1SYSTEMD.NETWORK(5) systemd.network SYSTEMD.NETWORK(5)
2
6 systemd.network - Network configuration
7
9 network.network
10
12 A plain ini-style text file that encodes network configuration for
13 matching network interfaces, used by systemd-networkd(8). See
14 systemd.syntax(7) for a general description of the syntax.
15 The main network file must have the extension .network; other
17 extensions are ignored. Networks are applied to links whenever the
18 links appear.
19 The .network files are read from the files located in the system
21 network directories /usr/lib/systemd/network and
22 /usr/local/lib/systemd/network, the volatile runtime network directory
23 /run/systemd/network and the local administration network directory
24 /etc/systemd/network. All configuration files are collectively sorted
25 and processed in lexical order, regardless of the directories in which
26 they live. However, files with identical filenames replace each other.
27 Files in /etc/ have the highest priority, files in /run/ take
28 precedence over files with the same name under /usr/. This can be used
29 to override a system-supplied configuration file with a local file if
30 needed. As a special case, an empty file (file size 0) or symlink with
31 the same name pointing to /dev/null disables the configuration file
32 entirely (it is "masked").
33 Along with the network file foo.network, a "drop-in" directory
35 foo.network.d/ may exist. All files with the suffix ".conf" from this
36 directory will be merged in the alphanumeric order and parsed after the
37 main file itself has been parsed. This is useful to alter or add
38 configuration settings, without having to modify the main configuration
39 file. Each drop-in file must have appropriate section headers.
40 In addition to /etc/systemd/network, drop-in ".d" directories can be
42 placed in /usr/lib/systemd/network or /run/systemd/network directories.
43 Drop-in files in /etc/ take precedence over those in /run/ which in
44 turn take precedence over those in /usr/lib/. Drop-in files under any
45 of these directories take precedence over the main network file
46 wherever located.
47
49 The network file contains a [Match] section, which determines if a
50 given network file may be applied to a given device; and a [Network]
51 section specifying how the device should be configured. The first (in
52 lexical order) of the network files that matches a given device is
53 applied, all later files are ignored, even if they match as well.
54 A network file is said to match a network interface if all matches
56 specified by the [Match] section are satisfied. When a network file
57 does not contain valid settings in [Match] section, then the file will
58 match all interfaces and systemd-networkd warns about that. Hint: to
59 avoid the warning and to make it clear that all interfaces shall be
60 matched, add the following:
61 Name=*
63 The following keys are accepted:
65 MACAddress=
67 A whitespace-separated list of hardware addresses. Use full colon-,
68 hyphen- or dot-delimited hexadecimal. See the example below. This
69 option may appear more than once, in which case the lists are
70 merged. If the empty string is assigned to this option, the list of
71 hardware addresses defined prior to this is reset.
72 Example:
74 MACAddress=01:23:45:67:89:ab 00-11-22-33-44-55 AABB.CCDD.EEFF
76 PermanentMACAddress=
78 A whitespace-separated list of hardware's permanent addresses.
79 While MACAddress= matches the device's current MAC address, this
80 matches the device's permanent MAC address, which may be different
81 from the current one. Use full colon-, hyphen- or dot-delimited
82 hexadecimal. This option may appear more than once, in which case
83 the lists are merged. If the empty string is assigned to this
84 option, the list of hardware addresses defined prior to this is
85 reset.
86 Path=
88 A whitespace-separated list of shell-style globs matching the
89 persistent path, as exposed by the udev property ID_PATH.
90 Driver=
92 A whitespace-separated list of shell-style globs matching the
93 driver currently bound to the device, as exposed by the udev
94 property ID_NET_DRIVER of its parent device, or if that is not set,
95 the driver as exposed by ethtool -i of the device itself. If the
96 list is prefixed with a "!", the test is inverted.
97 Type=
99 A whitespace-separated list of shell-style globs matching the
100 device type, as exposed by networkctl list. If the list is prefixed
101 with a "!", the test is inverted. Some valid values are "ether",
102 "loopback", "wlan", "wwan". Valid types are named either from the
103 udev "DEVTYPE" attribute, or "ARPHRD_" macros in linux/if_arp.h, so
104 this is not comprehensive.
105 Property=
107 A whitespace-separated list of udev property names with their
108 values after equals sign ("="). If multiple properties are
109 specified, the test results are ANDed. If the list is prefixed with
110 a "!", the test is inverted. If a value contains white spaces, then
111 please quote whole key and value pair. If a value contains
112 quotation, then please escape the quotation with "\".
113 Example: if a .link file has the following:
115 Property=ID_MODEL_ID=9999 "ID_VENDOR_FROM_DATABASE=vendor name" "KEY=with \"quotation\""
117 then, the .link file matches only when an interface has all the
119 above three properties.
120 Name=
122 A whitespace-separated list of shell-style globs matching the
123 device name, as exposed by the udev property "INTERFACE", or
124 device's alternative names. If the list is prefixed with a "!", the
125 test is inverted.
126 WLANInterfaceType=
128 A whitespace-separated list of wireless network type. Supported
129 values are "ad-hoc", "station", "ap", "ap-vlan", "wds", "monitor",
130 "mesh-point", "p2p-client", "p2p-go", "p2p-device", "ocb", and
131 "nan". If the list is prefixed with a "!", the test is inverted.
132 SSID=
134 A whitespace-separated list of shell-style globs matching the SSID
135 of the currently connected wireless LAN. If the list is prefixed
136 with a "!", the test is inverted.
137 BSSID=
139 A whitespace-separated list of hardware address of the currently
140 connected wireless LAN. Use full colon-, hyphen- or dot-delimited
141 hexadecimal. See the example in MACAddress=. This option may appear
142 more than once, in which case the lists are merged. If the empty
143 string is assigned to this option, the list is reset.
144 Host=
146 Matches against the hostname or machine ID of the host. See
147 ConditionHost= in systemd.unit(5) for details. When prefixed with
148 an exclamation mark ("!"), the result is negated. If an empty
149 string is assigned, then previously assigned value is cleared.
150 Virtualization=
152 Checks whether the system is executed in a virtualized environment
153 and optionally test whether it is a specific implementation. See
154 ConditionVirtualization= in systemd.unit(5) for details. When
155 prefixed with an exclamation mark ("!"), the result is negated. If
156 an empty string is assigned, then previously assigned value is
157 cleared.
158 KernelCommandLine=
160 Checks whether a specific kernel command line option is set. See
161 ConditionKernelCommandLine= in systemd.unit(5) for details. When
162 prefixed with an exclamation mark ("!"), the result is negated. If
163 an empty string is assigned, then previously assigned value is
164 cleared.
165 KernelVersion=
167 Checks whether the kernel version (as reported by uname -r) matches
168 a certain expression. See ConditionKernelVersion= in
169 systemd.unit(5) for details. When prefixed with an exclamation mark
170 ("!"), the result is negated. If an empty string is assigned, then
171 previously assigned value is cleared.
172 Architecture=
174 Checks whether the system is running on a specific architecture.
175 See ConditionArchitecture= in systemd.unit(5) for details. When
176 prefixed with an exclamation mark ("!"), the result is negated. If
177 an empty string is assigned, then previously assigned value is
178 cleared.
179 Firmware=
181 Checks whether the system is running on a machine with the
182 specified firmware. See ConditionFirmware= in systemd.unit(5) for
183 details. When prefixed with an exclamation mark ("!"), the result
184 is negated. If an empty string is assigned, then previously
185 assigned value is cleared.
186
188 The [Link] section accepts the following keys:
189 MACAddress=
191 The hardware address to set for the device.
192 MTUBytes=
194 The maximum transmission unit in bytes to set for the device. The
195 usual suffixes K, M, G, are supported and are understood to the
196 base of 1024.
197 Note that if IPv6 is enabled on the interface, and the MTU is
199 chosen below 1280 (the minimum MTU for IPv6) it will automatically
200 be increased to this value.
201 ARP=
203 Takes a boolean. If set to true, the ARP (low-level Address
204 Resolution Protocol) for this interface is enabled. When unset, the
205 kernel's default will be used.
206 For example, disabling ARP is useful when creating multiple MACVLAN
208 or VLAN virtual interfaces atop a single lower-level physical
209 interface, which will then only serve as a link/"bridge" device
210 aggregating traffic to the same physical link and not participate
211 in the network otherwise. Defaults to unset.
212 Multicast=
214 Takes a boolean. If set to true, the multicast flag on the device
215 is enabled. Defaults to unset.
216 AllMulticast=
218 Takes a boolean. If set to true, the driver retrieves all multicast
219 packets from the network. This happens when multicast routing is
220 enabled. Defaults to unset.
221 Promiscuous=
223 Takes a boolean. If set to true, promiscuous mode of the interface
224 is enabled. Defaults to unset.
225 Unmanaged=
227 Takes a boolean. When "yes", no attempts are made to bring up or
228 configure matching links, equivalent to when there are no matching
229 network files. Defaults to "no".
230 This is useful for preventing later matching network files from
232 interfering with certain interfaces that are fully controlled by
233 other applications.
234 Group=
236 Link groups are similar to port ranges found in managed switches.
237 When network interfaces are added to a numbered group, operations
238 on all the interfaces from that group can be performed at once.
239 Takes an unsigned integer in the range 0...4294967295. Defaults to
240 unset.
241 RequiredForOnline=
243 Takes a boolean or a minimum operational state and an optional
244 maximum operational state. Please see networkctl(1) for possible
245 operational states. When "yes", the network is deemed required when
246 determining whether the system is online (including when running
247 systemd-networkd-wait-online). When "no", the network is ignored
248 when determining the online state. When a minimum operational state
249 and an optional maximum operational state are set, "yes" is
250 implied, and this controls the minimum and maximum operational
251 state required for the network interface to be considered online.
252 Defaults to "yes" when ActivationPolicy= is not set, or set to
254 "up", "always-up", or "bound". Defaults to "no" when
255 ActivationPolicy= is set to "manual" or "down". This is forced to
256 "no" when ActivationPolicy= is set to "always-down".
257 The network will be brought up normally (as configured by
259 ActivationPolicy=), but in the event that there is no address being
260 assigned by DHCP or the cable is not plugged in, the link will
261 simply remain offline and be skipped automatically by
262 systemd-networkd-wait-online if "RequiredForOnline=no".
263 RequiredFamilyForOnline=
265 Takes an address family. When specified, an IP address in the given
266 family is deemed required when determining whether the link is
267 online (including when running systemd-networkd-wait-online). Takes
268 one of "ipv4", "ipv6", "both", or "any". Defaults to "any". Note
269 that this option has no effect if "RequiredForOnline=no", or if
270 "RequiredForOnline=" specifies a minimum operational state below
271 "degraded".
272 ActivationPolicy=
274 Specifies the policy for systemd-networkd managing the link
275 administrative state. Specifically, this controls how
276 systemd-networkd changes the network device's "IFF_UP" flag, which
277 is sometimes controlled by system administrators by running e.g.,
278 ip set dev eth0 up or ip set dev eth0 down, and can also be changed
279 with networkctl up eth0 or networkctl down eth0.
280 Takes one of "up", "always-up", "manual", "always-down", "down", or
282 "bound". When "manual", systemd-networkd will not change the link's
283 admin state automatically; the system administrator must bring the
284 interface up or down manually, as desired. When "up" (the default)
285 or "always-up", or "down" or "always-down", systemd-networkd will
286 set the link up or down, respectively, when the interface is
287 (re)configured. When "always-up" or "always-down", systemd-networkd
288 will set the link up or down, respectively, any time
289 systemd-networkd detects a change in the administrative state. When
290 BindCarrier= is also set, this is automatically set to "bound" and
291 any other value is ignored.
292 When the policy is set to "down" or "manual", the default value of
294 RequiredForOnline= is "no". When the policy is set to
295 "always-down", the value of RequiredForOnline= forced to "no".
296 The administrative state is not the same as the carrier state, so
298 using "always-up" does not mean the link will never lose carrier.
299 The link carrier depends on both the administrative state as well
300 as the network device's physical connection. However, to avoid
301 reconfiguration failures, when using "always-up",
302 IgnoreCarrierLoss= is forced to true.
303
305 The [SR-IOV] section accepts the following keys. Specify several
306 [SR-IOV] sections to configure several SR-IOVs. SR-IOV provides the
307 ability to partition a single physical PCI resource into virtual PCI
308 functions which can then be injected into a VM. In the case of network
309 VFs, SR-IOV improves north-south network performance (that is, traffic
310 with endpoints outside the host machine) by allowing traffic to bypass
311 the host machine’s network stack.
312 VirtualFunction=
314 Specifies a Virtual Function (VF), lightweight PCIe function
315 designed solely to move data in and out. Takes an unsigned integer
316 in the range 0...2147483646. This option is compulsory.
317 VLANId=
319 Specifies VLAN ID of the virtual function. Takes an unsigned
320 integer in the range 1...4095.
321 QualityOfService=
323 Specifies quality of service of the virtual function. Takes an
324 unsigned integer in the range 1...4294967294.
325 VLANProtocol=
327 Specifies VLAN protocol of the virtual function. Takes "802.1Q" or
328 "802.1ad".
329 MACSpoofCheck=
331 Takes a boolean. Controls the MAC spoof checking. When unset, the
332 kernel's default will be used.
333 QueryReceiveSideScaling=
335 Takes a boolean. Toggle the ability of querying the receive side
336 scaling (RSS) configuration of the virtual function (VF). The VF
337 RSS information like RSS hash key may be considered sensitive on
338 some devices where this information is shared between VF and the
339 physical function (PF). When unset, the kernel's default will be
340 used.
341 Trust=
343 Takes a boolean. Allows to set trust mode of the virtual function
344 (VF). When set, VF users can set a specific feature which may
345 impact security and/or performance. When unset, the kernel's
346 default will be used.
347 LinkState=
349 Allows to set the link state of the virtual function (VF). Takes a
350 boolean or a special value "auto". Setting to "auto" means a
351 reflection of the physical function (PF) link state, "yes" lets the
352 VF to communicate with other VFs on this host even if the PF link
353 state is down, "no" causes the hardware to drop any packets sent by
354 the VF. When unset, the kernel's default will be used.
355 MACAddress=
357 Specifies the MAC address for the virtual function.
358
360 The [Network] section accepts the following keys:
361 Description=
363 A description of the device. This is only used for presentation
364 purposes.
365 DHCP=
367 Enables DHCPv4 and/or DHCPv6 client support. Accepts "yes", "no",
368 "ipv4", or "ipv6". Defaults to "no".
369 Note that DHCPv6 will by default be triggered by Router
371 Advertisement, if that is enabled, regardless of this parameter. By
372 enabling DHCPv6 support explicitly, the DHCPv6 client will be
373 started regardless of the presence of routers on the link, or what
374 flags the routers pass. See "IPv6AcceptRA=".
375 Furthermore, note that by default the domain name specified through
377 DHCP is not used for name resolution. See option UseDomains= below.
378 See the [DHCPv4] or [DHCPv6] sections below for further
380 configuration options for the DHCP client support.
381 DHCPServer=
383 Takes a boolean. If set to "yes", DHCPv4 server will be started.
384 Defaults to "no". Further settings for the DHCP server may be set
385 in the [DHCPServer] section described below.
386 LinkLocalAddressing=
388 Enables link-local address autoconfiguration. Accepts yes, no,
389 ipv4, and ipv6. An IPv6 link-local address is configured when yes
390 or ipv6. An IPv4 link-local address is configured when yes or ipv4
391 and when DHCPv4 autoconfiguration has been unsuccessful for some
392 time. (IPv4 link-local address autoconfiguration will usually
393 happen in parallel with repeated attempts to acquire a DHCPv4
394 lease).
395 Defaults to no when Bridge=yes is set, and ipv6 otherwise.
397 IPv6LinkLocalAddressGenerationMode=
399 Specifies how IPv6 link local address is generated. Takes one of
400 "eui64", "none", "stable-privacy" and "random". When unset,
401 "stable-privacy" is used if IPv6StableSecretAddress= is specified,
402 and if not, "eui64" is used. Note that if LinkLocalAddressing= is
403 "no" or "ipv4", then IPv6LinkLocalAddressGenerationMode= will be
404 ignored. Also, even if LinkLocalAddressing= is "yes" or "ipv6",
405 setting IPv6LinkLocalAddressGenerationMode=none disables to
406 configure an IPv6 link-local address.
