1SYSTEMD.NETWORK(5)              systemd.network             SYSTEMD.NETWORK(5)
2
3
4

NAME

6       systemd.network - Network configuration
7

SYNOPSIS

9       network.network
10

DESCRIPTION

12       A plain ini-style text file that encodes network configuration for
13       matching network interfaces, used by systemd-networkd(8). See
14       systemd.syntax(7) for a general description of the syntax.
15
16       The main network file must have the extension .network; other
17       extensions are ignored. Networks are applied to links whenever the
18       links appear.
19
20       The .network files are read from the files located in the system
21       network directories /usr/lib/systemd/network and
22       /usr/local/lib/systemd/network, the volatile runtime network directory
23       /run/systemd/network and the local administration network directory
24       /etc/systemd/network. All configuration files are collectively sorted
25       and processed in lexical order, regardless of the directories in which
26       they live. However, files with identical filenames replace each other.
27       Files in /etc/ have the highest priority, files in /run/ take
28       precedence over files with the same name under /usr/. This can be used
29       to override a system-supplied configuration file with a local file if
30       needed. As a special case, an empty file (file size 0) or symlink with
31       the same name pointing to /dev/null disables the configuration file
32       entirely (it is "masked").
33
34       Along with the network file foo.network, a "drop-in" directory
35       foo.network.d/ may exist. All files with the suffix ".conf" from this
36       directory will be merged in the alphanumeric order and parsed after the
37       main file itself has been parsed. This is useful to alter or add
38       configuration settings, without having to modify the main configuration
39       file. Each drop-in file must have appropriate section headers.
40
41       In addition to /etc/systemd/network, drop-in ".d" directories can be
42       placed in /usr/lib/systemd/network or /run/systemd/network directories.
43       Drop-in files in /etc/ take precedence over those in /run/ which in
44       turn take precedence over those in /usr/lib/. Drop-in files under any
45       of these directories take precedence over the main network file
46       wherever located.
47

[MATCH] SECTION OPTIONS

49       The network file contains a [Match] section, which determines if a
50       given network file may be applied to a given device; and a [Network]
51       section specifying how the device should be configured. The first (in
52       lexical order) of the network files that matches a given device is
53       applied, all later files are ignored, even if they match as well.
54
55       A network file is said to match a network interface if all matches
56       specified by the [Match] section are satisfied. When a network file
57       does not contain valid settings in [Match] section, then the file will
58       match all interfaces and systemd-networkd warns about that. Hint: to
59       avoid the warning and to make it clear that all interfaces shall be
60       matched, add the following:
61
62           Name=*
63
64       The following keys are accepted:
65
66       MACAddress=
67           A whitespace-separated list of hardware addresses. Use full colon-,
68           hyphen- or dot-delimited hexadecimal. See the example below. This
69           option may appear more than once, in which case the lists are
70           merged. If the empty string is assigned to this option, the list of
71           hardware addresses defined prior to this is reset.
72
73           Example:
74
75               MACAddress=01:23:45:67:89:ab 00-11-22-33-44-55 AABB.CCDD.EEFF
76
77       PermanentMACAddress=
78           A whitespace-separated list of hardware's permanent addresses.
79           While MACAddress= matches the device's current MAC address, this
80           matches the device's permanent MAC address, which may be different
81           from the current one. Use full colon-, hyphen- or dot-delimited
82           hexadecimal. This option may appear more than once, in which case
83           the lists are merged. If the empty string is assigned to this
84           option, the list of hardware addresses defined prior to this is
85           reset.
86
87       Path=
88           A whitespace-separated list of shell-style globs matching the
89           persistent path, as exposed by the udev property ID_PATH.
90
91       Driver=
92           A whitespace-separated list of shell-style globs matching the
93           driver currently bound to the device, as exposed by the udev
94           property ID_NET_DRIVER of its parent device, or if that is not set,
95           the driver as exposed by ethtool -i of the device itself. If the
96           list is prefixed with a "!", the test is inverted.
97
98       Type=
99           A whitespace-separated list of shell-style globs matching the
100           device type, as exposed by networkctl list. If the list is prefixed
101           with a "!", the test is inverted. Some valid values are "ether",
102           "loopback", "wlan", "wwan". Valid types are named either from the
103           udev "DEVTYPE" attribute, or "ARPHRD_" macros in linux/if_arp.h, so
104           this is not comprehensive.
105
106       Property=
107           A whitespace-separated list of udev property names with their
108           values after equals sign ("="). If multiple properties are
109           specified, the test results are ANDed. If the list is prefixed with
110           a "!", the test is inverted. If a value contains white spaces, then
111           please quote whole key and value pair. If a value contains
112           quotation, then please escape the quotation with "\".
113
114           Example: if a .link file has the following:
115
116               Property=ID_MODEL_ID=9999 "ID_VENDOR_FROM_DATABASE=vendor name" "KEY=with \"quotation\""
117
118           then, the .link file matches only when an interface has all the
119           above three properties.
120
121       Name=
122           A whitespace-separated list of shell-style globs matching the
123           device name, as exposed by the udev property "INTERFACE", or
124           device's alternative names. If the list is prefixed with a "!", the
125           test is inverted.
126
127       WLANInterfaceType=
128           A whitespace-separated list of wireless network type. Supported
129           values are "ad-hoc", "station", "ap", "ap-vlan", "wds", "monitor",
130           "mesh-point", "p2p-client", "p2p-go", "p2p-device", "ocb", and
131           "nan". If the list is prefixed with a "!", the test is inverted.
132
133       SSID=
134           A whitespace-separated list of shell-style globs matching the SSID
135           of the currently connected wireless LAN. If the list is prefixed
136           with a "!", the test is inverted.
137
138       BSSID=
139           A whitespace-separated list of hardware address of the currently
140           connected wireless LAN. Use full colon-, hyphen- or dot-delimited
141           hexadecimal. See the example in MACAddress=. This option may appear
142           more than once, in which case the lists are merged. If the empty
143           string is assigned to this option, the list is reset.
144
145       Host=
146           Matches against the hostname or machine ID of the host. See
147           ConditionHost= in systemd.unit(5) for details. When prefixed with
148           an exclamation mark ("!"), the result is negated. If an empty
149           string is assigned, then previously assigned value is cleared.
150
151       Virtualization=
152           Checks whether the system is executed in a virtualized environment
153           and optionally test whether it is a specific implementation. See
154           ConditionVirtualization= in systemd.unit(5) for details. When
155           prefixed with an exclamation mark ("!"), the result is negated. If
156           an empty string is assigned, then previously assigned value is
157           cleared.
158
159       KernelCommandLine=
160           Checks whether a specific kernel command line option is set. See
161           ConditionKernelCommandLine= in systemd.unit(5) for details. When
162           prefixed with an exclamation mark ("!"), the result is negated. If
163           an empty string is assigned, then previously assigned value is
164           cleared.
165
166       KernelVersion=
167           Checks whether the kernel version (as reported by uname -r) matches
168           a certain expression. See ConditionKernelVersion= in
169           systemd.unit(5) for details. When prefixed with an exclamation mark
170           ("!"), the result is negated. If an empty string is assigned, then
171           previously assigned value is cleared.
172
173       Architecture=
174           Checks whether the system is running on a specific architecture.
175           See ConditionArchitecture= in systemd.unit(5) for details. When
176           prefixed with an exclamation mark ("!"), the result is negated. If
177           an empty string is assigned, then previously assigned value is
178           cleared.
179
180       Firmware=
181           Checks whether the system is running on a machine with the
182           specified firmware. See ConditionFirmware= in systemd.unit(5) for
183           details. When prefixed with an exclamation mark ("!"), the result
184           is negated. If an empty string is assigned, then previously
185           assigned value is cleared.
186

[LINK] SECTION OPTIONS

188       The [Link] section accepts the following keys:
189
190       MACAddress=
191           The hardware address to set for the device.
192
193       MTUBytes=
194           The maximum transmission unit in bytes to set for the device. The
195           usual suffixes K, M, G, are supported and are understood to the
196           base of 1024.
197
198           Note that if IPv6 is enabled on the interface, and the MTU is
199           chosen below 1280 (the minimum MTU for IPv6) it will automatically
200           be increased to this value.
201
202       ARP=
203           Takes a boolean. If set to true, the ARP (low-level Address
204           Resolution Protocol) for this interface is enabled. When unset, the
205           kernel's default will be used.
206
207           For example, disabling ARP is useful when creating multiple MACVLAN
208           or VLAN virtual interfaces atop a single lower-level physical
209           interface, which will then only serve as a link/"bridge" device
210           aggregating traffic to the same physical link and not participate
211           in the network otherwise. Defaults to unset.
212
213       Multicast=
214           Takes a boolean. If set to true, the multicast flag on the device
215           is enabled. Defaults to unset.
216
217       AllMulticast=
218           Takes a boolean. If set to true, the driver retrieves all multicast
219           packets from the network. This happens when multicast routing is
220           enabled. Defaults to unset.
221
222       Promiscuous=
223           Takes a boolean. If set to true, promiscuous mode of the interface
224           is enabled. Defaults to unset.
225
226       Unmanaged=
227           Takes a boolean. When "yes", no attempts are made to bring up or
228           configure matching links, equivalent to when there are no matching
229           network files. Defaults to "no".
230
231           This is useful for preventing later matching network files from
232           interfering with certain interfaces that are fully controlled by
233           other applications.
234
235       Group=
236           Link groups are similar to port ranges found in managed switches.
237           When network interfaces are added to a numbered group, operations
238           on all the interfaces from that group can be performed at once.
239           Takes an unsigned integer in the range 0...4294967295. Defaults to
240           unset.
241
242       RequiredForOnline=
243           Takes a boolean or a minimum operational state and an optional
244           maximum operational state. Please see networkctl(1) for possible
245           operational states. When "yes", the network is deemed required when
246           determining whether the system is online (including when running
247           systemd-networkd-wait-online). When "no", the network is ignored
248           when determining the online state. When a minimum operational state
249           and an optional maximum operational state are set, "yes" is
250           implied, and this controls the minimum and maximum operational
251           state required for the network interface to be considered online.
252
253           Defaults to "yes" when ActivationPolicy= is not set, or set to
254           "up", "always-up", or "bound". Defaults to "no" when
255           ActivationPolicy= is set to "manual" or "down". This is forced to
256           "no" when ActivationPolicy= is set to "always-down".
257
258           The network will be brought up normally (as configured by
259           ActivationPolicy=), but in the event that there is no address being
260           assigned by DHCP or the cable is not plugged in, the link will
261           simply remain offline and be skipped automatically by
262           systemd-networkd-wait-online if "RequiredForOnline=no".
263
264       RequiredFamilyForOnline=
265           Takes an address family. When specified, an IP address in the given
266           family is deemed required when determining whether the link is
267           online (including when running systemd-networkd-wait-online). Takes
268           one of "ipv4", "ipv6", "both", or "any". Defaults to "any". Note
269           that this option has no effect if "RequiredForOnline=no", or if
270           "RequiredForOnline=" specifies a minimum operational state below
271           "degraded".
272
273       ActivationPolicy=
274           Specifies the policy for systemd-networkd managing the link
275           administrative state. Specifically, this controls how
276           systemd-networkd changes the network device's "IFF_UP" flag, which
277           is sometimes controlled by system administrators by running e.g.,
278           ip set dev eth0 up or ip set dev eth0 down, and can also be changed
279           with networkctl up eth0 or networkctl down eth0.
280
281           Takes one of "up", "always-up", "manual", "always-down", "down", or
282           "bound". When "manual", systemd-networkd will not change the link's
283           admin state automatically; the system administrator must bring the
284           interface up or down manually, as desired. When "up" (the default)
285           or "always-up", or "down" or "always-down", systemd-networkd will
286           set the link up or down, respectively, when the interface is
287           (re)configured. When "always-up" or "always-down", systemd-networkd
288           will set the link up or down, respectively, any time
289           systemd-networkd detects a change in the administrative state. When
290           BindCarrier= is also set, this is automatically set to "bound" and
291           any other value is ignored.
292
293           When the policy is set to "down" or "manual", the default value of
294           RequiredForOnline= is "no". When the policy is set to
295           "always-down", the value of RequiredForOnline= forced to "no".
296
297           The administrative state is not the same as the carrier state, so
298           using "always-up" does not mean the link will never lose carrier.
299           The link carrier depends on both the administrative state as well
300           as the network device's physical connection. However, to avoid
301           reconfiguration failures, when using "always-up",
302           IgnoreCarrierLoss= is forced to true.
303

[SR-IOV] SECTION OPTIONS

305       The [SR-IOV] section accepts the following keys. Specify several
306       [SR-IOV] sections to configure several SR-IOVs. SR-IOV provides the
307       ability to partition a single physical PCI resource into virtual PCI
308       functions which can then be injected into a VM. In the case of network
309       VFs, SR-IOV improves north-south network performance (that is, traffic
310       with endpoints outside the host machine) by allowing traffic to bypass
311       the host machine’s network stack.
312
313       VirtualFunction=
314           Specifies a Virtual Function (VF), lightweight PCIe function
315           designed solely to move data in and out. Takes an unsigned integer
316           in the range 0...2147483646. This option is compulsory.
317
318       VLANId=
319           Specifies VLAN ID of the virtual function. Takes an unsigned
320           integer in the range 1...4095.
321
322       QualityOfService=
323           Specifies quality of service of the virtual function. Takes an
324           unsigned integer in the range 1...4294967294.
325
326       VLANProtocol=
327           Specifies VLAN protocol of the virtual function. Takes "802.1Q" or
328           "802.1ad".
329
330       MACSpoofCheck=
331           Takes a boolean. Controls the MAC spoof checking. When unset, the
332           kernel's default will be used.
333
334       QueryReceiveSideScaling=
335           Takes a boolean. Toggle the ability of querying the receive side
336           scaling (RSS) configuration of the virtual function (VF). The VF
337           RSS information like RSS hash key may be considered sensitive on
338           some devices where this information is shared between VF and the
339           physical function (PF). When unset, the kernel's default will be
340           used.
341
342       Trust=
343           Takes a boolean. Allows to set trust mode of the virtual function
344           (VF). When set, VF users can set a specific feature which may
345           impact security and/or performance. When unset, the kernel's
346           default will be used.
347
348       LinkState=
349           Allows to set the link state of the virtual function (VF). Takes a
350           boolean or a special value "auto". Setting to "auto" means a
351           reflection of the physical function (PF) link state, "yes" lets the
352           VF to communicate with other VFs on this host even if the PF link
353           state is down, "no" causes the hardware to drop any packets sent by
354           the VF. When unset, the kernel's default will be used.
355
356       MACAddress=
357           Specifies the MAC address for the virtual function.
358

