1IP-LINK(8) Linux IP-LINK(8)
2
6 ip-link - network device configuration
7
9 ip link { COMMAND | help }
10 ip link add [ link DEVICE ] [ name ] NAME
13 [ txqueuelen PACKETS ]
14 [ address LLADDR ] [ broadcast LLADDR ]
15 [ mtu MTU ] [ index IDX ]
16 [ numtxqueues QUEUE_COUNT ] [ numrxqueues QUEUE_COUNT ]
17 [ gso_max_size BYTES ] [ gso_max_segs SEGMENTS ]
18 type TYPE [ ARGS ]
19 ip link delete { DEVICE | group GROUP } type TYPE [ ARGS ]
21 ip link set { DEVICE | group GROUP }
23 [ { up | down } ]
24 [ type ETYPE TYPE_ARGS ]
25 [ arp { on | off } ]
26 [ dynamic { on | off } ]
27 [ multicast { on | off } ]
28 [ allmulticast { on | off } ]
29 [ promisc { on | off } ]
30 [ protodown { on | off } ]
31 [ protodown_reason PREASON { on | off } ]
32 [ trailers { on | off } ]
33 [ txqueuelen PACKETS ]
34 [ name NEWNAME ]
35 [ address LLADDR ]
36 [ broadcast LLADDR ]
37 [ mtu MTU ]
38 [ netns { PID | NETNSNAME } ]
39 [ link-netnsid ID ]
40 [ alias NAME ]
41 [ vf NUM [ mac LLADDR ]
42 [ VFVLAN-LIST ]
43 [ rate TXRATE ]
44 [ max_tx_rate TXRATE ]
45 [ min_tx_rate TXRATE ]
46 [ spoofchk { on | off } ]
47 [ query_rss { on | off } ]
48 [ state { auto | enable | disable } ]
49 [ trust { on | off } ]
50 [ node_guid eui64 ]
51 [ port_guid eui64 ] ]
52 [ { xdp | xdpgeneric | xdpdrv | xdpoffload } { off |
53 object FILE [ section NAME ] [ verbose ] |
54 pinned FILE } ]
55 [ master DEVICE ]
56 [ nomaster ]
57 [ vrf NAME ]
58 [ addrgenmode { eui64 | none | stable_secret | random } ]
59 [ macaddr [ MACADDR ]
60 [ { flush | add | del } MACADDR ]
61 [ set MACADDR ] ]
62 ip link show [ DEVICE | group GROUP ] [ up ] [ master DEVICE
64 ] [ type ETYPE ] [ vrf NAME ]
65 ip link xstats type TYPE [ ARGS ]
67 ip link afstats [ dev DEVICE ]
69 ip link help [ TYPE ]
71 TYPE := [ bridge | bond | can | dummy | hsr | ifb | ipoib |
73 macvlan | macvtap | vcan | vxcan | veth | vlan |
74 vxlan | ip6tnl | ipip | sit | gre | gretap | erspan |
75 ip6gre | ip6gretap | ip6erspan | vti | nlmon | ipvlan
76 | ipvtap | lowpan | geneve | bareudp | vrf | macsec |
77 netdevsim | rmnet | xfrm ]
78 ETYPE := [ TYPE | bridge_slave | bond_slave ]
80 VFVLAN-LIST := [ VFVLAN-LIST ] VFVLAN
82 VFVLAN := [ vlan VLANID [ qos VLAN-QOS ] [ proto VLAN-PROTO ]
84 ]
85 ip link property add [ altname NAME .. ]
87 ip link property del [ altname NAME .. ]
89
92 ip link add - add virtual link
93 link DEVICE
94 specifies the physical device to act operate on.
95 NAME specifies the name of the new virtual device.
97 TYPE specifies the type of the new device.
99 Link types:
101 bridge - Ethernet Bridge device
103 bond - Bonding device
105 dummy - Dummy network interface
107 hsr - High-availability Seamless Redundancy device
109 ifb - Intermediate Functional Block device
111 ipoib - IP over Infiniband device
113 macvlan - Virtual interface base on link layer address
115 (MAC)
116 macvtap - Virtual interface based on link layer address
118 (MAC) and TAP.
119 vcan - Virtual Controller Area Network interface
121 vxcan - Virtual Controller Area Network tunnel interface
123 veth - Virtual ethernet interface
125 vlan - 802.1q tagged virtual LAN interface
127 vxlan - Virtual eXtended LAN
129 ip6tnl - Virtual tunnel interface IPv4|IPv6 over IPv6
131 ipip - Virtual tunnel interface IPv4 over IPv4
133 sit - Virtual tunnel interface IPv6 over IPv4
135 gre - Virtual tunnel interface GRE over IPv4
137 gretap - Virtual L2 tunnel interface GRE over IPv4
139 erspan - Encapsulated Remote SPAN over GRE and IPv4
141 ip6gre - Virtual tunnel interface GRE over IPv6
143 ip6gretap - Virtual L2 tunnel interface GRE over IPv6
145 ip6erspan - Encapsulated Remote SPAN over GRE and IPv6
147 vti - Virtual tunnel interface
149 nlmon - Netlink monitoring device
151 ipvlan - Interface for L3 (IPv6/IPv4) based VLANs
153 ipvtap - Interface for L3 (IPv6/IPv4) based VLANs and
155 TAP
156 lowpan - Interface for 6LoWPAN (IPv6) over IEEE 802.15.4
158 / Bluetooth
159 geneve - GEneric NEtwork Virtualization Encapsulation
161 bareudp - Bare UDP L3 encapsulation support
163 macsec - Interface for IEEE 802.1AE MAC Security (MAC‐
165 sec)
166 vrf - Interface for L3 VRF domains
168 netdevsim - Interface for netdev API tests
170 rmnet - Qualcomm rmnet device
172 xfrm - Virtual xfrm interface
174 numtxqueues QUEUE_COUNT
177 specifies the number of transmit queues for new device.
178 numrxqueues QUEUE_COUNT
181 specifies the number of receive queues for new device.
182 gso_max_size BYTES
185 specifies the recommended maximum size of a Generic Segment Off‐
186 load packet the new device should accept.
187 gso_max_segs SEGMENTS
190 specifies the recommended maximum number of a Generic Segment
191 Offload segments the new device should accept.
192 index IDX
195 specifies the desired index of the new virtual device. The link
196 creation fails, if the index is busy.
197 VLAN Type Support
200 For a link of type VLAN the following additional arguments are
201 supported:
202 ip link add link DEVICE name NAME type vlan [ protocol
204 VLAN_PROTO ] id VLANID [ reorder_hdr { on | off } ] [ gvrp { on
205 | off } ] [ mvrp { on | off } ] [ loose_binding { on | off } ] [
206 bridge_binding { on | off } ] [ ingress-qos-map QOS-MAP ] [
207 egress-qos-map QOS-MAP ]
208 protocol VLAN_PROTO - either 802.1Q or 802.1ad.
211 id VLANID - specifies the VLAN Identifier to use. Note
213 that numbers with a leading " 0 " or " 0x " are inter‐
214 preted as octal or hexadecimal, respectively.
215 reorder_hdr { on | off } - specifies whether ethernet
217 headers are reordered or not (default is on).
218 If reorder_hdr is on then VLAN header will be not
220 inserted immediately but only before passing to the
221 physical device (if this device does not support
222 VLAN offloading), the similar on the RX direction -
223 by default the packet will be untagged before being
224 received by VLAN device. Reordering allows to accel‐
225 erate tagging on egress and to hide VLAN header on
226 ingress so the packet looks like regular Ethernet
227 packet, at the same time it might be confusing for
228 packet capture as the VLAN header does not exist
229 within the packet.