407 IPv6StableSecretAddress=
409 Takes an IPv6 address. The specified address will be used as a
410 stable secret for generating IPv6 link-local address. If this
411 setting is specified, and IPv6LinkLocalAddressGenerationMode= is
412 unset, then IPv6LinkLocalAddressGenerationMode=stable-privacy is
413 implied. If this setting is not specified, and "stable-privacy" is
414 set to IPv6LinkLocalAddressGenerationMode=, then a stable secret
415 address will be generated from the local machine ID and the
416 interface name.
417 IPv4LLRoute=
419 Takes a boolean. If set to true, sets up the route needed for
420 non-IPv4LL hosts to communicate with IPv4LL-only hosts. Defaults to
421 false.
422 DefaultRouteOnDevice=
424 Takes a boolean. If set to true, sets up the default route bound to
425 the interface. Defaults to false. This is useful when creating
426 routes on point-to-point interfaces. This is equivalent to e.g. the
427 following,
428 ip route add default dev veth99
430 or,
432 [Route]
434 Gateway=0.0.0.0
435 Currently, there are no way to specify e.g., the table for the
437 route configured by this setting. To configure the default route
438 with such an additional property, please use the following instead:
439 [Route]
441 Gateway=0.0.0.0
442 Table=1234
443 IPv6Token=
445 Specifies an optional address generation mode for the Stateless
446 Address Autoconfiguration (SLAAC). Supported modes are
447 "prefixstable" and "static".
448 When the mode is set to "static", an IPv6 address must be specified
450 after a colon (":"), and the lower bits of the supplied address are
451 combined with the upper bits of a prefix received in a Router
452 Advertisement (RA) message to form a complete address. Note that if
453 multiple prefixes are received in an RA message, or in multiple RA
454 messages, addresses will be formed from each of them using the
455 supplied address. This mode implements SLAAC but uses a static
456 interface identifier instead of an identifier generated by using
457 the EUI-64 algorithm. Because the interface identifier is static,
458 if Duplicate Address Detection detects that the computed address is
459 a duplicate (in use by another node on the link), then this mode
460 will fail to provide an address for that prefix. If an IPv6 address
461 without mode is specified, then "static" mode is assumed.
462 When the mode is set to "prefixstable" the RFC 7217[1] algorithm
464 for generating interface identifiers will be used. This mode can
465 optionally take an IPv6 address separated with a colon (":"). If an
466 IPv6 address is specified, then an interface identifier is
467 generated only when a prefix received in an RA message matches the
468 supplied address.
469 If no address generation mode is specified (which is the default),
471 or a received prefix does not match any of the addresses provided
472 in "prefixstable" mode, then the EUI-64 algorithm will be used to
473 form an interface identifier for that prefix. This mode is also
474 SLAAC, but with a potentially stable interface identifier which
475 does not directly map to the interface's hardware address.
476 Note that the "prefixstable" algorithm uses both the interface name
478 and MAC address as input to the hash to compute the interface
479 identifier, so if either of those are changed the resulting
480 interface identifier (and address) will change, even if the prefix
481 received in the RA message has not changed.
482 This setting can be specified multiple times. If an empty string is
484 assigned, then the all previous assignments are cleared.
485 Examples:
487 IPv6Token=::1a:2b:3c:4d
489 IPv6Token=static:::1a:2b:3c:4d
490 IPv6Token=prefixstable
491 IPv6Token=prefixstable:2002:da8:1::
492 LLMNR=
494 Takes a boolean or "resolve". When true, enables Link-Local
495 Multicast Name Resolution[2] on the link. When set to "resolve",
496 only resolution is enabled, but not host registration and
497 announcement. Defaults to true. This setting is read by systemd-
498 resolved.service(8).
499 MulticastDNS=
501 Takes a boolean or "resolve". When true, enables Multicast DNS[3]
502 support on the link. When set to "resolve", only resolution is
503 enabled, but not host or service registration and announcement.
504 Defaults to false. This setting is read by systemd-
505 resolved.service(8).
506 DNSOverTLS=
508 Takes a boolean or "opportunistic". When true, enables
509 DNS-over-TLS[4] support on the link. When set to "opportunistic",
510 compatibility with non-DNS-over-TLS servers is increased, by
511 automatically turning off DNS-over-TLS servers in this case. This
512 option defines a per-interface setting for resolved.conf(5)'s
513 global DNSOverTLS= option. Defaults to false. This setting is read
514 by systemd-resolved.service(8).
515 DNSSEC=
517 Takes a boolean or "allow-downgrade". When true, enables DNSSEC[5]
518 DNS validation support on the link. When set to "allow-downgrade",
519 compatibility with non-DNSSEC capable networks is increased, by
520 automatically turning off DNSSEC in this case. This option defines
521 a per-interface setting for resolved.conf(5)'s global DNSSEC=
522 option. Defaults to false. This setting is read by systemd-
523 resolved.service(8).
524 DNSSECNegativeTrustAnchors=
526 A space-separated list of DNSSEC negative trust anchor domains. If
527 specified and DNSSEC is enabled, look-ups done via the interface's
528 DNS server will be subject to the list of negative trust anchors,
529 and not require authentication for the specified domains, or
530 anything below it. Use this to disable DNSSEC authentication for
531 specific private domains, that cannot be proven valid using the
532 Internet DNS hierarchy. Defaults to the empty list. This setting is
533 read by systemd-resolved.service(8).
534 LLDP=
536 Controls support for Ethernet LLDP packet reception. LLDP is a
537 link-layer protocol commonly implemented on professional routers
538 and bridges which announces which physical port a system is
539 connected to, as well as other related data. Accepts a boolean or
540 the special value "routers-only". When true, incoming LLDP packets
541 are accepted and a database of all LLDP neighbors maintained. If
542 "routers-only" is set only LLDP data of various types of routers is
543 collected and LLDP data about other types of devices ignored (such
544 as stations, telephones and others). If false, LLDP reception is
545 disabled. Defaults to "routers-only". Use networkctl(1) to query
546 the collected neighbor data. LLDP is only available on Ethernet
547 links. See EmitLLDP= below for enabling LLDP packet emission from
548 the local system.
549 EmitLLDP=
551 Controls support for Ethernet LLDP packet emission. Accepts a
552 boolean parameter or the special values "nearest-bridge",
553 "non-tpmr-bridge" and "customer-bridge". Defaults to false, which
554 turns off LLDP packet emission. If not false, a short LLDP packet
555 with information about the local system is sent out in regular
556 intervals on the link. The LLDP packet will contain information
557 about the local hostname, the local machine ID (as stored in
558 machine-id(5)) and the local interface name, as well as the pretty
559 hostname of the system (as set in machine-info(5)). LLDP emission
560 is only available on Ethernet links. Note that this setting passes
561 data suitable for identification of host to the network and should
562 thus not be enabled on untrusted networks, where such
563 identification data should not be made available. Use this option
564 to permit other systems to identify on which interfaces they are
565 connected to this system. The three special values control
566 propagation of the LLDP packets. The "nearest-bridge" setting
567 permits propagation only to the nearest connected bridge,
568 "non-tpmr-bridge" permits propagation across Two-Port MAC Relays,
569 but not any other bridges, and "customer-bridge" permits
570 propagation until a customer bridge is reached. For details about
571 these concepts, see IEEE 802.1AB-2016[6]. Note that configuring
572 this setting to true is equivalent to "nearest-bridge", the
573 recommended and most restricted level of propagation. See LLDP=
574 above for an option to enable LLDP reception.
575 BindCarrier=
577 A link name or a list of link names. When set, controls the
578 behavior of the current link. When all links in the list are in an
579 operational down state, the current link is brought down. When at
580 least one link has carrier, the current interface is brought up.
581 This forces ActivationPolicy= to be set to "bound".
583 Address=
585 A static IPv4 or IPv6 address and its prefix length, separated by a
586 "/" character. Specify this key more than once to configure several
587 addresses. The format of the address must be as described in
588 inet_pton(3). This is a short-hand for an [Address] section only
589 containing an Address key (see below). This option may be specified
590 more than once.
591 If the specified address is "0.0.0.0" (for IPv4) or "::" (for
593 IPv6), a new address range of the requested size is automatically
594 allocated from a system-wide pool of unused ranges. Note that the
595 prefix length must be equal or larger than 8 for IPv4, and 64 for
596 IPv6. The allocated range is checked against all current network
597 interfaces and all known network configuration files to avoid
598 address range conflicts. The default system-wide pool consists of
599 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8 for IPv4, and fd00::/8
600 for IPv6. This functionality is useful to manage a large number of
601 dynamically created network interfaces with the same network
602 configuration and automatic address range assignment.
603 Gateway=
605 The gateway address, which must be in the format described in
606 inet_pton(3). This is a short-hand for a [Route] section only
607 containing a Gateway key. This option may be specified more than
608 once.
609 DNS=
611 A DNS server address, which must be in the format described in
612 inet_pton(3). This option may be specified more than once. Each
613 address can optionally take a port number separated with ":", a
614 network interface name or index separated with "%", and a Server
615 Name Indication (SNI) separated with "#". When IPv6 address is
616 specified with a port number, then the address must be in the
617 square brackets. That is, the acceptable full formats are
618 "111.222.333.444:9953%ifname#example.com" for IPv4 and
619 "[1111:2222::3333]:9953%ifname#example.com" for IPv6. If an empty
620 string is assigned, then the all previous assignments are cleared.
621 This setting is read by systemd-resolved.service(8).
622 Domains=
624 A whitespace-separated list of domains which should be resolved
625 using the DNS servers on this link. Each item in the list should be
626 a domain name, optionally prefixed with a tilde ("~"). The domains
627 with the prefix are called "routing-only domains". The domains
628 without the prefix are called "search domains" and are first used
629 as search suffixes for extending single-label hostnames (hostnames
630 containing no dots) to become fully qualified domain names (FQDNs).
631 If a single-label hostname is resolved on this interface, each of
632 the specified search domains are appended to it in turn, converting
633 it into a fully qualified domain name, until one of them may be
634 successfully resolved.
635 Both "search" and "routing-only" domains are used for routing of
637 DNS queries: look-ups for hostnames ending in those domains (hence
638 also single label names, if any "search domains" are listed), are
639 routed to the DNS servers configured for this interface. The domain
640 routing logic is particularly useful on multi-homed hosts with DNS
641 servers serving particular private DNS zones on each interface.
642 The "routing-only" domain "~." (the tilde indicating definition of
644 a routing domain, the dot referring to the DNS root domain which is
645 the implied suffix of all valid DNS names) has special effect. It
646 causes all DNS traffic which does not match another configured
647 domain routing entry to be routed to DNS servers specified for this
648 interface. This setting is useful to prefer a certain set of DNS
649 servers if a link on which they are connected is available.
650 This setting is read by systemd-resolved.service(8). "Search
652 domains" correspond to the domain and search entries in
653 resolv.conf(5). Domain name routing has no equivalent in the
654 traditional glibc API, which has no concept of domain name servers
655 limited to a specific link.
656 DNSDefaultRoute=
658 Takes a boolean argument. If true, this link's configured DNS
659 servers are used for resolving domain names that do not match any
660 link's configured Domains= setting. If false, this link's
661 configured DNS servers are never used for such domains, and are
662 exclusively used for resolving names that match at least one of the
663 domains configured on this link. If not specified defaults to an
664 automatic mode: queries not matching any link's configured domains
665 will be routed to this link if it has no routing-only domains
666 configured.
667 NTP=
669 An NTP server address (either an IP address, or a hostname). This
670 option may be specified more than once. This setting is read by
671 systemd-timesyncd.service(8).
672 IPForward=
674 Configures IP packet forwarding for the system. If enabled,
675 incoming packets on any network interface will be forwarded to any
676 other interfaces according to the routing table. Takes a boolean,
677 or the values "ipv4" or "ipv6", which only enable IP packet
678 forwarding for the specified address family. This controls the
679 net.ipv4.ip_forward and net.ipv6.conf.all.forwarding sysctl options
680 of the network interface (see ip-sysctl.txt[7] for details about
681 sysctl options). Defaults to "no".
682 Note: this setting controls a global kernel option, and does so one
684 way only: if a network that has this setting enabled is set up the
685 global setting is turned on. However, it is never turned off again,
686 even after all networks with this setting enabled are shut down
687 again.
688 To allow IP packet forwarding only between specific network
690 interfaces use a firewall.
691 IPMasquerade=
693 Configures IP masquerading for the network interface. If enabled,
694 packets forwarded from the network interface will be appear as
695 coming from the local host. Takes one of "ipv4", "ipv6", "both", or
696 "no". Defaults to "no". If enabled, this automatically sets
697 IPForward= to one of "ipv4", "ipv6" or "yes".
698 Note. Any positive boolean values such as "yes" or "true" are now
700 deprecated. Please use one of the values in the above.
701 IPv6PrivacyExtensions=
703 Configures use of stateless temporary addresses that change over
704 time (see RFC 4941[8], Privacy Extensions for Stateless Address
705 Autoconfiguration in IPv6). Takes a boolean or the special values
706 "prefer-public" and "kernel". When true, enables the privacy
707 extensions and prefers temporary addresses over public addresses.
708 When "prefer-public", enables the privacy extensions, but prefers
709 public addresses over temporary addresses. When false, the privacy
710 extensions remain disabled. When "kernel", the kernel's default
711 setting will be left in place. Defaults to "no".
712 IPv6AcceptRA=
714 Takes a boolean. Controls IPv6 Router Advertisement (RA) reception
715 support for the interface. If true, RAs are accepted; if false, RAs
716 are ignored. When RAs are accepted, they may trigger the start of
717 the DHCPv6 client if the relevant flags are set in the RA data, or
718 if no routers are found on the link. The default is to disable RA
719 reception for bridge devices or when IP forwarding is enabled, and
720 to enable it otherwise. Cannot be enabled on bond devices and when
721 link local addressing is disabled.
722 Further settings for the IPv6 RA support may be configured in the
724 [IPv6AcceptRA] section, see below.
725 Also see ip-sysctl.txt[7] in the kernel documentation regarding
727 "accept_ra", but note that systemd's setting of 1 (i.e. true)
728 corresponds to kernel's setting of 2.
729 Note that kernel's implementation of the IPv6 RA protocol is always
731 disabled, regardless of this setting. If this option is enabled, a
732 userspace implementation of the IPv6 RA protocol is used, and the
733 kernel's own implementation remains disabled, since
734 systemd-networkd needs to know all details supplied in the
735 advertisements, and these are not available from the kernel if the
736 kernel's own implementation is used.
737 IPv6DuplicateAddressDetection=
739 Configures the amount of IPv6 Duplicate Address Detection (DAD)
740 probes to send. When unset, the kernel's default will be used.
741 IPv6HopLimit=
743 Configures IPv6 Hop Limit. For each router that forwards the
744 packet, the hop limit is decremented by 1. When the hop limit field
745 reaches zero, the packet is discarded. When unset, the kernel's
746 default will be used.
747 IPv4AcceptLocal=
749 Takes a boolean. Accept packets with local source addresses. In
750 combination with suitable routing, this can be used to direct
751 packets between two local interfaces over the wire and have them
752 accepted properly. When unset, the kernel's default will be used.
753 IPv4RouteLocalnet=
755 Takes a boolean. When true, the kernel does not consider loopback
756 addresses as martian source or destination while routing. This
757 enables the use of 127.0.0.0/8 for local routing purposes. When
758 unset, the kernel's default will be used.
759 IPv4ProxyARP=
761 Takes a boolean. Configures proxy ARP for IPv4. Proxy ARP is the
762 technique in which one host, usually a router, answers ARP requests
763 intended for another machine. By "faking" its identity, the router
764 accepts responsibility for routing packets to the "real"
765 destination. See RFC 1027[9]. When unset, the kernel's default will
766 be used.
767 IPv6ProxyNDP=
769 Takes a boolean. Configures proxy NDP for IPv6. Proxy NDP (Neighbor
770 Discovery Protocol) is a technique for IPv6 to allow routing of
771 addresses to a different destination when peers expect them to be
772 present on a certain physical link. In this case a router answers
773 Neighbour Advertisement messages intended for another machine by
774 offering its own MAC address as destination. Unlike proxy ARP for
775 IPv4, it is not enabled globally, but will only send Neighbour
776 Advertisement messages for addresses in the IPv6 neighbor proxy
777 table, which can also be shown by ip -6 neighbour show proxy.
