SYSTEMD.NETDEV(5)              systemd.network              SYSTEMD.NETDEV(5)

systemd.netdev - Virtual Network Device configuration

netdev.netdev

A plain ini-style text file that encodes configuration about a virtual
network device, used by systemd-networkd(8). See systemd.syntax(7) for
a general description of the syntax.

The main Virtual Network Device file must have the extension .netdev;
other extensions are ignored. Virtual network devices are created as
soon as networkd is started. If a netdev with the specified name
already exists, networkd will use that as-is rather than create its
own. Note that the settings of the pre-existing netdev will not be
changed by networkd.

The .netdev files are read from the files located in the system network
directory /usr/lib/systemd/network, the volatile runtime network
directory /run/systemd/network and the local administration network
directory /etc/systemd/network. All configuration files are
collectively sorted and processed in lexical order, regardless of the
directories in which they live. However, files with identical filenames
replace each other. Files in /etc/ have the highest priority, files in
/run/ take precedence over files with the same name in /usr/lib/. This
can be used to override a system-supplied configuration file with a
local file if needed. As a special case, an empty file (file size 0) or
symlink with the same name pointing to /dev/null disables the
configuration file entirely (it is "masked").

Along with the netdev file foo.netdev, a "drop-in" directory
foo.netdev.d/ may exist. All files with the suffix ".conf" from this
directory will be merged in the alphanumeric order and parsed after the
main file itself has been parsed. This is useful to alter or add
configuration settings, without having to modify the main configuration
file. Each drop-in file must have appropriate section headers.

In addition to /etc/systemd/network, drop-in ".d" directories can be
placed in /usr/lib/systemd/network or /run/systemd/network directories.
Drop-in files in /etc/ take precedence over those in /run/ which in
turn take precedence over those in /usr/lib/. Drop-in files under any
of these directories take precedence over the main netdev file wherever
located. (Of course, since /run/ is temporary and /usr/lib/ is for
vendors, it is unlikely drop-ins should be used in either of those
places.)
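
The precedence, masking and drop-in rules above decide which file
actually configures a device, which is what an audit of a host needs to
know first. The following resolver is an added example, not part of
systemd or of the original page; the function names and the constructed
directory tree in demo() are assumptions, and treating a masked file as
having no drop-ins is a simplification.

```python
import os
import tempfile
from pathlib import Path

# Search path in ascending priority, as described above.
NETWORK_DIRS = (
    "/usr/lib/systemd/network",
    "/run/systemd/network",
    "/etc/systemd/network",
)


def is_masked(path: Path) -> bool:
    """An empty file or a symlink to /dev/null disables the configuration file."""
    if path.is_symlink() and os.path.realpath(path) == "/dev/null":
        return True
    return path.is_file() and path.stat().st_size == 0


def resolve_netdevs(dirs=NETWORK_DIRS):
    """Return [(file name, winning path or None if masked, [drop-in paths])]
    in the lexical order in which the files are processed."""
    winners = {}   # file name -> path in the highest-priority directory
    dropins = {}   # file name -> {drop-in name -> path}
    for directory in map(Path, dirs):      # later directories override earlier ones
        if not directory.is_dir():
            continue
        for entry in directory.iterdir():
            if entry.name.endswith(".netdev") and not entry.is_dir():
                winners[entry.name] = entry
            elif entry.name.endswith(".netdev.d") and entry.is_dir():
                base = entry.name[:-2]     # "foo.netdev.d" -> "foo.netdev"
                for conf in entry.glob("*.conf"):
                    dropins.setdefault(base, {})[conf.name] = conf
    result = []
    for name in sorted(winners):
        path = winners[name]
        if is_masked(path):
            result.append((name, None, []))
            continue
        confs = dropins.get(name, {})
        result.append((name, path, [confs[c] for c in sorted(confs)]))
    return result


def demo():
    """Resolve a constructed three-directory tree (sample data, not a real host)."""
    with tempfile.TemporaryDirectory() as root:
        usr, run, etc = (Path(root, p) for p in ("usr", "run", "etc"))
        for d in (usr, run, etc):
            d.mkdir()
        (usr / "10-br0.netdev").write_text("[NetDev]\nName=br0\nKind=bridge\n")
        (etc / "10-br0.netdev").write_text(
            "[NetDev]\nName=br0\nKind=bridge\n[Bridge]\nSTP=yes\n")
        (usr / "20-vx.netdev").write_text("[NetDev]\nName=vx0\nKind=vxlan\n")
        (etc / "20-vx.netdev").symlink_to("/dev/null")      # masks the vendor file
        (run / "30-dummy.netdev").write_text("[NetDev]\nName=d0\nKind=dummy\n")
        for d, mtu in ((usr, 1400), (etc, 1280)):           # same drop-in name twice
            (d / "30-dummy.netdev.d").mkdir()
            (d / "30-dummy.netdev.d" / "50-mtu.conf").write_text(
                f"[NetDev]\nMTUBytes={mtu}\n")

        def rel(p):
            return str(p.relative_to(root))

        return [
            (name, rel(path) if path else "masked", [rel(c) for c in confs])
            for name, path, confs in resolve_netdevs((usr, run, etc))
        ]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Run against the real directories with resolve_netdevs() to see which
file and which drop-ins are in effect for each netdev.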

The following kinds of virtual network devices may be configured in
.netdev files:

Table 1. Supported kinds of virtual network devices

Kind       Description
---------  ------------------------------------------------------------
bond       A bond device is an aggregation of all its slave devices.
           See Linux Ethernet Bonding Driver HOWTO[1] for details.
bridge     A bridge device is a software switch, and each of its slave
           devices and the bridge itself are ports of the switch.
dummy      A dummy device drops all packets sent to it.
gre        A Level 3 GRE tunnel over IPv4. See RFC 2784[2] for details.
gretap     A Level 2 GRE tunnel over IPv4.
erspan     ERSPAN mirrors traffic on one or more source ports and
           delivers the mirrored traffic to one or more destination
           ports on another switch. The traffic is encapsulated in
           generic routing encapsulation (GRE) and is therefore
           routable across a layer 3 network between the source switch
           and the destination switch.
ip6gre     A Level 3 GRE tunnel over IPv6.
ip6tnl     An IPv4 or IPv6 tunnel over IPv6
ip6gretap  A Level 2 GRE tunnel over IPv6.
ipip       An IPv4 over IPv4 tunnel.
ipvlan     An IPVLAN device is a stacked device which receives packets
           from its underlying device based on IP address filtering.
ipvtap     An IPVTAP device is a stacked device which receives packets
           from its underlying device based on IP address filtering and
           can be accessed using the tap user space interface.
macvlan    A macvlan device is a stacked device which receives packets
           from its underlying device based on MAC address filtering.
macvtap    A macvtap device is a stacked device which receives packets
           from its underlying device based on MAC address filtering.
sit        An IPv6 over IPv4 tunnel.
tap        A persistent Level 2 tunnel between a network device and a
           device node.
tun        A persistent Level 3 tunnel between a network device and a
           device node.
veth       An Ethernet tunnel between a pair of network devices.
vlan       A VLAN is a stacked device which receives packets from its
           underlying device based on VLAN tagging. See IEEE 802.1Q[3]
           for details.
vti        An IPv4 over IPSec tunnel.
vti6       An IPv6 over IPSec tunnel.
vxlan      A virtual extensible LAN (vxlan), for connecting Cloud
           computing deployments.
geneve     A GEneric NEtwork Virtualization Encapsulation (GENEVE)
           netdev driver.
l2tp       A Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol
           used to support virtual private networks (VPNs) or as part
           of the delivery of services by ISPs. It does not provide any
           encryption or confidentiality by itself
macsec     Media Access Control Security (MACsec) is an 802.1AE IEEE
           industry-standard security technology that provides secure
           communication for all traffic on Ethernet links. MACsec
           provides point-to-point security on Ethernet links between
           directly connected nodes and is capable of identifying and
           preventing most security threats.
vrf        A Virtual Routing and Forwarding (VRF[4]) interface to
           create separate routing and forwarding domains.
vcan       The virtual CAN driver (vcan). Similar to the network
           loopback devices, vcan offers a virtual local CAN interface.
vxcan      The virtual CAN tunnel driver (vxcan). Similar to the
           virtual ethernet driver veth, vxcan implements a local CAN
           traffic tunnel between two virtual CAN network devices. When
           creating a vxcan, two vxcan devices are created as pair.
           When one end receives the packet it appears on its pair and
           vice versa. The vxcan can be used for cross namespace
           communication.
wireguard  WireGuard Secure Network Tunnel.
nlmon      A Netlink monitor device. Use an nlmon device when you want
           to monitor system Netlink messages.
fou        Foo-over-UDP tunneling.
xfrm       A virtual tunnel interface like vti/vti6 but with several
           advantages.
ifb        The Intermediate Functional Block (ifb) pseudo network
           interface acts as a QoS concentrator for multiple different
           sources of traffic.
bareudp    Bare UDP tunnels provide a generic L3 encapsulation support
           for tunnelling different L3 protocols like MPLS, IP etc.
           inside of an UDP tunnel.
batadv     B.A.T.M.A.N. Advanced[5] is a routing protocol for multi-hop
           mobile ad-hoc networks which operates on layer 2.

A virtual network device is only created if the [Match] section matches
the current environment, or if the section is empty. The following keys
are accepted:

Host=
    Matches against the hostname or machine ID of the host. See
    "ConditionHost=" in systemd.unit(5) for details. When prefixed with
    an exclamation mark ("!"), the result is negated. If an empty
    string is assigned, the previously assigned value is cleared.

Virtualization=
    Checks whether the system is executed in a virtualized environment
    and optionally tests whether it is a specific implementation. See
    "ConditionVirtualization=" in systemd.unit(5) for details. When
    prefixed with an exclamation mark ("!"), the result is negated. If
    an empty string is assigned, the previously assigned value is
    cleared.

KernelCommandLine=
    Checks whether a specific kernel command line option is set. See
    "ConditionKernelCommandLine=" in systemd.unit(5) for details. When
    prefixed with an exclamation mark ("!"), the result is negated. If
    an empty string is assigned, the previously assigned value is
    cleared.

KernelVersion=
    Checks whether the kernel version (as reported by uname -r) matches
    a certain expression. See "ConditionKernelVersion=" in
    systemd.unit(5) for details. When prefixed with an exclamation mark
    ("!"), the result is negated. If an empty string is assigned, the
    previously assigned value is cleared.

Architecture=
    Checks whether the system is running on a specific architecture.
    See "ConditionArchitecture=" in systemd.unit(5) for details. When
    prefixed with an exclamation mark ("!"), the result is negated. If
    an empty string is assigned, the previously assigned value is
    cleared.

Firmware=
    Checks whether the system is running on a machine with the
    specified firmware. See "ConditionFirmware=" in systemd.unit(5) for
    details. When prefixed with an exclamation mark ("!"), the result
    is negated. If an empty string is assigned, the previously
    assigned value is cleared.

The [NetDev] section accepts the following keys:

Description=
    A free-form description of the netdev.

Name=
    The interface name used when creating the netdev. This setting is
    compulsory.

Kind=
    The netdev kind. This setting is compulsory. See the "Supported
    netdev kinds" section for the valid keys.

MTUBytes=
    The maximum transmission unit in bytes to set for the device. The
    usual suffixes K, M, G are supported and are understood to the base
    of 1024. For "tun" or "tap" devices, the MTUBytes= setting is not
    currently supported in the [NetDev] section. Please specify it in
    the [Link] section of the corresponding systemd.network(5) files.

MACAddress=
    The MAC address to use for the device. For "tun" or "tap" devices,
    setting MACAddress= in the [NetDev] section is not supported.
    Please specify it in the [Link] section of the corresponding
    systemd.network(5) file. If this option is not set, "vlan" devices
    inherit the MAC address of the physical interface. For other kinds
    of netdevs, if this option is not set, the MAC address is
    generated based on the interface name and the machine-id(5).

The [Bridge] section only applies for netdevs of kind "bridge", and
accepts the following keys:

HelloTimeSec=
    HelloTimeSec specifies the number of seconds between two hello
    packets sent out by the root bridge and the designated bridges.
    Hello packets are used to communicate information about the
    topology throughout the entire bridged local area network.

MaxAgeSec=
    MaxAgeSec specifies the number of seconds of maximum message age.
    If the last seen (received) hello packet is more than this number
    of seconds old, the bridge in question will start the takeover
    procedure in an attempt to become the Root Bridge itself.

ForwardDelaySec=
    ForwardDelaySec specifies the number of seconds spent in each of
    the Listening and Learning states before the Forwarding state is
    entered.

AgeingTimeSec=
    This specifies the number of seconds a MAC Address will be kept in
    the forwarding database after having a packet received from this
    MAC Address.

Priority=
    The priority of the bridge. An integer between 0 and 65535. A lower
    value means higher priority. The bridge having the lowest priority
    will be elected as root bridge.

GroupForwardMask=
    A 16-bit bitmask represented as an integer which allows forwarding
    of link local frames with 802.1D reserved addresses
    (01:80:C2:00:00:0X). A logical AND is performed between the
    specified bitmask and the exponentiation of 2^X, where X is the
    lower nibble of the last octet of the MAC address. For example, a
    value of 8 would allow forwarding of frames addressed to
    01:80:C2:00:00:03 (802.1X PAE).
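
The mask test described for GroupForwardMask= is easier to review when
a configured value is decoded back into the addresses it lets through.
This is an added example, not code from systemd or the kernel; the
function names are assumptions, and the protocol labels for the
reserved addresses are added from IEEE 802.1D/802.3 usage rather than
from this page.

```python
import re

# Common uses of some 802.1D reserved addresses, keyed by the last nibble X.
# (Labels added for this example; only 802.1X PAE is named on this page.)
KNOWN_USES = {
    0x0: "STP BPDU",
    0x1: "802.3x MAC PAUSE",
    0x2: "slow protocols (LACP)",
    0x3: "802.1X PAE",
    0xE: "LLDP",
}

RESERVED = re.compile(r"01:80:c2:00:00:0([0-9a-f])")


def forwarded_addresses(mask: int):
    """List the reserved addresses a GroupForwardMask= value allows through."""
    if not 0 <= mask <= 0xFFFF:
        raise ValueError("GroupForwardMask= is a 16-bit bitmask")
    return [
        (f"01:80:C2:00:00:0{x:X}", KNOWN_USES.get(x, ""))
        for x in range(16)
        if mask & (1 << x)          # the AND with 2^X from the description
    ]


def is_forwarded(mask: int, dst_mac: str):
    """True/False for a reserved destination address, None for any other address."""
    match = RESERVED.fullmatch(dst_mac.lower().replace("-", ":"))
    if match is None:
        return None                 # not in 01:80:C2:00:00:0X, the mask does not apply
    return bool(mask & (1 << int(match.group(1), 16)))


if __name__ == "__main__":
    for value in (8, 0x4008):       # constructed sample values
        print(value, forwarded_addresses(value))
```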

DefaultPVID=
    This specifies the default port VLAN ID of a newly attached bridge
    port. Set this to an integer in the range 1...4094 or "none" to
    disable the PVID.

MulticastQuerier=
    Takes a boolean. This setting controls the IFLA_BR_MCAST_QUERIER
    option in the kernel. If enabled, the kernel will send general ICMP
    queries from a zero source address. This feature should allow
    faster convergence on startup, but it causes some multicast-aware
    switches to misbehave and disrupt forwarding of multicast packets.
    When unset, the kernel's default will be used.

MulticastSnooping=
    Takes a boolean. This setting controls the IFLA_BR_MCAST_SNOOPING
    option in the kernel. If enabled, IGMP snooping monitors the
    Internet Group Management Protocol (IGMP) traffic between hosts and
    multicast routers. When unset, the kernel's default will be used.

VLANFiltering=
    Takes a boolean. This setting controls the IFLA_BR_VLAN_FILTERING
    option in the kernel. If enabled, the bridge will be started in
    VLAN-filtering mode. When unset, the kernel's default will be used.

VLANProtocol=
    Allows setting the protocol used for VLAN filtering. Takes "802.1q"
    or "802.1ad". Defaults to unset, in which case the kernel's default
    is used.

STP=
    Takes a boolean. This enables the bridge's Spanning Tree Protocol
    (STP). When unset, the kernel's default will be used.

MulticastIGMPVersion=
    Allows changing the bridge's multicast Internet Group Management
    Protocol (IGMP) version. Takes an integer 2 or 3. When unset, the
    kernel's default will be used.

The [VLAN] section only applies for netdevs of kind "vlan", and accepts
the following keys:

Id=
    The VLAN ID to use. An integer in the range 0...4094. This setting
    is compulsory.

Protocol=
    Allows setting the protocol used for the VLAN interface. Takes
    "802.1q" or "802.1ad". Defaults to unset, in which case the
    kernel's default is used.

GVRP=
    Takes a boolean. The Generic VLAN Registration Protocol (GVRP) is a
    protocol that allows automatic learning of VLANs on a network. When
    unset, the kernel's default will be used.

MVRP=
    Takes a boolean. Multiple VLAN Registration Protocol (MVRP),
    formerly known as GARP VLAN Registration Protocol (GVRP), is a
    standards-based Layer 2 network protocol for automatic
    configuration of VLAN information on switches. It was defined in
    the 802.1ak amendment to 802.1Q-2005. When unset, the kernel's
    default will be used.

LooseBinding=
    Takes a boolean. The VLAN loose binding mode, in which only the
    operational state is passed from the parent to the associated
    VLANs, but the VLAN device state is not changed. When unset, the
    kernel's default will be used.

ReorderHeader=
    Takes a boolean. When enabled, the VLAN reorder header is used and
    VLAN interfaces behave like physical interfaces. When unset, the
    kernel's default will be used.

EgressQOSMaps=
    Defines a mapping of Linux internal packet priority (SO_PRIORITY)
    to VLAN header PCP field for outgoing frames. Takes a
    whitespace-separated list of unsigned integer pairs in the format
    "from"-"to", e.g., "21-7 45-5", in the range 1–4294967294. Note
    that "from" must be greater than or equal to "to". When unset, the
    kernel's default will be used.

IngressQOSMaps=
    Defines a mapping of Linux internal packet priority (SO_PRIORITY)
    to VLAN header PCP field for incoming frames. Takes a
    whitespace-separated list of unsigned integer pairs in the format
    "from"-"to", e.g., "21-7 45-5", in the range 1–4294967294. Note
    that "from" must be greater than or equal to "to". When unset, the
    kernel's default will be used.

The [MACVLAN] section only applies for netdevs of kind "macvlan", and
accepts the following keys:

Mode=
    The MACVLAN mode to use. The supported options are "private",
    "vepa", "bridge", "passthru", and "source".

SourceMACAddress=
    A whitespace-separated list of remote hardware addresses allowed on
    the MACVLAN. This option only has an effect in source mode. Use
    full colon-, hyphen- or dot-delimited hexadecimal. This option may
    appear more than once, in which case the lists are merged. If the
    empty string is assigned to this option, the list of hardware
    addresses defined prior to this is reset. Defaults to unset.

BroadcastMulticastQueueLength=
    Specifies the length of the receive queue for broadcast/multicast
    packets. An unsigned integer in the range 0...4294967294. Defaults
    to unset.

The [MACVTAP] section applies for netdevs of kind "macvtap" and accepts
the same keys as [MACVLAN].

The [IPVLAN] section only applies for netdevs of kind "ipvlan", and
accepts the following keys:

Mode=
    The IPVLAN mode to use. The supported options are "L2", "L3" and
    "L3S".

Flags=
    The IPVLAN flags to use. The supported options are "bridge",
    "private" and "vepa".

The [IPVTAP] section only applies for netdevs of kind "ipvtap" and
accepts the same keys as [IPVLAN].

The [VXLAN] section only applies for netdevs of kind "vxlan", and
accepts the following keys:

VNI=
    The VXLAN Network Identifier (or VXLAN Segment ID). Takes a number
    in the range 1...16777215.

Remote=
    Configures the destination IP address.

Local=
    Configures the local IP address.

Group=
    Configures the VXLAN multicast group IP address. All members of a
    VXLAN must use the same multicast group address.

TOS=
    The Type Of Service byte value for a vxlan interface.

TTL=
    A fixed Time To Live N on Virtual eXtensible Local Area Network
    packets. Takes "inherit" or a number in the range 0...255. 0 is a
    special value meaning inherit the inner protocol's TTL value.
    "inherit" means that it will inherit the outer protocol's TTL
    value.

MacLearning=
    Takes a boolean. When true, enables dynamic MAC learning to
    discover remote MAC addresses.

FDBAgeingSec=
    The lifetime of a Forwarding Database entry learnt by the kernel,
    in seconds.

MaximumFDBEntries=
    Configures the maximum number of FDB entries.

ReduceARPProxy=
    Takes a boolean. When true, a bridge-connected VXLAN tunnel
    endpoint answers ARP requests from the local bridge on behalf of
    remote Distributed Overlay Virtual Ethernet (DVOE)[6] clients.
    Defaults to false.

L2MissNotification=
    Takes a boolean. When true, enables netlink LLADDR miss
    notifications.

L3MissNotification=
    Takes a boolean. When true, enables netlink IP address miss
    notifications.

RouteShortCircuit=
    Takes a boolean. When true, route short circuiting is turned on.

UDPChecksum=
    Takes a boolean. When true, transmitting UDP checksums when doing
    VXLAN/IPv4 is turned on.

UDP6ZeroChecksumTx=
    Takes a boolean. When true, sending zero checksums in VXLAN/IPv6 is
    turned on.

UDP6ZeroChecksumRx=
    Takes a boolean. When true, receiving zero checksums in VXLAN/IPv6
    is turned on.

RemoteChecksumTx=
    Takes a boolean. When true, remote transmit checksum offload of
    VXLAN is turned on.

RemoteChecksumRx=
    Takes a boolean. When true, remote receive checksum offload in
    VXLAN is turned on.

GroupPolicyExtension=
    Takes a boolean. When true, it enables Group Policy VXLAN extension
    security label mechanism across network peers based on VXLAN. For
    details about the Group Policy VXLAN, see the VXLAN Group Policy[7]
    document. Defaults to false.

GenericProtocolExtension=
    Takes a boolean. When true, Generic Protocol Extension extends the
    existing VXLAN protocol to provide protocol typing, OAM, and
    versioning capabilities. For details about the VXLAN GPE Header,
    see the Generic Protocol Extension for VXLAN[8] document. If the
    destination port is not specified and Generic Protocol Extension is
    set, then the default port of 4790 is used. Defaults to false.

DestinationPort=
    Configures the default destination UDP port. If the destination
    port is not specified, then the Linux kernel default will be used.
    Set to 4789 to get the IANA assigned value.

PortRange=
    Configures the source port range for the VXLAN. The kernel assigns
    the source UDP port based on the flow to help the receiver to do
    load balancing. When this option is not set, the normal range of
    local UDP ports is used.

FlowLabel=
    Specifies the flow label to use in outgoing packets. The valid
    range is 0-1048575.

IPDoNotFragment=
    Allows setting the IPv4 Do not Fragment (DF) bit in outgoing
    packets, or to inherit its value from the IPv4 inner header. Takes
    a boolean value, or "inherit". Set to "inherit" if the encapsulated
    protocol is IPv6. When unset, the kernel's default will be used.

The [GENEVE] section only applies for netdevs of kind "geneve", and
accepts the following keys:

Id=
    Specifies the Virtual Network Identifier (VNI) to use, a number
    between 0 and 16777215. This field is mandatory.

Remote=
    Specifies the unicast destination IP address to use in outgoing
    packets.

TOS=
    Specifies the TOS value to use in outgoing packets. Takes a number
    between 1 and 255.

TTL=
    Accepts the same values as in the [VXLAN] section, except that when
    unset or set to 0, the kernel's default will be used, meaning that
    packet TTL will be set from /proc/sys/net/ipv4/ip_default_ttl.

UDPChecksum=
    Takes a boolean. When true, specifies that UDP checksum is
    calculated for transmitted packets over IPv4.

UDP6ZeroChecksumTx=
    Takes a boolean. When true, skip UDP checksum calculation for
    transmitted packets over IPv6.

UDP6ZeroChecksumRx=
    Takes a boolean. When true, allows incoming UDP packets over IPv6
    with zero checksum field.

DestinationPort=
    Specifies destination port. Defaults to 6081. If not set or
    assigned the empty string, the default port of 6081 is used.

FlowLabel=
    Specifies the flow label to use in outgoing packets.

IPDoNotFragment=
    Accepts the same key as in the [VXLAN] section.

Independent=
    Takes a boolean. When true, the vxlan interface is created without
    any underlying network interface. Defaults to false, which means
    that a .network file that requests this tunnel using Tunnel= is
    required for the tunnel to be created.

The [BareUDP] section only applies for netdevs of kind "bareudp", and
accepts the following keys:

DestinationPort=
    Specifies the destination UDP port (in range 1...65535). This is
    mandatory.

EtherType=
    Specifies the L3 protocol. Takes one of "ipv4", "ipv6", "mpls-uc"
    or "mpls-mc". This is mandatory.

The [L2TP] section only applies for netdevs of kind "l2tp", and accepts
the following keys:

TunnelId=
    Specifies the tunnel identifier. Takes a number in the range
    1...4294967295. The value used must match the "PeerTunnelId=" value
    being used at the peer. This setting is compulsory.

PeerTunnelId=
    Specifies the peer tunnel id. Takes a number in the range
    1...4294967295. The value used must match the "TunnelId=" value
    being used at the peer. This setting is compulsory.

Remote=
    Specifies the IP address of the remote peer. This setting is
    compulsory.

Local=
    Specifies the IP address of the local interface. Takes an IP
    address, or the special values "auto", "static", or "dynamic". When
    an address is set, then the local interface must have the address.
    If "auto", then one of the addresses on the local interface is
    used. Similarly, if "static" or "dynamic" is set, then one of the
    static or dynamic addresses on the local interface is used.
    Defaults to "auto".

EncapsulationType=
    Specifies the encapsulation type of the tunnel. Takes one of "udp"
    or "ip".

UDPSourcePort=
    Specifies the UDP source port to be used for the tunnel. When UDP
    encapsulation is selected it's mandatory. Ignored when IP
    encapsulation is selected.

UDPDestinationPort=
    Specifies destination port. When UDP encapsulation is selected it's
    mandatory. Ignored when IP encapsulation is selected.

UDPChecksum=
    Takes a boolean. When true, specifies that UDP checksum is
    calculated for transmitted packets over IPv4.

UDP6ZeroChecksumTx=
    Takes a boolean. When true, skip UDP checksum calculation for
    transmitted packets over IPv6.

UDP6ZeroChecksumRx=
    Takes a boolean. When true, allows incoming UDP packets over IPv6
    with zero checksum field.

The [L2TPSession] section only applies for netdevs of kind "l2tp", and
accepts the following keys:

Name=
    Specifies the name of the session. This setting is compulsory.

SessionId=
    Specifies the session identifier. Takes a number in the range
    1...4294967295. The value used must match the "SessionId=" value
    being used at the peer. This setting is compulsory.

PeerSessionId=
    Specifies the peer session identifier. Takes a number in the range
    1...4294967295. The value used must match the "PeerSessionId="
    value being used at the peer. This setting is compulsory.

Layer2SpecificHeader=
    Specifies layer2specific header type of the session. One of "none"
    or "default". Defaults to "default".

The [MACsec] section only applies for network devices of kind "macsec",
and accepts the following keys:

Port=
    Specifies the port to be used for the MACsec transmit channel. The
    port is used to make the secure channel identifier (SCI). Takes a
    value between 1 and 65535. Defaults to unset.

Encrypt=
    Takes a boolean. When true, enable encryption. Defaults to unset.

The [MACsecReceiveChannel] section only applies for network devices of
kind "macsec", and accepts the following keys:

Port=
    Specifies the port to be used for the MACsec receive channel. The
    port is used to make the secure channel identifier (SCI). Takes a
    value between 1 and 65535. This option is compulsory, and is not
    set by default.

MACAddress=
    Specifies the MAC address to be used for the MACsec receive
    channel. The MAC address is used to make the secure channel
    identifier (SCI). This setting is compulsory, and is not set by
    default.

The [MACsecTransmitAssociation] section only applies for network
devices of kind "macsec", and accepts the following keys:

PacketNumber=
    Specifies the packet number to be used for replay protection and
    the construction of the initialization vector (along with the
    secure channel identifier [SCI]). Takes a value between
    1-4,294,967,295. Defaults to unset.

KeyId=
    Specifies the identification for the key. Takes a number between
    0-255. This option is compulsory, and is not set by default.

Key=
    Specifies the encryption key used in the transmission channel. The
    same key must be configured on the peer's matching receive channel.
    This setting is compulsory, and is not set by default. Takes a
    128-bit key encoded in a hexadecimal string, for example
    "dffafc8d7b9a43d5b9a3dfbbf6a30c16".

KeyFile=
    Takes an absolute path to a file which contains a 128-bit key
    encoded in a hexadecimal string, which will be used in the
    transmission channel. When this option is specified, Key= is
    ignored. Note that the file must be readable by the user
    "systemd-network", so it should be, e.g., owned by
    "root:systemd-network" with a "0640" file mode. If the path refers
    to an AF_UNIX stream socket in the file system a connection is made
    to it and the key read from it.

Activate=
    Takes a boolean. If enabled, then the security association is
    activated. Defaults to unset.

UseForEncoding=
    Takes a boolean. If enabled, then the security association is used
    for encoding. Only one [MACsecTransmitAssociation] section can
    enable this option. When enabled, Activate=yes is implied. Defaults
    to unset.
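
Key= places the MACsec secret inside the .netdev file itself, while
KeyFile= moves it to a file whose mode can be restricted as described
above. The following audit is an added example, not part of systemd or
of the original page; the finding names, the helper functions and the
constructed files in demo() are assumptions, and only file modes are
checked, not the "root:systemd-network" ownership.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

KEY_SECTIONS = {"MACsecTransmitAssociation", "MACsecReceiveAssociation"}
HEX128 = re.compile(r"[0-9a-fA-F]{32}")     # 128-bit key as a hexadecimal string
TRUE = {"1", "yes", "true", "on"}


def parse_sections(text):
    """Parse ini text into [(section, {key: value})]; repeated sections stay separate."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = value.strip()
    return sections


def check_key_file(key_file):
    """Findings for one KeyFile= value."""
    if not os.path.isabs(key_file):
        return {"keyfile-not-absolute"}
    try:
        st = os.stat(key_file)
    except FileNotFoundError:
        return {"keyfile-missing"}
    if stat.S_ISSOCK(st.st_mode):
        return set()                        # AF_UNIX socket: key is read over a connection
    if stat.S_IMODE(st.st_mode) & ~0o640:
        return {"keyfile-mode-wider-than-0640"}
    return set()


def audit_macsec_keys(netdev_path):
    """Return a sorted list of findings about key handling in one .netdev file."""
    path = Path(netdev_path)
    findings = set()
    world_readable = bool(path.stat().st_mode & stat.S_IROTH)
    encoders = 0
    for name, keys in parse_sections(path.read_text()):
        if name not in KEY_SECTIONS:
            continue
        if (name == "MACsecTransmitAssociation"
                and keys.get("UseForEncoding", "").lower() in TRUE):
            encoders += 1
        key, key_file = keys.get("Key"), keys.get("KeyFile")
        if key is None and key_file is None:
            findings.add("no-key")          # one of the two is required
        if key is not None:
            if not HEX128.fullmatch(key):
                findings.add("key-not-128-bit-hex")
            findings.add("inline-key-world-readable" if world_readable else "inline-key")
            if key_file:
                findings.add("inline-key-ignored")   # KeyFile= wins, stale secret stays on disk
        if key_file:
            findings |= check_key_file(key_file)
    if encoders > 1:
        findings.add("multiple-use-for-encoding")
    return sorted(findings)


def demo():
    """Audit a weak and a corrected configuration (constructed sample files)."""
    with tempfile.TemporaryDirectory() as tmp:
        def write(name, text, mode):
            p = Path(tmp, name)
            p.write_text(text)
            os.chmod(p, mode)
            return p

        sample_key = "00112233445566778899aabbccddeeff\n"   # constructed value
        loose = write("tx-loose.key", sample_key, 0o644)
        tight = write("tx-tight.key", sample_key, 0o640)
        head = "[NetDev]\nName=macsec0\nKind=macsec\n[MACsec]\nEncrypt=yes\n"
        weak = write("weak.netdev", head +
                     "[MACsecTransmitAssociation]\nKeyId=1\n"
                     "Key=dffafc8d7b9a43d5b9a3dfbbf6a30c16\nUseForEncoding=yes\n"
                     f"[MACsecTransmitAssociation]\nKeyId=2\nKeyFile={loose}\n"
                     "UseForEncoding=yes\n", 0o644)
        fixed = write("fixed.netdev", head +
                      f"[MACsecTransmitAssociation]\nKeyId=1\nKeyFile={tight}\n"
                      "UseForEncoding=yes\n", 0o644)
        return audit_macsec_keys(weak), audit_macsec_keys(fixed)


if __name__ == "__main__":
    print(demo())
```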

The [MACsecReceiveAssociation] section only applies for network devices
of kind "macsec", and accepts the following keys:

Port=
    Accepts the same key as in the [MACsecReceiveChannel] section.

MACAddress=
    Accepts the same key as in the [MACsecReceiveChannel] section.

PacketNumber=
    Accepts the same key as in the [MACsecTransmitAssociation] section.

KeyId=
    Accepts the same key as in the [MACsecTransmitAssociation] section.

Key=
    Accepts the same key as in the [MACsecTransmitAssociation] section.

KeyFile=
    Accepts the same key as in the [MACsecTransmitAssociation] section.

Activate=
    Accepts the same key as in the [MACsecTransmitAssociation] section.

The [Tunnel] section only applies for netdevs of kind "ipip", "sit",
"gre", "gretap", "ip6gre", "ip6gretap", "vti", "vti6", "ip6tnl", and
"erspan" and accepts the following keys:

Local=
    A static local address for tunneled packets. It must be an address
    on another interface of this host, or the special value "any".

Remote=
    The remote endpoint of the tunnel. Takes an IP address or the
    special value "any".

TOS=
    The Type Of Service byte value for a tunnel interface. For details
    about the TOS, see the Type of Service in the Internet Protocol
    Suite[9] document.

TTL=
    A fixed Time To Live N on tunneled packets. N is a number in the
    range 1...255. 0 is a special value meaning that packets inherit
    the TTL value. The default value for IPv4 tunnels is 0 (inherit).
    The default value for IPv6 tunnels is 64.

DiscoverPathMTU=
    Takes a boolean. When true, enables Path MTU Discovery on the
    tunnel.

IPv6FlowLabel=
    Configures the 20-bit flow label (see RFC 6437[10]) field in the
    IPv6 header (see RFC 2460[11]), which is used by a node to label
    packets of a flow. It is only used for IPv6 tunnels. A flow label
    of zero is used to indicate packets that have not been labeled. It
    can be configured to a value in the range 0...0xFFFFF, or be set to
    "inherit", in which case the original flowlabel is used.

CopyDSCP=
    Takes a boolean. When true, the Differentiated Service Code Point
    (DSCP) field will be copied to the inner header from the outer
    header during the decapsulation of an IPv6 tunnel packet. DSCP is a
    field in an IP packet that enables different levels of service to
    be assigned to network traffic. Defaults to "no".

EncapsulationLimit=
    The Tunnel Encapsulation Limit option specifies how many additional
    levels of encapsulation are permitted to be prepended to the
    packet. For example, a Tunnel Encapsulation Limit option containing
    a limit value of zero means that a packet carrying that option may
    not enter another tunnel before exiting the current tunnel (see
    RFC 2473[12]). The valid range is 0–255 and "none". Defaults to 4.

Key=
    The Key= parameter specifies the same key to use in both directions
    (InputKey= and OutputKey=). The Key= is either a number or an IPv4
    address-like dotted quad. It is used as a mark-configured SAD/SPD
    entry as part of the lookup key (both in data and control path) in
    IP XFRM (the framework used to implement the IPsec protocol). See
    ip-xfrm — transform configuration[13] for details. It is only used
    for VTI/VTI6, GRE, GRETAP, and ERSPAN tunnels.

InputKey=
    The InputKey= parameter specifies the key to use for input. The
    format is the same as Key=. It is only used for VTI/VTI6, GRE,
    GRETAP, and ERSPAN tunnels.

OutputKey=
    The OutputKey= parameter specifies the key to use for output. The
    format is the same as Key=. It is only used for VTI/VTI6, GRE,
    GRETAP, and ERSPAN tunnels.

Mode=
    An "ip6tnl" tunnel can be in one of three modes: "ip6ip6" for IPv6
    over IPv6, "ipip6" for IPv4 over IPv6, or "any" for either.

Independent=
    Takes a boolean. When false (the default), the tunnel is always
    created over some network device, and a .network file that requests
    this tunnel using Tunnel= is required for the tunnel to be created.
    When true, the tunnel is created independently of any network as
    "tunnel@NONE".

AssignToLoopback=
    Takes a boolean. If set to "yes", the loopback interface "lo" is
    used as the underlying device of the tunnel interface. Defaults to
    "no".

AllowLocalRemote=
    Takes a boolean. When true, allows tunnel traffic on ip6tnl devices
    where the remote endpoint is a local host address. When unset, the
    kernel's default will be used.

FooOverUDP=
    Takes a boolean. Specifies whether a FooOverUDP tunnel is to be
    configured. Defaults to false. This takes effect only for IPIP,
    SIT, GRE, and GRETAP tunnels. For more detailed information, see
    Foo over UDP[14].

FOUDestinationPort=
    This setting specifies the UDP destination port for encapsulation.
    This field is mandatory when FooOverUDP=yes, and is not set by
    default.

FOUSourcePort=
    This setting specifies the UDP source port for encapsulation.
    Defaults to 0 — that is, the source port for packets is left to the
    network stack to decide.

Encapsulation=
    Accepts the same key as in the [FooOverUDP] section.

IPv6RapidDeploymentPrefix=
    Reconfigure the tunnel for IPv6 Rapid Deployment[15], also known as
    6rd. The value is an ISP-specific IPv6 prefix with a non-zero
    length. Only applicable to SIT tunnels.

ISATAP=
    Takes a boolean. If set, configures the tunnel as Intra-Site
    Automatic Tunnel Addressing Protocol (ISATAP) tunnel. Only
    applicable to SIT tunnels. When unset, the kernel's default will be
    used.

SerializeTunneledPackets=
    Takes a boolean. If set to yes, then packets are serialized. Only
    applies for GRE, GRETAP, and ERSPAN tunnels. When unset, the
    kernel's default will be used.

ERSPANIndex=
    Specifies the ERSPAN index field for the interface, an integer in
    the range 1...1048575 associated with the ERSPAN traffic's source
    port and direction. This field is mandatory.

The [FooOverUDP] section only applies for netdevs of kind "fou" and
accepts the following keys:

Encapsulation=
    Specifies the encapsulation mechanism used to store networking
    packets of various protocols inside the UDP packets. Supports the
    following values: "FooOverUDP" provides the simplest no-frills
    model of UDP encapsulation; it simply encapsulates packets directly
    in the UDP payload. "GenericUDPEncapsulation" is a generic and
    extensible encapsulation; it allows encapsulation of packets for
    any IP protocol and optional data as part of the encapsulation. For
    more detailed information see Generic UDP Encapsulation[16].
    Defaults to "FooOverUDP".

Port=
    Specifies the port number where the encapsulated packets will
    arrive. Those packets will be removed and manually fed back into
    the network stack with the encapsulation removed to be sent to the
    real destination. This option is mandatory.

PeerPort=
    Specifies the peer port number. Defaults to unset. Note that when
    the peer port is set, the "Peer=" address is mandatory.

Protocol=
    The Protocol= setting specifies the protocol number of the packets
    arriving at the UDP port. When Encapsulation=FooOverUDP, this field
    is mandatory and is not set by default. Takes an IP protocol name
    such as "gre" or "ipip", or an integer within the range 1...255.
    When Encapsulation=GenericUDPEncapsulation, this must not be
    specified.

Peer=
    Configures the peer IP address. Note that when the peer address is
    set, "PeerPort=" is mandatory.

Local=
    Configures local IP address.
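
The cross-field rules stated for [FooOverUDP] and for FooOverUDP= in [Tunnel] can be checked before a file is deployed. The validator below is an added example, not systemd-networkd's own parser; the function name check_fou and the BROKEN sample are constructed here, while EXAMPLE_4 and EXAMPLE_5 repeat Examples 4 and 5 of this page.

```python
import configparser

TRUE = {"1", "yes", "true", "on"}            # boolean spellings per systemd.syntax(7)
FOU_TUNNEL_KINDS = {"ipip", "sit", "gre", "gretap"}


def check_fou(text):
    """Return the FOU rules from this page that one .netdev file violates."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                     # keep key case: Port, not port
    cp.read_string(text)
    errors = []
    kind = cp.get("NetDev", "Kind", fallback="")

    if cp.has_section("FooOverUDP"):
        fou = cp["FooOverUDP"]
        if kind != "fou":
            errors.append(f"[FooOverUDP] only applies to Kind=fou, not Kind={kind}")
        if "Port" not in fou:
            errors.append("[FooOverUDP] Port= is mandatory")
        encap = fou.get("Encapsulation", "FooOverUDP")   # documented default
        proto = fou.get("Protocol")
        if encap == "FooOverUDP" and proto is None:
            errors.append("Protocol= is mandatory with Encapsulation=FooOverUDP")
        if encap == "GenericUDPEncapsulation" and proto is not None:
            errors.append("Protocol= must not be set with "
                          "Encapsulation=GenericUDPEncapsulation")
        # Names such as "gre" are accepted as-is; only integers are range-checked.
        if proto is not None and proto.isdigit() and not 1 <= int(proto) <= 255:
            errors.append(f"Protocol={proto} is outside 1...255")
        if ("Peer" in fou) != ("PeerPort" in fou):
            errors.append("Peer= and PeerPort= must be set together")

    if cp.has_section("Tunnel"):
        tun = cp["Tunnel"]
        if tun.get("FooOverUDP", "no").lower() in TRUE:
            if kind not in FOU_TUNNEL_KINDS:
                errors.append(f"FooOverUDP= has no effect for Kind={kind}")
            if "FOUDestinationPort" not in tun:
                errors.append("FOUDestinationPort= is mandatory when FooOverUDP=yes")
    return errors


EXAMPLE_4 = """[NetDev]
Name=fou-tun
Kind=fou

[FooOverUDP]
Port=5555
Protocol=4
"""

EXAMPLE_5 = """[NetDev]
Name=ipip-tun
Kind=ipip

[Tunnel]
Independent=yes
Local=10.65.208.212
Remote=10.65.208.211
FooOverUDP=yes
FOUDestinationPort=5555
"""

# Constructed sample: no Port=, Protocol= combined with GUE, PeerPort= without Peer=.
BROKEN = """[NetDev]
Name=fou-bad
Kind=fou

[FooOverUDP]
Encapsulation=GenericUDPEncapsulation
Protocol=gre
PeerPort=6000
"""

if __name__ == "__main__":
    for name, sample in (("Example 4", EXAMPLE_4), ("Example 5", EXAMPLE_5),
                         ("broken", BROKEN)):
        print(name, check_fou(sample) or "ok")
```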

The [Peer] section only applies for netdevs of kind "veth" and accepts
the following keys:

Name=
    The interface name used when creating the netdev. This setting is
    compulsory.

MACAddress=
    The peer MAC address. If not set, it is generated in the same way
    as the MAC address of the main interface.

The [VXCAN] section only applies for netdevs of kind "vxcan" and
accepts the following key:

Peer=
    The peer interface name used when creating the netdev. This setting
    is compulsory.

The [Tun] section only applies for netdevs of kind "tun", and accepts
the following keys:

MultiQueue=
    Takes a boolean. Configures whether to use multiple file
    descriptors (queues) to parallelize sending and receiving of
    packets. Defaults to "no".

PacketInfo=
    Takes a boolean. Configures whether packets should be prepended
    with four extra bytes (two flag bytes and two protocol bytes). If
    disabled, it indicates that the packets will be pure IP packets.
    Defaults to "no".

VNetHeader=
    Takes a boolean. Configures IFF_VNET_HDR flag for a tun or tap
    device. It allows sending and receiving larger Generic Segmentation
    Offload (GSO) packets. This may increase throughput significantly.
    Defaults to "no".

User=
    User to grant access to the /dev/net/tun device.

Group=
    Group to grant access to the /dev/net/tun device.

The [Tap] section only applies for netdevs of kind "tap", and accepts
the same keys as the [Tun] section.

The [WireGuard] section accepts the following keys:

PrivateKey=
    The Base64 encoded private key for the interface. It can be
    generated using the wg genkey command (see wg(8)). This option or
    PrivateKeyFile= is mandatory to use WireGuard. Note that because
    this information is secret, you may want to set the permissions of
    the .netdev file to be owned by "root:systemd-network" with a
    "0640" file mode.

PrivateKeyFile=
    Takes an absolute path to a file which contains the Base64 encoded
    private key for the interface. When this option is specified, then
    PrivateKey= is ignored. Note that the file must be readable by the
    user "systemd-network", so it should be, e.g., owned by
    "root:systemd-network" with a "0640" file mode. If the path refers
    to an AF_UNIX stream socket in the file system, a connection is
    made to it and the key is read from it.

ListenPort=
    Sets the UDP port for listening. Takes either a value between 1 and
    65535 or "auto". If "auto" is specified, the port is automatically
    generated based on interface name. Defaults to "auto".

FirewallMark=
    Sets a firewall mark on outgoing WireGuard packets from this
    interface. Takes a number between 1 and 4294967295.

The [WireGuardPeer] section accepts the following keys:

PublicKey=
    Sets a Base64 encoded public key calculated by wg pubkey (see
    wg(8)) from a private key, and usually transmitted out of band to
    the author of the configuration file. This option is mandatory for
    this section.

PresharedKey=
    Optional preshared key for the interface. It can be generated by
    the wg genpsk command. This option adds an additional layer of
    symmetric-key cryptography to be mixed into the already existing
    public-key cryptography, for post-quantum resistance. Note that
    because this information is secret, you may want to set the
    permissions of the .netdev file to be owned by
    "root:systemd-network" with a "0640" file mode.

PresharedKeyFile=
    Takes an absolute path to a file which contains the Base64 encoded
    preshared key for the peer. When this option is specified, then
    PresharedKey= is ignored. Note that the file must be readable by
    the user "systemd-network", so it should be, e.g., owned by
    "root:systemd-network" with a "0640" file mode. If the path refers
    to an AF_UNIX stream socket in the file system, a connection is
    made to it and the key is read from it.

AllowedIPs=
    Sets a comma-separated list of IP (v4 or v6) addresses with CIDR
    masks from which this peer is allowed to send incoming traffic and
    to which outgoing traffic for this peer is directed.

    The catch-all 0.0.0.0/0 may be specified for matching all IPv4
    addresses, and ::/0 may be specified for matching all IPv6
    addresses.

    Note that this only affects routing inside the network interface
    itself, i.e. the packets that pass through the tunnel itself. To
    cause packets to be sent via the tunnel in the first place, an
    appropriate route needs to be added as well — either in the
    "[Routes]" section on the ".network" matching the wireguard
    interface, or externally to systemd-networkd.

Endpoint=
    Sets an endpoint IP address or hostname, followed by a colon, and
    then a port number. This endpoint will be updated automatically
    once to the most recent source IP address and port of correctly
    authenticated packets from the peer at configuration time.

PersistentKeepalive=
    Sets an interval in seconds, between 1 and 65535 inclusive, of how
    often to send an authenticated empty packet to the peer for the
    purpose of keeping a stateful firewall or NAT mapping valid
    persistently. For example, if the interface very rarely sends
    traffic, but it might at any time receive traffic from a peer, and
    it is behind NAT, the interface might benefit from having a
    persistent keepalive interval of 25 seconds. If set to 0 or "off",
    this option is disabled. By default or when unspecified, this
    option is off. Most users will not need this.
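
The file-mode advice given above for the MACsec Key=/KeyFile= settings and for the WireGuard PrivateKey=, PrivateKeyFile=, PresharedKey= and PresharedKeyFile= settings can be audited mechanically. The script below is an added example, not part of systemd; its function names, the require_root_owner switch and the sample file contents are constructed for illustration.

```python
import os
import stat
import tempfile

# Secret-bearing keys per section, taken from the option descriptions above.
# [Tunnel] Key= is deliberately absent: it is a tunnel lookup key, not a secret.
INLINE_SECRETS = {
    "MACsecTransmitAssociation": {"Key"},
    "MACsecReceiveAssociation": {"Key"},
    "WireGuard": {"PrivateKey"},
    "WireGuardPeer": {"PresharedKey"},
}
FILE_SECRETS = {s: {k + "File" for k in keys} for s, keys in INLINE_SECRETS.items()}


def parse_netdev(text):
    """Yield (section, key, value); sections may repeat, e.g. [WireGuardPeer]."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section:
            key, value = line.split("=", 1)
            yield section, key.strip(), value.strip()


def mode_findings(path, label, require_root_owner=False):
    """Flag anything looser than 0640: group write/execute or any 'other' bit."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return [f"{label}: cannot stat {path} ({exc.strerror})"]
    if stat.S_ISSOCK(st.st_mode):
        return []  # AF_UNIX socket: the key is served by a process, not stored
    found = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o037:
        found.append(f"{label}: {path} has mode {mode:04o}, expected 0640 or stricter")
    if require_root_owner and st.st_uid != 0:
        found.append(f"{label}: {path} is owned by uid {st.st_uid}, expected root")
    return found


def audit_netdev(path, require_root_owner=False):
    """Report inline secrets and over-permissive modes for one .netdev file."""
    with open(path, encoding="utf-8") as fh:
        entries = list(parse_netdev(fh.read()))
    findings = []
    inline = [(s, k) for s, k, v in entries if v and k in INLINE_SECRETS.get(s, ())]
    for section, key in inline:
        findings.append(f"[{section}] {key}= holds the secret inline; prefer {key}File=")
    if inline:  # the .netdev file itself now contains secret material
        findings += mode_findings(path, "netdev", require_root_owner)
    for section, key, value in entries:
        if key in FILE_SECRETS.get(section, ()):
            if not os.path.isabs(value):
                findings.append(f"[{section}] {key}= must be an absolute path")
            else:
                findings += mode_findings(value, f"[{section}] {key}=", require_root_owner)
    return findings


# Constructed sample; the key values are placeholders, not real keys.
SAMPLE = """[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
PrivateKeyFile={keyfile}

[WireGuardPeer]
PublicKey=CONSTRUCTED-PUBLIC-KEY-PLACEHOLDER
PresharedKey=CONSTRUCTED-PSK-PLACEHOLDER
AllowedIPs=192.168.26.0/24
"""


def demo(key_mode=0o644, netdev_mode=0o644):
    """Write the sample into a temp dir with the given modes and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        keyfile = os.path.join(tmp, "wg0.key")
        with open(keyfile, "w", encoding="utf-8") as fh:
            fh.write("CONSTRUCTED-PRIVATE-KEY-PLACEHOLDER\n")
        os.chmod(keyfile, key_mode)
        netdev = os.path.join(tmp, "25-wireguard.netdev")
        with open(netdev, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE.format(keyfile=keyfile))
        os.chmod(netdev, netdev_mode)
        return audit_netdev(netdev)


if __name__ == "__main__":
    print("\n".join(demo()))
```

On a real host, call audit_netdev() on each file under /etc/systemd/network with require_root_owner=True; the group owner ("systemd-network" in the text above) is not checked by this sketch.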

The [Bond] section accepts the following keys:

Mode=
    Specifies one of the bonding policies. The default is "balance-rr"
    (round robin). Possible values are "balance-rr", "active-backup",
    "balance-xor", "broadcast", "802.3ad", "balance-tlb", and
    "balance-alb".

TransmitHashPolicy=
    Selects the transmit hash policy to use for slave selection in
    balance-xor, 802.3ad, and tlb modes. Possible values are "layer2",
    "layer3+4", "layer2+3", "encap2+3", and "encap3+4".

LACPTransmitRate=
    Specifies the rate with which the link partner transmits Link
    Aggregation Control Protocol Data Unit packets in 802.3ad mode.
    Possible values are "slow", which requests the partner to transmit
    LACPDUs every 30 seconds, and "fast", which requests the partner to
    transmit LACPDUs every second. The default value is "slow".

MIIMonitorSec=
    Specifies the frequency at which Media Independent Interface link
    monitoring will occur. A value of zero disables MII link
    monitoring. This value is rounded down to the nearest millisecond.
    The default value is 0.

UpDelaySec=
    Specifies the delay before a link is enabled after a link up status
    has been detected. This value is rounded down to a multiple of
    MIIMonitorSec. The default value is 0.

DownDelaySec=
    Specifies the delay before a link is disabled after a link down
    status has been detected. This value is rounded down to a multiple
    of MIIMonitorSec. The default value is 0.

LearnPacketIntervalSec=
    Specifies the number of seconds between instances where the bonding
    driver sends learning packets to each slave peer switch. The valid
    range is 1–0x7fffffff; the default value is 1. This option has an
    effect only for the balance-tlb and balance-alb modes.

AdSelect=
    Specifies the 802.3ad aggregation selection logic to use. Possible
    values are "stable", "bandwidth" and "count".

AdActorSystemPriority=
    Specifies the 802.3ad actor system priority. Takes a number in the
    range 1...65535.

AdUserPortKey=
    Specifies the 802.3ad user defined portion of the port key. Takes a
    number in the range 0...1023.

AdActorSystem=
    Specifies the 802.3ad system MAC address. This cannot be a null or
    multicast address.

FailOverMACPolicy=
    Specifies whether the active-backup mode should set all slaves to
    the same MAC address at the time of enslavement or, when enabled,
    to perform special handling of the bond's MAC address in accordance
    with the selected policy. The default policy is none. Possible
    values are "none", "active" and "follow".

ARPValidate=
    Specifies whether or not ARP probes and replies should be validated
    in any mode that supports ARP monitoring, or whether non-ARP
    traffic should be filtered (disregarded) for link monitoring
    purposes. Possible values are "none", "active", "backup" and "all".

ARPIntervalSec=
    Specifies the ARP link monitoring frequency. A value of 0 disables
    ARP monitoring. The default value is 0, and the default unit is
    seconds.

ARPIPTargets=
    Specifies the IP addresses to use as ARP monitoring peers when
    ARPIntervalSec is greater than 0. These are the targets of the ARP
    request sent to determine the health of the link to the targets.
    Specify these values in IPv4 dotted decimal format. At least one IP
    address must be given for ARP monitoring to function. The maximum
    number of targets that can be specified is 16. The default value is
    no IP addresses.

ARPAllTargets=
    Specifies the quantity of ARPIPTargets that must be reachable in
    order for the ARP monitor to consider a slave as being up. This
    option affects only active-backup mode for slaves with ARPValidate
    enabled. Possible values are "any" and "all".

PrimaryReselectPolicy=
    Specifies the reselection policy for the primary slave. This
    affects how the primary slave is chosen to become the active slave
    when failure of the active slave or recovery of the primary slave
    occurs. This option is designed to prevent flip-flopping between
    the primary slave and other slaves. Possible values are "always",
    "better" and "failure".

ResendIGMP=
    Specifies the number of IGMP membership reports to be issued after
    a failover event. One membership report is issued immediately after
    the failover; subsequent packets are sent at 200ms intervals.
    The valid range is 0–255. Defaults to 1. A value of 0 prevents the
    IGMP membership report from being issued in response to the
    failover event.

PacketsPerSlave=
    Specify the number of packets to transmit through a slave before
    moving to the next one. When set to 0, then a slave is chosen at
    random. The valid range is 0–65535. Defaults to 1. This option only
    has effect when in balance-rr mode.

GratuitousARP=
    Specify the number of peer notifications (gratuitous ARPs and
    unsolicited IPv6 Neighbor Advertisements) to be issued after a
    failover event. As soon as the link is up on the new slave, a peer
    notification is sent on the bonding device and each VLAN
    sub-device. This is repeated at each link monitor interval
    (ARPIntervalSec or MIIMonitorSec, whichever is active) if the
    number is greater than 1. The valid range is 0–255. The default
    value is 1. This option affects only the active-backup mode.

AllSlavesActive=
    Takes a boolean. Specifies that duplicate frames (received on
    inactive ports) should be dropped when false, or delivered when
    true. Normally, bonding will drop duplicate frames (received on
    inactive ports), which is desirable for most users. However, it is
    sometimes useful to allow duplicate frames to be delivered.
    The default value is false (drop duplicate frames received on
    inactive ports).

DynamicTransmitLoadBalancing=
    Takes a boolean. Specifies if dynamic shuffling of flows is
    enabled. Applies only for balance-tlb mode. Defaults to unset.

MinLinks=
    Specifies the minimum number of links that must be active before
    asserting carrier. The default value is 0.

For more detailed information, see Linux Ethernet Bonding Driver HOWTO[1].

The [Xfrm] section accepts the following keys:

InterfaceId=
    Sets the ID/key of the xfrm interface which needs to be associated
    with a SA/policy. Can be decimal or hexadecimal, valid range is
    0-0xffffffff, defaults to 0.

Independent=
    Takes a boolean. If false (the default), the xfrm interface must
    have an underlying device which can be used for hardware
    offloading.

For more detailed information, see Virtual XFRM Interfaces[17].

The [VRF] section only applies for netdevs of kind "vrf" and accepts
the following key:

Table=
    The numeric routing table identifier. This setting is compulsory.

The [BatmanAdvanced] section only applies for netdevs of kind "batadv"
and accepts the following keys:

GatewayMode=
    Takes one of "off", "server", or "client". A batman-adv node can
    either run in server mode (sharing its internet connection with the
    mesh) or in client mode (searching for the most suitable internet
    connection in the mesh) or have the gateway support turned off
    entirely (which is the default setting).

Aggregation=
    Takes a boolean value. Enables or disables aggregation of
    originator messages. Defaults to true.

BridgeLoopAvoidance=
    Takes a boolean value. Enables or disables avoidance of loops on
    bridges. Defaults to true.

DistributedArpTable=
    Takes a boolean value. Enables or disables the distributed ARP
    table. Defaults to true.

Fragmentation=
    Takes a boolean value. Enables or disables fragmentation. Defaults
    to true.

HopPenalty=
    The hop penalty setting allows modifying the batctl(8) preference
    for multihop routes vs. short routes. This integer value is applied
    to the TQ (Transmit Quality) of each forwarded OGM (Originator
    Message), thereby propagating the cost of an extra hop (the packet
    has to be received and retransmitted which costs airtime). A higher
    hop penalty will make it more unlikely that other nodes will choose
    this node as intermediate hop towards any given destination. The
    default hop penalty of '15' is a reasonable value for most setups
    and probably does not need to be changed. However, mobile nodes
    could choose a value of 255 (maximum value) to avoid being chosen
    as a router by other nodes. The minimum value is 0.

OriginatorIntervalSec=
    The value specifies the interval (in seconds, unless another time
    unit is specified) at which batman-adv floods the network with its
    protocol information. See systemd.time(7) for more information.

GatewayBandwidthDown=
    If the node is a server, this parameter is used to inform other
    nodes in the network about this node's internet connection download
    bandwidth in bits per second. Just enter any number suffixed with
    K, M, G or T (base 1000) and the batman-adv module will propagate
    the entered value in the mesh.

GatewayBandwidthUp=
    If the node is a server, this parameter is used to inform other
    nodes in the network about this node's internet connection upload
    bandwidth in bits per second. Just enter any number suffixed with
    K, M, G or T (base 1000) and the batman-adv module will propagate
    the entered value in the mesh.

RoutingAlgorithm=
    This can be either "batman-v" or "batman-iv" and describes which
    routing_algo of batctl(8) to use. The algorithm cannot be changed
    after interface creation. Defaults to "batman-v".

Example 1. /etc/systemd/network/25-bridge.netdev

    [NetDev]
    Name=bridge0
    Kind=bridge

Example 2. /etc/systemd/network/25-vlan1.netdev

    [Match]
    Virtualization=no

    [NetDev]
    Name=vlan1
    Kind=vlan

    [VLAN]
    Id=1

Example 3. /etc/systemd/network/25-ipip.netdev

    [NetDev]
    Name=ipip-tun
    Kind=ipip
    MTUBytes=1480

    [Tunnel]
    Local=192.168.223.238
    Remote=192.169.224.239
    TTL=64

Example 4. /etc/systemd/network/1-fou-tunnel.netdev

    [NetDev]
    Name=fou-tun
    Kind=fou

    [FooOverUDP]
    Port=5555
    Protocol=4

Example 5. /etc/systemd/network/25-fou-ipip.netdev

    [NetDev]
    Name=ipip-tun
    Kind=ipip

    [Tunnel]
    Independent=yes
    Local=10.65.208.212
    Remote=10.65.208.211
    FooOverUDP=yes
    FOUDestinationPort=5555

Example 6. /etc/systemd/network/25-tap.netdev

    [NetDev]
    Name=tap-test
    Kind=tap

    [Tap]
    MultiQueue=yes
    PacketInfo=yes

Example 7. /etc/systemd/network/25-sit.netdev

    [NetDev]
    Name=sit-tun
    Kind=sit
    MTUBytes=1480

    [Tunnel]
    Local=10.65.223.238
    Remote=10.65.223.239

Example 8. /etc/systemd/network/25-6rd.netdev

    [NetDev]
    Name=6rd-tun
    Kind=sit
    MTUBytes=1480

    [Tunnel]
    Local=10.65.223.238
    IPv6RapidDeploymentPrefix=2602::/24

Example 9. /etc/systemd/network/25-gre.netdev

    [NetDev]
    Name=gre-tun
    Kind=gre
    MTUBytes=1480

    [Tunnel]
    Local=10.65.223.238
    Remote=10.65.223.239

Example 10. /etc/systemd/network/25-ip6gre.netdev

    [NetDev]
    Name=ip6gre-tun
    Kind=ip6gre

    [Tunnel]
    Key=123

Example 11. /etc/systemd/network/25-vti.netdev

    [NetDev]
    Name=vti-tun
    Kind=vti
    MTUBytes=1480

    [Tunnel]
    Local=10.65.223.238
    Remote=10.65.223.239

Example 12. /etc/systemd/network/25-veth.netdev

    [NetDev]
    Name=veth-test
    Kind=veth

    [Peer]
    Name=veth-peer

Example 13. /etc/systemd/network/25-bond.netdev

    [NetDev]
    Name=bond1
    Kind=bond

    [Bond]
    Mode=802.3ad
    TransmitHashPolicy=layer3+4
    MIIMonitorSec=1s
    LACPTransmitRate=fast

Example 14. /etc/systemd/network/25-dummy.netdev

    [NetDev]
    Name=dummy-test
    Kind=dummy
    MACAddress=12:34:56:78:9a:bc

Example 15. /etc/systemd/network/25-vrf.netdev

Create a VRF interface with table 42.

    [NetDev]
    Name=vrf-test
    Kind=vrf

    [VRF]
    Table=42

Example 16. /etc/systemd/network/25-macvtap.netdev

Create a MacVTap device.

    [NetDev]
    Name=macvtap-test
    Kind=macvtap

Example 17. /etc/systemd/network/25-wireguard.netdev

    [NetDev]
    Name=wg0
    Kind=wireguard

    [WireGuard]
    PrivateKey=EEGlnEPYJV//kbvvIqxKkQwOiS+UENyPncC4bF46ong=
    ListenPort=51820

    [WireGuardPeer]
    PublicKey=RDf+LSpeEre7YEIKaxg+wbpsNV7du+ktR99uBEtIiCA=
    AllowedIPs=fd31:bf08:57cb::/48,192.168.26.0/24
    Endpoint=wireguard.example.com:51820

Example 18. /etc/systemd/network/27-xfrm.netdev

    [NetDev]
    Name=xfrm0
    Kind=xfrm

    [Xfrm]
    Independent=yes

systemd(1), systemd-networkd(8), systemd.link(5), systemd.network(5)

 1. Linux Ethernet Bonding Driver HOWTO
    https://www.kernel.org/doc/Documentation/networking/bonding.txt

 2. RFC 2784
    https://tools.ietf.org/html/rfc2784

 3. IEEE 802.1Q
    http://www.ieee802.org/1/pages/802.1Q.html

 4. VRF
    https://www.kernel.org/doc/Documentation/networking/vrf.txt

 5. B.A.T.M.A.N. Advanced
    https://www.open-mesh.org/projects/open-mesh/wiki

 6. (DOVE)
    https://en.wikipedia.org/wiki/Distributed_Overlay_Virtual_Ethernet

 7. VXLAN Group Policy
    https://tools.ietf.org/html/draft-smith-vxlan-group-policy

 8. Generic Protocol Extension for VXLAN
    https://tools.ietf.org/html/draft-ietf-nvo3-vxlan-gpe-07

 9. Type of Service in the Internet Protocol Suite
    http://tools.ietf.org/html/rfc1349

10. RFC 6437
    https://tools.ietf.org/html/rfc6437

11. RFC 2460
    https://tools.ietf.org/html/rfc2460

12. RFC 2473
    https://tools.ietf.org/html/rfc2473#section-4.1.1

13. ip-xfrm — transform configuration
    http://man7.org/linux/man-pages/man8/ip-xfrm.8.html

14. Foo over UDP
    https://lwn.net/Articles/614348

15. IPv6 Rapid Deployment
    https://tools.ietf.org/html/rfc5569

16. Generic UDP Encapsulation
    https://lwn.net/Articles/615044

17. Virtual XFRM Interfaces
    https://lwn.net/Articles/757391

systemd 249                                                  SYSTEMD.NETDEV(5)