230 VLAN offloading can be checked by ethtool(8):
232 ethtool -k <phy_dev> | grep tx-vlan-offload
234 where <phy_dev> is the physical device to which VLAN
236 device is bound.
237 gvrp { on | off } - specifies whether this VLAN should
239 be registered using GARP VLAN
240 Registration Protocol.
241 mvrp { on | off } - specifies whether this VLAN should
243 be registered using Multiple VLAN
244 Registration Protocol.
245 loose_binding { on | off } - specifies whether the VLAN
247 device state is bound to the physical device state.
248 bridge_binding { on | off } - specifies whether the VLAN
250 device link state tracks the state of bridge ports that
251 are members of the VLAN.
252 ingress-qos-map QOS-MAP - defines a mapping of VLAN
254 header prio field to the Linux internal packet priority
255 on incoming frames. The format is FROM:TO with multiple
256 mappings separated by spaces.
257 egress-qos-map QOS-MAP - defines a mapping of Linux in‐
259 ternal packet priority to VLAN header prio field but for
260 outgoing frames. The format is the same as for ingress-
261 qos-map.
262 Linux packet priority can be set by iptables(8):
264 iptables -t mangle -A POSTROUTING [...] -j CLAS‐
266 SIFY --set-class 0:4
267 and this "4" priority can be used in the egress qos
269 mapping to set VLAN prio "5":
270 ip link set veth0.10 type vlan egress 4:5
272 VXLAN Type Support
275 For a link of type VXLAN the following additional arguments are
276 supported:
277 ip link add DEVICE type vxlan id VNI [ dev PHYS_DEV ] [ { group
279 | remote } IPADDR ] [ local { IPADDR | any } ] [ ttl TTL ] [ tos
280 TOS ] [ df DF ] [ flowlabel FLOWLABEL ] [ dstport PORT ] [ src‐
281 port MIN MAX ] [ [no]learning ] [ [no]proxy ] [ [no]rsc ] [
282 [no]l2miss ] [ [no]l3miss ] [ [no]udpcsum ] [ [no]udp6zerocsumtx
283 ] [ [no]udp6zerocsumrx ] [ ageing SECONDS ] [ maxaddress NUMBER
284 ] [ [no]external ] [ gbp ] [ gpe ]
285 id VNI - specifies the VXLAN Network Identifier (or
288 VXLAN Segment Identifier) to use.
289 dev PHYS_DEV - specifies the physical device to use for
291 tunnel endpoint communication.
292 group IPADDR - specifies the multicast IP address to
295 join. This parameter cannot be specified with the re‐
296 mote parameter.
297 remote IPADDR - specifies the unicast destination IP ad‐
300 dress to use in outgoing packets when the destination
301 link layer address is not known in the VXLAN device for‐
302 warding database. This parameter cannot be specified
303 with the group parameter.
304 local IPADDR - specifies the source IP address to use in
307 outgoing packets.
308 ttl TTL - specifies the TTL value to use in outgoing
311 packets.
312 tos TOS - specifies the TOS value to use in outgoing
315 packets.
316 df DF - specifies the usage of the Don't Fragment flag
319 (DF) bit in outgoing packets with IPv4 headers. The
320 value inherit causes the bit to be copied from the orig‐
321 inal IP header. The values unset and set cause the bit
322 to be always unset or always set, respectively. By de‐
323 fault, the bit is not set.
324 flowlabel FLOWLABEL - specifies the flow label to use in
327 outgoing packets.
328 dstport PORT - specifies the UDP destination port to
331 communicate to the remote
332 VXLAN tunnel endpoint.
333 srcport MIN MAX - specifies the range of port numbers to
336 use as UDP source ports to communicate to the remote
337 VXLAN tunnel endpoint.
338 [no]learning - specifies if unknown source link layer
341 addresses and IP addresses are entered into the VXLAN
342 device forwarding database.
343 [no]rsc - specifies if route short circuit is turned on.
346 [no]proxy - specifies ARP proxy is turned on.
349 [no]l2miss - specifies if netlink LLADDR miss notifica‐
352 tions are generated.
353 [no]l3miss - specifies if netlink IP ADDR miss notifica‐
356 tions are generated.
357 [no]udpcsum - specifies if UDP checksum is calculated
360 for transmitted packets over IPv4.
361 [no]udp6zerocsumtx - skip UDP checksum calculation for
364 transmitted packets over IPv6.
365 [no]udp6zerocsumrx - allow incoming UDP packets over
368 IPv6 with zero checksum field.
369 ageing SECONDS - specifies the lifetime in seconds of
372 FDB entries learnt by the kernel.
373 maxaddress NUMBER - specifies the maximum number of FDB
376 entries.
377 [no]external - specifies whether an external control
380 plane (e.g. ip route encap) or the internal FDB should
381 be used.
382 gbp - enables the Group Policy extension (VXLAN-GBP).
385 Allows to transport group policy context across
387 VXLAN network peers. If enabled, includes the mark
388 of a packet in the VXLAN header for outgoing packets
389 and fills the packet mark based on the information
390 found in the VXLAN header for incoming packets.
391 Format of upper 16 bits of packet mark (flags);
393 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
395 |-|-|-|-|-|-|-|-|-|D|-|-|A|-|-|-|
396 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
397 D := Don't Learn bit. When set, this bit indicates
399 that the egress VTEP MUST NOT learn the source ad‐
400 dress of the encapsulated frame.
401 A := Indicates that the group policy has already
403 been applied to this packet. Policies MUST NOT be
404 applied by devices when the A bit is set.
405 Format of lower 16 bits of packet mark (policy ID):
407 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
409 | Group Policy ID |
410 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
411 Example:
413 iptables -A OUTPUT [...] -j MARK --set-mark
414 0x800FF
415 gpe - enables the Generic Protocol extension (VXLAN-
419 GPE). Currently, this is only supported together with
420 the external keyword.
421 VETH, VXCAN Type Support
425 For a link of types VETH/VXCAN the following additional argu‐
426 ments are supported:
427 ip link add DEVICE type { veth | vxcan } [ peer name NAME ]
429 peer name NAME - specifies the virtual pair device name
432 of the VETH/VXCAN tunnel.
433 IPIP, SIT Type Support
437 For a link of type IPIPorSIT the following additional arguments
438 are supported:
439 ip link add DEVICE type { ipip | sit } remote ADDR local ADDR [
441 encap { fou | gue | none } ] [ encap-sport { PORT | auto } ] [
442 encap-dport PORT ] [ [no]encap-csum ] [ [no]encap-remcsum ] [
443 mode { ip6ip | ipip | mplsip | any } ] [ external ]
444 remote ADDR - specifies the remote address of the tun‐
447 nel.
448 local ADDR - specifies the fixed local address for tun‐
451 neled packets. It must be an address on another inter‐
452 face on this host.
453 encap { fou | gue | none } - specifies type of secondary
456 UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue"
457 indicates Generic UDP Encapsulation.
458 encap-sport { PORT | auto } - specifies the source port
461 in UDP encapsulation. PORT indicates the port by num‐
462 ber, "auto" indicates that the port number should be
463 chosen automatically (the kernel picks a flow based on
464 the flow hash of the encapsulated packet).
465 [no]encap-csum - specifies if UDP checksums are enabled
468 in the secondary encapsulation.
469 [no]encap-remcsum - specifies if Remote Checksum Offload
472 is enabled. This is only applicable for Generic UDP En‐
473 capsulation.