[NETWORK] SECTION OPTIONS

360       The [Network] section accepts the following keys:
361
362       Description=
363           A description of the device. This is only used for presentation
364           purposes.
365
366       DHCP=
367           Enables DHCPv4 and/or DHCPv6 client support. Accepts "yes", "no",
368           "ipv4", or "ipv6". Defaults to "no".
369
370           Note that DHCPv6 will by default be triggered by Router
371           Advertisement, if that is enabled, regardless of this parameter. By
372           enabling DHCPv6 support explicitly, the DHCPv6 client will be
373           started regardless of the presence of routers on the link, or what
374           flags the routers pass. See "IPv6AcceptRA=".
375
376           Furthermore, note that by default the domain name specified through
377           DHCP is not used for name resolution. See option UseDomains= below.
378
379           See the [DHCPv4] or [DHCPv6] sections below for further
380           configuration options for the DHCP client support.
381
382       DHCPServer=
383           Takes a boolean. If set to "yes", DHCPv4 server will be started.
384           Defaults to "no". Further settings for the DHCP server may be set
385           in the [DHCPServer] section described below.
386
387       LinkLocalAddressing=
388           Enables link-local address autoconfiguration. Accepts yes, no,
389           ipv4, and ipv6. An IPv6 link-local address is configured when yes
390           or ipv6. An IPv4 link-local address is configured when yes or ipv4
391           and when DHCPv4 autoconfiguration has been unsuccessful for some
392           time. (IPv4 link-local address autoconfiguration will usually
393           happen in parallel with repeated attempts to acquire a DHCPv4
394           lease).
395
396           Defaults to no when Bridge=yes is set, and ipv6 otherwise.
397
398       IPv6LinkLocalAddressGenerationMode=
399           Specifies how IPv6 link local address is generated. Takes one of
400           "eui64", "none", "stable-privacy" and "random". When unset,
401           "stable-privacy" is used if IPv6StableSecretAddress= is specified,
402           and if not, "eui64" is used. Note that if LinkLocalAddressing= is
403           "no" or "ipv4", then IPv6LinkLocalAddressGenerationMode= will be
404           ignored. Also, even if LinkLocalAddressing= is "yes" or "ipv6",
405           setting IPv6LinkLocalAddressGenerationMode=none disables to
406           configure an IPv6 link-local address.
407
408       IPv6StableSecretAddress=
409           Takes an IPv6 address. The specified address will be used as a
410           stable secret for generating IPv6 link-local address. If this
411           setting is specified, and IPv6LinkLocalAddressGenerationMode= is
412           unset, then IPv6LinkLocalAddressGenerationMode=stable-privacy is
413           implied. If this setting is not specified, and "stable-privacy" is
414           set to IPv6LinkLocalAddressGenerationMode=, then a stable secret
415           address will be generated from the local machine ID and the
416           interface name.
417
418       IPv4LLRoute=
419           Takes a boolean. If set to true, sets up the route needed for
420           non-IPv4LL hosts to communicate with IPv4LL-only hosts. Defaults to
421           false.
422
423       DefaultRouteOnDevice=
424           Takes a boolean. If set to true, sets up the default route bound to
425           the interface. Defaults to false. This is useful when creating
426           routes on point-to-point interfaces. This is equivalent to e.g. the
427           following,
428
429               ip route add default dev veth99
430
431           or,
432
433               [Route]
434               Gateway=0.0.0.0
435
436           Currently, there are no way to specify e.g., the table for the
437           route configured by this setting. To configure the default route
438           with such an additional property, please use the following instead:
439
440               [Route]
441               Gateway=0.0.0.0
442               Table=1234
443
444       IPv6Token=
445           Specifies an optional address generation mode for the Stateless
446           Address Autoconfiguration (SLAAC). Supported modes are
447           "prefixstable" and "static".
448
449           When the mode is set to "static", an IPv6 address must be specified
450           after a colon (":"), and the lower bits of the supplied address are
451           combined with the upper bits of a prefix received in a Router
452           Advertisement (RA) message to form a complete address. Note that if
453           multiple prefixes are received in an RA message, or in multiple RA
454           messages, addresses will be formed from each of them using the
455           supplied address. This mode implements SLAAC but uses a static
456           interface identifier instead of an identifier generated by using
457           the EUI-64 algorithm. Because the interface identifier is static,
458           if Duplicate Address Detection detects that the computed address is
459           a duplicate (in use by another node on the link), then this mode
460           will fail to provide an address for that prefix. If an IPv6 address
461           without mode is specified, then "static" mode is assumed.
462
463           When the mode is set to "prefixstable" the RFC 7217[1] algorithm
464           for generating interface identifiers will be used. This mode can
465           optionally take an IPv6 address separated with a colon (":"). If an
466           IPv6 address is specified, then an interface identifier is
467           generated only when a prefix received in an RA message matches the
468           supplied address.
469
470           If no address generation mode is specified (which is the default),
471           or a received prefix does not match any of the addresses provided
472           in "prefixstable" mode, then the EUI-64 algorithm will be used to
473           form an interface identifier for that prefix. This mode is also
474           SLAAC, but with a potentially stable interface identifier which
475           does not directly map to the interface's hardware address.
476
477           Note that the "prefixstable" algorithm uses both the interface name
478           and MAC address as input to the hash to compute the interface
479           identifier, so if either of those are changed the resulting
480           interface identifier (and address) will change, even if the prefix
481           received in the RA message has not changed.
482
483           This setting can be specified multiple times. If an empty string is
484           assigned, then the all previous assignments are cleared.
485
486           Examples:
487
488               IPv6Token=::1a:2b:3c:4d
489               IPv6Token=static:::1a:2b:3c:4d
490               IPv6Token=prefixstable
491               IPv6Token=prefixstable:2002:da8:1::
492
493       LLMNR=
494           Takes a boolean or "resolve". When true, enables Link-Local
495           Multicast Name Resolution[2] on the link. When set to "resolve",
496           only resolution is enabled, but not host registration and
497           announcement. Defaults to true. This setting is read by systemd-
498           resolved.service(8).
499
500       MulticastDNS=
501           Takes a boolean or "resolve". When true, enables Multicast DNS[3]
502           support on the link. When set to "resolve", only resolution is
503           enabled, but not host or service registration and announcement.
504           Defaults to false. This setting is read by systemd-
505           resolved.service(8).
506
507       DNSOverTLS=
508           Takes a boolean or "opportunistic". When true, enables
509           DNS-over-TLS[4] support on the link. When set to "opportunistic",
510           compatibility with non-DNS-over-TLS servers is increased, by
511           automatically turning off DNS-over-TLS servers in this case. This
512           option defines a per-interface setting for resolved.conf(5)'s
513           global DNSOverTLS= option. Defaults to false. This setting is read
514           by systemd-resolved.service(8).
515
516       DNSSEC=
517           Takes a boolean or "allow-downgrade". When true, enables DNSSEC[5]
518           DNS validation support on the link. When set to "allow-downgrade",
519           compatibility with non-DNSSEC capable networks is increased, by
520           automatically turning off DNSSEC in this case. This option defines
521           a per-interface setting for resolved.conf(5)'s global DNSSEC=
522           option. Defaults to false. This setting is read by systemd-
523           resolved.service(8).
524
525       DNSSECNegativeTrustAnchors=
526           A space-separated list of DNSSEC negative trust anchor domains. If
527           specified and DNSSEC is enabled, look-ups done via the interface's
528           DNS server will be subject to the list of negative trust anchors,
529           and not require authentication for the specified domains, or
530           anything below it. Use this to disable DNSSEC authentication for
531           specific private domains, that cannot be proven valid using the
532           Internet DNS hierarchy. Defaults to the empty list. This setting is
533           read by systemd-resolved.service(8).
534
535       LLDP=
536           Controls support for Ethernet LLDP packet reception. LLDP is a
537           link-layer protocol commonly implemented on professional routers
538           and bridges which announces which physical port a system is
539           connected to, as well as other related data. Accepts a boolean or
540           the special value "routers-only". When true, incoming LLDP packets
541           are accepted and a database of all LLDP neighbors maintained. If
542           "routers-only" is set only LLDP data of various types of routers is
543           collected and LLDP data about other types of devices ignored (such
544           as stations, telephones and others). If false, LLDP reception is
545           disabled. Defaults to "routers-only". Use networkctl(1) to query
546           the collected neighbor data. LLDP is only available on Ethernet
547           links. See EmitLLDP= below for enabling LLDP packet emission from
548           the local system.
549
550       EmitLLDP=
551           Controls support for Ethernet LLDP packet emission. Accepts a
552           boolean parameter or the special values "nearest-bridge",
553           "non-tpmr-bridge" and "customer-bridge". Defaults to false, which
554           turns off LLDP packet emission. If not false, a short LLDP packet
555           with information about the local system is sent out in regular
556           intervals on the link. The LLDP packet will contain information
557           about the local hostname, the local machine ID (as stored in
558           machine-id(5)) and the local interface name, as well as the pretty
559           hostname of the system (as set in machine-info(5)). LLDP emission
560           is only available on Ethernet links. Note that this setting passes
561           data suitable for identification of host to the network and should
562           thus not be enabled on untrusted networks, where such
563           identification data should not be made available. Use this option
564           to permit other systems to identify on which interfaces they are
565           connected to this system. The three special values control
566           propagation of the LLDP packets. The "nearest-bridge" setting
567           permits propagation only to the nearest connected bridge,
568           "non-tpmr-bridge" permits propagation across Two-Port MAC Relays,
569           but not any other bridges, and "customer-bridge" permits
570           propagation until a customer bridge is reached. For details about
571           these concepts, see IEEE 802.1AB-2016[6]. Note that configuring
572           this setting to true is equivalent to "nearest-bridge", the
573           recommended and most restricted level of propagation. See LLDP=
574           above for an option to enable LLDP reception.
575
576       BindCarrier=
577           A link name or a list of link names. When set, controls the
578           behavior of the current link. When all links in the list are in an
579           operational down state, the current link is brought down. When at
580           least one link has carrier, the current interface is brought up.
581
582           This forces ActivationPolicy= to be set to "bound".
583
584       Address=
585           A static IPv4 or IPv6 address and its prefix length, separated by a
586           "/" character. Specify this key more than once to configure several
587           addresses. The format of the address must be as described in
588           inet_pton(3). This is a short-hand for an [Address] section only
589           containing an Address key (see below). This option may be specified
590           more than once.
591
592           If the specified address is "0.0.0.0" (for IPv4) or "::" (for
593           IPv6), a new address range of the requested size is automatically
594           allocated from a system-wide pool of unused ranges. Note that the
595           prefix length must be equal or larger than 8 for IPv4, and 64 for
596           IPv6. The allocated range is checked against all current network
597           interfaces and all known network configuration files to avoid
598           address range conflicts. The default system-wide pool consists of
599           192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8 for IPv4, and fd00::/8
600           for IPv6. This functionality is useful to manage a large number of
601           dynamically created network interfaces with the same network
602           configuration and automatic address range assignment.
603
604       Gateway=
605           The gateway address, which must be in the format described in
606           inet_pton(3). This is a short-hand for a [Route] section only
607           containing a Gateway key. This option may be specified more than
608           once.
609
610       DNS=
611           A DNS server address, which must be in the format described in
612           inet_pton(3). This option may be specified more than once. Each
613           address can optionally take a port number separated with ":", a
614           network interface name or index separated with "%", and a Server
615           Name Indication (SNI) separated with "#". When IPv6 address is
616           specified with a port number, then the address must be in the
617           square brackets. That is, the acceptable full formats are
618           "111.222.333.444:9953%ifname#example.com" for IPv4 and
619           "[1111:2222::3333]:9953%ifname#example.com" for IPv6. If an empty
620           string is assigned, then the all previous assignments are cleared.
621           This setting is read by systemd-resolved.service(8).
622
623       Domains=
624           A whitespace-separated list of domains which should be resolved
625           using the DNS servers on this link. Each item in the list should be
626           a domain name, optionally prefixed with a tilde ("~"). The domains
627           with the prefix are called "routing-only domains". The domains
628           without the prefix are called "search domains" and are first used
629           as search suffixes for extending single-label hostnames (hostnames
630           containing no dots) to become fully qualified domain names (FQDNs).
631           If a single-label hostname is resolved on this interface, each of
632           the specified search domains are appended to it in turn, converting
633           it into a fully qualified domain name, until one of them may be
634           successfully resolved.
635
636           Both "search" and "routing-only" domains are used for routing of
637           DNS queries: look-ups for hostnames ending in those domains (hence
638           also single label names, if any "search domains" are listed), are
639           routed to the DNS servers configured for this interface. The domain
640           routing logic is particularly useful on multi-homed hosts with DNS
641           servers serving particular private DNS zones on each interface.
642
643           The "routing-only" domain "~."  (the tilde indicating definition of
644           a routing domain, the dot referring to the DNS root domain which is
645           the implied suffix of all valid DNS names) has special effect. It
646           causes all DNS traffic which does not match another configured
647           domain routing entry to be routed to DNS servers specified for this
648           interface. This setting is useful to prefer a certain set of DNS
649           servers if a link on which they are connected is available.
650
651           This setting is read by systemd-resolved.service(8). "Search
652           domains" correspond to the domain and search entries in
653           resolv.conf(5). Domain name routing has no equivalent in the
654           traditional glibc API, which has no concept of domain name servers
655           limited to a specific link.
656
657       DNSDefaultRoute=
658           Takes a boolean argument. If true, this link's configured DNS
659           servers are used for resolving domain names that do not match any
660           link's configured Domains= setting. If false, this link's
661           configured DNS servers are never used for such domains, and are
662           exclusively used for resolving names that match at least one of the
663           domains configured on this link. If not specified defaults to an
664           automatic mode: queries not matching any link's configured domains
665           will be routed to this link if it has no routing-only domains
666           configured.
667
668       NTP=
669           An NTP server address (either an IP address, or a hostname). This
670           option may be specified more than once. This setting is read by
671           systemd-timesyncd.service(8).
672
673       IPForward=
674           Configures IP packet forwarding for the system. If enabled,
675           incoming packets on any network interface will be forwarded to any
676           other interfaces according to the routing table. Takes a boolean,
677           or the values "ipv4" or "ipv6", which only enable IP packet
678           forwarding for the specified address family. This controls the
679           net.ipv4.ip_forward and net.ipv6.conf.all.forwarding sysctl options
680           of the network interface (see ip-sysctl.txt[7] for details about
681           sysctl options). Defaults to "no".
682
683           Note: this setting controls a global kernel option, and does so one
684           way only: if a network that has this setting enabled is set up the
685           global setting is turned on. However, it is never turned off again,
686           even after all networks with this setting enabled are shut down
687           again.
688
689           To allow IP packet forwarding only between specific network
690           interfaces use a firewall.
691
692       IPMasquerade=
693           Configures IP masquerading for the network interface. If enabled,
694           packets forwarded from the network interface will be appear as
695           coming from the local host. Takes one of "ipv4", "ipv6", "both", or
696           "no". Defaults to "no". If enabled, this automatically sets
697           IPForward= to one of "ipv4", "ipv6" or "yes".
698
699           Note. Any positive boolean values such as "yes" or "true" are now
700           deprecated. Please use one of the values in the above.
701
702       IPv6PrivacyExtensions=
703           Configures use of stateless temporary addresses that change over
704           time (see RFC 4941[8], Privacy Extensions for Stateless Address
705           Autoconfiguration in IPv6). Takes a boolean or the special values
706           "prefer-public" and "kernel". When true, enables the privacy
707           extensions and prefers temporary addresses over public addresses.
708           When "prefer-public", enables the privacy extensions, but prefers
709           public addresses over temporary addresses. When false, the privacy
710           extensions remain disabled. When "kernel", the kernel's default
711           setting will be left in place. Defaults to "no".
712
713       IPv6AcceptRA=
714           Takes a boolean. Controls IPv6 Router Advertisement (RA) reception
715           support for the interface. If true, RAs are accepted; if false, RAs
716           are ignored. When RAs are accepted, they may trigger the start of
717           the DHCPv6 client if the relevant flags are set in the RA data, or
718           if no routers are found on the link. The default is to disable RA
719           reception for bridge devices or when IP forwarding is enabled, and
720           to enable it otherwise. Cannot be enabled on bond devices and when
721           link local addressing is disabled.
722
723           Further settings for the IPv6 RA support may be configured in the
724           [IPv6AcceptRA] section, see below.
725
726           Also see ip-sysctl.txt[7] in the kernel documentation regarding
727           "accept_ra", but note that systemd's setting of 1 (i.e. true)
728           corresponds to kernel's setting of 2.
729
730           Note that kernel's implementation of the IPv6 RA protocol is always
731           disabled, regardless of this setting. If this option is enabled, a
732           userspace implementation of the IPv6 RA protocol is used, and the
733           kernel's own implementation remains disabled, since
734           systemd-networkd needs to know all details supplied in the
735           advertisements, and these are not available from the kernel if the
736           kernel's own implementation is used.
737
738       IPv6DuplicateAddressDetection=
739           Configures the amount of IPv6 Duplicate Address Detection (DAD)
740           probes to send. When unset, the kernel's default will be used.
741
742       IPv6HopLimit=
743           Configures IPv6 Hop Limit. For each router that forwards the
744           packet, the hop limit is decremented by 1. When the hop limit field
745           reaches zero, the packet is discarded. When unset, the kernel's
746           default will be used.
747
748       IPv4AcceptLocal=
749           Takes a boolean. Accept packets with local source addresses. In
750           combination with suitable routing, this can be used to direct
751           packets between two local interfaces over the wire and have them
752           accepted properly. When unset, the kernel's default will be used.
753
754       IPv4RouteLocalnet=
755           Takes a boolean. When true, the kernel does not consider loopback
756           addresses as martian source or destination while routing. This
757           enables the use of 127.0.0.0/8 for local routing purposes. When
758           unset, the kernel's default will be used.
759
760       IPv4ProxyARP=
761           Takes a boolean. Configures proxy ARP for IPv4. Proxy ARP is the
762           technique in which one host, usually a router, answers ARP requests
763           intended for another machine. By "faking" its identity, the router
764           accepts responsibility for routing packets to the "real"
765           destination. See RFC 1027[9]. When unset, the kernel's default will
766           be used.
767
768       IPv6ProxyNDP=
769           Takes a boolean. Configures proxy NDP for IPv6. Proxy NDP (Neighbor
770           Discovery Protocol) is a technique for IPv6 to allow routing of
771           addresses to a different destination when peers expect them to be
772           present on a certain physical link. In this case a router answers
773           Neighbour Advertisement messages intended for another machine by
774           offering its own MAC address as destination. Unlike proxy ARP for
775           IPv4, it is not enabled globally, but will only send Neighbour
776           Advertisement messages for addresses in the IPv6 neighbor proxy
777           table, which can also be shown by ip -6 neighbour show proxy.
778           systemd-networkd will control the per-interface `proxy_ndp` switch
779           for each configured interface depending on this option. When unset,
780           the kernel's default will be used.
781
782       IPv6ProxyNDPAddress=
783           An IPv6 address, for which Neighbour Advertisement messages will be
784           proxied. This option may be specified more than once.
785           systemd-networkd will add the IPv6ProxyNDPAddress= entries to the
786           kernel's IPv6 neighbor proxy table. This option implies
787           IPv6ProxyNDP=yes but has no effect if IPv6ProxyNDP has been set to
788           false. When unset, the kernel's default will be used.
789
790       IPv6SendRA=
791           Whether to enable or disable Router Advertisement sending on a
792           link. Takes a boolean value. When enabled, prefixes configured in
793           [IPv6Prefix] sections and routes configured in [IPv6RoutePrefix]
794           sections are distributed as defined in the [IPv6SendRA] section. If
795           DHCPv6PrefixDelegation= is enabled, then the delegated prefixes are
796           also distributed. See DHCPv6PrefixDelegation= setting and the
797           [IPv6SendRA], [IPv6Prefix], [IPv6RoutePrefix], and
798           [DHCPv6PrefixDelegation] sections for more configuration options.
799
800       DHCPv6PrefixDelegation=
801           Takes a boolean value. When enabled, requests prefixes using a
802           DHCPv6 client configured on another link. By default, an address
803           within each delegated prefix will be assigned, and the prefixes
804           will be announced through IPv6 Router Advertisement when
805           IPv6SendRA= is enabled. Such default settings can be configured in
806           [DHCPv6PrefixDelegation] section. Defaults to disabled.
807
808       IPv6MTUBytes=
809           Configures IPv6 maximum transmission unit (MTU). An integer greater
810           than or equal to 1280 bytes. When unset, the kernel's default will
811           be used.
812
813       BatmanAdvanced=, Bond=, Bridge=, VRF=
814           The name of the B.A.T.M.A.N. Advanced, bond, bridge, or VRF
815           interface to add the link to. See systemd.netdev(5).
816
817       IPVLAN=, IPVTAP=, L2TP=, MACsec=, MACVLAN=, MACVTAP=, Tunnel=, VLAN=,
818       VXLAN=, Xfrm=
819           The name of an IPVLAN, IPVTAP, L2TP, MACsec, MACVLAN, MACVTAP,
820           tunnel, VLAN, VXLAN, or Xfrm to be created on the link. See
821           systemd.netdev(5). This option may be specified more than once.
822
823       ActiveSlave=
824           Takes a boolean. Specifies the new active slave. The "ActiveSlave="
825           option is only valid for following modes: "active-backup",
826           "balance-alb" and "balance-tlb". Defaults to false.
827
828       PrimarySlave=
829           Takes a boolean. Specifies which slave is the primary device. The
830           specified device will always be the active slave while it is
831           available. Only when the primary is off-line will alternate devices
832           be used. This is useful when one slave is preferred over another,
833           e.g. when one slave has higher throughput than another. The
834           "PrimarySlave=" option is only valid for following modes:
835           "active-backup", "balance-alb" and "balance-tlb". Defaults to
836           false.
837
838       ConfigureWithoutCarrier=
839           Takes a boolean. Allows networkd to configure a specific link even
840           if it has no carrier. Defaults to false. If IgnoreCarrierLoss= is
841           not explicitly set, it will default to this value.
842
843       IgnoreCarrierLoss=
844           Takes a boolean. Allows networkd to retain both the static and
845           dynamic configuration of the interface even if its carrier is lost.
846           When unset, the value specified with ConfigureWithoutCarrier= is
847           used.
848
849           When ActivationPolicy= is set to "always-up", this is forced to
850           "true".
851
852       KeepConfiguration=
853           Takes a boolean or one of "static", "dhcp-on-stop", "dhcp". When
854           "static", systemd-networkd will not drop static addresses and
855           routes on starting up process. When set to "dhcp-on-stop",
856           systemd-networkd will not drop addresses and routes on stopping the
857           daemon. When "dhcp", the addresses and routes provided by a DHCP
858           server will never be dropped even if the DHCP lease expires. This
859           is contrary to the DHCP specification, but may be the best choice
860           if, e.g., the root filesystem relies on this connection. The
861           setting "dhcp" implies "dhcp-on-stop", and "yes" implies "dhcp" and
862           "static". Defaults to "no".
863