778 systemd-networkd will control the per-interface `proxy_ndp` switch
779 for each configured interface depending on this option. When unset,
780 the kernel's default will be used.
781 IPv6ProxyNDPAddress=
783 An IPv6 address, for which Neighbour Advertisement messages will be
784 proxied. This option may be specified more than once.
785 systemd-networkd will add the IPv6ProxyNDPAddress= entries to the
786 kernel's IPv6 neighbor proxy table. This option implies
787 IPv6ProxyNDP=yes but has no effect if IPv6ProxyNDP has been set to
788 false. When unset, the kernel's default will be used.
789 IPv6SendRA=
791 Whether to enable or disable Router Advertisement sending on a
792 link. Takes a boolean value. When enabled, prefixes configured in
793 [IPv6Prefix] sections and routes configured in [IPv6RoutePrefix]
794 sections are distributed as defined in the [IPv6SendRA] section. If
795 DHCPv6PrefixDelegation= is enabled, then the delegated prefixes are
796 also distributed. See DHCPv6PrefixDelegation= setting and the
797 [IPv6SendRA], [IPv6Prefix], [IPv6RoutePrefix], and
798 [DHCPv6PrefixDelegation] sections for more configuration options.
799 DHCPv6PrefixDelegation=
801 Takes a boolean value. When enabled, requests prefixes using a
802 DHCPv6 client configured on another link. By default, an address
803 within each delegated prefix will be assigned, and the prefixes
804 will be announced through IPv6 Router Advertisement when
805 IPv6SendRA= is enabled. Such default settings can be configured in
806 [DHCPv6PrefixDelegation] section. Defaults to disabled.
807 IPv6MTUBytes=
809 Configures IPv6 maximum transmission unit (MTU). An integer greater
810 than or equal to 1280 bytes. When unset, the kernel's default will
811 be used.
812 BatmanAdvanced=, Bond=, Bridge=, VRF=
814 The name of the B.A.T.M.A.N. Advanced, bond, bridge, or VRF
815 interface to add the link to. See systemd.netdev(5).
816 IPVLAN=, IPVTAP=, L2TP=, MACsec=, MACVLAN=, MACVTAP=, Tunnel=, VLAN=,
818 VXLAN=, Xfrm=
819 The name of an IPVLAN, IPVTAP, L2TP, MACsec, MACVLAN, MACVTAP,
820 tunnel, VLAN, VXLAN, or Xfrm to be created on the link. See
821 systemd.netdev(5). This option may be specified more than once.
822 ActiveSlave=
824 Takes a boolean. Specifies the new active slave. The "ActiveSlave="
825 option is only valid for following modes: "active-backup",
826 "balance-alb" and "balance-tlb". Defaults to false.
827 PrimarySlave=
829 Takes a boolean. Specifies which slave is the primary device. The
830 specified device will always be the active slave while it is
831 available. Only when the primary is off-line will alternate devices
832 be used. This is useful when one slave is preferred over another,
833 e.g. when one slave has higher throughput than another. The
834 "PrimarySlave=" option is only valid for following modes:
835 "active-backup", "balance-alb" and "balance-tlb". Defaults to
836 false.
837 ConfigureWithoutCarrier=
839 Takes a boolean. Allows networkd to configure a specific link even
840 if it has no carrier. Defaults to false. If IgnoreCarrierLoss= is
841 not explicitly set, it will default to this value.
842 IgnoreCarrierLoss=
844 Takes a boolean. Allows networkd to retain both the static and
845 dynamic configuration of the interface even if its carrier is lost.
846 When unset, the value specified with ConfigureWithoutCarrier= is
847 used.
848 When ActivationPolicy= is set to "always-up", this is forced to
850 "true".
851 KeepConfiguration=
853 Takes a boolean or one of "static", "dhcp-on-stop", "dhcp". When
854 "static", systemd-networkd will not drop static addresses and
855 routes on starting up process. When set to "dhcp-on-stop",
856 systemd-networkd will not drop addresses and routes on stopping the
857 daemon. When "dhcp", the addresses and routes provided by a DHCP
858 server will never be dropped even if the DHCP lease expires. This
859 is contrary to the DHCP specification, but may be the best choice
860 if, e.g., the root filesystem relies on this connection. The
861 setting "dhcp" implies "dhcp-on-stop", and "yes" implies "dhcp" and
862 "static". Defaults to "no".
863
865 An [Address] section accepts the following keys. Specify several
866 [Address] sections to configure several addresses.
867 Address=
869 As in the [Network] section. This key is mandatory. Each [Address]
870 section can contain one Address= setting.
871 Peer=
873 The peer address in a point-to-point connection. Accepts the same
874 format as the Address= key.
875 Broadcast=
877 Takes an IPv4 address or boolean value. The address must be in the
878 format described in inet_pton(3). If set to true, then the IPv4
879 broadcast address will be derived from the Address= setting. If set
880 to false, then the broadcast address will not be set. Defaults to
881 true, except for wireguard interfaces, where it default to false.
882 Label=
884 An address label.
885 PreferredLifetime=
887 Allows the default "preferred lifetime" of the address to be
888 overridden. Only three settings are accepted: "forever",
889 "infinity", which is the default and means that the address never
890 expires, and "0", which means that the address is considered
891 immediately "expired" and will not be used, unless explicitly
892 requested. A setting of PreferredLifetime=0 is useful for addresses
893 which are added to be used only by a specific application, which is
894 then configured to use them explicitly.
895 Scope=
897 The scope of the address, which can be "global" (valid everywhere
898 on the network, even through a gateway), "link" (only valid on this
899 device, will not traverse a gateway) or "host" (only valid within
900 the device itself, e.g. 127.0.0.1) or an unsigned integer in the
901 range 0...255. Defaults to "global".
902 RouteMetric=
904 The metric of the prefix route, which is pointing to the subnet of
905 the configured IP address, taking the configured prefix length into
906 account. Takes an unsigned integer in the range 0...4294967295.
907 When unset or set to 0, the kernel's default value is used. This
908 setting will be ignored when AddPrefixRoute= is false.
909 HomeAddress=
911 Takes a boolean. Designates this address the "home address" as
912 defined in RFC 6275[10]. Supported only on IPv6. Defaults to false.
913 DuplicateAddressDetection=
915 Takes one of "ipv4", "ipv6", "both", "none". When "ipv4", performs
916 IPv4 Address Conflict Detection. See RFC 5227[11]. When "ipv6",
917 performs IPv6 Duplicate Address Detection. See RFC 4862[12].
918 Defaults to "ipv6".
919 ManageTemporaryAddress=
921 Takes a boolean. If true the kernel manage temporary addresses
922 created from this one as template on behalf of Privacy Extensions
923 RFC 3041[13]. For this to become active, the use_tempaddr sysctl
924 setting has to be set to a value greater than zero. The given
925 address needs to have a prefix length of 64. This flag allows using
926 privacy extensions in a manually configured network, just like if
927 stateless auto-configuration was active. Defaults to false.
928 AddPrefixRoute=
930 Takes a boolean. When true, the prefix route for the address is
931 automatically added. Defaults to true.
932 AutoJoin=
934 Takes a boolean. Joining multicast group on ethernet level via ip
935 maddr command would not work if we have an Ethernet switch that
936 does IGMP snooping since the switch would not replicate multicast
937 packets on ports that did not have IGMP reports for the multicast
938 addresses. Linux vxlan interfaces created via ip link add vxlan or
939 networkd's netdev kind vxlan have the group option that enables
940 then to do the required join. By extending ip address command with
941 option "autojoin" we can get similar functionality for openvswitch
942 (OVS) vxlan interfaces as well as other tunneling mechanisms that
943 need to receive multicast traffic. Defaults to "no".
944
946 A [Neighbor] section accepts the following keys. The neighbor section
947 adds a permanent, static entry to the neighbor table (IPv6) or ARP
948 table (IPv4) for the given hardware address on the links matched for
949 the network. Specify several [Neighbor] sections to configure several
950 static neighbors.
951 Address=
953 The IP address of the neighbor.
954 LinkLayerAddress=
956 The link layer address (MAC address or IP address) of the neighbor.
957
959 An [IPv6AddressLabel] section accepts the following keys. Specify
960 several [IPv6AddressLabel] sections to configure several address
961 labels. IPv6 address labels are used for address selection. See RFC
962 3484[14]. Precedence is managed by userspace, and only the label itself
963 is stored in the kernel.
964 Label=
966 The label for the prefix, an unsigned integer in the range
967 0–4294967294. 0xffffffff is reserved. This setting is mandatory.
968 Prefix=
970 IPv6 prefix is an address with a prefix length, separated by a
971 slash "/" character. This key is mandatory.
972
974 An [RoutingPolicyRule] section accepts the following keys. Specify
975 several [RoutingPolicyRule] sections to configure several rules.
976 TypeOfService=
978 Takes a number between 0 and 255 that specifies the type of service
979 to match.
980 From=
982 Specifies the source address prefix to match. Possibly followed by
983 a slash and the prefix length.
984 To=
986 Specifies the destination address prefix to match. Possibly
987 followed by a slash and the prefix length.
988 FirewallMark=
990 Specifies the iptables firewall mark value to match (a number
991 between 1 and 4294967295). Optionally, the firewall mask (also a
992 number between 1 and 4294967295) can be suffixed with a slash
993 ("/"), e.g., "7/255".
994 Table=
996 Specifies the routing table identifier to lookup if the rule
997 selector matches. Takes one of predefined names "default", "main",
998 and "local", and names defined in RouteTable= in networkd.conf(5),
999 or a number between 1 and 4294967295. Defaults to "main".
1000 Priority=
1002 Specifies the priority of this rule. Priority= is an unsigned
1003 integer in the range 0...4294967295. Higher number means lower
1004 priority, and rules get processed in order of increasing number.
1005 Defaults to unset, and the kernel will pick a value dynamically.
1006 IncomingInterface=
1008 Specifies incoming device to match. If the interface is loopback,
1009 the rule only matches packets originating from this host.
1010 OutgoingInterface=
1012 Specifies the outgoing device to match. The outgoing interface is
1013 only available for packets originating from local sockets that are
1014 bound to a device.
1015 SourcePort=
1017 Specifies the source IP port or IP port range match in forwarding
1018 information base (FIB) rules. A port range is specified by the
1019 lower and upper port separated by a dash. Defaults to unset.
1020 DestinationPort=
1022 Specifies the destination IP port or IP port range match in
1023 forwarding information base (FIB) rules. A port range is specified
1024 by the lower and upper port separated by a dash. Defaults to unset.
1025 IPProtocol=
1027 Specifies the IP protocol to match in forwarding information base
1028 (FIB) rules. Takes IP protocol name such as "tcp", "udp" or "sctp",
1029 or IP protocol number such as "6" for "tcp" or "17" for "udp".
1030 Defaults to unset.
1031 InvertRule=
1033 A boolean. Specifies whether the rule is to be inverted. Defaults
1034 to false.
1035 Family=
1037 Takes a special value "ipv4", "ipv6", or "both". By default, the
1038 address family is determined by the address specified in To= or
1039 From=. If neither To= nor From= are specified, then defaults to
1040 "ipv4".
1041 User=
1043 Takes a username, a user ID, or a range of user IDs separated by a
1044 dash. Defaults to unset.
1045 SuppressPrefixLength=
1047 Takes a number N in the range 0...128 and rejects routing decisions
1048 that have a prefix length of N or less. Defaults to unset.
1049 Type=
1051 Specifies Routing Policy Database (RPDB) rule type. Takes one of
1052 "blackhole", "unreachable" or "prohibit".
1053
1055 The [NextHop] section is used to manipulate entries in the kernel's
1056 "nexthop" tables. The [NextHop] section accepts the following keys.
1057 Specify several [NextHop] sections to configure several hops.
1058 Id=
1060 The id of the next hop. Takes an unsigned integer in the range
1061 1...4294967295. If left unspecified, then automatically chosen by
1062 kernel.
1063 Gateway=
1065 As in the [Network] section.
1066 Family=
1068 Takes one of the special values "ipv4" or "ipv6". By default, the
1069 family is determined by the address specified in Gateway=. If
1070 Gateway= is not specified, then defaults to "ipv4".
1071 OnLink=
1073 Takes a boolean. If set to true, the kernel does not have to check
1074 if the gateway is reachable directly by the current machine (i.e.,
1075 attached to the local network), so that we can insert the nexthop
1076 in the kernel table without it being complained about. Defaults to
1077 "no".
1078 Blackhole=
1080 Takes a boolean. If enabled, packets to the corresponding routes
1081 are discarded silently, and Gateway= cannot be specified. Defaults
1082 to "no".
1083 Group=
1085 Takes a whitespace separated list of nexthop IDs. Each ID must be
1086 in the range 1...4294967295. Optionally, each nexthop ID can take a
1087 weight after a colon ("id[:weight]"). The weight must be in the
1088 range 1...255. If the weight is not specified, then it is assumed
1089 that the weight is 1. This setting cannot be specified with
1090 Gateway=, Family=, Blackhole=. This setting can be specified
1091 multiple times. If an empty string is assigned, then the all
1092 previous assignments are cleared. Defaults to unset.
1093
1095 The [Route] section accepts the following keys. Specify several [Route]
1096 sections to configure several routes.
1097 Gateway=
1099 Takes the gateway address or the special values "_dhcp4" and
1100 "_ipv6ra". If "_dhcp4" or "_ipv6ra" is set, then the gateway
1101 address provided by DHCPv4 or IPv6 RA is used.
1102 GatewayOnLink=
1104 Takes a boolean. If set to true, the kernel does not have to check
1105 if the gateway is reachable directly by the current machine (i.e.,
1106 attached to the local network), so that we can insert the route in
1107 the kernel table without it being complained about. Defaults to
1108 "no".
1109 Destination=
1111 The destination prefix of the route. Possibly followed by a slash
1112 and the prefix length. If omitted, a full-length host route is
1113 assumed.
1114 Source=
1116 The source prefix of the route. Possibly followed by a slash and
1117 the prefix length. If omitted, a full-length host route is assumed.
1118 Metric=
1120 The metric of the route. Takes an unsigned integer in the range
1121 0...4294967295. Defaults to unset, and the kernel's default will be
1122 used.
1123 IPv6Preference=
1125 Specifies the route preference as defined in RFC 4191[15] for
1126 Router Discovery messages. Which can be one of "low" the route has
1127 a lowest priority, "medium" the route has a default priority or
1128 "high" the route has a highest priority.
1129 Scope=
1131 The scope of the IPv4 route, which can be "global", "site", "link",
1132 "host", or "nowhere":
1133 • "global" means the route can reach hosts more than one hop
1135 away.
1136 • "site" means an interior route in the local autonomous system.
1138 • "link" means the route can only reach hosts on the local
1140 network (one hop away).
1141 • "host" means the route will not leave the local machine (used
1143 for internal addresses like 127.0.0.1).
1144 • "nowhere" means the destination doesn't exist.
1146 For IPv4 route, defaults to "host" if Type= is "local" or "nat",
1148 and "link" if Type= is "broadcast", "multicast", or "anycast". In
1149 other cases, defaults to "global". The value is not used for IPv6.
1150 PreferredSource=
1152 The preferred source address of the route. The address must be in
1153 the format described in inet_pton(3).
1154 Table=
1156 The table identifier for the route. Takes one of predefined names
1157 "default", "main", and "local", and names defined in RouteTable= in
1158 networkd.conf(5), or a number between 1 and 4294967295. The table
1159 can be retrieved using ip route show table num. If unset and Type=
1160 is "local", "broadcast", "anycast", or "nat", then "local" is used.
1161 In other cases, defaults to "main".
1162 Protocol=
1164 The protocol identifier for the route. Takes a number between 0 and
1165 255 or the special values "kernel", "boot", "static", "ra" and
1166 "dhcp". Defaults to "static".
1167 Type=
1169 Specifies the type for the route. Takes one of "unicast", "local",
1170 "broadcast", "anycast", "multicast", "blackhole", "unreachable",
1171 "prohibit", "throw", "nat", and "xresolve". If "unicast", a regular
1172 route is defined, i.e. a route indicating the path to take to a
1173 destination network address. If "blackhole", packets to the defined
1174 route are discarded silently. If "unreachable", packets to the
1175 defined route are discarded and the ICMP message "Host Unreachable"
1176 is generated. If "prohibit", packets to the defined route are
1177 discarded and the ICMP message "Communication Administratively
1178 Prohibited" is generated. If "throw", route lookup in the current
1179 routing table will fail and the route selection process will return
1180 to Routing Policy Database (RPDB). Defaults to "unicast".