474 mode { ip6ip | ipip | mplsip | any } - specifies mode in
477 which device should run. "ip6ip" indicates IPv6-Over-
478 IPv4, "ipip" indicates "IPv4-Over-IPv4", "mplsip" indi‐
479 cates MPLS-Over-IPv4, "any" indicates IPv6, IPv4 or MPLS
480 Over IPv4. Supported for SIT where the default is
481 "ip6ip" and IPIP where the default is "ipip".
482 IPv6-Over-IPv4 is not supported for IPIP.
483 external - make this tunnel externally controlled (e.g.
486 ip route encap).
487 GRE Type Support
490 For a link of type GRE or GRETAP the following additional argu‐
491 ments are supported:
492 ip link add DEVICE type { gre | gretap } remote ADDR local ADDR
494 [ [no][i|o]seq ] [ [i|o]key KEY | no[i|o]key ] [ [no][i|o]csum ]
495 [ ttl TTL ] [ tos TOS ] [ [no]pmtudisc ] [ [no]ignore-df ] [ dev
496 PHYS_DEV ] [ encap { fou | gue | none } ] [ encap-sport { PORT |
497 auto } ] [ encap-dport PORT ] [ [no]encap-csum ] [ [no]encap-
498 remcsum ] [ external ]
499 remote ADDR - specifies the remote address of the tun‐
502 nel.
503 local ADDR - specifies the fixed local address for tun‐
506 neled packets. It must be an address on another inter‐
507 face on this host.
508 [no][i|o]seq - serialize packets. The oseq flag enables
511 sequencing of outgoing packets. The iseq flag requires
512 that all input packets are serialized.
513 [i|o]key KEY | no[i|o]key - use keyed GRE with key KEY.
516 KEY is either a number or an IPv4 address-like dotted
517 quad. The key parameter specifies the same key to use
518 in both directions. The ikey and okey parameters spec‐
519 ify different keys for input and output.
520 [no][i|o]csum - generate/require checksums for tunneled
523 packets. The ocsum flag calculates checksums for outgo‐
524 ing packets. The icsum flag requires that all input
525 packets have the correct checksum. The csum flag is
526 equivalent to the combination icsum ocsum .
527 ttl TTL - specifies the TTL value to use in outgoing
530 packets.
531 tos TOS - specifies the TOS value to use in outgoing
534 packets.
535 [no]pmtudisc - enables/disables Path MTU Discovery on
538 this tunnel. It is enabled by default. Note that a
539 fixed ttl is incompatible with this option: tunneling
540 with a fixed ttl always makes pmtu discovery.
541 [no]ignore-df - enables/disables IPv4 DF suppression on
544 this tunnel. Normally datagrams that exceed the MTU
545 will be fragmented; the presence of the DF flag inhibits
546 this, resulting instead in an ICMP Unreachable (Fragmen‐
547 tation Required) message. Enabling this attribute
548 causes the DF flag to be ignored.
549 dev PHYS_DEV - specifies the physical device to use for
552 tunnel endpoint communication.
553 encap { fou | gue | none } - specifies type of secondary
556 UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue"
557 indicates Generic UDP Encapsulation.
558 encap-sport { PORT | auto } - specifies the source port
561 in UDP encapsulation. PORT indicates the port by num‐
562 ber, "auto" indicates that the port number should be
563 chosen automatically (the kernel picks a flow based on
564 the flow hash of the encapsulated packet).
565 [no]encap-csum - specifies if UDP checksums are enabled
568 in the secondary encapsulation.
569 [no]encap-remcsum - specifies if Remote Checksum Offload
572 is enabled. This is only applicable for Generic UDP En‐
573 capsulation.
574 external - make this tunnel externally controlled (e.g.
577 ip route encap).
578 IP6GRE/IP6GRETAP Type Support
582 For a link of type IP6GRE/IP6GRETAP the following additional ar‐
583 guments are supported:
584 ip link add DEVICE type { ip6gre | ip6gretap } remote ADDR local
586 ADDR [ [no][i|o]seq ] [ [i|o]key KEY | no[i|o]key ] [
587 [no][i|o]csum ] [ hoplimit TTL ] [ encaplimit ELIM ] [ tclass
588 TCLASS ] [ flowlabel FLOWLABEL ] [ dscp inherit ] [ [no]allow-
589 localremote ] [ dev PHYS_DEV ] [ external ]
590 remote ADDR - specifies the remote IPv6 address of the
593 tunnel.
594 local ADDR - specifies the fixed local IPv6 address for
597 tunneled packets. It must be an address on another in‐
598 terface on this host.
599 [no][i|o]seq - serialize packets. The oseq flag enables
602 sequencing of outgoing packets. The iseq flag requires
603 that all input packets are serialized.
604 [i|o]key KEY | no[i|o]key - use keyed GRE with key KEY.
607 KEY is either a number or an IPv4 address-like dotted
608 quad. The key parameter specifies the same key to use
609 in both directions. The ikey and okey parameters spec‐
610 ify different keys for input and output.
611 [no][i|o]csum - generate/require checksums for tunneled
614 packets. The ocsum flag calculates checksums for outgo‐
615 ing packets. The icsum flag requires that all input
616 packets have the correct checksum. The csum flag is
617 equivalent to the combination icsum ocsum.
618 hoplimit TTL - specifies Hop Limit value to use in out‐
621 going packets.
622 encaplimit ELIM - specifies a fixed encapsulation limit.
625 Default is 4.
626 flowlabel FLOWLABEL - specifies a fixed flowlabel.
629 [no]allow-localremote - specifies whether to allow re‐
632 mote endpoint to have an address configured on local
633 host.
634 tclass TCLASS - specifies the traffic class field on
637 tunneled packets, which can be specified as either a
638 two-digit hex value (e.g. c0) or a predefined string
639 (e.g. internet). The value inherit causes the field to
640 be copied from the original IP header. The values in‐
641 herit/STRING or inherit/00..ff will set the field to
642 STRING or 00..ff when tunneling non-IP packets. The de‐
643 fault value is 00.
644 external - make this tunnel externally controlled (or
647 not, which is the default). In the kernel, this is re‐
648 ferred to as collect metadata mode. This flag is mutu‐
649 ally exclusive with the remote, local, seq, key, csum,
650 hoplimit, encaplimit, flowlabel and tclass options.
651 IPoIB Type Support
655 For a link of type IPoIB the following additional arguments are
656 supported:
657 ip link add DEVICE name NAME type ipoib [ pkey PKEY ] [ mode
659 MODE ]
660 pkey PKEY - specifies the IB P-Key to use.
663 mode MODE - specifies the mode (datagram or connected)
665 to use.
666 ERSPAN Type Support
669 For a link of type ERSPAN/IP6ERSPAN the following additional ar‐
670 guments are supported:
671 ip link add DEVICE type { erspan | ip6erspan } remote ADDR local
673 ADDR seq key KEY erspan_ver version [ erspan IDX ] [ erspan_dir
674 { ingress | egress } ] [ erspan_hwid hwid ] [ [no]allow-localre‐
675 mote ] [ external ]
676 remote ADDR - specifies the remote address of the tun‐
679 nel.
680 local ADDR - specifies the fixed local address for tun‐
683 neled packets. It must be an address on another inter‐
684 face on this host.
685 erspan_ver version - specifies the ERSPAN version num‐
688 ber. version indicates the ERSPAN version to be cre‐
689 ated: 0 for version 0 type I, 1 for version 1 (type II)
690 or 2 for version 2 (type III).
