SYSTEMD.NETDEV(5)               systemd.network              SYSTEMD.NETDEV(5)

NAME

       systemd.netdev - Virtual Network Device configuration

SYNOPSIS

       netdev.netdev

DESCRIPTION

       A plain ini-style text file that encodes configuration about a virtual
       network device, used by systemd-networkd(8). See systemd.syntax(7) for
       a general description of the syntax.

       The main Virtual Network Device file must have the extension .netdev;
       other extensions are ignored. Virtual network devices are created as
       soon as networkd is started. If a netdev with the specified name
       already exists, networkd will use that as-is rather than create its
       own. Note that the settings of the pre-existing netdev will not be
       changed by networkd.

       The .netdev files are read from the files located in the system network
       directory /usr/lib/systemd/network, the volatile runtime network
       directory /run/systemd/network and the local administration network
       directory /etc/systemd/network. All configuration files are
       collectively sorted and processed in lexical order, regardless of the
       directories in which they live. However, files with identical filenames
       replace each other. Files in /etc/ have the highest priority, files in
       /run/ take precedence over files with the same name in /usr/lib/. This
       can be used to override a system-supplied configuration file with a
       local file if needed. As a special case, an empty file (file size 0) or
       symlink with the same name pointing to /dev/null disables the
       configuration file entirely (it is "masked").

       Along with the netdev file foo.netdev, a "drop-in" directory
       foo.netdev.d/ may exist. All files with the suffix ".conf" from this
       directory will be merged in the alphanumeric order and parsed after the
       main file itself has been parsed. This is useful to alter or add
       configuration settings, without having to modify the main configuration
       file. Each drop-in file must have appropriate section headers.

       In addition to /etc/systemd/network, drop-in ".d" directories can be
       placed in /usr/lib/systemd/network or /run/systemd/network directories.
       Drop-in files in /etc/ take precedence over those in /run/ which in
       turn take precedence over those in /usr/lib/. Drop-in files under any
       of these directories take precedence over the main netdev file wherever
       located. (Of course, since /run/ is temporary and /usr/lib/ is for
       vendors, it is unlikely drop-ins should be used in either of those
       places.)
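
       The lookup rules above decide which file actually configures a device,
       so a review of a host should start from the resolved view rather than
       from one directory. The following is an added example, not code from
       systemd: it models the precedence, masking and drop-in rules described
       above (same-named drop-ins are assumed to replace each other, as main
       files do), and build_sample_tree() creates a constructed sample layout.

```python
import os
import tempfile

# Search path from the text above, lowest to highest priority.
SEARCH_DIRS = ["/usr/lib/systemd/network", "/run/systemd/network",
               "/etc/systemd/network"]


def is_masked(path):
    """True for an empty file or a symlink that resolves to /dev/null."""
    return os.path.realpath(path) == "/dev/null" or os.path.getsize(path) == 0


def resolve_netdevs(roots=SEARCH_DIRS):
    """Return one record per .netdev file name, in lexical processing order.

    roots is ordered lowest priority first. Each record names the winning
    path, the lower-priority copies it shadows, and the drop-ins applied.
    """
    candidates = {}  # file name -> [paths, lowest priority first]
    dropins = {}     # file name -> {drop-in name -> winning path}
    for root in roots:
        if not os.path.isdir(root):
            continue
        for entry in sorted(os.listdir(root)):
            full = os.path.join(root, entry)
            if entry.endswith(".netdev") and not os.path.isdir(full):
                candidates.setdefault(entry, []).append(full)
            elif entry.endswith(".netdev.d") and os.path.isdir(full):
                merged = dropins.setdefault(entry[:-2], {})
                for conf in os.listdir(full):
                    if conf.endswith(".conf"):
                        # A later (higher-priority) root replaces the entry.
                        merged[conf] = os.path.join(full, conf)
    report = []
    for name in sorted(candidates):
        *shadowed, winner = candidates[name]
        masked = is_masked(winner)
        confs = dropins.get(name, {})
        report.append({
            "name": name,
            "path": winner,
            "masked": masked,
            "shadowed": shadowed,
            # A masked file is disabled entirely, so no drop-ins apply.
            "dropins": [] if masked else [confs[c] for c in sorted(confs)],
        })
    return report


def build_sample_tree(base):
    """Create a constructed sample layout under base (not real system paths)."""
    files = {
        "usr/lib/05-dummy.netdev": "[NetDev]\nName=dummy0\nKind=dummy\n",
        "usr/lib/10-br0.netdev": "[NetDev]\nName=br0\nKind=bridge\n",
        "usr/lib/10-br0.netdev.d/50-stp.conf": "[Bridge]\nSTP=yes\n",
        "usr/lib/20-vx0.netdev": "[NetDev]\nName=vx0\nKind=vxlan\n",
        "run/20-vx0.netdev": "",  # empty file: masks the vendor copy
        "etc/10-br0.netdev": "[NetDev]\nName=br0\nKind=bridge\nMTUBytes=9000\n",
        "etc/10-br0.netdev.d/10-age.conf": "[Bridge]\nAgeingTimeSec=300\n",
        "etc/10-br0.netdev.d/50-stp.conf": "[Bridge]\nSTP=no\n",
    }
    for rel, text in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    # Masking by symlink to /dev/null.
    os.symlink("/dev/null", os.path.join(base, "etc/05-dummy.netdev"))
    return [os.path.join(base, d) for d in ("usr/lib", "run", "etc")]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as scratch:
        for item in resolve_netdevs(build_sample_tree(scratch)):
            print(item)
```

       A non-empty "shadowed" list or a masked entry marks a vendor file that
       a local or runtime file has overridden or disabled.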

SUPPORTED NETDEV KINDS

       The following kinds of virtual network devices may be configured in
       .netdev files:

       Table 1. Supported kinds of virtual network devices
       ┌──────────┬────────────────────────────┐
       │Kind      │ Description                │
       ├──────────┼────────────────────────────┤
       │bond      │ A bond device is an        │
       │          │ aggregation of all its     │
       │          │ slave devices. See Linux   │
       │          │ Ethernet Bonding Driver    │
       │          │ HOWTO[1] for details.      │
       ├──────────┼────────────────────────────┤
       │bridge    │ A bridge device is a       │
       │          │ software switch, and each  │
       │          │ of its slave devices and   │
       │          │ the bridge itself are      │
       │          │ ports of the switch.       │
       ├──────────┼────────────────────────────┤
       │dummy     │ A dummy device drops all   │
       │          │ packets sent to it.        │
       ├──────────┼────────────────────────────┤
       │gre       │ A Level 3 GRE tunnel over  │
       │          │ IPv4. See RFC 2784[2] for  │
       │          │ details.                   │
       ├──────────┼────────────────────────────┤
       │gretap    │ A Level 2 GRE tunnel over  │
       │          │ IPv4.                      │
       ├──────────┼────────────────────────────┤
       │erspan    │ ERSPAN mirrors traffic on  │
       │          │ one or more source ports   │
       │          │ and delivers the mirrored  │
       │          │ traffic to one or more     │
       │          │ destination ports on       │
       │          │ another switch. The        │
       │          │ traffic is encapsulated in │
       │          │ generic routing            │
       │          │ encapsulation (GRE) and is │
       │          │ therefore routable across  │
       │          │ a layer 3 network between  │
       │          │ the source switch and the  │
       │          │ destination switch.        │
       ├──────────┼────────────────────────────┤
       │ip6gre    │ A Level 3 GRE tunnel over  │
       │          │ IPv6.                      │
       ├──────────┼────────────────────────────┤
       │ip6tnl    │ An IPv4 or IPv6 tunnel     │
       │          │ over IPv6.                 │
       ├──────────┼────────────────────────────┤
       │ip6gretap │ A Level 2 GRE tunnel over  │
       │          │ IPv6.                      │
       ├──────────┼────────────────────────────┤
       │ipip      │ An IPv4 over IPv4 tunnel.  │
       ├──────────┼────────────────────────────┤
       │ipvlan    │ An IPVLAN device is a      │
       │          │ stacked device which       │
       │          │ receives packets from its  │
       │          │ underlying device based on │
       │          │ IP address filtering.      │
       ├──────────┼────────────────────────────┤
       │ipvtap    │ An IPVTAP device is a      │
       │          │ stacked device which       │
       │          │ receives packets from its  │
       │          │ underlying device based on │
       │          │ IP address filtering and   │
       │          │ can be accessed using the  │
       │          │ tap user space interface.  │
       ├──────────┼────────────────────────────┤
       │macvlan   │ A macvlan device is a      │
       │          │ stacked device which       │
       │          │ receives packets from its  │
       │          │ underlying device based on │
       │          │ MAC address filtering.     │
       ├──────────┼────────────────────────────┤
       │macvtap   │ A macvtap device is a      │
       │          │ stacked device which       │
       │          │ receives packets from its  │
       │          │ underlying device based on │
       │          │ MAC address filtering.     │
       ├──────────┼────────────────────────────┤
       │sit       │ An IPv6 over IPv4 tunnel.  │
       ├──────────┼────────────────────────────┤
       │tap       │ A persistent Level 2       │
       │          │ tunnel between a network   │
       │          │ device and a device node.  │
       ├──────────┼────────────────────────────┤
       │tun       │ A persistent Level 3       │
       │          │ tunnel between a network   │
       │          │ device and a device node.  │
       ├──────────┼────────────────────────────┤
       │veth      │ An Ethernet tunnel between │
       │          │ a pair of network devices. │
       ├──────────┼────────────────────────────┤
       │vlan      │ A VLAN is a stacked device │
       │          │ which receives packets     │
       │          │ from its underlying device │
       │          │ based on VLAN tagging. See │
       │          │ IEEE 802.1Q[3] for         │
       │          │ details.                   │
       ├──────────┼────────────────────────────┤
       │vti       │ An IPv4 over IPSec tunnel. │
       ├──────────┼────────────────────────────┤
       │vti6      │ An IPv6 over IPSec tunnel. │
       ├──────────┼────────────────────────────┤
       │vxlan     │ A virtual extensible LAN   │
       │          │ (vxlan), for connecting    │
       │          │ Cloud computing            │
       │          │ deployments.               │
       ├──────────┼────────────────────────────┤
       │geneve    │ A GEneric NEtwork          │
       │          │ Virtualization             │
       │          │ Encapsulation (GENEVE)     │
       │          │ netdev driver.             │
       ├──────────┼────────────────────────────┤
       │l2tp      │ A Layer 2 Tunneling        │
       │          │ Protocol (L2TP) is a       │
       │          │ tunneling protocol used to │
       │          │ support virtual private    │
       │          │ networks (VPNs) or as part │
       │          │ of the delivery of         │
       │          │ services by ISPs. It does  │
       │          │ not provide any encryption │
       │          │ or confidentiality by      │
       │          │ itself.                    │
       ├──────────┼────────────────────────────┤
       │macsec    │ Media Access Control       │
       │          │ Security (MACsec) is an    │
       │          │ 802.1AE IEEE               │
       │          │ industry-standard security │
       │          │ technology that provides   │
       │          │ secure communication for   │
       │          │ all traffic on Ethernet    │
       │          │ links. MACsec provides     │
       │          │ point-to-point security on │
       │          │ Ethernet links between     │
       │          │ directly connected nodes   │
       │          │ and is capable of          │
       │          │ identifying and preventing │
       │          │ most security threats.     │
       ├──────────┼────────────────────────────┤
       │vrf       │ A Virtual Routing and      │
       │          │ Forwarding (VRF[4])        │
       │          │ interface to create        │
       │          │ separate routing and       │
       │          │ forwarding domains.        │
       ├──────────┼────────────────────────────┤
       │vcan      │ The virtual CAN driver     │
       │          │ (vcan). Similar to the     │
       │          │ network loopback devices,  │
       │          │ vcan offers a virtual      │
       │          │ local CAN interface.       │
       ├──────────┼────────────────────────────┤
       │vxcan     │ The virtual CAN tunnel     │
       │          │ driver (vxcan). Similar to │
       │          │ the virtual ethernet       │
       │          │ driver veth, vxcan         │
       │          │ implements a local CAN     │
       │          │ traffic tunnel between two │
       │          │ virtual CAN network        │
       │          │ devices. When creating a   │
       │          │ vxcan, two vxcan devices   │
       │          │ are created as a pair.     │
       │          │ When one end receives the  │
       │          │ packet it appears on its   │
       │          │ pair and vice versa. The   │
       │          │ vxcan can be used for      │
       │          │ cross namespace            │
       │          │ communication.             │
       ├──────────┼────────────────────────────┤
       │wireguard │ WireGuard Secure Network   │
       │          │ Tunnel.                    │
       ├──────────┼────────────────────────────┤
       │nlmon     │ A Netlink monitor device.  │
       │          │ Use an nlmon device when   │
       │          │ you want to monitor system │
       │          │ Netlink messages.          │
       ├──────────┼────────────────────────────┤
       │fou       │ Foo-over-UDP tunneling.    │
       ├──────────┼────────────────────────────┤
       │xfrm      │ A virtual tunnel interface │
       │          │ like vti/vti6 but with     │
       │          │ several advantages.        │
       ├──────────┼────────────────────────────┤
       │ifb       │ The Intermediate           │
       │          │ Functional Block (ifb)     │
       │          │ pseudo network interface   │
       │          │ acts as a QoS concentrator │
       │          │ for multiple different     │
       │          │ sources of traffic.        │
       ├──────────┼────────────────────────────┤
       │bareudp   │ Bare UDP tunnels provide a │
       │          │ generic L3 encapsulation   │
       │          │ support for tunnelling     │
       │          │ different L3 protocols     │
       │          │ like MPLS, IP etc. inside  │
       │          │ of an UDP tunnel.          │
       ├──────────┼────────────────────────────┤
       │batadv    │ B.A.T.M.A.N. Advanced[5]   │
       │          │ is a routing protocol for  │
       │          │ multi-hop mobile ad-hoc    │
       │          │ networks which operates on │
       │          │ layer 2.                   │
       └──────────┴────────────────────────────┘

[MATCH] SECTION OPTIONS

       A virtual network device is only created if the [Match] section matches
       the current environment, or if the section is empty. The following keys
       are accepted:

       Host=
           Matches against the hostname or machine ID of the host. See
           "ConditionHost=" in systemd.unit(5) for details. When prefixed with
           an exclamation mark ("!"), the result is negated. If an empty
           string is assigned, the previously assigned value is cleared.

       Virtualization=
           Checks whether the system is executed in a virtualized environment
           and optionally tests whether it is a specific implementation. See
           "ConditionVirtualization=" in systemd.unit(5) for details. When
           prefixed with an exclamation mark ("!"), the result is negated. If
           an empty string is assigned, the previously assigned value is
           cleared.

       KernelCommandLine=
           Checks whether a specific kernel command line option is set. See
           "ConditionKernelCommandLine=" in systemd.unit(5) for details. When
           prefixed with an exclamation mark ("!"), the result is negated. If
           an empty string is assigned, the previously assigned value is
           cleared.

       KernelVersion=
           Checks whether the kernel version (as reported by uname -r) matches
           a certain expression. See "ConditionKernelVersion=" in
           systemd.unit(5) for details. When prefixed with an exclamation mark
           ("!"), the result is negated. If an empty string is assigned, the
           previously assigned value is cleared.

       Architecture=
           Checks whether the system is running on a specific architecture.
           See "ConditionArchitecture=" in systemd.unit(5) for details. When
           prefixed with an exclamation mark ("!"), the result is negated. If
           an empty string is assigned, the previously assigned value is
           cleared.

       Firmware=
           Checks whether the system is running on a machine with the
           specified firmware. See "ConditionFirmware=" in systemd.unit(5) for
           details. When prefixed with an exclamation mark ("!"), the result
           is negated. If an empty string is assigned, the previously
           assigned value is cleared.

[NETDEV] SECTION OPTIONS

       The [NetDev] section accepts the following keys:

       Description=
           A free-form description of the netdev.

       Name=
           The interface name used when creating the netdev. This setting is
           compulsory.

       Kind=
           The netdev kind. This setting is compulsory. See the "Supported
           netdev kinds" section for the valid keys.

       MTUBytes=
           The maximum transmission unit in bytes to set for the device. The
           usual suffixes K, M, G are supported and are understood to the base
           of 1024. For "tun" or "tap" devices, the MTUBytes= setting is not
           currently supported in the [NetDev] section. Please specify it in
           the [Link] section of the corresponding systemd.network(5) files.

       MACAddress=
           The MAC address to use for the device. For "tun" or "tap" devices,
           setting MACAddress= in the [NetDev] section is not supported.
           Please specify it in the [Link] section of the corresponding
           systemd.network(5) file. If this option is not set, "vlan" devices
           inherit the MAC address of the physical interface. For other kinds
           of netdevs, if this option is not set, the MAC address is
           generated based on the interface name and the machine-id(5).

[BRIDGE] SECTION OPTIONS

       The [Bridge] section only applies for netdevs of kind "bridge", and
       accepts the following keys:

       HelloTimeSec=
           HelloTimeSec specifies the number of seconds between two hello
           packets sent out by the root bridge and the designated bridges.
           Hello packets are used to communicate information about the
           topology throughout the entire bridged local area network.

       MaxAgeSec=
           MaxAgeSec specifies the number of seconds of maximum message age.
           If the last seen (received) hello packet is more than this number
           of seconds old, the bridge in question will start the takeover
           procedure in an attempt to become the Root Bridge itself.

       ForwardDelaySec=
           ForwardDelaySec specifies the number of seconds spent in each of
           the Listening and Learning states before the Forwarding state is
           entered.

       AgeingTimeSec=
           This specifies the number of seconds a MAC Address will be kept in
           the forwarding database after a packet has been received from this
           MAC Address.

       Priority=
           The priority of the bridge. An integer between 0 and 65535. A lower
           value means higher priority. The bridge having the lowest priority
           will be elected as root bridge.

       GroupForwardMask=
           A 16-bit bitmask represented as an integer which allows forwarding
           of link local frames with 802.1D reserved addresses
           (01:80:C2:00:00:0X). A logical AND is performed between the
           specified bitmask and 2^X, where X is the lower nibble of the last
           octet of the MAC address. For example, a value of 8 would allow
           forwarding of frames addressed to 01:80:C2:00:00:03 (802.1X PAE).

       DefaultPVID=
           This specifies the default port VLAN ID of a newly attached bridge
           port. Set this to an integer in the range 1...4094 or "none" to
           disable the PVID.

       MulticastQuerier=
           Takes a boolean. This setting controls the IFLA_BR_MCAST_QUERIER
           option in the kernel. If enabled, the kernel will send general ICMP
           queries from a zero source address. This feature should allow
           faster convergence on startup, but it causes some multicast-aware
           switches to misbehave and disrupt forwarding of multicast packets.
           When unset, the kernel's default will be used.

       MulticastSnooping=
           Takes a boolean. This setting controls the IFLA_BR_MCAST_SNOOPING
           option in the kernel. If enabled, IGMP snooping monitors the
           Internet Group Management Protocol (IGMP) traffic between hosts and
           multicast routers. When unset, the kernel's default will be used.

       VLANFiltering=
           Takes a boolean. This setting controls the IFLA_BR_VLAN_FILTERING
           option in the kernel. If enabled, the bridge will be started in
           VLAN-filtering mode. When unset, the kernel's default will be used.

       VLANProtocol=
           Allows setting the protocol used for VLAN filtering. Takes "802.1q"
           or "802.1ad". Defaults to unset, in which case the kernel's default
           is used.

       STP=
           Takes a boolean. This enables the bridge's Spanning Tree Protocol
           (STP). When unset, the kernel's default will be used.

       MulticastIGMPVersion=
           Allows changing bridge's multicast Internet Group Management
           Protocol (IGMP) version. Takes an integer 2 or 3. When unset, the
           kernel's default will be used.
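
       GroupForwardMask= decides which link-local control frames cross the
       bridge, so it is worth decoding before deployment. The following is an
       added example, not code from systemd: it applies the 2^X rule described
       above and compares a mask with the addresses an operator intends to
       forward. The protocol names for the nibbles and the note that the Linux
       bridge driver declines bits 0 to 2 (STP, MAC pause, LACP) are not from
       this page; the sample values are constructed.

```python
# Names for well-known 01:80:C2:00:00:0X group addresses (not from this page).
WELL_KNOWN = {
    0x0: "STP bridge group address",
    0x1: "802.3x MAC pause",
    0x2: "slow protocols (LACP)",
    0x3: "802.1X PAE",
    0xE: "LLDP",
}

# Bits 0..2: the Linux bridge driver refuses to forward these (not from this page).
RESTRICTED_BITS = 0x0007

PREFIX = ["01", "80", "C2", "00", "00"]


def decode_group_forward_mask(mask):
    """List (address, name) for every reserved address the mask forwards."""
    if not 0 <= mask <= 0xFFFF:
        raise ValueError("GroupForwardMask= is a 16-bit bitmask")
    return [
        (f"01:80:C2:00:00:{x:02X}", WELL_KNOWN.get(x, "unnamed reserved address"))
        for x in range(16)
        if mask & (1 << x)  # bit X set <=> 01:80:C2:00:00:0X is forwarded
    ]


def mask_for(addresses):
    """Inverse direction: the mask value that forwards exactly these addresses."""
    mask = 0
    for addr in addresses:
        octets = addr.upper().replace("-", ":").split(":")
        if len(octets) != 6 or octets[:5] != PREFIX:
            raise ValueError(f"{addr} is not an 802.1D reserved address")
        nibble = int(octets[5], 16)
        if nibble > 0x0F:
            raise ValueError(f"{addr} is outside 01:80:C2:00:00:0X")
        mask |= 1 << nibble
    return mask


def audit_mask(mask, intended):
    """Compare a configured mask with the addresses meant to be forwarded."""
    want = mask_for(intended)
    only = lambda bits: [addr for addr, _ in decode_group_forward_mask(bits)]
    return {
        "unexpected": only(mask & ~want & 0xFFFF),  # forwarded but not intended
        "missing": only(want & ~mask & 0xFFFF),     # intended but not forwarded
        "restricted": only(mask & RESTRICTED_BITS),
    }


if __name__ == "__main__":
    print(decode_group_forward_mask(8))
    # Constructed case: operator wants 802.1X only, file says 0x4009.
    print(audit_mask(0x4009, ["01:80:C2:00:00:03"]))
```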

[VLAN] SECTION OPTIONS

       The [VLAN] section only applies for netdevs of kind "vlan", and accepts
       the following keys:

       Id=
           The VLAN ID to use. An integer in the range 0...4094. This setting
           is compulsory.

       Protocol=
           Allows setting the protocol used for the VLAN interface. Takes
           "802.1q" or "802.1ad". Defaults to unset, in which case the
           kernel's default is used.

       GVRP=
           Takes a boolean. The Generic VLAN Registration Protocol (GVRP) is a
           protocol that allows automatic learning of VLANs on a network. When
           unset, the kernel's default will be used.

       MVRP=
           Takes a boolean. Multiple VLAN Registration Protocol (MVRP),
           formerly known as GARP VLAN Registration Protocol (GVRP), is a
           standards-based Layer 2 network protocol for automatic
           configuration of VLAN information on switches. It was defined in
           the 802.1ak amendment to 802.1Q-2005. When unset, the kernel's
           default will be used.

       LooseBinding=
           Takes a boolean. The VLAN loose binding mode, in which only the
           operational state is passed from the parent to the associated
           VLANs, but the VLAN device state is not changed. When unset, the
           kernel's default will be used.

       ReorderHeader=
           Takes a boolean. When enabled, the VLAN reorder header is used and
           VLAN interfaces behave like physical interfaces. When unset, the
           kernel's default will be used.

       EgressQOSMaps=
           Defines a mapping of Linux internal packet priority (SO_PRIORITY)
           to VLAN header PCP field for outgoing frames. Takes a
           whitespace-separated list of unsigned integer pairs in the format
           "from"-"to", e.g., "21-7 45-5", with values in the range
           1–4294967294. Note that "from" must be greater than or equal to
           "to". When unset, the kernel's default will be used.

       IngressQOSMaps=
           Defines a mapping of Linux internal packet priority (SO_PRIORITY)
           to VLAN header PCP field for incoming frames. Takes a
           whitespace-separated list of unsigned integer pairs in the format
           "from"-"to", e.g., "21-7 45-5", with values in the range
           1–4294967294. Note that "from" must be greater than or equal to
           "to". When unset, the kernel's default will be used.

[MACVLAN] SECTION OPTIONS

       The [MACVLAN] section only applies for netdevs of kind "macvlan", and
       accepts the following keys:

       Mode=
           The MACVLAN mode to use. The supported options are "private",
           "vepa", "bridge", "passthru", and "source".

       SourceMACAddress=
           A whitespace-separated list of remote hardware addresses allowed on
           the MACVLAN. This option only has an effect in source mode. Use
           full colon-, hyphen- or dot-delimited hexadecimal. This option may
           appear more than once, in which case the lists are merged. If the
           empty string is assigned to this option, the list of hardware
           addresses defined prior to this is reset. Defaults to unset.

       BroadcastMulticastQueueLength=
           Specifies the length of the receive queue for broadcast/multicast
           packets. An unsigned integer in the range 0...4294967294. Defaults
           to unset.

[MACVTAP] SECTION OPTIONS

       The [MACVTAP] section applies for netdevs of kind "macvtap" and accepts
       the same keys as [MACVLAN].

[IPVLAN] SECTION OPTIONS

       The [IPVLAN] section only applies for netdevs of kind "ipvlan", and
       accepts the following keys:

       Mode=
           The IPVLAN mode to use. The supported options are "L2", "L3" and
           "L3S".

       Flags=
           The IPVLAN flags to use. The supported options are "bridge",
           "private" and "vepa".

[IPVTAP] SECTION OPTIONS

       The [IPVTAP] section only applies for netdevs of kind "ipvtap" and
       accepts the same keys as [IPVLAN].

[VXLAN] SECTION OPTIONS

       The [VXLAN] section only applies for netdevs of kind "vxlan", and
       accepts the following keys:

       VNI=
           The VXLAN Network Identifier (or VXLAN Segment ID). Takes a number
           in the range 1...16777215.

       Remote=
           Configures the destination IP address.

       Local=
           Configures the local IP address.

       Group=
           Configures VXLAN multicast group IP address. All members of a VXLAN
           must use the same multicast group address.

       TOS=
           The Type Of Service byte value for a vxlan interface.

       TTL=
           A fixed Time To Live N on Virtual eXtensible Local Area Network
           packets. Takes "inherit" or a number in the range 0...255. 0 is a
           special value meaning inherit the inner protocol's TTL value.
           "inherit" means that it will inherit the outer protocol's TTL
           value.

       MacLearning=
           Takes a boolean. When true, enables dynamic MAC learning to
           discover remote MAC addresses.

       FDBAgeingSec=
           The lifetime of a Forwarding Database entry learnt by the kernel,
           in seconds.

       MaximumFDBEntries=
           Configures the maximum number of FDB entries.

       ReduceARPProxy=
           Takes a boolean. When true, bridge-connected VXLAN tunnel endpoint
           answers ARP requests from the local bridge on behalf of remote
           Distributed Overlay Virtual Ethernet (DOVE)[6] clients. Defaults to
           false.

       L2MissNotification=
           Takes a boolean. When true, enables netlink LLADDR miss
           notifications.

       L3MissNotification=
           Takes a boolean. When true, enables netlink IP address miss
           notifications.

       RouteShortCircuit=
           Takes a boolean. When true, route short circuiting is turned on.

       UDPChecksum=
           Takes a boolean. When true, transmitting UDP checksums when doing
           VXLAN/IPv4 is turned on.

       UDP6ZeroChecksumTx=
           Takes a boolean. When true, sending zero checksums in VXLAN/IPv6 is
           turned on.

       UDP6ZeroChecksumRx=
           Takes a boolean. When true, receiving zero checksums in VXLAN/IPv6
           is turned on.

       RemoteChecksumTx=
           Takes a boolean. When true, remote transmit checksum offload of
           VXLAN is turned on.

       RemoteChecksumRx=
           Takes a boolean. When true, remote receive checksum offload in
           VXLAN is turned on.

       GroupPolicyExtension=
           Takes a boolean. When true, it enables Group Policy VXLAN extension
           security label mechanism across network peers based on VXLAN. For
           details about the Group Policy VXLAN, see the VXLAN Group Policy[7]
           document. Defaults to false.

       GenericProtocolExtension=
           Takes a boolean. When true, Generic Protocol Extension extends the
           existing VXLAN protocol to provide protocol typing, OAM, and
           versioning capabilities. For details about the VXLAN GPE Header,
           see the Generic Protocol Extension for VXLAN[8] document. If the
           destination port is not specified and Generic Protocol Extension is
           set, then the default port of 4790 is used. Defaults to false.

       DestinationPort=
           Configures the default destination UDP port. If the destination
           port is not specified then Linux kernel default will be used. Set
           to 4789 to get the IANA assigned value.

       PortRange=
           Configures the source port range for the VXLAN. The kernel assigns
           the source UDP port based on the flow to help the receiver to do
           load balancing. When this option is not set, the normal range of
           local UDP ports is used.

       FlowLabel=
           Specifies the flow label to use in outgoing packets. The valid
           range is 0-1048575.

       IPDoNotFragment=
           Allows setting the IPv4 Do not Fragment (DF) bit in outgoing
           packets, or to inherit its value from the IPv4 inner header. Takes
           a boolean value, or "inherit". Set to "inherit" if the encapsulated
           protocol is IPv6. When unset, the kernel's default will be used.

[GENEVE] SECTION OPTIONS

       The [GENEVE] section only applies for netdevs of kind "geneve", and
       accepts the following keys:

       Id=
           Specifies the Virtual Network Identifier (VNI) to use, a number
           between 0 and 16777215. This field is mandatory.

       Remote=
           Specifies the unicast destination IP address to use in outgoing
           packets.

       TOS=
           Specifies the TOS value to use in outgoing packets. Takes a number
           between 1 and 255.

       TTL=
           Accepts the same values as in the [VXLAN] section, except that when
           unset or set to 0, the kernel's default will be used, meaning that
           packet TTL will be set from /proc/sys/net/ipv4/ip_default_ttl.

       UDPChecksum=
           Takes a boolean. When true, specifies that UDP checksum is
           calculated for transmitted packets over IPv4.

       UDP6ZeroChecksumTx=
           Takes a boolean. When true, skip UDP checksum calculation for
           transmitted packets over IPv6.

       UDP6ZeroChecksumRx=
           Takes a boolean. When true, allows incoming UDP packets over IPv6
           with zero checksum field.

       DestinationPort=
           Specifies destination port. Defaults to 6081. If not set or
           assigned the empty string, the default port of 6081 is used.

       FlowLabel=
           Specifies the flow label to use in outgoing packets.

       IPDoNotFragment=
           Accepts the same key as in the [VXLAN] section.

       Independent=
           Takes a boolean. When true, the vxlan interface is created without
           any underlying network interface. Defaults to false, which means
           that a .network file that requests this tunnel using Tunnel= is
           required for the tunnel to be created.

[BAREUDP] SECTION OPTIONS

       The [BareUDP] section only applies for netdevs of kind "bareudp", and
       accepts the following keys:

       DestinationPort=
           Specifies the destination UDP port (in range 1...65535). This is
           mandatory.

       EtherType=
           Specifies the L3 protocol. Takes one of "ipv4", "ipv6", "mpls-uc"
           or "mpls-mc". This is mandatory.

[L2TP] SECTION OPTIONS

678       The [L2TP] section only applies for netdevs of kind "l2tp", and accepts
679       the following keys:
680
681       TunnelId=
682           Specifies the tunnel identifier. Takes a number in the range
683           1...4294967295. The value used must match the "PeerTunnelId=" value
684           being used at the peer. This setting is compulsory.
685
686       PeerTunnelId=
687           Specifies the peer tunnel id. Takes a number in the range
688           1...4294967295. The value used must match the "TunnelId=" value
689           being used at the peer. This setting is compulsory.
690
691       Remote=
692           Specifies the IP address of the remote peer. This setting is
693           compulsory.
694
695       Local=
696           Specifies the IP address of the local interface. Takes an IP
697           address, or the special values "auto", "static", or "dynamic". When
698           an address is set, then the local interface must have the address.
699           If "auto", then one of the addresses on the local interface is
700           used. Similarly, if "static" or "dynamic" is set, then one of the
701           static or dynamic addresses on the local interface is used.
702           Defaults to "auto".
703
704       EncapsulationType=
705           Specifies the encapsulation type of the tunnel. Takes one of "udp"
706           or "ip".
707
708       UDPSourcePort=
709           Specifies the UDP source port to be used for the tunnel. When UDP
710           encapsulation is selected it's mandatory. Ignored when IP
711           encapsulation is selected.
712
713       UDPDestinationPort=
714           Specifies destination port. When UDP encapsulation is selected it's
715           mandatory. Ignored when IP encapsulation is selected.
716
717       UDPChecksum=
718           Takes a boolean. When true, specifies that UDP checksum is
719           calculated for transmitted packets over IPv4.
720
721       UDP6ZeroChecksumTx=
722           Takes a boolean. When true, skip UDP checksum calculation for
723           transmitted packets over IPv6.
724
725       UDP6ZeroChecksumRx=
726           Takes a boolean. When true, allows incoming UDP packets over IPv6
727           with zero checksum field.
728

[L2TPSESSION] SECTION OPTIONS

730       The [L2TPSession] section only applies for netdevs of kind "l2tp", and
731       accepts the following keys:
732
733       Name=
734           Specifies the name of the session. This setting is compulsory.
735
736       SessionId=
737           Specifies the session identifier. Takes a number in the range
738           1...4294967295. The value used must match the "SessionId=" value
739           being used at the peer. This setting is compulsory.
740
741       PeerSessionId=
742           Specifies the peer session identifier. Takes a number in the range
743           1...4294967295. The value used must match the "PeerSessionId="
744           value being used at the peer. This setting is compulsory.
745
746       Layer2SpecificHeader=
747           Specifies the Layer 2 specific header type of the session. One of
748           "none" or "default". Defaults to "default".
749

[MACSEC] SECTION OPTIONS

751       The [MACsec] section only applies for network devices of kind "macsec",
752       and accepts the following keys:
753
754       Port=
755           Specifies the port to be used for the MACsec transmit channel. The
756           port is used to make the secure channel identifier (SCI). Takes a
757           value between 1 and 65535. Defaults to unset.
758
759       Encrypt=
760           Takes a boolean. When true, enable encryption. Defaults to unset.
761

[MACSECRECEIVECHANNEL] SECTION OPTIONS

763       The [MACsecReceiveChannel] section only applies for network devices of
764       kind "macsec", and accepts the following keys:
765
766       Port=
767           Specifies the port to be used for the MACsec receive channel. The
768           port is used to make the secure channel identifier (SCI). Takes a
769           value between 1 and 65535. This option is compulsory, and is not
770           set by default.
771
772       MACAddress=
773           Specifies the MAC address to be used for the MACsec receive channel.
774           The MAC address is used to make the secure channel identifier (SCI).
775           This setting is compulsory, and is not set by default.
776

[MACSECTRANSMITASSOCIATION] SECTION OPTIONS

778       The [MACsecTransmitAssociation] section only applies for network
779       devices of kind "macsec", and accepts the following keys:
780
781       PacketNumber=
782           Specifies the packet number to be used for replay protection and
783           the construction of the initialization vector (along with the
784           secure channel identifier [SCI]). Takes a value between
785           1-4,294,967,295. Defaults to unset.
786
787       KeyId=
788           Specifies the identification for the key. Takes a number between
789           0-255. This option is compulsory, and is not set by default.
790
791       Key=
792           Specifies the encryption key used in the transmission channel. The
793           same key must be configured on the peer’s matching receive channel.
794           This setting is compulsory, and is not set by default. Takes a
795           128-bit key encoded in a hexadecimal string, for example
796           "dffafc8d7b9a43d5b9a3dfbbf6a30c16".
797
798       KeyFile=
799           Takes an absolute path to a file which contains a 128-bit key
800           encoded in a hexadecimal string, which will be used in the
801           transmission channel. When this option is specified, Key= is
802           ignored. Note that the file must be readable by the user
803           "systemd-network", so it should be, e.g., owned by
804           "root:systemd-network" with a "0640" file mode. If the path refers
805           to an AF_UNIX stream socket in the file system a connection is made
806           to it and the key read from it.
807
808       Activate=
809           Takes a boolean. If enabled, then the security association is
810           activated. Defaults to unset.
811
812       UseForEncoding=
813           Takes a boolean. If enabled, then the security association is used
814           for encoding. Only one [MACsecTransmitAssociation] section can
815           enable this option. When enabled, Activate=yes is implied. Defaults
816           to unset.
817

[MACSECRECEIVEASSOCIATION] SECTION OPTIONS

819       The [MACsecReceiveAssociation] section only applies for network devices
820       of kind "macsec", and accepts the following keys:
821
822       Port=
823           Accepts the same key as in [MACsecReceiveChannel] section.
824
825       MACAddress=
826           Accepts the same key as in [MACsecReceiveChannel] section.
827
828       PacketNumber=
829           Accepts the same key as in [MACsecTransmitAssociation] section.
830
831       KeyId=
832           Accepts the same key as in [MACsecTransmitAssociation] section.
833
834       Key=
835           Accepts the same key as in [MACsecTransmitAssociation] section.
836
837       KeyFile=
838           Accepts the same key as in [MACsecTransmitAssociation] section.
839
840       Activate=
841           Accepts the same key as in [MACsecTransmitAssociation] section.
842

[TUNNEL] SECTION OPTIONS

844       The [Tunnel] section only applies for netdevs of kind "ipip", "sit",
845       "gre", "gretap", "ip6gre", "ip6gretap", "vti", "vti6", "ip6tnl", and
846       "erspan" and accepts the following keys:
847
848       Local=
849           A static local address for tunneled packets. It must be an address
850           on another interface of this host, or the special value "any".
851
852       Remote=
853           The remote endpoint of the tunnel. Takes an IP address or the
854           special value "any".
855
856       TOS=
857           The Type Of Service byte value for a tunnel interface. For details
858           about the TOS, see the Type of Service in the Internet Protocol
859           Suite[9] document.
860
861       TTL=
862           A fixed Time To Live N on tunneled packets. N is a number in the
863           range 1...255. 0 is a special value meaning that packets inherit
864           the TTL value. The default value for IPv4 tunnels is 0 (inherit).
865           The default value for IPv6 tunnels is 64.
866
867       DiscoverPathMTU=
868           Takes a boolean. When true, enables Path MTU Discovery on the
869           tunnel.
870
871       IPv6FlowLabel=
872           Configures the 20-bit flow label (see RFC 6437[10]) field in the
873           IPv6 header (see RFC 2460[11]), which is used by a node to label
874           packets of a flow. It is only used for IPv6 tunnels. A flow label
875           of zero is used to indicate packets that have not been labeled. It
876           can be configured to a value in the range 0...0xFFFFF, or be set to
877           "inherit", in which case the original flowlabel is used.
878
879       CopyDSCP=
880           Takes a boolean. When true, the Differentiated Service Code Point
881           (DSCP) field will be copied to the inner header from outer header
882           during the decapsulation of an IPv6 tunnel packet. DSCP is a field
883           in an IP packet that enables different levels of service to be
884           assigned to network traffic. Defaults to "no".
885
886       EncapsulationLimit=
887           The Tunnel Encapsulation Limit option specifies how many additional
888           levels of encapsulation are permitted to be prepended to the
889           packet. For example, a Tunnel Encapsulation Limit option containing
890           a limit value of zero means that a packet carrying that option may
891           not enter another tunnel before exiting the current tunnel. (see
892           RFC 2473[12]). The valid range is 0–255 and "none". Defaults to 4.
893
894       Key=
895           The Key= parameter specifies the same key to use in both directions
896           (InputKey= and OutputKey=). The Key= is either a number or an IPv4
897           address-like dotted quad. It is used as mark-configured SAD/SPD
898           entry as part of the lookup key (both in data and control path) in
899           IP XFRM (framework used to implement IPsec protocol). See ip-xfrm —
900           transform configuration[13] for details. It is only used for
901           VTI/VTI6, GRE, GRETAP, and ERSPAN tunnels.
902
903       InputKey=
904           The InputKey= parameter specifies the key to use for input. The
905           format is same as Key=. It is only used for VTI/VTI6, GRE, GRETAP,
906           and ERSPAN tunnels.
907
908       OutputKey=
909           The OutputKey= parameter specifies the key to use for output. The
910           format is same as Key=. It is only used for VTI/VTI6, GRE, GRETAP,
911           and ERSPAN tunnels.
912
913       Mode=
914           An "ip6tnl" tunnel can be in one of three modes: "ip6ip6" for IPv6
915           over IPv6, "ipip6" for IPv4 over IPv6 or "any" for either.
916
917       Independent=
918           Takes a boolean. When false (the default), the tunnel is always
919           created over some network device, and a .network file that requests
920           this tunnel using Tunnel= is required for the tunnel to be created.
921           When true, the tunnel is created independently of any network as
922           "tunnel@NONE".
923
924       AssignToLoopback=
925           Takes a boolean. If set to "yes", the loopback interface "lo" is
926           used as the underlying device of the tunnel interface. Defaults to
927           "no".
928
929       AllowLocalRemote=
930           Takes a boolean. When true, allows tunnel traffic on ip6tnl devices
931           where the remote endpoint is a local host address. When unset, the
932           kernel's default will be used.
933
934       FooOverUDP=
935           Takes a boolean. Specifies whether FooOverUDP= tunnel is to be
936           configured. Defaults to false. This takes effect only for IPIP,
937           SIT, GRE, and GRETAP tunnels. For more detailed information, see
938           Foo over UDP[14].
939
940       FOUDestinationPort=
941           This setting specifies the UDP destination port for encapsulation.
942           This field is mandatory when FooOverUDP=yes, and is not set by
943           default.
944
945       FOUSourcePort=
946           This setting specifies the UDP source port for encapsulation.
947           Defaults to 0 — that is, the source port for packets is left to the
948           network stack to decide.
949
950       Encapsulation=
951           Accepts the same key as in the [FooOverUDP] section.
952
953       IPv6RapidDeploymentPrefix=
954           Reconfigure the tunnel for IPv6 Rapid Deployment[15], also known as
955           6rd. The value is an ISP-specific IPv6 prefix with a non-zero
956           length. Only applicable to SIT tunnels.
957
958       ISATAP=
959           Takes a boolean. If set, configures the tunnel as Intra-Site
960           Automatic Tunnel Addressing Protocol (ISATAP) tunnel. Only
961           applicable to SIT tunnels. When unset, the kernel's default will be
962           used.
963
964       SerializeTunneledPackets=
965           Takes a boolean. If set to yes, then packets are serialized. Only
966           applies for GRE, GRETAP, and ERSPAN tunnels. When unset, the
967           kernel's default will be used.
968
969       ERSPANIndex=
970           Specifies the ERSPAN index field for the interface, an integer in
971           the range 1...1048575 associated with the ERSPAN traffic's source
972           port and direction. This field is mandatory.
973

[FOOOVERUDP] SECTION OPTIONS

975       The [FooOverUDP] section only applies for netdevs of kind "fou" and
976       accepts the following keys:
977
978       Encapsulation=
979           Specifies the encapsulation mechanism used to store networking
980           packets of various protocols inside the UDP packets. Supports the
981           following values: "FooOverUDP" provides the simplest no-frills
982           model of UDP encapsulation, it simply encapsulates packets directly
983           in the UDP payload.  "GenericUDPEncapsulation" is a generic and
984           extensible encapsulation, it allows encapsulation of packets for
985           any IP protocol and optional data as part of the encapsulation. For
986           more detailed information see Generic UDP Encapsulation[16].
987           Defaults to "FooOverUDP".
988
989       Port=
990           Specifies the port number where the encapsulated packets will
991           arrive. Those packets will be removed and manually fed back into
992           the network stack with the encapsulation removed to be sent to the
993           real destination. This option is mandatory.
994
995       PeerPort=
996           Specifies the peer port number. Defaults to unset. Note that when
997           the peer port is set, the "Peer=" address is mandatory.
998
999       Protocol=
1000           The Protocol= specifies the protocol number of the packets arriving
1001           at the UDP port. When Encapsulation=FooOverUDP, this field is
1002           mandatory and is not set by default. Takes an IP protocol name such
1003           as "gre" or "ipip", or an integer within the range 1...255. When
1004           Encapsulation=GenericUDPEncapsulation, this must not be specified.
1005
1006       Peer=
1007           Configures the peer IP address. Note that when the peer address is
1008           set, "PeerPort=" is mandatory.
1009
1010       Local=
1011           Configures local IP address.
1012

[PEER] SECTION OPTIONS

1014       The [Peer] section only applies for netdevs of kind "veth" and accepts
1015       the following keys:
1016
1017       Name=
1018           The interface name used when creating the netdev. This setting is
1019           compulsory.
1020
1021       MACAddress=
1022           The peer MAC address. If not set, it is generated in the same way
1023           as the MAC address of the main interface.
1024

[VXCAN] SECTION OPTIONS

1026       The [VXCAN] section only applies for netdevs of kind "vxcan" and
1027       accepts the following key:
1028
1029       Peer=
1030           The peer interface name used when creating the netdev. This setting
1031           is compulsory.
1032

[TUN] SECTION OPTIONS

1034       The [Tun] section only applies for netdevs of kind "tun", and accepts
1035       the following keys:
1036
1037       MultiQueue=
1038           Takes a boolean. Configures whether to use multiple file
1039           descriptors (queues) to parallelize packets sending and receiving.
1040           Defaults to "no".
1041
1042       PacketInfo=
1043           Takes a boolean. Configures whether packets should be prepended
1044           with four extra bytes (two flag bytes and two protocol bytes). If
1045           disabled, it indicates that the packets will be pure IP packets.
1046           Defaults to "no".
1047
1048       VNetHeader=
1049           Takes a boolean. Configures IFF_VNET_HDR flag for a tun or tap
1050           device. It allows sending and receiving larger Generic Segmentation
1051           Offload (GSO) packets. This may increase throughput significantly.
1052           Defaults to "no".
1053
1054       User=
1055           User to grant access to the /dev/net/tun device.
1056
1057       Group=
1058           Group to grant access to the /dev/net/tun device.
1059

[TAP] SECTION OPTIONS

1061       The [Tap] section only applies for netdevs of kind "tap", and accepts
1062       the same keys as the [Tun] section.
1063

[WIREGUARD] SECTION OPTIONS

1065       The [WireGuard] section accepts the following keys:
1066
1067       PrivateKey=
1068           The Base64 encoded private key for the interface. It can be
1069           generated using the wg genkey command (see wg(8)). This option or
1070           PrivateKeyFile= is mandatory to use WireGuard. Note that because
1071           this information is secret, you may want to set the permissions of
1072           the .netdev file to be owned by "root:systemd-network" with a
1073           "0640" file mode.
1074
1075       PrivateKeyFile=
1076           Takes an absolute path to a file which contains the Base64 encoded
1077           private key for the interface. When this option is specified, then
1078           PrivateKey= is ignored. Note that the file must be readable by the
1079           user "systemd-network", so it should be, e.g., owned by
1080           "root:systemd-network" with a "0640" file mode. If the path refers
1081           to an AF_UNIX stream socket in the file system a connection is made
1082           to it and the key read from it.
1083
1084       ListenPort=
1085           Sets the UDP port for listening. Takes either a value between 1 and
1086           65535 or "auto". If "auto" is specified, the port is automatically
1087           generated based on interface name. Defaults to "auto".
1088
1089       FirewallMark=
1090           Sets a firewall mark on outgoing WireGuard packets from this
1091           interface. Takes a number between 1 and 4294967295.
1092

[WIREGUARDPEER] SECTION OPTIONS

1094       The [WireGuardPeer] section accepts the following keys:
1095
1096       PublicKey=
1097           Sets a Base64 encoded public key calculated by wg pubkey (see
1098           wg(8)) from a private key, and usually transmitted out of band to
1099           the author of the configuration file. This option is mandatory for
1100           this section.
1101
1102       PresharedKey=
1103           Optional preshared key for the interface. It can be generated by
1104           the wg genpsk command. This option adds an additional layer of
1105           symmetric-key cryptography to be mixed into the already existing
1106           public-key cryptography, for post-quantum resistance. Note that
1107           because this information is secret, you may want to set the
1108           permissions of the .netdev file to be owned by
1109           "root:systemd-network" with a "0640" file mode.
1110
1111       PresharedKeyFile=
1112           Takes an absolute path to a file which contains the Base64 encoded
1113           preshared key for the peer. When this option is specified, then
1114           PresharedKey= is ignored. Note that the file must be readable by
1115           the user "systemd-network", so it should be, e.g., owned by
1116           "root:systemd-network" with a "0640" file mode. If the path refers
1117           to an AF_UNIX stream socket in the file system a connection is made
1118           to it and the key read from it.
1119
1120       AllowedIPs=
1121           Sets a comma-separated list of IP (v4 or v6) addresses with CIDR
1122           masks from which this peer is allowed to send incoming traffic and
1123           to which outgoing traffic for this peer is directed.
1124
1125           The catch-all 0.0.0.0/0 may be specified for matching all IPv4
1126           addresses, and ::/0 may be specified for matching all IPv6
1127           addresses.
1128
1129           Note that this only affects routing inside the network interface
1130           itself, i.e. the packets that pass through the tunnel itself. To
1131           cause packets to be sent via the tunnel in the first place, an
1132           appropriate route needs to be added as well — either in the
1133           "[Routes]" section on the ".network" matching the wireguard
1134           interface, or externally to systemd-networkd.
1135
1136       Endpoint=
1137           Sets an endpoint IP address or hostname, followed by a colon, and
1138           then a port number. This endpoint will be updated automatically
1139           once to the most recent source IP address and port of correctly
1140           authenticated packets from the peer at configuration time.
1141
1142       PersistentKeepalive=
1143           Sets a seconds interval, between 1 and 65535 inclusive, of how
1144           often to send an authenticated empty packet to the peer for the
1145           purpose of keeping a stateful firewall or NAT mapping valid
1146           persistently. For example, if the interface very rarely sends
1147           traffic, but it might at any time receive traffic from a peer, and
1148           it is behind NAT, the interface might benefit from having a
1149           persistent keepalive interval of 25 seconds. If set to 0 or "off",
1150           this option is disabled. By default or when unspecified, this
1151           option is off. Most users will not need this.
1152
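The key-handling rules in the [MACsecTransmitAssociation], [WireGuard] and [WireGuardPeer] sections above (128-bit hex or Base64 encoding, the file-based setting overriding the inline one, "0640" file mode, a single UseForEncoding= association) can be checked mechanically. The following Python audit is an added example, not part of systemd; all function names and sample files are constructed, and the 32-byte WireGuard key length is an assumption taken from WireGuard itself rather than from this page.

```python
import base64
import os
import re
import stat
import tempfile

# (section, key) holding inline key material -> file-based setting that overrides it.
# [Tunnel] Key= is deliberately absent: it is a tunnel key number, not a secret.
INLINE_SECRETS = {
    ("WireGuard", "PrivateKey"): "PrivateKeyFile",
    ("WireGuardPeer", "PresharedKey"): "PresharedKeyFile",
    ("MACsecTransmitAssociation", "Key"): "KeyFile",
    ("MACsecReceiveAssociation", "Key"): "KeyFile",
}
SECRET_SECTIONS = {section for section, _ in INLINE_SECRETS}
KEY_FILE_SETTINGS = set(INLINE_SECRETS.values())
TRUE_VALUES = {"1", "yes", "true", "on"}


def parse_netdev(text):
    """Return [(section, {key: value})]; repeated sections stay separate."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = value.strip()
    return sections


def encoding_problem(section, value):
    """Check a key against the encoding the man page gives for its section."""
    if section.startswith("MACsec"):
        ok = re.fullmatch(r"[0-9A-Fa-f]{32}", value)
        return None if ok else "is not a 128-bit key written as 32 hex digits"
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return "is not valid Base64"
    return None if len(raw) == 32 else "does not decode to 32 bytes"


def mode_problem(path):
    """Flag permission bits outside rw-r----- (0640); ownership is not checked here."""
    st = os.stat(path)
    if stat.S_ISSOCK(st.st_mode):  # the key may be served over an AF_UNIX socket instead
        return None
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o137:
        return f"exposes key material: {path} has mode {mode:04o}, looser than 0640"
    return None


def audit(netdev_path):
    """Return findings for one .netdev file; key values are never echoed."""
    with open(netdev_path, encoding="utf-8") as fh:
        sections = parse_netdev(fh.read())
    findings, encoders = [], 0
    for section, settings in sections:
        if section == "MACsecTransmitAssociation":
            encoders += settings.get("UseForEncoding", "").lower() in TRUE_VALUES
        for key, value in settings.items():
            where = f"[{section}] {key}="
            if (section, key) in INLINE_SECRETS:
                file_key = INLINE_SECRETS[(section, key)]
                if file_key in settings:
                    findings.append(f"{where} is ignored because {file_key}= is set")
                    continue
                problems = [encoding_problem(section, value), mode_problem(netdev_path)]
                findings += [f"{where} {p}" for p in problems if p]
            elif section in SECRET_SECTIONS and key in KEY_FILE_SETTINGS:
                if not os.path.isabs(value):
                    findings.append(f"{where} must be an absolute path")
                elif not os.path.exists(value):
                    findings.append(f"{where} points to a missing file")
                elif mode_problem(value):
                    findings.append(f"{where} {mode_problem(value)}")
    if encoders > 1:
        findings.append("UseForEncoding= is enabled in more than one [MACsecTransmitAssociation]")
    return findings


def demo():
    """Audit three constructed .netdev files written to a temporary directory."""
    zero_key = base64.b64encode(bytes(32)).decode()  # constructed placeholder, not a real key
    with tempfile.TemporaryDirectory() as tmp:
        psk = os.path.join(tmp, "peer.psk")
        samples = {  # path: (mode, text); all contents are constructed for this example
            psk: (0o644, zero_key + "\n"),
            os.path.join(tmp, "wg0.netdev"): (0o644,
                "[NetDev]\nName=wg0\nKind=wireguard\n"
                f"[WireGuard]\nPrivateKey={zero_key}\n[WireGuardPeer]\nPresharedKeyFile={psk}\n"),
            os.path.join(tmp, "macsec0.netdev"): (0o640,
                "[NetDev]\nName=macsec0\nKind=macsec\n"
                "[MACsecTransmitAssociation]\nKey=dffafc8d7b9a43d5b9a3dfbbf6a30c16\nUseForEncoding=yes\n"
                "[MACsecTransmitAssociation]\nKey=dffafc8d7b9a43d5\nUseForEncoding=yes\n"),
            os.path.join(tmp, "gre0.netdev"): (0o644, "[Tunnel]\nKey=42\n"),
        }
        for path, (mode, text) in samples.items():
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
            os.chmod(path, mode)
        return {os.path.basename(p): audit(p) for p in samples if p.endswith(".netdev")}
```

Calling `audit("/etc/systemd/network/<name>.netdev")` on a real host needs read access to the file and to any referenced key files, so it is normally run as root.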

[BOND] SECTION OPTIONS

1154       The [Bond] section accepts the following key:
1155
1156       Mode=
1157           Specifies one of the bonding policies. The default is "balance-rr"
1158           (round robin). Possible values are "balance-rr", "active-backup",
1159           "balance-xor", "broadcast", "802.3ad", "balance-tlb", and
1160           "balance-alb".
1161
1162       TransmitHashPolicy=
1163           Selects the transmit hash policy to use for slave selection in
1164           balance-xor, 802.3ad, and tlb modes. Possible values are "layer2",
1165           "layer3+4", "layer2+3", "encap2+3", and "encap3+4".
1166
1167       LACPTransmitRate=
1168           Specifies the rate with which link partner transmits Link
1169           Aggregation Control Protocol Data Unit packets in 802.3ad mode.
1170           Possible values are "slow", which requests partner to transmit
1171           LACPDUs every 30 seconds, and "fast", which requests partner to
1172           transmit LACPDUs every second. The default value is "slow".
1173
1174       MIIMonitorSec=
1175           Specifies the frequency that Media Independent Interface link
1176           monitoring will occur. A value of zero disables MII link
1177           monitoring. This value is rounded down to the nearest millisecond.
1178           The default value is 0.
1179
1180       UpDelaySec=
1181           Specifies the delay before a link is enabled after a link up status
1182           has been detected. This value is rounded down to a multiple of
1183           MIIMonitorSec. The default value is 0.
1184
1185       DownDelaySec=
1186           Specifies the delay before a link is disabled after a link down
1187           status has been detected. This value is rounded down to a multiple
1188           of MIIMonitorSec. The default value is 0.
1189
1190       LearnPacketIntervalSec=
1191           Specifies the number of seconds between instances where the bonding
1192           driver sends learning packets to each slave peer switch. The valid
1193           range is 1–0x7fffffff; the default value is 1. This option has an
1194           effect only for the balance-tlb and balance-alb modes.
1195
1196       AdSelect=
1197           Specifies the 802.3ad aggregation selection logic to use. Possible
1198           values are "stable", "bandwidth" and "count".
1199
1200       AdActorSystemPriority=
1201           Specifies the 802.3ad actor system priority. Takes a number in the
1202           range 1...65535.
1203
1204       AdUserPortKey=
1205           Specifies the 802.3ad user defined portion of the port key. Takes a
1206           number in the range 0...1023.
1207
1208       AdActorSystem=
1209           Specifies the 802.3ad system MAC address. This cannot be a null or
1210           multicast address.
1211
1212       FailOverMACPolicy=
1213           Specifies whether the active-backup mode should set all slaves to
1214           the same MAC address at the time of enslavement or, when enabled,
1215           to perform special handling of the bond's MAC address in accordance
1216           with the selected policy. The default policy is none. Possible
1217           values are "none", "active" and "follow".
1218
1219       ARPValidate=
1220           Specifies whether or not ARP probes and replies should be validated
1221           in any mode that supports ARP monitoring, or whether non-ARP
1222           traffic should be filtered (disregarded) for link monitoring
1223           purposes. Possible values are "none", "active", "backup" and "all".
1224
1225       ARPIntervalSec=
1226           Specifies the ARP link monitoring frequency. A value of 0 disables
1227           ARP monitoring. The default value is 0, and the default unit is
1228           seconds.
1229
1230       ARPIPTargets=
1231           Specifies the IP addresses to use as ARP monitoring peers when
1232           ARPIntervalSec is greater than 0. These are the targets of the ARP
1233           request sent to determine the health of the link to the targets.
1234           Specify these values in IPv4 dotted decimal format. At least one IP
1235           address must be given for ARP monitoring to function. The maximum
1236           number of targets that can be specified is 16. The default value is
1237           no IP addresses.
1238
1239       ARPAllTargets=
1240           Specifies the quantity of ARPIPTargets that must be reachable in
1241           order for the ARP monitor to consider a slave as being up. This
1242           option affects only active-backup mode for slaves with ARPValidate
1243           enabled. Possible values are "any" and "all".
1244
1245       PrimaryReselectPolicy=
1246           Specifies the reselection policy for the primary slave. This
1247           affects how the primary slave is chosen to become the active slave
1248           when failure of the active slave or recovery of the primary slave
1249           occurs. This option is designed to prevent flip-flopping between
1250           the primary slave and other slaves. Possible values are "always",
1251           "better" and "failure".
1252
1253       ResendIGMP=
1254           Specifies the number of IGMP membership reports to be issued after
1255           a failover event. One membership report is issued immediately after
1256           the failover, subsequent packets are sent in each 200ms interval.
1257           The valid range is 0–255. Defaults to 1. A value of 0 prevents the
1258           IGMP membership report from being issued in response to the
1259           failover event.
1260
1261       PacketsPerSlave=
1262           Specify the number of packets to transmit through a slave before
1263           moving to the next one. When set to 0, then a slave is chosen at
1264           random. The valid range is 0–65535. Defaults to 1. This option only
1265           has effect when in balance-rr mode.
1266
1267       GratuitousARP=
1268           Specify the number of peer notifications (gratuitous ARPs and
1269           unsolicited IPv6 Neighbor Advertisements) to be issued after a
1270           failover event. As soon as the link is up on the new slave, a peer
1271           notification is sent on the bonding device and each VLAN
1272           sub-device. This is repeated at each link monitor interval
1273           (ARPIntervalSec or MIIMonitorSec, whichever is active) if the
1274           number is greater than 1. The valid range is 0–255. The default
1275           value is 1. This option affects only the active-backup mode.
1276
1277       AllSlavesActive=
1278           Takes a boolean. Specifies that duplicate frames (received on
1279           inactive ports) should be dropped when false, or delivered when
1280           true. Normally, bonding will drop duplicate frames (received on
1281           inactive ports), which is desirable for most users. Sometimes,
1282           however, it is useful to allow duplicate frames to be delivered.
1283           The default value is false (drop duplicate frames received on
1284           inactive ports).
1285
1286       DynamicTransmitLoadBalancing=
1287           Takes a boolean. Specifies if dynamic shuffling of flows is
1288           enabled. Applies only for balance-tlb mode. Defaults to unset.
1289
1290       MinLinks=
1291           Specifies the minimum number of links that must be active before
1292           asserting carrier. The default value is 0.
1293
1294       For more detailed information, see Linux Ethernet Bonding Driver HOWTO[1].
1295

[XFRM] SECTION OPTIONS

1297       The [Xfrm] section accepts the following keys:
1298
1299       InterfaceId=
1300           Sets the ID/key of the xfrm interface which needs to be associated
1301           with a SA/policy. Can be decimal or hexadecimal, valid range is
1302           0-0xffffffff, defaults to 0.
1303
1304       Independent=
1305           Takes a boolean. If false (the default), the xfrm interface must
1306           have an underlying device which can be used for hardware
1307           offloading.
1308
1309       For more detailed information, see Virtual XFRM Interfaces[17].
1310

[VRF] SECTION OPTIONS

1312       The [VRF] section only applies for netdevs of kind "vrf" and accepts
1313       the following key:
1314
1315       Table=
1316           The numeric routing table identifier. This setting is compulsory.
1317

[BATMANADVANCED] SECTION OPTIONS

       The [BatmanAdvanced] section only applies for netdevs of kind "batadv"
       and accepts the following keys:

       GatewayMode=
           Takes one of "off", "server", or "client". A batman-adv node can
           either run in server mode (sharing its internet connection with the
           mesh), run in client mode (searching for the most suitable internet
           connection in the mesh), or have gateway support turned off
           entirely (which is the default setting).

       Aggregation=
           Takes a boolean value. Enables or disables aggregation of
           originator messages. Defaults to true.

       BridgeLoopAvoidance=
           Takes a boolean value. Enables or disables avoidance of loops on
           bridges. Defaults to true.

       DistributedArpTable=
           Takes a boolean value. Enables or disables the distributed ARP
           table. Defaults to true.

       Fragmentation=
           Takes a boolean value. Enables or disables fragmentation. Defaults
           to true.

       HopPenalty=
           The hop penalty setting allows modifying the batctl(8) preference
           for multihop routes vs. short routes. This integer value is applied
           to the TQ (Transmit Quality) of each forwarded OGM (Originator
           Message), thereby propagating the cost of an extra hop (the packet
           has to be received and retransmitted, which costs airtime). A
           higher hop penalty makes it less likely that other nodes will
           choose this node as an intermediate hop towards any given
           destination. The default hop penalty of '15' is a reasonable value
           for most setups and probably does not need to be changed. However,
           mobile nodes could choose a value of 255 (maximum value) to avoid
           being chosen as a router by other nodes. The minimum value is 0.

       OriginatorIntervalSec=
           The value specifies the interval in seconds, unless another time
           unit is specified, in which batman-adv floods the network with its
           protocol information. See systemd.time(7) for more information.

       GatewayBandwidthDown=
           If the node is a server, this parameter is used to inform other
           nodes in the network about this node's internet connection download
           bandwidth in bits per second. Just enter any number suffixed with
           K, M, G or T (base 1000) and the batman-adv module will propagate
           the entered value in the mesh.

       GatewayBandwidthUp=
           If the node is a server, this parameter is used to inform other
           nodes in the network about this node's internet connection upload
           bandwidth in bits per second. Just enter any number suffixed with
           K, M, G or T (base 1000) and the batman-adv module will propagate
           the entered value in the mesh.

       RoutingAlgorithm=
           This can be either "batman-v" or "batman-iv" and describes which
           routing_algo of batctl(8) to use. The algorithm cannot be changed
           after interface creation. Defaults to "batman-v".


EXAMPLES

       Example 1. /etc/systemd/network/25-bridge.netdev

           [NetDev]
           Name=bridge0
           Kind=bridge

       Example 2. /etc/systemd/network/25-vlan1.netdev

           [Match]
           Virtualization=no

           [NetDev]
           Name=vlan1
           Kind=vlan

           [VLAN]
           Id=1

       Example 3. /etc/systemd/network/25-ipip.netdev

           [NetDev]
           Name=ipip-tun
           Kind=ipip
           MTUBytes=1480

           [Tunnel]
           Local=192.168.223.238
           Remote=192.169.224.239
           TTL=64

       Example 4. /etc/systemd/network/1-fou-tunnel.netdev

           [NetDev]
           Name=fou-tun
           Kind=fou

           [FooOverUDP]
           Port=5555
           Protocol=4

       Example 5. /etc/systemd/network/25-fou-ipip.netdev

           [NetDev]
           Name=ipip-tun
           Kind=ipip

           [Tunnel]
           Independent=yes
           Local=10.65.208.212
           Remote=10.65.208.211
           FooOverUDP=yes
           FOUDestinationPort=5555

       Example 6. /etc/systemd/network/25-tap.netdev

           [NetDev]
           Name=tap-test
           Kind=tap

           [Tap]
           MultiQueue=yes
           PacketInfo=yes

       Example 7. /etc/systemd/network/25-sit.netdev

           [NetDev]
           Name=sit-tun
           Kind=sit
           MTUBytes=1480

           [Tunnel]
           Local=10.65.223.238
           Remote=10.65.223.239

       Example 8. /etc/systemd/network/25-6rd.netdev

           [NetDev]
           Name=6rd-tun
           Kind=sit
           MTUBytes=1480

           [Tunnel]
           Local=10.65.223.238
           IPv6RapidDeploymentPrefix=2602::/24

       Example 9. /etc/systemd/network/25-gre.netdev

           [NetDev]
           Name=gre-tun
           Kind=gre
           MTUBytes=1480

           [Tunnel]
           Local=10.65.223.238
           Remote=10.65.223.239

       Example 10. /etc/systemd/network/25-ip6gre.netdev

           [NetDev]
           Name=ip6gre-tun
           Kind=ip6gre

           [Tunnel]
           Key=123

       Example 11. /etc/systemd/network/25-vti.netdev

           [NetDev]
           Name=vti-tun
           Kind=vti
           MTUBytes=1480

           [Tunnel]
           Local=10.65.223.238
           Remote=10.65.223.239

       Example 12. /etc/systemd/network/25-veth.netdev

           [NetDev]
           Name=veth-test
           Kind=veth

           [Peer]
           Name=veth-peer

       Example 13. /etc/systemd/network/25-bond.netdev

           [NetDev]
           Name=bond1
           Kind=bond

           [Bond]
           Mode=802.3ad
           TransmitHashPolicy=layer3+4
           MIIMonitorSec=1s
           LACPTransmitRate=fast

       Example 14. /etc/systemd/network/25-dummy.netdev

           [NetDev]
           Name=dummy-test
           Kind=dummy
           MACAddress=12:34:56:78:9a:bc

       Example 15. /etc/systemd/network/25-vrf.netdev

       Create a VRF interface with table 42.

           [NetDev]
           Name=vrf-test
           Kind=vrf

           [VRF]
           Table=42

       Example 16. /etc/systemd/network/25-macvtap.netdev

       Create a MacVTap device.

           [NetDev]
           Name=macvtap-test
           Kind=macvtap

       Example 17. /etc/systemd/network/25-wireguard.netdev

           [NetDev]
           Name=wg0
           Kind=wireguard

           [WireGuard]
           PrivateKey=EEGlnEPYJV//kbvvIqxKkQwOiS+UENyPncC4bF46ong=
           ListenPort=51820

           [WireGuardPeer]
           PublicKey=RDf+LSpeEre7YEIKaxg+wbpsNV7du+ktR99uBEtIiCA=
           AllowedIPs=fd31:bf08:57cb::/48,192.168.26.0/24
           Endpoint=wireguard.example.com:51820

       Example 18. /etc/systemd/network/27-xfrm.netdev

           [NetDev]
           Name=xfrm0
           Kind=xfrm

           [Xfrm]
           Independent=yes

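       Example 17 keeps the WireGuard private key inline in a file under
       /etc/systemd/network. The shell function below is an added example,
       not part of this manual page or of systemd: it lists .netdev files and
       drop-ins that carry an inline PrivateKey= or PresharedKey= and marks
       those readable by all users. The function name and output format are
       assumptions, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the man page): report WireGuard secrets stored
# inline in .netdev files or their drop-ins, and whether "other" can read
# them. Only the key name and file mode are printed, never the key value.

audit_netdev_secrets() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # Main files (*.netdev) and drop-ins (*.netdev.d/*.conf).
        find "$dir" -type f \( -name '*.netdev' -o -path '*.netdev.d/*.conf' \) |
        sort |
        while IFS= read -r file; do
            # PrivateKeyFile= and PresharedKeyFile= do not match: only
            # optional whitespace may sit between the key name and "=".
            keys=$(sed -n -E \
                's/^[[:space:]]*(PrivateKey|PresharedKey)[[:space:]]*=.*/\1/p' \
                "$file" | sort -u | tr '\n' ',' | sed 's/,$//')
            [ -n "$keys" ] || continue
            mode=$(stat -c '%a' "$file")   # GNU stat (assumption)
            case "$mode" in
                *[4567]) verdict="WORLD-READABLE" ;;  # read bit set for "other"
                *)       verdict="inline-secret" ;;
            esac
            printf '%s %s mode=%s keys=%s\n' "$verdict" "$file" "$mode" "$keys"
        done
    done
}

# Run against the directories given on the command line, for example:
#   sh audit.sh /etc/systemd/network /run/systemd/network
if [ "$#" -gt 0 ]; then
    audit_netdev_secrets "$@"
fi
```

       A finding is cleared either by moving the key into a separate file
       referenced with PrivateKeyFile= (or PresharedKeyFile= for a peer), or
       by restricting the .netdev file to mode 0640 owned by
       root:systemd-network.
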

SEE ALSO

       systemd(1), systemd-networkd(8), systemd.link(5), systemd.network(5)


NOTES

        1. Linux Ethernet Bonding Driver HOWTO
           https://www.kernel.org/doc/Documentation/networking/bonding.txt

        2. RFC 2784
           https://tools.ietf.org/html/rfc2784

        3. IEEE 802.1Q
           http://www.ieee802.org/1/pages/802.1Q.html

        4. VRF
           https://www.kernel.org/doc/Documentation/networking/vrf.txt

        5. B.A.T.M.A.N. Advanced
           https://www.open-mesh.org/projects/open-mesh/wiki

        6. (DVOE)
           https://en.wikipedia.org/wiki/Distributed_Overlay_Virtual_Ethernet

        7. VXLAN Group Policy
           https://tools.ietf.org/html/draft-smith-vxlan-group-policy

        8. Generic Protocol Extension for VXLAN
           https://tools.ietf.org/html/draft-ietf-nvo3-vxlan-gpe-07

        9. Type of Service in the Internet Protocol Suite
           http://tools.ietf.org/html/rfc1349

       10. RFC 6437
           https://tools.ietf.org/html/rfc6437

       11. RFC 2460
           https://tools.ietf.org/html/rfc2460

       12. RFC 2473
           https://tools.ietf.org/html/rfc2473#section-4.1.1

       13. ip-xfrm — transform configuration
           http://man7.org/linux/man-pages/man8/ip-xfrm.8.html

       14. Foo over UDP
           https://lwn.net/Articles/614348

       15. IPv6 Rapid Deployment
           https://tools.ietf.org/html/rfc5569

       16. Generic UDP Encapsulation
           https://lwn.net/Articles/615044

       17. Virtual XFRM Interfaces
           https://lwn.net/Articles/757391

systemd 249                                                  SYSTEMD.NETDEV(5)