[ADDRESS] SECTION OPTIONS

865       An [Address] section accepts the following keys. Specify several
866       [Address] sections to configure several addresses.
867
868       Address=
869           As in the [Network] section. This key is mandatory. Each [Address]
870           section can contain one Address= setting.
871
872       Peer=
873           The peer address in a point-to-point connection. Accepts the same
874           format as the Address= key.
875
876       Broadcast=
877           Takes an IPv4 address or boolean value. The address must be in the
878           format described in inet_pton(3). If set to true, then the IPv4
879           broadcast address will be derived from the Address= setting. If set
880           to false, then the broadcast address will not be set. Defaults to
881           true, except for wireguard interfaces, where it default to false.
882
883       Label=
884           An address label.
885
886       PreferredLifetime=
887           Allows the default "preferred lifetime" of the address to be
888           overridden. Only three settings are accepted: "forever",
889           "infinity", which is the default and means that the address never
890           expires, and "0", which means that the address is considered
891           immediately "expired" and will not be used, unless explicitly
892           requested. A setting of PreferredLifetime=0 is useful for addresses
893           which are added to be used only by a specific application, which is
894           then configured to use them explicitly.
895
896       Scope=
897           The scope of the address, which can be "global" (valid everywhere
898           on the network, even through a gateway), "link" (only valid on this
899           device, will not traverse a gateway) or "host" (only valid within
900           the device itself, e.g. 127.0.0.1) or an unsigned integer in the
901           range 0...255. Defaults to "global".
902
903       RouteMetric=
904           The metric of the prefix route, which is pointing to the subnet of
905           the configured IP address, taking the configured prefix length into
906           account. Takes an unsigned integer in the range 0...4294967295.
907           When unset or set to 0, the kernel's default value is used. This
908           setting will be ignored when AddPrefixRoute= is false.
909
910       HomeAddress=
911           Takes a boolean. Designates this address the "home address" as
912           defined in RFC 6275[10]. Supported only on IPv6. Defaults to false.
913
914       DuplicateAddressDetection=
915           Takes one of "ipv4", "ipv6", "both", "none". When "ipv4", performs
916           IPv4 Address Conflict Detection. See RFC 5227[11]. When "ipv6",
917           performs IPv6 Duplicate Address Detection. See RFC 4862[12].
918           Defaults to "ipv6".
919
920       ManageTemporaryAddress=
921           Takes a boolean. If true the kernel manage temporary addresses
922           created from this one as template on behalf of Privacy Extensions
923           RFC 3041[13]. For this to become active, the use_tempaddr sysctl
924           setting has to be set to a value greater than zero. The given
925           address needs to have a prefix length of 64. This flag allows using
926           privacy extensions in a manually configured network, just like if
927           stateless auto-configuration was active. Defaults to false.
928
929       AddPrefixRoute=
930           Takes a boolean. When true, the prefix route for the address is
931           automatically added. Defaults to true.
932
933       AutoJoin=
934           Takes a boolean. Joining multicast group on ethernet level via ip
935           maddr command would not work if we have an Ethernet switch that
936           does IGMP snooping since the switch would not replicate multicast
937           packets on ports that did not have IGMP reports for the multicast
938           addresses. Linux vxlan interfaces created via ip link add vxlan or
939           networkd's netdev kind vxlan have the group option that enables
940           then to do the required join. By extending ip address command with
941           option "autojoin" we can get similar functionality for openvswitch
942           (OVS) vxlan interfaces as well as other tunneling mechanisms that
943           need to receive multicast traffic. Defaults to "no".
944

[NEIGHBOR] SECTION OPTIONS

946       A [Neighbor] section accepts the following keys. The neighbor section
947       adds a permanent, static entry to the neighbor table (IPv6) or ARP
948       table (IPv4) for the given hardware address on the links matched for
949       the network. Specify several [Neighbor] sections to configure several
950       static neighbors.
951
952       Address=
953           The IP address of the neighbor.
954
955       LinkLayerAddress=
956           The link layer address (MAC address or IP address) of the neighbor.
957

[IPV6ADDRESSLABEL] SECTION OPTIONS

959       An [IPv6AddressLabel] section accepts the following keys. Specify
960       several [IPv6AddressLabel] sections to configure several address
961       labels. IPv6 address labels are used for address selection. See RFC
962       3484[14]. Precedence is managed by userspace, and only the label itself
963       is stored in the kernel.
964
965       Label=
966           The label for the prefix, an unsigned integer in the range
967           0–4294967294. 0xffffffff is reserved. This setting is mandatory.
968
969       Prefix=
970           IPv6 prefix is an address with a prefix length, separated by a
971           slash "/" character. This key is mandatory.
972

[ROUTINGPOLICYRULE] SECTION OPTIONS

974       An [RoutingPolicyRule] section accepts the following keys. Specify
975       several [RoutingPolicyRule] sections to configure several rules.
976
977       TypeOfService=
978           Takes a number between 0 and 255 that specifies the type of service
979           to match.
980
981       From=
982           Specifies the source address prefix to match. Possibly followed by
983           a slash and the prefix length.
984
985       To=
986           Specifies the destination address prefix to match. Possibly
987           followed by a slash and the prefix length.
988
989       FirewallMark=
990           Specifies the iptables firewall mark value to match (a number
991           between 1 and 4294967295). Optionally, the firewall mask (also a
992           number between 1 and 4294967295) can be suffixed with a slash
993           ("/"), e.g., "7/255".
994
995       Table=
996           Specifies the routing table identifier to lookup if the rule
997           selector matches. Takes one of predefined names "default", "main",
998           and "local", and names defined in RouteTable= in networkd.conf(5),
999           or a number between 1 and 4294967295. Defaults to "main".
1000
1001       Priority=
1002           Specifies the priority of this rule.  Priority= is an unsigned
1003           integer in the range 0...4294967295. Higher number means lower
1004           priority, and rules get processed in order of increasing number.
1005           Defaults to unset, and the kernel will pick a value dynamically.
1006
1007       IncomingInterface=
1008           Specifies incoming device to match. If the interface is loopback,
1009           the rule only matches packets originating from this host.
1010
1011       OutgoingInterface=
1012           Specifies the outgoing device to match. The outgoing interface is
1013           only available for packets originating from local sockets that are
1014           bound to a device.
1015
1016       SourcePort=
1017           Specifies the source IP port or IP port range match in forwarding
1018           information base (FIB) rules. A port range is specified by the
1019           lower and upper port separated by a dash. Defaults to unset.
1020
1021       DestinationPort=
1022           Specifies the destination IP port or IP port range match in
1023           forwarding information base (FIB) rules. A port range is specified
1024           by the lower and upper port separated by a dash. Defaults to unset.
1025
1026       IPProtocol=
1027           Specifies the IP protocol to match in forwarding information base
1028           (FIB) rules. Takes IP protocol name such as "tcp", "udp" or "sctp",
1029           or IP protocol number such as "6" for "tcp" or "17" for "udp".
1030           Defaults to unset.
1031
1032       InvertRule=
1033           A boolean. Specifies whether the rule is to be inverted. Defaults
1034           to false.
1035
1036       Family=
1037           Takes a special value "ipv4", "ipv6", or "both". By default, the
1038           address family is determined by the address specified in To= or
1039           From=. If neither To= nor From= are specified, then defaults to
1040           "ipv4".
1041
1042       User=
1043           Takes a username, a user ID, or a range of user IDs separated by a
1044           dash. Defaults to unset.
1045
1046       SuppressPrefixLength=
1047           Takes a number N in the range 0...128 and rejects routing decisions
1048           that have a prefix length of N or less. Defaults to unset.
1049
1050       Type=
1051           Specifies Routing Policy Database (RPDB) rule type. Takes one of
1052           "blackhole", "unreachable" or "prohibit".
1053

[NEXTHOP] SECTION OPTIONS

1055       The [NextHop] section is used to manipulate entries in the kernel's
1056       "nexthop" tables. The [NextHop] section accepts the following keys.
1057       Specify several [NextHop] sections to configure several hops.
1058
1059       Id=
1060           The id of the next hop. Takes an unsigned integer in the range
1061           1...4294967295. If left unspecified, then automatically chosen by
1062           kernel.
1063
1064       Gateway=
1065           As in the [Network] section.
1066
1067       Family=
1068           Takes one of the special values "ipv4" or "ipv6". By default, the
1069           family is determined by the address specified in Gateway=. If
1070           Gateway= is not specified, then defaults to "ipv4".
1071
1072       OnLink=
1073           Takes a boolean. If set to true, the kernel does not have to check
1074           if the gateway is reachable directly by the current machine (i.e.,
1075           attached to the local network), so that we can insert the nexthop
1076           in the kernel table without it being complained about. Defaults to
1077           "no".
1078
1079       Blackhole=
1080           Takes a boolean. If enabled, packets to the corresponding routes
1081           are discarded silently, and Gateway= cannot be specified. Defaults
1082           to "no".
1083
1084       Group=
1085           Takes a whitespace separated list of nexthop IDs. Each ID must be
1086           in the range 1...4294967295. Optionally, each nexthop ID can take a
1087           weight after a colon ("id[:weight]"). The weight must be in the
1088           range 1...255. If the weight is not specified, then it is assumed
1089           that the weight is 1. This setting cannot be specified with
1090           Gateway=, Family=, Blackhole=. This setting can be specified
1091           multiple times. If an empty string is assigned, then the all
1092           previous assignments are cleared. Defaults to unset.
1093

[ROUTE] SECTION OPTIONS

1095       The [Route] section accepts the following keys. Specify several [Route]
1096       sections to configure several routes.
1097
1098       Gateway=
1099           Takes the gateway address or the special values "_dhcp4" and
1100           "_ipv6ra". If "_dhcp4" or "_ipv6ra" is set, then the gateway
1101           address provided by DHCPv4 or IPv6 RA is used.
1102
1103       GatewayOnLink=
1104           Takes a boolean. If set to true, the kernel does not have to check
1105           if the gateway is reachable directly by the current machine (i.e.,
1106           attached to the local network), so that we can insert the route in
1107           the kernel table without it being complained about. Defaults to
1108           "no".
1109
1110       Destination=
1111           The destination prefix of the route. Possibly followed by a slash
1112           and the prefix length. If omitted, a full-length host route is
1113           assumed.
1114
1115       Source=
1116           The source prefix of the route. Possibly followed by a slash and
1117           the prefix length. If omitted, a full-length host route is assumed.
1118
1119       Metric=
1120           The metric of the route. Takes an unsigned integer in the range
1121           0...4294967295. Defaults to unset, and the kernel's default will be
1122           used.
1123
1124       IPv6Preference=
1125           Specifies the route preference as defined in RFC 4191[15] for
1126           Router Discovery messages. Which can be one of "low" the route has
1127           a lowest priority, "medium" the route has a default priority or
1128           "high" the route has a highest priority.
1129
1130       Scope=
1131           The scope of the IPv4 route, which can be "global", "site", "link",
1132           "host", or "nowhere":
1133
1134           •   "global" means the route can reach hosts more than one hop
1135               away.
1136
1137           •   "site" means an interior route in the local autonomous system.
1138
1139           •   "link" means the route can only reach hosts on the local
1140               network (one hop away).
1141
1142           •   "host" means the route will not leave the local machine (used
1143               for internal addresses like 127.0.0.1).
1144
1145           •   "nowhere" means the destination doesn't exist.
1146
1147           For IPv4 route, defaults to "host" if Type= is "local" or "nat",
1148           and "link" if Type= is "broadcast", "multicast", or "anycast". In
1149           other cases, defaults to "global". The value is not used for IPv6.
1150
1151       PreferredSource=
1152           The preferred source address of the route. The address must be in
1153           the format described in inet_pton(3).
1154
1155       Table=
1156           The table identifier for the route. Takes one of predefined names
1157           "default", "main", and "local", and names defined in RouteTable= in
1158           networkd.conf(5), or a number between 1 and 4294967295. The table
1159           can be retrieved using ip route show table num. If unset and Type=
1160           is "local", "broadcast", "anycast", or "nat", then "local" is used.
1161           In other cases, defaults to "main".
1162
1163       Protocol=
1164           The protocol identifier for the route. Takes a number between 0 and
1165           255 or the special values "kernel", "boot", "static", "ra" and
1166           "dhcp". Defaults to "static".
1167
1168       Type=
1169           Specifies the type for the route. Takes one of "unicast", "local",
1170           "broadcast", "anycast", "multicast", "blackhole", "unreachable",
1171           "prohibit", "throw", "nat", and "xresolve". If "unicast", a regular
1172           route is defined, i.e. a route indicating the path to take to a
1173           destination network address. If "blackhole", packets to the defined
1174           route are discarded silently. If "unreachable", packets to the
1175           defined route are discarded and the ICMP message "Host Unreachable"
1176           is generated. If "prohibit", packets to the defined route are
1177           discarded and the ICMP message "Communication Administratively
1178           Prohibited" is generated. If "throw", route lookup in the current
1179           routing table will fail and the route selection process will return
1180           to Routing Policy Database (RPDB). Defaults to "unicast".
1181
1182       InitialCongestionWindow=
1183           The TCP initial congestion window is used during the start of a TCP
1184           connection. During the start of a TCP session, when a client
1185           requests a resource, the server's initial congestion window
1186           determines how many packets will be sent during the initial burst
1187           of data without waiting for acknowledgement. Takes a number between
1188           1 and 1023. Note that 100 is considered an extremely large value
1189           for this option. When unset, the kernel's default (typically 10)
1190           will be used.
1191
1192       InitialAdvertisedReceiveWindow=
1193           The TCP initial advertised receive window is the amount of receive
1194           data (in bytes) that can initially be buffered at one time on a
1195           connection. The sending host can send only that amount of data
1196           before waiting for an acknowledgment and window update from the
1197           receiving host. Takes a number between 1 and 1023. Note that 100 is
1198           considered an extremely large value for this option. When unset,
1199           the kernel's default will be used.
1200
1201       QuickAck=
1202           Takes a boolean. When true enables TCP quick ack mode for the
1203           route. When unset, the kernel's default will be used.
1204
1205       FastOpenNoCookie=
1206           Takes a boolean. When true enables TCP fastopen without a cookie on
1207           a per-route basis. When unset, the kernel's default will be used.
1208
1209       TTLPropagate=
1210           Takes a boolean. When true enables TTL propagation at Label
1211           Switched Path (LSP) egress. When unset, the kernel's default will
1212           be used.
1213
1214       MTUBytes=
1215           The maximum transmission unit in bytes to set for the route. The
1216           usual suffixes K, M, G, are supported and are understood to the
1217           base of 1024.
1218
1219           Note that if IPv6 is enabled on the interface, and the MTU is
1220           chosen below 1280 (the minimum MTU for IPv6) it will automatically
1221           be increased to this value.
1222
1223       IPServiceType=
1224           Takes string; "CS6" or "CS4". Used to set IP service type to CS6
1225           (network control) or CS4 (Realtime). Defaults to CS6.
1226
1227       TCPAdvertisedMaximumSegmentSize=
1228           Specifies the Path MSS (in bytes) hints given on TCP layer. The
1229           usual suffixes K, M, G, are supported and are understood to the
1230           base of 1024. An unsigned integer in the range 1–4294967294. When
1231           unset, the kernel's default will be used.
1232
1233       MultiPathRoute=address[@name] [weight]
1234           Configures multipath route. Multipath routing is the technique of
1235           using multiple alternative paths through a network. Takes gateway
1236           address. Optionally, takes a network interface name or index
1237           separated with "@", and a weight in 1..256 for this multipath route
1238           separated with whitespace. This setting can be specified multiple
1239           times. If an empty string is assigned, then the all previous
1240           assignments are cleared.
1241
1242       NextHop=
1243           Specifies the nexthop id. Takes an unsigned integer in the range
1244           1...4294967295. If set, the corresponding [NextHop] section must be
1245           configured. Defaults to unset.
1246