1181 InitialCongestionWindow=
1183 The TCP initial congestion window is used during the start of a TCP
1184 connection. During the start of a TCP session, when a client
1185 requests a resource, the server's initial congestion window
1186 determines how many packets will be sent during the initial burst
1187 of data without waiting for acknowledgement. Takes a number between
1188 1 and 1023. Note that 100 is considered an extremely large value
1189 for this option. When unset, the kernel's default (typically 10)
1190 will be used.
1191 InitialAdvertisedReceiveWindow=
1193 The TCP initial advertised receive window is the amount of receive
1194 data (in bytes) that can initially be buffered at one time on a
1195 connection. The sending host can send only that amount of data
1196 before waiting for an acknowledgment and window update from the
1197 receiving host. Takes a number between 1 and 1023. Note that 100 is
1198 considered an extremely large value for this option. When unset,
1199 the kernel's default will be used.
1200 QuickAck=
1202 Takes a boolean. When true enables TCP quick ack mode for the
1203 route. When unset, the kernel's default will be used.
1204 FastOpenNoCookie=
1206 Takes a boolean. When true enables TCP fastopen without a cookie on
1207 a per-route basis. When unset, the kernel's default will be used.
1208 TTLPropagate=
1210 Takes a boolean. When true enables TTL propagation at Label
1211 Switched Path (LSP) egress. When unset, the kernel's default will
1212 be used.
1213 MTUBytes=
1215 The maximum transmission unit in bytes to set for the route. The
1216 usual suffixes K, M, G, are supported and are understood to the
1217 base of 1024.
1218 Note that if IPv6 is enabled on the interface, and the MTU is
1220 chosen below 1280 (the minimum MTU for IPv6) it will automatically
1221 be increased to this value.
1222 IPServiceType=
1224 Takes string; "CS6" or "CS4". Used to set IP service type to CS6
1225 (network control) or CS4 (Realtime). Defaults to CS6.
1226 TCPAdvertisedMaximumSegmentSize=
1228 Specifies the Path MSS (in bytes) hints given on TCP layer. The
1229 usual suffixes K, M, G, are supported and are understood to the
1230 base of 1024. An unsigned integer in the range 1–4294967294. When
1231 unset, the kernel's default will be used.
1232 MultiPathRoute=address[@name] [weight]
1234 Configures multipath route. Multipath routing is the technique of
1235 using multiple alternative paths through a network. Takes gateway
1236 address. Optionally, takes a network interface name or index
1237 separated with "@", and a weight in 1..256 for this multipath route
1238 separated with whitespace. This setting can be specified multiple
1239 times. If an empty string is assigned, then the all previous
1240 assignments are cleared.
1241 NextHop=
1243 Specifies the nexthop id. Takes an unsigned integer in the range
1244 1...4294967295. If set, the corresponding [NextHop] section must be
1245 configured. Defaults to unset.
1246
1248 The [DHCPv4] section configures the DHCPv4 client, if it is enabled
1249 with the DHCP= setting described above:
1250 SendHostname=
1252 When true (the default), the machine's hostname (or the value
1253 specified with Hostname=, described below) will be sent to the DHCP
1254 server. Note that the hostname must consist only of 7-bit ASCII
1255 lower-case characters and no spaces or dots, and be formatted as a
1256 valid DNS domain name. Otherwise, the hostname is not sent even if
1257 this option is true.
1258 Hostname=
1260 Use this value for the hostname which is sent to the DHCP server,
1261 instead of machine's hostname. Note that the specified hostname
1262 must consist only of 7-bit ASCII lower-case characters and no
1263 spaces or dots, and be formatted as a valid DNS domain name.
1264 MUDURL=
1266 When configured, the specified Manufacturer Usage Description (MUD)
1267 URL will be sent to the DHCPv4 server. Takes a URL of length up to
1268 255 characters. A superficial verification that the string is a
1269 valid URL will be performed. DHCPv4 clients are intended to have at
1270 most one MUD URL associated with them. See RFC 8520[16].
1271 MUD is an embedded software standard defined by the IETF that
1273 allows IoT device makers to advertise device specifications,
1274 including the intended communication patterns for their device when
1275 it connects to the network. The network can then use this to author
1276 a context-specific access policy, so the device functions only
1277 within those parameters.
1278 ClientIdentifier=
1280 The DHCPv4 client identifier to use. Takes one of mac, duid or
1281 duid-only. If set to mac, the MAC address of the link is used. If
1282 set to duid, an RFC4361-compliant Client ID, which is the
1283 combination of IAID and DUID (see below), is used. If set to
1284 duid-only, only DUID is used, this may not be RFC compliant, but
1285 some setups may require to use this. Defaults to duid.
1286 VendorClassIdentifier=
1288 The vendor class identifier used to identify vendor type and
1289 configuration.
1290 UserClass=
1292 A DHCPv4 client can use UserClass option to identify the type or
1293 category of user or applications it represents. The information
1294 contained in this option is a string that represents the user class
1295 of which the client is a member. Each class sets an identifying
1296 string of information to be used by the DHCP service to classify
1297 clients. Takes a whitespace-separated list of strings.
1298 DUIDType=
1300 Override the global DUIDType= setting for this network. See
1301 networkd.conf(5) for a description of possible values.
1302 DUIDRawData=
1304 Override the global DUIDRawData= setting for this network. See
1305 networkd.conf(5) for a description of possible values.
1306 IAID=
1308 The DHCP Identity Association Identifier (IAID) for the interface,
1309 a 32-bit unsigned integer.
1310 Anonymize=
1312 Takes a boolean. When true, the options sent to the DHCP server
1313 will follow the RFC 7844[17] (Anonymity Profiles for DHCP Clients)
1314 to minimize disclosure of identifying information. Defaults to
1315 false.
1316 This option should only be set to true when MACAddressPolicy= is
1318 set to random (see systemd.link(5)).
1319 When true, SendHostname=, ClientIdentifier=,
1321 VendorClassIdentifier=, UserClass=, RequestOptions=, SendOption=,
1322 SendVendorOption=, and MUDURL= are ignored.
1323 With this option enabled DHCP requests will mimic those generated
1325 by Microsoft Windows, in order to reduce the ability to fingerprint
1326 and recognize installations. This means DHCP request sizes will
1327 grow and lease data will be more comprehensive than normally,
1328 though most of the requested data is not actually used.
1329 RequestOptions=
1331 Sets request options to be sent to the server in the DHCPv4 request
1332 options list. A whitespace-separated list of integers in the range
1333 1...254. Defaults to unset.
1334 SendOption=
1336 Send an arbitrary raw option in the DHCPv4 request. Takes a DHCP
1337 option number, data type and data separated with a colon
1338 ("option:type:value"). The option number must be an integer in the
1339 range 1...254. The type takes one of "uint8", "uint16", "uint32",
1340 "ipv4address", or "string". Special characters in the data string
1341 may be escaped using C-style escapes[18]. This setting can be
1342 specified multiple times. If an empty string is specified, then all
1343 options specified earlier are cleared. Defaults to unset.
1344 SendVendorOption=
1346 Send an arbitrary vendor option in the DHCPv4 request. Takes a DHCP
1347 option number, data type and data separated with a colon
1348 ("option:type:value"). The option number must be an integer in the
1349 range 1...254. The type takes one of "uint8", "uint16", "uint32",
1350 "ipv4address", or "string". Special characters in the data string
1351 may be escaped using C-style escapes[18]. This setting can be
1352 specified multiple times. If an empty string is specified, then all
1353 options specified earlier are cleared. Defaults to unset.
1354 UseDNS=
1356 When true (the default), the DNS servers received from the DHCP
1357 server will be used.
1358 This corresponds to the nameserver option in resolv.conf(5).
1360 RoutesToDNS=
1362 When true, the routes to the DNS servers received from the DHCP
1363 server will be configured. When UseDNS= is disabled, this setting
1364 is ignored. Defaults to true.
1365 UseNTP=
1367 When true (the default), the NTP servers received from the DHCP
1368 server will be used by systemd-timesyncd.service.
1369 RoutesToNTP=
1371 When true, the routes to the NTP servers received from the DHCP
1372 server will be configured. When UseNTP= is disabled, this setting
1373 is ignored. Defaults to true.
1374 UseSIP=
1376 When true (the default), the SIP servers received from the DHCP
1377 server will be collected and made available to client programs.
1378 UseMTU=
1380 When true, the interface maximum transmission unit from the DHCP
1381 server will be used on the current link. If MTUBytes= is set, then
1382 this setting is ignored. Defaults to false.
1383 UseHostname=
1385 When true (the default), the hostname received from the DHCP server
1386 will be set as the transient hostname of the system.
1387 UseDomains=
1389 Takes a boolean, or the special value route. When true, the domain
1390 name received from the DHCP server will be used as DNS search
1391 domain over this link, similar to the effect of the Domains=
1392 setting. If set to route, the domain name received from the DHCP
1393 server will be used for routing DNS queries only, but not for
1394 searching, similar to the effect of the Domains= setting when the
1395 argument is prefixed with "~". Defaults to false.
1396 It is recommended to enable this option only on trusted networks,
1398 as setting this affects resolution of all hostnames, in particular
1399 of single-label names. It is generally safer to use the supplied
1400 domain only as routing domain, rather than as search domain, in
1401 order to not have it affect local resolution of single-label names.
1402 When set to true, this setting corresponds to the domain option in
1404 resolv.conf(5).
1405 UseRoutes=
1407 When true (the default), the static routes will be requested from
1408 the DHCP server and added to the routing table with a metric of
1409 1024, and a scope of global, link or host, depending on the route's
1410 destination and gateway. If the destination is on the local host,
1411 e.g., 127.x.x.x, or the same as the link's own address, the scope
1412 will be set to host. Otherwise if the gateway is null (a direct
1413 route), a link scope will be used. For anything else, scope
1414 defaults to global.
1415 RouteMetric=
1417 Set the routing metric for routes specified by the DHCP server.
1418 Takes an unsigned integer in the range 0...4294967295. Defaults to
1419 1024.
1420 RouteTable=num
1422 The table identifier for DHCP routes (a number between 1 and
1423 4294967295, or 0 to unset). The table can be retrieved using ip
1424 route show table num.
1425 When used in combination with VRF=, the VRF's routing table is used
1427 when this parameter is not specified.
1428 RouteMTUBytes=
1430 Specifies the MTU for the DHCP routes. Please see the [Route]
1431 section for further details.
1432 UseGateway=
1434 When true, the gateway will be requested from the DHCP server and
1435 added to the routing table with a metric of 1024, and a scope of
1436 link. When unset, the value specified with UseRoutes= is used.
1437 UseTimezone=
1439 When true, the timezone received from the DHCP server will be set
1440 as timezone of the local system. Defaults to false.
1441 FallbackLeaseLifetimeSec=
1443 Allows to set DHCPv4 lease lifetime when DHCPv4 server does not
1444 send the lease lifetime. Takes one of "forever" or "infinity". The
1445 latter means that the address never expires. Defaults to unset.
1446 RequestBroadcast=
1448 Request the server to use broadcast messages before the IP address
1449 has been configured. This is necessary for devices that cannot
1450 receive RAW packets, or that cannot receive packets at all before
1451 an IP address has been configured. On the other hand, this must not
1452 be enabled on networks where broadcasts are filtered out.
1453 MaxAttempts=
1455 Specifies how many times the DHCPv4 client configuration should be
1456 attempted. Takes a number or "infinity". Defaults to "infinity".
1457 Note that the time between retries is increased exponentially, up
1458 to approximately one per minute, so the network will not be
1459 overloaded even if this number is high. The default is suitable in
1460 most circumstances.
1461 ListenPort=
1463 Set the port from which the DHCP client packets originate.
1464 DenyList=
1466 A whitespace-separated list of IPv4 addresses. DHCP offers from
1467 servers in the list are rejected. Note that if AllowList= is
1468 configured then DenyList= is ignored.
1469 AllowList=
1471 A whitespace-separated list of IPv4 addresses. DHCP offers from
1472 servers in the list are accepted.
1473 SendRelease=
1475 When true, the DHCPv4 client sends a DHCP release packet when it
1476 stops. Defaults to true.
1477 SendDecline=
1479 A boolean. When "true", the DHCPv4 client receives the IP address
1480 from the DHCP server. After a new IP is received, the DHCPv4 client
1481 performs IPv4 Duplicate Address Detection. If duplicate use is
1482 detected, the DHCPv4 client rejects the IP by sending a DHCPDECLINE
1483 packet and tries to obtain an IP address again. See RFC 5224[11].
1484 Defaults to "unset".
1485
1487 The [DHCPv6] section configures the DHCPv6 client, if it is enabled
1488 with the DHCP= setting described above, or invoked by the IPv6 Router
1489 Advertisement:
1490 MUDURL=, IAID=, DUIDType=, DUIDRawData=, RequestOptions=
1492 As in the [DHCPv4] section.
1493 SendOption=
1495 As in the [DHCPv4] section, however because DHCPv6 uses 16-bit
1496 fields to store option numbers, the option number is an integer in
1497 the range 1...65536.
1498 SendVendorOption=
1500 Send an arbitrary vendor option in the DHCPv6 request. Takes an
1501 enterprise identifier, DHCP option number, data type, and data
1502 separated with a colon ("enterprise identifier:option:type:value").
1503 Enterprise identifier is an unsigned integer in the range
1504 1...4294967294. The option number must be an integer in the range
1505 1...254. Data type takes one of "uint8", "uint16", "uint32",
1506 "ipv4address", "ipv6address", or "string". Special characters in
1507 the data string may be escaped using C-style escapes[18]. This
1508 setting can be specified multiple times. If an empty string is
1509 specified, then all options specified earlier are cleared. Defaults
1510 to unset.
1511 UserClass=
1513 A DHCPv6 client can use User Class option to identify the type or
1514 category of user or applications it represents. The information
1515 contained in this option is a string that represents the user class
1516 of which the client is a member. Each class sets an identifying
1517 string of information to be used by the DHCP service to classify
1518 clients. Special characters in the data string may be escaped using
1519 C-style escapes[18]. This setting can be specified multiple times.
1520 If an empty string is specified, then all options specified earlier
1521 are cleared. Takes a whitespace-separated list of strings. Note
1522 that currently NUL bytes are not allowed.
1523 VendorClass=
1525 A DHCPv6 client can use VendorClass option to identify the vendor
1526 that manufactured the hardware on which the client is running. The
1527 information contained in the data area of this option is contained
1528 in one or more opaque fields that identify details of the hardware
1529 configuration. Takes a whitespace-separated list of strings.
1530 PrefixDelegationHint=
1532 Takes an IPv6 address with prefix length in the same format as the
1533 Address= in the [Network] section. The DHCPv6 client will include a
1534 prefix hint in the DHCPv6 solicitation sent to the server. The
1535 prefix length must be in the range 1–128. Defaults to unset.
1536 UseAddress=
1538 When true (the default), the IP addresses provided by the DHCPv6
1539 server will be assigned.
1540 UseDNS=, UseNTP=, UseHostname=, UseDomains=
1542 As in the [DHCPv4] section.
1543 ForceDHCPv6PDOtherInformation=
1545 Takes a boolean that enforces DHCPv6 stateful mode when the 'Other
1546 information' bit is set in Router Advertisement messages. By
1547 default setting only the 'O' bit in Router Advertisements makes
1548 DHCPv6 request network information in a stateless manner using a
1549 two-message Information Request and Information Reply message
1550 exchange. RFC 7084[19], requirement WPD-4, updates this behavior
1551 for a Customer Edge router so that stateful DHCPv6 Prefix
1552 Delegation is also requested when only the 'O' bit is set in Router
1553 Advertisements. This option enables such a CE behavior as it is
1554 impossible to automatically distinguish the intention of the 'O'
1555 bit otherwise. By default this option is set to false, enable it if
1556 no prefixes are delegated when the device should be acting as a CE
1557 router.
1558 WithoutRA=
1560 Allows DHCPv6 client to start without router advertisements's
1561 managed or other address configuration flag. Takes one of "solicit"
1562 or "information-request". Defaults to unset.
