SYSTEMD.NETDEV(5)               systemd.network              SYSTEMD.NETDEV(5)

NAME

       systemd.netdev - Virtual Network Device configuration

SYNOPSIS

       netdev.netdev

DESCRIPTION

       A plain ini-style text file that encodes configuration about a virtual
       network device, used by systemd-networkd(8). See systemd.syntax(7) for
       a general description of the syntax.

       The main Virtual Network Device file must have the extension .netdev;
       other extensions are ignored. Virtual network devices are created as
       soon as networkd is started. If a netdev with the specified name
       already exists, networkd will use that as-is rather than create its
       own. Note that the settings of the pre-existing netdev will not be
       changed by networkd.

       The .netdev files are read from the files located in the system network
       directory /usr/lib/systemd/network, the volatile runtime network
       directory /run/systemd/network and the local administration network
       directory /etc/systemd/network. All configuration files are
       collectively sorted and processed in lexical order, regardless of the
       directories in which they live. However, files with identical filenames
       replace each other. Files in /etc/ have the highest priority, files in
       /run/ take precedence over files with the same name in /usr/lib/. This
       can be used to override a system-supplied configuration file with a
       local file if needed. As a special case, an empty file (file size 0) or
       symlink with the same name pointing to /dev/null disables the
       configuration file entirely (it is "masked").

       Along with the netdev file foo.netdev, a "drop-in" directory
       foo.netdev.d/ may exist. All files with the suffix ".conf" from this
       directory will be parsed after the file itself is parsed. This is
       useful to alter or add configuration settings, without having to modify
       the main configuration file. Each drop-in file must have appropriate
       section headers.

       In addition to /etc/systemd/network, drop-in ".d" directories can be
       placed in /usr/lib/systemd/network or /run/systemd/network directories.
       Drop-in files in /etc/ take precedence over those in /run/ which in
       turn take precedence over those in /usr/lib/. Drop-in files under any
       of these directories take precedence over the main netdev file wherever
       located. (Of course, since /run/ is temporary and /usr/lib/ is for
       vendors, it is unlikely drop-ins should be used in either of those
       places.)
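
       The lookup rules above decide which file actually configures a device,
       so an audit has to resolve them before reading any settings. The
       following is an added example, not part of systemd: the function
       names and the sample tree are constructed for illustration, and
       applying drop-ins in filename order is an assumption (the text above
       only states the directory precedence).

```python
import os
import tempfile
from pathlib import Path

# Lowest to highest priority, per the directory list above.
NETWORK_DIRS = ("usr/lib/systemd/network", "run/systemd/network", "etc/systemd/network")


def is_masked(path):
    """An empty file, or a symlink resolving to /dev/null, masks the file."""
    if path.is_symlink():
        return os.path.realpath(path) == "/dev/null"
    return path.stat().st_size == 0


def resolve_netdevs(root):
    """Map each .netdev filename to the copy that wins, in processing order."""
    winners, dropins = {}, {}
    for rel in NETWORK_DIRS:                       # later directories override earlier
        directory = Path(root) / rel
        if not directory.is_dir():
            continue
        for entry in directory.iterdir():
            if entry.name.endswith(".netdev") and not entry.is_dir():
                previous = winners.get(entry.name)
                shadows = previous["shadows"] + [previous["path"]] if previous else []
                winners[entry.name] = {"path": entry, "shadows": shadows}
            elif entry.name.endswith(".netdev.d") and entry.is_dir():
                per_file = dropins.setdefault(entry.name[:-2], {})
                for conf in entry.glob("*.conf"):
                    per_file[conf.name] = conf     # same-named drop-in: higher dir wins
    result = {}
    for name in sorted(winners):                   # lexical order across all directories
        info = winners[name]
        info["masked"] = is_masked(info["path"])
        confs = dropins.get(name, {})
        # A masked file is disabled entirely, so its drop-ins are not reported.
        info["dropins"] = [] if info["masked"] else [confs[c] for c in sorted(confs)]
        result[name] = info
    return result


def build_sample_tree(root):
    """Constructed sample layout (not from the page) exercising each rule."""
    files = {
        "usr/lib/systemd/network/10-br0.netdev": "[NetDev]\nName=br0\nKind=bridge\n",
        "etc/systemd/network/10-br0.netdev": "[NetDev]\nName=br0\nKind=bridge\n",
        "usr/lib/systemd/network/20-vx.netdev": "[NetDev]\nName=vx0\nKind=vxlan\n",
        "run/systemd/network/20-vx.netdev": "",    # empty file masks the vendor copy
        "usr/lib/systemd/network/10-br0.netdev.d/50-stp.conf": "[Bridge]\nSTP=no\n",
        "etc/systemd/network/10-br0.netdev.d/50-stp.conf": "[Bridge]\nSTP=yes\n",
        "run/systemd/network/10-br0.netdev.d/10-mtu.conf": "[NetDev]\nMTUBytes=1500\n",
        "etc/systemd/network/05-notes.txt": "ignored: wrong extension\n",
    }
    for rel, text in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)
    os.symlink("/dev/null", Path(root) / "etc/systemd/network/30-wg.netdev")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for name, info in resolve_netdevs(tmp).items():
            state = "MASKED" if info["masked"] else "active"
            print(f"{name}: {state} <- {info['path'].relative_to(tmp)}")
            for old in info["shadows"]:
                print(f"    shadows {old.relative_to(tmp)}")
            for conf in info["dropins"]:
                print(f"    drop-in {conf.relative_to(tmp)}")
```

       The "shadows" entries are the ones worth reviewing: a file placed in
       /etc/ or /run/ replaces the vendor copy of the same name without any
       change to the vendor file itself.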

SUPPORTED NETDEV KINDS

       The following kinds of virtual network devices may be configured in
       .netdev files:

       Table 1. Supported kinds of virtual network devices
       ┌──────────┬────────────────────────────┐
       │Kind      │ Description                │
       ├──────────┼────────────────────────────┤
       │bond      │ A bond device is an        │
       │          │ aggregation of all its     │
       │          │ slave devices. See Linux   │
       │          │ Ethernet Bonding Driver    │
       │          │ HOWTO[1] for details.      │
       ├──────────┼────────────────────────────┤
       │bridge    │ A bridge device is a       │
       │          │ software switch, and each  │
       │          │ of its slave devices and   │
       │          │ the bridge itself are      │
       │          │ ports of the switch.       │
       ├──────────┼────────────────────────────┤
       │dummy     │ A dummy device drops all   │
       │          │ packets sent to it.        │
       ├──────────┼────────────────────────────┤
       │gre       │ A Level 3 GRE tunnel over  │
       │          │ IPv4. See RFC 2784[2] for  │
       │          │ details.                   │
       ├──────────┼────────────────────────────┤
       │gretap    │ A Level 2 GRE tunnel over  │
       │          │ IPv4.                      │
       ├──────────┼────────────────────────────┤
       │erspan    │ ERSPAN mirrors traffic on  │
       │          │ one or more source ports   │
       │          │ and delivers the mirrored  │
       │          │ traffic to one or more     │
       │          │ destination ports on       │
       │          │ another switch. The        │
       │          │ traffic is encapsulated in │
       │          │ generic routing            │
       │          │ encapsulation (GRE) and is │
       │          │ therefore routable across  │
       │          │ a layer 3 network between  │
       │          │ the source switch and the  │
       │          │ destination switch.        │
       ├──────────┼────────────────────────────┤
       │ip6gre    │ A Level 3 GRE tunnel over  │
       │          │ IPv6.                      │
       ├──────────┼────────────────────────────┤
       │ip6tnl    │ An IPv4 or IPv6 tunnel     │
       │          │ over IPv6.                 │
       ├──────────┼────────────────────────────┤
       │ip6gretap │ A Level 2 GRE tunnel over  │
       │          │ IPv6.                      │
       ├──────────┼────────────────────────────┤
       │ipip      │ An IPv4 over IPv4 tunnel.  │
       ├──────────┼────────────────────────────┤
       │ipvlan    │ An IPVLAN device is a      │
       │          │ stacked device which       │
       │          │ receives packets from its  │
       │          │ underlying device based on │
       │          │ IP address filtering.      │
       ├──────────┼────────────────────────────┤
       │ipvtap    │ An IPVTAP device is a      │
       │          │ stacked device which       │
       │          │ receives packets from its  │
       │          │ underlying device based on │
       │          │ IP address filtering and   │
       │          │ can be accessed using the  │
       │          │ tap user space interface.  │
       ├──────────┼────────────────────────────┤
       │macvlan   │ A macvlan device is a      │
       │          │ stacked device which       │
       │          │ receives packets from its  │
       │          │ underlying device based on │
       │          │ MAC address filtering.     │
       ├──────────┼────────────────────────────┤
       │macvtap   │ A macvtap device is a      │
       │          │ stacked device which       │
       │          │ receives packets from its  │
       │          │ underlying device based on │
       │          │ MAC address filtering.     │
       ├──────────┼────────────────────────────┤
       │sit       │ An IPv6 over IPv4 tunnel.  │
       ├──────────┼────────────────────────────┤
       │tap       │ A persistent Level 2       │
       │          │ tunnel between a network   │
       │          │ device and a device node.  │
       ├──────────┼────────────────────────────┤
       │tun       │ A persistent Level 3       │
       │          │ tunnel between a network   │
       │          │ device and a device node.  │
       ├──────────┼────────────────────────────┤
       │veth      │ An Ethernet tunnel between │
       │          │ a pair of network devices. │
       ├──────────┼────────────────────────────┤
       │vlan      │ A VLAN is a stacked device │
       │          │ which receives packets     │
       │          │ from its underlying device │
       │          │ based on VLAN tagging. See │
       │          │ IEEE 802.1Q[3] for         │
       │          │ details.                   │
       ├──────────┼────────────────────────────┤
       │vti       │ An IPv4 over IPSec tunnel. │
       ├──────────┼────────────────────────────┤
       │vti6      │ An IPv6 over IPSec tunnel. │
       ├──────────┼────────────────────────────┤
       │vxlan     │ A virtual extensible LAN   │
       │          │ (vxlan), for connecting    │
       │          │ Cloud computing            │
       │          │ deployments.               │
       ├──────────┼────────────────────────────┤
       │geneve    │ A GEneric NEtwork          │
       │          │ Virtualization             │
       │          │ Encapsulation (GENEVE)     │
       │          │ netdev driver.             │
       ├──────────┼────────────────────────────┤
       │l2tp      │ A Layer 2 Tunneling        │
       │          │ Protocol (L2TP) is a       │
       │          │ tunneling protocol used to │
       │          │ support virtual private    │
       │          │ networks (VPNs) or as part │
       │          │ of the delivery of         │
       │          │ services by ISPs. It does  │
       │          │ not provide any encryption │
       │          │ or confidentiality by      │
       │          │ itself.                    │
       ├──────────┼────────────────────────────┤
       │macsec    │ Media Access Control       │
       │          │ Security (MACsec) is an    │
       │          │ 802.1AE IEEE               │
       │          │ industry-standard security │
       │          │ technology that provides   │
       │          │ secure communication for   │
       │          │ all traffic on Ethernet    │
       │          │ links. MACsec provides     │
       │          │ point-to-point security on │
       │          │ Ethernet links between     │
       │          │ directly connected nodes   │
       │          │ and is capable of          │
       │          │ identifying and preventing │
       │          │ most security threats.     │
       ├──────────┼────────────────────────────┤
       │vrf       │ A Virtual Routing and      │
       │          │ Forwarding (VRF[4])        │
       │          │ interface to create        │
       │          │ separate routing and       │
       │          │ forwarding domains.        │
       ├──────────┼────────────────────────────┤
       │vcan      │ The virtual CAN driver     │
       │          │ (vcan). Similar to the     │
       │          │ network loopback devices,  │
       │          │ vcan offers a virtual      │
       │          │ local CAN interface.       │
       ├──────────┼────────────────────────────┤
       │vxcan     │ The virtual CAN tunnel     │
       │          │ driver (vxcan). Similar to │
       │          │ the virtual ethernet       │
       │          │ driver veth, vxcan         │
       │          │ implements a local CAN     │
       │          │ traffic tunnel between two │
       │          │ virtual CAN network        │
       │          │ devices. When creating a   │
       │          │ vxcan, two vxcan devices   │
       │          │ are created as a pair.     │
       │          │ When one end receives the  │
       │          │ packet it appears on its   │
       │          │ pair and vice versa. The   │
       │          │ vxcan can be used for      │
       │          │ cross namespace            │
       │          │ communication.             │
       ├──────────┼────────────────────────────┤
       │wireguard │ WireGuard Secure Network   │
       │          │ Tunnel.                    │
       ├──────────┼────────────────────────────┤
       │nlmon     │ A Netlink monitor device.  │
       │          │ Use an nlmon device when   │
       │          │ you want to monitor system │
       │          │ Netlink messages.          │
       ├──────────┼────────────────────────────┤
       │fou       │ Foo-over-UDP tunneling.    │
       ├──────────┼────────────────────────────┤
       │xfrm      │ A virtual tunnel interface │
       │          │ like vti/vti6 but with     │
       │          │ several advantages.        │
       ├──────────┼────────────────────────────┤
       │ifb       │ The Intermediate           │
       │          │ Functional Block (ifb)     │
       │          │ pseudo network interface   │
       │          │ acts as a QoS concentrator │
       │          │ for multiple different     │
       │          │ sources of traffic.        │
       ├──────────┼────────────────────────────┤
       │bareudp   │ Bare UDP tunnels provide a │
       │          │ generic L3 encapsulation   │
       │          │ support for tunnelling     │
       │          │ different L3 protocols     │
       │          │ like MPLS, IP etc. inside  │
       │          │ of an UDP tunnel.          │
       ├──────────┼────────────────────────────┤
       │batadv    │ B.A.T.M.A.N. Advanced[5]   │
       │          │ is a routing protocol for  │
       │          │ multi-hop mobile ad-hoc    │
       │          │ networks which operates on │
       │          │ layer 2.                   │
       └──────────┴────────────────────────────┘

[MATCH] SECTION OPTIONS

       A virtual network device is only created if the [Match] section matches
       the current environment, or if the section is empty. The following keys
       are accepted:

       Host=
           Matches against the hostname or machine ID of the host. See
           "ConditionHost=" in systemd.unit(5) for details. When prefixed with
           an exclamation mark ("!"), the result is negated. If an empty
           string is assigned, then the previously assigned value is cleared.

       Virtualization=
           Checks whether the system is executed in a virtualized environment
           and optionally tests whether it is a specific implementation. See
           "ConditionVirtualization=" in systemd.unit(5) for details. When
           prefixed with an exclamation mark ("!"), the result is negated. If
           an empty string is assigned, then the previously assigned value is
           cleared.

       KernelCommandLine=
           Checks whether a specific kernel command line option is set. See
           "ConditionKernelCommandLine=" in systemd.unit(5) for details. When
           prefixed with an exclamation mark ("!"), the result is negated. If
           an empty string is assigned, then the previously assigned value is
           cleared.

       KernelVersion=
           Checks whether the kernel version (as reported by uname -r) matches
           a certain expression. See "ConditionKernelVersion=" in
           systemd.unit(5) for details. When prefixed with an exclamation mark
           ("!"), the result is negated. If an empty string is assigned, then
           the previously assigned value is cleared.

       Architecture=
           Checks whether the system is running on a specific architecture.
           See "ConditionArchitecture=" in systemd.unit(5) for details. When
           prefixed with an exclamation mark ("!"), the result is negated. If
           an empty string is assigned, then the previously assigned value is
           cleared.

[NETDEV] SECTION OPTIONS

       The [NetDev] section accepts the following keys:

       Description=
           A free-form description of the netdev.

       Name=
           The interface name used when creating the netdev. This setting is
           compulsory.

       Kind=
           The netdev kind. This setting is compulsory. See the "Supported
           netdev kinds" section for the valid keys.

       MTUBytes=
           The maximum transmission unit in bytes to set for the device. The
           usual suffixes K, M, G are supported and are understood to the base
           of 1024. For "tun" or "tap" devices, the MTUBytes= setting is not
           currently supported in the [NetDev] section. Please specify it in
           the [Link] section of the corresponding systemd.network(5) files.

       MACAddress=
           The MAC address to use for the device. For "tun" or "tap" devices,
           setting MACAddress= in the [NetDev] section is not supported.
           Please specify it in the [Link] section of the corresponding
           systemd.network(5) file. If this option is not set, "vlan" devices
           inherit the MAC address of the physical interface. For other kinds
           of netdevs, if this option is not set, then the MAC address is
           generated based on the interface name and the machine-id(5).

[BRIDGE] SECTION OPTIONS

       The [Bridge] section only applies for netdevs of kind "bridge", and
       accepts the following keys:

       HelloTimeSec=
           HelloTimeSec specifies the number of seconds between two hello
           packets sent out by the root bridge and the designated bridges.
           Hello packets are used to communicate information about the
           topology throughout the entire bridged local area network.

       MaxAgeSec=
           MaxAgeSec specifies the number of seconds of maximum message age.
           If the last seen (received) hello packet is more than this number
           of seconds old, the bridge in question will start the takeover
           procedure in an attempt to become the Root Bridge itself.

       ForwardDelaySec=
           ForwardDelaySec specifies the number of seconds spent in each of
           the Listening and Learning states before the Forwarding state is
           entered.

       AgeingTimeSec=
           This specifies the number of seconds a MAC address will be kept in
           the forwarding database after a packet has been received from this
           MAC address.

       Priority=
           The priority of the bridge. An integer between 0 and 65535. A lower
           value means higher priority. The bridge having the lowest priority
           will be elected as root bridge.

       GroupForwardMask=
           A 16-bit bitmask represented as an integer which allows forwarding
           of link local frames with 802.1D reserved addresses
           (01:80:C2:00:00:0X). A logical AND is performed between the
           specified bitmask and 2^X, where X is the lower nibble of the last
           octet of the MAC address. For example, a value of 8 would allow
           forwarding of frames addressed to 01:80:C2:00:00:03 (802.1X PAE).

       DefaultPVID=
           This specifies the default port VLAN ID of a newly attached bridge
           port. Set this to an integer in the range 1–4094 or "none" to
           disable the PVID.

       MulticastQuerier=
           Takes a boolean. This setting controls the IFLA_BR_MCAST_QUERIER
           option in the kernel. If enabled, the kernel will send general ICMP
           queries from a zero source address. This feature should allow
           faster convergence on startup, but it causes some multicast-aware
           switches to misbehave and disrupt forwarding of multicast packets.
           When unset, the kernel's default will be used.

       MulticastSnooping=
           Takes a boolean. This setting controls the IFLA_BR_MCAST_SNOOPING
           option in the kernel. If enabled, IGMP snooping monitors the
           Internet Group Management Protocol (IGMP) traffic between hosts and
           multicast routers. When unset, the kernel's default will be used.

       VLANFiltering=
           Takes a boolean. This setting controls the IFLA_BR_VLAN_FILTERING
           option in the kernel. If enabled, the bridge will be started in
           VLAN-filtering mode. When unset, the kernel's default will be used.

       VLANProtocol=
           Allows setting the protocol used for VLAN filtering. Takes "802.1q"
           or "802.1ad". Defaults to unset, in which case the kernel's default
           is used.

       STP=
           Takes a boolean. This enables the bridge's Spanning Tree Protocol
           (STP). When unset, the kernel's default will be used.

       MulticastIGMPVersion=
           Allows changing the bridge's multicast Internet Group Management
           Protocol (IGMP) version. Takes an integer 2 or 3. When unset, the
           kernel's default will be used.

[VLAN] SECTION OPTIONS

       The [VLAN] section only applies for netdevs of kind "vlan", and accepts
       the following keys:

       Id=
           The VLAN ID to use. An integer in the range 0–4094. This setting is
           compulsory.

       Protocol=
           Allows setting the protocol used for the VLAN interface. Takes
           "802.1q" or "802.1ad". Defaults to unset, in which case the
           kernel's default is used.

       GVRP=
           Takes a boolean. The Generic VLAN Registration Protocol (GVRP) is a
           protocol that allows automatic learning of VLANs on a network. When
           unset, the kernel's default will be used.

       MVRP=
           Takes a boolean. Multiple VLAN Registration Protocol (MVRP),
           formerly known as GARP VLAN Registration Protocol (GVRP), is a
           standards-based Layer 2 network protocol for automatic
           configuration of VLAN information on switches. It was defined in
           the 802.1ak amendment to 802.1Q-2005. When unset, the kernel's
           default will be used.

       LooseBinding=
           Takes a boolean. The VLAN loose binding mode, in which only the
           operational state is passed from the parent to the associated
           VLANs, but the VLAN device state is not changed. When unset, the
           kernel's default will be used.

       ReorderHeader=
           Takes a boolean. When enabled, the VLAN reorder header is used and
           VLAN interfaces behave like physical interfaces. When unset, the
           kernel's default will be used.

       EgressQOSMaps=
           Defines a mapping of Linux internal packet priority (SO_PRIORITY)
           to VLAN header PCP field for outgoing frames. Takes a
           whitespace-separated list of unsigned integer pairs in the format
           "from"-"to", e.g., "21-7 45-5", with values in the range
           1–4294967294. Note that "from" must be greater than or equal to
           "to". When unset, the kernel's default will be used.

       IngressQOSMaps=
           Defines a mapping of Linux internal packet priority (SO_PRIORITY)
           to VLAN header PCP field for incoming frames. Takes a
           whitespace-separated list of unsigned integer pairs in the format
           "from"-"to", e.g., "21-7 45-5", with values in the range
           1–4294967294. Note that "from" must be greater than or equal to
           "to". When unset, the kernel's default will be used.

[MACVLAN] SECTION OPTIONS

       The [MACVLAN] section only applies for netdevs of kind "macvlan", and
       accepts the following keys:

       Mode=
           The MACVLAN mode to use. The supported options are "private",
           "vepa", "bridge", "passthru", and "source".

       SourceMACAddress=
           A whitespace-separated list of remote hardware addresses allowed on
           the MACVLAN. This option only has an effect in source mode. Use
           full colon-, hyphen- or dot-delimited hexadecimal. This option may
           appear more than once, in which case the lists are merged. If the
           empty string is assigned to this option, the list of hardware
           addresses defined prior to this is reset. Defaults to unset.

       BroadcastMulticastQueueLength=
           Specifies the length of the receive queue for broadcast/multicast
           packets. An unsigned integer in the range 0...4294967294. Defaults
           to unset.

[MACVTAP] SECTION OPTIONS

       The [MACVTAP] section applies for netdevs of kind "macvtap" and accepts
       the same keys as [MACVLAN].

[IPVLAN] SECTION OPTIONS

       The [IPVLAN] section only applies for netdevs of kind "ipvlan", and
       accepts the following keys:

       Mode=
           The IPVLAN mode to use. The supported options are "L2", "L3" and
           "L3S".

       Flags=
           The IPVLAN flags to use. The supported options are "bridge",
           "private" and "vepa".

[IPVTAP] SECTION OPTIONS

       The [IPVTAP] section only applies for netdevs of kind "ipvtap" and
       accepts the same keys as [IPVLAN].

[VXLAN] SECTION OPTIONS

       The [VXLAN] section only applies for netdevs of kind "vxlan", and
       accepts the following keys:

       VNI=
           The VXLAN Network Identifier (or VXLAN Segment ID). Takes a number
           in the range 1...16777215.

       Remote=
           Configures the destination IP address.

       Local=
           Configures the local IP address.

       Group=
           Configures the VXLAN multicast group IP address. All members of a
           VXLAN must use the same multicast group address.

       TOS=
           The Type Of Service byte value for a vxlan interface.

       TTL=
           A fixed Time To Live N on Virtual eXtensible Local Area Network
           packets. Takes "inherit" or a number in the range 0–255. 0 is a
           special value meaning inherit the inner protocol's TTL value.
           "inherit" means that it will inherit the outer protocol's TTL
           value.

       MacLearning=
           Takes a boolean. When true, enables dynamic MAC learning to
           discover remote MAC addresses.

       FDBAgeingSec=
           The lifetime of a Forwarding Database entry learnt by the kernel,
           in seconds.

       MaximumFDBEntries=
           Configures the maximum number of FDB entries.

       ReduceARPProxy=
           Takes a boolean. When true, a bridge-connected VXLAN tunnel
           endpoint answers ARP requests from the local bridge on behalf of
           remote Distributed Overlay Virtual Ethernet (DOVE)[6] clients.
           Defaults to false.

       L2MissNotification=
           Takes a boolean. When true, enables netlink LLADDR miss
           notifications.

       L3MissNotification=
           Takes a boolean. When true, enables netlink IP address miss
           notifications.

       RouteShortCircuit=
           Takes a boolean. When true, route short circuiting is turned on.

       UDPChecksum=
           Takes a boolean. When true, transmitting UDP checksums when doing
           VXLAN/IPv4 is turned on.

       UDP6ZeroChecksumTx=
           Takes a boolean. When true, sending zero checksums in VXLAN/IPv6 is
           turned on.

       UDP6ZeroChecksumRx=
           Takes a boolean. When true, receiving zero checksums in VXLAN/IPv6
           is turned on.

       RemoteChecksumTx=
           Takes a boolean. When true, remote transmit checksum offload of
           VXLAN is turned on.

       RemoteChecksumRx=
           Takes a boolean. When true, remote receive checksum offload in
           VXLAN is turned on.

       GroupPolicyExtension=
           Takes a boolean. When true, it enables the Group Policy VXLAN
           extension security label mechanism across network peers based on
           VXLAN. For details about the Group Policy VXLAN, see the VXLAN
           Group Policy[7] document. Defaults to false.

       GenericProtocolExtension=
           Takes a boolean. When true, Generic Protocol Extension extends the
           existing VXLAN protocol to provide protocol typing, OAM, and
           versioning capabilities. For details about the VXLAN GPE Header,
           see the Generic Protocol Extension for VXLAN[8] document. If the
           destination port is not specified and Generic Protocol Extension is
           set, then the default port of 4790 is used. Defaults to false.

       DestinationPort=
           Configures the default destination UDP port. If the destination
           port is not specified then the Linux kernel default will be used.
           Set to 4789 to get the IANA assigned value.

       PortRange=
           Configures the source port range for the VXLAN. The kernel assigns
           the source UDP port based on the flow to help the receiver to do
           load balancing. When this option is not set, the normal range of
           local UDP ports is used.

       FlowLabel=
           Specifies the flow label to use in outgoing packets. The valid
           range is 0-1048575.

       IPDoNotFragment=
           Allows setting the IPv4 Do not Fragment (DF) bit in outgoing
           packets, or to inherit its value from the IPv4 inner header. Takes
           a boolean value, or "inherit". Set to "inherit" if the encapsulated
           protocol is IPv6. When unset, the kernel's default will be used.

[GENEVE] SECTION OPTIONS

       The [GENEVE] section only applies for netdevs of kind "geneve", and
       accepts the following keys:

       Id=
           Specifies the Virtual Network Identifier (VNI) to use, a number
           between 0 and 16777215. This field is mandatory.

       Remote=
           Specifies the unicast destination IP address to use in outgoing
           packets.

       TOS=
           Specifies the TOS value to use in outgoing packets. Takes a number
           between 1 and 255.

       TTL=
           Accepts the same values as in the [VXLAN] section, except that when
           unset or set to 0, the kernel's default will be used, meaning that
           packet TTL will be set from /proc/sys/net/ipv4/ip_default_ttl.

       UDPChecksum=
           Takes a boolean. When true, specifies that UDP checksum is
           calculated for transmitted packets over IPv4.

       UDP6ZeroChecksumTx=
           Takes a boolean. When true, skip UDP checksum calculation for
           transmitted packets over IPv6.

       UDP6ZeroChecksumRx=
           Takes a boolean. When true, allows incoming UDP packets over IPv6
           with zero checksum field.

       DestinationPort=
           Specifies the destination port. Defaults to 6081. If not set or
           assigned the empty string, the default port of 6081 is used.

       FlowLabel=
           Specifies the flow label to use in outgoing packets.

       IPDoNotFragment=
           Accepts the same values as in the [VXLAN] section.

       Independent=
           Takes a boolean. When true, the vxlan interface is created without
           any underlying network interface. Defaults to false, which means
           that a .network file that requests this tunnel using Tunnel= is
           required for the tunnel to be created.

[BAREUDP] SECTION OPTIONS

       The [BareUDP] section only applies for netdevs of kind "bareudp", and
       accepts the following keys:

       DestinationPort=
           Specifies the destination UDP port (in range 1...65535). This is
           mandatory.

       EtherType=
           Specifies the L3 protocol. Takes one of "ipv4", "ipv6", "mpls-uc"
           or "mpls-mc". This is mandatory.

[L2TP] SECTION OPTIONS

       The [L2TP] section only applies for netdevs of kind "l2tp", and accepts
       the following keys:

       TunnelId=
           Specifies the tunnel identifier. Takes a number in the range
           1–4294967295. The value used must match the "PeerTunnelId=" value
           being used at the peer. This setting is compulsory.

       PeerTunnelId=
           Specifies the peer tunnel id. Takes a number in the range
           1...4294967295. The value used must match the "TunnelId=" value
           being used at the peer. This setting is compulsory.

       Remote=
           Specifies the IP address of the remote peer. This setting is
           compulsory.

       Local=
           Specifies the IP address of the local interface. Takes an IP
           address, or the special values "auto", "static", or "dynamic". When
           an address is set, then the local interface must have the address.
           If "auto", then one of the addresses on the local interface is
           used. Similarly, if "static" or "dynamic" is set, then one of the
           static or dynamic addresses on the local interface is used.
           Defaults to "auto".

       EncapsulationType=
           Specifies the encapsulation type of the tunnel. Takes one of "udp"
           or "ip".

       UDPSourcePort=
           Specifies the UDP source port to be used for the tunnel. This is
           mandatory when UDP encapsulation is selected, and ignored when IP
           encapsulation is selected.

       UDPDestinationPort=
           Specifies the destination port. This is mandatory when UDP
           encapsulation is selected, and ignored when IP encapsulation is
           selected.

       UDPChecksum=
           Takes a boolean. When true, specifies that UDP checksum is
           calculated for transmitted packets over IPv4.

       UDP6ZeroChecksumTx=
           Takes a boolean. When true, skip UDP checksum calculation for
           transmitted packets over IPv6.

       UDP6ZeroChecksumRx=
           Takes a boolean. When true, allows incoming UDP packets over IPv6
           with zero checksum field.

[L2TPSESSION] SECTION OPTIONS

       The [L2TPSession] section only applies for netdevs of kind "l2tp", and
       accepts the following keys:

       Name=
           Specifies the name of the session. This setting is compulsory.

       SessionId=
           Specifies the session identifier. Takes a number in the range
           1–4294967295. The value used must match the "SessionId=" value
           being used at the peer. This setting is compulsory.

       PeerSessionId=
           Specifies the peer session identifier. Takes a number in the range
           1–4294967295. The value used must match the "PeerSessionId=" value
           being used at the peer. This setting is compulsory.

       Layer2SpecificHeader=
           Specifies the layer2specific header type of the session. One of
           "none" or "default". Defaults to "default".

[MACSEC] SECTION OPTIONS

       The [MACsec] section only applies for network devices of kind "macsec",
       and accepts the following keys:

       Port=
           Specifies the port to be used for the MACsec transmit channel. The
           port is used to make the secure channel identifier (SCI). Takes a
           value between 1 and 65535. Defaults to unset.

       Encrypt=
           Takes a boolean. When true, enable encryption. Defaults to unset.

[MACSECRECEIVECHANNEL] SECTION OPTIONS

       The [MACsecReceiveChannel] section only applies for network devices of
       kind "macsec", and accepts the following keys:

       Port=
           Specifies the port to be used for the MACsec receive channel. The
           port is used to make the secure channel identifier (SCI). Takes a
           value between 1 and 65535. This option is compulsory, and is not
           set by default.

       MACAddress=
           Specifies the MAC address to be used for the MACsec receive
           channel. The MAC address is used to make the secure channel
           identifier (SCI). This setting is compulsory, and is not set by
           default.

[MACSECTRANSMITASSOCIATION] SECTION OPTIONS

       The [MACsecTransmitAssociation] section only applies for network
       devices of kind "macsec", and accepts the following keys:

       PacketNumber=
           Specifies the packet number to be used for replay protection and
           the construction of the initialization vector (along with the
           secure channel identifier [SCI]). Takes a value in the range
           1–4294967295. Defaults to unset.

       KeyId=
           Specifies the identification for the key. Takes a number in the
           range 0–255. This option is compulsory, and is not set by default.

       Key=
           Specifies the encryption key used in the transmission channel. The
           same key must be configured on the peer’s matching receive channel.
           This setting is compulsory, and is not set by default. Takes a
           128-bit key encoded in a hexadecimal string, for example
           "dffafc8d7b9a43d5b9a3dfbbf6a30c16".

       KeyFile=
           Takes an absolute path to a file which contains a 128-bit key
           encoded in a hexadecimal string, which will be used in the
           transmission channel. When this option is specified, Key= is
           ignored. Note that the file must be readable by the user
           "systemd-network", so it should be, e.g., owned by
           "root:systemd-network" with a "0640" file mode. If the path refers
           to an AF_UNIX stream socket in the file system, a connection is
           made to it and the key is read from it.

       Activate=
           Takes a boolean. If enabled, then the security association is
           activated. Defaults to unset.

       UseForEncoding=
           Takes a boolean. If enabled, then the security association is used
           for encoding. Only one [MACsecTransmitAssociation] section can
           enable this option. When enabled, Activate=yes is implied. Defaults
           to unset.

[MACSECRECEIVEASSOCIATION] SECTION OPTIONS

       The [MACsecReceiveAssociation] section only applies for network devices
       of kind "macsec", and accepts the following keys:

       Port=
           Accepts the same key as in the [MACsecReceiveChannel] section.

       MACAddress=
           Accepts the same key as in the [MACsecReceiveChannel] section.

       PacketNumber=
           Accepts the same key as in the [MACsecTransmitAssociation] section.

       KeyId=
           Accepts the same key as in the [MACsecTransmitAssociation] section.

       Key=
           Accepts the same key as in the [MACsecTransmitAssociation] section.

       KeyFile=
           Accepts the same key as in the [MACsecTransmitAssociation] section.

       Activate=
           Accepts the same key as in the [MACsecTransmitAssociation] section.

[TUNNEL] SECTION OPTIONS

       The [Tunnel] section only applies for netdevs of kind "ipip", "sit",
       "gre", "gretap", "ip6gre", "ip6gretap", "vti", "vti6", "ip6tnl", and
       "erspan" and accepts the following keys:

       Local=
           A static local address for tunneled packets. It must be an address
           on another interface of this host, or the special value "any".

       Remote=
           The remote endpoint of the tunnel. Takes an IP address or the
           special value "any".

       TOS=
           The Type Of Service byte value for a tunnel interface. For details
           about the TOS, see the Type of Service in the Internet Protocol
           Suite[9] document.

       TTL=
           A fixed Time To Live N on tunneled packets. N is a number in the
           range 1–255. 0 is a special value meaning that packets inherit the
           TTL value. The default value for IPv4 tunnels is 0 (inherit). The
           default value for IPv6 tunnels is 64.

       DiscoverPathMTU=
           Takes a boolean. When true, enables Path MTU Discovery on the
           tunnel.

       IPv6FlowLabel=
           Configures the 20-bit flow label (see RFC 6437[10]) field in the
           IPv6 header (see RFC 2460[11]), which is used by a node to label
           packets of a flow. It is only used for IPv6 tunnels. A flow label
           of zero is used to indicate packets that have not been labeled. It
           can be configured to a value in the range 0–0xFFFFF, or be set to
           "inherit", in which case the original flowlabel is used.

       CopyDSCP=
           Takes a boolean. When true, the Differentiated Service Code Point
           (DSCP) field will be copied to the inner header from the outer
           header during the decapsulation of an IPv6 tunnel packet. DSCP is
           a field in an IP packet that enables different levels of service
           to be assigned to network traffic. Defaults to "no".

       EncapsulationLimit=
           The Tunnel Encapsulation Limit option specifies how many additional
           levels of encapsulation are permitted to be prepended to the
           packet. For example, a Tunnel Encapsulation Limit option containing
           a limit value of zero means that a packet carrying that option may
           not enter another tunnel before exiting the current tunnel (see
           RFC 2473[12]). The valid range is 0–255 and "none". Defaults to 4.

       Key=
           The Key= parameter specifies the same key to use in both directions
           (InputKey= and OutputKey=). The Key= is either a number or an IPv4
           address-like dotted quad. It is used as a mark-configured SAD/SPD
           entry as part of the lookup key (both in data and control path) in
           IP XFRM (framework used to implement IPsec protocol). See ip-xfrm —
           transform configuration[13] for details. It is only used for
           VTI/VTI6, GRE, GRETAP, and ERSPAN tunnels.

       InputKey=
           The InputKey= parameter specifies the key to use for input. The
           format is the same as Key=. It is only used for VTI/VTI6, GRE,
           GRETAP, and ERSPAN tunnels.

       OutputKey=
           The OutputKey= parameter specifies the key to use for output. The
           format is the same as Key=. It is only used for VTI/VTI6, GRE,
           GRETAP, and ERSPAN tunnels.

       Mode=
           An "ip6tnl" tunnel can be in one of three modes: "ip6ip6" for IPv6
           over IPv6, "ipip6" for IPv4 over IPv6 or "any" for either.

       Independent=
           Takes a boolean. When false (the default), the tunnel is always
           created over some network device, and a .network file that requests
           this tunnel using Tunnel= is required for the tunnel to be created.
           When true, the tunnel is created independently of any network as
           "tunnel@NONE".

       AssignToLoopback=
           Takes a boolean. If set to "yes", the loopback interface "lo" is
           used as the underlying device of the tunnel interface. Defaults to
           "no".

       AllowLocalRemote=
           Takes a boolean. When true, allows tunnel traffic on ip6tnl devices
           where the remote endpoint is a local host address. When unset, the
           kernel's default will be used.

       FooOverUDP=
           Takes a boolean. Specifies whether FooOverUDP= tunnel is to be
           configured. Defaults to false. This takes effect only for IPIP,
           SIT, GRE, and GRETAP tunnels. For more detailed information, see
           Foo over UDP[14].

       FOUDestinationPort=
           This setting specifies the UDP destination port for encapsulation.
           This field is mandatory when FooOverUDP=yes, and is not set by
           default.

       FOUSourcePort=
           This setting specifies the UDP source port for encapsulation.
           Defaults to 0 — that is, the source port for packets is left to the
           network stack to decide.

       Encapsulation=
           Accepts the same key as in the [FooOverUDP] section.

       IPv6RapidDeploymentPrefix=
           Reconfigure the tunnel for IPv6 Rapid Deployment[15], also known as
           6rd. The value is an ISP-specific IPv6 prefix with a non-zero
           length. Only applicable to SIT tunnels.

       ISATAP=
           Takes a boolean. If set, configures the tunnel as Intra-Site
           Automatic Tunnel Addressing Protocol (ISATAP) tunnel. Only
           applicable to SIT tunnels. When unset, the kernel's default will be
           used.

       SerializeTunneledPackets=
           Takes a boolean. If set to yes, then packets are serialized. Only
           applies for GRE, GRETAP, and ERSPAN tunnels. When unset, the
           kernel's default will be used.

       ERSPANIndex=
           Specifies the ERSPAN index field for the interface, an integer in
           the range 1–1048575 associated with the ERSPAN traffic's source
           port and direction. This field is mandatory.

[FOOOVERUDP] SECTION OPTIONS

       The [FooOverUDP] section only applies for netdevs of kind "fou" and
       accepts the following keys:

       Encapsulation=
           Specifies the encapsulation mechanism used to store networking
           packets of various protocols inside the UDP packets. Supports the
           following values: "FooOverUDP" provides the simplest no-frills
           model of UDP encapsulation; it simply encapsulates packets directly
           in the UDP payload. "GenericUDPEncapsulation" is a generic and
           extensible encapsulation; it allows encapsulation of packets for
           any IP protocol and optional data as part of the encapsulation. For
           more detailed information see Generic UDP Encapsulation[16].
           Defaults to "FooOverUDP".

       Port=
           Specifies the port number where the encapsulated packets will
           arrive. Those packets will be removed and manually fed back into
           the network stack with the encapsulation removed to be sent to the
           real destination. This option is mandatory.

       PeerPort=
           Specifies the peer port number. Defaults to unset. Note that when
           the peer port is set, the "Peer=" address is mandatory.

       Protocol=
           The Protocol= specifies the protocol number of the packets arriving
           at the UDP port. When Encapsulation=FooOverUDP, this field is
           mandatory and is not set by default. Takes an IP protocol name such
           as "gre" or "ipip", or an integer within the range 1–255. When
           Encapsulation=GenericUDPEncapsulation, this must not be specified.

       Peer=
           Configures the peer IP address. Note that when the peer address is
           set, "PeerPort=" is mandatory.

       Local=
           Configures the local IP address.

[PEER] SECTION OPTIONS

       The [Peer] section only applies for netdevs of kind "veth" and accepts
       the following keys:

       Name=
           The interface name used when creating the netdev. This setting is
           compulsory.

       MACAddress=
           The peer MAC address. If not set, it is generated in the same way
           as the MAC address of the main interface.

[VXCAN] SECTION OPTIONS

       The [VXCAN] section only applies for netdevs of kind "vxcan" and
       accepts the following key:

       Peer=
           The peer interface name used when creating the netdev. This setting
           is compulsory.

[TUN] SECTION OPTIONS

       The [Tun] section only applies for netdevs of kind "tun", and accepts
       the following keys:

       MultiQueue=
           Takes a boolean. Configures whether to use multiple file
           descriptors (queues) to parallelize packet sending and receiving.
           Defaults to "no".

       PacketInfo=
           Takes a boolean. Configures whether packets should be prepended
           with four extra bytes (two flag bytes and two protocol bytes). If
           disabled, it indicates that the packets will be pure IP packets.
           Defaults to "no".

       VNetHeader=
           Takes a boolean. Configures IFF_VNET_HDR flag for a tun or tap
           device. It allows sending and receiving larger Generic Segmentation
           Offload (GSO) packets. This may increase throughput significantly.
           Defaults to "no".

       User=
           User to grant access to the /dev/net/tun device.

       Group=
           Group to grant access to the /dev/net/tun device.

[TAP] SECTION OPTIONS

       The [Tap] section only applies for netdevs of kind "tap", and accepts
       the same keys as the [Tun] section.

[WIREGUARD] SECTION OPTIONS

       The [WireGuard] section accepts the following keys:

       PrivateKey=
           The Base64 encoded private key for the interface. It can be
           generated using the wg genkey command (see wg(8)). This option or
           PrivateKeyFile= is mandatory to use WireGuard. Note that because
           this information is secret, you may want to set the permissions of
           the .netdev file to be owned by "root:systemd-network" with a
           "0640" file mode.

       PrivateKeyFile=
           Takes an absolute path to a file which contains the Base64 encoded
           private key for the interface. When this option is specified, then
           PrivateKey= is ignored. Note that the file must be readable by the
           user "systemd-network", so it should be, e.g., owned by
           "root:systemd-network" with a "0640" file mode. If the path refers
           to an AF_UNIX stream socket in the file system, a connection is
           made to it and the key is read from it.

       ListenPort=
           Sets UDP port for listening. Takes either a value between 1 and
           65535 or "auto". If "auto" is specified, the port is automatically
           generated based on interface name. Defaults to "auto".

       FirewallMark=
           Sets a firewall mark on outgoing WireGuard packets from this
           interface. Takes a number between 1 and 4294967295.

[WIREGUARDPEER] SECTION OPTIONS

       The [WireGuardPeer] section accepts the following keys:

       PublicKey=
           Sets a Base64 encoded public key calculated by wg pubkey (see
           wg(8)) from a private key, and usually transmitted out of band to
           the author of the configuration file. This option is mandatory for
           this section.

       PresharedKey=
           Optional preshared key for the interface. It can be generated by
           the wg genpsk command. This option adds an additional layer of
           symmetric-key cryptography to be mixed into the already existing
           public-key cryptography, for post-quantum resistance. Note that
           because this information is secret, you may want to set the
           permissions of the .netdev file to be owned by
           "root:systemd-network" with a "0640" file mode.

       PresharedKeyFile=
           Takes an absolute path to a file which contains the Base64 encoded
           preshared key for the peer. When this option is specified, then
           PresharedKey= is ignored. Note that the file must be readable by
           the user "systemd-network", so it should be, e.g., owned by
           "root:systemd-network" with a "0640" file mode. If the path refers
           to an AF_UNIX stream socket in the file system, a connection is
           made to it and the key is read from it.

       AllowedIPs=
           Sets a comma-separated list of IP (v4 or v6) addresses with CIDR
           masks from which this peer is allowed to send incoming traffic and
           to which outgoing traffic for this peer is directed.

           The catch-all 0.0.0.0/0 may be specified for matching all IPv4
           addresses, and ::/0 may be specified for matching all IPv6
           addresses.

           Note that this only affects "routing inside the network interface
           itself", as in, which wireguard peer packets with a specific
           destination address are sent to, and what source addresses are
           accepted from which peer.

           To cause packets to be sent via wireguard in the first place, a
           route needs to be added as well, either in the "[Routes]" section
           on the ".network" matching the wireguard interface, or outside of
           networkd.

       Endpoint=
           Sets an endpoint IP address or hostname, followed by a colon, and
           then a port number. This endpoint will be updated automatically
           once to the most recent source IP address and port of correctly
           authenticated packets from the peer at configuration time.

       PersistentKeepalive=
           Sets a seconds interval, between 1 and 65535 inclusive, of how
           often to send an authenticated empty packet to the peer for the
           purpose of keeping a stateful firewall or NAT mapping valid
           persistently. For example, if the interface very rarely sends
           traffic, but it might at any time receive traffic from a peer, and
           it is behind NAT, the interface might benefit from having a
           persistent keepalive interval of 25 seconds. If set to 0 or "off",
           this option is disabled. By default or when unspecified, this
           option is off. Most users will not need this.
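
       The key-handling notes for Key=/KeyFile= in the MACsec association
       sections and for PrivateKey=, PresharedKey= and their *File= variants
       above can be checked mechanically. The Python script below is an added
       example, not part of systemd: its function names, finding codes and
       sample files are constructed for illustration, it treats "0640" as the
       most permissive acceptable mode, and it does not check file ownership.

```python
"""Audit .netdev files for exposed WireGuard/MACsec key material (added example)."""
import os
import re
import stat
import tempfile

# Section -> inline secret key; the file-based variant is the same name + "File".
SECRET_KEY = {
    "WireGuard": "PrivateKey",
    "WireGuardPeer": "PresharedKey",
    "MACsecTransmitAssociation": "Key",
    "MACsecReceiveAssociation": "Key",
}
MAX_MODE = 0o640  # file mode the man page suggests for key-bearing files
HEX_128 = re.compile(r"[0-9A-Fa-f]{32}")  # 128-bit key as a hexadecimal string
TRUE_VALUES = {"1", "yes", "y", "true", "t", "on"}  # systemd boolean spellings


def parse_netdev(text):
    """Return [(section, {key: value})], keeping repeated sections separate."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, _, value = line.partition("=")
            sections[-1][1][key.strip()] = value.strip()
    return sections


def extra_bits(path):
    """Permission bits set on path beyond MAX_MODE (0 means acceptable)."""
    return stat.S_IMODE(os.stat(path).st_mode) & ~MAX_MODE


def audit(path):
    """Return a sorted list of (code, detail) findings for one .netdev file."""
    with open(path, encoding="utf-8") as fh:
        sections = parse_netdev(fh.read())
    findings = set()
    encoders = 0
    for name, keys in sections:
        if name == "MACsecTransmitAssociation":
            encoders += keys.get("UseForEncoding", "").lower() in TRUE_VALUES
        secret = SECRET_KEY.get(name)
        if secret is None:
            continue
        inline, keyfile = keys.get(secret), keys.get(secret + "File")
        if inline and extra_bits(path):
            # The secret sits in a readable file even when *File= overrides it.
            findings.add(("inline-secret-exposed", f"[{name}] {secret}="))
        if inline and not keyfile and secret == "Key" and not HEX_128.fullmatch(inline):
            findings.add(("macsec-key-format", f"[{name}] Key= is not 32 hex digits"))
        if keyfile:
            if not os.path.isabs(keyfile):
                findings.add(("keyfile-not-absolute", keyfile))
            elif not os.path.exists(keyfile):
                findings.add(("keyfile-missing", keyfile))
            elif not stat.S_ISSOCK(os.stat(keyfile).st_mode) and extra_bits(keyfile):
                # AF_UNIX sockets are skipped: the key is served over a connection.
                findings.add(("keyfile-too-permissive", keyfile))
    if encoders > 1:
        findings.add(("multiple-use-for-encoding", f"{encoders} transmit associations"))
    return sorted(findings)


def write(path, text, mode):
    """Create a constructed sample file with an explicit permission mode."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


def demo():
    """Audit two constructed .netdev files; all key values are placeholders."""
    with tempfile.TemporaryDirectory() as tmp:
        keyfile = write(os.path.join(tmp, "wg0.key"), "A" * 43 + "=\n", 0o644)
        wg = write(os.path.join(tmp, "50-wg0.netdev"),
                   "[NetDev]\nName=wg0\nKind=wireguard\n"
                   f"[WireGuard]\nPrivateKeyFile={keyfile}\n"
                   "[WireGuardPeer]\nPresharedKey=" + "B" * 43 + "=\n", 0o644)
        macsec = write(os.path.join(tmp, "50-macsec0.netdev"),
                       "[NetDev]\nName=macsec0\nKind=macsec\n"
                       "[MACsecTransmitAssociation]\nKeyId=1\n"
                       "Key=" + "0" * 32 + "\nUseForEncoding=yes\n"
                       "[MACsecTransmitAssociation]\nKeyId=2\n"
                       "Key=1234\nUseForEncoding=yes\n", 0o640)
        return audit(wg), audit(macsec)


if __name__ == "__main__":
    for report in demo():
        for code, detail in report:
            print(f"{code}: {detail}")
```

       Run against /etc/systemd/network/*.netdev, audit() returns an empty
       list for a file that passes every check.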

[BOND] SECTION OPTIONS

       The [Bond] section accepts the following keys:

       Mode=
           Specifies one of the bonding policies. The default is "balance-rr"
           (round robin). Possible values are "balance-rr", "active-backup",
           "balance-xor", "broadcast", "802.3ad", "balance-tlb", and
           "balance-alb".

       TransmitHashPolicy=
           Selects the transmit hash policy to use for slave selection in
           balance-xor, 802.3ad, and tlb modes. Possible values are "layer2",
           "layer3+4", "layer2+3", "encap2+3", and "encap3+4".

       LACPTransmitRate=
           Specifies the rate with which link partner transmits Link
           Aggregation Control Protocol Data Unit packets in 802.3ad mode.
           Possible values are "slow", which requests partner to transmit
           LACPDUs every 30 seconds, and "fast", which requests partner to
           transmit LACPDUs every second. The default value is "slow".

       MIIMonitorSec=
           Specifies the frequency that Media Independent Interface link
           monitoring will occur. A value of zero disables MII link
           monitoring. This value is rounded down to the nearest millisecond.
           The default value is 0.

       UpDelaySec=
           Specifies the delay before a link is enabled after a link up status
           has been detected. This value is rounded down to a multiple of
           MIIMonitorSec. The default value is 0.

       DownDelaySec=
           Specifies the delay before a link is disabled after a link down
           status has been detected. This value is rounded down to a multiple
           of MIIMonitorSec. The default value is 0.

       LearnPacketIntervalSec=
           Specifies the number of seconds between instances where the bonding
           driver sends learning packets to each slave peer switch. The valid
           range is 1–0x7fffffff; the default value is 1. This option has an
           effect only for the balance-tlb and balance-alb modes.

       AdSelect=
           Specifies the 802.3ad aggregation selection logic to use. Possible
           values are "stable", "bandwidth" and "count".

       AdActorSystemPriority=
           Specifies the 802.3ad actor system priority. Takes a number in the
           range 1–65535.

       AdUserPortKey=
           Specifies the 802.3ad user defined portion of the port key. Takes a
           number in the range 0–1023.

       AdActorSystem=
           Specifies the 802.3ad system MAC address. This cannot be a null or
           multicast address.

       FailOverMACPolicy=
           Specifies whether the active-backup mode should set all slaves to
           the same MAC address at the time of enslavement or, when enabled,
           to perform special handling of the bond's MAC address in accordance
           with the selected policy. The default policy is none. Possible
           values are "none", "active" and "follow".

       ARPValidate=
           Specifies whether or not ARP probes and replies should be validated
           in any mode that supports ARP monitoring, or whether non-ARP
           traffic should be filtered (disregarded) for link monitoring
           purposes. Possible values are "none", "active", "backup" and "all".

       ARPIntervalSec=
           Specifies the ARP link monitoring frequency. A value of 0 disables
           ARP monitoring. The default value is 0, and the default unit is
           seconds.

       ARPIPTargets=
           Specifies the IP addresses to use as ARP monitoring peers when
           ARPIntervalSec is greater than 0. These are the targets of the ARP
           request sent to determine the health of the link to the targets.
           Specify these values in IPv4 dotted decimal format. At least one IP
           address must be given for ARP monitoring to function. The maximum
           number of targets that can be specified is 16. The default value is
           no IP addresses.

       ARPAllTargets=
           Specifies the quantity of ARPIPTargets that must be reachable in
           order for the ARP monitor to consider a slave as being up. This
           option affects only active-backup mode for slaves with ARPValidate
           enabled. Possible values are "any" and "all".

       PrimaryReselectPolicy=
           Specifies the reselection policy for the primary slave. This
           affects how the primary slave is chosen to become the active slave
           when failure of the active slave or recovery of the primary slave
           occurs. This option is designed to prevent flip-flopping between
           the primary slave and other slaves. Possible values are "always",
           "better" and "failure".

       ResendIGMP=
           Specifies the number of IGMP membership reports to be issued after
           a failover event. One membership report is issued immediately after
           the failover, subsequent packets are sent in each 200ms interval.
           The valid range is 0–255. Defaults to 1. A value of 0 prevents the
           IGMP membership report from being issued in response to the
           failover event.

       PacketsPerSlave=
           Specify the number of packets to transmit through a slave before
           moving to the next one. When set to 0, then a slave is chosen at
           random. The valid range is 0–65535. Defaults to 1. This option only
           has effect when in balance-rr mode.

       GratuitousARP=
           Specify the number of peer notifications (gratuitous ARPs and
           unsolicited IPv6 Neighbor Advertisements) to be issued after a
           failover event. As soon as the link is up on the new slave, a peer
           notification is sent on the bonding device and each VLAN
           sub-device. This is repeated at each link monitor interval
           (ARPIntervalSec or MIIMonitorSec, whichever is active) if the
           number is greater than 1. The valid range is 0–255. The default
           value is 1. This option affects only the active-backup mode.

       AllSlavesActive=
           Takes a boolean. Specifies that duplicate frames (received on
           inactive ports) should be dropped when false, or delivered when
           true. Normally, bonding will drop duplicate frames (received on
           inactive ports), which is desirable for most users. However, it is
           sometimes useful to allow duplicate frames to be delivered. The
           default value is false (drop duplicate frames received on inactive
           ports).

       DynamicTransmitLoadBalancing=
           Takes a boolean. Specifies if dynamic shuffling of flows is
           enabled. Applies only for balance-tlb mode. Defaults to unset.

       MinLinks=
           Specifies the minimum number of links that must be active before
           asserting carrier. The default value is 0.

       For more detailed information, see Linux Ethernet Bonding Driver
       HOWTO[1].

[XFRM] SECTION OPTIONS

       The [Xfrm] section accepts the following keys:

       InterfaceId=
           Sets the ID/key of the xfrm interface which needs to be associated
           with a SA/policy. Can be decimal or hexadecimal, valid range is
           0–0xffffffff, defaults to 0.

       Independent=
           Takes a boolean. If false (the default), the xfrm interface must
           have an underlying device which can be used for hardware
           offloading.

       For more detailed information, see Virtual XFRM Interfaces[17].

[VRF] SECTION OPTIONS

       The [VRF] section only applies for netdevs of kind "vrf" and accepts
       the following key:

       Table=
           The numeric routing table identifier. This setting is compulsory.

[BATMANADVANCED] SECTION OPTIONS

       The [BatmanAdvanced] section only applies for netdevs of kind "batadv"
       and accepts the following keys:

       GatewayMode=
           Takes one of "off", "server", or "client". A batman-adv node can
           run in server mode (sharing its internet connection with the
           mesh), in client mode (searching for the most suitable internet
           connection in the mesh), or with gateway support turned off
           entirely (which is the default setting).

       Aggregation=
           Takes a boolean value. Enables or disables aggregation of
           originator messages. Defaults to true.

       BridgeLoopAvoidance=
           Takes a boolean value. Enables or disables avoidance of loops on
           bridges. Defaults to true.

       DistributedArpTable=
           Takes a boolean value. Enables or disables the distributed ARP
           table. Defaults to true.

       Fragmentation=
           Takes a boolean value. Enables or disables fragmentation. Defaults
           to true.

       HopPenalty=
           The hop penalty setting allows modifying the batctl(8) preference
           for multihop routes vs. short routes. This integer value is
           applied to the TQ (Transmit Quality) of each forwarded OGM
           (Originator Message), thereby propagating the cost of an extra hop
           (the packet has to be received and retransmitted, which costs
           airtime). A higher hop penalty makes it less likely that other
           nodes will choose this node as an intermediate hop towards any
           given destination. The default hop penalty of '15' is a reasonable
           value for most setups and probably does not need to be changed.
           However, mobile nodes could choose a value of 255 (maximum value)
           to avoid being chosen as a router by other nodes. The minimum
           value is 0.

       OriginatorIntervalSec=
           Specifies the interval at which batman-adv floods the network with
           its protocol information. The value is in seconds unless another
           time unit is specified. See systemd.time(7) for more information.

       GatewayBandwidthDown=
           If the node is a server, this parameter is used to inform other
           nodes in the network about this node's internet connection download
           bandwidth in bits per second. Just enter any number suffixed with
           K, M, G or T (base 1000) and the batman-adv module will propagate
           the entered value in the mesh.

       GatewayBandwidthUp=
           If the node is a server, this parameter is used to inform other
           nodes in the network about this node's internet connection upload
           bandwidth in bits per second. Just enter any number suffixed with
           K, M, G or T (base 1000) and the batman-adv module will propagate
           the entered value in the mesh.

       RoutingAlgorithm=
           This can be either "batman-v" or "batman-iv" and describes which
           routing_algo of batctl(8) to use. The algorithm cannot be changed
           after interface creation. Defaults to "batman-v".

EXAMPLES

       Example 1. /etc/systemd/network/25-bridge.netdev

           [NetDev]
           Name=bridge0
           Kind=bridge

       Example 2. /etc/systemd/network/25-vlan1.netdev

           [Match]
           Virtualization=no

           [NetDev]
           Name=vlan1
           Kind=vlan

           [VLAN]
           Id=1

       Example 3. /etc/systemd/network/25-ipip.netdev

           [NetDev]
           Name=ipip-tun
           Kind=ipip
           MTUBytes=1480

           [Tunnel]
           Local=192.168.223.238
           Remote=192.169.224.239
           TTL=64

       Example 4. /etc/systemd/network/1-fou-tunnel.netdev

           [NetDev]
           Name=fou-tun
           Kind=fou

           [FooOverUDP]
           Port=5555
           Protocol=4

       Example 5. /etc/systemd/network/25-fou-ipip.netdev

           [NetDev]
           Name=ipip-tun
           Kind=ipip

           [Tunnel]
           Independent=yes
           Local=10.65.208.212
           Remote=10.65.208.211
           FooOverUDP=yes
           FOUDestinationPort=5555

       Example 6. /etc/systemd/network/25-tap.netdev

           [NetDev]
           Name=tap-test
           Kind=tap

           [Tap]
           MultiQueue=yes
           PacketInfo=yes

       Example 7. /etc/systemd/network/25-sit.netdev

           [NetDev]
           Name=sit-tun
           Kind=sit
           MTUBytes=1480

           [Tunnel]
           Local=10.65.223.238
           Remote=10.65.223.239

       Example 8. /etc/systemd/network/25-6rd.netdev

           [NetDev]
           Name=6rd-tun
           Kind=sit
           MTUBytes=1480

           [Tunnel]
           Local=10.65.223.238
           IPv6RapidDeploymentPrefix=2602::/24

       Example 9. /etc/systemd/network/25-gre.netdev

           [NetDev]
           Name=gre-tun
           Kind=gre
           MTUBytes=1480

           [Tunnel]
           Local=10.65.223.238
           Remote=10.65.223.239

       Example 10. /etc/systemd/network/25-ip6gre.netdev

           [NetDev]
           Name=ip6gre-tun
           Kind=ip6gre

           [Tunnel]
           Key=123

       Example 11. /etc/systemd/network/25-vti.netdev

           [NetDev]
           Name=vti-tun
           Kind=vti
           MTUBytes=1480

           [Tunnel]
           Local=10.65.223.238
           Remote=10.65.223.239

       Example 12. /etc/systemd/network/25-veth.netdev

           [NetDev]
           Name=veth-test
           Kind=veth

           [Peer]
           Name=veth-peer

       Example 13. /etc/systemd/network/25-bond.netdev

           [NetDev]
           Name=bond1
           Kind=bond

           [Bond]
           Mode=802.3ad
           TransmitHashPolicy=layer3+4
           MIIMonitorSec=1s
           LACPTransmitRate=fast

       Example 14. /etc/systemd/network/25-dummy.netdev

           [NetDev]
           Name=dummy-test
           Kind=dummy
           MACAddress=12:34:56:78:9a:bc

       Example 15. /etc/systemd/network/25-vrf.netdev

       Create a VRF interface with table 42.

           [NetDev]
           Name=vrf-test
           Kind=vrf

           [VRF]
           Table=42

       Example 16. /etc/systemd/network/25-macvtap.netdev

       Create a MacVTap device.

           [NetDev]
           Name=macvtap-test
           Kind=macvtap

       Example 17. /etc/systemd/network/25-wireguard.netdev

           [NetDev]
           Name=wg0
           Kind=wireguard

           [WireGuard]
           PrivateKey=EEGlnEPYJV//kbvvIqxKkQwOiS+UENyPncC4bF46ong=
           ListenPort=51820

           [WireGuardPeer]
           PublicKey=RDf+LSpeEre7YEIKaxg+wbpsNV7du+ktR99uBEtIiCA=
           AllowedIPs=fd31:bf08:57cb::/48,192.168.26.0/24
           Endpoint=wireguard.example.com:51820

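       Example 17 keeps the WireGuard private key inline in the .netdev file.
       The audit below is an added example, not part of systemd or of this
       manual page: it flags inline PrivateKey= and PresharedKey= assignments,
       and world-readable files that carry them, across .netdev files and
       their .netdev.d/*.conf drop-ins. The function names and sample files
       are constructed for illustration; PrivateKeyFile= and PresharedKeyFile=
       are the file-based counterparts of those keys.

```python
import os
import stat
import tempfile

SECRET_KEYS = {"WireGuard": "PrivateKey", "WireGuardPeer": "PresharedKey"}

def audit_netdev(path):
    """Return findings for one .netdev file or drop-in .conf file."""
    findings, section = [], None
    with open(path, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
            key, sep, value = (p.strip() for p in line.partition("="))
            if line.startswith(("#", ";")) or not (sep and value):
                continue  # comment, blank line, section header or empty value
            if SECRET_KEYS.get(section) == key:
                findings.append(f"{path}:{lineno}: inline {key}=, prefer {key}File=")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if findings and mode & stat.S_IROTH:
        findings.append(f"{path}: mode {mode:04o} is world-readable and holds a key")
    return findings

def audit_tree(root):
    """Audit every .netdev file and every *.netdev.d/*.conf drop-in below root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        in_dropin = os.path.basename(dirpath).endswith(".netdev.d")
        for name in sorted(files):
            if name.endswith(".netdev") or (in_dropin and name.endswith(".conf")):
                findings.extend(audit_netdev(os.path.join(dirpath, name)))
    return findings

def demo():
    """Audit a constructed config tree; the key below is a placeholder."""
    head = "[NetDev]\nName=wg0\nKind=wireguard\n\n[WireGuard]\n"
    with tempfile.TemporaryDirectory() as root:
        for name, mode, body in (
            ("25-wireguard.netdev", 0o644, "PrivateKey=PLACEHOLDER-NOT-A-KEY=\n"),
            ("26-wg1.netdev", 0o640, "PrivateKeyFile=/etc/systemd/network/wg1.key\n"),
        ):
            path = os.path.join(root, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(head + body)
            os.chmod(path, mode)
        return [f.replace(root + os.sep, "") for f in audit_tree(root)]

if __name__ == "__main__":
    print("\n".join(demo()))
```

       Pointing audit_tree() at /etc/systemd/network and /run/systemd/network
       runs the same check against a host's live configuration.
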
       Example 18. /etc/systemd/network/27-xfrm.netdev

           [NetDev]
           Name=xfrm0
           Kind=xfrm

           [Xfrm]
           Independent=yes

SEE ALSO

       systemd(1), systemd-networkd(8), systemd.link(5), systemd.network(5)

NOTES

        1. Linux Ethernet Bonding Driver HOWTO
           https://www.kernel.org/doc/Documentation/networking/bonding.txt

        2. RFC 2784
           https://tools.ietf.org/html/rfc2784

        3. IEEE 802.1Q
           http://www.ieee802.org/1/pages/802.1Q.html

        4. VRF
           https://www.kernel.org/doc/Documentation/networking/vrf.txt

        5. B.A.T.M.A.N. Advanced
           https://www.open-mesh.org/projects/open-mesh/wiki

        6. (DVOE)
           https://en.wikipedia.org/wiki/Distributed_Overlay_Virtual_Ethernet

        7. VXLAN Group Policy
           https://tools.ietf.org/html/draft-smith-vxlan-group-policy

        8. Generic Protocol Extension for VXLAN
           https://tools.ietf.org/html/draft-ietf-nvo3-vxlan-gpe-07

        9. Type of Service in the Internet Protocol Suite
           http://tools.ietf.org/html/rfc1349

       10. RFC 6437
           https://tools.ietf.org/html/rfc6437

       11. RFC 2460
           https://tools.ietf.org/html/rfc2460

       12. RFC 2473
           https://tools.ietf.org/html/rfc2473#section-4.1.1

       13. ip-xfrm — transform configuration
           http://man7.org/linux/man-pages/man8/ip-xfrm.8.html

       14. Foo over UDP
           https://lwn.net/Articles/614348

       15. IPv6 Rapid Deployment
           https://tools.ietf.org/html/rfc5569

       16. Generic UDP Encapsulation
           https://lwn.net/Articles/615044

       17. Virtual XFRM Interfaces
           https://lwn.net/Articles/757391

systemd 248                                                  SYSTEMD.NETDEV(5)