691 erspan IDX - specifies the ERSPAN v1 index field. IDX
694 indicates a 20 bit index/port number associated with the
695 ERSPAN traffic's source port and direction.
696 erspan_dir { ingress | egress } - specifies the ERSPAN
699 v2 mirrored traffic's direction.
700 erspan_hwid hwid - an unique identifier of an ERSPAN v2
703 engine within a system. hwid is a 6-bit value for users
704 to configure.
705 [no]allow-localremote - specifies whether to allow re‐
708 mote endpoint to have an address configured on local
709 host.
710 external - make this tunnel externally controlled (or
713 not, which is the default). In the kernel, this is re‐
714 ferred to as collect metadata mode. This flag is mutu‐
715 ally exclusive with the remote, local, erspan_ver,
716 erspan, erspan_dir and erspan_hwid options.
717 GENEVE Type Support
721 For a link of type GENEVE the following additional arguments are
722 supported:
723 ip link add DEVICE type geneve id VNI remote IPADDR [ ttl TTL ]
725 [ tos TOS ] [ df DF ] [ flowlabel FLOWLABEL ] [ dstport PORT ] [
726 [no]external ] [ [no]udpcsum ] [ [no]udp6zerocsumtx ] [
727 [no]udp6zerocsumrx ]
728 id VNI - specifies the Virtual Network Identifier to
731 use.
732 remote IPADDR - specifies the unicast destination IP ad‐
735 dress to use in outgoing packets.
736 ttl TTL - specifies the TTL value to use in outgoing
739 packets. "0" or "auto" means use whatever default value,
740 "inherit" means inherit the inner protocol's ttl. De‐
741 fault option is "0".
742 tos TOS - specifies the TOS value to use in outgoing
745 packets.
746 df DF - specifies the usage of the Don't Fragment flag
749 (DF) bit in outgoing packets with IPv4 headers. The
750 value inherit causes the bit to be copied from the orig‐
751 inal IP header. The values unset and set cause the bit
752 to be always unset or always set, respectively. By de‐
753 fault, the bit is not set.
754 flowlabel FLOWLABEL - specifies the flow label to use in
757 outgoing packets.
758 dstport PORT - select a destination port other than the
761 default of 6081.
762 [no]external - make this tunnel externally controlled
765 (or not, which is the default). This flag is mutually
766 exclusive with the id, remote, ttl, tos and flowlabel
767 options.
768 [no]udpcsum - specifies if UDP checksum is calculated
771 for transmitted packets over IPv4.
772 [no]udp6zerocsumtx - skip UDP checksum calculation for
775 transmitted packets over IPv6.
776 [no]udp6zerocsumrx - allow incoming UDP packets over
779 IPv6 with zero checksum field.
780 Bareudp Type Support
784 For a link of type Bareudp the following additional arguments
785 are supported:
786 ip link add DEVICE type bareudp dstport PORT ethertype ETHERTYPE
788 [ srcportmin SRCPORTMIN ] [ [no]multiproto ]
789 dstport PORT - specifies the destination port for the
792 UDP tunnel.
793 ethertype ETHERTYPE - specifies the ethertype of the L3
796 protocol being tunnelled.
797 srcportmin SRCPORTMIN - selects the lowest value of the
800 UDP tunnel source port range.
801 [no]multiproto - activates support for protocols similar
804 to the one specified by ethertype. When ETHERTYPE is
805 "mpls_uc" (that is, unicast MPLS), this allows the tun‐
806 nel to also handle multicast MPLS. When ETHERTYPE is
807 "ipv4", this allows the tunnel to also handle IPv6. This
808 option is disabled by default.
809 MACVLAN and MACVTAP Type Support
812 For a link of type MACVLAN or MACVTAP the following additional
813 arguments are supported:
814 ip link add link DEVICE name NAME type { macvlan | macvtap }
816 mode { private | vepa | bridge | passthru [ nopromisc ] |
817 source }
818 type { macvlan | macvtap } - specifies the link type to
821 use. macvlan creates just a virtual interface, while
822 macvtap in addition creates a character device /dev/tapX
823 to be used just like a tuntap device.
824 mode private - Do not allow communication between
826 macvlan instances on the same physical interface, even
827 if the external switch supports hairpin mode.
828 mode vepa - Virtual Ethernet Port Aggregator mode. Data
830 from one macvlan instance to the other on the same phys‐
831 ical interface is transmitted over the physical inter‐
832 face. Either the attached switch needs to support hair‐
833 pin mode, or there must be a TCP/IP router forwarding
834 the packets in order to allow communication. This is the
835 default mode.
836 mode bridge - In bridge mode, all endpoints are directly
838 connected to each other, communication is not redirected
839 through the physical interface's peer.
840 mode passthru [ nopromisc ] - This mode gives more power
842 to a single endpoint, usually in macvtap mode. It is not
843 allowed for more than one endpoint on the same physical
844 interface. All traffic will be forwarded to this end‐
845 point, allowing virtio guests to change MAC address or
846 set promiscuous mode in order to bridge the interface or
847 create vlan interfaces on top of it. By default, this
848 mode forces the underlying interface into promiscuous
849 mode. Passing the nopromisc flag prevents this, so the
850 promisc flag may be controlled using standard tools.
851 mode source - allows one to set a list of allowed mac
853 address, which is used to match against source mac ad‐
854 dress from received frames on underlying interface. This
855 allows creating mac based VLAN associations, instead of
856 standard port or tag based. The feature is useful to de‐
857 ploy 802.1x mac based behavior, where drivers of under‐
858 lying interfaces doesn't allows that.
859 High-availability Seamless Redundancy (HSR) Support
862 For a link of type HSR the following additional arguments are
863 supported:
864 ip link add link DEVICE name NAME type hsr slave1 SLAVE1-IF
866 slave2 SLAVE2-IF [ supervision ADDR-BYTE ] [ version { 0 | 1 } [
867 proto { 0 | 1 } ]
868 type hsr - specifies the link type to use, here HSR.
871 slave1 SLAVE1-IF - Specifies the physical device used
873 for the first of the two ring ports.
874 slave2 SLAVE2-IF - Specifies the physical device used
876 for the second of the two ring ports.
877 supervision ADDR-BYTE - The last byte of the multicast
879 address used for HSR supervision frames. Default option
880 is "0", possible values 0-255.
881 version { 0 | 1 } - Selects the protocol version of the
883 interface. Default option is "0", which corresponds to
884 the 2010 version of the HSR standard. Option "1" acti‐
885 vates the 2012 version.
886 proto { 0 | 1 } - Selects the protocol at the interface.