1563 RapidCommit=
1565 Takes a boolean. The DHCPv6 client can obtain configuration
1566 parameters from a DHCPv6 server through a rapid two-message
1567 exchange (solicit and reply). When the rapid commit option is
1568 enabled by both the DHCPv6 client and the DHCPv6 server, the
1569 two-message exchange is used, rather than the default four-message
1570 exchange (solicit, advertise, request, and reply). The two-message
1571 exchange provides faster client configuration and is beneficial in
1572 environments in which networks are under a heavy load. See RFC
1573 3315[20] for details. Defaults to true.
1574
1576 The [DHCPv6PrefixDelegation] section configures delegated prefixes
1577 assigned by DHCPv6 server. The settings in this section are used only
1578 when DHCPv6PrefixDelegation= setting is enabled.
1579 SubnetId=
1581 Configure a specific subnet ID on the interface from a (previously)
1582 received prefix delegation. You can either set "auto" (the default)
1583 or a specific subnet ID (as defined in RFC 4291[21], section
1584 2.5.4), in which case the allowed value is hexadecimal, from 0 to
1585 0x7fffffffffffffff inclusive.
1586 Announce=
1588 Takes a boolean. When enabled, and IPv6SendRA= in [Network] section
1589 is enabled, the delegated prefixes are distributed through the IPv6
1590 Router Advertisement. Defaults to yes.
1591 Assign=
1593 Takes a boolean. Specifies whether to add an address from the
1594 delegated prefixes which are received from the WAN interface by the
1595 DHCPv6 Prefix Delegation. When true (on LAN interfce), the EUI-64
1596 algorithm will be used by default to form an interface identifier
1597 from the delegated prefixes. See also Token= setting below.
1598 Defaults to yes.
1599 Token=
1601 Specifies an optional address generation mode for assigning an
1602 address in each delegated prefix. Takes an IPv6 address. When set,
1603 the lower bits of the supplied address is combined with the upper
1604 bits of each delegatad prefix received from the WAN interface by
1605 the DHCPv6 Prefix Delegation to form a complete address. When
1606 Assign= is disabled, this setting is ignored. When unset, the
1607 EUI-64 algorithm will be used to form addresses. Defaults to unset.
1608 ManageTemporaryAddress=
1610 As in the [Address] section, but defaults to true.
1611 RouteMetric=
1613 The metric of the route to the delegated prefix subnet. Takes an
1614 unsigned integer in the range 0...4294967295. When unset or set to
1615 0, the kernel's default value is used.
1616
1618 The [IPv6AcceptRA] section configures the IPv6 Router Advertisement
1619 (RA) client, if it is enabled with the IPv6AcceptRA= setting described
1620 above:
1621 UseDNS=
1623 When true (the default), the DNS servers received in the Router
1624 Advertisement will be used.
1625 This corresponds to the nameserver option in resolv.conf(5).
1627 UseDomains=
1629 Takes a boolean, or the special value "route". When true, the
1630 domain name received via IPv6 Router Advertisement (RA) will be
1631 used as DNS search domain over this link, similar to the effect of
1632 the Domains= setting. If set to "route", the domain name received
1633 via IPv6 RA will be used for routing DNS queries only, but not for
1634 searching, similar to the effect of the Domains= setting when the
1635 argument is prefixed with "~". Defaults to false.
1636 It is recommended to enable this option only on trusted networks,
1638 as setting this affects resolution of all hostnames, in particular
1639 of single-label names. It is generally safer to use the supplied
1640 domain only as routing domain, rather than as search domain, in
1641 order to not have it affect local resolution of single-label names.
1642 When set to true, this setting corresponds to the domain option in
1644 resolv.conf(5).
1645 RouteTable=num
1647 The table identifier for the routes received in the Router
1648 Advertisement (a number between 1 and 4294967295, or 0 to unset).
1649 The table can be retrieved using ip route show table num.
1650 RouteMetric=
1652 Set the routing metric for the routes received in the Router
1653 Advertisement. Takes an unsigned integer in the range
1654 0...4294967295. Defaults to 1024.
1655 UseAutonomousPrefix=
1657 When true (the default), the autonomous prefix received in the
1658 Router Advertisement will be used and take precedence over any
1659 statically configured ones.
1660 UseOnLinkPrefix=
1662 When true (the default), the onlink prefix received in the Router
1663 Advertisement will be used and takes precedence over any statically
1664 configured ones.
1665 RouterDenyList=
1667 A whitespace-separated list of IPv6 router addresses. Any
1668 information advertised by the listed router is ignored.
1669 RouterAllowList=
1671 A whitespace-separated list of IPv6 router addresses. Only
1672 information advertised by the listed router is accepted. Note that
1673 if RouterAllowList= is configured then RouterDenyList= is ignored.
1674 PrefixDenyList=
1676 A whitespace-separated list of IPv6 prefixes. IPv6 prefixes
1677 supplied via router advertisements in the list are ignored.
1678 PrefixAllowList=
1680 A whitespace-separated list of IPv6 prefixes. IPv6 prefixes
1681 supplied via router advertisements in the list are allowed. Note
1682 that if PrefixAllowList= is configured then PrefixDenyList= is
1683 ignored.
1684 RouteDenyList=
1686 A whitespace-separated list of IPv6 route prefixes. IPv6 route
1687 prefixes supplied via router advertisements in the list are
1688 ignored.
1689 RouteAllowList=
1691 A whitespace-separated list of IPv6 route prefixes. IPv6 route
1692 prefixes supplied via router advertisements in the list are
1693 allowed. Note that if RouteAllowList= is configured then
1694 RouteDenyList= is ignored.
1695 DHCPv6Client=
1697 Takes a boolean, or the special value "always". When true or
1698 "always", the DHCPv6 client will be started when the RA has the
1699 managed or other information flag. If set to "always", the DHCPv6
1700 client will also be started in managed mode when neither managed
1701 nor other information flag is set in the RA. Defaults to true.
1702
1704 The [DHCPServer] section contains settings for the DHCP server, if
1705 enabled via the DHCPServer= option described above:
1706 ServerAddress=
1708 Specifies server address for the DHCP server. Takes an IPv4 address
1709 with prefix length, for example "192.168.0.1/24". This setting may
1710 be useful when the link on which the DHCP server is running has
1711 multiple static addresses. When unset, one of static addresses in
1712 the link will be automatically selected. Defaults to unset.
1713 PoolOffset=, PoolSize=
1715 Configures the pool of addresses to hand out. The pool is a
1716 contiguous sequence of IP addresses in the subnet configured for
1717 the server address, which does not include the subnet nor the
1718 broadcast address. PoolOffset= takes the offset of the pool from
1719 the start of subnet, or zero to use the default value. PoolSize=
1720 takes the number of IP addresses in the pool or zero to use the
1721 default value. By default, the pool starts at the first address
1722 after the subnet address and takes up the rest of the subnet,
1723 excluding the broadcast address. If the pool includes the server
1724 address (the default), this is reserved and not handed out to
1725 clients.
1726 DefaultLeaseTimeSec=, MaxLeaseTimeSec=
1728 Control the default and maximum DHCP lease time to pass to clients.
1729 These settings take time values in seconds or another common time
1730 unit, depending on the suffix. The default lease time is used for
1731 clients that did not ask for a specific lease time. If a client
1732 asks for a lease time longer than the maximum lease time, it is
1733 automatically shortened to the specified time. The default lease
1734 time defaults to 1h, the maximum lease time to 12h. Shorter lease
1735 times are beneficial if the configuration data in DHCP leases
1736 changes frequently and clients shall learn the new settings with
1737 shorter latencies. Longer lease times reduce the generated DHCP
1738 network traffic.
1739 UplinkInterface=
1741 Specifies name or index of uplink interface, or one of the special
1742 values ":none" and ":auto". When emitting DNS, NTP, or SIP servers
1743 are enabled but no servers are specified, the servers configured in
1744 the uplink interface will be emitted. When ":auto", the link which
1745 has default gateway with higher priority will be automatically
1746 selected. When ":none", no uplink interface will be selected.
1747 Defaults to ":auto".
1748 EmitDNS=, DNS=
1750 EmitDNS= takes a boolean. Configures whether the DHCP leases handed
1751 out to clients shall contain DNS server information. Defaults to
1752 "yes". The DNS servers to pass to clients may be configured with
1753 the DNS= option, which takes a list of IPv4 addresses. If the
1754 EmitDNS= option is enabled but no servers configured, the servers
1755 are automatically propagated from an "uplink" interface that has
1756 appropriate servers set. The "uplink" interface is determined by
1757 the default route of the system with the highest priority. Note
1758 that this information is acquired at the time the lease is handed
1759 out, and does not take uplink interfaces into account that acquire
1760 DNS server information at a later point. If no suitable uplink
1761 interface is found the DNS server data from /etc/resolv.conf is
1762 used. Also, note that the leases are not refreshed if the uplink
1763 network configuration changes. To ensure clients regularly acquire
1764 the most current uplink DNS server information, it is thus
1765 advisable to shorten the DHCP lease time via MaxLeaseTimeSec=
1766 described above.
1767 EmitNTP=, NTP=, EmitSIP=, SIP=, EmitPOP3=, POP3=, EmitSMTP=, SMTP=,
1769 EmitLPR=, LPR=
1770 Similar to the EmitDNS= and DNS= settings described above, these
1771 settings configure whether and what server information for the
1772 indicate protocol shall be emitted as part of the DHCP lease. The
1773 same syntax, propagation semantics and defaults apply as for
1774 EmitDNS= and DNS=.
1775 EmitRouter=
1777 Similar to the EmitDNS= setting described above, this setting
1778 configures whether the DHCP lease should contain the router option.
1779 The same syntax, propagation semantics and defaults apply as for
1780 EmitDNS=.
1781 EmitTimezone=, Timezone=
1783 Takes a boolean. Configures whether the DHCP leases handed out to
1784 clients shall contain timezone information. Defaults to "yes". The
1785 Timezone= setting takes a timezone string (such as "Europe/Berlin"
1786 or "UTC") to pass to clients. If no explicit timezone is set, the
1787 system timezone of the local host is propagated, as determined by
1788 the /etc/localtime symlink.
1789 SendOption=
1791 Send a raw option with value via DHCPv4 server. Takes a DHCP option
1792 number, data type and data ("option:type:value"). The option number
1793 is an integer in the range 1...254. The type takes one of "uint8",
1794 "uint16", "uint32", "ipv4address", "ipv6address", or "string".
1795 Special characters in the data string may be escaped using C-style
1796 escapes[18]. This setting can be specified multiple times. If an
1797 empty string is specified, then all options specified earlier are
1798 cleared. Defaults to unset.
1799 SendVendorOption=
1801 Send a vendor option with value via DHCPv4 server. Takes a DHCP
1802 option number, data type and data ("option:type:value"). The option
1803 number is an integer in the range 1...254. The type takes one of
1804 "uint8", "uint16", "uint32", "ipv4address", or "string". Special
1805 characters in the data string may be escaped using C-style
1806 escapes[18]. This setting can be specified multiple times. If an
1807 empty string is specified, then all options specified earlier are
1808 cleared. Defaults to unset.
1809 BindToInterface=
1811 Takes a boolean value. When "yes", DHCP server socket will be bound
1812 to its network interface and all socket communication will be
1813 restricted to this interface. Defaults to "yes", except if
1814 RelayTarget= is used (see below), in which case it defaults
1815 defaults to "no".
1816 RelayTarget=
1818 Takes an IPv4 address, which must be in the format described in
1819 inet_pton(3). Turns this DHCP server into a DHCP relay agent. See
1820 RFC 1542[22]. The address is the address of DHCP server or another
1821 relay agent to forward DHCP messages to and from.
1822 RelayAgentCircuitId=
1824 Specifies value for Agent Circuit ID suboption of Relay Agent
1825 Information option. Takes a string, which must be in the format
1826 "string:value", where "value" should be replaced with the value of
1827 the suboption. Defaults to unset (means no Agent Circuit ID
1828 suboption is generated). Ignored if RelayTarget= is not specified.
1829 RelayAgentRemoteId=
1831 Specifies value for Agent Remote ID suboption of Relay Agent
1832 Information option. Takes a string, which must be in the format
1833 "string:value", where "value" should be replaced with the value of
1834 the suboption. Defaults to unset (means no Agent Remote ID
1835 suboption is generated). Ignored if RelayTarget= is not specified.
1836
1838 The "[DHCPServerStaticLease]" section configures a static DHCP lease to
1839 assign a fixed IPv4 address to a specific device based on its MAC
1840 address. This section can be specified multiple times.
1841 MACAddress=
1843 The hardware address of a device to match. This key is mandatory.
1844 Address=
1846 The IPv4 address that should be assigned to the device that was
1847 matched with MACAddress=. This key is mandatory.
1848
1850 The [IPv6SendRA] section contains settings for sending IPv6 Router
1851 Advertisements and whether to act as a router, if enabled via the
1852 IPv6SendRA= option described above. IPv6 network prefixes or routes are
1853 defined with one or more [IPv6Prefix] or [IPv6RoutePrefix] sections.
1854 Managed=, OtherInformation=
1856 Takes a boolean. Controls whether a DHCPv6 server is used to
1857 acquire IPv6 addresses on the network link when Managed= is set to
1858 "true" or if only additional network information can be obtained
1859 via DHCPv6 for the network link when OtherInformation= is set to
1860 "true". Both settings default to "false", which means that a DHCPv6
1861 server is not being used.
1862 RouterLifetimeSec=
1864 Takes a timespan. Configures the IPv6 router lifetime in seconds.
1865 When set to 0, the host is not acting as a router. Defaults to 30
1866 minutes.
1867 RouterPreference=
1869 Configures IPv6 router preference if RouterLifetimeSec= is
1870 non-zero. Valid values are "high", "medium" and "low", with
1871 "normal" and "default" added as synonyms for "medium" just to make
1872 configuration easier. See RFC 4191[15] for details. Defaults to
1873 "medium".
1874 EmitDNS=, DNS=
1876 DNS= specifies a list of recursive DNS server IPv6 addresses that
1877 are distributed via Router Advertisement messages when EmitDNS= is
1878 true. DNS= also takes special value "_link_local"; in that case
1879 the IPv6 link local address is distributed. If DNS= is empty, DNS
1880 servers are read from the [Network] section. If the [Network]
1881 section does not contain any DNS servers either, DNS servers from
1882 the uplink with the highest priority default route are used. When
1883 EmitDNS= is false, no DNS server information is sent in Router
1884 Advertisement messages. EmitDNS= defaults to true.
1885 EmitDomains=, Domains=
1887 A list of DNS search domains distributed via Router Advertisement
1888 messages when EmitDomains= is true. If Domains= is empty, DNS
1889 search domains are read from the [Network] section. If the
1890 [Network] section does not contain any DNS search domains either,
1891 DNS search domains from the uplink with the highest priority
1892 default route are used. When EmitDomains= is false, no DNS search
1893 domain information is sent in Router Advertisement messages.
1894 EmitDomains= defaults to true.
1895 DNSLifetimeSec=
1897 Lifetime in seconds for the DNS server addresses listed in DNS= and
1898 search domains listed in Domains=.
1899
1901 One or more [IPv6Prefix] sections contain the IPv6 prefixes that are
1902 announced via Router Advertisements. See RFC 4861[23] for further
1903 details.
1904 AddressAutoconfiguration=, OnLink=
1906 Takes a boolean to specify whether IPv6 addresses can be
1907 autoconfigured with this prefix and whether the prefix can be used
1908 for onlink determination. Both settings default to "true" in order
1909 to ease configuration.
1910 Prefix=
1912 The IPv6 prefix that is to be distributed to hosts. Similarly to
1913 configuring static IPv6 addresses, the setting is configured as an
1914 IPv6 prefix and its prefix length, separated by a "/" character.
1915 Use multiple [IPv6Prefix] sections to configure multiple IPv6
1916 prefixes since prefix lifetimes, address autoconfiguration and
1917 onlink status may differ from one prefix to another.
1918 PreferredLifetimeSec=, ValidLifetimeSec=
1920 Preferred and valid lifetimes for the prefix measured in seconds.
1921 PreferredLifetimeSec= defaults to 604800 seconds (one week) and
1922 ValidLifetimeSec= defaults to 2592000 seconds (30 days).
1923 Assign=
1925 Takes a boolean. When true, adds an address from the prefix.
1926 Default to false.
1927 RouteMetric=
1929 The metric of the prefix route. Takes an unsigned integer in the
1930 range 0...4294967295. When unset or set to 0, the kernel's default
1931 value is used. This setting is ignored when Assign= is false.