[DHCPV4] SECTION OPTIONS

1248       The [DHCPv4] section configures the DHCPv4 client, if it is enabled
1249       with the DHCP= setting described above:
1250
1251       SendHostname=
1252           When true (the default), the machine's hostname (or the value
1253           specified with Hostname=, described below) will be sent to the DHCP
1254           server. Note that the hostname must consist only of 7-bit ASCII
1255           lower-case characters and no spaces or dots, and be formatted as a
1256           valid DNS domain name. Otherwise, the hostname is not sent even if
1257           this option is true.
1258
1259       Hostname=
1260           Use this value for the hostname which is sent to the DHCP server,
1261           instead of machine's hostname. Note that the specified hostname
1262           must consist only of 7-bit ASCII lower-case characters and no
1263           spaces or dots, and be formatted as a valid DNS domain name.
1264
1265       MUDURL=
1266           When configured, the specified Manufacturer Usage Description (MUD)
1267           URL will be sent to the DHCPv4 server. Takes a URL of length up to
1268           255 characters. A superficial verification that the string is a
1269           valid URL will be performed. DHCPv4 clients are intended to have at
1270           most one MUD URL associated with them. See RFC 8520[16].
1271
1272           MUD is an embedded software standard defined by the IETF that
1273           allows IoT device makers to advertise device specifications,
1274           including the intended communication patterns for their device when
1275           it connects to the network. The network can then use this to author
1276           a context-specific access policy, so the device functions only
1277           within those parameters.
1278
1279       ClientIdentifier=
1280           The DHCPv4 client identifier to use. Takes one of mac, duid or
1281           duid-only. If set to mac, the MAC address of the link is used. If
1282           set to duid, an RFC4361-compliant Client ID, which is the
1283           combination of IAID and DUID (see below), is used. If set to
1284           duid-only, only DUID is used, this may not be RFC compliant, but
1285           some setups may require to use this. Defaults to duid.
1286
1287       VendorClassIdentifier=
1288           The vendor class identifier used to identify vendor type and
1289           configuration.
1290
1291       UserClass=
1292           A DHCPv4 client can use UserClass option to identify the type or
1293           category of user or applications it represents. The information
1294           contained in this option is a string that represents the user class
1295           of which the client is a member. Each class sets an identifying
1296           string of information to be used by the DHCP service to classify
1297           clients. Takes a whitespace-separated list of strings.
1298
1299       DUIDType=
1300           Override the global DUIDType= setting for this network. See
1301           networkd.conf(5) for a description of possible values.
1302
1303       DUIDRawData=
1304           Override the global DUIDRawData= setting for this network. See
1305           networkd.conf(5) for a description of possible values.
1306
1307       IAID=
1308           The DHCP Identity Association Identifier (IAID) for the interface,
1309           a 32-bit unsigned integer.
1310
1311       Anonymize=
1312           Takes a boolean. When true, the options sent to the DHCP server
1313           will follow the RFC 7844[17] (Anonymity Profiles for DHCP Clients)
1314           to minimize disclosure of identifying information. Defaults to
1315           false.
1316
1317           This option should only be set to true when MACAddressPolicy= is
1318           set to random (see systemd.link(5)).
1319
1320           When true, SendHostname=, ClientIdentifier=,
1321           VendorClassIdentifier=, UserClass=, RequestOptions=, SendOption=,
1322           SendVendorOption=, and MUDURL= are ignored.
1323
1324           With this option enabled DHCP requests will mimic those generated
1325           by Microsoft Windows, in order to reduce the ability to fingerprint
1326           and recognize installations. This means DHCP request sizes will
1327           grow and lease data will be more comprehensive than normally,
1328           though most of the requested data is not actually used.
1329
1330       RequestOptions=
1331           Sets request options to be sent to the server in the DHCPv4 request
1332           options list. A whitespace-separated list of integers in the range
1333           1...254. Defaults to unset.
1334
1335       SendOption=
1336           Send an arbitrary raw option in the DHCPv4 request. Takes a DHCP
1337           option number, data type and data separated with a colon
1338           ("option:type:value"). The option number must be an integer in the
1339           range 1...254. The type takes one of "uint8", "uint16", "uint32",
1340           "ipv4address", or "string". Special characters in the data string
1341           may be escaped using C-style escapes[18]. This setting can be
1342           specified multiple times. If an empty string is specified, then all
1343           options specified earlier are cleared. Defaults to unset.
1344
1345       SendVendorOption=
1346           Send an arbitrary vendor option in the DHCPv4 request. Takes a DHCP
1347           option number, data type and data separated with a colon
1348           ("option:type:value"). The option number must be an integer in the
1349           range 1...254. The type takes one of "uint8", "uint16", "uint32",
1350           "ipv4address", or "string". Special characters in the data string
1351           may be escaped using C-style escapes[18]. This setting can be
1352           specified multiple times. If an empty string is specified, then all
1353           options specified earlier are cleared. Defaults to unset.
1354
1355       UseDNS=
1356           When true (the default), the DNS servers received from the DHCP
1357           server will be used.
1358
1359           This corresponds to the nameserver option in resolv.conf(5).
1360
1361       RoutesToDNS=
1362           When true, the routes to the DNS servers received from the DHCP
1363           server will be configured. When UseDNS= is disabled, this setting
1364           is ignored. Defaults to true.
1365
1366       UseNTP=
1367           When true (the default), the NTP servers received from the DHCP
1368           server will be used by systemd-timesyncd.service.
1369
1370       RoutesToNTP=
1371           When true, the routes to the NTP servers received from the DHCP
1372           server will be configured. When UseNTP= is disabled, this setting
1373           is ignored. Defaults to true.
1374
1375       UseSIP=
1376           When true (the default), the SIP servers received from the DHCP
1377           server will be collected and made available to client programs.
1378
1379       UseMTU=
1380           When true, the interface maximum transmission unit from the DHCP
1381           server will be used on the current link. If MTUBytes= is set, then
1382           this setting is ignored. Defaults to false.
1383
1384       UseHostname=
1385           When true (the default), the hostname received from the DHCP server
1386           will be set as the transient hostname of the system.
1387
1388       UseDomains=
1389           Takes a boolean, or the special value route. When true, the domain
1390           name received from the DHCP server will be used as DNS search
1391           domain over this link, similar to the effect of the Domains=
1392           setting. If set to route, the domain name received from the DHCP
1393           server will be used for routing DNS queries only, but not for
1394           searching, similar to the effect of the Domains= setting when the
1395           argument is prefixed with "~". Defaults to false.
1396
1397           It is recommended to enable this option only on trusted networks,
1398           as setting this affects resolution of all hostnames, in particular
1399           of single-label names. It is generally safer to use the supplied
1400           domain only as routing domain, rather than as search domain, in
1401           order to not have it affect local resolution of single-label names.
1402
1403           When set to true, this setting corresponds to the domain option in
1404           resolv.conf(5).
1405
1406       UseRoutes=
1407           When true (the default), the static routes will be requested from
1408           the DHCP server and added to the routing table with a metric of
1409           1024, and a scope of global, link or host, depending on the route's
1410           destination and gateway. If the destination is on the local host,
1411           e.g., 127.x.x.x, or the same as the link's own address, the scope
1412           will be set to host. Otherwise if the gateway is null (a direct
1413           route), a link scope will be used. For anything else, scope
1414           defaults to global.
1415
1416       RouteMetric=
1417           Set the routing metric for routes specified by the DHCP server.
1418           Takes an unsigned integer in the range 0...4294967295. Defaults to
1419           1024.
1420
1421       RouteTable=num
1422           The table identifier for DHCP routes (a number between 1 and
1423           4294967295, or 0 to unset). The table can be retrieved using ip
1424           route show table num.
1425
1426           When used in combination with VRF=, the VRF's routing table is used
1427           when this parameter is not specified.
1428
1429       RouteMTUBytes=
1430           Specifies the MTU for the DHCP routes. Please see the [Route]
1431           section for further details.
1432
1433       UseGateway=
1434           When true, the gateway will be requested from the DHCP server and
1435           added to the routing table with a metric of 1024, and a scope of
1436           link. When unset, the value specified with UseRoutes= is used.
1437
1438       UseTimezone=
1439           When true, the timezone received from the DHCP server will be set
1440           as timezone of the local system. Defaults to false.
1441
1442       FallbackLeaseLifetimeSec=
1443           Allows to set DHCPv4 lease lifetime when DHCPv4 server does not
1444           send the lease lifetime. Takes one of "forever" or "infinity". The
1445           latter means that the address never expires. Defaults to unset.
1446
1447       RequestBroadcast=
1448           Request the server to use broadcast messages before the IP address
1449           has been configured. This is necessary for devices that cannot
1450           receive RAW packets, or that cannot receive packets at all before
1451           an IP address has been configured. On the other hand, this must not
1452           be enabled on networks where broadcasts are filtered out.
1453
1454       MaxAttempts=
1455           Specifies how many times the DHCPv4 client configuration should be
1456           attempted. Takes a number or "infinity". Defaults to "infinity".
1457           Note that the time between retries is increased exponentially, up
1458           to approximately one per minute, so the network will not be
1459           overloaded even if this number is high. The default is suitable in
1460           most circumstances.
1461
1462       ListenPort=
1463           Set the port from which the DHCP client packets originate.
1464
1465       DenyList=
1466           A whitespace-separated list of IPv4 addresses. DHCP offers from
1467           servers in the list are rejected. Note that if AllowList= is
1468           configured then DenyList= is ignored.
1469
1470       AllowList=
1471           A whitespace-separated list of IPv4 addresses. DHCP offers from
1472           servers in the list are accepted.
1473
1474       SendRelease=
1475           When true, the DHCPv4 client sends a DHCP release packet when it
1476           stops. Defaults to true.
1477
1478       SendDecline=
1479           A boolean. When "true", the DHCPv4 client receives the IP address
1480           from the DHCP server. After a new IP is received, the DHCPv4 client
1481           performs IPv4 Duplicate Address Detection. If duplicate use is
1482           detected, the DHCPv4 client rejects the IP by sending a DHCPDECLINE
1483           packet and tries to obtain an IP address again. See RFC 5224[11].
1484           Defaults to "unset".
1485

[DHCPV6] SECTION OPTIONS

1487       The [DHCPv6] section configures the DHCPv6 client, if it is enabled
1488       with the DHCP= setting described above, or invoked by the IPv6 Router
1489       Advertisement:
1490
1491       MUDURL=, IAID=, DUIDType=, DUIDRawData=, RequestOptions=
1492           As in the [DHCPv4] section.
1493
1494       SendOption=
1495           As in the [DHCPv4] section, however because DHCPv6 uses 16-bit
1496           fields to store option numbers, the option number is an integer in
1497           the range 1...65536.
1498
1499       SendVendorOption=
1500           Send an arbitrary vendor option in the DHCPv6 request. Takes an
1501           enterprise identifier, DHCP option number, data type, and data
1502           separated with a colon ("enterprise identifier:option:type:value").
1503           Enterprise identifier is an unsigned integer in the range
1504           1...4294967294. The option number must be an integer in the range
1505           1...254. Data type takes one of "uint8", "uint16", "uint32",
1506           "ipv4address", "ipv6address", or "string". Special characters in
1507           the data string may be escaped using C-style escapes[18]. This
1508           setting can be specified multiple times. If an empty string is
1509           specified, then all options specified earlier are cleared. Defaults
1510           to unset.
1511
1512       UserClass=
1513           A DHCPv6 client can use User Class option to identify the type or
1514           category of user or applications it represents. The information
1515           contained in this option is a string that represents the user class
1516           of which the client is a member. Each class sets an identifying
1517           string of information to be used by the DHCP service to classify
1518           clients. Special characters in the data string may be escaped using
1519           C-style escapes[18]. This setting can be specified multiple times.
1520           If an empty string is specified, then all options specified earlier
1521           are cleared. Takes a whitespace-separated list of strings. Note
1522           that currently NUL bytes are not allowed.
1523
1524       VendorClass=
1525           A DHCPv6 client can use VendorClass option to identify the vendor
1526           that manufactured the hardware on which the client is running. The
1527           information contained in the data area of this option is contained
1528           in one or more opaque fields that identify details of the hardware
1529           configuration. Takes a whitespace-separated list of strings.
1530
1531       PrefixDelegationHint=
1532           Takes an IPv6 address with prefix length in the same format as the
1533           Address= in the [Network] section. The DHCPv6 client will include a
1534           prefix hint in the DHCPv6 solicitation sent to the server. The
1535           prefix length must be in the range 1–128. Defaults to unset.
1536
1537       UseAddress=
1538           When true (the default), the IP addresses provided by the DHCPv6
1539           server will be assigned.
1540
1541       UseDNS=, UseNTP=, UseHostname=, UseDomains=
1542           As in the [DHCPv4] section.
1543
1544       ForceDHCPv6PDOtherInformation=
1545           Takes a boolean that enforces DHCPv6 stateful mode when the 'Other
1546           information' bit is set in Router Advertisement messages. By
1547           default setting only the 'O' bit in Router Advertisements makes
1548           DHCPv6 request network information in a stateless manner using a
1549           two-message Information Request and Information Reply message
1550           exchange.  RFC 7084[19], requirement WPD-4, updates this behavior
1551           for a Customer Edge router so that stateful DHCPv6 Prefix
1552           Delegation is also requested when only the 'O' bit is set in Router
1553           Advertisements. This option enables such a CE behavior as it is
1554           impossible to automatically distinguish the intention of the 'O'
1555           bit otherwise. By default this option is set to false, enable it if
1556           no prefixes are delegated when the device should be acting as a CE
1557           router.
1558
1559       WithoutRA=
1560           Allows DHCPv6 client to start without router advertisements's
1561           managed or other address configuration flag. Takes one of "solicit"
1562           or "information-request". Defaults to unset.
1563
1564       RapidCommit=
1565           Takes a boolean. The DHCPv6 client can obtain configuration
1566           parameters from a DHCPv6 server through a rapid two-message
1567           exchange (solicit and reply). When the rapid commit option is
1568           enabled by both the DHCPv6 client and the DHCPv6 server, the
1569           two-message exchange is used, rather than the default four-message
1570           exchange (solicit, advertise, request, and reply). The two-message
1571           exchange provides faster client configuration and is beneficial in
1572           environments in which networks are under a heavy load. See RFC
1573           3315[20] for details. Defaults to true.
1574