888 Default option is "0", which corresponds to the HSR
889 standard. Option "1" activates the Parallel Redundancy
890 Protocol (PRP).
891 BRIDGE Type Support
894 For a link of type BRIDGE the following additional arguments are
895 supported:
896 ip link add DEVICE type bridge [ ageing_time AGEING_TIME ] [
898 group_fwd_mask MASK ] [ group_address ADDRESS ] [ forward_delay
899 FORWARD_DELAY ] [ hello_time HELLO_TIME ] [ max_age MAX_AGE ] [
900 stp_state STP_STATE ] [ priority PRIORITY ] [ vlan_filtering
901 VLAN_FILTERING ] [ vlan_protocol VLAN_PROTOCOL ] [ vlan_de‐
902 fault_pvid VLAN_DEFAULT_PVID ] [ vlan_stats_enabled
903 VLAN_STATS_ENABLED ] [ vlan_stats_per_port VLAN_STATS_PER_PORT ]
904 [ mcast_snooping MULTICAST_SNOOPING ] [ mcast_router MULTI‐
905 CAST_ROUTER ] [ mcast_query_use_ifaddr MCAST_QUERY_USE_IFADDR ]
906 [ mcast_querier MULTICAST_QUERIER ] [ mcast_hash_elasticity
907 HASH_ELASTICITY ] [ mcast_hash_max HASH_MAX ] [ mcast_last_mem‐
908 ber_count LAST_MEMBER_COUNT ] [ mcast_startup_query_count
909 STARTUP_QUERY_COUNT ] [ mcast_last_member_interval LAST_MEM‐
910 BER_INTERVAL ] [ mcast_membership_interval MEMBERSHIP_INTERVAL ]
911 [ mcast_querier_interval QUERIER_INTERVAL ] [ mcast_query_inter‐
912 val QUERY_INTERVAL ] [ mcast_query_response_interval QUERY_RE‐
913 SPONSE_INTERVAL ] [ mcast_startup_query_interval
914 STARTUP_QUERY_INTERVAL ] [ mcast_stats_enabled MCAST_STATS_EN‐
915 ABLED ] [ mcast_igmp_version IGMP_VERSION ] [ mcast_mld_version
916 MLD_VERSION ] [ nf_call_iptables NF_CALL_IPTABLES ] [
917 nf_call_ip6tables NF_CALL_IP6TABLES ] [ nf_call_arptables
918 NF_CALL_ARPTABLES ]
919 ageing_time AGEING_TIME - configure the bridge's FDB en‐
922 tries ageing time, ie the number of seconds a MAC ad‐
923 dress will be kept in the FDB after a packet has been
924 received from that address. after this time has passed,
925 entries are cleaned up.
926 group_fwd_mask MASK - set the group forward mask. This
928 is the bitmask that is applied to decide whether to for‐
929 ward incoming frames destined to link-local addresses,
930 ie addresses of the form 01:80:C2:00:00:0X (defaults to
931 0, ie the bridge does not forward any link-local
932 frames).
933 group_address ADDRESS - set the MAC address of the mul‐
935 ticast group this bridge uses for STP. The address must
936 be a link-local address in standard Ethernet MAC address
937 format, ie an address of the form 01:80:C2:00:00:0X,
938 with X
939 in [0, 4..f].
940 forward_delay FORWARD_DELAY - set the forwarding delay
942 in seconds, ie the time spent in LISTENING state (before
943 moving to LEARNING) and in LEARNING state (before moving
944 to FORWARDING). Only relevant if STP is enabled. Valid
945 values are between 2 and 30.
946 hello_time HELLO_TIME - set the time in seconds between
948 hello packets sent by the bridge, when it is a root
949 bridge or a designated bridges. Only relevant if STP is
950 enabled. Valid values are between 1 and 10.
951 max_age MAX_AGE - set the hello packet timeout, ie the
953 time in seconds until another bridge in the spanning
954 tree is assumed to be dead, after reception of its last
955 hello message. Only relevant if STP is enabled. Valid
956 values are between 6 and 40.
957 stp_state STP_STATE - turn spanning tree protocol on
959 (STP_STATE > 0) or off (STP_STATE == 0). for this
960 bridge.
961 priority PRIORITY - set this bridge's spanning tree pri‐
963 ority, used during STP root bridge election. PRIORITY
964 is a 16bit unsigned integer.
965 vlan_filtering VLAN_FILTERING - turn VLAN filtering on
967 (VLAN_FILTERING > 0) or off (VLAN_FILTERING == 0). When
968 disabled, the bridge will not consider the VLAN tag when
969 handling packets.
970 vlan_protocol { 802.1Q | 802.1ad } - set the protocol
972 used for VLAN filtering.
973 vlan_default_pvid VLAN_DEFAULT_PVID - set the default
975 PVID (native/untagged VLAN ID) for this bridge.
976 vlan_stats_enabled VLAN_STATS_ENABLED - enable
978 (VLAN_STATS_ENABLED == 1) or disable (VLAN_STATS_ENABLED
979 == 0) per-VLAN stats accounting.
980 vlan_stats_per_port VLAN_STATS_PER_PORT - enable
982 (VLAN_STATS_PER_PORT == 1) or disable
983 (VLAN_STATS_PER_PORT == 0) per-VLAN per-port stats ac‐
984 counting. Can be changed only when there are no port
985 VLANs configured.
986 mcast_snooping MULTICAST_SNOOPING - turn multicast
988 snooping on (MULTICAST_SNOOPING > 0) or off (MULTI‐
989 CAST_SNOOPING == 0).
990 mcast_router MULTICAST_ROUTER - set bridge's multicast
992 router if IGMP snooping is enabled. MULTICAST_ROUTER is
993 an integer value having the following meaning:
994 0 - disabled.
996 1 - automatic (queried).
998 2 - permanently enabled.
1000 mcast_query_use_ifaddr MCAST_QUERY_USE_IFADDR - whether
1002 to use the bridge's own IP address as source address for
1003 IGMP queries (MCAST_QUERY_USE_IFADDR > 0) or the default
1004 of 0.0.0.0 (MCAST_QUERY_USE_IFADDR == 0).
1005 mcast_querier MULTICAST_QUERIER - enable (MULTI‐
1007 CAST_QUERIER > 0) or disable (MULTICAST_QUERIER == 0)
1008 IGMP querier, ie sending of multicast queries by the
1009 bridge (default: disabled).
1010 mcast_querier_interval QUERIER_INTERVAL - interval be‐
1012 tween queries sent by other routers. if no queries are
1013 seen after this delay has passed, the bridge will start
1014 to send its own queries (as if mcast_querier was en‐
1015 abled).
1016 mcast_hash_elasticity HASH_ELASTICITY - set multicast
1018 database hash elasticity, ie the maximum chain length in
1019 the multicast hash table (defaults to 4).
1020 mcast_hash_max HASH_MAX - set maximum size of multicast
1022 hash table (defaults to 512, value must be a power of
1023 2).
1024 mcast_last_member_count LAST_MEMBER_COUNT - set multi‐
1026 cast last member count, ie the number of queries the
1027 bridge will send before stopping forwarding a multicast
1028 group after a "leave" message has been received (de‐
1029 faults to 2).
1030 mcast_last_member_interval LAST_MEMBER_INTERVAL - inter‐
1032 val between queries to find remaining members of a
1033 group, after a "leave" message is received.
1034 mcast_startup_query_count STARTUP_QUERY_COUNT - set the
1036 number of IGMP queries to send during startup phase (de‐
1037 faults to 2).
1038 mcast_startup_query_interval STARTUP_QUERY_INTERVAL -
1040 interval between queries in the startup phase.
1041 mcast_query_interval QUERY_INTERVAL - interval between
1043 queries sent by the bridge after the end of the startup
1044 phase.
1045 mcast_query_response_interval QUERY_RESPONSE_INTERVAL -
1047 set the Max Response Time/Maximum Response Delay for
1048 IGMP/MLD queries sent by the bridge.
1049 mcast_membership_interval MEMBERSHIP_INTERVAL - delay
1051 after which the bridge will leave a group, if no member‐
1052 ship reports for this group are received.
1053 mcast_stats_enabled MCAST_STATS_ENABLED - enable
1055 (MCAST_STATS_ENABLED > 0) or disable (MCAST_STATS_EN‐
1056 ABLED == 0) multicast (IGMP/MLD) stats accounting.
1057 mcast_igmp_version IGMP_VERSION - set the IGMP version.
1059 mcast_mld_version MLD_VERSION - set the MLD version.
1061 nf_call_iptables NF_CALL_IPTABLES - enable (NF_CALL_IPT‐
1063 ABLES > 0) or disable (NF_CALL_IPTABLES == 0) iptables
1064 hooks on the bridge.