1932
1934 One or more [IPv6RoutePrefix] sections contain the IPv6 prefix routes
1935 that are announced via Router Advertisements. See RFC 4191[15] for
1936 further details.
1937 Route=
1939 The IPv6 route that is to be distributed to hosts. Similarly to
1940 configuring static IPv6 routes, the setting is configured as an
1941 IPv6 prefix routes and its prefix route length, separated by a "/"
1942 character. Use multiple [IPv6PrefixRoutes] sections to configure
1943 multiple IPv6 prefix routes.
1944 LifetimeSec=
1946 Lifetime for the route prefix measured in seconds. LifetimeSec=
1947 defaults to 604800 seconds (one week).
1948
1950 The [Bridge] section accepts the following keys:
1951 UnicastFlood=
1953 Takes a boolean. Controls whether the bridge should flood traffic
1954 for which an FDB entry is missing and the destination is unknown
1955 through this port. When unset, the kernel's default will be used.
1956 MulticastFlood=
1958 Takes a boolean. Controls whether the bridge should flood traffic
1959 for which an MDB entry is missing and the destination is unknown
1960 through this port. When unset, the kernel's default will be used.
1961 MulticastToUnicast=
1963 Takes a boolean. Multicast to unicast works on top of the multicast
1964 snooping feature of the bridge. Which means unicast copies are only
1965 delivered to hosts which are interested in it. When unset, the
1966 kernel's default will be used.
1967 NeighborSuppression=
1969 Takes a boolean. Configures whether ARP and ND neighbor suppression
1970 is enabled for this port. When unset, the kernel's default will be
1971 used.
1972 Learning=
1974 Takes a boolean. Configures whether MAC address learning is enabled
1975 for this port. When unset, the kernel's default will be used.
1976 HairPin=
1978 Takes a boolean. Configures whether traffic may be sent back out of
1979 the port on which it was received. When this flag is false, then
1980 the bridge will not forward traffic back out of the receiving port.
1981 When unset, the kernel's default will be used.
1982 UseBPDU=
1984 Takes a boolean. Configures whether STP Bridge Protocol Data Units
1985 will be processed by the bridge port. When unset, the kernel's
1986 default will be used.
1987 FastLeave=
1989 Takes a boolean. This flag allows the bridge to immediately stop
1990 multicast traffic on a port that receives an IGMP Leave message. It
1991 is only used with IGMP snooping if enabled on the bridge. When
1992 unset, the kernel's default will be used.
1993 AllowPortToBeRoot=
1995 Takes a boolean. Configures whether a given port is allowed to
1996 become a root port. Only used when STP is enabled on the bridge.
1997 When unset, the kernel's default will be used.
1998 ProxyARP=
2000 Takes a boolean. Configures whether proxy ARP to be enabled on this
2001 port. When unset, the kernel's default will be used.
2002 ProxyARPWiFi=
2004 Takes a boolean. Configures whether proxy ARP to be enabled on this
2005 port which meets extended requirements by IEEE 802.11 and Hotspot
2006 2.0 specifications. When unset, the kernel's default will be used.
2007 MulticastRouter=
2009 Configures this port for having multicast routers attached. A port
2010 with a multicast router will receive all multicast traffic. Takes
2011 one of "no" to disable multicast routers on this port, "query" to
2012 let the system detect the presence of routers, "permanent" to
2013 permanently enable multicast traffic forwarding on this port, or
2014 "temporary" to enable multicast routers temporarily on this port,
2015 not depending on incoming queries. When unset, the kernel's default
2016 will be used.
2017 Cost=
2019 Sets the "cost" of sending packets of this interface. Each port in
2020 a bridge may have a different speed and the cost is used to decide
2021 which link to use. Faster interfaces should have lower costs. It is
2022 an integer value between 1 and 65535.
2023 Priority=
2025 Sets the "priority" of sending packets on this interface. Each port
2026 in a bridge may have a different priority which is used to decide
2027 which link to use. Lower value means higher priority. It is an
2028 integer value between 0 to 63. Networkd does not set any default,
2029 meaning the kernel default value of 32 is used.
2030
2032 The [BridgeFDB] section manages the forwarding database table of a port
2033 and accepts the following keys. Specify several [BridgeFDB] sections to
2034 configure several static MAC table entries.
2035 MACAddress=
2037 As in the [Network] section. This key is mandatory.
2038 Destination=
2040 Takes an IP address of the destination VXLAN tunnel endpoint.
2041 VLANId=
2043 The VLAN ID for the new static MAC table entry. If omitted, no VLAN
2044 ID information is appended to the new static MAC table entry.
2045 VNI=
2047 The VXLAN Network Identifier (or VXLAN Segment ID) to use to
2048 connect to the remote VXLAN tunnel endpoint. Takes a number in the
2049 range 1...16777215. Defaults to unset.
2050 AssociatedWith=
2052 Specifies where the address is associated with. Takes one of "use",
2053 "self", "master" or "router". "use" means the address is in use.
2054 User space can use this option to indicate to the kernel that the
2055 fdb entry is in use. "self" means the address is associated with
2056 the port drivers fdb. Usually hardware. "master" means the address
2057 is associated with master devices fdb. "router" means the
2058 destination address is associated with a router. Note that it's
2059 valid if the referenced device is a VXLAN type device and has route
2060 shortcircuit enabled. Defaults to "self".
2061 OutgoingInterface=
2063 Specifies the name or index of the outgoing interface for the VXLAN
2064 device driver to reach the remote VXLAN tunnel endpoint. Defaults
2065 to unset.
2066
2068 The [BridgeMDB] section manages the multicast membership entries
2069 forwarding database table of a port and accepts the following keys.
2070 Specify several [BridgeMDB] sections to configure several permanent
2071 multicast membership entries.
2072 MulticastGroupAddress=
2074 Specifies the IPv4 or IPv6 multicast group address to add. This
2075 setting is mandatory.
2076 VLANId=
2078 The VLAN ID for the new entry. Valid ranges are 0 (no VLAN) to
2079 4094. Optional, defaults to 0.
2080
2082 The [LLDP] section manages the Link Layer Discovery Protocol (LLDP) and
2083 accepts the following keys:
2084 MUDURL=
2086 When configured, the specified Manufacturer Usage Descriptions
2087 (MUD) URL will be sent in LLDP packets. The syntax and semantics
2088 are the same as for MUDURL= in the [DHCPv4] section described
2089 above.
2090 The MUD URLs received via LLDP packets are saved and can be read
2092 using the sd_lldp_neighbor_get_mud_url() function.
2093
2095 The [CAN] section manages the Controller Area Network (CAN bus) and
2096 accepts the following keys:
2097 BitRate=
2099 The bitrate of CAN device in bits per second. The usual SI prefixes
2100 (K, M) with the base of 1000 can be used here. Takes a number in
2101 the range 1...4294967295.
2102 SamplePoint=
2104 Optional sample point in percent with one decimal (e.g. "75%",
2105 "87.5%") or permille (e.g. "875‰").
2106 DataBitRate=, DataSamplePoint=
2108 The bitrate and sample point for the data phase, if CAN-FD is used.
2109 These settings are analogous to the BitRate= and SamplePoint= keys.
2110 FDMode=
2112 Takes a boolean. When "yes", CAN-FD mode is enabled for the
2113 interface. Note, that a bitrate and optional sample point should
2114 also be set for the CAN-FD data phase using the DataBitRate= and
2115 DataSamplePoint= keys.
2116 FDNonISO=
2118 Takes a boolean. When "yes", non-ISO CAN-FD mode is enabled for the
2119 interface. When unset, the kernel's default will be used.
2120 RestartSec=
2122 Automatic restart delay time. If set to a non-zero value, a restart
2123 of the CAN controller will be triggered automatically in case of a
2124 bus-off condition after the specified delay time. Subsecond delays
2125 can be specified using decimals (e.g. "0.1s") or a "ms" or "us"
2126 postfix. Using "infinity" or "0" will turn the automatic restart
2127 off. By default automatic restart is disabled.
2128 Termination=
2130 Takes a boolean. When "yes", the termination resistor will be
2131 selected for the bias network. When unset, the kernel's default
2132 will be used.
2133 TripleSampling=
2135 Takes a boolean. When "yes", three samples (instead of one) are
2136 used to determine the value of a received bit by majority rule.
2137 When unset, the kernel's default will be used.
2138 BusErrorReporting=
2140 Takes a boolean. When "yes", reporting of CAN bus errors is
2141 activated (those include single bit, frame format, and bit stuffing
2142 errors, unable to send dominant bit, unable to send recessive bit,
2143 bus overload, active error announcement, error occurred on
2144 transmission). When unset, the kernel's default will be used. Note:
2145 in case of a CAN bus with a single CAN device, sending a CAN frame
2146 may result in a huge number of CAN bus errors.
2147 ListenOnly=
2149 Takes a boolean. When "yes", listen-only mode is enabled. When the
2150 interface is in listen-only mode, the interface neither transmit
2151 CAN frames nor send ACK bit. Listen-only mode is important to debug
2152 CAN networks without interfering with the communication or
2153 acknowledge the CAN frame. When unset, the kernel's default will be
2154 used.
2155
2157 The [QDisc] section manages the traffic control queueing discipline
2158 (qdisc).
2159 Parent=
2161 Specifies the parent Queueing Discipline (qdisc). Takes one of
2162 "clsact" or "ingress". This is mandatory.
2163 Handle=
2165 Configures the major number of unique identifier of the qdisc,
2166 known as the handle. Takes a hexadecimal number in the range
2167 0x1–0xffff. Defaults to unset.
2168
2170 The [NetworkEmulator] section manages the queueing discipline (qdisc)
2171 of the network emulator. It can be used to configure the kernel packet
2172 scheduler and simulate packet delay and loss for UDP or TCP
2173 applications, or limit the bandwidth usage of a particular service to
2174 simulate internet connections.
2175 Parent=
2177 Configures the parent Queueing Discipline (qdisc). Takes one of
2178 "root", "clsact", "ingress" or a class identifier. The class
2179 identifier is specified as the major and minor numbers in
2180 hexadecimal in the range 0x1–Oxffff separated with a colon
2181 ("major:minor"). Defaults to "root".
2182 Handle=
2184 Configures the major number of unique identifier of the qdisc,
2185 known as the handle. Takes a hexadecimal number in the range
2186 0x1–0xffff. Defaults to unset.
2187 DelaySec=
2189 Specifies the fixed amount of delay to be added to all packets
2190 going out of the interface. Defaults to unset.
2191 DelayJitterSec=
2193 Specifies the chosen delay to be added to the packets outgoing to
2194 the network interface. Defaults to unset.
2195 PacketLimit=
2197 Specifies the maximum number of packets the qdisc may hold queued
2198 at a time. An unsigned integer in the range 0–4294967294. Defaults
2199 to 1000.
2200 LossRate=
2202 Specifies an independent loss probability to be added to the
2203 packets outgoing from the network interface. Takes a percentage
2204 value, suffixed with "%". Defaults to unset.
2205 DuplicateRate=
2207 Specifies that the chosen percent of packets is duplicated before
2208 queuing them. Takes a percentage value, suffixed with "%". Defaults
2209 to unset.
2210
2212 The [TokenBucketFilter] section manages the queueing discipline (qdisc)
2213 of token bucket filter (tbf).
2214 Parent=
2216 Configures the parent Queueing Discipline (qdisc). Takes one of
2217 "root", "clsact", "ingress" or a class identifier. The class
2218 identifier is specified as the major and minor numbers in
2219 hexadecimal in the range 0x1–Oxffff separated with a colon
2220 ("major:minor"). Defaults to "root".
2221 Handle=
2223 Configures the major number of unique identifier of the qdisc,
2224 known as the handle. Takes a hexadecimal number in the range
2225 0x1–0xffff. Defaults to unset.
2226 LatencySec=
2228 Specifies the latency parameter, which specifies the maximum amount
2229 of time a packet can sit in the Token Bucket Filter (TBF). Defaults
2230 to unset.
2231 LimitBytes=
2233 Takes the number of bytes that can be queued waiting for tokens to
2234 become available. When the size is suffixed with K, M, or G, it is
2235 parsed as Kilobytes, Megabytes, or Gigabytes, respectively, to the
2236 base of 1024. Defaults to unset.
2237 BurstBytes=
2239 Specifies the size of the bucket. This is the maximum amount of
2240 bytes that tokens can be available for instantaneous transfer. When
2241 the size is suffixed with K, M, or G, it is parsed as Kilobytes,
2242 Megabytes, or Gigabytes, respectively, to the base of 1024.
2243 Defaults to unset.
2244 Rate=
2246 Specifies the device specific bandwidth. When suffixed with K, M,
2247 or G, the specified bandwidth is parsed as Kilobits, Megabits, or
2248 Gigabits, respectively, to the base of 1000. Defaults to unset.
2249 MPUBytes=
2251 The Minimum Packet Unit (MPU) determines the minimal token usage
2252 (specified in bytes) for a packet. When suffixed with K, M, or G,
2253 the specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
2254 respectively, to the base of 1024. Defaults to zero.
2255 PeakRate=
2257 Takes the maximum depletion rate of the bucket. When suffixed with
2258 K, M, or G, the specified size is parsed as Kilobits, Megabits, or
2259 Gigabits, respectively, to the base of 1000. Defaults to unset.
2260 MTUBytes=
2262 Specifies the size of the peakrate bucket. When suffixed with K, M,
2263 or G, the specified size is parsed as Kilobytes, Megabytes, or
2264 Gigabytes, respectively, to the base of 1024. Defaults to unset.
2265
2267 The [PIE] section manages the queueing discipline (qdisc) of
2268 Proportional Integral controller-Enhanced (PIE).
2269 Parent=
2271 Configures the parent Queueing Discipline (qdisc). Takes one of
2272 "root", "clsact", "ingress" or a class identifier. The class
2273 identifier is specified as the major and minor numbers in
2274 hexadecimal in the range 0x1–Oxffff separated with a colon
2275 ("major:minor"). Defaults to "root".
2276 Handle=
2278 Configures the major number of unique identifier of the qdisc,
2279 known as the handle. Takes a hexadecimal number in the range
2280 0x1–0xffff. Defaults to unset.
2281 PacketLimit=
2283 Specifies the hard limit on the queue size in number of packets.
2284 When this limit is reached, incoming packets are dropped. An
2285 unsigned integer in the range 1...4294967294. Defaults to unset and
2286 kernel's default is used.
2287
2289 The "[FlowQueuePIE]" section manages the queueing discipline (qdisc) of
2290 Flow Queue Proportional Integral controller-Enhanced (fq_pie).
2291 Parent=
2293 Configures the parent Queueing Discipline (qdisc). Takes one of
2294 "root", "clsact", "ingress" or a class identifier. The class
2295 identifier is specified as the major and minor numbers in
2296 hexadecimal in the range 0x1–Oxffff separated with a colon
2297 ("major:minor"). Defaults to "root".
2298 Handle=
2300 Configures the major number of unique identifier of the qdisc,
2301 known as the handle. Takes a hexadecimal number in the range
2302 0x1–0xffff. Defaults to unset.
2303 PacketLimit=
2305 Specifies the hard limit on the queue size in number of packets.
2306 When this limit is reached, incoming packets are dropped. An
2307 unsigned integer ranges 1 to 4294967294. Defaults to unset and
2308 kernel's default is used.
2309
2311 The [StochasticFairBlue] section manages the queueing discipline
2312 (qdisc) of stochastic fair blue (sfb).
2313 Parent=
2315 Configures the parent Queueing Discipline (qdisc). Takes one of
2316 "root", "clsact", "ingress" or a class identifier. The class
2317 identifier is specified as the major and minor numbers in
2318 hexadecimal in the range 0x1–Oxffff separated with a colon
2319 ("major:minor"). Defaults to "root".
2320 Handle=
2322 Configures the major number of unique identifier of the qdisc,
2323 known as the handle. Takes a hexadecimal number in the range
2324 0x1–0xffff. Defaults to unset.
2325 PacketLimit=
2327 Specifies the hard limit on the queue size in number of packets.
2328 When this limit is reached, incoming packets are dropped. An
2329 unsigned integer in the range 0–4294967294. Defaults to unset and
2330 kernel's default is used.
2331
2333 The [StochasticFairnessQueueing] section manages the queueing
2334 discipline (qdisc) of stochastic fairness queueing (sfq).