[DHCPV6PREFIXDELEGATION] SECTION OPTIONS

1576       The [DHCPv6PrefixDelegation] section configures delegated prefixes
1577       assigned by DHCPv6 server. The settings in this section are used only
1578       when DHCPv6PrefixDelegation= setting is enabled.
1579
1580       SubnetId=
1581           Configure a specific subnet ID on the interface from a (previously)
1582           received prefix delegation. You can either set "auto" (the default)
1583           or a specific subnet ID (as defined in RFC 4291[21], section
1584           2.5.4), in which case the allowed value is hexadecimal, from 0 to
1585           0x7fffffffffffffff inclusive.
1586
1587       Announce=
1588           Takes a boolean. When enabled, and IPv6SendRA= in [Network] section
1589           is enabled, the delegated prefixes are distributed through the IPv6
1590           Router Advertisement. Defaults to yes.
1591
1592       Assign=
1593           Takes a boolean. Specifies whether to add an address from the
1594           delegated prefixes which are received from the WAN interface by the
1595           DHCPv6 Prefix Delegation. When true (on LAN interfce), the EUI-64
1596           algorithm will be used by default to form an interface identifier
1597           from the delegated prefixes. See also Token= setting below.
1598           Defaults to yes.
1599
1600       Token=
1601           Specifies an optional address generation mode for assigning an
1602           address in each delegated prefix. Takes an IPv6 address. When set,
1603           the lower bits of the supplied address is combined with the upper
1604           bits of each delegatad prefix received from the WAN interface by
1605           the DHCPv6 Prefix Delegation to form a complete address. When
1606           Assign= is disabled, this setting is ignored. When unset, the
1607           EUI-64 algorithm will be used to form addresses. Defaults to unset.
1608
1609       ManageTemporaryAddress=
1610           As in the [Address] section, but defaults to true.
1611
1612       RouteMetric=
1613           The metric of the route to the delegated prefix subnet. Takes an
1614           unsigned integer in the range 0...4294967295. When unset or set to
1615           0, the kernel's default value is used.
1616

[IPV6ACCEPTRA] SECTION OPTIONS

1618       The [IPv6AcceptRA] section configures the IPv6 Router Advertisement
1619       (RA) client, if it is enabled with the IPv6AcceptRA= setting described
1620       above:
1621
1622       UseDNS=
1623           When true (the default), the DNS servers received in the Router
1624           Advertisement will be used.
1625
1626           This corresponds to the nameserver option in resolv.conf(5).
1627
1628       UseDomains=
1629           Takes a boolean, or the special value "route". When true, the
1630           domain name received via IPv6 Router Advertisement (RA) will be
1631           used as DNS search domain over this link, similar to the effect of
1632           the Domains= setting. If set to "route", the domain name received
1633           via IPv6 RA will be used for routing DNS queries only, but not for
1634           searching, similar to the effect of the Domains= setting when the
1635           argument is prefixed with "~". Defaults to false.
1636
1637           It is recommended to enable this option only on trusted networks,
1638           as setting this affects resolution of all hostnames, in particular
1639           of single-label names. It is generally safer to use the supplied
1640           domain only as routing domain, rather than as search domain, in
1641           order to not have it affect local resolution of single-label names.
1642
1643           When set to true, this setting corresponds to the domain option in
1644           resolv.conf(5).
1645
1646       RouteTable=num
1647           The table identifier for the routes received in the Router
1648           Advertisement (a number between 1 and 4294967295, or 0 to unset).
1649           The table can be retrieved using ip route show table num.
1650
1651       RouteMetric=
1652           Set the routing metric for the routes received in the Router
1653           Advertisement. Takes an unsigned integer in the range
1654           0...4294967295. Defaults to 1024.
1655
1656       UseAutonomousPrefix=
1657           When true (the default), the autonomous prefix received in the
1658           Router Advertisement will be used and take precedence over any
1659           statically configured ones.
1660
1661       UseOnLinkPrefix=
1662           When true (the default), the onlink prefix received in the Router
1663           Advertisement will be used and takes precedence over any statically
1664           configured ones.
1665
1666       RouterDenyList=
1667           A whitespace-separated list of IPv6 router addresses. Any
1668           information advertised by the listed router is ignored.
1669
1670       RouterAllowList=
1671           A whitespace-separated list of IPv6 router addresses. Only
1672           information advertised by the listed router is accepted. Note that
1673           if RouterAllowList= is configured then RouterDenyList= is ignored.
1674
1675       PrefixDenyList=
1676           A whitespace-separated list of IPv6 prefixes. IPv6 prefixes
1677           supplied via router advertisements in the list are ignored.
1678
1679       PrefixAllowList=
1680           A whitespace-separated list of IPv6 prefixes. IPv6 prefixes
1681           supplied via router advertisements in the list are allowed. Note
1682           that if PrefixAllowList= is configured then PrefixDenyList= is
1683           ignored.
1684
1685       RouteDenyList=
1686           A whitespace-separated list of IPv6 route prefixes. IPv6 route
1687           prefixes supplied via router advertisements in the list are
1688           ignored.
1689
1690       RouteAllowList=
1691           A whitespace-separated list of IPv6 route prefixes. IPv6 route
1692           prefixes supplied via router advertisements in the list are
1693           allowed. Note that if RouteAllowList= is configured then
1694           RouteDenyList= is ignored.
1695
1696       DHCPv6Client=
1697           Takes a boolean, or the special value "always". When true or
1698           "always", the DHCPv6 client will be started when the RA has the
1699           managed or other information flag. If set to "always", the DHCPv6
1700           client will also be started in managed mode when neither managed
1701           nor other information flag is set in the RA. Defaults to true.
1702

[DHCPSERVER] SECTION OPTIONS

1704       The [DHCPServer] section contains settings for the DHCP server, if
1705       enabled via the DHCPServer= option described above:
1706
1707       ServerAddress=
1708           Specifies server address for the DHCP server. Takes an IPv4 address
1709           with prefix length, for example "192.168.0.1/24". This setting may
1710           be useful when the link on which the DHCP server is running has
1711           multiple static addresses. When unset, one of static addresses in
1712           the link will be automatically selected. Defaults to unset.
1713
1714       PoolOffset=, PoolSize=
1715           Configures the pool of addresses to hand out. The pool is a
1716           contiguous sequence of IP addresses in the subnet configured for
1717           the server address, which does not include the subnet nor the
1718           broadcast address.  PoolOffset= takes the offset of the pool from
1719           the start of subnet, or zero to use the default value.  PoolSize=
1720           takes the number of IP addresses in the pool or zero to use the
1721           default value. By default, the pool starts at the first address
1722           after the subnet address and takes up the rest of the subnet,
1723           excluding the broadcast address. If the pool includes the server
1724           address (the default), this is reserved and not handed out to
1725           clients.
1726
1727       DefaultLeaseTimeSec=, MaxLeaseTimeSec=
1728           Control the default and maximum DHCP lease time to pass to clients.
1729           These settings take time values in seconds or another common time
1730           unit, depending on the suffix. The default lease time is used for
1731           clients that did not ask for a specific lease time. If a client
1732           asks for a lease time longer than the maximum lease time, it is
1733           automatically shortened to the specified time. The default lease
1734           time defaults to 1h, the maximum lease time to 12h. Shorter lease
1735           times are beneficial if the configuration data in DHCP leases
1736           changes frequently and clients shall learn the new settings with
1737           shorter latencies. Longer lease times reduce the generated DHCP
1738           network traffic.
1739
1740       UplinkInterface=
1741           Specifies name or index of uplink interface, or one of the special
1742           values ":none" and ":auto". When emitting DNS, NTP, or SIP servers
1743           are enabled but no servers are specified, the servers configured in
1744           the uplink interface will be emitted. When ":auto", the link which
1745           has default gateway with higher priority will be automatically
1746           selected. When ":none", no uplink interface will be selected.
1747           Defaults to ":auto".
1748
1749       EmitDNS=, DNS=
1750           EmitDNS= takes a boolean. Configures whether the DHCP leases handed
1751           out to clients shall contain DNS server information. Defaults to
1752           "yes". The DNS servers to pass to clients may be configured with
1753           the DNS= option, which takes a list of IPv4 addresses. If the
1754           EmitDNS= option is enabled but no servers configured, the servers
1755           are automatically propagated from an "uplink" interface that has
1756           appropriate servers set. The "uplink" interface is determined by
1757           the default route of the system with the highest priority. Note
1758           that this information is acquired at the time the lease is handed
1759           out, and does not take uplink interfaces into account that acquire
1760           DNS server information at a later point. If no suitable uplink
1761           interface is found the DNS server data from /etc/resolv.conf is
1762           used. Also, note that the leases are not refreshed if the uplink
1763           network configuration changes. To ensure clients regularly acquire
1764           the most current uplink DNS server information, it is thus
1765           advisable to shorten the DHCP lease time via MaxLeaseTimeSec=
1766           described above.
1767
1768       EmitNTP=, NTP=, EmitSIP=, SIP=, EmitPOP3=, POP3=, EmitSMTP=, SMTP=,
1769       EmitLPR=, LPR=
1770           Similar to the EmitDNS= and DNS= settings described above, these
1771           settings configure whether and what server information for the
1772           indicate protocol shall be emitted as part of the DHCP lease. The
1773           same syntax, propagation semantics and defaults apply as for
1774           EmitDNS= and DNS=.
1775
1776       EmitRouter=
1777           Similar to the EmitDNS= setting described above, this setting
1778           configures whether the DHCP lease should contain the router option.
1779           The same syntax, propagation semantics and defaults apply as for
1780           EmitDNS=.
1781
1782       EmitTimezone=, Timezone=
1783           Takes a boolean. Configures whether the DHCP leases handed out to
1784           clients shall contain timezone information. Defaults to "yes". The
1785           Timezone= setting takes a timezone string (such as "Europe/Berlin"
1786           or "UTC") to pass to clients. If no explicit timezone is set, the
1787           system timezone of the local host is propagated, as determined by
1788           the /etc/localtime symlink.
1789
1790       SendOption=
1791           Send a raw option with value via DHCPv4 server. Takes a DHCP option
1792           number, data type and data ("option:type:value"). The option number
1793           is an integer in the range 1...254. The type takes one of "uint8",
1794           "uint16", "uint32", "ipv4address", "ipv6address", or "string".
1795           Special characters in the data string may be escaped using C-style
1796           escapes[18]. This setting can be specified multiple times. If an
1797           empty string is specified, then all options specified earlier are
1798           cleared. Defaults to unset.
1799
1800       SendVendorOption=
1801           Send a vendor option with value via DHCPv4 server. Takes a DHCP
1802           option number, data type and data ("option:type:value"). The option
1803           number is an integer in the range 1...254. The type takes one of
1804           "uint8", "uint16", "uint32", "ipv4address", or "string". Special
1805           characters in the data string may be escaped using C-style
1806           escapes[18]. This setting can be specified multiple times. If an
1807           empty string is specified, then all options specified earlier are
1808           cleared. Defaults to unset.
1809
1810       BindToInterface=
1811           Takes a boolean value. When "yes", DHCP server socket will be bound
1812           to its network interface and all socket communication will be
1813           restricted to this interface. Defaults to "yes", except if
1814           RelayTarget= is used (see below), in which case it defaults
1815           defaults to "no".
1816
1817       RelayTarget=
1818           Takes an IPv4 address, which must be in the format described in
1819           inet_pton(3). Turns this DHCP server into a DHCP relay agent. See
1820           RFC 1542[22]. The address is the address of DHCP server or another
1821           relay agent to forward DHCP messages to and from.
1822
1823       RelayAgentCircuitId=
1824           Specifies value for Agent Circuit ID suboption of Relay Agent
1825           Information option. Takes a string, which must be in the format
1826           "string:value", where "value" should be replaced with the value of
1827           the suboption. Defaults to unset (means no Agent Circuit ID
1828           suboption is generated). Ignored if RelayTarget= is not specified.
1829
1830       RelayAgentRemoteId=
1831           Specifies value for Agent Remote ID suboption of Relay Agent
1832           Information option. Takes a string, which must be in the format
1833           "string:value", where "value" should be replaced with the value of
1834           the suboption. Defaults to unset (means no Agent Remote ID
1835           suboption is generated). Ignored if RelayTarget= is not specified.
1836

[DHCPSERVERSTATICLEASE] SECTION OPTIONS

1838       The "[DHCPServerStaticLease]" section configures a static DHCP lease to
1839       assign a fixed IPv4 address to a specific device based on its MAC
1840       address. This section can be specified multiple times.
1841
1842       MACAddress=
1843           The hardware address of a device to match. This key is mandatory.
1844
1845       Address=
1846           The IPv4 address that should be assigned to the device that was
1847           matched with MACAddress=. This key is mandatory.
1848

[IPV6SENDRA] SECTION OPTIONS

1850       The [IPv6SendRA] section contains settings for sending IPv6 Router
1851       Advertisements and whether to act as a router, if enabled via the
1852       IPv6SendRA= option described above. IPv6 network prefixes or routes are
1853       defined with one or more [IPv6Prefix] or [IPv6RoutePrefix] sections.
1854
1855       Managed=, OtherInformation=
1856           Takes a boolean. Controls whether a DHCPv6 server is used to
1857           acquire IPv6 addresses on the network link when Managed= is set to
1858           "true" or if only additional network information can be obtained
1859           via DHCPv6 for the network link when OtherInformation= is set to
1860           "true". Both settings default to "false", which means that a DHCPv6
1861           server is not being used.
1862
1863       RouterLifetimeSec=
1864           Takes a timespan. Configures the IPv6 router lifetime in seconds.
1865           When set to 0, the host is not acting as a router. Defaults to 30
1866           minutes.
1867
1868       RouterPreference=
1869           Configures IPv6 router preference if RouterLifetimeSec= is
1870           non-zero. Valid values are "high", "medium" and "low", with
1871           "normal" and "default" added as synonyms for "medium" just to make
1872           configuration easier. See RFC 4191[15] for details. Defaults to
1873           "medium".
1874
1875       EmitDNS=, DNS=
1876           DNS= specifies a list of recursive DNS server IPv6 addresses that
1877           are distributed via Router Advertisement messages when EmitDNS= is
1878           true.  DNS= also takes special value "_link_local"; in that case
1879           the IPv6 link local address is distributed. If DNS= is empty, DNS
1880           servers are read from the [Network] section. If the [Network]
1881           section does not contain any DNS servers either, DNS servers from
1882           the uplink with the highest priority default route are used. When
1883           EmitDNS= is false, no DNS server information is sent in Router
1884           Advertisement messages.  EmitDNS= defaults to true.
1885
1886       EmitDomains=, Domains=
1887           A list of DNS search domains distributed via Router Advertisement
1888           messages when EmitDomains= is true. If Domains= is empty, DNS
1889           search domains are read from the [Network] section. If the
1890           [Network] section does not contain any DNS search domains either,
1891           DNS search domains from the uplink with the highest priority
1892           default route are used. When EmitDomains= is false, no DNS search
1893           domain information is sent in Router Advertisement messages.
1894           EmitDomains= defaults to true.
1895
1896       DNSLifetimeSec=
1897           Lifetime in seconds for the DNS server addresses listed in DNS= and
1898           search domains listed in Domains=.
1899

[IPV6PREFIX] SECTION OPTIONS

1901       One or more [IPv6Prefix] sections contain the IPv6 prefixes that are
1902       announced via Router Advertisements. See RFC 4861[23] for further
1903       details.
1904
1905       AddressAutoconfiguration=, OnLink=
1906           Takes a boolean to specify whether IPv6 addresses can be
1907           autoconfigured with this prefix and whether the prefix can be used
1908           for onlink determination. Both settings default to "true" in order
1909           to ease configuration.
1910
1911       Prefix=
1912           The IPv6 prefix that is to be distributed to hosts. Similarly to
1913           configuring static IPv6 addresses, the setting is configured as an
1914           IPv6 prefix and its prefix length, separated by a "/" character.
1915           Use multiple [IPv6Prefix] sections to configure multiple IPv6
1916           prefixes since prefix lifetimes, address autoconfiguration and
1917           onlink status may differ from one prefix to another.
1918
1919       PreferredLifetimeSec=, ValidLifetimeSec=
1920           Preferred and valid lifetimes for the prefix measured in seconds.
1921           PreferredLifetimeSec= defaults to 604800 seconds (one week) and
1922           ValidLifetimeSec= defaults to 2592000 seconds (30 days).
1923
1924       Assign=
1925           Takes a boolean. When true, adds an address from the prefix.
1926           Default to false.
1927
1928       RouteMetric=
1929           The metric of the prefix route. Takes an unsigned integer in the
1930           range 0...4294967295. When unset or set to 0, the kernel's default
1931           value is used. This setting is ignored when Assign= is false.
1932

[IPV6ROUTEPREFIX] SECTION OPTIONS

1934       One or more [IPv6RoutePrefix] sections contain the IPv6 prefix routes
1935       that are announced via Router Advertisements. See RFC 4191[15] for
1936       further details.
1937
1938       Route=
1939           The IPv6 route that is to be distributed to hosts. Similarly to
1940           configuring static IPv6 routes, the setting is configured as an
1941           IPv6 prefix routes and its prefix route length, separated by a "/"
1942           character. Use multiple [IPv6PrefixRoutes] sections to configure
1943           multiple IPv6 prefix routes.
1944
1945       LifetimeSec=
1946           Lifetime for the route prefix measured in seconds.  LifetimeSec=
1947           defaults to 604800 seconds (one week).
1948