1065 nf_call_ip6tables NF_CALL_IP6TABLES - enable
1067 (NF_CALL_IP6TABLES > 0) or disable (NF_CALL_IP6TABLES ==
1068 0) ip6tables hooks on the bridge.
1069 nf_call_arptables NF_CALL_ARPTABLES - enable
1071 (NF_CALL_ARPTABLES > 0) or disable (NF_CALL_ARPTABLES ==
1072 0) arptables hooks on the bridge.
1073 MACsec Type Support
1078 For a link of type MACsec the following additional arguments are
1079 supported:
1080 ip link add link DEVICE name NAME type macsec [ [ address
1082 <lladdr> ] port PORT | sci SCI ] [ cipher CIPHER_SUITE ] [
1083 icvlen { 8..16 } ] [ encrypt { on | off } ] [ send_sci { on |
1084 off } ] [ end_station { on | off } ] [ scb { on | off } ] [ pro‐
1085 tect { on | off } ] [ replay { on | off } window { 0..2^32-1 } ]
1086 [ validate { strict | check | disabled } ] [ encodingsa { 0..3 }
1087 ]
1088 address <lladdr> - sets the system identifier component
1091 of secure channel for this MACsec device.
1092 port PORT - sets the port number component of secure
1095 channel for this MACsec device, in a range from 1 to
1096 65535 inclusive. Numbers with a leading " 0 " or " 0x "
1097 are interpreted as octal and hexadecimal, respectively.
1098 sci SCI - sets the secure channel identifier for this
1101 MACsec device. SCI is a 64bit wide number in hexadeci‐
1102 mal format.
1103 cipher CIPHER_SUITE - defines the cipher suite to use.
1106 icvlen LENGTH - sets the length of the Integrity Check
1109 Value (ICV).
1110 encrypt on or encrypt off - switches between authenti‐
1113 cated encryption, or authenticity mode only.
1114 send_sci on or send_sci off - specifies whether the SCI
1117 is included in every packet, or only when it is neces‐
1118 sary.
1119 end_station on or end_station off - sets the End Station
1122 bit.
1123 scb on or scb off - sets the Single Copy Broadcast bit.
1126 protect on or protect off - enables MACsec protection on
1129 the device.
1130 replay on or replay off - enables replay protection on
1133 the device.
1134 window SIZE - sets the size of the replay win‐
1138 dow.
1139 validate strict or validate check or validate disabled -
1143 sets the validation mode on the device.
1144 encodingsa AN - sets the active secure association for
1147 transmission.
1148 VRF Type Support
1152 For a link of type VRF the following additional arguments are
1153 supported:
1154 ip link add DEVICE type vrf table TABLE
1156 table table id associated with VRF device
1159 RMNET Type Support
1163 For a link of type RMNET the following additional arguments are
1164 supported:
1165 ip link add link DEVICE name NAME type rmnet mux_id MUXID
1167 mux_id MUXID - specifies the mux identifier for the rm‐
1170 net device, possible values 1-254.
1171 XFRM Type Support
1175 For a link of type XFRM the following additional arguments are
1176 supported:
1177 ip link add DEVICE type xfrm dev PHYS_DEV [ if_id IF_ID ]
1179 dev PHYS_DEV - specifies the underlying physical inter‐
1182 face from which transform traffic is sent and received.
1183 if_id IF-ID - specifies the hexadecimal lookup key used
1186 to send traffic to and from specific xfrm policies.
1187 Policies must be configured with the same key. If not
1188 set, the key defaults to 0 and will match any policies
1189 which similarly do not have a lookup key configuration.
1190 ip link delete - delete virtual link
1194 dev DEVICE
1195 specifies the virtual device to act operate on.
1196 group GROUP
1199 specifies the group of virtual links to delete. Group 0 is not
1200 allowed to be deleted since it is the default group.
1201 type TYPE
1204 specifies the type of the device.
1205 ip link set - change device attributes
1208 Warning: If multiple parameter changes are requested, ip aborts immedi‐
1209 ately after any of the changes have failed. This is the only case when
1210 ip can move the system to an unpredictable state. The solution is to
1211 avoid changing several parameters with one ip link set call. The modi‐
1212 fier change is equivalent to set.
1213 dev DEVICE
1217 DEVICE specifies network device to operate on. When configuring
1218 SR-IOV Virtual Function (VF) devices, this keyword should spec‐
1219 ify the associated Physical Function (PF) device.
1220 group GROUP
1223 GROUP has a dual role: If both group and dev are present, then
1224 move the device to the specified group. If only a group is spec‐
1225 ified, then the command operates on all devices in that group.
1226 up and down
1229 change the state of the device to UP or DOWN.
1230 arp on or arp off
1233 change the NOARP flag on the device.
1234 multicast on or multicast off
1237 change the MULTICAST flag on the device.
1238 allmulticast on or allmulticast off
1241 change the ALLMULTI flag on the device. When enabled, instructs
1242 network driver to retrieve all multicast packets from the net‐
1243 work to the kernel for further processing.
1244 promisc on or promisc off
1247 change the PROMISC flag on the device. When enabled, activates
1248 promiscuous operation of the network device.
1249 trailers on or trailers off
1252 change the NOTRAILERS flag on the device, NOT used by the Linux
1253 and exists for BSD compatibility.
1254 protodown on or protodown off
1257 change the PROTODOWN state on the device. Indicates that a pro‐
1258 tocol error has been detected on the port. Switch drivers can
1259 react to this error by doing a phys down on the switch port.
1260 protodown_reason PREASON on or off
1263 set PROTODOWN reasons on the device. protodown reason bit names
1264 can be enumerated under /etc/iproute2/protodown_reasons.d/. pos‐
1265 sible reasons bits 0-31
1266 dynamic on or dynamic off
1269 change the DYNAMIC flag on the device. Indicates that address
1270 can change when interface goes down (currently NOT used by the
1271 Linux).
1272 name NAME
1275 change the name of the device. This operation is not recommended
1276 if the device is running or has some addresses already config‐
1277 ured.
1278 txqueuelen NUMBER
1281 txqlen NUMBER
1283 change the transmit queue length of the device.
1284 mtu NUMBER
1287 change the MTU of the device.
1288 address LLADDRESS
1291 change the station address of the interface.
1292 broadcast LLADDRESS
1295 brd LLADDRESS
1297 peer LLADDRESS
1299 change the link layer broadcast address or the peer address when
1300 the interface is POINTOPOINT.
1301 netns NETNSNAME | PID
1304 move the device to the network namespace associated with name
1305 NETNSNAME or process PID.
1306 Some devices are not allowed to change network namespace: loop‐
1308 back, bridge, wireless. These are network namespace local de‐
1309 vices. In such case ip tool will return "Invalid argument" er‐
1310 ror. It is possible to find out if device is local to a single
1311 network namespace by checking netns-local flag in the output of
1312 the ethtool:
1313 ethtool -k DEVICE
1315 To change network namespace for wireless devices the iw tool can
1317 be used. But it allows to change network namespace only for
1318 physical devices and by process PID.
1319 alias NAME
1322 give the device a symbolic name for easy reference.
1323 group GROUP
1326 specify the group the device belongs to. The available groups
1327 are listed in file /etc/iproute2/group.
1328 vf NUM specify a Virtual Function device to be configured. The associ‐
1331 ated PF device must be specified using the dev parameter.
1332 mac LLADDRESS - change the station address for the spec‐
1334 ified VF. The vf parameter must be specified.