2335 Parent=
2337 Configures the parent Queueing Discipline (qdisc). Takes one of
2338 "root", "clsact", "ingress" or a class identifier. The class
2339 identifier is specified as the major and minor numbers in
2340 hexadecimal in the range 0x1–Oxffff separated with a colon
2341 ("major:minor"). Defaults to "root".
2342 Handle=
2344 Configures the major number of unique identifier of the qdisc,
2345 known as the handle. Takes a hexadecimal number in the range
2346 0x1–0xffff. Defaults to unset.
2347 PerturbPeriodSec=
2349 Specifies the interval in seconds for queue algorithm perturbation.
2350 Defaults to unset.
2351
2353 The [BFIFO] section manages the queueing discipline (qdisc) of Byte
2354 limited Packet First In First Out (bfifo).
2355 Parent=
2357 Configures the parent Queueing Discipline (qdisc). Takes one of
2358 "root", "clsact", "ingress" or a class identifier. The class
2359 identifier is specified as the major and minor numbers in
2360 hexadecimal in the range 0x1–Oxffff separated with a colon
2361 ("major:minor"). Defaults to "root".
2362 Handle=
2364 Configures the major number of unique identifier of the qdisc,
2365 known as the handle. Takes a hexadecimal number in the range
2366 0x1–0xffff. Defaults to unset.
2367 LimitBytes=
2369 Specifies the hard limit in bytes on the FIFO buffer size. The size
2370 limit prevents overflow in case the kernel is unable to dequeue
2371 packets as quickly as it receives them. When this limit is reached,
2372 incoming packets are dropped. When suffixed with K, M, or G, the
2373 specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
2374 respectively, to the base of 1024. Defaults to unset and kernel
2375 default is used.
2376
2378 The [PFIFO] section manages the queueing discipline (qdisc) of Packet
2379 First In First Out (pfifo).
2380 Parent=
2382 Configures the parent Queueing Discipline (qdisc). Takes one of
2383 "root", "clsact", "ingress" or a class identifier. The class
2384 identifier is specified as the major and minor numbers in
2385 hexadecimal in the range 0x1–Oxffff separated with a colon
2386 ("major:minor"). Defaults to "root".
2387 Handle=
2389 Configures the major number of unique identifier of the qdisc,
2390 known as the handle. Takes a hexadecimal number in the range
2391 0x1–0xffff. Defaults to unset.
2392 PacketLimit=
2394 Specifies the hard limit on the number of packets in the FIFO
2395 queue. The size limit prevents overflow in case the kernel is
2396 unable to dequeue packets as quickly as it receives them. When this
2397 limit is reached, incoming packets are dropped. An unsigned integer
2398 in the range 0–4294967294. Defaults to unset and kernel's default
2399 is used.
2400
2402 The [PFIFOHeadDrop] section manages the queueing discipline (qdisc) of
2403 Packet First In First Out Head Drop (pfifo_head_drop).
2404 Parent=
2406 Configures the parent Queueing Discipline (qdisc). Takes one of
2407 "root", "clsact", "ingress" or a class identifier. The class
2408 identifier is specified as the major and minor numbers in
2409 hexadecimal in the range 0x1–Oxffff separated with a colon
2410 ("major:minor"). Defaults to "root".
2411 Handle=
2413 Configures the major number of unique identifier of the qdisc,
2414 known as the handle. Takes a hexadecimal number in the range
2415 0x1–0xffff. Defaults to unset.
2416 PacketLimit=
2418 As in [PFIFO] section.
2419
2421 The [PFIFOFast] section manages the queueing discipline (qdisc) of
2422 Packet First In First Out Fast (pfifo_fast).
2423 Parent=
2425 Configures the parent Queueing Discipline (qdisc). Takes one of
2426 "root", "clsact", "ingress" or a class identifier. The class
2427 identifier is specified as the major and minor numbers in
2428 hexadecimal in the range 0x1–Oxffff separated with a colon
2429 ("major:minor"). Defaults to "root".
2430 Handle=
2432 Configures the major number of unique identifier of the qdisc,
2433 known as the handle. Takes a hexadecimal number in the range
2434 0x1–0xffff. Defaults to unset.
2435
2437 The [CAKE] section manages the queueing discipline (qdisc) of Common
2438 Applications Kept Enhanced (CAKE).
2439 Parent=
2441 Configures the parent Queueing Discipline (qdisc). Takes one of
2442 "root", "clsact", "ingress" or a class identifier. The class
2443 identifier is specified as the major and minor numbers in
2444 hexadecimal in the range 0x1–Oxffff separated with a colon
2445 ("major:minor"). Defaults to "root".
2446 Handle=
2448 Configures the major number of unique identifier of the qdisc,
2449 known as the handle. Takes a hexadecimal number in the range
2450 0x1–0xffff. Defaults to unset.
2451 OverheadBytes=
2453 Specifies that bytes to be addeded to the size of each packet.
2454 Bytes may be negative. Takes an integer in the range from -64 to
2455 256. Defaults to unset and kernel's default is used.
2456 Bandwidth=
2458 Specifies the shaper bandwidth. When suffixed with K, M, or G, the
2459 specified size is parsed as Kilobits, Megabits, or Gigabits,
2460 respectively, to the base of 1000. Defaults to unset and kernel's
2461 default is used.
2462
2464 The [ControlledDelay] section manages the queueing discipline (qdisc)
2465 of controlled delay (CoDel).
2466 Parent=
2468 Configures the parent Queueing Discipline (qdisc). Takes one of
2469 "root", "clsact", "ingress" or a class identifier. The class
2470 identifier is specified as the major and minor numbers in
2471 hexadecimal in the range 0x1–Oxffff separated with a colon
2472 ("major:minor"). Defaults to "root".
2473 Handle=
2475 Configures the major number of unique identifier of the qdisc,
2476 known as the handle. Takes a hexadecimal number in the range
2477 0x1–0xffff. Defaults to unset.
2478 PacketLimit=
2480 Specifies the hard limit on the queue size in number of packets.
2481 When this limit is reached, incoming packets are dropped. An
2482 unsigned integer in the range 0–4294967294. Defaults to unset and
2483 kernel's default is used.
2484 TargetSec=
2486 Takes a timespan. Specifies the acceptable minimum
2487 standing/persistent queue delay. Defaults to unset and kernel's
2488 default is used.
2489 IntervalSec=
2491 Takes a timespan. This is used to ensure that the measured minimum
2492 delay does not become too stale. Defaults to unset and kernel's
2493 default is used.
2494 ECN=
2496 Takes a boolean. This can be used to mark packets instead of
2497 dropping them. Defaults to unset and kernel's default is used.
2498 CEThresholdSec=
2500 Takes a timespan. This sets a threshold above which all packets are
2501 marked with ECN Congestion Experienced (CE). Defaults to unset and
2502 kernel's default is used.
2503
2505 The [DeficitRoundRobinScheduler] section manages the queueing
2506 discipline (qdisc) of Deficit Round Robin Scheduler (DRR).
2507 Parent=
2509 Configures the parent Queueing Discipline (qdisc). Takes one of
2510 "root", "clsact", "ingress" or a class identifier. The class
2511 identifier is specified as the major and minor numbers in
2512 hexadecimal in the range 0x1–Oxffff separated with a colon
2513 ("major:minor"). Defaults to "root".
2514 Handle=
2516 Configures the major number of unique identifier of the qdisc,
2517 known as the handle. Takes a hexadecimal number in the range
2518 0x1–0xffff. Defaults to unset.
2519
2521 The [DeficitRoundRobinSchedulerClass] section manages the traffic
2522 control class of Deficit Round Robin Scheduler (DRR).
2523 Parent=
2525 Configures the parent Queueing Discipline (qdisc). Takes one of
2526 "root", or a qdisc identifier. The qdisc identifier is specified as
2527 the major and minor numbers in hexadecimal in the range 0x1–Oxffff
2528 separated with a colon ("major:minor"). Defaults to "root".
2529 ClassId=
2531 Configures the unique identifier of the class. It is specified as
2532 the major and minor numbers in hexadecimal in the range 0x1–Oxffff
2533 separated with a colon ("major:minor"). Defaults to unset.
2534 QuantumBytes=
2536 Specifies the amount of bytes a flow is allowed to dequeue before
2537 the scheduler moves to the next class. When suffixed with K, M, or
2538 G, the specified size is parsed as Kilobytes, Megabytes, or
2539 Gigabytes, respectively, to the base of 1024. Defaults to the MTU
2540 of the interface.
2541
2543 The [EnhancedTransmissionSelection] section manages the queueing
2544 discipline (qdisc) of Enhanced Transmission Selection (ETS).
2545 Parent=
2547 Configures the parent Queueing Discipline (qdisc). Takes one of
2548 "root", "clsact", "ingress" or a class identifier. The class
2549 identifier is specified as the major and minor numbers in
2550 hexadecimal in the range 0x1–Oxffff separated with a colon
2551 ("major:minor"). Defaults to "root".
2552 Handle=
2554 Configures the major number of unique identifier of the qdisc,
2555 known as the handle. Takes a hexadecimal number in the range
2556 0x1–0xffff. Defaults to unset.
2557 Bands=
2559 Specifies the number of bands. An unsigned integer in the range
2560 1–16. This value has to be at least large enough to cover the
2561 strict bands specified through the StrictBands= and
2562 bandwidth-sharing bands specified in QuantumBytes=.
2563 StrictBands=
2565 Specifies the number of bands that should be created in strict
2566 mode. An unsigned integer in the range 1–16.
2567 QuantumBytes=
2569 Specifies the white-space separated list of quantum used in
2570 band-sharing bands. When suffixed with K, M, or G, the specified
2571 size is parsed as Kilobytes, Megabytes, or Gigabytes, respectively,
2572 to the base of 1024. This setting can be specified multiple times.
2573 If an empty string is assigned, then the all previous assignments
2574 are cleared.
2575 PriorityMap=
2577 The priority map maps the priority of a packet to a band. The
2578 argument is a whitespace separated list of numbers. The first
2579 number indicates which band the packets with priority 0 should be
2580 put to, the second is for priority 1, and so on. There can be up to
2581 16 numbers in the list. If there are fewer, the default band that
2582 traffic with one of the unmentioned priorities goes to is the last
2583 one. Each band number must be in the range 0...255. This setting
2584 can be specified multiple times. If an empty string is assigned,
2585 then the all previous assignments are cleared.
2586
2588 The [GenericRandomEarlyDetection] section manages the queueing
2589 discipline (qdisc) of Generic Random Early Detection (GRED).
2590 Parent=
2592 Configures the parent Queueing Discipline (qdisc). Takes one of
2593 "root", "clsact", "ingress" or a class identifier. The class
2594 identifier is specified as the major and minor numbers in
2595 hexadecimal in the range 0x1–Oxffff separated with a colon
2596 ("major:minor"). Defaults to "root".
2597 Handle=
2599 Configures the major number of unique identifier of the qdisc,
2600 known as the handle. Takes a hexadecimal number in the range
2601 0x1–0xffff. Defaults to unset.
2602 VirtualQueues=
2604 Specifies the number of virtual queues. Takes an integer in the
2605 range 1...16. Defaults to unset and kernel's default is used.
2606 DefaultVirtualQueue=
2608 Specifies the number of default virtual queue. This must be less
2609 than VirtualQueue=. Defaults to unset and kernel's default is used.
2610 GenericRIO=
2612 Takes a boolean. It turns on the RIO-like buffering scheme.
2613 Defaults to unset and kernel's default is used.
2614
2616 The [FairQueueingControlledDelay] section manages the queueing
2617 discipline (qdisc) of fair queuing controlled delay (FQ-CoDel).
2618 Parent=
2620 Configures the parent Queueing Discipline (qdisc). Takes one of
2621 "root", "clsact", "ingress" or a class identifier. The class
2622 identifier is specified as the major and minor numbers in
2623 hexadecimal in the range 0x1–Oxffff separated with a colon
2624 ("major:minor"). Defaults to "root".
2625 Handle=
2627 Configures the major number of unique identifier of the qdisc,
2628 known as the handle. Takes a hexadecimal number in the range
2629 0x1–0xffff. Defaults to unset.
2630 PacketLimit=
2632 Specifies the hard limit on the real queue size. When this limit is
2633 reached, incoming packets are dropped. Defaults to unset and
2634 kernel's default is used.
2635 MemoryLimitBytes=
2637 Specifies the limit on the total number of bytes that can be queued
2638 in this FQ-CoDel instance. When suffixed with K, M, or G, the
2639 specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
2640 respectively, to the base of 1024. Defaults to unset and kernel's
2641 default is used.
2642 Flows=
2644 Specifies the number of flows into which the incoming packets are
2645 classified. Defaults to unset and kernel's default is used.
2646 TargetSec=
2648 Takes a timespan. Specifies the acceptable minimum
2649 standing/persistent queue delay. Defaults to unset and kernel's
2650 default is used.
2651 IntervalSec=
2653 Takes a timespan. This is used to ensure that the measured minimum
2654 delay does not become too stale. Defaults to unset and kernel's
2655 default is used.
2656 QuantumBytes=
2658 Specifies the number of bytes used as the "deficit" in the fair
2659 queuing algorithm timespan. When suffixed with K, M, or G, the
2660 specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
2661 respectively, to the base of 1024. Defaults to unset and kernel's
2662 default is used.
2663 ECN=
2665 Takes a boolean. This can be used to mark packets instead of
2666 dropping them. Defaults to unset and kernel's default is used.
2667 CEThresholdSec=
2669 Takes a timespan. This sets a threshold above which all packets are
2670 marked with ECN Congestion Experienced (CE). Defaults to unset and
2671 kernel's default is used.
2672
2674 The [FairQueueing] section manages the queueing discipline (qdisc) of
2675 fair queue traffic policing (FQ).
2676 Parent=
2678 Configures the parent Queueing Discipline (qdisc). Takes one of
2679 "root", "clsact", "ingress" or a class identifier. The class
2680 identifier is specified as the major and minor numbers in
2681 hexadecimal in the range 0x1–Oxffff separated with a colon
2682 ("major:minor"). Defaults to "root".
2683 Handle=
2685 Configures the major number of unique identifier of the qdisc,
2686 known as the handle. Takes a hexadecimal number in the range
2687 0x1–0xffff. Defaults to unset.
2688 PacketLimit=
2690 Specifies the hard limit on the real queue size. When this limit is
2691 reached, incoming packets are dropped. Defaults to unset and
2692 kernel's default is used.
2693 FlowLimit=
2695 Specifies the hard limit on the maximum number of packets queued
2696 per flow. Defaults to unset and kernel's default is used.
2697 QuantumBytes=
2699 Specifies the credit per dequeue RR round, i.e. the amount of bytes
2700 a flow is allowed to dequeue at once. When suffixed with K, M, or
2701 G, the specified size is parsed as Kilobytes, Megabytes, or
2702 Gigabytes, respectively, to the base of 1024. Defaults to unset and
2703 kernel's default is used.
2704 InitialQuantumBytes=
2706 Specifies the initial sending rate credit, i.e. the amount of bytes
2707 a new flow is allowed to dequeue initially. When suffixed with K,
2708 M, or G, the specified size is parsed as Kilobytes, Megabytes, or
2709 Gigabytes, respectively, to the base of 1024. Defaults to unset and
2710 kernel's default is used.
2711 MaximumRate=
2713 Specifies the maximum sending rate of a flow. When suffixed with K,
2714 M, or G, the specified size is parsed as Kilobits, Megabits, or
2715 Gigabits, respectively, to the base of 1000. Defaults to unset and
2716 kernel's default is used.
2717 Buckets=
2719 Specifies the size of the hash table used for flow lookups.
2720 Defaults to unset and kernel's default is used.
2721 OrphanMask=
2723 Takes an unsigned integer. For packets not owned by a socket, fq is
2724 able to mask a part of hash and reduce number of buckets associated
2725 with the traffic. Defaults to unset and kernel's default is used.
2726 Pacing=
2728 Takes a boolean, and enables or disables flow pacing. Defaults to
2729 unset and kernel's default is used.
2730 CEThresholdSec=
2732 Takes a timespan. This sets a threshold above which all packets are
2733 marked with ECN Congestion Experienced (CE). Defaults to unset and
2734 kernel's default is used.
2735
2737 The [TrivialLinkEqualizer] section manages the queueing discipline
2738 (qdisc) of trivial link equalizer (teql).