[BRIDGE] SECTION OPTIONS

1950       The [Bridge] section accepts the following keys:
1951
1952       UnicastFlood=
1953           Takes a boolean. Controls whether the bridge should flood traffic
1954           for which an FDB entry is missing and the destination is unknown
1955           through this port. When unset, the kernel's default will be used.
1956
1957       MulticastFlood=
1958           Takes a boolean. Controls whether the bridge should flood traffic
1959           for which an MDB entry is missing and the destination is unknown
1960           through this port. When unset, the kernel's default will be used.
1961
1962       MulticastToUnicast=
1963           Takes a boolean. Multicast to unicast works on top of the multicast
1964           snooping feature of the bridge. Which means unicast copies are only
1965           delivered to hosts which are interested in it. When unset, the
1966           kernel's default will be used.
1967
1968       NeighborSuppression=
1969           Takes a boolean. Configures whether ARP and ND neighbor suppression
1970           is enabled for this port. When unset, the kernel's default will be
1971           used.
1972
1973       Learning=
1974           Takes a boolean. Configures whether MAC address learning is enabled
1975           for this port. When unset, the kernel's default will be used.
1976
1977       HairPin=
1978           Takes a boolean. Configures whether traffic may be sent back out of
1979           the port on which it was received. When this flag is false, then
1980           the bridge will not forward traffic back out of the receiving port.
1981           When unset, the kernel's default will be used.
1982
1983       UseBPDU=
1984           Takes a boolean. Configures whether STP Bridge Protocol Data Units
1985           will be processed by the bridge port. When unset, the kernel's
1986           default will be used.
1987
1988       FastLeave=
1989           Takes a boolean. This flag allows the bridge to immediately stop
1990           multicast traffic on a port that receives an IGMP Leave message. It
1991           is only used with IGMP snooping if enabled on the bridge. When
1992           unset, the kernel's default will be used.
1993
1994       AllowPortToBeRoot=
1995           Takes a boolean. Configures whether a given port is allowed to
1996           become a root port. Only used when STP is enabled on the bridge.
1997           When unset, the kernel's default will be used.
1998
1999       ProxyARP=
2000           Takes a boolean. Configures whether proxy ARP to be enabled on this
2001           port. When unset, the kernel's default will be used.
2002
2003       ProxyARPWiFi=
2004           Takes a boolean. Configures whether proxy ARP to be enabled on this
2005           port which meets extended requirements by IEEE 802.11 and Hotspot
2006           2.0 specifications. When unset, the kernel's default will be used.
2007
2008       MulticastRouter=
2009           Configures this port for having multicast routers attached. A port
2010           with a multicast router will receive all multicast traffic. Takes
2011           one of "no" to disable multicast routers on this port, "query" to
2012           let the system detect the presence of routers, "permanent" to
2013           permanently enable multicast traffic forwarding on this port, or
2014           "temporary" to enable multicast routers temporarily on this port,
2015           not depending on incoming queries. When unset, the kernel's default
2016           will be used.
2017
2018       Cost=
2019           Sets the "cost" of sending packets of this interface. Each port in
2020           a bridge may have a different speed and the cost is used to decide
2021           which link to use. Faster interfaces should have lower costs. It is
2022           an integer value between 1 and 65535.
2023
2024       Priority=
2025           Sets the "priority" of sending packets on this interface. Each port
2026           in a bridge may have a different priority which is used to decide
2027           which link to use. Lower value means higher priority. It is an
2028           integer value between 0 to 63. Networkd does not set any default,
2029           meaning the kernel default value of 32 is used.
2030

[BRIDGEFDB] SECTION OPTIONS

2032       The [BridgeFDB] section manages the forwarding database table of a port
2033       and accepts the following keys. Specify several [BridgeFDB] sections to
2034       configure several static MAC table entries.
2035
2036       MACAddress=
2037           As in the [Network] section. This key is mandatory.
2038
2039       Destination=
2040           Takes an IP address of the destination VXLAN tunnel endpoint.
2041
2042       VLANId=
2043           The VLAN ID for the new static MAC table entry. If omitted, no VLAN
2044           ID information is appended to the new static MAC table entry.
2045
2046       VNI=
2047           The VXLAN Network Identifier (or VXLAN Segment ID) to use to
2048           connect to the remote VXLAN tunnel endpoint. Takes a number in the
2049           range 1...16777215. Defaults to unset.
2050
2051       AssociatedWith=
2052           Specifies where the address is associated with. Takes one of "use",
2053           "self", "master" or "router".  "use" means the address is in use.
2054           User space can use this option to indicate to the kernel that the
2055           fdb entry is in use.  "self" means the address is associated with
2056           the port drivers fdb. Usually hardware.  "master" means the address
2057           is associated with master devices fdb.  "router" means the
2058           destination address is associated with a router. Note that it's
2059           valid if the referenced device is a VXLAN type device and has route
2060           shortcircuit enabled. Defaults to "self".
2061
2062       OutgoingInterface=
2063           Specifies the name or index of the outgoing interface for the VXLAN
2064           device driver to reach the remote VXLAN tunnel endpoint. Defaults
2065           to unset.
2066

[BRIDGEMDB] SECTION OPTIONS

2068       The [BridgeMDB] section manages the multicast membership entries
2069       forwarding database table of a port and accepts the following keys.
2070       Specify several [BridgeMDB] sections to configure several permanent
2071       multicast membership entries.
2072
2073       MulticastGroupAddress=
2074           Specifies the IPv4 or IPv6 multicast group address to add. This
2075           setting is mandatory.
2076
2077       VLANId=
2078           The VLAN ID for the new entry. Valid ranges are 0 (no VLAN) to
2079           4094. Optional, defaults to 0.
2080

[LLDP] SECTION OPTIONS

2082       The [LLDP] section manages the Link Layer Discovery Protocol (LLDP) and
2083       accepts the following keys:
2084
2085       MUDURL=
2086           When configured, the specified Manufacturer Usage Descriptions
2087           (MUD) URL will be sent in LLDP packets. The syntax and semantics
2088           are the same as for MUDURL= in the [DHCPv4] section described
2089           above.
2090
2091           The MUD URLs received via LLDP packets are saved and can be read
2092           using the sd_lldp_neighbor_get_mud_url() function.
2093

[CAN] SECTION OPTIONS

2095       The [CAN] section manages the Controller Area Network (CAN bus) and
2096       accepts the following keys:
2097
2098       BitRate=
2099           The bitrate of CAN device in bits per second. The usual SI prefixes
2100           (K, M) with the base of 1000 can be used here. Takes a number in
2101           the range 1...4294967295.
2102
2103       SamplePoint=
2104           Optional sample point in percent with one decimal (e.g.  "75%",
2105           "87.5%") or permille (e.g.  "875‰").
2106
2107       DataBitRate=, DataSamplePoint=
2108           The bitrate and sample point for the data phase, if CAN-FD is used.
2109           These settings are analogous to the BitRate= and SamplePoint= keys.
2110
2111       FDMode=
2112           Takes a boolean. When "yes", CAN-FD mode is enabled for the
2113           interface. Note, that a bitrate and optional sample point should
2114           also be set for the CAN-FD data phase using the DataBitRate= and
2115           DataSamplePoint= keys.
2116
2117       FDNonISO=
2118           Takes a boolean. When "yes", non-ISO CAN-FD mode is enabled for the
2119           interface. When unset, the kernel's default will be used.
2120
2121       RestartSec=
2122           Automatic restart delay time. If set to a non-zero value, a restart
2123           of the CAN controller will be triggered automatically in case of a
2124           bus-off condition after the specified delay time. Subsecond delays
2125           can be specified using decimals (e.g.  "0.1s") or a "ms" or "us"
2126           postfix. Using "infinity" or "0" will turn the automatic restart
2127           off. By default automatic restart is disabled.
2128
2129       Termination=
2130           Takes a boolean. When "yes", the termination resistor will be
2131           selected for the bias network. When unset, the kernel's default
2132           will be used.
2133
2134       TripleSampling=
2135           Takes a boolean. When "yes", three samples (instead of one) are
2136           used to determine the value of a received bit by majority rule.
2137           When unset, the kernel's default will be used.
2138
2139       BusErrorReporting=
2140           Takes a boolean. When "yes", reporting of CAN bus errors is
2141           activated (those include single bit, frame format, and bit stuffing
2142           errors, unable to send dominant bit, unable to send recessive bit,
2143           bus overload, active error announcement, error occurred on
2144           transmission). When unset, the kernel's default will be used. Note:
2145           in case of a CAN bus with a single CAN device, sending a CAN frame
2146           may result in a huge number of CAN bus errors.
2147
2148       ListenOnly=
2149           Takes a boolean. When "yes", listen-only mode is enabled. When the
2150           interface is in listen-only mode, the interface neither transmit
2151           CAN frames nor send ACK bit. Listen-only mode is important to debug
2152           CAN networks without interfering with the communication or
2153           acknowledge the CAN frame. When unset, the kernel's default will be
2154           used.
2155

[QDISC] SECTION OPTIONS

2157       The [QDisc] section manages the traffic control queueing discipline
2158       (qdisc).
2159
2160       Parent=
2161           Specifies the parent Queueing Discipline (qdisc). Takes one of
2162           "clsact" or "ingress". This is mandatory.
2163
2164       Handle=
2165           Configures the major number of unique identifier of the qdisc,
2166           known as the handle. Takes a hexadecimal number in the range
2167           0x1–0xffff. Defaults to unset.
2168

[NETWORKEMULATOR] SECTION OPTIONS

2170       The [NetworkEmulator] section manages the queueing discipline (qdisc)
2171       of the network emulator. It can be used to configure the kernel packet
2172       scheduler and simulate packet delay and loss for UDP or TCP
2173       applications, or limit the bandwidth usage of a particular service to
2174       simulate internet connections.
2175
2176       Parent=
2177           Configures the parent Queueing Discipline (qdisc). Takes one of
2178           "root", "clsact", "ingress" or a class identifier. The class
2179           identifier is specified as the major and minor numbers in
2180           hexadecimal in the range 0x1–Oxffff separated with a colon
2181           ("major:minor"). Defaults to "root".
2182
2183       Handle=
2184           Configures the major number of unique identifier of the qdisc,
2185           known as the handle. Takes a hexadecimal number in the range
2186           0x1–0xffff. Defaults to unset.
2187
2188       DelaySec=
2189           Specifies the fixed amount of delay to be added to all packets
2190           going out of the interface. Defaults to unset.
2191
2192       DelayJitterSec=
2193           Specifies the chosen delay to be added to the packets outgoing to
2194           the network interface. Defaults to unset.
2195
2196       PacketLimit=
2197           Specifies the maximum number of packets the qdisc may hold queued
2198           at a time. An unsigned integer in the range 0–4294967294. Defaults
2199           to 1000.
2200
2201       LossRate=
2202           Specifies an independent loss probability to be added to the
2203           packets outgoing from the network interface. Takes a percentage
2204           value, suffixed with "%". Defaults to unset.
2205
2206       DuplicateRate=
2207           Specifies that the chosen percent of packets is duplicated before
2208           queuing them. Takes a percentage value, suffixed with "%". Defaults
2209           to unset.
2210

[TOKENBUCKETFILTER] SECTION OPTIONS

2212       The [TokenBucketFilter] section manages the queueing discipline (qdisc)
2213       of token bucket filter (tbf).
2214
2215       Parent=
2216           Configures the parent Queueing Discipline (qdisc). Takes one of
2217           "root", "clsact", "ingress" or a class identifier. The class
2218           identifier is specified as the major and minor numbers in
2219           hexadecimal in the range 0x1–Oxffff separated with a colon
2220           ("major:minor"). Defaults to "root".
2221
2222       Handle=
2223           Configures the major number of unique identifier of the qdisc,
2224           known as the handle. Takes a hexadecimal number in the range
2225           0x1–0xffff. Defaults to unset.
2226
2227       LatencySec=
2228           Specifies the latency parameter, which specifies the maximum amount
2229           of time a packet can sit in the Token Bucket Filter (TBF). Defaults
2230           to unset.
2231
2232       LimitBytes=
2233           Takes the number of bytes that can be queued waiting for tokens to
2234           become available. When the size is suffixed with K, M, or G, it is
2235           parsed as Kilobytes, Megabytes, or Gigabytes, respectively, to the
2236           base of 1024. Defaults to unset.
2237
2238       BurstBytes=
2239           Specifies the size of the bucket. This is the maximum amount of
2240           bytes that tokens can be available for instantaneous transfer. When
2241           the size is suffixed with K, M, or G, it is parsed as Kilobytes,
2242           Megabytes, or Gigabytes, respectively, to the base of 1024.
2243           Defaults to unset.
2244
2245       Rate=
2246           Specifies the device specific bandwidth. When suffixed with K, M,
2247           or G, the specified bandwidth is parsed as Kilobits, Megabits, or
2248           Gigabits, respectively, to the base of 1000. Defaults to unset.
2249
2250       MPUBytes=
2251           The Minimum Packet Unit (MPU) determines the minimal token usage
2252           (specified in bytes) for a packet. When suffixed with K, M, or G,
2253           the specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
2254           respectively, to the base of 1024. Defaults to zero.
2255
2256       PeakRate=
2257           Takes the maximum depletion rate of the bucket. When suffixed with
2258           K, M, or G, the specified size is parsed as Kilobits, Megabits, or
2259           Gigabits, respectively, to the base of 1000. Defaults to unset.
2260
2261       MTUBytes=
2262           Specifies the size of the peakrate bucket. When suffixed with K, M,
2263           or G, the specified size is parsed as Kilobytes, Megabytes, or
2264           Gigabytes, respectively, to the base of 1024. Defaults to unset.
2265

[PIE] SECTION OPTIONS

2267       The [PIE] section manages the queueing discipline (qdisc) of
2268       Proportional Integral controller-Enhanced (PIE).
2269
2270       Parent=
2271           Configures the parent Queueing Discipline (qdisc). Takes one of
2272           "root", "clsact", "ingress" or a class identifier. The class
2273           identifier is specified as the major and minor numbers in
2274           hexadecimal in the range 0x1–Oxffff separated with a colon
2275           ("major:minor"). Defaults to "root".
2276
2277       Handle=
2278           Configures the major number of unique identifier of the qdisc,
2279           known as the handle. Takes a hexadecimal number in the range
2280           0x1–0xffff. Defaults to unset.
2281
2282       PacketLimit=
2283           Specifies the hard limit on the queue size in number of packets.
2284           When this limit is reached, incoming packets are dropped. An
2285           unsigned integer in the range 1...4294967294. Defaults to unset and
2286           kernel's default is used.
2287

[FLOWQUEUEPIE] SECTION OPTIONS

2289       The "[FlowQueuePIE]" section manages the queueing discipline (qdisc) of
2290       Flow Queue Proportional Integral controller-Enhanced (fq_pie).
2291
2292       Parent=
2293           Configures the parent Queueing Discipline (qdisc). Takes one of
2294           "root", "clsact", "ingress" or a class identifier. The class
2295           identifier is specified as the major and minor numbers in
2296           hexadecimal in the range 0x1–Oxffff separated with a colon
2297           ("major:minor"). Defaults to "root".
2298
2299       Handle=
2300           Configures the major number of unique identifier of the qdisc,
2301           known as the handle. Takes a hexadecimal number in the range
2302           0x1–0xffff. Defaults to unset.
2303
2304       PacketLimit=
2305           Specifies the hard limit on the queue size in number of packets.
2306           When this limit is reached, incoming packets are dropped. An
2307           unsigned integer ranges 1 to 4294967294. Defaults to unset and
2308           kernel's default is used.
2309

[STOCHASTICFAIRBLUE] SECTION OPTIONS

2311       The [StochasticFairBlue] section manages the queueing discipline
2312       (qdisc) of stochastic fair blue (sfb).
2313
2314       Parent=
2315           Configures the parent Queueing Discipline (qdisc). Takes one of
2316           "root", "clsact", "ingress" or a class identifier. The class
2317           identifier is specified as the major and minor numbers in
2318           hexadecimal in the range 0x1–Oxffff separated with a colon
2319           ("major:minor"). Defaults to "root".
2320
2321       Handle=
2322           Configures the major number of unique identifier of the qdisc,
2323           known as the handle. Takes a hexadecimal number in the range
2324           0x1–0xffff. Defaults to unset.
2325
2326       PacketLimit=
2327           Specifies the hard limit on the queue size in number of packets.
2328           When this limit is reached, incoming packets are dropped. An
2329           unsigned integer in the range 0–4294967294. Defaults to unset and
2330           kernel's default is used.
2331

[STOCHASTICFAIRNESSQUEUEING] SECTION OPTIONS

2333       The [StochasticFairnessQueueing] section manages the queueing
2334       discipline (qdisc) of stochastic fairness queueing (sfq).
2335
2336       Parent=
2337           Configures the parent Queueing Discipline (qdisc). Takes one of
2338           "root", "clsact", "ingress" or a class identifier. The class
2339           identifier is specified as the major and minor numbers in
2340           hexadecimal in the range 0x1–Oxffff separated with a colon
2341           ("major:minor"). Defaults to "root".
2342
2343       Handle=
2344           Configures the major number of unique identifier of the qdisc,
2345           known as the handle. Takes a hexadecimal number in the range
2346           0x1–0xffff. Defaults to unset.
2347
2348       PerturbPeriodSec=
2349           Specifies the interval in seconds for queue algorithm perturbation.
2350           Defaults to unset.
2351