1335 vlan VLANID - change the assigned VLAN for the specified
1338 VF. When specified, all traffic sent from the VF will be
1339 tagged with the specified VLAN ID. Incoming traffic will
1340 be filtered for the specified VLAN ID, and will have all
1341 VLAN tags stripped before being passed to the VF. Set‐
1342 ting this parameter to 0 disables VLAN tagging and fil‐
1343 tering. The vf parameter must be specified.
1344 qos VLAN-QOS - assign VLAN QOS (priority) bits for the
1347 VLAN tag. When specified, all VLAN tags transmitted by
1348 the VF will include the specified priority bits in the
1349 VLAN tag. If not specified, the value is assumed to be
1350 0. Both the vf and vlan parameters must be specified.
1351 Setting both vlan and qos as 0 disables VLAN tagging and
1352 filtering for the VF.
1353 proto VLAN-PROTO - assign VLAN PROTOCOL for the VLAN
1356 tag, either 802.1Q or 802.1ad. Setting to 802.1ad, all
1357 traffic sent from the VF will be tagged with VLAN S-Tag.
1358 Incoming traffic will have VLAN S-Tags stripped before
1359 being passed to the VF. Setting to 802.1ad also enables
1360 an option to concatenate another VLAN tag, so both S-TAG
1361 and C-TAG will be inserted/stripped for outgoing/incom‐
1362 ing traffic, respectively. If not specified, the value
1363 is assumed to be 802.1Q. Both the vf and vlan parameters
1364 must be specified.
1365 rate TXRATE -- change the allowed transmit bandwidth, in
1368 Mbps, for the specified VF. Setting this parameter to 0
1369 disables rate limiting. vf parameter must be specified.
1370 Please use new API max_tx_rate option instead.
1371 max_tx_rate TXRATE - change the allowed maximum transmit
1374 bandwidth, in Mbps, for the specified VF. Setting this
1375 parameter to 0 disables rate limiting. vf parameter
1376 must be specified.
1377 min_tx_rate TXRATE - change the allowed minimum transmit
1380 bandwidth, in Mbps, for the specified VF. Minimum
1381 TXRATE should be always <= Maximum TXRATE. Setting this
1382 parameter to 0 disables rate limiting. vf parameter
1383 must be specified.
1384 spoofchk on|off - turn packet spoof checking on or off
1387 for the specified VF.
1388 query_rss on|off - toggle the ability of querying the
1390 RSS configuration of a specific
1391 VF. VF RSS information like RSS hash key may be con‐
1392 sidered sensitive
1393 on some devices where this information is shared be‐
1394 tween VF and PF
1395 and thus its querying may be prohibited by default.
1396 state auto|enable|disable - set the virtual link state
1398 as seen by the specified VF. Setting to auto means a re‐
1399 flection of the PF link state, enable lets the VF to
1400 communicate with other VFs on this host even if the PF
1401 link state is down, disable causes the HW to drop any
1402 packets sent by the VF.
1403 trust on|off - trust the specified VF user. This enables
1405 that VF user can set a specific feature which may impact
1406 security and/or performance. (e.g. VF multicast promis‐
1407 cuous mode)
1408 node_guid eui64 - configure node GUID for Infiniband
1410 VFs.
1411 port_guid eui64 - configure port GUID for Infiniband
1413 VFs.
1414 xdp object | pinned | off
1417 set (or unset) a XDP ("eXpress Data Path") BPF program to run on
1418 every packet at driver level. ip link output will indicate a
1419 xdp flag for the networking device. If the driver does not have
1420 native XDP support, the kernel will fall back to a slower,
1421 driver-independent "generic" XDP variant. The ip link output
1422 will in that case indicate xdpgeneric instead of xdp only. If
1423 the driver does have native XDP support, but the program is
1424 loaded under xdpgeneric object | pinned then the kernel will use
1425 the generic XDP variant instead of the native one. xdpdrv has
1426 the opposite effect of requestsing that the automatic fallback
1427 to the generic XDP variant be disabled and in case driver is not
1428 XDP-capable error should be returned. xdpdrv also disables
1429 hardware offloads. xdpoffload in ip link output indicates that
1430 the program has been offloaded to hardware and can also be used
1431 to request the "offload" mode, much like xdpgeneric it forces
1432 program to be installed specifically in HW/FW of the apater.
1433 off (or none ) - Detaches any currently attached XDP/BPF program
1435 from the given device.
1436 object FILE - Attaches a XDP/BPF program to the given device.
1438 The FILE points to a BPF ELF file (f.e. generated by LLVM) that
1439 contains the BPF program code, map specifications, etc. If a
1440 XDP/BPF program is already attached to the given device, an er‐
1441 ror will be thrown. If no XDP/BPF program is currently attached,
1442 the device supports XDP and the program from the BPF ELF file
1443 passes the kernel verifier, then it will be attached to the de‐
1444 vice. If the option -force is passed to ip then any prior at‐
1445 tached XDP/BPF program will be atomically overridden and no er‐
1446 ror will be thrown in this case. If no section option is passed,
1447 then the default section name ("prog") will be assumed, other‐
1448 wise the provided section name will be used. If no verbose op‐
1449 tion is passed, then a verifier log will only be dumped on load
1450 error. See also EXAMPLES section for usage examples.
1451 section NAME - Specifies a section name that contains the BPF
1453 program code. If no section name is specified, the default one
1454 ("prog") will be used. This option is to be passed with the ob‐
1455 ject option.
1456 verbose - Act in verbose mode. For example, even in case of suc‐
1458 cess, this will print the verifier log in case a program was
1459 loaded from a BPF ELF file.
1460 pinned FILE - Attaches a XDP/BPF program to the given device.
1462 The FILE points to an already pinned BPF program in the BPF file
1463 system. The option section doesn't apply here, but otherwise se‐
1464 mantics are the same as with the option object described al‐
1465 ready.
1466 master DEVICE
1469 set master device of the device (enslave device).
1470 nomaster
1473 unset master device of the device (release device).
1474 addrgenmode eui64|none|stable_secret|random
1477 set the IPv6 address generation mode
1478 eui64 - use a Modified EUI-64 format interface identifier
1480 none - disable automatic address generation
1482 stable_secret - generate the interface identifier based on a
1484 preset
1485 /proc/sys/net/ipv6/conf/{default,DEVICE}/stable_secret
1486 random - like stable_secret, but auto-generate a new random se‐
1488 cret if none is set
1489 link-netnsid
1492 set peer netnsid for a cross-netns interface
1493 type ETYPE TYPE_ARGS
1496 Change type-specific settings. For a list of supported types and
1497 arguments refer to the description of ip link add above. In ad‐
1498 dition to that, it is possible to manipulate settings to slave
1499 devices:
1500 Bridge Slave Support
1503 For a link with master bridge the following additional arguments
1504 are supported:
1505 ip link set type bridge_slave [ fdb_flush ] [ state STATE ] [
1507 priority PRIO ] [ cost COST ] [ guard { on | off } ] [ hairpin {
1508 on | off } ] [ fastleave { on | off } ] [ root_block { on | off
1509 } ] [ learning { on | off } ] [ flood { on | off } ] [ proxy_arp
1510 { on | off } ] [ proxy_arp_wifi { on | off } ] [ mcast_router
1511 MULTICAST_ROUTER ] [ mcast_fast_leave { on | off} ] [
1512 mcast_flood { on | off } ] [ mcast_to_unicast { on | off } ] [
1513 group_fwd_mask MASK ] [ neigh_suppress { on | off } ] [
1514 vlan_tunnel { on | off } ] [ isolated { on | off } ] [
1515 backup_port DEVICE ] [ nobackup_port ]
1516 fdb_flush - flush bridge slave's fdb dynamic entries.
