a multicast
1027                      group after a "leave" message has been received
1028                      (defaults to 2).
1029
1030                      mcast_last_member_interval LAST_MEMBER_INTERVAL - inter‐
1031                      val between queries to find remaining members of a
1032                      group, after a "leave" message is received.
1033
1034                      mcast_startup_query_count STARTUP_QUERY_COUNT - set the
1035                      number of IGMP queries to send during startup phase
1036                      (defaults to 2).
1037
1038                      mcast_startup_query_interval STARTUP_QUERY_INTERVAL -
1039                      interval between queries in the startup phase.
1040
1041                      mcast_query_interval QUERY_INTERVAL - interval between
1042                      queries sent by the bridge after the end of the startup
1043                      phase.
1044
1045                      mcast_query_response_interval QUERY_RESPONSE_INTERVAL -
1046                      set the Max Response Time/Maximum Response Delay for
1047                      IGMP/MLD queries sent by the bridge.
1048
1049                      mcast_membership_interval MEMBERSHIP_INTERVAL - delay
1050                      after which the bridge will leave a group, if no member‐
1051                      ship reports for this group are received.
1052
1053                      mcast_stats_enabled MCAST_STATS_ENABLED - enable
1054                      (MCAST_STATS_ENABLED > 0) or disable
1055                      (MCAST_STATS_ENABLED == 0) multicast (IGMP/MLD) stats
1056                      accounting.
1057
1058                      mcast_igmp_version IGMP_VERSION - set the IGMP version.
1059
1060                      mcast_mld_version MLD_VERSION - set the MLD version.
1061
1062                      nf_call_iptables NF_CALL_IPTABLES - enable (NF_CALL_IPT‐
1063                      ABLES > 0) or disable (NF_CALL_IPTABLES == 0) iptables
1064                      hooks on the bridge.
1065
1066                      nf_call_ip6tables NF_CALL_IP6TABLES - enable
1067                      (NF_CALL_IP6TABLES > 0) or disable (NF_CALL_IP6TABLES ==
1068                      0) ip6tables hooks on the bridge.
1069
1070                      nf_call_arptables NF_CALL_ARPTABLES - enable
1071                      (NF_CALL_ARPTABLES > 0) or disable (NF_CALL_ARPTABLES ==
1072                      0) arptables hooks on the bridge.
1073
1074
1075
1076
1077       MACsec Type Support
1078              For a link of type MACsec the following additional arguments are
1079              supported:
1080
1081              ip link add link DEVICE name NAME type macsec [ [ address
1082              <lladdr> ] port PORT | sci SCI ] [ cipher CIPHER_SUITE ] [
1083              icvlen { 8..16 } ] [ encrypt { on | off } ] [ send_sci { on |
1084              off } ] [ end_station { on | off } ] [ scb { on | off } ] [ pro‐
1085              tect { on | off } ] [ replay { on | off } window { 0..2^32-1 } ]
1086              [ validate { strict | check | disabled } ] [ encodingsa { 0..3 }
1087              ]
1088
1089
1090                      address <lladdr> - sets the system identifier component
1091                      of secure channel for this MACsec device.
1092
1093
1094                      port PORT - sets the port number component of secure
1095                      channel for this MACsec device, in a range from 1 to
1096                      65535 inclusive. Numbers with a leading "0" or "0x"
1097                      are interpreted as octal and hexadecimal, respectively.
1098
1099
1100                      sci SCI - sets the secure channel identifier for this
1101                      MACsec device.  SCI is a 64bit wide number in hexadeci‐
1102                      mal format.
1103
1104
1105                      cipher CIPHER_SUITE - defines the cipher suite to use.
1106
1107
1108                      icvlen LENGTH - sets the length of the Integrity Check
1109                      Value (ICV).
1110
1111
1112                      encrypt on or encrypt off - switches between authenti‐
1113                      cated encryption, or authenticity mode only.
1114
1115
1116                      send_sci on or send_sci off - specifies whether the SCI
1117                      is included in every packet, or only when it is neces‐
1118                      sary.
1119
1120
1121                      end_station on or end_station off - sets the End Station
1122                      bit.
1123
1124
1125                      scb on or scb off - sets the Single Copy Broadcast bit.
1126
1127
1128                      protect on or protect off - enables MACsec protection on
1129                      the device.
1130
1131
1132                      replay on or replay off - enables replay protection on
1133                      the device.
1134
1135
1136
1137                              window SIZE - sets the size of the replay win‐
1138                              dow.
1139
1140
1141
1142                      validate strict or validate check or validate disabled -
1143                      sets the validation mode on the device.
1144
1145
1146                      encodingsa AN - sets the active secure association for
1147                      transmission.
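
The following pre-flight check is an added example, not part of the original manual page. It lints the macsec arguments of a proposed "ip link add ... type macsec" command against the ranges in the synopsis above, including the octal/hexadecimal reading of port. The function names and the warning policy (ask for encrypt on, replay on with a window, and validate strict explicitly) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the ip-link page: lint the macsec-specific
# arguments of a proposed "ip link add ... type macsec" command.
# Ranges come from the synopsis; the WARN policy is this example's assumption.

# port: a leading 0x means hexadecimal and a leading 0 means octal.
to_number() {
    case "$1" in
        0[xX]*) case "${1#0[xX]}" in ''|*[!0-9a-fA-F]*) return 1 ;; esac ;;
        0*)     case "$1" in *[!0-7]*) return 1 ;; esac ;;
        *)      case "$1" in ''|*[!0-9]*) return 1 ;; esac ;;
    esac
    [ "${#1}" -le 10 ] || return 1
    echo $(( $1 ))
}

# Decimal range check for the other numeric arguments (decimal is assumed here).
in_range() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 10 ] && [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

lint_err()  { echo "ERROR $*"; errs=$((errs + 1)); }
lint_warn() { echo "WARN $*";  warns=$((warns + 1)); }

# Prints findings; returns 0 (clean), 1 (warnings only) or 2 (invalid value).
macsec_lint() {
    errs=0 warns=0 encrypt='' replay='' validate='' window=''
    while [ $# -gt 0 ]; do
        key=$1 val=${2-}
        case "$key" in
        port)
            if n=$(to_number "$val") && [ "$n" -ge 1 ] && [ "$n" -le 65535 ]; then
                case "$val" in
                    0?*) lint_warn "port $val is parsed as $n because of its 0/0x prefix" ;;
                esac
            else
                lint_err "port '$val' is not in 1..65535"
            fi ;;
        icvlen)     in_range "$val" 8 16 || lint_err "icvlen '$val' is not in 8..16" ;;
        encodingsa) in_range "$val" 0 3  || lint_err "encodingsa '$val' is not in 0..3" ;;
        window)
            window=$val
            in_range "$val" 0 4294967295 || lint_err "window '$val' is not in 0..2^32-1" ;;
        encrypt|replay|protect|send_sci|end_station|scb)
            case "$val" in
                on|off) ;;
                *) lint_err "$key takes on or off, got '$val'" ;;
            esac
            [ "$key" != encrypt ] || encrypt=$val
            [ "$key" != replay ]  || replay=$val ;;
        validate)
            validate=$val
            case "$val" in
                strict|check|disabled) ;;
                *) lint_err "validate takes strict, check or disabled, got '$val'" ;;
            esac ;;
        address|sci|cipher) ;;   # accepted as-is; this example does not check them
        *)  lint_err "unknown macsec argument '$key'"
            shift; continue ;;
        esac
        shift
        [ $# -eq 0 ] || shift
    done
    [ "$encrypt" = on ]      || lint_warn "encrypt on not requested: off means authenticity only"
    [ "$replay" = on ]       || lint_warn "replay on not requested: no replay protection asked for"
    [ "$replay" != on ] || [ -n "$window" ] || lint_warn "replay on given without a window size"
    [ "$validate" = strict ] || lint_warn "validate strict not requested"
    if [ "$errs" -gt 0 ]; then return 2; fi
    if [ "$warns" -gt 0 ]; then return 1; fi
    return 0
}

# Constructed argument sets, shown when the file is run directly.
macsec_lint port 1 encrypt on replay on window 0 validate strict || true
macsec_lint port 010 icvlen 4 encrypt off validate check || true
```
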
1148
1149
1150
1151       VRF Type Support
1152              For a link of type VRF the following additional arguments are
1153              supported:
1154
1155              ip link add DEVICE type vrf table TABLE
1156
1157
1158                      table TABLE - table id associated with VRF device.
1159
1160
1161
1162       RMNET Type Support
1163              For a link of type RMNET the following additional arguments are
1164              supported:
1165
1166              ip link add link DEVICE name NAME type rmnet mux_id MUXID
1167
1168
1169                      mux_id MUXID - specifies the mux identifier for the
1170                      rmnet device, possible values 1-254.
1171
1172
1173
1174       XFRM Type Support
1175              For a link of type XFRM the following additional arguments are
1176              supported:
1177
1178              ip link add DEVICE type xfrm dev PHYS_DEV [ if_id IF_ID ]
1179
1180
1181                      dev PHYS_DEV - specifies the underlying physical inter‐
1182                      face from which transform traffic is sent and received.
1183
1184
1185                      if_id IF_ID - specifies the hexadecimal lookup key used
1186                      to send traffic to and from specific xfrm policies.
1187                      Policies must be configured with the same key. If not
1188                      set, the key defaults to 0 and will match any policies
1189                      which similarly do not have a lookup key configuration.
1190
1191
1192
1193   ip link delete - delete virtual link
1194       dev DEVICE
1195              specifies the virtual device to operate on.
1196
1197
1198       group GROUP
1199              specifies the group of virtual links to delete. Group 0 is not
1200              allowed to be deleted since it is the default group.
1201
1202
1203       type TYPE
1204              specifies the type of the device.
1205
1206
1207   ip link set - change device attributes
1208       Warning: If multiple parameter changes are requested, ip aborts immedi‐
1209       ately after any of the changes have failed.  This is the only case when
1210       ip can move the system to an unpredictable state. The solution is to
1211       avoid changing several parameters with one ip link set call.  The modi‐
1212       fier change is equivalent to set.
1213
1214
1215
1216       dev DEVICE
1217              DEVICE specifies network device to operate on. When configuring
1218              SR-IOV Virtual Function (VF) devices, this keyword should spec‐
1219              ify the associated Physical Function (PF) device.
1220
1221
1222       group GROUP
1223              GROUP has a dual role: If both group and dev are present, then
1224              move the device to the specified group. If only a group is spec‐
1225              ified, then the command operates on all devices in that group.
1226
1227
1228       up and down
1229              change the state of the device to UP or DOWN.
1230
1231
1232       arp on or arp off
1233              change the NOARP flag on the device.
1234
1235
1236       multicast on or multicast off
1237              change the MULTICAST flag on the device.
1238
1239
1240       allmulticast on or allmulticast off
1241              change the ALLMULTI flag on the device. When enabled, instructs
1242              network driver to retrieve all multicast packets from the net‐
1243              work to the kernel for further processing.
1244
1245
1246       promisc on or promisc off
1247              change the PROMISC flag on the device. When enabled, activates
1248              promiscuous operation of the network device.
1249
1250
1251       trailers on or trailers off
1252              change the NOTRAILERS flag on the device. It is NOT used by
1253              Linux and exists for BSD compatibility.
1254
1255
1256       protodown on or protodown off
1257              change the PROTODOWN state on the device. Indicates that a pro‐
1258              tocol error has been detected on the port. Switch drivers can
1259              react to this error by doing a phys down on the switch port.
1260
1261
1262       dynamic on or dynamic off
1263              change the DYNAMIC flag on the device. Indicates that address
1264              can change when interface goes down (currently NOT used by
1265              Linux).
1266
1267
1268       name NAME
1269              change the name of the device. This operation is not recommended
1270              if the device is running or has some addresses already config‐
1271              ured.
1272
1273
1274       txqueuelen NUMBER
1275
1276       txqlen NUMBER
1277              change the transmit queue length of the device.
1278
1279
1280       mtu NUMBER
1281              change the MTU of the device.
1282
1283
1284       address LLADDRESS
1285              change the station address of the interface.
1286
1287
1288       broadcast LLADDRESS
1289
1290       brd LLADDRESS
1291
1292       peer LLADDRESS
1293              change the link layer broadcast address or the peer address when
1294              the interface is POINTOPOINT.
1295
1296
1297       netns NETNSNAME | PID
1298              move the device to the network namespace associated with name
1299              NETNSNAME or process PID.
1300
1301              Some devices are not allowed to change network namespace:
1302              loopback, bridge, wireless. These are network namespace local
1303              devices. In such a case the ip tool will return an "Invalid
1304              argument" error. It is possible to find out whether a device is
1305              local to a single network namespace by checking the netns-local
1306              flag in the output of ethtool:
1307
1308                      ethtool -k DEVICE
1309
1310              To change network namespace for wireless devices the iw tool can
1311              be used. But it allows changing the network namespace only for
1312              physical devices and by process PID.
1313
1314
1315       alias NAME
1316              give the device a symbolic name for easy reference.
1317
1318
1319       group GROUP
1320              specify the group the device belongs to.  The available groups
1321              are listed in file /etc/iproute2/group.
1322
1323
1324       vf NUM specify a Virtual Function device to be configured. The associ‐
1325              ated PF device must be specified using the dev parameter.
1326
1327                      mac LLADDRESS - change the station address for the spec‐
1328                      ified VF. The vf parameter must be specified.
1329
1330
1331                      vlan VLANID - change the assigned VLAN for the specified
1332                      VF. When specified, all traffic sent from the VF will be
1333                      tagged with the specified VLAN ID. Incoming traffic will
1334                      be filtered for the specified VLAN ID, and will have all
1335                      VLAN tags stripped before being passed to the VF. Set‐
1336                      ting this parameter to 0 disables VLAN tagging and fil‐
1337                      tering. The vf parameter must be specified.
1338
1339
1340                      qos VLAN-QOS - assign VLAN QOS (priority) bits for the
1341                      VLAN tag. When specified, all VLAN tags transmitted by
1342                      the VF will include the specified priority bits in the
1343                      VLAN tag. If not specified, the value is assumed to be
1344                      0. Both the vf and vlan parameters must be specified.
1345                      Setting both vlan and qos as 0 disables VLAN tagging and
1346                      filtering for the VF.
1347
1348
1349                      proto VLAN-PROTO - assign VLAN PROTOCOL for the VLAN
1350                      tag, either 802.1Q or 802.1ad.  Setting to 802.1ad, all
1351                      traffic sent from the VF will be tagged with VLAN S-Tag.
1352                      Incoming traffic will have VLAN S-Tags stripped before
1353                      being passed to the VF.  Setting to 802.1ad also enables
1354                      an option to concatenate another VLAN tag, so both S-TAG
1355                      and C-TAG will be inserted/stripped for outgoing/incom‐
1356                      ing traffic, respectively.  If not specified, the value
1357                      is assumed to be 802.1Q. Both the vf and vlan parameters
1358                      must be specified.
1359
1360
1361                      rate TXRATE - change the allowed transmit bandwidth, in
1362                      Mbps, for the specified VF.  Setting this parameter to 0
1363                      disables rate limiting.  vf parameter must be specified.
1364                      Please use new API max_tx_rate option instead.
1365
1366
1367                      max_tx_rate TXRATE - change the allowed maximum transmit
1368                      bandwidth, in Mbps, for the specified VF.  Setting this
1369                      parameter to 0 disables rate limiting.  vf parameter
1370                      must be specified.
1371
1372
1373                      min_tx_rate TXRATE - change the allowed minimum transmit
1374                      bandwidth, in Mbps, for the specified VF.  Minimum
1375                      TXRATE should be always <= Maximum TXRATE.  Setting this
1376                      parameter to 0 disables rate limiting.  vf parameter
1377                      must be specified.
1378
1379
1380                      spoofchk on|off - turn packet spoof checking on or off
1381                      for the specified VF.
1382
1383                      query_rss on|off - toggle the ability of querying the
1384                      RSS configuration of a specific VF. VF RSS information
1385                      like RSS hash key may be considered sensitive on some
1386                      devices where this information is shared between VF and
1387                      PF and thus its querying may be prohibited by default.
1390
1391                      state auto|enable|disable - set the virtual link state
1392                      as seen by the specified VF. Setting to auto means a
1393                      reflection of the PF link state, enable lets the VF
1394                      communicate with other VFs on this host even if the PF
1395                      link state is down, disable causes the HW to drop any
1396                      packets sent by the VF.
1397
1398                      trust on|off - trust the specified VF user. This allows
1399                      the VF user to set a specific feature which may impact
1400                      security and/or performance (e.g. VF multicast promis‐
1401                      cuous mode).
1402
1403                      node_guid eui64 - configure node GUID for Infiniband
1404                      VFs.
1405
1406                      port_guid eui64 - configure port GUID for Infiniband
1407                      VFs.
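
The following audit is an added example, not part of the original manual page. It scans "ip link show" output for the promisc flag and for VFs with spoofchk off, trust on or query_rss on, and prints the "ip link set" call from this section that reverts each. The sample input is constructed and only modelled on the tool's output format; the device names, MAC addresses and function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the ip-link page: flag risky link and VF settings
# in "ip link show" output and print the "ip link set" call that reverts each.

# Constructed sample modelled on "ip link show" output (not a real capture).
sample_ip_link_output() {
    cat <<'EOF'
4: enp3s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    vf 0     link/ether 52:54:00:00:01:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off, query_rss off
    vf 1     link/ether 52:54:00:00:01:01 brd ff:ff:ff:ff:ff:ff, vlan 100, spoof checking off, link-state enable, trust on, query_rss on
5: enp3s0f1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:00:00:02 brd ff:ff:ff:ff:ff:ff
EOF
}

# Reads "ip link show" text on stdin, writes one finding per line to stdout.
audit_links() {
    awk '
    /^[0-9]+: / {                        # device header: "IDX: NAME: <FLAGS> ..."
        dev = $2
        sub(/:$/, "", dev)               # strip the trailing colon
        sub(/@.*$/, "", dev)             # strip an "@parent" suffix if present
        if ($3 ~ /[<,]PROMISC[,>]/)
            print dev ": PROMISC set; fix: ip link set dev " dev " promisc off"
        next
    }
    $1 == "vf" {                         # per-VF line listed under its PF
        who = dev " vf " $2
        fix = "ip link set dev " dev " vf " $2
        if ($0 ~ /spoof checking off/)
            print who ": spoofchk off; fix: " fix " spoofchk on"
        if ($0 ~ /trust on/)
            print who ": trust on; fix: " fix " trust off"
        if ($0 ~ /query_rss on/)
            print who ": query_rss on; fix: " fix " query_rss off"
    }'
}

# Run against the constructed sample; on a live host pipe "ip link show" instead.
sample_ip_link_output | audit_links
```

The printed fixes are suggestions only; following the warning under ip link set, each changes a single parameter per call.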
1408
1409
1410       xdp object | pinned | off
1411              set (or unset) an XDP ("eXpress Data Path") BPF program to run on
1412              every packet at driver level.  ip link output will indicate an
1413              xdp flag for the networking device. If the driver does not have
1414              native XDP support, the kernel will fall back to a slower,
1415              driver-independent "generic" XDP variant. The ip link output
1416              will in that case indicate xdpgeneric instead of xdp only. If
1417              the driver does have native XDP support, but the program is
1418              loaded under xdpgeneric object | pinned then the kernel will use
1419              the generic XDP variant instead of the native one.  xdpdrv has
1420              the opposite effect: it requests that the automatic fallback to
1421              the generic XDP variant be disabled, so that an error is returned
1422              if the driver is not XDP-capable.  xdpdrv also disables
1423              hardware offloads.  xdpoffload in ip link output indicates that
1424              the program has been offloaded to hardware. It can also be used
1425              to request the "offload" mode: much like xdpgeneric, it forces
1426              the program to be installed specifically in HW/FW of the adapter.
1427
1428              off (or none) - Detaches any currently attached XDP/BPF program
1429              from the given device.
1430
1431              object FILE - Attaches an XDP/BPF program to the given device.
1432              The FILE points to a BPF ELF file (e.g. generated by LLVM) that
1433              contains the BPF program code, map specifications, etc. If an
1434              XDP/BPF program is already attached to the given device, an
1435              error will be thrown. If no XDP/BPF program is currently
1436              attached, the device supports XDP and the program from the BPF
1437              ELF file passes the kernel verifier, then it will be attached to
1438              the device. If the option -force is passed to ip then any prior
1439              attached XDP/BPF program will be atomically overridden and no
1440              error will be thrown in this case. If no section option is
1441              passed, then the default section name ("prog") will be assumed,
1442              otherwise the provided section name will be used. If no verbose
1443              option is passed, then a verifier log will only be dumped on
1444              load error.  See also EXAMPLES section for usage examples.
1445
1446              section NAME - Specifies a section name that contains the BPF
1447              program code. If no section name is specified, the default one
1448              ("prog") will be used. This option is to be passed with the
1449              object option.
1450
1451              verbose - Act in verbose mode. For example, even in case of
1452              success, this will print the verifier log in case a program was
1453              loaded from a BPF ELF file.
1454
1455              pinned FILE - Attaches an XDP/BPF program to the given device.
1456              The FILE points to an already pinned BPF program in the BPF file
1457              system. The option section doesn't apply here, but otherwise
1458              semantics are the same as with the option object described
1459              already.
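
Because ip link output carries the xdp, xdpgeneric or xdpoffload flag described above, it can be used to inventory which devices run an XDP program and in which mode. The following is an added example, not part of this manual page or of iproute2; the function names, the allowlist idea and the sample output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list devices carrying an XDP program and the attach mode,
# taken from the flag `ip link show` prints on each device's summary line.
xdp_inventory() {
    awk '
    /^[0-9]+: / {
        dev = $2; sub(/:$/, "", dev); sub(/@.*/, "", dev)  # drop ":" and "@peer"
        for (i = 3; i <= NF; i++) {
            if ($i == "xdp")        print dev, "native"
            if ($i == "xdpgeneric") print dev, "generic"
            if ($i == "xdpoffload") print dev, "offload"
        }
    }'
}

# Print devices that carry XDP but are missing from the space-separated
# allowlist in $1 (hypothetical policy input).
xdp_unexpected() {
    xdp_inventory | while read -r dev mode; do
        case " $1 " in
            *" $dev "*) ;;                  # expected, stay quiet
            *) echo "$dev $mode" ;;
        esac
    done
}

# Constructed sample in the shape of `ip link show` output (not from a real host).
sample_link_output() {
cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 xdp qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:20 brd ff:ff:ff:ff:ff:ff
3: veth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 xdpgeneric qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:21 brd ff:ff:ff:ff:ff:ff
EOF
}

# Live use: ip link show | xdp_unexpected "eth0"
sample_link_output | xdp_unexpected "eth0"
```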
1460
1461
1462       master DEVICE
1463              set master device of the device (enslave device).
1464
1465
1466       nomaster
1467              unset master device of the device (release device).
1468
1469
1470       addrgenmode eui64|none|stable_secret|random
1471              set the IPv6 address generation mode
1472
1473              eui64 - use a Modified EUI-64 format interface identifier
1474
1475              none - disable automatic address generation
1476
1477              stable_secret - generate the interface identifier based on a
1478              preset
1479              /proc/sys/net/ipv6/conf/{default,DEVICE}/stable_secret
1480
1481              random - like stable_secret, but auto-generate a new random
1482              secret if none is set
1483
1484
1485       link-netnsid
1486              set peer netnsid for a cross-netns interface
1487
1488
1489       type ETYPE TYPE_ARGS
1490              Change type-specific settings. For a list of supported types and
1491              arguments refer to the description of ip link add above. In
1492              addition to that, it is possible to manipulate settings to slave
1493              devices:
1494
1495
1496       Bridge Slave Support
1497              For a link with master bridge the following additional arguments
1498              are supported:
1499
1500              ip link set type bridge_slave [ fdb_flush ] [ state STATE ] [
1501              priority PRIO ] [ cost COST ] [ guard { on | off } ] [ hairpin {
1502              on | off } ] [ fastleave { on | off } ] [ root_block { on | off
1503              } ] [ learning { on | off } ] [ flood { on | off } ] [ proxy_arp
1504              { on | off } ] [ proxy_arp_wifi { on | off } ] [ mcast_router
1505              MULTICAST_ROUTER ] [ mcast_fast_leave { on | off} ] [
1506              mcast_flood { on | off } ] [ mcast_to_unicast { on | off } ] [
1507              group_fwd_mask MASK ] [ neigh_suppress { on | off } ] [
1508              vlan_tunnel { on | off } ] [ isolated { on | off } ] [
1509              backup_port DEVICE ] [ nobackup_port ]
1510
1511
1512                      fdb_flush - flush bridge slave's fdb dynamic entries.
1513
1514                      state STATE - Set port state.  STATE is a number
1515                      representing the following states: 0 (disabled),
1516                      1 (listening), 2 (learning), 3 (forwarding), 4 (blocking).
1517
1518                      priority PRIO - set port priority (allowed values are
1519                      between 0 and 63, inclusively).
1520
1521                      cost COST - set port cost (allowed values are between 1
1522                      and 65535, inclusively).
1523
1524                      guard { on | off } - block incoming BPDU packets on this
1525                      port.
1526
1527                      hairpin { on | off } - enable hairpin mode on this port.
1528                      This will allow incoming packets on this port to be
1529                      reflected back.
1530
1531                      fastleave { on | off } - enable multicast fast leave on
1532                      this port.
1533
1534                      root_block { on | off } - block this port from becoming
1535                      the bridge's root port.
1536
1537                      learning { on | off } - allow MAC address learning on
1538                      this port.
1539
1540                      flood { on | off } - open the flood gates on this port,
1541                      i.e. forward all unicast frames to this port also.
1542                      Requires proxy_arp and proxy_arp_wifi to be turned off.
1543
1544                      proxy_arp { on | off } - enable proxy ARP on this port.
1545
1546                      proxy_arp_wifi { on | off } - enable proxy ARP on this
1547                      port which meets extended requirements by IEEE 802.11
1548                      and Hotspot 2.0 specifications.
1549
1550                      mcast_router MULTICAST_ROUTER - configure this port for
1551                      having multicast routers attached. A port with a
1552                      multicast router will receive all multicast traffic.
1553                      MULTICAST_ROUTER may be either 0 to disable multicast
1554                      routers on this port, 1 to let the system detect the
1555                      presence of routers (this is the default), 2 to
1556                      permanently enable multicast traffic forwarding on this
1557                      port or 3 to enable multicast routers temporarily on this
1558                      port, not depending on incoming queries.
1559
1560                      mcast_fast_leave { on | off } - this is a synonym to the
1561                      fastleave option above.
1562
1563                      mcast_flood { on | off } - controls whether a given port
1564                      will flood multicast traffic for which there is no MDB
1565                      entry.
1566
1567                      mcast_to_unicast { on | off } - controls whether a given
1568                      port will replicate packets using unicast instead of
1569                      multicast. By default this flag is off.
1570
1571                      group_fwd_mask MASK - set the group forward mask. This
1572                      is the bitmask that is applied to decide whether to
1573                      forward incoming frames destined to link-local addresses,
1574                      i.e. addresses of the form 01:80:C2:00:00:0X (defaults to
1575                      0, i.e. the bridge does not forward any link-local frames
1576                      coming on this port).
1577
1578                      neigh_suppress { on | off } - controls whether neighbor
1579                      discovery (ARP and ND) proxy and suppression is enabled
1580                      on the port. By default this flag is off.
1581
1582                      vlan_tunnel { on | off } - controls whether vlan to
1583                      tunnel mapping is enabled on the port. By default this
1584                      flag is off.
1585
1586                      backup_port DEVICE - if the port loses carrier all
1587                      traffic will be redirected to the configured backup port.
1588
1589                      nobackup_port - removes the currently configured backup
1590                      port.
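
Several of the bridge_slave options above (guard, root_block, hairpin, group_fwd_mask) matter most on ports that face untrusted hosts. As an added example, not part of this manual page or of iproute2, the function below checks such ports against an example policy using the bridge_slave line of ip -d link show; the policy itself, the function names, the port names and the abbreviated sample output are assumptions.

```shell
#!/bin/sh
# Added example: check bridge ports facing untrusted hosts against an example
# edge-port policy, using the bridge_slave line of `ip -d link show`.
audit_bridge_ports() {        # $1: space-separated names of edge ports
    awk -v edge=" $1 " '
    /^[0-9]+: / { dev = $2; sub(/:$/, "", dev); sub(/@.*/, "", dev); next }
    $1 == "bridge_slave" && index(edge, " " dev " ") {
        split("", opt)                                  # reset per device
        for (i = 2; i < NF; i++) opt[$i] = $(i + 1)     # option -> value
        if (opt["guard"] != "on")      print dev ": guard not on, BPDUs accepted"
        if (opt["root_block"] != "on") print dev ": root_block not on, may become root port"
        if (opt["hairpin"] == "on")    print dev ": hairpin on, frames reflected back"
        m = opt["group_fwd_mask"]
        if (m != "" && m != "0" && m != "0x0") print dev ": group_fwd_mask " m ", link-local frames forwarded"
    }'
}

# Constructed, abbreviated sample in the shape of `ip -d link show` output.
sample_bridge_output() {
cat <<'EOF'
5: veth-a@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:31 brd ff:ff:ff:ff:ff:ff promiscuity 1
    bridge_slave state forwarding priority 32 cost 2 hairpin on guard off root_block off fastleave off learning on flood on group_fwd_mask 0x4000 isolated off
6: veth-b@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:32 brd ff:ff:ff:ff:ff:ff promiscuity 1
    bridge_slave state forwarding priority 32 cost 2 hairpin off guard on root_block on fastleave off learning on flood on group_fwd_mask 0 isolated off
7: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:33 brd ff:ff:ff:ff:ff:ff promiscuity 1
    bridge_slave state forwarding priority 32 cost 4 hairpin off guard off root_block off fastleave off learning on flood on group_fwd_mask 0 isolated off
EOF
}

# Live use: ip -d link show master br0 | audit_bridge_ports "veth-a veth-b"
sample_bridge_output | audit_bridge_ports "veth-a veth-b"
```

The uplink eth1 is left out of the edge list on purpose, since it must accept BPDUs from the upstream switch.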
1591
1592
1593
1594       Bonding Slave Support
1595              For a link with master bond the following additional arguments
1596              are supported:
1597
1598              ip link set type bond_slave [ queue_id ID ]
1599
1600
1601                      queue_id ID - set the slave's queue ID (a 16bit unsigned
1602                      value).
1603
1604
1605
1606       MACVLAN and MACVTAP Support
1607              Modify list of allowed macaddr for link in source mode.
1608
1609              ip link set type { macvlan | macvtap } [ macaddr COMMAND MACADDR
1610              ...  ]
1611
1612              Commands:
1613                      add - add MACADDR to allowed list
1614
1615                      set - replace allowed list
1616
1617                      del - remove MACADDR from allowed list
1618
1619                      flush - flush whole allowed list
1620
1621
1622
1623
1624   ip link show - display device attributes
1625       dev NAME (default)
1626              NAME specifies the network device to show.
1627
1628
1629       group GROUP
1630              GROUP specifies what group of devices to show.
1631
1632
1633       up     only display running interfaces.
1634
1635
1636       master DEVICE
1637              DEVICE specifies the master device which enslaves devices to
1638              show.
1639
1640
1641       vrf NAME
1642              NAME specifies the VRF which enslaves devices to show.
1643
1644
1645       type TYPE
1646              TYPE specifies the type of devices to show.
1647
1648              Note that the type name is not checked against the list of sup‐
1649              ported types - instead it is sent as-is to the kernel. Later it
1650              is used to filter the returned interface list by comparing it
1651              with the relevant attribute in case the kernel didn't filter
1652              already. Therefore any string is accepted, but may lead to empty
1653              output.
1654
1655
1656   ip link xstats - display extended statistics
1657       type TYPE
1658              TYPE specifies the type of devices to display extended statis‐
1659              tics for.
1660
1661
1662   ip link afstats - display address-family specific statistics
1663       dev DEVICE
1664              DEVICE specifies the device to display address-family statistics
1665              for.
1666
1667
1668   ip link help - display help
1669       TYPE specifies which link type's help to display.
1670
1671
1672   GROUP
1673       may be a number or a string from the file /etc/iproute2/group which can
1674       be manually filled.
1675
1676

EXAMPLES

1678       ip link show
1679           Shows the state of all network interfaces on the system.
1680
1681       ip link show type bridge
1682           Shows the bridge devices.
1683
1684       ip link show type vlan
1685           Shows the vlan devices.
1686
1687       ip link show master br0
1688           Shows devices enslaved by br0.
1689
1690       ip link set dev ppp0 mtu 1400
1691           Change the MTU of the ppp0 device.
1692
1693       ip link add link eth0 name eth0.10 type vlan id 10
1694           Creates a new vlan device eth0.10 on device eth0.
1695
1696       ip link delete dev eth0.10
1697           Removes vlan device.
1698
1699       ip link help gre
1700           Display help for the gre link type.
1701
1702       ip link add name tun1 type ipip remote 192.168.1.1 local 192.168.1.2
1703       ttl 225 encap gue encap-sport auto encap-dport 5555 encap-csum encap-
1704       remcsum
1705           Creates an IPIP tunnel that is encapsulated with Generic UDP
1706           Encapsulation, and the outer UDP checksum and remote checksum
1707           offload are enabled.
1708
1709       ip link set dev eth0 xdp obj prog.o
1710           Attaches an XDP/BPF program to device eth0, where the program is
1711           located in prog.o, section "prog" (default section). If an
1712           XDP/BPF program is already attached, an error is thrown.
1713
1714       ip -force link set dev eth0 xdp obj prog.o sec foo
1715           Attaches an XDP/BPF program to device eth0, where the program is
1716           located in prog.o, section "foo". If an XDP/BPF program is
1717           already attached, it will be overridden by the new one.
1718
1719       ip -force link set dev eth0 xdp pinned /sys/fs/bpf/foo
1720           Attaches an XDP/BPF program to device eth0, where the program was
1721           previously pinned as an object node into BPF file system under name
1722           foo.
1723
1724       ip link set dev eth0 xdp off
1725           If an XDP/BPF program is attached on device eth0, detach it and
1726           effectively turn off XDP for device eth0.
1727
1728       ip link add link wpan0 lowpan0 type lowpan
1729           Creates a 6LoWPAN interface named lowpan0 on the underlying IEEE
1730           802.15.4 device wpan0.
1731
1732       ip link add dev ip6erspan11 type ip6erspan seq key 102 local
1733       fc00:100::2 remote fc00:100::1 erspan_ver 2 erspan_dir ingress
1734       erspan_hwid 17
1735           Creates an IP6ERSPAN version 2 interface named ip6erspan00.
1736
1737

SEE ALSO

1739       ip(8), ip-netns(8), ethtool(8), iptables(8)
1740
1741

AUTHOR

1743       Original Manpage by Michail Litvak <mci@owl.openwall.com>
1744
1745
1746
1747iproute2                          13 Dec 2012                       IP-LINK(8)