[BFIFO] SECTION OPTIONS

2353       The [BFIFO] section manages the queueing discipline (qdisc) of Byte
2354       limited Packet First In First Out (bfifo).
2355
2356       Parent=
2357           Configures the parent Queueing Discipline (qdisc). Takes one of
2358           "root", "clsact", "ingress" or a class identifier. The class
2359           identifier is specified as the major and minor numbers in
2360           hexadecimal in the range 0x1–Oxffff separated with a colon
2361           ("major:minor"). Defaults to "root".
2362
2363       Handle=
2364           Configures the major number of unique identifier of the qdisc,
2365           known as the handle. Takes a hexadecimal number in the range
2366           0x1–0xffff. Defaults to unset.
2367
2368       LimitBytes=
2369           Specifies the hard limit in bytes on the FIFO buffer size. The size
2370           limit prevents overflow in case the kernel is unable to dequeue
2371           packets as quickly as it receives them. When this limit is reached,
2372           incoming packets are dropped. When suffixed with K, M, or G, the
2373           specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
2374           respectively, to the base of 1024. Defaults to unset and kernel
2375           default is used.
2376

[PFIFO] SECTION OPTIONS

2378       The [PFIFO] section manages the queueing discipline (qdisc) of Packet
2379       First In First Out (pfifo).
2380
2381       Parent=
2382           Configures the parent Queueing Discipline (qdisc). Takes one of
2383           "root", "clsact", "ingress" or a class identifier. The class
2384           identifier is specified as the major and minor numbers in
2385           hexadecimal in the range 0x1–Oxffff separated with a colon
2386           ("major:minor"). Defaults to "root".
2387
2388       Handle=
2389           Configures the major number of unique identifier of the qdisc,
2390           known as the handle. Takes a hexadecimal number in the range
2391           0x1–0xffff. Defaults to unset.
2392
2393       PacketLimit=
2394           Specifies the hard limit on the number of packets in the FIFO
2395           queue. The size limit prevents overflow in case the kernel is
2396           unable to dequeue packets as quickly as it receives them. When this
2397           limit is reached, incoming packets are dropped. An unsigned integer
2398           in the range 0–4294967294. Defaults to unset and kernel's default
2399           is used.
2400

[PFIFOHEADDROP] SECTION OPTIONS

2402       The [PFIFOHeadDrop] section manages the queueing discipline (qdisc) of
2403       Packet First In First Out Head Drop (pfifo_head_drop).
2404
2405       Parent=
2406           Configures the parent Queueing Discipline (qdisc). Takes one of
2407           "root", "clsact", "ingress" or a class identifier. The class
2408           identifier is specified as the major and minor numbers in
2409           hexadecimal in the range 0x1–Oxffff separated with a colon
2410           ("major:minor"). Defaults to "root".
2411
2412       Handle=
2413           Configures the major number of unique identifier of the qdisc,
2414           known as the handle. Takes a hexadecimal number in the range
2415           0x1–0xffff. Defaults to unset.
2416
2417       PacketLimit=
2418           As in [PFIFO] section.
2419

[PFIFOFAST] SECTION OPTIONS

2421       The [PFIFOFast] section manages the queueing discipline (qdisc) of
2422       Packet First In First Out Fast (pfifo_fast).
2423
2424       Parent=
2425           Configures the parent Queueing Discipline (qdisc). Takes one of
2426           "root", "clsact", "ingress" or a class identifier. The class
2427           identifier is specified as the major and minor numbers in
2428           hexadecimal in the range 0x1–Oxffff separated with a colon
2429           ("major:minor"). Defaults to "root".
2430
2431       Handle=
2432           Configures the major number of unique identifier of the qdisc,
2433           known as the handle. Takes a hexadecimal number in the range
2434           0x1–0xffff. Defaults to unset.
2435

[CAKE] SECTION OPTIONS

2437       The [CAKE] section manages the queueing discipline (qdisc) of Common
2438       Applications Kept Enhanced (CAKE).
2439
2440       Parent=
2441           Configures the parent Queueing Discipline (qdisc). Takes one of
2442           "root", "clsact", "ingress" or a class identifier. The class
2443           identifier is specified as the major and minor numbers in
2444           hexadecimal in the range 0x1–Oxffff separated with a colon
2445           ("major:minor"). Defaults to "root".
2446
2447       Handle=
2448           Configures the major number of unique identifier of the qdisc,
2449           known as the handle. Takes a hexadecimal number in the range
2450           0x1–0xffff. Defaults to unset.
2451
2452       OverheadBytes=
2453           Specifies that bytes to be addeded to the size of each packet.
2454           Bytes may be negative. Takes an integer in the range from -64 to
2455           256. Defaults to unset and kernel's default is used.
2456
2457       Bandwidth=
2458           Specifies the shaper bandwidth. When suffixed with K, M, or G, the
2459           specified size is parsed as Kilobits, Megabits, or Gigabits,
2460           respectively, to the base of 1000. Defaults to unset and kernel's
2461           default is used.
2462

[CONTROLLEDDELAY] SECTION OPTIONS

2464       The [ControlledDelay] section manages the queueing discipline (qdisc)
2465       of controlled delay (CoDel).
2466
2467       Parent=
2468           Configures the parent Queueing Discipline (qdisc). Takes one of
2469           "root", "clsact", "ingress" or a class identifier. The class
2470           identifier is specified as the major and minor numbers in
2471           hexadecimal in the range 0x1–Oxffff separated with a colon
2472           ("major:minor"). Defaults to "root".
2473
2474       Handle=
2475           Configures the major number of unique identifier of the qdisc,
2476           known as the handle. Takes a hexadecimal number in the range
2477           0x1–0xffff. Defaults to unset.
2478
2479       PacketLimit=
2480           Specifies the hard limit on the queue size in number of packets.
2481           When this limit is reached, incoming packets are dropped. An
2482           unsigned integer in the range 0–4294967294. Defaults to unset and
2483           kernel's default is used.
2484
2485       TargetSec=
2486           Takes a timespan. Specifies the acceptable minimum
2487           standing/persistent queue delay. Defaults to unset and kernel's
2488           default is used.
2489
2490       IntervalSec=
2491           Takes a timespan. This is used to ensure that the measured minimum
2492           delay does not become too stale. Defaults to unset and kernel's
2493           default is used.
2494
2495       ECN=
2496           Takes a boolean. This can be used to mark packets instead of
2497           dropping them. Defaults to unset and kernel's default is used.
2498
2499       CEThresholdSec=
2500           Takes a timespan. This sets a threshold above which all packets are
2501           marked with ECN Congestion Experienced (CE). Defaults to unset and
2502           kernel's default is used.
2503

[DEFICITROUNDROBINSCHEDULER] SECTION OPTIONS

2505       The [DeficitRoundRobinScheduler] section manages the queueing
2506       discipline (qdisc) of Deficit Round Robin Scheduler (DRR).
2507
2508       Parent=
2509           Configures the parent Queueing Discipline (qdisc). Takes one of
2510           "root", "clsact", "ingress" or a class identifier. The class
2511           identifier is specified as the major and minor numbers in
2512           hexadecimal in the range 0x1–Oxffff separated with a colon
2513           ("major:minor"). Defaults to "root".
2514
2515       Handle=
2516           Configures the major number of unique identifier of the qdisc,
2517           known as the handle. Takes a hexadecimal number in the range
2518           0x1–0xffff. Defaults to unset.
2519

[DEFICITROUNDROBINSCHEDULERCLASS] SECTION OPTIONS

2521       The [DeficitRoundRobinSchedulerClass] section manages the traffic
2522       control class of Deficit Round Robin Scheduler (DRR).
2523
2524       Parent=
2525           Configures the parent Queueing Discipline (qdisc). Takes one of
2526           "root", or a qdisc identifier. The qdisc identifier is specified as
2527           the major and minor numbers in hexadecimal in the range 0x1–Oxffff
2528           separated with a colon ("major:minor"). Defaults to "root".
2529
2530       ClassId=
2531           Configures the unique identifier of the class. It is specified as
2532           the major and minor numbers in hexadecimal in the range 0x1–Oxffff
2533           separated with a colon ("major:minor"). Defaults to unset.
2534
2535       QuantumBytes=
2536           Specifies the amount of bytes a flow is allowed to dequeue before
2537           the scheduler moves to the next class. When suffixed with K, M, or
2538           G, the specified size is parsed as Kilobytes, Megabytes, or
2539           Gigabytes, respectively, to the base of 1024. Defaults to the MTU
2540           of the interface.
2541

[ENHANCEDTRANSMISSIONSELECTION] SECTION OPTIONS

2543       The [EnhancedTransmissionSelection] section manages the queueing
2544       discipline (qdisc) of Enhanced Transmission Selection (ETS).
2545
2546       Parent=
2547           Configures the parent Queueing Discipline (qdisc). Takes one of
2548           "root", "clsact", "ingress" or a class identifier. The class
2549           identifier is specified as the major and minor numbers in
2550           hexadecimal in the range 0x1–Oxffff separated with a colon
2551           ("major:minor"). Defaults to "root".
2552
2553       Handle=
2554           Configures the major number of unique identifier of the qdisc,
2555           known as the handle. Takes a hexadecimal number in the range
2556           0x1–0xffff. Defaults to unset.
2557
2558       Bands=
2559           Specifies the number of bands. An unsigned integer in the range
2560           1–16. This value has to be at least large enough to cover the
2561           strict bands specified through the StrictBands= and
2562           bandwidth-sharing bands specified in QuantumBytes=.
2563
2564       StrictBands=
2565           Specifies the number of bands that should be created in strict
2566           mode. An unsigned integer in the range 1–16.
2567
2568       QuantumBytes=
2569           Specifies the white-space separated list of quantum used in
2570           band-sharing bands. When suffixed with K, M, or G, the specified
2571           size is parsed as Kilobytes, Megabytes, or Gigabytes, respectively,
2572           to the base of 1024. This setting can be specified multiple times.
2573           If an empty string is assigned, then the all previous assignments
2574           are cleared.
2575
2576       PriorityMap=
2577           The priority map maps the priority of a packet to a band. The
2578           argument is a whitespace separated list of numbers. The first
2579           number indicates which band the packets with priority 0 should be
2580           put to, the second is for priority 1, and so on. There can be up to
2581           16 numbers in the list. If there are fewer, the default band that
2582           traffic with one of the unmentioned priorities goes to is the last
2583           one. Each band number must be in the range 0...255. This setting
2584           can be specified multiple times. If an empty string is assigned,
2585           then the all previous assignments are cleared.
2586

[GENERICRANDOMEARLYDETECTION] SECTION OPTIONS

2588       The [GenericRandomEarlyDetection] section manages the queueing
2589       discipline (qdisc) of Generic Random Early Detection (GRED).
2590
2591       Parent=
2592           Configures the parent Queueing Discipline (qdisc). Takes one of
2593           "root", "clsact", "ingress" or a class identifier. The class
2594           identifier is specified as the major and minor numbers in
2595           hexadecimal in the range 0x1–Oxffff separated with a colon
2596           ("major:minor"). Defaults to "root".
2597
2598       Handle=
2599           Configures the major number of unique identifier of the qdisc,
2600           known as the handle. Takes a hexadecimal number in the range
2601           0x1–0xffff. Defaults to unset.
2602
2603       VirtualQueues=
2604           Specifies the number of virtual queues. Takes an integer in the
2605           range 1...16. Defaults to unset and kernel's default is used.
2606
2607       DefaultVirtualQueue=
2608           Specifies the number of default virtual queue. This must be less
2609           than VirtualQueue=. Defaults to unset and kernel's default is used.
2610
2611       GenericRIO=
2612           Takes a boolean. It turns on the RIO-like buffering scheme.
2613           Defaults to unset and kernel's default is used.
2614

[FAIRQUEUEINGCONTROLLEDDELAY] SECTION OPTIONS

2616       The [FairQueueingControlledDelay] section manages the queueing
2617       discipline (qdisc) of fair queuing controlled delay (FQ-CoDel).
2618
2619       Parent=
2620           Configures the parent Queueing Discipline (qdisc). Takes one of
2621           "root", "clsact", "ingress" or a class identifier. The class
2622           identifier is specified as the major and minor numbers in
2623           hexadecimal in the range 0x1–Oxffff separated with a colon
2624           ("major:minor"). Defaults to "root".
2625
2626       Handle=
2627           Configures the major number of unique identifier of the qdisc,
2628           known as the handle. Takes a hexadecimal number in the range
2629           0x1–0xffff. Defaults to unset.
2630
2631       PacketLimit=
2632           Specifies the hard limit on the real queue size. When this limit is
2633           reached, incoming packets are dropped. Defaults to unset and
2634           kernel's default is used.
2635
2636       MemoryLimitBytes=
2637           Specifies the limit on the total number of bytes that can be queued
2638           in this FQ-CoDel instance. When suffixed with K, M, or G, the
2639           specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
2640           respectively, to the base of 1024. Defaults to unset and kernel's
2641           default is used.
2642
2643       Flows=
2644           Specifies the number of flows into which the incoming packets are
2645           classified. Defaults to unset and kernel's default is used.
2646
2647       TargetSec=
2648           Takes a timespan. Specifies the acceptable minimum
2649           standing/persistent queue delay. Defaults to unset and kernel's
2650           default is used.
2651
2652       IntervalSec=
2653           Takes a timespan. This is used to ensure that the measured minimum
2654           delay does not become too stale. Defaults to unset and kernel's
2655           default is used.
2656
2657       QuantumBytes=
2658           Specifies the number of bytes used as the "deficit" in the fair
2659           queuing algorithm timespan. When suffixed with K, M, or G, the
2660           specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
2661           respectively, to the base of 1024. Defaults to unset and kernel's
2662           default is used.
2663
2664       ECN=
2665           Takes a boolean. This can be used to mark packets instead of
2666           dropping them. Defaults to unset and kernel's default is used.
2667
2668       CEThresholdSec=
2669           Takes a timespan. This sets a threshold above which all packets are
2670           marked with ECN Congestion Experienced (CE). Defaults to unset and
2671           kernel's default is used.
2672

[FAIRQUEUEING] SECTION OPTIONS

2674       The [FairQueueing] section manages the queueing discipline (qdisc) of
2675       fair queue traffic policing (FQ).
2676
2677       Parent=
2678           Configures the parent Queueing Discipline (qdisc). Takes one of
2679           "root", "clsact", "ingress" or a class identifier. The class
2680           identifier is specified as the major and minor numbers in
2681           hexadecimal in the range 0x1–Oxffff separated with a colon
2682           ("major:minor"). Defaults to "root".
2683
2684       Handle=
2685           Configures the major number of unique identifier of the qdisc,
2686           known as the handle. Takes a hexadecimal number in the range
2687           0x1–0xffff. Defaults to unset.
2688
2689       PacketLimit=
2690           Specifies the hard limit on the real queue size. When this limit is
2691           reached, incoming packets are dropped. Defaults to unset and
2692           kernel's default is used.
2693
2694       FlowLimit=
2695           Specifies the hard limit on the maximum number of packets queued
2696           per flow. Defaults to unset and kernel's default is used.
2697
2698       QuantumBytes=
2699           Specifies the credit per dequeue RR round, i.e. the amount of bytes
2700           a flow is allowed to dequeue at once. When suffixed with K, M, or
2701           G, the specified size is parsed as Kilobytes, Megabytes, or
2702           Gigabytes, respectively, to the base of 1024. Defaults to unset and
2703           kernel's default is used.
2704
2705       InitialQuantumBytes=
2706           Specifies the initial sending rate credit, i.e. the amount of bytes
2707           a new flow is allowed to dequeue initially. When suffixed with K,
2708           M, or G, the specified size is parsed as Kilobytes, Megabytes, or
2709           Gigabytes, respectively, to the base of 1024. Defaults to unset and
2710           kernel's default is used.
2711
2712       MaximumRate=
2713           Specifies the maximum sending rate of a flow. When suffixed with K,
2714           M, or G, the specified size is parsed as Kilobits, Megabits, or
2715           Gigabits, respectively, to the base of 1000. Defaults to unset and
2716           kernel's default is used.
2717
2718       Buckets=
2719           Specifies the size of the hash table used for flow lookups.
2720           Defaults to unset and kernel's default is used.
2721
2722       OrphanMask=
2723           Takes an unsigned integer. For packets not owned by a socket, fq is
2724           able to mask a part of hash and reduce number of buckets associated
2725           with the traffic. Defaults to unset and kernel's default is used.
2726
2727       Pacing=
2728           Takes a boolean, and enables or disables flow pacing. Defaults to
2729           unset and kernel's default is used.
2730
2731       CEThresholdSec=
2732           Takes a timespan. This sets a threshold above which all packets are
2733           marked with ECN Congestion Experienced (CE). Defaults to unset and
2734           kernel's default is used.
2735

[TRIVIALLINKEQUALIZER] SECTION OPTIONS

2737       The [TrivialLinkEqualizer] section manages the queueing discipline
2738       (qdisc) of trivial link equalizer (teql).
2739
2740       Parent=
2741           Configures the parent Queueing Discipline (qdisc). Takes one of
2742           "root", "clsact", "ingress" or a class identifier. The class
2743           identifier is specified as the major and minor numbers in
2744           hexadecimal in the range 0x1–Oxffff separated with a colon
2745           ("major:minor"). Defaults to "root".
2746
2747       Handle=
2748           Configures the major number of unique identifier of the qdisc,
2749           known as the handle. Takes a hexadecimal number in the range
2750           0x1–0xffff. Defaults to unset.
2751
2752       Id=
2753           Specifies the interface ID "N" of teql. Defaults to "0". Note that
2754           when teql is used, currently, the module sch_teql with
2755           max_equalizers=N+1 option must be loaded before systemd-networkd is
2756           started.
2757

