SYSTEMD.NETDEV(5)               systemd.network              SYSTEMD.NETDEV(5)

NAME

       systemd.netdev - Virtual Network Device configuration

SYNOPSIS

       netdev.netdev

DESCRIPTION

       A plain ini-style text file that encodes configuration about a virtual
       network device, used by systemd-networkd(8). See systemd.syntax(7) for
       a general description of the syntax.

       The main Virtual Network Device file must have the extension .netdev;
       other extensions are ignored. Virtual network devices are created as
       soon as networkd is started. If a netdev with the specified name
       already exists, networkd will use that as-is rather than create its
       own. Note that the settings of the pre-existing netdev will not be
       changed by networkd.

       The .netdev files are read from the files located in the system network
       directory /usr/lib/systemd/network, the volatile runtime network
       directory /run/systemd/network and the local administration network
       directory /etc/systemd/network. All configuration files are
       collectively sorted and processed in lexical order, regardless of the
       directories in which they live. However, files with identical filenames
       replace each other. Files in /etc/ have the highest priority, files in
       /run/ take precedence over files with the same name in /usr/lib/. This
       can be used to override a system-supplied configuration file with a
       local file if needed. As a special case, an empty file (file size 0) or
       symlink with the same name pointing to /dev/null disables the
       configuration file entirely (it is "masked").

       Along with the netdev file foo.netdev, a "drop-in" directory
       foo.netdev.d/ may exist. All files with the suffix ".conf" from this
       directory will be merged in alphanumeric order and parsed after the
       main file itself has been parsed. This is useful to alter or add
       configuration settings, without having to modify the main configuration
       file. Each drop-in file must have appropriate section headers.

       In addition to /etc/systemd/network, drop-in ".d" directories can be
       placed in /usr/lib/systemd/network or /run/systemd/network directories.
       Drop-in files in /etc/ take precedence over those in /run/ which in
       turn take precedence over those in /usr/lib/. Drop-in files under any
       of these directories take precedence over the main netdev file wherever
       located. (Of course, since /run/ is temporary and /usr/lib/ is for
       vendors, it is unlikely drop-ins should be used in either of those
       places.)
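
       Added example (not part of the systemd documentation or code): a
       Python sketch that applies the precedence, masking and drop-in rules
       described above to report which file wins for each .netdev name and
       in what order it and its drop-ins are parsed. The function names, the
       EffectiveNetdev record and the sample tree are assumptions made for
       this illustration.

```python
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Search directories from lowest to highest priority, as listed above.
SEARCH_DIRS = ["/usr/lib/systemd/network", "/run/systemd/network",
               "/etc/systemd/network"]


@dataclass
class EffectiveNetdev:
    name: str          # file name, e.g. "10-br0.netdev"
    main: Path         # the copy that wins
    masked: bool       # empty file or symlink to /dev/null
    shadowed: list     # lower-priority copies that were replaced
    parse_order: list  # main file followed by its drop-ins ([] if masked)


def is_masked(path):
    """An empty file or a symlink to /dev/null disables the configuration."""
    if os.path.realpath(path) == "/dev/null":
        return True
    return path.is_file() and path.stat().st_size == 0


def resolve_netdevs(search_dirs=SEARCH_DIRS):
    candidates = {}  # file name -> copies found, lowest priority first
    dropins = {}     # file name -> {drop-in name: winning Path}
    for directory in map(Path, search_dirs):
        if not directory.is_dir():
            continue
        for entry in sorted(directory.iterdir()):
            if entry.name.endswith(".netdev") and not entry.is_dir():
                candidates.setdefault(entry.name, []).append(entry)
            elif entry.name.endswith(".netdev.d") and entry.is_dir():
                slot = dropins.setdefault(entry.name[:-len(".d")], {})
                for conf in entry.glob("*.conf"):
                    slot[conf.name] = conf  # later directory replaces same name
    result = []
    for name in sorted(candidates):  # lexical order across all directories
        *shadowed, main = candidates[name]
        masked = is_masked(main)
        order = []
        if not masked:
            confs = dropins.get(name, {})
            order = [main] + [confs[k] for k in sorted(confs)]
        result.append(EffectiveNetdev(name, main, masked, shadowed, order))
    return result


def build_sample_tree(root):
    """Constructed sample: usr/, run/ and etc/ stand in for the real paths."""
    usr, run, etc = (Path(root) / d for d in ("usr", "run", "etc"))
    files = {
        usr / "10-br0.netdev": "[NetDev]\nName=br0\nKind=bridge\n",
        etc / "10-br0.netdev": "[NetDev]\nName=br0\nKind=bridge\n[Bridge]\nSTP=yes\n",
        usr / "20-vx.netdev": "[NetDev]\nName=vx0\nKind=vxlan\n",
        usr / "30-wg.netdev": "[NetDev]\nName=wg0\nKind=wireguard\n",
        usr / "30-wg.netdev.d" / "50-key.conf": "[NetDev]\nMTUBytes=1400\n",
        run / "30-wg.netdev.d" / "10-mtu.conf": "[NetDev]\nMTUBytes=1380\n",
        etc / "30-wg.netdev.d" / "50-key.conf": "[NetDev]\nMTUBytes=1420\n",
        etc / "40-off.netdev": "",  # masked: file size 0
    }
    for path, body in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    (run / "20-vx.netdev").symlink_to("/dev/null")  # masked: /dev/null symlink
    return [usr, run, etc]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for item in resolve_netdevs(build_sample_tree(tmp)):
            state = "MASKED" if item.masked else "active"
            print(f"{item.name}: {state}, winner {item.main}")
            for old in item.shadowed:
                print(f"    replaces {old}")
            for step in item.parse_order[1:]:
                print(f"    drop-in  {step}")
```

       When reviewing a host, a winner or drop-in that comes from /run/ or
       /etc/ and replaces a vendor file is the change to look at first.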

SUPPORTED NETDEV KINDS

       The following kinds of virtual network devices may be configured in
       .netdev files:

       Table 1. Supported kinds of virtual network devices
       ┌──────────┬────────────────────────────┐
       │Kind      │ Description                │
       ├──────────┼────────────────────────────┤
       │bond      │ A bond device is an        │
       │          │ aggregation of all its     │
       │          │ slave devices. See Linux   │
       │          │ Ethernet Bonding Driver    │
       │          │ HOWTO[1] for details.      │
       ├──────────┼────────────────────────────┤
       │bridge    │ A bridge device is a       │
       │          │ software switch, and each  │
       │          │ of its slave devices and   │
       │          │ the bridge itself are      │
       │          │ ports of the switch.       │
       ├──────────┼────────────────────────────┤
       │dummy     │ A dummy device drops all   │
       │          │ packets sent to it.        │
       ├──────────┼────────────────────────────┤
       │gre       │ A Level 3 GRE tunnel over  │
       │          │ IPv4. See RFC 2784[2] for  │
       │          │ details.                   │
       ├──────────┼────────────────────────────┤
       │gretap    │ A Level 2 GRE tunnel over  │
       │          │ IPv4.                      │
       ├──────────┼────────────────────────────┤
       │erspan    │ ERSPAN mirrors traffic on  │
       │          │ one or more source ports   │
       │          │ and delivers the mirrored  │
       │          │ traffic to one or more     │
       │          │ destination ports on       │
       │          │ another switch. The        │
       │          │ traffic is encapsulated in │
       │          │ generic routing            │
       │          │ encapsulation (GRE) and is │
       │          │ therefore routable across  │
       │          │ a layer 3 network between  │
       │          │ the source switch and the  │
       │          │ destination switch.        │
       ├──────────┼────────────────────────────┤
       │ip6gre    │ A Level 3 GRE tunnel over  │
       │          │ IPv6.                      │
       ├──────────┼────────────────────────────┤
       │ip6tnl    │ An IPv4 or IPv6 tunnel     │
       │          │ over IPv6.                 │
       ├──────────┼────────────────────────────┤
       │ip6gretap │ A Level 2 GRE tunnel over  │
       │          │ IPv6.                      │
       ├──────────┼────────────────────────────┤
       │ipip      │ An IPv4 over IPv4 tunnel.  │
       ├──────────┼────────────────────────────┤
       │ipvlan    │ An IPVLAN device is a      │
       │          │ stacked device which       │
       │          │ receives packets from its  │
       │          │ underlying device based on │
       │          │ IP address filtering.      │
       ├──────────┼────────────────────────────┤
       │ipvtap    │ An IPVTAP device is a      │
       │          │ stacked device which       │
       │          │ receives packets from its  │
       │          │ underlying device based on │
       │          │ IP address filtering and   │
       │          │ can be accessed using the  │
       │          │ tap user space interface.  │
       ├──────────┼────────────────────────────┤
       │macvlan   │ A macvlan device is a      │
       │          │ stacked device which       │
       │          │ receives packets from its  │
       │          │ underlying device based on │
       │          │ MAC address filtering.     │
       ├──────────┼────────────────────────────┤
       │macvtap   │ A macvtap device is a      │
       │          │ stacked device which       │
       │          │ receives packets from its  │
       │          │ underlying device based on │
       │          │ MAC address filtering.     │
       ├──────────┼────────────────────────────┤
       │sit       │ An IPv6 over IPv4 tunnel.  │
       ├──────────┼────────────────────────────┤
       │tap       │ A persistent Level 2       │
       │          │ tunnel between a network   │
       │          │ device and a device node.  │
       ├──────────┼────────────────────────────┤
       │tun       │ A persistent Level 3       │
       │          │ tunnel between a network   │
       │          │ device and a device node.  │
       ├──────────┼────────────────────────────┤
       │veth      │ An Ethernet tunnel between │
       │          │ a pair of network devices. │
       ├──────────┼────────────────────────────┤
       │vlan      │ A VLAN is a stacked device │
       │          │ which receives packets     │
       │          │ from its underlying device │
       │          │ based on VLAN tagging. See │
       │          │ IEEE 802.1Q[3] for         │
       │          │ details.                   │
       ├──────────┼────────────────────────────┤
       │vti       │ An IPv4 over IPSec tunnel. │
       ├──────────┼────────────────────────────┤
       │vti6      │ An IPv6 over IPSec tunnel. │
       ├──────────┼────────────────────────────┤
       │vxlan     │ A virtual extensible LAN   │
       │          │ (vxlan), for connecting    │
       │          │ Cloud computing            │
       │          │ deployments.               │
       ├──────────┼────────────────────────────┤
       │geneve    │ A GEneric NEtwork          │
       │          │ Virtualization             │
       │          │ Encapsulation (GENEVE)     │
       │          │ netdev driver.             │
       ├──────────┼────────────────────────────┤
       │l2tp      │ A Layer 2 Tunneling        │
       │          │ Protocol (L2TP) is a       │
       │          │ tunneling protocol used to │
       │          │ support virtual private    │
       │          │ networks (VPNs) or as part │
       │          │ of the delivery of         │
       │          │ services by ISPs. It does  │
       │          │ not provide any encryption │
       │          │ or confidentiality by      │
       │          │ itself.                    │
       ├──────────┼────────────────────────────┤
       │macsec    │ Media Access Control       │
       │          │ Security (MACsec) is an    │
       │          │ 802.1AE IEEE               │
       │          │ industry-standard security │
       │          │ technology that provides   │
       │          │ secure communication for   │
       │          │ all traffic on Ethernet    │
       │          │ links. MACsec provides     │
       │          │ point-to-point security on │
       │          │ Ethernet links between     │
       │          │ directly connected nodes   │
       │          │ and is capable of          │
       │          │ identifying and preventing │
       │          │ most security threats.     │
       ├──────────┼────────────────────────────┤
       │vrf       │ A Virtual Routing and      │
       │          │ Forwarding (VRF[4])        │
       │          │ interface to create        │
       │          │ separate routing and       │
       │          │ forwarding domains.        │
       ├──────────┼────────────────────────────┤
       │vcan      │ The virtual CAN driver     │
       │          │ (vcan). Similar to the     │
       │          │ network loopback devices,  │
       │          │ vcan offers a virtual      │
       │          │ local CAN interface.       │
       ├──────────┼────────────────────────────┤
       │vxcan     │ The virtual CAN tunnel     │
       │          │ driver (vxcan). Similar to │
       │          │ the virtual ethernet       │
       │          │ driver veth, vxcan         │
       │          │ implements a local CAN     │
       │          │ traffic tunnel between two │
       │          │ virtual CAN network        │
       │          │ devices. When creating a   │
       │          │ vxcan, two vxcan devices   │
       │          │ are created as a pair.     │
       │          │ When one end receives the  │
       │          │ packet it appears on its   │
       │          │ pair and vice versa. The   │
       │          │ vxcan can be used for      │
       │          │ cross namespace            │
       │          │ communication.             │
       ├──────────┼────────────────────────────┤
       │wireguard │ WireGuard Secure Network   │
       │          │ Tunnel.                    │
       ├──────────┼────────────────────────────┤
       │nlmon     │ A Netlink monitor device.  │
       │          │ Use an nlmon device when   │
       │          │ you want to monitor system │
       │          │ Netlink messages.          │
       ├──────────┼────────────────────────────┤
       │fou       │ Foo-over-UDP tunneling.    │
       ├──────────┼────────────────────────────┤
       │xfrm      │ A virtual tunnel interface │
       │          │ like vti/vti6 but with     │
       │          │ several advantages.        │
       ├──────────┼────────────────────────────┤
       │ifb       │ The Intermediate           │
       │          │ Functional Block (ifb)     │
       │          │ pseudo network interface   │
       │          │ acts as a QoS concentrator │
       │          │ for multiple different     │
       │          │ sources of traffic.        │
       ├──────────┼────────────────────────────┤
       │bareudp   │ Bare UDP tunnels provide a │
       │          │ generic L3 encapsulation   │
       │          │ support for tunnelling     │
       │          │ different L3 protocols     │
       │          │ like MPLS, IP etc. inside  │
       │          │ of an UDP tunnel.          │
       ├──────────┼────────────────────────────┤
       │batadv    │ B.A.T.M.A.N. Advanced[5]   │
       │          │ is a routing protocol for  │
       │          │ multi-hop mobile ad-hoc    │
       │          │ networks which operates on │
       │          │ layer 2.                   │
       ├──────────┼────────────────────────────┤
       │ipoib     │ An IP over Infiniband      │
       │          │ subinterface.              │
       └──────────┴────────────────────────────┘

[MATCH] SECTION OPTIONS

       A virtual network device is only created if the [Match] section matches
       the current environment, or if the section is empty. The following keys
       are accepted:

       Host=
           Matches against the hostname or machine ID of the host. See
           ConditionHost= in systemd.unit(5) for details. When prefixed with
           an exclamation mark ("!"), the result is negated. If an empty
           string is assigned, then the previously assigned value is cleared.

       Virtualization=
           Checks whether the system is executed in a virtualized environment
           and optionally tests whether it is a specific implementation. See
           ConditionVirtualization= in systemd.unit(5) for details. When
           prefixed with an exclamation mark ("!"), the result is negated. If
           an empty string is assigned, then the previously assigned value is
           cleared.

       KernelCommandLine=
           Checks whether a specific kernel command line option is set. See
           ConditionKernelCommandLine= in systemd.unit(5) for details. When
           prefixed with an exclamation mark ("!"), the result is negated. If
           an empty string is assigned, then the previously assigned value is
           cleared.

       KernelVersion=
           Checks whether the kernel version (as reported by uname -r) matches
           a certain expression. See ConditionKernelVersion= in
           systemd.unit(5) for details. When prefixed with an exclamation mark
           ("!"), the result is negated. If an empty string is assigned, then
           the previously assigned value is cleared.

       Architecture=
           Checks whether the system is running on a specific architecture.
           See ConditionArchitecture= in systemd.unit(5) for details. When
           prefixed with an exclamation mark ("!"), the result is negated. If
           an empty string is assigned, then the previously assigned value is
           cleared.

       Firmware=
           Checks whether the system is running on a machine with the
           specified firmware. See ConditionFirmware= in systemd.unit(5) for
           details. When prefixed with an exclamation mark ("!"), the result
           is negated. If an empty string is assigned, then the previously
           assigned value is cleared.

[NETDEV] SECTION OPTIONS

       The [NetDev] section accepts the following keys:

       Description=
           A free-form description of the netdev.

       Name=
           The interface name used when creating the netdev. This setting is
           compulsory.

       Kind=
           The netdev kind. This setting is compulsory. See the "Supported
           netdev kinds" section for the valid keys.

       MTUBytes=
           The maximum transmission unit in bytes to set for the device. The
           usual suffixes K, M, G are supported and are understood to the base
           of 1024. For "tun" or "tap" devices, the MTUBytes= setting is not
           currently supported in the [NetDev] section. Please specify it in
           the [Link] section of the corresponding systemd.network(5) files.

       MACAddress=
           Specifies the MAC address to use for the device, or takes the
           special value "none". When "none", systemd-networkd does not
           request the MAC address for the device, and the kernel will assign
           a random MAC address. For "tun", "tap", or "l2tp" devices, the
           MACAddress= setting in the [NetDev] section is not supported and
           will be ignored. Please specify it in the [Link] section of the
           corresponding systemd.network(5) file. If this option is not set,
           a "vlan" device inherits the MAC address of the master interface.
           For other kinds of netdevs, if this option is not set, then the
           MAC address is generated based on the interface name and the
           machine-id(5).

           Note, even if "none" is specified, systemd-udevd will assign the
           persistent MAC address for the device, as 99-default.link has
           MACAddressPolicy=persistent. So, it is also necessary to create a
           custom .link file for the device, if the MAC address assignment is
           not desired.

[BRIDGE] SECTION OPTIONS

       The [Bridge] section only applies for netdevs of kind "bridge", and
       accepts the following keys:

       HelloTimeSec=
           HelloTimeSec specifies the number of seconds between two hello
           packets sent out by the root bridge and the designated bridges.
           Hello packets are used to communicate information about the
           topology throughout the entire bridged local area network.

       MaxAgeSec=
           MaxAgeSec specifies the number of seconds of maximum message age.
           If the last seen (received) hello packet is more than this number
           of seconds old, the bridge in question will start the takeover
           procedure in an attempt to become the Root Bridge itself.

       ForwardDelaySec=
           ForwardDelaySec specifies the number of seconds spent in each of
           the Listening and Learning states before the Forwarding state is
           entered.

       AgeingTimeSec=
           This specifies the number of seconds a MAC address will be kept in
           the forwarding database after a packet has been received from this
           MAC address.

       Priority=
           The priority of the bridge. An integer between 0 and 65535. A lower
           value means higher priority. The bridge having the lowest priority
           will be elected as root bridge.

       GroupForwardMask=
           A 16-bit bitmask represented as an integer which allows forwarding
           of link local frames with 802.1D reserved addresses
           (01:80:C2:00:00:0X). A logical AND is performed between the
           specified bitmask and 2^X, where X is the lower nibble of the last
           octet of the MAC address. For example, a value of 8 would allow
           forwarding of frames addressed to 01:80:C2:00:00:03 (802.1X PAE).

       DefaultPVID=
           This specifies the default port VLAN ID of a newly attached bridge
           port. Set this to an integer in the range 1...4094 or "none" to
           disable the PVID.

       MulticastQuerier=
           Takes a boolean. This setting controls the IFLA_BR_MCAST_QUERIER
           option in the kernel. If enabled, the kernel will send general ICMP
           queries from a zero source address. This feature should allow
           faster convergence on startup, but it causes some multicast-aware
           switches to misbehave and disrupt forwarding of multicast packets.
           When unset, the kernel's default will be used.

       MulticastSnooping=
           Takes a boolean. This setting controls the IFLA_BR_MCAST_SNOOPING
           option in the kernel. If enabled, IGMP snooping monitors the
           Internet Group Management Protocol (IGMP) traffic between hosts and
           multicast routers. When unset, the kernel's default will be used.

       VLANFiltering=
           Takes a boolean. This setting controls the IFLA_BR_VLAN_FILTERING
           option in the kernel. If enabled, the bridge will be started in
           VLAN-filtering mode. When unset, the kernel's default will be used.

       VLANProtocol=
           Allows setting the protocol used for VLAN filtering. Takes "802.1q"
           or "802.1ad". Defaults to unset, in which case the kernel's default
           is used.

       STP=
           Takes a boolean. This enables the bridge's Spanning Tree Protocol
           (STP). When unset, the kernel's default will be used.

       MulticastIGMPVersion=
           Allows changing the bridge's multicast Internet Group Management
           Protocol (IGMP) version. Takes an integer 2 or 3. When unset, the
           kernel's default will be used.
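
       Added example (not part of the systemd documentation or code): a
       Python check of a bridge .netdev against the ranges given in this
       section, which also decodes GroupForwardMask= into the reserved group
       addresses the bridge would forward. The function names and the sample
       file are constructed for illustration; only the 802.1X PAE label is
       taken from this page, the other address labels are added here.

```python
import configparser

# Labels for well-known 802.1D reserved group addresses, keyed by the lower
# nibble X of 01:80:C2:00:00:0X. Only 0x3 is named on the man page.
RESERVED_NAMES = {
    0x0: "STP BPDU",
    0x1: "802.3x MAC pause",
    0x2: "slow protocols (LACP)",
    0x3: "802.1X PAE",
    0xE: "LLDP",
}

# Constructed sample input, not taken from a real host.
SAMPLE_NETDEV = """\
[NetDev]
Name=br0
Kind=bridge

[Bridge]
Priority=70000
DefaultPVID=none
GroupForwardMask=16392
VLANFiltering=yes
"""


def forwarded_groups(mask):
    """Return (address, label) for every X whose bit 2^X is set in the mask."""
    if not 0 <= mask <= 0xFFFF:
        raise ValueError("GroupForwardMask is a 16-bit bitmask")
    return [(f"01:80:C2:00:00:0{x:X}", RESERVED_NAMES.get(x, "reserved"))
            for x in range(16) if mask & (1 << x)]


def parse_netdev(text):
    """Parse ini-style .netdev text, keeping the case of keys such as Kind."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    parser.optionxform = str
    parser.read_string(text)
    return parser


def audit_bridge(text):
    """Return a list of findings for the [NetDev] and [Bridge] sections."""
    parser = parse_netdev(text)
    findings = []
    netdev = parser["NetDev"] if parser.has_section("NetDev") else {}
    for key in ("Name", "Kind"):
        if not netdev.get(key):
            findings.append(f"[NetDev] {key}= is compulsory but missing")
    if netdev.get("Kind") != "bridge":
        return findings  # [Bridge] only applies to netdevs of kind "bridge"

    bridge = parser["Bridge"] if parser.has_section("Bridge") else {}
    if "Priority" in bridge and not 0 <= int(bridge["Priority"]) <= 65535:
        findings.append(
            f"[Bridge] Priority={bridge['Priority']} is outside 0...65535")
    pvid = bridge.get("DefaultPVID", "")
    if pvid not in ("", "none") and not 1 <= int(pvid) <= 4094:
        findings.append(f"[Bridge] DefaultPVID={pvid} is outside 1...4094")
    igmp = bridge.get("MulticastIGMPVersion")
    if igmp is not None and igmp not in ("2", "3"):
        findings.append(f"[Bridge] MulticastIGMPVersion={igmp} is not 2 or 3")
    if "GroupForwardMask" in bridge:
        for addr, label in forwarded_groups(int(bridge["GroupForwardMask"])):
            findings.append(f"GroupForwardMask forwards {addr} ({label})")
    # Settings that silently fall back to the kernel default when unset.
    for key in ("STP", "VLANFiltering", "MulticastSnooping"):
        if key not in bridge:
            findings.append(f"[Bridge] {key}= unset, kernel default applies")
    return findings


if __name__ == "__main__":
    for line in audit_bridge(SAMPLE_NETDEV):
        print(line)
```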

[VLAN] SECTION OPTIONS

       The [VLAN] section only applies for netdevs of kind "vlan", and accepts
       the following keys:

       Id=
           The VLAN ID to use. An integer in the range 0...4094. This setting
           is compulsory.

       Protocol=
           Allows setting the protocol used for the VLAN interface. Takes
           "802.1q" or "802.1ad". Defaults to unset, in which case the
           kernel's default is used.

       GVRP=
           Takes a boolean. The Generic VLAN Registration Protocol (GVRP) is a
           protocol that allows automatic learning of VLANs on a network. When
           unset, the kernel's default will be used.

       MVRP=
           Takes a boolean. Multiple VLAN Registration Protocol (MVRP),
           formerly known as GARP VLAN Registration Protocol (GVRP), is a
           standards-based Layer 2 network protocol, for automatic
           configuration of VLAN information on switches. It was defined in
           the 802.1ak amendment to 802.1Q-2005. When unset, the kernel's
           default will be used.

       LooseBinding=
           Takes a boolean. The VLAN loose binding mode, in which only the
           operational state is passed from the parent to the associated
           VLANs, but the VLAN device state is not changed. When unset, the
           kernel's default will be used.

       ReorderHeader=
           Takes a boolean. When enabled, the VLAN reorder header is used and
           VLAN interfaces behave like physical interfaces. When unset, the
           kernel's default will be used.

       EgressQOSMaps=, IngressQOSMaps=
           Defines a mapping of Linux internal packet priority (SO_PRIORITY)
           to VLAN header PCP field for outgoing and incoming frames,
           respectively. Takes a whitespace-separated list of integer pairs,
           where each integer must be in the range 1...4294967294, in the
           format "from"-"to", e.g., "21-7 45-5". Note that "from" must be
           greater than or equal to "to". When unset, the kernel's default
           will be used.

[MACVLAN] SECTION OPTIONS

       The [MACVLAN] section only applies for netdevs of kind "macvlan", and
       accepts the following keys:

       Mode=
           The MACVLAN mode to use. The supported options are "private",
           "vepa", "bridge", "passthru", and "source".

       SourceMACAddress=
           A whitespace-separated list of remote hardware addresses allowed on
           the MACVLAN. This option only has an effect in source mode. Use
           full colon-, hyphen- or dot-delimited hexadecimal. This option may
           appear more than once, in which case the lists are merged. If the
           empty string is assigned to this option, the list of hardware
           addresses defined prior to this is reset. Defaults to unset.

       BroadcastMulticastQueueLength=
           Specifies the length of the receive queue for broadcast/multicast
           packets. An unsigned integer in the range 0...4294967294. Defaults
           to unset.

[MACVTAP] SECTION OPTIONS

       The [MACVTAP] section applies for netdevs of kind "macvtap" and accepts
       the same keys as [MACVLAN].

[IPVLAN] SECTION OPTIONS

       The [IPVLAN] section only applies for netdevs of kind "ipvlan", and
       accepts the following keys:

       Mode=
           The IPVLAN mode to use. The supported options are "L2", "L3" and
           "L3S".

       Flags=
           The IPVLAN flags to use. The supported options are "bridge",
           "private" and "vepa".

[IPVTAP] SECTION OPTIONS

       The [IPVTAP] section only applies for netdevs of kind "ipvtap" and
       accepts the same keys as [IPVLAN].

[VXLAN] SECTION OPTIONS

       The [VXLAN] section only applies for netdevs of kind "vxlan", and
       accepts the following keys:

       VNI=
           The VXLAN Network Identifier (or VXLAN Segment ID). Takes a number
           in the range 1...16777215.

       Remote=
           Configures the destination IP address.

       Local=
           Configures the local IP address.

       Group=
           Configures the VXLAN multicast group IP address. All members of a
           VXLAN must use the same multicast group address.

       TOS=
           The Type Of Service byte value for a vxlan interface.

       TTL=
           A fixed Time To Live N on Virtual eXtensible Local Area Network
           packets. Takes "inherit" or a number in the range 0...255. 0 is a
           special value meaning inherit the inner protocol's TTL value.
           "inherit" means that it will inherit the outer protocol's TTL
           value.

       MacLearning=
           Takes a boolean. When true, enables dynamic MAC learning to
           discover remote MAC addresses.

       FDBAgeingSec=
           The lifetime of a Forwarding Database entry learnt by the kernel,
           in seconds.

       MaximumFDBEntries=
           Configures the maximum number of FDB entries.

       ReduceARPProxy=
           Takes a boolean. When true, bridge-connected VXLAN tunnel endpoint
           answers ARP requests from the local bridge on behalf of remote
           Distributed Overlay Virtual Ethernet (DOVE)[6] clients. Defaults to
           false.

       L2MissNotification=
           Takes a boolean. When true, enables netlink LLADDR miss
           notifications.

       L3MissNotification=
           Takes a boolean. When true, enables netlink IP address miss
           notifications.

       RouteShortCircuit=
           Takes a boolean. When true, route short circuiting is turned on.

       UDPChecksum=
           Takes a boolean. When true, transmitting UDP checksums when doing
           VXLAN/IPv4 is turned on.

       UDP6ZeroChecksumTx=
           Takes a boolean. When true, sending zero checksums in VXLAN/IPv6 is
           turned on.

       UDP6ZeroChecksumRx=
           Takes a boolean. When true, receiving zero checksums in VXLAN/IPv6
           is turned on.

       RemoteChecksumTx=
           Takes a boolean. When true, remote transmit checksum offload of
           VXLAN is turned on.

       RemoteChecksumRx=
           Takes a boolean. When true, remote receive checksum offload in
           VXLAN is turned on.

       GroupPolicyExtension=
           Takes a boolean. When true, it enables Group Policy VXLAN extension
           security label mechanism across network peers based on VXLAN. For
           details about the Group Policy VXLAN, see the VXLAN Group Policy[7]
           document. Defaults to false.

       GenericProtocolExtension=
           Takes a boolean. When true, Generic Protocol Extension extends the
           existing VXLAN protocol to provide protocol typing, OAM, and
           versioning capabilities. For details about the VXLAN GPE Header,
           see the Generic Protocol Extension for VXLAN[8] document. If the
           destination port is not specified and Generic Protocol Extension is
           set, then the default port of 4790 is used. Defaults to false.

       DestinationPort=
           Configures the default destination UDP port. If the destination
           port is not specified then the Linux kernel default will be used.
           Set to 4789 to get the IANA assigned value.

       PortRange=
           Configures the source port range for the VXLAN. The kernel assigns
           the source UDP port based on the flow to help the receiver to do
           load balancing. When this option is not set, the normal range of
           local UDP ports is used.

       FlowLabel=
           Specifies the flow label to use in outgoing packets. The valid
           range is 0-1048575.

       IPDoNotFragment=
           Allows setting the IPv4 Do not Fragment (DF) bit in outgoing
           packets, or to inherit its value from the IPv4 inner header. Takes
           a boolean value, or "inherit". Set to "inherit" if the encapsulated
           protocol is IPv6. When unset, the kernel's default will be used.

       Independent=
           Takes a boolean. When true, the vxlan interface is created without
           any underlying network interface. Defaults to false, which means
           that a .network file that requests this VXLAN interface using
           VXLAN= is required for the VXLAN to be created.

[GENEVE] SECTION OPTIONS

       The [GENEVE] section only applies for netdevs of kind "geneve", and
       accepts the following keys:

       Id=
           Specifies the Virtual Network Identifier (VNI) to use, a number
           between 0 and 16777215. This field is mandatory.

       Remote=
           Specifies the unicast destination IP address to use in outgoing
           packets.

       TOS=
           Specifies the TOS value to use in outgoing packets. Takes a number
           between 1 and 255.

       TTL=
           Accepts the same values as in the [VXLAN] section, except that when
           unset or set to 0, the kernel's default will be used, meaning that
           packet TTL will be set from /proc/sys/net/ipv4/ip_default_ttl.

       UDPChecksum=
           Takes a boolean. When true, specifies that UDP checksum is
           calculated for transmitted packets over IPv4.

       UDP6ZeroChecksumTx=
           Takes a boolean. When true, skip UDP checksum calculation for
           transmitted packets over IPv6.

       UDP6ZeroChecksumRx=
           Takes a boolean. When true, allows incoming UDP packets over IPv6
           with zero checksum field.

       DestinationPort=
           Specifies the destination port. Defaults to 6081. If not set or
           assigned the empty string, the default port of 6081 is used.

       FlowLabel=
           Specifies the flow label to use in outgoing packets.

       IPDoNotFragment=
           Accepts the same key as in the [VXLAN] section.

[BAREUDP] SECTION OPTIONS

       The [BareUDP] section only applies for netdevs of kind "bareudp", and
       accepts the following keys:

       DestinationPort=
           Specifies the destination UDP port (in range 1...65535). This is
           mandatory.

       EtherType=
           Specifies the L3 protocol. Takes one of "ipv4", "ipv6", "mpls-uc"
           or "mpls-mc". This is mandatory.

[L2TP] SECTION OPTIONS

       The [L2TP] section only applies for netdevs of kind "l2tp", and accepts
       the following keys:

       TunnelId=
           Specifies the tunnel identifier. Takes a number in the range
           1...4294967295. The value used must match the "PeerTunnelId=" value
           being used at the peer. This setting is compulsory.

       PeerTunnelId=
           Specifies the peer tunnel id. Takes a number in the range
           1...4294967295. The value used must match the "TunnelId=" value
           being used at the peer. This setting is compulsory.

       Remote=
           Specifies the IP address of the remote peer. This setting is
           compulsory.

       Local=
           Specifies the IP address of the local interface. Takes an IP
           address, or the special values "auto", "static", or "dynamic". When
           an address is set, then the local interface must have the address.
           If "auto", then one of the addresses on the local interface is
           used. Similarly, if "static" or "dynamic" is set, then one of the
           static or dynamic addresses on the local interface is used.
           Defaults to "auto".

       EncapsulationType=
           Specifies the encapsulation type of the tunnel. Takes one of "udp"
           or "ip".

       UDPSourcePort=
           Specifies the UDP source port to be used for the tunnel. When UDP
           encapsulation is selected it's mandatory. Ignored when IP
           encapsulation is selected.

       UDPDestinationPort=
           Specifies destination port. When UDP encapsulation is selected it's
           mandatory. Ignored when IP encapsulation is selected.

       UDPChecksum=
           Takes a boolean. When true, specifies that UDP checksum is
           calculated for transmitted packets over IPv4.

       UDP6ZeroChecksumTx=
           Takes a boolean. When true, skip UDP checksum calculation for
           transmitted packets over IPv6.

       UDP6ZeroChecksumRx=
           Takes a boolean. When true, allows incoming UDP packets over IPv6
           with zero checksum field.

[L2TPSESSION] SECTION OPTIONS

       The [L2TPSession] section only applies for netdevs of kind "l2tp", and
       accepts the following keys:

       Name=
           Specifies the name of the session. This setting is compulsory.

       SessionId=
           Specifies the session identifier. Takes a number in the range
           1...4294967295. The value used must match the "SessionId=" value
           being used at the peer. This setting is compulsory.

       PeerSessionId=
           Specifies the peer session identifier. Takes a number in the range
           1...4294967295. The value used must match the "PeerSessionId="
           value being used at the peer. This setting is compulsory.

       Layer2SpecificHeader=
           Specifies layer2specific header type of the session. One of "none"
           or "default". Defaults to "default".

[MACSEC] SECTION OPTIONS

       The [MACsec] section only applies for network devices of kind "macsec",
       and accepts the following keys:

       Port=
           Specifies the port to be used for the MACsec transmit channel. The
           port is used to make the secure channel identifier (SCI). Takes a
           value between 1 and 65535. Defaults to unset.

       Encrypt=
           Takes a boolean. When true, enable encryption. Defaults to unset.

[MACSECRECEIVECHANNEL] SECTION OPTIONS

       The [MACsecReceiveChannel] section only applies for network devices of
       kind "macsec", and accepts the following keys:

       Port=
           Specifies the port to be used for the MACsec receive channel. The
           port is used to make the secure channel identifier (SCI). Takes a
           value between 1 and 65535. This option is compulsory, and is not
           set by default.

       MACAddress=
           Specifies the MAC address to be used for the MACsec receive
           channel. The MAC address is used to make the secure channel
           identifier (SCI). This setting is compulsory, and is not set by
           default.

[MACSECTRANSMITASSOCIATION] SECTION OPTIONS

       The [MACsecTransmitAssociation] section only applies for network
       devices of kind "macsec", and accepts the following keys:

       PacketNumber=
           Specifies the packet number to be used for replay protection and
           the construction of the initialization vector (along with the
           secure channel identifier [SCI]). Takes a value between 1 and
           4,294,967,295. Defaults to unset.

       KeyId=
           Specifies the identification for the key. Takes a number between
           0 and 255. This option is compulsory, and is not set by default.

       Key=
           Specifies the encryption key used in the transmission channel. The
           same key must be configured on the peer’s matching receive channel.
           This setting is compulsory, and is not set by default. Takes a
           128-bit key encoded in a hexadecimal string, for example
           "dffafc8d7b9a43d5b9a3dfbbf6a30c16".

       KeyFile=
           Takes an absolute path to a file which contains a 128-bit key
           encoded in a hexadecimal string, which will be used in the
           transmission channel. When this option is specified, Key= is
           ignored. Note that the file must be readable by the user
           "systemd-network", so it should be, e.g., owned by
           "root:systemd-network" with a "0640" file mode. If the path refers
           to an AF_UNIX stream socket in the file system, a connection is
           made to it and the key is read from it.

       Activate=
           Takes a boolean. If enabled, then the security association is
           activated. Defaults to unset.

       UseForEncoding=
           Takes a boolean. If enabled, then the security association is used
           for encoding. Only one [MACsecTransmitAssociation] section can
           enable this option. When enabled, Activate=yes is implied. Defaults
           to unset.

[MACSECRECEIVEASSOCIATION] SECTION OPTIONS

       The [MACsecReceiveAssociation] section only applies for network devices
       of kind "macsec", and accepts the following keys:

       Port=
           Accepts the same key as in the [MACsecReceiveChannel] section.

       MACAddress=
           Accepts the same key as in the [MACsecReceiveChannel] section.

       PacketNumber=
           Accepts the same key as in the [MACsecTransmitAssociation] section.

       KeyId=
           Accepts the same key as in the [MACsecTransmitAssociation] section.

       Key=
           Accepts the same key as in the [MACsecTransmitAssociation] section.

       KeyFile=
           Accepts the same key as in the [MACsecTransmitAssociation] section.

       Activate=
           Accepts the same key as in the [MACsecTransmitAssociation] section.

[TUNNEL] SECTION OPTIONS

       The [Tunnel] section only applies for netdevs of kind "ipip", "sit",
       "gre", "gretap", "ip6gre", "ip6gretap", "vti", "vti6", "ip6tnl", and
       "erspan" and accepts the following keys:

       Local=
           A static local address for tunneled packets. It must be an address
           on another interface of this host, or the special value "any".

       Remote=
           The remote endpoint of the tunnel. Takes an IP address or the
           special value "any".

       TOS=
           The Type Of Service byte value for a tunnel interface. For details
           about the TOS, see the Type of Service in the Internet Protocol
           Suite[9] document.

       TTL=
           A fixed Time To Live N on tunneled packets. N is a number in the
           range 1...255. 0 is a special value meaning that packets inherit
           the TTL value. The default value for IPv4 tunnels is 0 (inherit).
           The default value for IPv6 tunnels is 64.

       DiscoverPathMTU=
           Takes a boolean. When true, enables Path MTU Discovery on the
           tunnel.

       IPv6FlowLabel=
           Configures the 20-bit flow label (see RFC 6437[10]) field in the
           IPv6 header (see RFC 2460[11]), which is used by a node to label
           packets of a flow. It is only used for IPv6 tunnels. A flow label
           of zero is used to indicate packets that have not been labeled. It
           can be configured to a value in the range 0...0xFFFFF, or be set to
           "inherit", in which case the original flowlabel is used.

       CopyDSCP=
           Takes a boolean. When true, the Differentiated Service Code Point
           (DSCP) field will be copied to the inner header from the outer
           header during the decapsulation of an IPv6 tunnel packet. DSCP is a
           field in an IP packet that enables different levels of service to
           be assigned to network traffic. Defaults to "no".

       EncapsulationLimit=
           The Tunnel Encapsulation Limit option specifies how many additional
           levels of encapsulation are permitted to be prepended to the
           packet. For example, a Tunnel Encapsulation Limit option containing
           a limit value of zero means that a packet carrying that option may
           not enter another tunnel before exiting the current tunnel (see
           RFC 2473[12]). The valid range is 0...255 and "none". Defaults to
           4.

       Key=
           The Key= parameter specifies the same key to use in both directions
           (InputKey= and OutputKey=). The Key= is either a number or an IPv4
           address-like dotted quad. It is used as mark-configured SAD/SPD
           entry as part of the lookup key (both in data and control path) in
           IP XFRM (framework used to implement IPsec protocol). See ip-xfrm —
           transform configuration[13] for details. It is only used for
           VTI/VTI6, GRE, GRETAP, and ERSPAN tunnels.

       InputKey=
           The InputKey= parameter specifies the key to use for input. The
           format is the same as Key=. It is only used for VTI/VTI6, GRE,
           GRETAP, and ERSPAN tunnels.

       OutputKey=
           The OutputKey= parameter specifies the key to use for output. The
           format is the same as Key=. It is only used for VTI/VTI6, GRE,
           GRETAP, and ERSPAN tunnels.

       Mode=
           An "ip6tnl" tunnel can be in one of three modes: "ip6ip6" for IPv6
           over IPv6, "ipip6" for IPv4 over IPv6, or "any" for either.

       Independent=
           Takes a boolean. When false (the default), the tunnel is always
           created over some network device, and a .network file that requests
           this tunnel using Tunnel= is required for the tunnel to be created.
           When true, the tunnel is created independently of any network as
           "tunnel@NONE".

       AssignToLoopback=
           Takes a boolean. If set to "yes", the loopback interface "lo" is
           used as the underlying device of the tunnel interface. Defaults to
           "no".

       AllowLocalRemote=
           Takes a boolean. When true, allows tunnel traffic on ip6tnl devices
           where the remote endpoint is a local host address. When unset, the
           kernel's default will be used.

       FooOverUDP=
           Takes a boolean. Specifies whether FooOverUDP= tunnel is to be
           configured. Defaults to false. This takes effect only for IPIP,
           SIT, GRE, and GRETAP tunnels. For more detailed information see
           Foo over UDP[14].

       FOUDestinationPort=
           This setting specifies the UDP destination port for encapsulation.
           This field is mandatory when FooOverUDP=yes, and is not set by
           default.

       FOUSourcePort=
           This setting specifies the UDP source port for encapsulation.
           Defaults to 0 — that is, the source port for packets is left to the
           network stack to decide.

       Encapsulation=
           Accepts the same key as in the [FooOverUDP] section.

       IPv6RapidDeploymentPrefix=
           Reconfigure the tunnel for IPv6 Rapid Deployment[15], also known as
           6rd. The value is an ISP-specific IPv6 prefix with a non-zero
           length. Only applicable to SIT tunnels.

       ISATAP=
           Takes a boolean. If set, configures the tunnel as Intra-Site
           Automatic Tunnel Addressing Protocol (ISATAP) tunnel. Only
           applicable to SIT tunnels. When unset, the kernel's default will be
           used.

       SerializeTunneledPackets=
           Takes a boolean. If set to yes, then packets are serialized. Only
           applies for GRE, GRETAP, and ERSPAN tunnels. When unset, the
           kernel's default will be used.

       ERSPANIndex=
           Specifies the ERSPAN index field for the interface, an integer in
           the range 1...1048575 associated with the ERSPAN traffic's source
           port and direction. This field is mandatory.

[FOOOVERUDP] SECTION OPTIONS

       The [FooOverUDP] section only applies for netdevs of kind "fou" and
       accepts the following keys:

       Encapsulation=
           Specifies the encapsulation mechanism used to store networking
           packets of various protocols inside the UDP packets. Supports the
           following values: "FooOverUDP" provides the simplest no-frills
           model of UDP encapsulation, it simply encapsulates packets directly
           in the UDP payload. "GenericUDPEncapsulation" is a generic and
           extensible encapsulation, it allows encapsulation of packets for
           any IP protocol and optional data as part of the encapsulation. For
           more detailed information see Generic UDP Encapsulation[16].
           Defaults to "FooOverUDP".

       Port=
           Specifies the port number where the encapsulated packets will
           arrive. Those packets will be removed and manually fed back into
           the network stack with the encapsulation removed to be sent to the
           real destination. This option is mandatory.

       PeerPort=
           Specifies the peer port number. Defaults to unset. Note that when
           peer port is set, "Peer=" address is mandatory.

       Protocol=
           The Protocol= specifies the protocol number of the packets arriving
           at the UDP port. When Encapsulation=FooOverUDP, this field is
           mandatory and is not set by default. Takes an IP protocol name such
           as "gre" or "ipip", or an integer within the range 1...255. When
           Encapsulation=GenericUDPEncapsulation, this must not be specified.

       Peer=
           Configures peer IP address. Note that when peer address is set,
           "PeerPort=" is mandatory.

       Local=
           Configures local IP address.

[PEER] SECTION OPTIONS

       The [Peer] section only applies for netdevs of kind "veth" and accepts
       the following keys:

       Name=
           The interface name used when creating the netdev. This setting is
           compulsory.

       MACAddress=
           The peer MACAddress. If not set, it is generated in the same way
           as the MAC address of the main interface.

[VXCAN] SECTION OPTIONS

       The [VXCAN] section only applies for netdevs of kind "vxcan" and
       accepts the following key:

       Peer=
           The peer interface name used when creating the netdev. This setting
           is compulsory.

[TUN] SECTION OPTIONS

       The [Tun] section only applies for netdevs of kind "tun", and accepts
       the following keys:

       MultiQueue=
           Takes a boolean. Configures whether to use multiple file
           descriptors (queues) to parallelize packets sending and receiving.
           Defaults to "no".

       PacketInfo=
           Takes a boolean. Configures whether packets should be prepended
           with four extra bytes (two flag bytes and two protocol bytes). If
           disabled, it indicates that the packets will be pure IP packets.
           Defaults to "no".

       VNetHeader=
           Takes a boolean. Configures IFF_VNET_HDR flag for a tun or tap
           device. It allows sending and receiving larger Generic Segmentation
           Offload (GSO) packets. This may increase throughput significantly.
           Defaults to "no".

       User=
           User to grant access to the /dev/net/tun device.

       Group=
           Group to grant access to the /dev/net/tun device.

[TAP] SECTION OPTIONS

       The [Tap] section only applies for netdevs of kind "tap", and accepts
       the same keys as the [Tun] section.

[WIREGUARD] SECTION OPTIONS

       The [WireGuard] section accepts the following keys:

       PrivateKey=
           The Base64 encoded private key for the interface. It can be
           generated using the wg genkey command (see wg(8)). This option or
           PrivateKeyFile= is mandatory to use WireGuard. Note that because
           this information is secret, you may want to set the permissions of
           the .netdev file to be owned by "root:systemd-network" with a
           "0640" file mode.

       PrivateKeyFile=
           Takes an absolute path to a file which contains the Base64 encoded
           private key for the interface. When this option is specified, then
           PrivateKey= is ignored. Note that the file must be readable by the
           user "systemd-network", so it should be, e.g., owned by
           "root:systemd-network" with a "0640" file mode. If the path refers
           to an AF_UNIX stream socket in the file system, a connection is
           made to it and the key is read from it.

       ListenPort=
           Sets UDP port for listening. Takes either a value between 1 and
           65535 or "auto". If "auto" is specified, the port is automatically
           generated based on interface name. Defaults to "auto".

       FirewallMark=
           Sets a firewall mark on outgoing WireGuard packets from this
           interface. Takes a number between 1 and 4294967295.

       RouteTable=
           The table identifier for the routes to the addresses specified in
           the AllowedIPs=. Takes a negative boolean value, one of the
           predefined names "default", "main", and "local", names defined in
           RouteTable= in networkd.conf(5), or a number in the range
           1...4294967295. When "off" the routes to the addresses specified in
           the AllowedIPs= setting will not be configured. Defaults to false.
           This setting will be ignored when the same setting is specified in
           the [WireGuardPeer] section.

       RouteMetric=
           The priority of the routes to the addresses specified in the
           AllowedIPs=. Takes an integer in the range 0...4294967295. Defaults
           to 0 for IPv4 addresses, and 1024 for IPv6 addresses. This setting
           will be ignored when the same setting is specified in the
           [WireGuardPeer] section.

[WIREGUARDPEER] SECTION OPTIONS

       The [WireGuardPeer] section accepts the following keys:

       PublicKey=
           Sets a Base64 encoded public key calculated by wg pubkey (see
           wg(8)) from a private key, and usually transmitted out of band to
           the author of the configuration file. This option is mandatory for
           this section.

       PresharedKey=
           Optional preshared key for the interface. It can be generated by
           the wg genpsk command. This option adds an additional layer of
           symmetric-key cryptography to be mixed into the already existing
           public-key cryptography, for post-quantum resistance. Note that
           because this information is secret, you may want to set the
           permissions of the .netdev file to be owned by
           "root:systemd-network" with a "0640" file mode.

       PresharedKeyFile=
           Takes an absolute path to a file which contains the Base64 encoded
           preshared key for the peer. When this option is specified, then
           PresharedKey= is ignored. Note that the file must be readable by
           the user "systemd-network", so it should be, e.g., owned by
           "root:systemd-network" with a "0640" file mode. If the path refers
           to an AF_UNIX stream socket in the file system, a connection is
           made to it and the key is read from it.

       AllowedIPs=
           Sets a comma-separated list of IP (v4 or v6) addresses with CIDR
           masks from which this peer is allowed to send incoming traffic and
           to which outgoing traffic for this peer is directed.

           The catch-all 0.0.0.0/0 may be specified for matching all IPv4
           addresses, and ::/0 may be specified for matching all IPv6
           addresses.

           Note that this only affects routing inside the network interface
           itself, i.e. the packets that pass through the tunnel itself. To
           cause packets to be sent via the tunnel in the first place, an
           appropriate route needs to be added as well — either in the
           "[Routes]" section on the ".network" matching the wireguard
           interface, or externally to systemd-networkd.

       Endpoint=
           Sets an endpoint IP address or hostname, followed by a colon, and
           then a port number. This endpoint will be updated automatically
           once to the most recent source IP address and port of correctly
           authenticated packets from the peer at configuration time.

       PersistentKeepalive=
           Sets an interval in seconds, between 1 and 65535 inclusive, of how
           often to send an authenticated empty packet to the peer for the
           purpose of keeping a stateful firewall or NAT mapping valid
           persistently. For example, if the interface very rarely sends
           traffic, but it might at any time receive traffic from a peer, and
           it is behind NAT, the interface might benefit from having a
           persistent keepalive interval of 25 seconds. If set to 0 or "off",
           this option is disabled. By default or when unspecified, this
           option is off. Most users will not need this.

       RouteTable=
           The table identifier for the routes to the addresses specified in
           the AllowedIPs=. Takes a negative boolean value, one of the
           predefined names "default", "main", and "local", names defined in
           RouteTable= in networkd.conf(5), or a number in the range
           1...4294967295. Defaults to unset, and the value specified in the
           same setting in the [WireGuard] section will be used.

       RouteMetric=
           The priority of the routes to the addresses specified in the
           AllowedIPs=. Takes an integer in the range 0...4294967295. Defaults
           to unset, and the value specified in the same setting in the
           [WireGuard] section will be used.
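
       The secret-handling notes for Key=/KeyFile= in the MACsec association
       sections and for PrivateKey=/PresharedKey= and their *File= variants
       in the WireGuard sections can be checked mechanically. The Python
       audit below is an added example, not part of systemd; the sample
       files, placeholder values and finding codes are constructed, and it
       checks file modes only (ownership by "root:systemd-network" is not
       verified).

```python
import os
import re
import stat
import tempfile

# Section -> (inline secret key, file-based alternative), as documented on the page.
SECRET_KEYS = {
    "WireGuard": ("PrivateKey", "PrivateKeyFile"),
    "WireGuardPeer": ("PresharedKey", "PresharedKeyFile"),
    "MACsecTransmitAssociation": ("Key", "KeyFile"),
    "MACsecReceiveAssociation": ("Key", "KeyFile"),
}
HEX_128 = re.compile(r"[0-9a-fA-F]{32}")  # MACsec Key=: 128 bits as hex
ALLOWED_MODE = 0o640                      # file mode the page suggests

# Constructed samples trimmed to what the audit reads; no value is a real key.
WG_SAMPLE = """\
[NetDev]
Name=wg0
Kind=wireguard
[WireGuard]
PrivateKey=CONSTRUCTED-PLACEHOLDER-NOT-A-KEY
[WireGuardPeer]
PublicKey=CONSTRUCTED-PLACEHOLDER-PEER-A
PresharedKeyFile={psk}
[WireGuardPeer]
PublicKey=CONSTRUCTED-PLACEHOLDER-PEER-B
PresharedKey=CONSTRUCTED-PLACEHOLDER-NOT-A-KEY
PresharedKeyFile=keys/peer-b.psk
"""
MACSEC_SAMPLE = """\
[NetDev]
Name=macsec0
Kind=macsec
[MACsecTransmitAssociation]
Key=dffafc8d7b9a43d5b9a3dfbbf6a30c16
[MACsecReceiveAssociation]
Key=dffafc8d
"""

def parse_netdev(text):
    """Return [(section, {key: value})]; repeated sections stay separate entries."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections and line[0] not in "#;":
            key, _, value = line.partition("=")
            sections[-1][1][key.strip()] = value.strip()
    return sections

def too_open(path):
    """True if a file has permission bits beyond 0640; AF_UNIX sockets pass."""
    st = os.stat(path)
    extra = stat.S_IMODE(st.st_mode) & ~ALLOWED_MODE
    return bool(extra) and not stat.S_ISSOCK(st.st_mode)

def audit_netdev(path):
    """Return sorted (code, section, key) findings for one .netdev file."""
    with open(path, encoding="utf-8") as fh:
        sections = parse_netdev(fh.read())
    findings, has_inline = [], False
    for name, keys in (s for s in sections if s[0] in SECRET_KEYS):
        key, file_key = SECRET_KEYS[name]
        ref = keys.get(file_key)
        if key in keys:
            has_inline = True
            if ref is not None:  # inline value is ignored yet still on disk
                findings.append(("shadowed-inline-secret", name, key))
            elif name.startswith("MACsec") and not HEX_128.fullmatch(keys[key]):
                findings.append(("bad-macsec-key", name, key))
        if ref is None:
            continue
        if not os.path.isabs(ref):
            findings.append(("keyfile-not-absolute", name, file_key))
        elif not os.path.exists(ref):
            findings.append(("keyfile-missing", name, file_key))
        elif too_open(ref):
            findings.append(("keyfile-too-open", name, file_key))
    if has_inline and too_open(path):  # the .netdev itself holds a secret
        findings.append(("netdev-too-open", "", os.path.basename(path)))
    return sorted(findings)

def demo():
    """Write the constructed samples to a temp dir and audit both."""
    with tempfile.TemporaryDirectory() as d:
        psk, wg, ms = (os.path.join(d, n) for n in ("psk", "wg0.netdev", "ms.netdev"))
        for path, text, mode in ((psk, "PLACEHOLDER\n", 0o644),
                                 (wg, WG_SAMPLE.format(psk=psk), 0o644),
                                 (ms, MACSEC_SAMPLE, 0o640)):
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
            os.chmod(path, mode)
        return audit_netdev(wg), audit_netdev(ms)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

       The parser is hand-written because [WireGuardPeer] may appear more
       than once in a file, which Python's configparser rejects by default.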

[BOND] SECTION OPTIONS

       The [Bond] section accepts the following key:

       Mode=
           Specifies one of the bonding policies. The default is "balance-rr"
           (round robin). Possible values are "balance-rr", "active-backup",
           "balance-xor", "broadcast", "802.3ad", "balance-tlb", and
           "balance-alb".

       TransmitHashPolicy=
           Selects the transmit hash policy to use for slave selection in
           balance-xor, 802.3ad, and tlb modes. Possible values are "layer2",
           "layer3+4", "layer2+3", "encap2+3", and "encap3+4".

       LACPTransmitRate=
           Specifies the rate with which link partner transmits Link
           Aggregation Control Protocol Data Unit packets in 802.3ad mode.
           Possible values are "slow", which requests partner to transmit
           LACPDUs every 30 seconds, and "fast", which requests partner to
           transmit LACPDUs every second. The default value is "slow".

       MIIMonitorSec=
           Specifies the frequency that Media Independent Interface link
           monitoring will occur. A value of zero disables MII link
           monitoring. This value is rounded down to the nearest millisecond.
           The default value is 0.

       UpDelaySec=
           Specifies the delay before a link is enabled after a link up status
           has been detected. This value is rounded down to a multiple of
           MIIMonitorSec=. The default value is 0.

       DownDelaySec=
           Specifies the delay before a link is disabled after a link down
           status has been detected. This value is rounded down to a multiple
           of MIIMonitorSec=. The default value is 0.

       LearnPacketIntervalSec=
           Specifies the number of seconds between instances where the bonding
           driver sends learning packets to each slave peer switch. The valid
           range is 1...0x7fffffff; the default value is 1. This option has an
           effect only for the balance-tlb and balance-alb modes.

       AdSelect=
           Specifies the 802.3ad aggregation selection logic to use. Possible
           values are "stable", "bandwidth" and "count".

       AdActorSystemPriority=
           Specifies the 802.3ad actor system priority. Takes a number in the
           range 1...65535.

       AdUserPortKey=
           Specifies the 802.3ad user defined portion of the port key. Takes a
           number in the range 0...1023.

       AdActorSystem=
           Specifies the 802.3ad system MAC address. This cannot be a null or
           multicast address.

       FailOverMACPolicy=
           Specifies whether the active-backup mode should set all slaves to
           the same MAC address at the time of enslavement or, when enabled,
           to perform special handling of the bond's MAC address in accordance
           with the selected policy. The default policy is none. Possible
           values are "none", "active" and "follow".

       ARPValidate=
           Specifies whether or not ARP probes and replies should be validated
           in any mode that supports ARP monitoring, or whether non-ARP
           traffic should be filtered (disregarded) for link monitoring
           purposes. Possible values are "none", "active", "backup" and "all".

       ARPIntervalSec=
           Specifies the ARP link monitoring frequency. A value of 0 disables
           ARP monitoring. The default value is 0, and the default unit is
           seconds.

       ARPIPTargets=
           Specifies the IP addresses to use as ARP monitoring peers when
           ARPIntervalSec= is greater than 0. These are the targets of the ARP
           request sent to determine the health of the link to the targets.
           Specify these values in IPv4 dotted decimal format. At least one IP
           address must be given for ARP monitoring to function. The maximum
           number of targets that can be specified is 16. The default value is
           no IP addresses.

       ARPAllTargets=
           Specifies the quantity of ARPIPTargets= that must be reachable in
           order for the ARP monitor to consider a slave as being up. This
           option affects only active-backup mode for slaves with ARPValidate
           enabled. Possible values are "any" and "all".

       PrimaryReselectPolicy=
           Specifies the reselection policy for the primary slave. This
           affects how the primary slave is chosen to become the active slave
           when failure of the active slave or recovery of the primary slave
           occurs. This option is designed to prevent flip-flopping between
           the primary slave and other slaves. Possible values are "always",
           "better" and "failure".

       ResendIGMP=
           Specifies the number of IGMP membership reports to be issued after
           a failover event. One membership report is issued immediately after
           the failover, subsequent packets are sent in each 200ms interval.
           The valid range is 0...255. Defaults to 1. A value of 0 prevents
           the IGMP membership report from being issued in response to the
           failover event.

       PacketsPerSlave=
           Specify the number of packets to transmit through a slave before
           moving to the next one. When set to 0, then a slave is chosen at
           random. The valid range is 0...65535. Defaults to 1. This option
           only has effect when in balance-rr mode.

       GratuitousARP=
           Specify the number of peer notifications (gratuitous ARPs and
           unsolicited IPv6 Neighbor Advertisements) to be issued after a
           failover event. As soon as the link is up on the new slave, a peer
           notification is sent on the bonding device and each VLAN
           sub-device. This is repeated at each link monitor interval
           (ARPIntervalSec or MIIMonitorSec, whichever is active) if the
           number is greater than 1. The valid range is 0...255. The default
           value is 1. This option affects only the active-backup mode.

       AllSlavesActive=
           Takes a boolean. Specifies that duplicate frames (received on
           inactive ports) should be dropped when false, or delivered when
           true. Normally, bonding will drop duplicate frames (received on
           inactive ports), which is desirable for most users, but sometimes
           it is useful to allow duplicate frames to be delivered. The
           default value is false (drop duplicate frames received on inactive
           ports).

       DynamicTransmitLoadBalancing=
           Takes a boolean. Specifies if dynamic shuffling of flows is
           enabled. Applies only for balance-tlb mode. Defaults to unset.

       MinLinks=
           Specifies the minimum number of links that must be active before
           asserting carrier. The default value is 0.

       For more detailed information see Linux Ethernet Bonding Driver
       HOWTO[1].

[XFRM] SECTION OPTIONS

       The [Xfrm] section accepts the following keys:

       InterfaceId=
           Sets the ID/key of the xfrm interface which needs to be associated
           with a SA/policy. Can be decimal or hexadecimal, valid range is
           1-0xffffffff. This is mandatory.

       Independent=
           Takes a boolean. If false (the default), the xfrm interface must
           have an underlying device which can be used for hardware
           offloading.

       For more detailed information, see Virtual XFRM Interfaces[17].

[VRF] SECTION OPTIONS

       The [VRF] section only applies for netdevs of kind "vrf" and accepts
       the following key:

       Table=
           The numeric routing table identifier. This setting is compulsory.

[BATMANADVANCED] SECTION OPTIONS

       The [BatmanAdvanced] section only applies for netdevs of kind "batadv"
       and accepts the following keys:

       GatewayMode=
           Takes one of "off", "server", or "client". A batman-adv node can
           either run in server mode (sharing its internet connection with the
           mesh), run in client mode (searching for the most suitable internet
           connection in the mesh), or have gateway support turned off
           entirely (which is the default setting).

       Aggregation=
           Takes a boolean value. Enables or disables aggregation of
           originator messages. Defaults to true.

       BridgeLoopAvoidance=
           Takes a boolean value. Enables or disables avoidance of loops on
           bridges. Defaults to true.

       DistributedArpTable=
           Takes a boolean value. Enables or disables the distributed ARP
           table. Defaults to true.

       Fragmentation=
           Takes a boolean value. Enables or disables fragmentation. Defaults
           to true.

       HopPenalty=
           The hop penalty setting allows one to modify the batctl(8)
           preference for multihop routes vs. short routes. This integer value
           is applied to the TQ (Transmit Quality) of each forwarded OGM
           (Originator Message), thereby propagating the cost of an extra hop
           (the packet has to be received and retransmitted, which costs
           airtime). A higher hop penalty makes it less likely that other
           nodes will choose this node as an intermediate hop towards any
           given destination. The default hop penalty of '15' is a reasonable
           value for most setups and probably does not need to be changed.
           However, mobile nodes could choose a value of 255 (maximum value)
           to avoid being chosen as a router by other nodes. The minimum value
           is 0.

       OriginatorIntervalSec=
           Specifies the interval (in seconds, unless another time unit is
           specified) at which batman-adv floods the network with its
           protocol information. See systemd.time(7) for more information.

       GatewayBandwidthDown=
           If the node is a server, this parameter is used to inform other
           nodes in the network about this node's internet connection download
           bandwidth in bits per second. Just enter any number suffixed with
           K, M, G or T (base 1000) and the batman-adv module will propagate
           the entered value in the mesh.

       GatewayBandwidthUp=
           If the node is a server, this parameter is used to inform other
           nodes in the network about this node's internet connection upload
           bandwidth in bits per second. Just enter any number suffixed with
           K, M, G or T (base 1000) and the batman-adv module will propagate
           the entered value in the mesh.

       RoutingAlgorithm=
           This can be either "batman-v" or "batman-iv" and describes which
           routing_algo of batctl(8) to use. The algorithm cannot be changed
           after interface creation. Defaults to "batman-v".

[IPOIB] SECTION OPTIONS

       The [IPoIB] section only applies for netdevs of kind "ipoib" and
       accepts the following keys:

       PartitionKey=
           Takes an integer in the range 1...0xffff, except for 0x8000.
           Defaults to unset, and the kernel's default is used.

       Mode=
           Takes one of the special values "datagram" or "connected". Defaults
           to unset, and the kernel's default is used.

           When "datagram", the InfiniBand unreliable datagram (UD) transport
           is used, and so the interface MTU is equal to the IB L2 MTU minus
           the IPoIB encapsulation header (4 bytes). For example, in a typical
           IB fabric with a 2K MTU, the IPoIB MTU will be 2048 - 4 = 2044
           bytes.

           When "connected", the InfiniBand reliable connected (RC) transport
           is used. Connected mode takes advantage of the connected nature of
           the IB transport and allows an MTU up to the maximal IP packet size
           of 64K, which reduces the number of IP packets needed for handling
           large UDP datagrams, TCP segments, etc., and increases the
           performance for large messages.

       IgnoreUserspaceMulticastGroup=
           Takes a boolean value. When true, the kernel ignores multicast
           groups handled by userspace. Defaults to unset, and the kernel's
           default is used.

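       The numeric limits and mandatory keys documented in the [Bond], [Xfrm],
       [VRF], [BatmanAdvanced] and [IPoIB] sections above can be checked
       before a file is deployed. The following linter is an added example,
       not part of systemd; it assumes values are written in decimal or
       0x-prefixed hexadecimal, and its sample inputs are constructed.

```python
import configparser

# (section, key) -> (min, max, excluded values), as documented in this page.
RANGES = {
    ("Xfrm", "InterfaceId"): (1, 0xFFFFFFFF, ()),
    ("IPoIB", "PartitionKey"): (1, 0xFFFF, (0x8000,)),
    ("Bond", "ResendIGMP"): (0, 255, ()),
    ("Bond", "PacketsPerSlave"): (0, 65535, ()),
    ("Bond", "GratuitousARP"): (0, 255, ()),
    ("BatmanAdvanced", "HopPenalty"): (0, 255, ()),
}
# Kind= value -> (section, key) the page marks as mandatory or compulsory.
MANDATORY = {"xfrm": ("Xfrm", "InterfaceId"), "vrf": ("VRF", "Table")}


def parse_int(text):
    """Decimal or 0x-prefixed hexadecimal (assumed syntax); else ValueError."""
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def lint_netdev(text):
    """Return a list of findings for the contents of one .netdev file."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    findings = []
    kind = cp.get("NetDev", "Kind", fallback="").strip()
    if kind in MANDATORY and not cp.get(*MANDATORY[kind], fallback="").strip():
        findings.append("[{}] {}= is required".format(*MANDATORY[kind]))
    for (section, key), (low, high, forbidden) in RANGES.items():
        raw = cp.get(section, key, fallback="").strip()
        if not raw:
            continue
        try:
            value = parse_int(raw)
        except ValueError:
            value = None
        if value is None or not low <= value <= high or value in forbidden:
            findings.append(f"[{section}] {key}={raw} is not an integer in the documented range")
    return findings


# Constructed sample inputs (not taken from a real host).
XFRM_NO_ID = "[NetDev]\nName=xfrm0\nKind=xfrm\n\n[Xfrm]\nIndependent=yes\n"
IPOIB_BAD = "[NetDev]\nName=ib0.1\nKind=ipoib\n\n[IPoIB]\nPartitionKey=0x8000\n"

if __name__ == "__main__":
    print(lint_netdev(XFRM_NO_ID), lint_netdev(IPOIB_BAD))
```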

EXAMPLES

       Example 1. /etc/systemd/network/25-bridge.netdev

           [NetDev]
           Name=bridge0
           Kind=bridge

       Example 2. /etc/systemd/network/25-vlan1.netdev

           [Match]
           Virtualization=no

           [NetDev]
           Name=vlan1
           Kind=vlan

           [VLAN]
           Id=1

       Example 3. /etc/systemd/network/25-ipip.netdev

           [NetDev]
           Name=ipip-tun
           Kind=ipip
           MTUBytes=1480

           [Tunnel]
           Local=192.168.223.238
           Remote=192.169.224.239
           TTL=64

       Example 4. /etc/systemd/network/1-fou-tunnel.netdev

           [NetDev]
           Name=fou-tun
           Kind=fou

           [FooOverUDP]
           Port=5555
           Protocol=4

       Example 5. /etc/systemd/network/25-fou-ipip.netdev

           [NetDev]
           Name=ipip-tun
           Kind=ipip

           [Tunnel]
           Independent=yes
           Local=10.65.208.212
           Remote=10.65.208.211
           FooOverUDP=yes
           FOUDestinationPort=5555

       Example 6. /etc/systemd/network/25-tap.netdev

           [NetDev]
           Name=tap-test
           Kind=tap

           [Tap]
           MultiQueue=yes
           PacketInfo=yes

       Example 7. /etc/systemd/network/25-sit.netdev

           [NetDev]
           Name=sit-tun
           Kind=sit
           MTUBytes=1480

           [Tunnel]
           Local=10.65.223.238
           Remote=10.65.223.239

       Example 8. /etc/systemd/network/25-6rd.netdev

           [NetDev]
           Name=6rd-tun
           Kind=sit
           MTUBytes=1480

           [Tunnel]
           Local=10.65.223.238
           IPv6RapidDeploymentPrefix=2602::/24

       Example 9. /etc/systemd/network/25-gre.netdev

           [NetDev]
           Name=gre-tun
           Kind=gre
           MTUBytes=1480

           [Tunnel]
           Local=10.65.223.238
           Remote=10.65.223.239

       Example 10. /etc/systemd/network/25-ip6gre.netdev

           [NetDev]
           Name=ip6gre-tun
           Kind=ip6gre

           [Tunnel]
           Key=123

       Example 11. /etc/systemd/network/25-vti.netdev

           [NetDev]
           Name=vti-tun
           Kind=vti
           MTUBytes=1480

           [Tunnel]
           Local=10.65.223.238
           Remote=10.65.223.239

       Example 12. /etc/systemd/network/25-veth.netdev

           [NetDev]
           Name=veth-test
           Kind=veth

           [Peer]
           Name=veth-peer

       Example 13. /etc/systemd/network/25-bond.netdev

           [NetDev]
           Name=bond1
           Kind=bond

           [Bond]
           Mode=802.3ad
           TransmitHashPolicy=layer3+4
           MIIMonitorSec=1s
           LACPTransmitRate=fast

       Example 14. /etc/systemd/network/25-dummy.netdev

           [NetDev]
           Name=dummy-test
           Kind=dummy
           MACAddress=12:34:56:78:9a:bc

       Example 15. /etc/systemd/network/25-vrf.netdev

       Create a VRF interface with table 42.

           [NetDev]
           Name=vrf-test
           Kind=vrf

           [VRF]
           Table=42

       Example 16. /etc/systemd/network/25-macvtap.netdev

       Create a MacVTap device.

           [NetDev]
           Name=macvtap-test
           Kind=macvtap

       Example 17. /etc/systemd/network/25-wireguard.netdev

           [NetDev]
           Name=wg0
           Kind=wireguard

           [WireGuard]
           PrivateKey=EEGlnEPYJV//kbvvIqxKkQwOiS+UENyPncC4bF46ong=
           ListenPort=51820

           [WireGuardPeer]
           PublicKey=RDf+LSpeEre7YEIKaxg+wbpsNV7du+ktR99uBEtIiCA=
           AllowedIPs=fd31:bf08:57cb::/48,192.168.26.0/24
           Endpoint=wireguard.example.com:51820

       Example 18. /etc/systemd/network/27-xfrm.netdev

           [NetDev]
           Name=xfrm0
           Kind=xfrm

           [Xfrm]
           # InterfaceId= is mandatory; 7 is an arbitrary sample value
           InterfaceId=7
           Independent=yes

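       Example 17 stores the WireGuard private key inline, so anyone who can
       read the file can read the key. The following audit is an added
       example, not part of systemd: it lists top-level .netdev files in one
       directory that carry a literal PrivateKey= or PresharedKey= and notes
       when the file mode grants access to other users. The PrivateKeyFile=
       path in the sample is hypothetical and the sample files are
       constructed.

```python
import os
import stat
import tempfile

SECRET_KEYS = ("PrivateKey", "PresharedKey")  # settings that hold a literal secret


def inline_secrets(text):
    """Names of secret keys assigned a literal value in .netdev contents."""
    found = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() in SECRET_KEYS and value.strip():
            found.append(key.strip())
    return found


def audit_dir(directory):
    """Map file name -> findings for .netdev files holding inline secrets."""
    report = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not name.endswith(".netdev") or not os.path.isfile(path):
            continue  # also skips files masked by a symlink to /dev/null
        with open(path, encoding="utf-8") as handle:
            keys = inline_secrets(handle.read())
        if keys:
            report[name] = [f"inline {key}=" for key in keys]
            if stat.S_IMODE(os.stat(path).st_mode) & 0o007:
                report[name].append("accessible to other users")
    return report


def demo():
    """Audit a constructed directory: one exposed file, one using a key file."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "25-wg0.netdev": ("PrivateKey=CONSTRUCTED-NOT-A-REAL-KEY=", 0o644),
            "26-wg1.netdev": ("PrivateKeyFile=/etc/wg/wg1.key", 0o640),  # hypothetical path
        }
        for name, (setting, mode) in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "w", encoding="utf-8") as handle:
                handle.write(f"[NetDev]\nKind=wireguard\n\n[WireGuard]\n{setting}\n")
            os.chmod(path, mode)
        return audit_dir(tmp)


if __name__ == "__main__":
    print(demo())
```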

SEE ALSO

       systemd(1), systemd-networkd(8), systemd.link(5), systemd.network(5)

NOTES

        1. Linux Ethernet Bonding Driver HOWTO
           https://www.kernel.org/doc/Documentation/networking/bonding.txt

        2. RFC 2784
           https://tools.ietf.org/html/rfc2784

        3. IEEE 802.1Q
           http://www.ieee802.org/1/pages/802.1Q.html

        4. VRF
           https://www.kernel.org/doc/Documentation/networking/vrf.txt

        5. B.A.T.M.A.N. Advanced
           https://www.open-mesh.org/projects/open-mesh/wiki

        6. Distributed Overlay Virtual Ethernet (DOVE)
           https://en.wikipedia.org/wiki/Distributed_Overlay_Virtual_Ethernet

        7. VXLAN Group Policy
           https://tools.ietf.org/html/draft-smith-vxlan-group-policy

        8. Generic Protocol Extension for VXLAN
           https://tools.ietf.org/html/draft-ietf-nvo3-vxlan-gpe-07

        9. Type of Service in the Internet Protocol Suite
           http://tools.ietf.org/html/rfc1349

       10. RFC 6437
           https://tools.ietf.org/html/rfc6437

       11. RFC 2460
           https://tools.ietf.org/html/rfc2460

       12. RFC 2473
           https://tools.ietf.org/html/rfc2473#section-4.1.1

       13. ip-xfrm — transform configuration
           http://man7.org/linux/man-pages/man8/ip-xfrm.8.html

       14. Foo over UDP
           https://lwn.net/Articles/614348

       15. IPv6 Rapid Deployment
           https://tools.ietf.org/html/rfc5569

       16. Generic UDP Encapsulation
           https://lwn.net/Articles/615044

       17. Virtual XFRM Interfaces
           https://lwn.net/Articles/757391

systemd 250                                                  SYSTEMD.NETDEV(5)