1519 state STATE - Set port state. STATE is a number repre‐
1521 senting the following states: 0 (disabled), 1 (listen‐
1522 ing), 2 (learning), 3 (forwarding), 4 (blocking).
1523 priority PRIO - set port priority (allowed values are
1525 between 0 and 63, inclusively).
1526 cost COST - set port cost (allowed values are between 1
1528 and 65535, inclusively).
1529 guard { on | off } - block incoming BPDU packets on this
1531 port.
1532 hairpin { on | off } - enable hairpin mode on this port.
1534 This will allow incoming packets on this port to be re‐
1535 flected back.
1536 fastleave { on | off } - enable multicast fast leave on
1538 this port.
1539 root_block { on | off } - block this port from becoming
1541 the bridge's root port.
1542 learning { on | off } - allow MAC address learning on
1544 this port.
1545 flood { on | off } - open the flood gates on this port,
1547 i.e. forward all unicast frames to this port also. Re‐
1548 quires proxy_arp and proxy_arp_wifi to be turned off.
1549 proxy_arp { on | off } - enable proxy ARP on this port.
1551 proxy_arp_wifi { on | off } - enable proxy ARP on this
1553 port which meets extended requirements by IEEE 802.11
1554 and Hotspot 2.0 specifications.
1555 mcast_router MULTICAST_ROUTER - configure this port for
1557 having multicast routers attached. A port with a multi‐
1558 cast router will receive all multicast traffic. MULTI‐
1559 CAST_ROUTER may be either 0 to disable multicast routers
1560 on this port, 1 to let the system detect the presence of
1561 of routers (this is the default), 2 to permanently en‐
1562 able multicast traffic forwarding on this port or 3 to
1563 enable multicast routers temporarily on this port, not
1564 depending on incoming queries.
1565 mcast_fast_leave { on | off } - this is a synonym to the
1567 fastleave option above.
1568 mcast_flood { on | off } - controls whether a given port
1570 will flood multicast traffic for which
1571 there is no MDB entry.
1572 mcast_to_unicast { on | off } - controls whether a given
1574 port will replicate packets using unicast
1575 instead of multicast. By default this flag is off.
1576 group_fwd_mask MASK - set the group forward mask. This
1578 is the bitmask that is applied to decide whether to for‐
1579 ward incoming frames destined to link-local addresses,
1580 ie addresses of the form 01:80:C2:00:00:0X (defaults to
1581 0, ie the bridge does not forward any link-local frames
1582 coming on this port).
1583 neigh_suppress { on | off } - controls whether neigh
1585 discovery (arp and nd) proxy and suppression is enabled
1586 on the port. By default this flag is off.
1587 vlan_tunnel { on | off } - controls whether vlan to tun‐
1589 nel mapping is enabled on the port. By default this flag
1590 is off.
1591 backup_port DEVICE - if the port loses carrier all traf‐
1593 fic will be redirected to the configured backup port
1594 nobackup_port - removes the currently configured backup
1596 port
1597 Bonding Slave Support
1601 For a link with master bond the following additional arguments
1602 are supported:
1603 ip link set type bond_slave [ queue_id ID ]
1605 queue_id ID - set the slave's queue ID (a 16bit unsigned
1608 value).
1609 MACVLAN and MACVTAP Support
1613 Modify list of allowed macaddr for link in source mode.
1614 ip link set type { macvlan | macvap } [ macaddr COMMAND MACADDR
1616 ... ]
1617 Commands:
1619 add - add MACADDR to allowed list
1620 set - replace allowed list
1622 del - remove MACADDR from allowed list
1624 flush - flush whole allowed list
1626 ip link show - display device attributes
1631 dev NAME (default)
1632 NAME specifies the network device to show.
1633 group GROUP
1636 GROUP specifies what group of devices to show.
1637 up only display running interfaces.
1640 master DEVICE
1643 DEVICE specifies the master device which enslaves devices to
1644 show.
1645 vrf NAME
1648 NAME speficies the VRF which enslaves devices to show.
1649 type TYPE
1652 TYPE specifies the type of devices to show.
1653 Note that the type name is not checked against the list of sup‐
1655 ported types - instead it is sent as-is to the kernel. Later it
1656 is used to filter the returned interface list by comparing it
1657 with the relevant attribute in case the kernel didn't filter al‐
1658 ready. Therefore any string is accepted, but may lead to empty
1659 output.
1660 ip link xstats - display extended statistics
1663 type TYPE
1664 TYPE specifies the type of devices to display extended statis‐
1665 tics for.
1666 ip link afstats - display address-family specific statistics
1669 dev DEVICE
1670 DEVICE specifies the device to display address-family statistics
1671 for.
1672 ip link help - display help
1675 TYPE specifies which help of link type to display.
1676 GROUP
1679 may be a number or a string from the file /etc/iproute2/group which can
1680 be manually filled.
1681
1684 ip link show
1685 Shows the state of all network interfaces on the system.
1686 ip link show type bridge
1688 Shows the bridge devices.
1689 ip link show type vlan
1691 Shows the vlan devices.
1692 ip link show master br0
1694 Shows devices enslaved by br0
1695 ip link set dev ppp0 mtu 1400
1697 Change the MTU the ppp0 device.
1698 ip link add link eth0 name eth0.10 type vlan id 10
1700 Creates a new vlan device eth0.10 on device eth0.
1701 ip link delete dev eth0.10
1703 Removes vlan device.
1704 ip link help gre
1706 Display help for the gre link type.
1707 ip link add name tun1 type ipip remote 192.168.1.1 local 192.168.1.2
1709 ttl 225 encap gue encap-sport auto encap-dport 5555 encap-csum encap-
1710 remcsum
1711 Creates an IPIP that is encapsulated with Generic UDP Encapsula‐
1712 tion, and the outer UDP checksum and remote checksum offload are
1713 enabled.
1714 ip link set dev eth0 xdp obj prog.o
1716 Attaches a XDP/BPF program to device eth0, where the program is lo‐
1717 cated in prog.o, section "prog" (default section). In case a
1718 XDP/BPF program is already attached, throw an error.
1719 ip -force link set dev eth0 xdp obj prog.o sec foo
1721 Attaches a XDP/BPF program to device eth0, where the program is lo‐
1722 cated in prog.o, section "foo". In case a XDP/BPF program is al‐
1723 ready attached, it will be overridden by the new one.
1724 ip -force link set dev eth0 xdp pinned /sys/fs/bpf/foo
1726 Attaches a XDP/BPF program to device eth0, where the program was
1727 previously pinned as an object node into BPF file system under name
1728 foo.
1729 ip link set dev eth0 xdp off
1731 If a XDP/BPF program is attached on device eth0, detach it and ef‐
1732 fectively turn off XDP for device eth0.
1733 ip link add link wpan0 lowpan0 type lowpan
1735 Creates a 6LoWPAN interface named lowpan0 on the underlying IEEE
1736 802.15.4 device wpan0.
1737 ip link add dev ip6erspan11 type ip6erspan seq key 102 local
1739 fc00:100::2 remote fc00:100::1 erspan_ver 2 erspan_dir ingress
1740 erspan_hwid 17
1741 Creates a IP6ERSPAN version 2 interface named ip6erspan00.
1742
1745 ip(8), ip-netns(8), ethtool(8), iptables(8)
1746
1749 Original Manpage by Michail Litvak <mci@owl.openwall.com>
1750iproute2 13 Dec 2012 IP-LINK(8)