[HIERARCHYTOKENBUCKET] SECTION OPTIONS

2759       The [HierarchyTokenBucket] section manages the queueing discipline
2760       (qdisc) of hierarchy token bucket (htb).
2761
2762       Parent=
2763           Configures the parent Queueing Discipline (qdisc). Takes one of
2764           "root", "clsact", "ingress" or a class identifier. The class
2765           identifier is specified as the major and minor numbers in
2766           hexadecimal in the range 0x1–Oxffff separated with a colon
2767           ("major:minor"). Defaults to "root".
2768
2769       Handle=
2770           Configures the major number of unique identifier of the qdisc,
2771           known as the handle. Takes a hexadecimal number in the range
2772           0x1–0xffff. Defaults to unset.
2773
2774       DefaultClass=
2775           Takes the minor id in hexadecimal of the default class.
2776           Unclassified traffic gets sent to the class. Defaults to unset.
2777
2778       RateToQuantum=
2779           Takes an unsigned integer. The DRR quantums are calculated by
2780           dividing the value configured in Rate= by RateToQuantum=.
2781

[HIERARCHYTOKENBUCKETCLASS] SECTION OPTIONS

2783       The [HierarchyTokenBucketClass] section manages the traffic control
2784       class of hierarchy token bucket (htb).
2785
2786       Parent=
2787           Configures the parent Queueing Discipline (qdisc). Takes one of
2788           "root", or a qdisc identifier. The qdisc identifier is specified as
2789           the major and minor numbers in hexadecimal in the range 0x1–Oxffff
2790           separated with a colon ("major:minor"). Defaults to "root".
2791
2792       ClassId=
2793           Configures the unique identifier of the class. It is specified as
2794           the major and minor numbers in hexadecimal in the range 0x1–Oxffff
2795           separated with a colon ("major:minor"). Defaults to unset.
2796
2797       Priority=
2798           Specifies the priority of the class. In the round-robin process,
2799           classes with the lowest priority field are tried for packets first.
2800
2801       QuantumBytes=
2802           Specifies how many bytes to serve from leaf at once. When suffixed
2803           with K, M, or G, the specified size is parsed as Kilobytes,
2804           Megabytes, or Gigabytes, respectively, to the base of 1024.
2805
2806       MTUBytes=
2807           Specifies the maximum packet size we create. When suffixed with K,
2808           M, or G, the specified size is parsed as Kilobytes, Megabytes, or
2809           Gigabytes, respectively, to the base of 1024.
2810
2811       OverheadBytes=
2812           Takes an unsigned integer which specifies per-packet size overhead
2813           used in rate computations. When suffixed with K, M, or G, the
2814           specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
2815           respectively, to the base of 1024.
2816
2817       Rate=
2818           Specifies the maximum rate this class and all its children are
2819           guaranteed. When suffixed with K, M, or G, the specified size is
2820           parsed as Kilobits, Megabits, or Gigabits, respectively, to the
2821           base of 1000. This setting is mandatory.
2822
2823       CeilRate=
2824           Specifies the maximum rate at which a class can send, if its parent
2825           has bandwidth to spare. When suffixed with K, M, or G, the
2826           specified size is parsed as Kilobits, Megabits, or Gigabits,
2827           respectively, to the base of 1000. When unset, the value specified
2828           with Rate= is used.
2829
2830       BufferBytes=
2831           Specifies the maximum bytes burst which can be accumulated during
2832           idle period. When suffixed with K, M, or G, the specified size is
2833           parsed as Kilobytes, Megabytes, or Gigabytes, respectively, to the
2834           base of 1024.
2835
2836       CeilBufferBytes=
2837           Specifies the maximum bytes burst for ceil which can be accumulated
2838           during idle period. When suffixed with K, M, or G, the specified
2839           size is parsed as Kilobytes, Megabytes, or Gigabytes, respectively,
2840           to the base of 1024.
2841

[HEAVYHITTERFILTER] SECTION OPTIONS

2843       The [HeavyHitterFilter] section manages the queueing discipline (qdisc)
2844       of Heavy Hitter Filter (hhf).
2845
2846       Parent=
2847           Configures the parent Queueing Discipline (qdisc). Takes one of
2848           "root", "clsact", "ingress" or a class identifier. The class
2849           identifier is specified as the major and minor numbers in
2850           hexadecimal in the range 0x1–Oxffff separated with a colon
2851           ("major:minor"). Defaults to "root".
2852
2853       Handle=
2854           Configures the major number of unique identifier of the qdisc,
2855           known as the handle. Takes a hexadecimal number in the range
2856           0x1–0xffff. Defaults to unset.
2857
2858       PacketLimit=
2859           Specifies the hard limit on the queue size in number of packets.
2860           When this limit is reached, incoming packets are dropped. An
2861           unsigned integer in the range 0–4294967294. Defaults to unset and
2862           kernel's default is used.
2863

[QUICKFAIRQUEUEING] SECTION OPTIONS

2865       The [QuickFairQueueing] section manages the queueing discipline (qdisc)
2866       of Quick Fair Queueing (QFQ).
2867
2868       Parent=
2869           Configures the parent Queueing Discipline (qdisc). Takes one of
2870           "root", "clsact", "ingress" or a class identifier. The class
2871           identifier is specified as the major and minor numbers in
2872           hexadecimal in the range 0x1–Oxffff separated with a colon
2873           ("major:minor"). Defaults to "root".
2874
2875       Handle=
2876           Configures the major number of unique identifier of the qdisc,
2877           known as the handle. Takes a hexadecimal number in the range
2878           0x1–0xffff. Defaults to unset.
2879

[QUICKFAIRQUEUEINGCLASS] SECTION OPTIONS

2881       The [QuickFairQueueingClass] section manages the traffic control class
2882       of Quick Fair Queueing (qfq).
2883
2884       Parent=
2885           Configures the parent Queueing Discipline (qdisc). Takes one of
2886           "root", or a qdisc identifier. The qdisc identifier is specified as
2887           the major and minor numbers in hexadecimal in the range 0x1–Oxffff
2888           separated with a colon ("major:minor"). Defaults to "root".
2889
2890       ClassId=
2891           Configures the unique identifier of the class. It is specified as
2892           the major and minor numbers in hexadecimal in the range 0x1–Oxffff
2893           separated with a colon ("major:minor"). Defaults to unset.
2894
2895       Weight=
2896           Specifies the weight of the class. Takes an integer in the range
2897           1...1023. Defaults to unset in which case the kernel default is
2898           used.
2899
2900       MaxPacketBytes=
2901           Specifies the maximum packet size in bytes for the class. When
2902           suffixed with K, M, or G, the specified size is parsed as
2903           Kilobytes, Megabytes, or Gigabytes, respectively, to the base of
2904           1024. When unset, the kernel default is used.
2905

[BRIDGEVLAN] SECTION OPTIONS

2907       The [BridgeVLAN] section manages the VLAN ID configuration of a bridge
2908       port and accepts the following keys. Specify several [BridgeVLAN]
2909       sections to configure several VLAN entries. The VLANFiltering= option
2910       has to be enabled, see the [Bridge] section in systemd.netdev(5).
2911
2912       VLAN=
2913           The VLAN ID allowed on the port. This can be either a single ID or
2914           a range M-N. VLAN IDs are valid from 1 to 4094.
2915
2916       EgressUntagged=
2917           The VLAN ID specified here will be used to untag frames on egress.
2918           Configuring EgressUntagged= implicates the use of VLAN= above and
2919           will enable the VLAN ID for ingress as well. This can be either a
2920           single ID or a range M-N.
2921
2922       PVID=
2923           The Port VLAN ID specified here is assigned to all untagged frames
2924           at ingress.  PVID= can be used only once. Configuring PVID=
2925           implicates the use of VLAN= above and will enable the VLAN ID for
2926           ingress as well.
2927

EXAMPLES

2929       Example 1. Static network configuration
2930
2931           # /etc/systemd/network/50-static.network
2932           [Match]
2933           Name=enp2s0
2934
2935           [Network]
2936           Address=192.168.0.15/24
2937           Gateway=192.168.0.1
2938
2939       This brings interface "enp2s0" up with a static address. The specified
2940       gateway will be used for a default route.
2941
2942       Example 2. DHCP on ethernet links
2943
2944           # /etc/systemd/network/80-dhcp.network
2945           [Match]
2946           Name=en*
2947
2948           [Network]
2949           DHCP=yes
2950
2951       This will enable DHCPv4 and DHCPv6 on all interfaces with names
2952       starting with "en" (i.e. ethernet interfaces).
2953
2954       Example 3. IPv6 Prefix Delegation
2955
2956           # /etc/systemd/network/55-ipv6-pd-upstream.network
2957           [Match]
2958           Name=enp1s0
2959
2960           [Network]
2961           DHCP=ipv6
2962
2963           # /etc/systemd/network/56-ipv6-pd-downstream.network
2964           [Match]
2965           Name=enp2s0
2966
2967           [Network]
2968           IPv6SendRA=yes
2969           DHCPv6PrefixDelegation=yes
2970
2971       This will enable DHCPv6-PD on the interface enp1s0 as an upstream
2972       interface where the DHCPv6 client is running and enp2s0 as a downstream
2973       interface where the prefix is delegated to. The delegated prefixes are
2974       distributed by IPv6 Router Advertisement on the downstream network.
2975
2976       Example 4. A bridge with two enslaved links
2977
2978           # /etc/systemd/network/25-bridge-static.network
2979           [Match]
2980           Name=bridge0
2981
2982           [Network]
2983           Address=192.168.0.15/24
2984           Gateway=192.168.0.1
2985           DNS=192.168.0.1
2986
2987           # /etc/systemd/network/25-bridge-slave-interface-1.network
2988           [Match]
2989           Name=enp2s0
2990
2991           [Network]
2992           Bridge=bridge0
2993
2994           # /etc/systemd/network/25-bridge-slave-interface-2.network
2995           [Match]
2996           Name=wlp3s0
2997
2998           [Network]
2999           Bridge=bridge0
3000
3001       This creates a bridge and attaches devices "enp2s0" and "wlp3s0" to it.
3002       The bridge will have the specified static address and network assigned,
3003       and a default route via the specified gateway will be added. The
3004       specified DNS server will be added to the global list of DNS resolvers.
3005
3006       Example 5.
3007
3008           # /etc/systemd/network/20-bridge-slave-interface-vlan.network
3009           [Match]
3010           Name=enp2s0
3011
3012           [Network]
3013           Bridge=bridge0
3014
3015           [BridgeVLAN]
3016           VLAN=1-32
3017           PVID=42
3018           EgressUntagged=42
3019
3020           [BridgeVLAN]
3021           VLAN=100-200
3022
3023           [BridgeVLAN]
3024           EgressUntagged=300-400
3025
3026       This overrides the configuration specified in the previous example for
3027       the interface "enp2s0", and enables VLAN on that bridge port. VLAN IDs
3028       1-32, 42, 100-400 will be allowed. Packets tagged with VLAN IDs 42,
3029       300-400 will be untagged when they leave on this interface. Untagged
3030       packets which arrive on this interface will be assigned VLAN ID 42.
3031
3032       Example 6. Various tunnels
3033
3034           /etc/systemd/network/25-tunnels.network
3035           [Match]
3036           Name=ens1
3037
3038           [Network]
3039           Tunnel=ipip-tun
3040           Tunnel=sit-tun
3041           Tunnel=gre-tun
3042           Tunnel=vti-tun
3043
3044
3045           /etc/systemd/network/25-tunnel-ipip.netdev
3046           [NetDev]
3047           Name=ipip-tun
3048           Kind=ipip
3049
3050
3051           /etc/systemd/network/25-tunnel-sit.netdev
3052           [NetDev]
3053           Name=sit-tun
3054           Kind=sit
3055
3056
3057           /etc/systemd/network/25-tunnel-gre.netdev
3058           [NetDev]
3059           Name=gre-tun
3060           Kind=gre
3061
3062
3063           /etc/systemd/network/25-tunnel-vti.netdev
3064           [NetDev]
3065           Name=vti-tun
3066           Kind=vti
3067
3068
3069       This will bring interface "ens1" up and create an IPIP tunnel, a SIT
3070       tunnel, a GRE tunnel, and a VTI tunnel using it.
3071
3072       Example 7. A bond device
3073
3074           # /etc/systemd/network/30-bond1.network
3075           [Match]
3076           Name=bond1
3077
3078           [Network]
3079           DHCP=ipv6
3080
3081           # /etc/systemd/network/30-bond1.netdev
3082           [NetDev]
3083           Name=bond1
3084           Kind=bond
3085
3086           # /etc/systemd/network/30-bond1-dev1.network
3087           [Match]
3088           MACAddress=52:54:00:e9:64:41
3089
3090           [Network]
3091           Bond=bond1
3092
3093           # /etc/systemd/network/30-bond1-dev2.network
3094           [Match]
3095           MACAddress=52:54:00:e9:64:42
3096
3097           [Network]
3098           Bond=bond1
3099
3100       This will create a bond device "bond1" and enslave the two devices with
3101       MAC addresses 52:54:00:e9:64:41 and 52:54:00:e9:64:42 to it. IPv6 DHCP
3102       will be used to acquire an address.
3103
3104       Example 8. Virtual Routing and Forwarding (VRF)
3105
3106       Add the "bond1" interface to the VRF master interface "vrf1". This will
3107       redirect routes generated on this interface to be within the routing
3108       table defined during VRF creation. For kernels before 4.8 traffic won't
3109       be redirected towards the VRFs routing table unless specific ip-rules
3110       are added.
3111
3112           # /etc/systemd/network/25-vrf.network
3113           [Match]
3114           Name=bond1
3115
3116           [Network]
3117           VRF=vrf1
3118
3119       Example 9. MacVTap
3120
3121       This brings up a network interface "macvtap-test" and attaches it to
3122       "enp0s25".
3123
3124           # /usr/lib/systemd/network/25-macvtap.network
3125           [Match]
3126           Name=enp0s25
3127
3128           [Network]
3129           MACVTAP=macvtap-test
3130
3131       Example 10. A Xfrm interface with physical underlying device.
3132
3133           # /etc/systemd/network/27-xfrm.netdev
3134           [NetDev]
3135           Name=xfrm0
3136
3137           [Xfrm]
3138           InterfaceId=7
3139
3140           # /etc/systemd/network/27-eth0.network
3141           [Match]
3142           Name=eth0
3143
3144           [Network]
3145           Xfrm=xfrm0
3146
3147       This creates a "xfrm0" interface and binds it to the "eth0" device.
3148       This allows hardware based ipsec offloading to the "eth0" nic. If
3149       offloading is not needed, xfrm interfaces can be assigned to the "lo"
3150       device.
3151

SEE ALSO

3153       systemd(1), systemd-networkd.service(8), systemd.link(5),
3154       systemd.netdev(5), systemd-resolved.service(8)
3155

NOTES

3157        1. RFC 7217
3158           https://tools.ietf.org/html/rfc7217
3159
3160        2. Link-Local Multicast Name Resolution
3161           https://tools.ietf.org/html/rfc4795
3162
3163        3. Multicast DNS
3164           https://tools.ietf.org/html/rfc6762
3165
3166        4. DNS-over-TLS
3167           https://tools.ietf.org/html/rfc7858
3168
3169        5. DNSSEC
3170           https://tools.ietf.org/html/rfc4033
3171
3172        6. IEEE 802.1AB-2016
3173           https://standards.ieee.org/findstds/standard/802.1AB-2016.html
3174
3175        7. ip-sysctl.txt
3176           https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
3177
3178        8. RFC 4941
3179           https://tools.ietf.org/html/rfc4941
3180
3181        9. RFC 1027
3182           https://tools.ietf.org/html/rfc1027
3183
3184       10. RFC 6275
3185           https://tools.ietf.org/html/rfc6275
3186
3187       11. RFC 5227
3188           https://tools.ietf.org/html/rfc5227
3189
3190       12. RFC 4862
3191           https://tools.ietf.org/html/rfc4862
3192
3193       13. RFC 3041
3194           https://tools.ietf.org/html/rfc3041
3195
3196       14. RFC 3484
3197           https://tools.ietf.org/html/rfc3484
3198
3199       15. RFC 4191
3200           https://tools.ietf.org/html/rfc4191
3201
3202       16. RFC 8520
3203           https://tools.ietf.org/html/rfc8520
3204
3205       17. RFC 7844
3206           https://tools.ietf.org/html/rfc7844
3207
3208       18. C-style escapes
3209           https://en.wikipedia.org/wiki/Escape_sequences_in_C#Table_of_escape_sequences
3210
3211       19. RFC 7084
3212           https://tools.ietf.org/html/rfc7084
3213
3214       20. RFC 3315
3215           https://tools.ietf.org/html/rfc3315#section-17.2.1
3216
3217       21. RFC 4291
3218           https://tools.ietf.org/html/rfc4291#section-2.5.4
3219
3220       22. RFC 1542
3221           https://tools.ietf.org/html/rfc1542
3222
3223       23. RFC 4861
3224           https://tools.ietf.org/html/rfc4861
3225
3226
3227
3228systemd 249                                                 SYSTEMD.NETWORK(5)
Impressum