2739 Parent=
2741 Configures the parent Queueing Discipline (qdisc). Takes one of
2742 "root", "clsact", "ingress" or a class identifier. The class
2743 identifier is specified as the major and minor numbers in
2744 hexadecimal in the range 0x1–Oxffff separated with a colon
2745 ("major:minor"). Defaults to "root".
2746 Handle=
2748 Configures the major number of unique identifier of the qdisc,
2749 known as the handle. Takes a hexadecimal number in the range
2750 0x1–0xffff. Defaults to unset.
2751 Id=
2753 Specifies the interface ID "N" of teql. Defaults to "0". Note that
2754 when teql is used, currently, the module sch_teql with
2755 max_equalizers=N+1 option must be loaded before systemd-networkd is
2756 started.
2757
2759 The [HierarchyTokenBucket] section manages the queueing discipline
2760 (qdisc) of hierarchy token bucket (htb).
2761 Parent=
2763 Configures the parent Queueing Discipline (qdisc). Takes one of
2764 "root", "clsact", "ingress" or a class identifier. The class
2765 identifier is specified as the major and minor numbers in
2766 hexadecimal in the range 0x1–Oxffff separated with a colon
2767 ("major:minor"). Defaults to "root".
2768 Handle=
2770 Configures the major number of unique identifier of the qdisc,
2771 known as the handle. Takes a hexadecimal number in the range
2772 0x1–0xffff. Defaults to unset.
2773 DefaultClass=
2775 Takes the minor id in hexadecimal of the default class.
2776 Unclassified traffic gets sent to the class. Defaults to unset.
2777 RateToQuantum=
2779 Takes an unsigned integer. The DRR quantums are calculated by
2780 dividing the value configured in Rate= by RateToQuantum=.
2781
2783 The [HierarchyTokenBucketClass] section manages the traffic control
2784 class of hierarchy token bucket (htb).
2785 Parent=
2787 Configures the parent Queueing Discipline (qdisc). Takes one of
2788 "root", or a qdisc identifier. The qdisc identifier is specified as
2789 the major and minor numbers in hexadecimal in the range 0x1–Oxffff
2790 separated with a colon ("major:minor"). Defaults to "root".
2791 ClassId=
2793 Configures the unique identifier of the class. It is specified as
2794 the major and minor numbers in hexadecimal in the range 0x1–Oxffff
2795 separated with a colon ("major:minor"). Defaults to unset.
2796 Priority=
2798 Specifies the priority of the class. In the round-robin process,
2799 classes with the lowest priority field are tried for packets first.
2800 QuantumBytes=
2802 Specifies how many bytes to serve from leaf at once. When suffixed
2803 with K, M, or G, the specified size is parsed as Kilobytes,
2804 Megabytes, or Gigabytes, respectively, to the base of 1024.
2805 MTUBytes=
2807 Specifies the maximum packet size we create. When suffixed with K,
2808 M, or G, the specified size is parsed as Kilobytes, Megabytes, or
2809 Gigabytes, respectively, to the base of 1024.
2810 OverheadBytes=
2812 Takes an unsigned integer which specifies per-packet size overhead
2813 used in rate computations. When suffixed with K, M, or G, the
2814 specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
2815 respectively, to the base of 1024.
2816 Rate=
2818 Specifies the maximum rate this class and all its children are
2819 guaranteed. When suffixed with K, M, or G, the specified size is
2820 parsed as Kilobits, Megabits, or Gigabits, respectively, to the
2821 base of 1000. This setting is mandatory.
2822 CeilRate=
2824 Specifies the maximum rate at which a class can send, if its parent
2825 has bandwidth to spare. When suffixed with K, M, or G, the
2826 specified size is parsed as Kilobits, Megabits, or Gigabits,
2827 respectively, to the base of 1000. When unset, the value specified
2828 with Rate= is used.
2829 BufferBytes=
2831 Specifies the maximum bytes burst which can be accumulated during
2832 idle period. When suffixed with K, M, or G, the specified size is
2833 parsed as Kilobytes, Megabytes, or Gigabytes, respectively, to the
2834 base of 1024.
2835 CeilBufferBytes=
2837 Specifies the maximum bytes burst for ceil which can be accumulated
2838 during idle period. When suffixed with K, M, or G, the specified
2839 size is parsed as Kilobytes, Megabytes, or Gigabytes, respectively,
2840 to the base of 1024.
2841
2843 The [HeavyHitterFilter] section manages the queueing discipline (qdisc)
2844 of Heavy Hitter Filter (hhf).
2845 Parent=
2847 Configures the parent Queueing Discipline (qdisc). Takes one of
2848 "root", "clsact", "ingress" or a class identifier. The class
2849 identifier is specified as the major and minor numbers in
2850 hexadecimal in the range 0x1–Oxffff separated with a colon
2851 ("major:minor"). Defaults to "root".
2852 Handle=
2854 Configures the major number of unique identifier of the qdisc,
2855 known as the handle. Takes a hexadecimal number in the range
2856 0x1–0xffff. Defaults to unset.
2857 PacketLimit=
2859 Specifies the hard limit on the queue size in number of packets.
2860 When this limit is reached, incoming packets are dropped. An
2861 unsigned integer in the range 0–4294967294. Defaults to unset and
2862 kernel's default is used.
2863
2865 The [QuickFairQueueing] section manages the queueing discipline (qdisc)
2866 of Quick Fair Queueing (QFQ).
2867 Parent=
2869 Configures the parent Queueing Discipline (qdisc). Takes one of
2870 "root", "clsact", "ingress" or a class identifier. The class
2871 identifier is specified as the major and minor numbers in
2872 hexadecimal in the range 0x1–Oxffff separated with a colon
2873 ("major:minor"). Defaults to "root".
2874 Handle=
2876 Configures the major number of unique identifier of the qdisc,
2877 known as the handle. Takes a hexadecimal number in the range
2878 0x1–0xffff. Defaults to unset.
2879
2881 The [QuickFairQueueingClass] section manages the traffic control class
2882 of Quick Fair Queueing (qfq).
2883 Parent=
2885 Configures the parent Queueing Discipline (qdisc). Takes one of
2886 "root", or a qdisc identifier. The qdisc identifier is specified as
2887 the major and minor numbers in hexadecimal in the range 0x1–Oxffff
2888 separated with a colon ("major:minor"). Defaults to "root".
2889 ClassId=
2891 Configures the unique identifier of the class. It is specified as
2892 the major and minor numbers in hexadecimal in the range 0x1–Oxffff
2893 separated with a colon ("major:minor"). Defaults to unset.
2894 Weight=
2896 Specifies the weight of the class. Takes an integer in the range
2897 1...1023. Defaults to unset in which case the kernel default is
2898 used.
2899 MaxPacketBytes=
2901 Specifies the maximum packet size in bytes for the class. When
2902 suffixed with K, M, or G, the specified size is parsed as
2903 Kilobytes, Megabytes, or Gigabytes, respectively, to the base of
2904 1024. When unset, the kernel default is used.
2905
2907 The [BridgeVLAN] section manages the VLAN ID configuration of a bridge
2908 port and accepts the following keys. Specify several [BridgeVLAN]
2909 sections to configure several VLAN entries. The VLANFiltering= option
2910 has to be enabled, see the [Bridge] section in systemd.netdev(5).
2911 VLAN=
2913 The VLAN ID allowed on the port. This can be either a single ID or
2914 a range M-N. VLAN IDs are valid from 1 to 4094.
2915 EgressUntagged=
2917 The VLAN ID specified here will be used to untag frames on egress.
2918 Configuring EgressUntagged= implicates the use of VLAN= above and
2919 will enable the VLAN ID for ingress as well. This can be either a
2920 single ID or a range M-N.
2921 PVID=
2923 The Port VLAN ID specified here is assigned to all untagged frames
2924 at ingress. PVID= can be used only once. Configuring PVID=
2925 implicates the use of VLAN= above and will enable the VLAN ID for
2926 ingress as well.
2927
2929 Example 1. Static network configuration
2930 # /etc/systemd/network/50-static.network
2932 [Match]
2933 Name=enp2s0
2934 [Network]
2936 Address=192.168.0.15/24
2937 Gateway=192.168.0.1
2938 This brings interface "enp2s0" up with a static address. The specified
2940 gateway will be used for a default route.
2941 Example 2. DHCP on ethernet links
2943 # /etc/systemd/network/80-dhcp.network
2945 [Match]
2946 Name=en*
2947 [Network]
2949 DHCP=yes
2950 This will enable DHCPv4 and DHCPv6 on all interfaces with names
2952 starting with "en" (i.e. ethernet interfaces).
2953 Example 3. IPv6 Prefix Delegation
2955 # /etc/systemd/network/55-ipv6-pd-upstream.network
2957 [Match]
2958 Name=enp1s0
2959 [Network]
2961 DHCP=ipv6
2962 # /etc/systemd/network/56-ipv6-pd-downstream.network
2964 [Match]
2965 Name=enp2s0
2966 [Network]
2968 IPv6SendRA=yes
2969 DHCPv6PrefixDelegation=yes
2970 This will enable DHCPv6-PD on the interface enp1s0 as an upstream
2972 interface where the DHCPv6 client is running and enp2s0 as a downstream
2973 interface where the prefix is delegated to. The delegated prefixes are
2974 distributed by IPv6 Router Advertisement on the downstream network.
2975 Example 4. A bridge with two enslaved links
2977 # /etc/systemd/network/25-bridge-static.network
2979 [Match]
2980 Name=bridge0
2981 [Network]
2983 Address=192.168.0.15/24
2984 Gateway=192.168.0.1
2985 DNS=192.168.0.1
2986 # /etc/systemd/network/25-bridge-slave-interface-1.network
2988 [Match]
2989 Name=enp2s0
2990 [Network]
2992 Bridge=bridge0
2993 # /etc/systemd/network/25-bridge-slave-interface-2.network
2995 [Match]
2996 Name=wlp3s0
2997 [Network]
2999 Bridge=bridge0
3000 This creates a bridge and attaches devices "enp2s0" and "wlp3s0" to it.
3002 The bridge will have the specified static address and network assigned,
3003 and a default route via the specified gateway will be added. The
3004 specified DNS server will be added to the global list of DNS resolvers.
3005 Example 5.
3007 # /etc/systemd/network/20-bridge-slave-interface-vlan.network
3009 [Match]
3010 Name=enp2s0
3011 [Network]
3013 Bridge=bridge0
3014 [BridgeVLAN]
3016 VLAN=1-32
3017 PVID=42
3018 EgressUntagged=42
3019 [BridgeVLAN]
3021 VLAN=100-200
3022 [BridgeVLAN]
3024 EgressUntagged=300-400
3025 This overrides the configuration specified in the previous example for
3027 the interface "enp2s0", and enables VLAN on that bridge port. VLAN IDs
3028 1-32, 42, 100-400 will be allowed. Packets tagged with VLAN IDs 42,
3029 300-400 will be untagged when they leave on this interface. Untagged
3030 packets which arrive on this interface will be assigned VLAN ID 42.
3031 Example 6. Various tunnels
3033 /etc/systemd/network/25-tunnels.network
3035 [Match]
3036 Name=ens1
3037 [Network]
3039 Tunnel=ipip-tun
3040 Tunnel=sit-tun
3041 Tunnel=gre-tun
3042 Tunnel=vti-tun
3043 /etc/systemd/network/25-tunnel-ipip.netdev
3046 [NetDev]
3047 Name=ipip-tun
3048 Kind=ipip
3049 /etc/systemd/network/25-tunnel-sit.netdev
3052 [NetDev]
3053 Name=sit-tun
3054 Kind=sit
3055 /etc/systemd/network/25-tunnel-gre.netdev
3058 [NetDev]
3059 Name=gre-tun
3060 Kind=gre
3061 /etc/systemd/network/25-tunnel-vti.netdev
3064 [NetDev]
3065 Name=vti-tun
3066 Kind=vti
3067 This will bring interface "ens1" up and create an IPIP tunnel, a SIT
3070 tunnel, a GRE tunnel, and a VTI tunnel using it.
3071 Example 7. A bond device
3073 # /etc/systemd/network/30-bond1.network
3075 [Match]
3076 Name=bond1
3077 [Network]
3079 DHCP=ipv6
3080 # /etc/systemd/network/30-bond1.netdev
3082 [NetDev]
3083 Name=bond1
3084 Kind=bond
3085 # /etc/systemd/network/30-bond1-dev1.network
3087 [Match]
3088 MACAddress=52:54:00:e9:64:41
3089 [Network]
3091 Bond=bond1
3092 # /etc/systemd/network/30-bond1-dev2.network
3094 [Match]
3095 MACAddress=52:54:00:e9:64:42
3096 [Network]
3098 Bond=bond1
3099 This will create a bond device "bond1" and enslave the two devices with
3101 MAC addresses 52:54:00:e9:64:41 and 52:54:00:e9:64:42 to it. IPv6 DHCP
3102 will be used to acquire an address.
3103 Example 8. Virtual Routing and Forwarding (VRF)
3105 Add the "bond1" interface to the VRF master interface "vrf1". This will
3107 redirect routes generated on this interface to be within the routing
3108 table defined during VRF creation. For kernels before 4.8 traffic won't
3109 be redirected towards the VRFs routing table unless specific ip-rules
3110 are added.
3111 # /etc/systemd/network/25-vrf.network
3113 [Match]
3114 Name=bond1
3115 [Network]
3117 VRF=vrf1
3118 Example 9. MacVTap
3120 This brings up a network interface "macvtap-test" and attaches it to
3122 "enp0s25".
3123 # /usr/lib/systemd/network/25-macvtap.network
3125 [Match]
3126 Name=enp0s25
3127 [Network]
3129 MACVTAP=macvtap-test
3130 Example 10. A Xfrm interface with physical underlying device.
3132 # /etc/systemd/network/27-xfrm.netdev
3134 [NetDev]
3135 Name=xfrm0
3136 [Xfrm]
3138 InterfaceId=7
3139 # /etc/systemd/network/27-eth0.network
3141 [Match]
3142 Name=eth0
3143 [Network]
3145 Xfrm=xfrm0
3146 This creates a "xfrm0" interface and binds it to the "eth0" device.
3148 This allows hardware based ipsec offloading to the "eth0" nic. If
3149 offloading is not needed, xfrm interfaces can be assigned to the "lo"
3150 device.
3151
3153 systemd(1), systemd-networkd.service(8), systemd.link(5),
3154 systemd.netdev(5), systemd-resolved.service(8)
3155
3157 1. RFC 7217
3158 https://tools.ietf.org/html/rfc7217
3159 2. Link-Local Multicast Name Resolution
3161 https://tools.ietf.org/html/rfc4795
3162 3. Multicast DNS
3164 https://tools.ietf.org/html/rfc6762
3165 4. DNS-over-TLS
3167 https://tools.ietf.org/html/rfc7858
3168 5. DNSSEC
3170 https://tools.ietf.org/html/rfc4033
3171 6. IEEE 802.1AB-2016
3173 https://standards.ieee.org/findstds/standard/802.1AB-2016.html
3174 7. ip-sysctl.txt
3176 https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
3177 8. RFC 4941
3179 https://tools.ietf.org/html/rfc4941
3180 9. RFC 1027
3182 https://tools.ietf.org/html/rfc1027
3183 10. RFC 6275
3185 https://tools.ietf.org/html/rfc6275
3186 11. RFC 5227
3188 https://tools.ietf.org/html/rfc5227
3189 12. RFC 4862
3191 https://tools.ietf.org/html/rfc4862
3192 13. RFC 3041
3194 https://tools.ietf.org/html/rfc3041
3195 14. RFC 3484
3197 https://tools.ietf.org/html/rfc3484
3198 15. RFC 4191
3200 https://tools.ietf.org/html/rfc4191
3201 16. RFC 8520
3203 https://tools.ietf.org/html/rfc8520
3204 17. RFC 7844
3206 https://tools.ietf.org/html/rfc7844
3207 18. C-style escapes
3209 https://en.wikipedia.org/wiki/Escape_sequences_in_C#Table_of_escape_sequences
3210 19. RFC 7084
3212 https://tools.ietf.org/html/rfc7084
3213 20. RFC 3315
3215 https://tools.ietf.org/html/rfc3315#section-17.2.1
3216 21. RFC 4291
3218 https://tools.ietf.org/html/rfc4291#section-2.5.4
3219 22. RFC 1542
3221 https://tools.ietf.org/html/rfc1542
3222 23. RFC 4861
3224 https://tools.ietf.org/html/rfc4861
3225systemd 249 SYSTEMD.NETWORK(5)