IP-LINK(8)                          Linux                          IP-LINK(8)

NAME
       ip-link - network device configuration

SYNOPSIS
       ip link { COMMAND | help }

       ip link add [ link DEVICE ] [ name ] NAME
               [ txqueuelen PACKETS ]
               [ address LLADDR ] [ broadcast LLADDR ]
               [ mtu MTU ] [ index IDX ]
               [ numtxqueues QUEUE_COUNT ] [ numrxqueues QUEUE_COUNT ]
               [ gso_max_size BYTES ] [ gso_max_segs SEGMENTS ]
               type TYPE [ ARGS ]

       ip link delete { DEVICE | group GROUP } type TYPE [ ARGS ]

       ip link set { DEVICE | group GROUP }
               [ { up | down } ]
               [ type ETYPE TYPE_ARGS ]
               [ arp { on | off } ]
               [ dynamic { on | off } ]
               [ multicast { on | off } ]
               [ allmulticast { on | off } ]
               [ promisc { on | off } ]
               [ protodown { on | off } ]
               [ protodown_reason PREASON { on | off } ]
               [ trailers { on | off } ]
               [ txqueuelen PACKETS ]
               [ name NEWNAME ]
               [ address LLADDR ]
               [ broadcast LLADDR ]
               [ mtu MTU ]
               [ netns { PID | NETNSNAME } ]
               [ link-netnsid ID ]
               [ alias NAME ]
               [ vf NUM [ mac LLADDR ]
                        [ VFVLAN-LIST ]
                        [ rate TXRATE ]
                        [ max_tx_rate TXRATE ]
                        [ min_tx_rate TXRATE ]
                        [ spoofchk { on | off } ]
                        [ query_rss { on | off } ]
                        [ state { auto | enable | disable } ]
                        [ trust { on | off } ]
                        [ node_guid eui64 ]
                        [ port_guid eui64 ] ]
               [ { xdp | xdpgeneric | xdpdrv | xdpoffload } { off |
                       object FILE [ section NAME ] [ verbose ] |
                       pinned FILE } ]
               [ master DEVICE ]
               [ nomaster ]
               [ vrf NAME ]
               [ addrgenmode { eui64 | none | stable_secret | random } ]
               [ macaddr [ MACADDR ]
                         [ { flush | add | del } MACADDR ]
                         [ set MACADDR ] ]

       ip link show [ DEVICE | group GROUP ] [ up ] [ master DEVICE ]
               [ type ETYPE ] [ vrf NAME ]

       ip link xstats type TYPE [ ARGS ]

       ip link afstats [ dev DEVICE ]

       ip link help [ TYPE ]

       TYPE := [ bridge | bond | can | dummy | hsr | ifb | ipoib |
               macvlan | macvtap | vcan | vxcan | veth | vlan |
               vxlan | ip6tnl | ipip | sit | gre | gretap | erspan |
               ip6gre | ip6gretap | ip6erspan | vti | nlmon | ipvlan
               | ipvtap | lowpan | geneve | bareudp | vrf | macsec |
               netdevsim | rmnet | xfrm ]

       ETYPE := [ TYPE | bridge_slave | bond_slave ]

       VFVLAN-LIST := [ VFVLAN-LIST ] VFVLAN

       VFVLAN := [ vlan VLANID [ qos VLAN-QOS ] [ proto VLAN-PROTO ] ]

       ip link property add dev DEVICE [ altname NAME .. ]

       ip link property del dev DEVICE [ altname NAME .. ]

DESCRIPTION
   ip link add - add virtual link
       link DEVICE
              specifies the physical device to act on.

       NAME   specifies the name of the new virtual device.

       TYPE   specifies the type of the new device.

              Link types:

                      bridge - Ethernet Bridge device

                      bond - Bonding device

                      dummy - Dummy network interface

                      hsr - High-availability Seamless Redundancy device

                      ifb - Intermediate Functional Block device

                      ipoib - IP over Infiniband device

                      macvlan - Virtual interface based on link layer
                      address (MAC)

                      macvtap - Virtual interface based on link layer
                      address (MAC) and TAP.

                      vcan - Virtual Controller Area Network interface

                      vxcan - Virtual Controller Area Network tunnel
                      interface

                      veth - Virtual ethernet interface

                      vlan - 802.1q tagged virtual LAN interface

                      vxlan - Virtual eXtended LAN

                      ip6tnl - Virtual tunnel interface IPv4|IPv6 over IPv6

                      ipip - Virtual tunnel interface IPv4 over IPv4

                      sit - Virtual tunnel interface IPv6 over IPv4

                      gre - Virtual tunnel interface GRE over IPv4

                      gretap - Virtual L2 tunnel interface GRE over IPv4

                      erspan - Encapsulated Remote SPAN over GRE and IPv4

                      ip6gre - Virtual tunnel interface GRE over IPv6

                      ip6gretap - Virtual L2 tunnel interface GRE over IPv6

                      ip6erspan - Encapsulated Remote SPAN over GRE and IPv6

                      vti - Virtual tunnel interface

                      nlmon - Netlink monitoring device

                      ipvlan - Interface for L3 (IPv6/IPv4) based VLANs

                      ipvtap - Interface for L3 (IPv6/IPv4) based VLANs and
                      TAP

                      lowpan - Interface for 6LoWPAN (IPv6) over IEEE
                      802.15.4 / Bluetooth

                      geneve - GEneric NEtwork Virtualization Encapsulation

                      bareudp - Bare UDP L3 encapsulation support

                      macsec - Interface for IEEE 802.1AE MAC Security
                      (MACsec)

                      vrf - Interface for L3 VRF domains

                      netdevsim - Interface for netdev API tests

                      rmnet - Qualcomm rmnet device

                      xfrm - Virtual xfrm interface

       numtxqueues QUEUE_COUNT
              specifies the number of transmit queues for the new device.

       numrxqueues QUEUE_COUNT
              specifies the number of receive queues for the new device.

       gso_max_size BYTES
              specifies the recommended maximum size of a Generic Segment
              Offload packet the new device should accept.

       gso_max_segs SEGMENTS
              specifies the recommended maximum number of Generic Segment
              Offload segments the new device should accept.

       index IDX
              specifies the desired index of the new virtual device. The
              link creation fails if the index is busy.

       VLAN Type Support
              For a link of type VLAN the following additional arguments are
              supported:

              ip link add link DEVICE name NAME type vlan [ protocol
              VLAN_PROTO ] id VLANID [ reorder_hdr { on | off } ] [ gvrp { on
              | off } ] [ mvrp { on | off } ] [ loose_binding { on | off } ] [
              bridge_binding { on | off } ] [ ingress-qos-map QOS-MAP ] [
              egress-qos-map QOS-MAP ]

                     protocol VLAN_PROTO - either 802.1Q or 802.1ad.

                     id VLANID - specifies the VLAN Identifier to use. Note
                     that numbers with a leading "0" or "0x" are
                     interpreted as octal or hexadecimal, respectively.

                     reorder_hdr { on | off } - specifies whether ethernet
                     headers are reordered or not (default is on).

                            If reorder_hdr is on, the VLAN header is not
                            inserted immediately but only before the packet
                            is passed to the physical device (if this device
                            does not support VLAN offloading). The same
                            applies in the RX direction: by default the
                            packet is untagged before being received by the
                            VLAN device. Reordering accelerates tagging on
                            egress and hides the VLAN header on ingress so
                            that the packet looks like a regular Ethernet
                            packet; at the same time it can be confusing for
                            packet capture, because the VLAN header does not
                            exist within the packet.

                            VLAN offloading can be checked by ethtool(8):

                                ethtool -k <phy_dev> | grep tx-vlan-offload

                            where <phy_dev> is the physical device to which
                            the VLAN device is bound.

                     gvrp { on | off } - specifies whether this VLAN should
                     be registered using GARP VLAN Registration Protocol.

                     mvrp { on | off } - specifies whether this VLAN should
                     be registered using Multiple VLAN Registration Protocol.

                     loose_binding { on | off } - specifies whether the VLAN
                     device state is bound to the physical device state.

                     bridge_binding { on | off } - specifies whether the VLAN
                     device link state tracks the state of bridge ports that
                     are members of the VLAN.

                     ingress-qos-map QOS-MAP - defines a mapping of VLAN
                     header prio field to the Linux internal packet priority
                     on incoming frames. The format is FROM:TO with multiple
                     mappings separated by spaces.

                     egress-qos-map QOS-MAP - defines a mapping of Linux
                     internal packet priority to VLAN header prio field but
                     for outgoing frames. The format is the same as for
                     ingress-qos-map.

                            Linux packet priority can be set by iptables(8):

                                iptables -t mangle -A POSTROUTING [...] -j CLASSIFY --set-class 0:4

                            and this "4" priority can be used in the egress
                            qos mapping to set VLAN prio "5":

                                ip link set veth0.10 type vlan egress 4:5

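The note on `id VLANID` above means a zero-padded ID such as 0100 selects VLAN 64, not 100. The following is an added example, not part of ip-link(8): a pre-flight check that reports the VLAN ID a typed value really selects. The function names, the 1..4094 range check and the sample list are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not part of ip-link(8)): show which VLAN ID a typed value
# selects once a leading "0" / "0x" is read as octal / hexadecimal.
# Function names and the sample list below are constructed for illustration.

# vlan_id_effective STRING
#   prints "<decimal VID> <notation>"; returns 0 for 1..4094,
#   1 if the value parses but is outside that range, 2 if it is not a number.
vlan_id_effective() {
    vie_raw=$1
    case "$vie_raw" in
        0[xX]?*)
            vie_digits=${vie_raw#0[xX]}
            case "$vie_digits" in *[!0-9a-fA-F]*) return 2 ;; esac
            vie_base=hex ;;
        0?*)
            vie_digits=${vie_raw#0}
            case "$vie_digits" in *[!0-7]*) return 2 ;; esac
            vie_base=octal ;;
        ''|*[!0-9]*) return 2 ;;
        *)  vie_base=decimal ;;
    esac
    # Bound the length so the arithmetic below cannot overflow.
    [ "${#vie_raw}" -le 8 ] || return 2
    # The string is validated above, so it is safe to evaluate as a constant.
    vie_vid=$(($vie_raw))
    echo "$vie_vid $vie_base"
    # Assumption of this example: 1..4094 is the usable 802.1Q range
    # (12-bit field, 0 and 4095 reserved).
    [ "$vie_vid" -ge 1 ] && [ "$vie_vid" -le 4094 ]
}

# vlan_id_audit: read "NAME VLANID" pairs on stdin and report every entry
# that is invalid, out of range, or not written in plain decimal.
# Returns 1 if anything was reported.
vlan_id_audit() {
    via_rc=0
    while read -r via_name via_id; do
        [ -n "$via_name" ] || continue
        via_out=$(vlan_id_effective "$via_id") && via_st=0 || via_st=$?
        if [ "$via_st" -eq 2 ]; then
            echo "$via_name: '$via_id' is not a valid number"
            via_rc=1
            continue
        fi
        via_vid=${via_out% *}
        via_base=${via_out#* }
        if [ "$via_st" -eq 1 ]; then
            echo "$via_name: '$via_id' gives VID $via_vid, outside 1..4094"
            via_rc=1
        elif [ "$via_base" != decimal ]; then
            echo "$via_name: '$via_id' is read as $via_base, VID $via_vid"
            via_rc=1
        fi
    done
    return "$via_rc"
}

# Constructed sample: interface names and IDs as they might appear in a
# provisioning list.
vlan_id_audit <<'EOF' || true
eth0.100 100
eth0.0100 0100
eth0.x20 0x20
eth0.08 08
EOF
```
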
       VXLAN Type Support
              For a link of type VXLAN the following additional arguments are
              supported:

              ip link add DEVICE type vxlan id VNI [ dev PHYS_DEV ] [ { group
              | remote } IPADDR ] [ local { IPADDR | any } ] [ ttl TTL ] [ tos
              TOS ] [ df DF ] [ flowlabel FLOWLABEL ] [ dstport PORT ] [
              srcport MIN MAX ] [ [no]learning ] [ [no]proxy ] [ [no]rsc ] [
              [no]l2miss ] [ [no]l3miss ] [ [no]udpcsum ] [ [no]udp6zerocsumtx
              ] [ [no]udp6zerocsumrx ] [ ageing SECONDS ] [ maxaddress NUMBER
              ] [ [no]external ] [ gbp ] [ gpe ]

                     id VNI - specifies the VXLAN Network Identifier (or
                     VXLAN Segment Identifier) to use.

                     dev PHYS_DEV - specifies the physical device to use for
                     tunnel endpoint communication.

                     group IPADDR - specifies the multicast IP address to
                     join. This parameter cannot be specified with the
                     remote parameter.

                     remote IPADDR - specifies the unicast destination IP
                     address to use in outgoing packets when the destination
                     link layer address is not known in the VXLAN device
                     forwarding database. This parameter cannot be specified
                     with the group parameter.

                     local IPADDR - specifies the source IP address to use in
                     outgoing packets.

                     ttl TTL - specifies the TTL value to use in outgoing
                     packets.

                     tos TOS - specifies the TOS value to use in outgoing
                     packets.

                     df DF - specifies the usage of the Don't Fragment flag
                     (DF) bit in outgoing packets with IPv4 headers. The
                     value inherit causes the bit to be copied from the
                     original IP header. The values unset and set cause the
                     bit to be always unset or always set, respectively. By
                     default, the bit is not set.

                     flowlabel FLOWLABEL - specifies the flow label to use in
                     outgoing packets.

                     dstport PORT - specifies the UDP destination port to
                     communicate to the remote VXLAN tunnel endpoint.

                     srcport MIN MAX - specifies the range of port numbers to
                     use as UDP source ports to communicate to the remote
                     VXLAN tunnel endpoint.

                     [no]learning - specifies if unknown source link layer
                     addresses and IP addresses are entered into the VXLAN
                     device forwarding database.

                     [no]rsc - specifies if route short circuit is turned on.

                     [no]proxy - specifies if ARP proxy is turned on.

                     [no]l2miss - specifies if netlink LLADDR miss
                     notifications are generated.

                     [no]l3miss - specifies if netlink IP ADDR miss
                     notifications are generated.

                     [no]udpcsum - specifies if UDP checksum is calculated
                     for transmitted packets over IPv4.

                     [no]udp6zerocsumtx - skip UDP checksum calculation for
                     transmitted packets over IPv6.

                     [no]udp6zerocsumrx - allow incoming UDP packets over
                     IPv6 with zero checksum field.

                     ageing SECONDS - specifies the lifetime in seconds of
                     FDB entries learnt by the kernel.

                     maxaddress NUMBER - specifies the maximum number of FDB
                     entries.

                     [no]external - specifies whether an external control
                     plane (e.g. ip route encap) or the internal FDB should
                     be used.

                     gbp - enables the Group Policy extension (VXLAN-GBP).

                            Allows group policy context to be transported
                            across VXLAN network peers. If enabled, includes
                            the mark of a packet in the VXLAN header for
                            outgoing packets and fills the packet mark based
                            on the information found in the VXLAN header for
                            incoming packets.

                            Format of upper 16 bits of packet mark (flags):

                              +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                              |-|-|-|-|-|-|-|-|-|D|-|-|A|-|-|-|
                              +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                            D := Don't Learn bit. When set, this bit
                            indicates that the egress VTEP MUST NOT learn the
                            source address of the encapsulated frame.

                            A := Indicates that the group policy has already
                            been applied to this packet. Policies MUST NOT be
                            applied by devices when the A bit is set.

                            Format of lower 16 bits of packet mark (policy
                            ID):

                              +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                              |        Group Policy ID        |
                              +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                            Example:
                                iptables -A OUTPUT [...] -j MARK --set-mark 0x800FF

                     gpe - enables the Generic Protocol extension
                     (VXLAN-GPE). Currently, this is only supported together
                     with the external keyword.

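The packet mark layout described under gbp above, as an added example that is not part of ip-link(8): helpers that decode a mark into policy ID, D and A bits and build a mark from those fields, useful when reviewing MARK rules on a VXLAN-GBP endpoint. The function names are hypothetical; the bit positions (D = bit 22, A = bit 19, counting from the least significant bit of the 32-bit mark) are read off the diagram.

```shell
#!/bin/sh
# Added example (not part of ip-link(8)): decode and build the 32-bit packet
# mark used with VXLAN-GBP. Bit 0 is the least significant bit of the mark.
GBP_D_BIT=$((1 << 22))    # D, Don't Learn: 10th column of the upper 16 bits
GBP_A_BIT=$((1 << 19))    # A, policy already applied: 13th column
GBP_ID_MASK=65535         # lower 16 bits: Group Policy ID

# gbp_parse_mark MARK: accept 0x-prefixed hex or plain decimal, print the
# value in decimal, return 1 if it is not a number that fits in 32 bits.
gbp_parse_mark() {
    case "$1" in
        0[xX]?*)
            gbp_hex=${1#0[xX]}
            case "$gbp_hex" in *[!0-9a-fA-F]*) return 1 ;; esac
            [ "${#gbp_hex}" -le 8 ] || return 1 ;;
        0) ;;
        [1-9]*)
            case "$1" in *[!0-9]*) return 1 ;; esac
            [ "${#1}" -le 10 ] || return 1 ;;
        *) return 1 ;;
    esac
    gbp_val=$(($1))
    [ "$gbp_val" -le 4294967295 ] || return 1
    echo "$gbp_val"
}

# gbp_decode MARK: print the fields carried by MARK. Bits of the upper half
# that the diagram leaves undefined are reported separately.
gbp_decode() {
    gbp_m=$(gbp_parse_mark "$1") || return 1
    gbp_id=$((gbp_m & GBP_ID_MASK))
    gbp_d=$(( (gbp_m & GBP_D_BIT) != 0 ))
    gbp_a=$(( (gbp_m & GBP_A_BIT) != 0 ))
    gbp_rest=$((gbp_m & ~(GBP_D_BIT | GBP_A_BIT | GBP_ID_MASK)))
    printf 'policy_id=%d dont_learn=%d policy_applied=%d undefined_bits=0x%x\n' \
        "$gbp_id" "$gbp_d" "$gbp_a" "$gbp_rest"
}

# gbp_encode POLICY_ID D A: print the mark (hex) for a policy ID 0..65535
# and the two flag bits given as 0 or 1.
gbp_encode() {
    case "$1" in 0|[1-9]*) ;; *) return 1 ;; esac
    case "$1" in *[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] || return 1
    [ "$1" -le "$GBP_ID_MASK" ] || return 1
    case "$2" in 0|1) ;; *) return 1 ;; esac
    case "$3" in 0|1) ;; *) return 1 ;; esac
    printf '0x%x\n' $(( $1 + $2 * GBP_D_BIT + $3 * GBP_A_BIT ))
}

# The mark from the man page's iptables example: policy ID 255 with A set.
gbp_decode 0x800FF
```
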
       VETH, VXCAN Type Support
              For a link of types VETH/VXCAN the following additional
              arguments are supported:

              ip link add DEVICE type { veth | vxcan } [ peer name NAME ]

                     peer name NAME - specifies the virtual pair device name
                     of the VETH/VXCAN tunnel.

       IPIP, SIT Type Support
              For a link of type IPIP or SIT the following additional
              arguments are supported:

              ip link add DEVICE type { ipip | sit } remote ADDR local ADDR [
              encap { fou | gue | none } ] [ encap-sport { PORT | auto } ] [
              encap-dport PORT ] [ [no]encap-csum ] [ [no]encap-remcsum ] [
              mode { ip6ip | ipip | mplsip | any } ] [ external ]

                     remote ADDR - specifies the remote address of the
                     tunnel.

                     local ADDR - specifies the fixed local address for
                     tunneled packets. It must be an address on another
                     interface on this host.

                     encap { fou | gue | none } - specifies type of secondary
                     UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue"
                     indicates Generic UDP Encapsulation.

                     encap-sport { PORT | auto } - specifies the source port
                     in UDP encapsulation. PORT indicates the port by
                     number, "auto" indicates that the port number should be
                     chosen automatically (the kernel picks a flow based on
                     the flow hash of the encapsulated packet).

                     [no]encap-csum - specifies if UDP checksums are enabled
                     in the secondary encapsulation.

                     [no]encap-remcsum - specifies if Remote Checksum Offload
                     is enabled. This is only applicable for Generic UDP
                     Encapsulation.

                     mode { ip6ip | ipip | mplsip | any } - specifies mode in
                     which device should run. "ip6ip" indicates
                     IPv6-Over-IPv4, "ipip" indicates "IPv4-Over-IPv4",
                     "mplsip" indicates MPLS-Over-IPv4, "any" indicates IPv6,
                     IPv4 or MPLS Over IPv4. Supported for SIT where the
                     default is "ip6ip" and IPIP where the default is "ipip".
                     IPv6-Over-IPv4 is not supported for IPIP.

                     external - make this tunnel externally controlled (e.g.
                     ip route encap).

       GRE Type Support
              For a link of type GRE or GRETAP the following additional
              arguments are supported:

              ip link add DEVICE type { gre | gretap } remote ADDR local ADDR
              [ [no][i|o]seq ] [ [i|o]key KEY | no[i|o]key ] [ [no][i|o]csum ]
              [ ttl TTL ] [ tos TOS ] [ [no]pmtudisc ] [ [no]ignore-df ] [ dev
              PHYS_DEV ] [ encap { fou | gue | none } ] [ encap-sport { PORT |
              auto } ] [ encap-dport PORT ] [ [no]encap-csum ] [
              [no]encap-remcsum ] [ external ]

                     remote ADDR - specifies the remote address of the
                     tunnel.

                     local ADDR - specifies the fixed local address for
                     tunneled packets. It must be an address on another
                     interface on this host.

                     [no][i|o]seq - serialize packets. The oseq flag enables
                     sequencing of outgoing packets. The iseq flag requires
                     that all input packets are serialized.

                     [i|o]key KEY | no[i|o]key - use keyed GRE with key KEY.
                     KEY is either a number or an IPv4 address-like dotted
                     quad. The key parameter specifies the same key to use
                     in both directions. The ikey and okey parameters
                     specify different keys for input and output.

                     [no][i|o]csum - generate/require checksums for tunneled
                     packets. The ocsum flag calculates checksums for
                     outgoing packets. The icsum flag requires that all input
                     packets have the correct checksum. The csum flag is
                     equivalent to the combination icsum ocsum.

                     ttl TTL - specifies the TTL value to use in outgoing
                     packets.

                     tos TOS - specifies the TOS value to use in outgoing
                     packets.

                     [no]pmtudisc - enables/disables Path MTU Discovery on
                     this tunnel. It is enabled by default. Note that a
                     fixed ttl is incompatible with this option: tunneling
                     with a fixed ttl always makes pmtu discovery.

                     [no]ignore-df - enables/disables IPv4 DF suppression on
                     this tunnel. Normally datagrams that exceed the MTU
                     will be fragmented; the presence of the DF flag inhibits
                     this, resulting instead in an ICMP Unreachable
                     (Fragmentation Required) message. Enabling this
                     attribute causes the DF flag to be ignored.

                     dev PHYS_DEV - specifies the physical device to use for
                     tunnel endpoint communication.

                     encap { fou | gue | none } - specifies type of secondary
                     UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue"
                     indicates Generic UDP Encapsulation.

                     encap-sport { PORT | auto } - specifies the source port
                     in UDP encapsulation. PORT indicates the port by
                     number, "auto" indicates that the port number should be
                     chosen automatically (the kernel picks a flow based on
                     the flow hash of the encapsulated packet).

                     [no]encap-csum - specifies if UDP checksums are enabled
                     in the secondary encapsulation.

                     [no]encap-remcsum - specifies if Remote Checksum Offload
                     is enabled. This is only applicable for Generic UDP
                     Encapsulation.

                     external - make this tunnel externally controlled (e.g.
                     ip route encap).

       IP6GRE/IP6GRETAP Type Support
              For a link of type IP6GRE/IP6GRETAP the following additional
              arguments are supported:

              ip link add DEVICE type { ip6gre | ip6gretap } remote ADDR local
              ADDR [ [no][i|o]seq ] [ [i|o]key KEY | no[i|o]key ] [
              [no][i|o]csum ] [ hoplimit TTL ] [ encaplimit ELIM ] [ tclass
              TCLASS ] [ flowlabel FLOWLABEL ] [ dscp inherit ] [
              [no]allow-localremote ] [ dev PHYS_DEV ] [ external ]

                     remote ADDR - specifies the remote IPv6 address of the
                     tunnel.

                     local ADDR - specifies the fixed local IPv6 address for
                     tunneled packets. It must be an address on another
                     interface on this host.

                     [no][i|o]seq - serialize packets. The oseq flag enables
                     sequencing of outgoing packets. The iseq flag requires
                     that all input packets are serialized.

                     [i|o]key KEY | no[i|o]key - use keyed GRE with key KEY.
                     KEY is either a number or an IPv4 address-like dotted
                     quad. The key parameter specifies the same key to use
                     in both directions. The ikey and okey parameters
                     specify different keys for input and output.

                     [no][i|o]csum - generate/require checksums for tunneled
                     packets. The ocsum flag calculates checksums for
                     outgoing packets. The icsum flag requires that all input
                     packets have the correct checksum. The csum flag is
                     equivalent to the combination icsum ocsum.

                     hoplimit TTL - specifies Hop Limit value to use in
                     outgoing packets.

                     encaplimit ELIM - specifies a fixed encapsulation limit.
                     Default is 4.

                     flowlabel FLOWLABEL - specifies a fixed flowlabel.

                     [no]allow-localremote - specifies whether to allow
                     remote endpoint to have an address configured on local
                     host.

                     tclass TCLASS - specifies the traffic class field on
                     tunneled packets, which can be specified as either a
                     two-digit hex value (e.g. c0) or a predefined string
                     (e.g. internet). The value inherit causes the field to
                     be copied from the original IP header. The values
                     inherit/STRING or inherit/00..ff will set the field to
                     STRING or 00..ff when tunneling non-IP packets. The
                     default value is 00.

                     external - make this tunnel externally controlled (or
                     not, which is the default). In the kernel, this is
                     referred to as collect metadata mode. This flag is
                     mutually exclusive with the remote, local, seq, key,
                     csum, hoplimit, encaplimit, flowlabel and tclass
                     options.

       IPoIB Type Support
              For a link of type IPoIB the following additional arguments are
              supported:

              ip link add DEVICE name NAME type ipoib [ pkey PKEY ] [ mode
              MODE ]

                     pkey PKEY - specifies the IB P-Key to use.

                     mode MODE - specifies the mode (datagram or connected)
                     to use.

       ERSPAN Type Support
              For a link of type ERSPAN/IP6ERSPAN the following additional
              arguments are supported:

              ip link add DEVICE type { erspan | ip6erspan } remote ADDR local
              ADDR seq key KEY erspan_ver version [ erspan IDX ] [ erspan_dir
              { ingress | egress } ] [ erspan_hwid hwid ] [
              [no]allow-localremote ] [ external ]

                     remote ADDR - specifies the remote address of the
                     tunnel.

                     local ADDR - specifies the fixed local address for
                     tunneled packets. It must be an address on another
                     interface on this host.

                     erspan_ver version - specifies the ERSPAN version
                     number. version indicates the ERSPAN version to be
                     created: 0 for version 0 type I, 1 for version 1 (type
                     II) or 2 for version 2 (type III).

                     erspan IDX - specifies the ERSPAN v1 index field. IDX
                     indicates a 20 bit index/port number associated with the
                     ERSPAN traffic's source port and direction.

                     erspan_dir { ingress | egress } - specifies the ERSPAN
                     v2 mirrored traffic's direction.

                     erspan_hwid hwid - a unique identifier of an ERSPAN v2
                     engine within a system. hwid is a 6-bit value for users
                     to configure.

                     [no]allow-localremote - specifies whether to allow
                     remote endpoint to have an address configured on local
                     host.

                     external - make this tunnel externally controlled (or
                     not, which is the default). In the kernel, this is
                     referred to as collect metadata mode. This flag is
                     mutually exclusive with the remote, local, erspan_ver,
                     erspan, erspan_dir and erspan_hwid options.

       GENEVE Type Support
              For a link of type GENEVE the following additional arguments are
              supported:

              ip link add DEVICE type geneve id VNI remote IPADDR [ ttl TTL ]
              [ tos TOS ] [ df DF ] [ flowlabel FLOWLABEL ] [ dstport PORT ] [
              [no]external ] [ [no]udpcsum ] [ [no]udp6zerocsumtx ] [
              [no]udp6zerocsumrx ]

                     id VNI - specifies the Virtual Network Identifier to
                     use.

                     remote IPADDR - specifies the unicast destination IP
                     address to use in outgoing packets.

                     ttl TTL - specifies the TTL value to use in outgoing
                     packets. "0" or "auto" means use whatever default value,
                     "inherit" means inherit the inner protocol's ttl.
                     Default option is "0".

                     tos TOS - specifies the TOS value to use in outgoing
                     packets.

                     df DF - specifies the usage of the Don't Fragment flag
                     (DF) bit in outgoing packets with IPv4 headers. The
                     value inherit causes the bit to be copied from the
                     original IP header. The values unset and set cause the
                     bit to be always unset or always set, respectively. By
                     default, the bit is not set.

                     flowlabel FLOWLABEL - specifies the flow label to use in
                     outgoing packets.

                     dstport PORT - select a destination port other than the
                     default of 6081.

                     [no]external - make this tunnel externally controlled
                     (or not, which is the default). This flag is mutually
                     exclusive with the id, remote, ttl, tos and flowlabel
                     options.

                     [no]udpcsum - specifies if UDP checksum is calculated
                     for transmitted packets over IPv4.

                     [no]udp6zerocsumtx - skip UDP checksum calculation for
                     transmitted packets over IPv6.

                     [no]udp6zerocsumrx - allow incoming UDP packets over
                     IPv6 with zero checksum field.

       Bareudp Type Support
              For a link of type Bareudp the following additional arguments
              are supported:

              ip link add DEVICE type bareudp dstport PORT ethertype PROTO [
              srcportmin PORT ] [ [no]multiproto ]

                     dstport PORT - specifies the destination port for the
                     UDP tunnel.

                     ethertype PROTO - specifies the ethertype of the L3
                     protocol being tunnelled. ethertype can be given as
                     plain Ethernet protocol number or using the protocol
                     name ("ipv4", "ipv6", "mpls_uc", etc.).

                     srcportmin PORT - selects the lowest value of the UDP
                     tunnel source port range.

                     [no]multiproto - activates support for protocols similar
                     to the one specified by ethertype. When ethertype is
                     "mpls_uc" (that is, unicast MPLS), this allows the
                     tunnel to also handle multicast MPLS. When ethertype is
                     "ipv4", this allows the tunnel to also handle IPv6. This
                     option is disabled by default.

       MACVLAN and MACVTAP Type Support
              For a link of type MACVLAN or MACVTAP the following additional
              arguments are supported:

              ip link add link DEVICE name NAME type { macvlan | macvtap }
              mode { private | vepa | bridge | passthru [ nopromisc ] |
              source } [ bcqueuelen { LENGTH } ]

                     type { macvlan | macvtap } - specifies the link type to
                     use. macvlan creates just a virtual interface, while
                     macvtap in addition creates a character device /dev/tapX
                     to be used just like a tuntap device.

                     mode private - Do not allow communication between
                     macvlan instances on the same physical interface, even
                     if the external switch supports hairpin mode.

                     mode vepa - Virtual Ethernet Port Aggregator mode. Data
                     from one macvlan instance to the other on the same
                     physical interface is transmitted over the physical
                     interface. Either the attached switch needs to support
                     hairpin mode, or there must be a TCP/IP router
                     forwarding the packets in order to allow communication.
                     This is the default mode.

                     mode bridge - In bridge mode, all endpoints are directly
                     connected to each other; communication is not redirected
                     through the physical interface's peer.

                     mode passthru [ nopromisc ] - This mode gives more power
                     to a single endpoint, usually in macvtap mode. It is not
                     allowed for more than one endpoint on the same physical
                     interface. All traffic will be forwarded to this
                     endpoint, allowing virtio guests to change MAC address
                     or set promiscuous mode in order to bridge the interface
                     or create vlan interfaces on top of it. By default, this
                     mode forces the underlying interface into promiscuous
                     mode. Passing the nopromisc flag prevents this, so the
                     promisc flag may be controlled using standard tools.

                     mode source - allows one to set a list of allowed MAC
                     addresses, which is matched against the source MAC
                     address of frames received on the underlying interface.
                     This allows creating MAC based VLAN associations,
                     instead of standard port or tag based ones. The feature
                     is useful to deploy 802.1x MAC based behavior where
                     drivers of underlying interfaces do not allow that.

                     bcqueuelen { LENGTH } - Set the length of the RX queue
                     used to process broadcast and multicast packets. LENGTH
                     must be a positive integer in the range [0-4294967295].
                     Setting a length of 0 will effectively drop all
                     broadcast/multicast traffic. If not specified the
                     macvlan driver default (1000) is used. Note that all
                     macvlans that share the same underlying device are using
                     the same queue. The parameter here is a request, the
                     actual queue length used will be the maximum length that
                     any macvlan interface has requested. When listing device
                     parameters both the bcqueuelen parameter as well as the
                     actual used bcqueuelen are listed to better help the
                     user understand the setting.

       High-availability Seamless Redundancy (HSR) Support
              For a link of type HSR the following additional arguments are
              supported:

              ip link add link DEVICE name NAME type hsr slave1 SLAVE1-IF
              slave2 SLAVE2-IF [ supervision ADDR-BYTE ] [ version { 0 | 1 } ]
              [ proto { 0 | 1 } ]

                     type hsr - specifies the link type to use, here HSR.

                     slave1 SLAVE1-IF - Specifies the physical device used
                     for the first of the two ring ports.

                     slave2 SLAVE2-IF - Specifies the physical device used
                     for the second of the two ring ports.

                     supervision ADDR-BYTE - The last byte of the multicast
                     address used for HSR supervision frames. Default option
                     is "0", possible values 0-255.

                     version { 0 | 1 } - Selects the protocol version of the
                     interface. Default option is "0", which corresponds to
                     the 2010 version of the HSR standard. Option "1"
                     activates the 2012 version.

                     proto { 0 | 1 } - Selects the protocol at the interface.
                     Default option is "0", which corresponds to the HSR
                     standard. Option "1" activates the Parallel Redundancy
                     Protocol (PRP).

       BRIDGE Type Support
              For a link of type BRIDGE the following additional arguments are
              supported:

              ip link add DEVICE type bridge [ ageing_time AGEING_TIME ] [
              group_fwd_mask MASK ] [ group_address ADDRESS ] [ forward_delay
              FORWARD_DELAY ] [ hello_time HELLO_TIME ] [ max_age MAX_AGE ] [
              stp_state STP_STATE ] [ priority PRIORITY ] [ vlan_filtering
              VLAN_FILTERING ] [ vlan_protocol VLAN_PROTOCOL ] [
              vlan_default_pvid VLAN_DEFAULT_PVID ] [ vlan_stats_enabled
              VLAN_STATS_ENABLED ] [ vlan_stats_per_port VLAN_STATS_PER_PORT ]
              [ mcast_snooping MULTICAST_SNOOPING ] [ mcast_router
              MULTICAST_ROUTER ] [ mcast_query_use_ifaddr
              MCAST_QUERY_USE_IFADDR ] [ mcast_querier MULTICAST_QUERIER ] [
              mcast_hash_elasticity HASH_ELASTICITY ] [ mcast_hash_max
              HASH_MAX ] [ mcast_last_member_count LAST_MEMBER_COUNT ] [
              mcast_startup_query_count STARTUP_QUERY_COUNT ] [
              mcast_last_member_interval LAST_MEMBER_INTERVAL ] [
              mcast_membership_interval MEMBERSHIP_INTERVAL ] [
              mcast_querier_interval QUERIER_INTERVAL ] [
              mcast_query_interval QUERY_INTERVAL ] [
              mcast_query_response_interval QUERY_RESPONSE_INTERVAL ] [
              mcast_startup_query_interval STARTUP_QUERY_INTERVAL ] [
              mcast_stats_enabled MCAST_STATS_ENABLED ] [ mcast_igmp_version
              IGMP_VERSION ] [ mcast_mld_version MLD_VERSION ] [
              nf_call_iptables NF_CALL_IPTABLES ] [ nf_call_ip6tables
              NF_CALL_IP6TABLES ] [ nf_call_arptables NF_CALL_ARPTABLES ]

                     ageing_time AGEING_TIME - configure the bridge's FDB
                     entries ageing time, i.e. the number of seconds a MAC
                     address will be kept in the FDB after a packet has been
                     received from that address. After this time has passed,
                     entries are cleaned up.

                     group_fwd_mask MASK - set the group forward mask. This
                     is the bitmask that is applied to decide whether to
                     forward incoming frames destined to link-local
                     addresses, i.e. addresses of the form 01:80:C2:00:00:0X
                     (defaults to 0, i.e. the bridge does not forward any
                     link-local frames).

                     group_address ADDRESS - set the MAC address of the
                     multicast group this bridge uses for STP. The address
                     must be a link-local address in standard Ethernet MAC
                     address format, i.e. an address of the form
                     01:80:C2:00:00:0X, with X in [0, 4..f].

                     forward_delay FORWARD_DELAY - set the forwarding delay
                     in seconds, i.e. the time spent in LISTENING state
                     (before moving to LEARNING) and in LEARNING state
                     (before moving to FORWARDING). Only relevant if STP is
                     enabled. Valid values are between 2 and 30.

                     hello_time HELLO_TIME - set the time in seconds between
                     hello packets sent by the bridge, when it is a root
                     bridge or a designated bridge. Only relevant if STP is
                     enabled. Valid values are between 1 and 10.

                     max_age MAX_AGE - set the hello packet timeout, i.e. the
                     time in seconds until another bridge in the spanning
                     tree is assumed to be dead, after reception of its last
                     hello message. Only relevant if STP is enabled. Valid
                     values are between 6 and 40.

                     stp_state STP_STATE - turn spanning tree protocol on
                     (STP_STATE > 0) or off (STP_STATE == 0) for this
                     bridge.

                     priority PRIORITY - set this bridge's spanning tree
                     priority, used during STP root bridge election. PRIORITY
                     is a 16bit unsigned integer.

                     vlan_filtering VLAN_FILTERING - turn VLAN filtering on
                     (VLAN_FILTERING > 0) or off (VLAN_FILTERING == 0). When
                     disabled, the bridge will not consider the VLAN tag when
                     handling packets.

                     vlan_protocol { 802.1Q | 802.1ad } - set the protocol
                     used for VLAN filtering.

                     vlan_default_pvid VLAN_DEFAULT_PVID - set the default
                     PVID (native/untagged VLAN ID) for this bridge.

                     vlan_stats_enabled VLAN_STATS_ENABLED - enable
                     (VLAN_STATS_ENABLED == 1) or disable (VLAN_STATS_ENABLED
                     == 0) per-VLAN stats accounting.

                     vlan_stats_per_port VLAN_STATS_PER_PORT - enable
                     (VLAN_STATS_PER_PORT == 1) or disable
                     (VLAN_STATS_PER_PORT == 0) per-VLAN per-port stats
                     accounting. Can be changed only when there are no port
                     VLANs configured.

                     mcast_snooping MULTICAST_SNOOPING - turn multicast
                     snooping on (MULTICAST_SNOOPING > 0) or off
                     (MULTICAST_SNOOPING == 0).

                     mcast_router MULTICAST_ROUTER - set bridge's multicast
                     router if IGMP snooping is enabled. MULTICAST_ROUTER is
                     an integer value having the following meaning:

                            0 - disabled.

                            1 - automatic (queried).

                            2 - permanently enabled.

                     mcast_query_use_ifaddr MCAST_QUERY_USE_IFADDR - whether
                     to use the bridge's own IP address as source address for
                     IGMP queries (MCAST_QUERY_USE_IFADDR > 0) or the default
                     of 0.0.0.0 (MCAST_QUERY_USE_IFADDR == 0).

                     mcast_querier MULTICAST_QUERIER - enable
                     (MULTICAST_QUERIER > 0) or disable (MULTICAST_QUERIER ==
                     0) IGMP querier, i.e. sending of multicast queries by
                     the bridge (default: disabled).

                     mcast_querier_interval QUERIER_INTERVAL - interval be‐
1028 tween queries sent by other routers. if no queries are
1029 seen after this delay has passed, the bridge will start
1030 to send its own queries (as if mcast_querier was en‐
1031 abled).
1032
1033 mcast_hash_elasticity HASH_ELASTICITY - set multicast
1034 database hash elasticity, ie the maximum chain length in
1035 the multicast hash table (defaults to 4).
1036
1037 mcast_hash_max HASH_MAX - set maximum size of multicast
1038 hash table (defaults to 512, value must be a power of
1039 2).
1040
1041 mcast_last_member_count LAST_MEMBER_COUNT - set multi‐
1042 cast last member count, ie the number of queries the
1043 bridge will send before stopping forwarding a multicast
1044 group after a "leave" message has been received (de‐
1045 faults to 2).
1046
1047 mcast_last_member_interval LAST_MEMBER_INTERVAL - inter‐
1048 val between queries to find remaining members of a
1049 group, after a "leave" message is received.
1050
1051 mcast_startup_query_count STARTUP_QUERY_COUNT - set the
1052 number of IGMP queries to send during startup phase (de‐
1053 faults to 2).
1054
1055 mcast_startup_query_interval STARTUP_QUERY_INTERVAL -
1056 interval between queries in the startup phase.
1057
1058 mcast_query_interval QUERY_INTERVAL - interval between
1059 queries sent by the bridge after the end of the startup
1060 phase.
1061
1062 mcast_query_response_interval QUERY_RESPONSE_INTERVAL -
1063 set the Max Response Time/Maximum Response Delay for
1064 IGMP/MLD queries sent by the bridge.
1065
1066 mcast_membership_interval MEMBERSHIP_INTERVAL - delay
1067 after which the bridge will leave a group, if no member‐
1068 ship reports for this group are received.
1069
1070 mcast_stats_enabled MCAST_STATS_ENABLED - enable
1071 (MCAST_STATS_ENABLED > 0) or disable (MCAST_STATS_EN‐
1072 ABLED == 0) multicast (IGMP/MLD) stats accounting.
1073
1074 mcast_igmp_version IGMP_VERSION - set the IGMP version.
1075
1076 mcast_mld_version MLD_VERSION - set the MLD version.
1077
1078 nf_call_iptables NF_CALL_IPTABLES - enable (NF_CALL_IPT‐
1079 ABLES > 0) or disable (NF_CALL_IPTABLES == 0) iptables
1080 hooks on the bridge.
1081
1082 nf_call_ip6tables NF_CALL_IP6TABLES - enable
1083 (NF_CALL_IP6TABLES > 0) or disable (NF_CALL_IP6TABLES ==
1084 0) ip6tables hooks on the bridge.
1085
1086 nf_call_arptables NF_CALL_ARPTABLES - enable
1087 (NF_CALL_ARPTABLES > 0) or disable (NF_CALL_ARPTABLES ==
1088 0) arptables hooks on the bridge.
1089
1090
1091
1092
              MACsec Type Support
              For a link of type MACsec the following additional arguments
              are supported:

              ip link add link DEVICE name NAME type macsec [ [ address
              <lladdr> ] port PORT | sci SCI ] [ cipher CIPHER_SUITE ] [
              icvlen { 8..16 } ] [ encrypt { on | off } ] [ send_sci { on |
              off } ] [ end_station { on | off } ] [ scb { on | off } ] [
              protect { on | off } ] [ replay { on | off } window {
              0..2^32-1 } ] [ validate { strict | check | disabled } ] [
              encodingsa { 0..3 } ]

                     address <lladdr> - sets the system identifier component
                     of secure channel for this MACsec device.

                     port PORT - sets the port number component of secure
                     channel for this MACsec device, in a range from 1 to
                     65535 inclusive. Numbers with a leading "0" or "0x" are
                     interpreted as octal and hexadecimal, respectively.

                     sci SCI - sets the secure channel identifier for this
                     MACsec device. SCI is a 64-bit wide number in
                     hexadecimal format.

                     cipher CIPHER_SUITE - defines the cipher suite to use.

                     icvlen LENGTH - sets the length of the Integrity Check
                     Value (ICV).

                     encrypt on or encrypt off - switches between
                     authenticated encryption, or authenticity mode only.

                     send_sci on or send_sci off - specifies whether the SCI
                     is included in every packet, or only when it is
                     necessary.

                     end_station on or end_station off - sets the End
                     Station bit.

                     scb on or scb off - sets the Single Copy Broadcast bit.

                     protect on or protect off - enables MACsec protection
                     on the device.

                     replay on or replay off - enables replay protection on
                     the device.

                            window SIZE - sets the size of the replay
                            window.

                     validate strict or validate check or validate disabled
                     - sets the validation mode on the device.

                     encodingsa AN - sets the active secure association for
                     transmission.

              VRF Type Support
              For a link of type VRF the following additional arguments are
              supported:

              ip link add DEVICE type vrf table TABLE

                     table TABLE - table id associated with the VRF device.

              RMNET Type Support
              For a link of type RMNET the following additional arguments
              are supported:

              ip link add link DEVICE name NAME type rmnet mux_id MUXID

                     mux_id MUXID - specifies the mux identifier for the
                     rmnet device, possible values 1-254.

              XFRM Type Support
              For a link of type XFRM the following additional arguments are
              supported:

              ip link add DEVICE type xfrm dev PHYS_DEV [ if_id IF_ID ]

                     dev PHYS_DEV - specifies the underlying physical
                     interface from which transform traffic is sent and
                     received.

                     if_id IF_ID - specifies the hexadecimal lookup key used
                     to send traffic to and from specific xfrm policies.
                     Policies must be configured with the same key. If not
                     set, the key defaults to 0 and will match any policies
                     which similarly do not have a lookup key configuration.

   ip link delete - delete virtual link
       dev DEVICE
              specifies the virtual device to operate on.

       group GROUP
              specifies the group of virtual links to delete. Group 0 is not
              allowed to be deleted since it is the default group.

       type TYPE
              specifies the type of the device.

   ip link set - change device attributes
       Warning: If multiple parameter changes are requested, ip aborts
       immediately after any of the changes has failed. This is the only
       case when ip can move the system to an unpredictable state. The
       solution is to avoid changing several parameters with one ip link set
       call. The modifier change is equivalent to set.

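An added example (not part of the original man page): a POSIX shell helper that follows the advice in the warning above by issuing one ip link set call per attribute and stopping at the first failure, so the set of applied changes is always known. The function name apply_link_changes and the IP_BIN variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of ip-link(8).
# IP_BIN is an assumption of this example: point it at a wrapper or a
# stub to rehearse a change set without touching real interfaces.
IP_BIN="${IP_BIN:-ip}"

# apply_link_changes DEVICE CHANGE...
# Each CHANGE is exactly one attribute with its value, e.g. "mtu 1400".
# Every CHANGE becomes its own "ip link set" call, in the order given.
# Returns 0 when all changes were applied, 1 at the first failure; the
# remaining changes are then not attempted and $applied holds the number
# of changes that did succeed.
apply_link_changes() {
    dev=$1
    shift
    applied=0
    for change in "$@"; do
        # $change is left unquoted on purpose: "mtu 1400" must reach ip
        # as two separate arguments.
        if "$IP_BIN" link set dev "$dev" $change; then
            applied=$((applied + 1))
            echo "ok: $dev $change"
        else
            echo "failed: $dev $change (applied $applied of $# changes)" >&2
            return 1
        fi
    done
    echo "all $applied changes applied to $dev"
}

# Usage (needs CAP_NET_ADMIN on a real host):
#   apply_link_changes eth0 "mtu 1400" "txqueuelen 500" "promisc off"
```

Because each call carries a single attribute, a non-zero return identifies the one change that was rejected and everything before it is known to be in effect.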

       dev DEVICE
              DEVICE specifies the network device to operate on. When
              configuring SR-IOV Virtual Function (VF) devices, this keyword
              should specify the associated Physical Function (PF) device.

       group GROUP
              GROUP has a dual role: If both group and dev are present, then
              move the device to the specified group. If only a group is
              specified, then the command operates on all devices in that
              group.

       up and down
              change the state of the device to UP or DOWN.

       arp on or arp off
              change the NOARP flag on the device.

       multicast on or multicast off
              change the MULTICAST flag on the device.

       allmulticast on or allmulticast off
              change the ALLMULTI flag on the device. When enabled,
              instructs network driver to retrieve all multicast packets
              from the network to the kernel for further processing.

       promisc on or promisc off
              change the PROMISC flag on the device. When enabled, activates
              promiscuous operation of the network device.

       trailers on or trailers off
              change the NOTRAILERS flag on the device. NOT used by Linux;
              exists for BSD compatibility.

       protodown on or protodown off
              change the PROTODOWN state on the device. Indicates that a
              protocol error has been detected on the port. Switch drivers
              can react to this error by doing a phys down on the switch
              port.

       protodown_reason PREASON on or off
              set PROTODOWN reasons on the device. protodown reason bit
              names can be enumerated under
              /etc/iproute2/protodown_reasons.d/. Possible reason bits are
              0-31.

       dynamic on or dynamic off
              change the DYNAMIC flag on the device. Indicates that address
              can change when interface goes down (currently NOT used by
              Linux).

       name NAME
              change the name of the device. This operation is not
              recommended if the device is running or has some addresses
              already configured.

       txqueuelen NUMBER

       txqlen NUMBER
              change the transmit queue length of the device.

       mtu NUMBER
              change the MTU of the device.

       address LLADDRESS
              change the station address of the interface.

       broadcast LLADDRESS

       brd LLADDRESS

       peer LLADDRESS
              change the link layer broadcast address or the peer address
              when the interface is POINTOPOINT.

       netns NETNSNAME | PID
              move the device to the network namespace associated with name
              NETNSNAME or process PID.

              Some devices are not allowed to change network namespace:
              loopback, bridge, wireless. These are network namespace local
              devices. In such a case the ip tool will return an "Invalid
              argument" error. It is possible to find out if a device is
              local to a single network namespace by checking the
              netns-local flag in the output of ethtool:

                      ethtool -k DEVICE

              To change network namespace for wireless devices the iw tool
              can be used. However, it can change the network namespace only
              for physical devices and only by process PID.

       alias NAME
              give the device a symbolic name for easy reference.

       group GROUP
              specify the group the device belongs to. The available groups
              are listed in file /etc/iproute2/group.

       vf NUM specify a Virtual Function device to be configured. The
              associated PF device must be specified using the dev
              parameter.

                     mac LLADDRESS - change the station address for the
                     specified VF. The vf parameter must be specified.

                     vlan VLANID - change the assigned VLAN for the
                     specified VF. When specified, all traffic sent from the
                     VF will be tagged with the specified VLAN ID. Incoming
                     traffic will be filtered for the specified VLAN ID, and
                     will have all VLAN tags stripped before being passed to
                     the VF. Setting this parameter to 0 disables VLAN
                     tagging and filtering. The vf parameter must be
                     specified.

                     qos VLAN-QOS - assign VLAN QOS (priority) bits for the
                     VLAN tag. When specified, all VLAN tags transmitted by
                     the VF will include the specified priority bits in the
                     VLAN tag. If not specified, the value is assumed to be
                     0. Both the vf and vlan parameters must be specified.
                     Setting both vlan and qos as 0 disables VLAN tagging
                     and filtering for the VF.

                     proto VLAN-PROTO - assign VLAN PROTOCOL for the VLAN
                     tag, either 802.1Q or 802.1ad. When set to 802.1ad, all
                     traffic sent from the VF will be tagged with VLAN
                     S-Tag. Incoming traffic will have VLAN S-Tags stripped
                     before being passed to the VF. Setting to 802.1ad also
                     enables an option to concatenate another VLAN tag, so
                     both S-TAG and C-TAG will be inserted/stripped for
                     outgoing/incoming traffic, respectively. If not
                     specified, the value is assumed to be 802.1Q. Both the
                     vf and vlan parameters must be specified.

                     rate TXRATE - change the allowed transmit bandwidth, in
                     Mbps, for the specified VF. Setting this parameter to 0
                     disables rate limiting. The vf parameter must be
                     specified. Please use the new API max_tx_rate option
                     instead.

                     max_tx_rate TXRATE - change the allowed maximum
                     transmit bandwidth, in Mbps, for the specified VF.
                     Setting this parameter to 0 disables rate limiting. The
                     vf parameter must be specified.

                     min_tx_rate TXRATE - change the allowed minimum
                     transmit bandwidth, in Mbps, for the specified VF.
                     Minimum TXRATE should be always <= Maximum TXRATE.
                     Setting this parameter to 0 disables rate limiting. The
                     vf parameter must be specified.

                     spoofchk on|off - turn packet spoof checking on or off
                     for the specified VF.

                     query_rss on|off - toggle the ability of querying the
                     RSS configuration of a specific VF. VF RSS information
                     like RSS hash key may be considered sensitive on some
                     devices where this information is shared between VF and
                     PF and thus its querying may be prohibited by default.

                     state auto|enable|disable - set the virtual link state
                     as seen by the specified VF. Setting to auto means a
                     reflection of the PF link state, enable lets the VF
                     communicate with other VFs on this host even if the PF
                     link state is down, disable causes the HW to drop any
                     packets sent by the VF.

                     trust on|off - trust the specified VF user. This allows
                     the VF user to set a specific feature which may impact
                     security and/or performance (e.g. VF multicast
                     promiscuous mode).

                     node_guid eui64 - configure node GUID for Infiniband
                     VFs.

                     port_guid eui64 - configure port GUID for Infiniband
                     VFs.

       xdp object | pinned | off
              set (or unset) an XDP ("eXpress Data Path") BPF program to run
              on every packet at driver level. ip link output will indicate
              a xdp flag for the networking device. If the driver does not
              have native XDP support, the kernel will fall back to a
              slower, driver-independent "generic" XDP variant. The ip link
              output will in that case indicate xdpgeneric instead of xdp
              only. If the driver does have native XDP support, but the
              program is loaded under xdpgeneric object | pinned then the
              kernel will use the generic XDP variant instead of the native
              one. xdpdrv has the opposite effect of requesting that the
              automatic fallback to the generic XDP variant be disabled, so
              that an error is returned if the driver is not XDP-capable.
              xdpdrv also disables hardware offloads. xdpoffload in ip link
              output indicates that the program has been offloaded to
              hardware and can also be used to request the "offload" mode;
              much like xdpgeneric, it forces the program to be installed
              specifically in the HW/FW of the adapter.

              off (or none) - Detaches any currently attached XDP/BPF
              program from the given device.

              object FILE - Attaches an XDP/BPF program to the given device.
              The FILE points to a BPF ELF file (e.g. generated by LLVM)
              that contains the BPF program code, map specifications, etc.
              If an XDP/BPF program is already attached to the given device,
              an error will be thrown. If no XDP/BPF program is currently
              attached, the device supports XDP and the program from the BPF
              ELF file passes the kernel verifier, then it will be attached
              to the device. If the option -force is passed to ip then any
              prior attached XDP/BPF program will be atomically overridden
              and no error will be thrown in this case. If no section option
              is passed, then the default section name ("prog") will be
              assumed, otherwise the provided section name will be used. If
              no verbose option is passed, then a verifier log will only be
              dumped on load error. See also EXAMPLES section for usage
              examples.

              section NAME - Specifies a section name that contains the BPF
              program code. If no section name is specified, the default one
              ("prog") will be used. This option is to be passed with the
              object option.

              verbose - Act in verbose mode. For example, even in case of
              success, this will print the verifier log in case a program
              was loaded from a BPF ELF file.

              pinned FILE - Attaches an XDP/BPF program to the given device.
              The FILE points to an already pinned BPF program in the BPF
              file system. The option section doesn't apply here, but
              otherwise semantics are the same as with the option object
              described already.

       master DEVICE
              set master device of the device (enslave device).

       nomaster
              unset master device of the device (release device).

       addrgenmode eui64|none|stable_secret|random
              set the IPv6 address generation mode

              eui64 - use a Modified EUI-64 format interface identifier

              none - disable automatic address generation

              stable_secret - generate the interface identifier based on a
              preset /proc/sys/net/ipv6/conf/{default,DEVICE}/stable_secret

              random - like stable_secret, but auto-generate a new random
              secret if none is set

       link-netnsid
              set peer netnsid for a cross-netns interface

       type ETYPE TYPE_ARGS
              Change type-specific settings. For a list of supported types
              and arguments refer to the description of ip link add above.
              In addition to that, it is possible to manipulate settings to
              slave devices:

              Bridge Slave Support
              For a link with master bridge the following additional
              arguments are supported:

              ip link set type bridge_slave [ fdb_flush ] [ state STATE ] [
              priority PRIO ] [ cost COST ] [ guard { on | off } ] [ hairpin
              { on | off } ] [ fastleave { on | off } ] [ root_block { on |
              off } ] [ learning { on | off } ] [ flood { on | off } ] [
              proxy_arp { on | off } ] [ proxy_arp_wifi { on | off } ] [
              mcast_router MULTICAST_ROUTER ] [ mcast_fast_leave { on | off
              } ] [ mcast_flood { on | off } ] [ mcast_to_unicast { on | off
              } ] [ group_fwd_mask MASK ] [ neigh_suppress { on | off } ] [
              vlan_tunnel { on | off } ] [ isolated { on | off } ] [
              backup_port DEVICE ] [ nobackup_port ]

                     fdb_flush - flush bridge slave's fdb dynamic entries.

                     state STATE - Set port state. STATE is a number
                     representing the following states: 0 (disabled), 1
                     (listening), 2 (learning), 3 (forwarding), 4
                     (blocking).

                     priority PRIO - set port priority (allowed values are
                     between 0 and 63, inclusively).

                     cost COST - set port cost (allowed values are between 1
                     and 65535, inclusively).

                     guard { on | off } - block incoming BPDU packets on
                     this port.

                     hairpin { on | off } - enable hairpin mode on this
                     port. This will allow incoming packets on this port to
                     be reflected back.

                     fastleave { on | off } - enable multicast fast leave on
                     this port.

                     root_block { on | off } - block this port from becoming
                     the bridge's root port.

                     learning { on | off } - allow MAC address learning on
                     this port.

                     flood { on | off } - open the flood gates on this port,
                     i.e. forward all unicast frames to this port also.
                     Requires proxy_arp and proxy_arp_wifi to be turned off.

                     proxy_arp { on | off } - enable proxy ARP on this port.

                     proxy_arp_wifi { on | off } - enable proxy ARP on this
                     port which meets extended requirements by IEEE 802.11
                     and Hotspot 2.0 specifications.

                     mcast_router MULTICAST_ROUTER - configure this port for
                     having multicast routers attached. A port with a
                     multicast router will receive all multicast traffic.
                     MULTICAST_ROUTER may be either 0 to disable multicast
                     routers on this port, 1 to let the system detect the
                     presence of routers (this is the default), 2 to
                     permanently enable multicast traffic forwarding on this
                     port or 3 to enable multicast routers temporarily on
                     this port, not depending on incoming queries.

                     mcast_fast_leave { on | off } - this is a synonym to
                     the fastleave option above.

                     mcast_flood { on | off } - controls whether a given
                     port will flood multicast traffic for which there is no
                     MDB entry.

                     mcast_to_unicast { on | off } - controls whether a
                     given port will replicate packets using unicast instead
                     of multicast. By default this flag is off.

                     group_fwd_mask MASK - set the group forward mask. This
                     is the bitmask that is applied to decide whether to
                     forward incoming frames destined to link-local
                     addresses, i.e. addresses of the form
                     01:80:C2:00:00:0X (defaults to 0, i.e. the bridge does
                     not forward any link-local frames coming on this port).

                     neigh_suppress { on | off } - controls whether neigh
                     discovery (arp and nd) proxy and suppression is enabled
                     on the port. By default this flag is off.

                     vlan_tunnel { on | off } - controls whether vlan to
                     tunnel mapping is enabled on the port. By default this
                     flag is off.

                     backup_port DEVICE - if the port loses carrier all
                     traffic will be redirected to the configured backup
                     port.

                     nobackup_port - removes the currently configured backup
                     port.

              Bonding Slave Support
              For a link with master bond the following additional arguments
              are supported:

              ip link set type bond_slave [ queue_id ID ]

                     queue_id ID - set the slave's queue ID (a 16-bit
                     unsigned value).

              MACVLAN and MACVTAP Support
              Modify list of allowed macaddr for link in source mode.

              ip link set type { macvlan | macvtap } [ macaddr COMMAND
              MACADDR ... ]

              Commands:
                     add - add MACADDR to allowed list

                     set - replace allowed list

                     del - remove MACADDR from allowed list

                     flush - flush whole allowed list

              Update the broadcast/multicast queue length.

              ip link set type { macvlan | macvtap } [ bcqueuelen LENGTH ]

                     bcqueuelen LENGTH - Set the length of the RX queue used
                     to process broadcast and multicast packets. LENGTH must
                     be a positive integer in the range [0-4294967295].
                     Setting a length of 0 will effectively drop all
                     broadcast/multicast traffic. If not specified the
                     macvlan driver default (1000) is used. Note that all
                     macvlans that share the same underlying device are
                     using the same queue. The parameter here is a request,
                     the actual queue length used will be the maximum length
                     that any macvlan interface has requested. When listing
                     device parameters both the bcqueuelen parameter as well
                     as the actual used bcqueuelen are listed to better help
                     the user understand the setting.

   ip link show - display device attributes
       dev NAME (default)
              NAME specifies the network device to show.

       group GROUP
              GROUP specifies what group of devices to show.

       up     only display running interfaces.

       master DEVICE
              DEVICE specifies the master device which enslaves devices to
              show.

       vrf NAME
              NAME specifies the VRF which enslaves devices to show.

       type TYPE
              TYPE specifies the type of devices to show.

              Note that the type name is not checked against the list of
              supported types - instead it is sent as-is to the kernel.
              Later it is used to filter the returned interface list by
              comparing it with the relevant attribute in case the kernel
              didn't filter already. Therefore any string is accepted, but
              may lead to empty output.

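An added example (not part of the original man page): a shell filter over ip -d link show text that reports settings described under ip link set and MACsec Type Support which weaken isolation or confidentiality, namely PROMISC or ALLMULTI, an attached XDP program, a VF with spoofchk off or trust on, and a MACsec device without encryption, strict validation or replay protection. The sample output is constructed, and the line layout the parser assumes is stated in its comments.

```shell
#!/bin/sh
# Added example, not part of ip-link(8). Reads "ip -d link show" text on
# stdin and prints one finding per risky setting.
# Assumed layout of the ip output (not specified by the man page):
#   header  "N: NAME[@LOWER]: <FLAG,...> mtu M [xdp|xdpgeneric|xdpoffload][/id:N] ..."
#   VF line "vf N ..., spoof checking on|off, ..., trust on|off, ..."
#   MACsec  "macsec ... validate MODE ... encrypt on|off ... replay on|off"

# audit_links: exit status 0 when nothing was reported, 1 otherwise.
audit_links() {
    awk '
    function report(msg) { print dev ": " msg; found++ }

    /^[0-9]+: / {                       # interface header line
        dev = $2
        sub(/:$/, "", dev); sub(/@.*/, "", dev)
        flags = $3; gsub(/[<>]/, "", flags)
        nflags = split(flags, flag, ",")
        for (i = 1; i <= nflags; i++)
            if (flag[i] == "PROMISC" || flag[i] == "ALLMULTI")
                report(flag[i] " flag set")
        for (i = 4; i <= NF; i++) {
            mode = $i; sub(/\/.*/, "", mode)
            if (mode == "xdp" || mode == "xdpgeneric" || mode == "xdpoffload")
                report("XDP program attached (" mode ")")
        }
        next
    }
    $1 == "vf" {                        # SR-IOV VF line, listed under its PF
        if ($0 ~ /spoof checking off/) report("vf " $2 " spoofchk off")
        if ($0 ~ /trust on/)           report("vf " $2 " trust on")
        next
    }
    $1 == "macsec" {                    # MACsec detail line
        for (i = 2; i < NF; i++) {
            if ($i == "encrypt" && $(i + 1) == "off")
                report("macsec encrypt off (authenticity only)")
            if ($i == "validate" && $(i + 1) != "strict")
                report("macsec validate " $(i + 1))
            if ($i == "replay" && $(i + 1) == "off")
                report("macsec replay protection off")
        }
    }
    END { exit (found > 0) }
    '
}

# Constructed sample output (not captured from a real host).
sample_ip_output() {
    cat <<'EOF'
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 xdpgeneric/id:7 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    vf 0     link/ether 52:54:00:00:01:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off, query_rss off
    vf 1     link/ether 52:54:00:00:01:01 brd ff:ff:ff:ff:ff:ff, spoof checking off, link-state auto, trust on, query_rss off
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:00:00:02 brd ff:ff:ff:ff:ff:ff
4: macsec0@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1468 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:00:00:02 brd ff:ff:ff:ff:ff:ff
    macsec sci 5254000000020001 protect on validate check encrypt off send_sci on end_station off scb off replay off
EOF
}

# On a live host:      ip -d link show | audit_links
# On the sample above: sample_ip_output | audit_links
```

On the constructed sample this reports four findings for eth0, none for eth1 and three for macsec0; the non-zero exit status makes it usable as a periodic check.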

   ip link xstats - display extended statistics
       type TYPE
              TYPE specifies the type of devices to display extended
              statistics for.

   ip link afstats - display address-family specific statistics
       dev DEVICE
              DEVICE specifies the device to display address-family
              statistics for.

   ip link help - display help
       TYPE specifies which help of link type to display.

   GROUP
       may be a number or a string from the file /etc/iproute2/group which
       can be manually filled.

EXAMPLES
       ip link show
           Shows the state of all network interfaces on the system.

       ip link show type bridge
           Shows the bridge devices.

       ip link show type vlan
           Shows the vlan devices.

       ip link show master br0
           Shows devices enslaved by br0.

       ip link set dev ppp0 mtu 1400
           Change the MTU of the ppp0 device.

       ip link add link eth0 name eth0.10 type vlan id 10
           Creates a new vlan device eth0.10 on device eth0.

       ip link delete dev eth0.10
           Removes vlan device.

       ip link help gre
           Display help for the gre link type.

       ip link add name tun1 type ipip remote 192.168.1.1 local 192.168.1.2
       ttl 225 encap gue encap-sport auto encap-dport 5555 encap-csum
       encap-remcsum
           Creates an IPIP tunnel that is encapsulated with Generic UDP
           Encapsulation, and the outer UDP checksum and remote checksum
           offload are enabled.

       ip link set dev eth0 xdp obj prog.o
           Attaches an XDP/BPF program to device eth0, where the program is
           located in prog.o, section "prog" (default section). In case an
           XDP/BPF program is already attached, throw an error.

       ip -force link set dev eth0 xdp obj prog.o sec foo
           Attaches an XDP/BPF program to device eth0, where the program is
           located in prog.o, section "foo". In case an XDP/BPF program is
           already attached, it will be overridden by the new one.

       ip -force link set dev eth0 xdp pinned /sys/fs/bpf/foo
           Attaches an XDP/BPF program to device eth0, where the program was
           previously pinned as an object node into BPF file system under
           name foo.

       ip link set dev eth0 xdp off
           If an XDP/BPF program is attached on device eth0, detach it and
           effectively turn off XDP for device eth0.

       ip link add link wpan0 lowpan0 type lowpan
           Creates a 6LoWPAN interface named lowpan0 on the underlying IEEE
           802.15.4 device wpan0.

       ip link add dev ip6erspan11 type ip6erspan seq key 102 local
       fc00:100::2 remote fc00:100::1 erspan_ver 2 erspan_dir ingress
       erspan_hwid 17
           Creates an IP6ERSPAN version 2 interface named ip6erspan11.

SEE ALSO
       ip(8), ip-netns(8), ethtool(8), iptables(8)

AUTHOR
       Original Manpage by Michail Litvak <mci@owl.openwall.com>

iproute2                          13 Dec 2012                       IP-LINK(8)