SYSTEMD.NETWORK(5)              systemd.network             SYSTEMD.NETWORK(5)

NAME

       systemd.network - Network configuration

SYNOPSIS

       network.network

DESCRIPTION

       A plain ini-style text file that encodes network configuration for
       matching network interfaces, used by systemd-networkd(8). See
       systemd.syntax(7) for a general description of the syntax.

       The main network file must have the extension .network; other
       extensions are ignored. Networks are applied to links whenever the
       links appear.

       The .network files are read from the files located in the system
       network directories /usr/lib/systemd/network and
       /usr/local/lib/systemd/network, the volatile runtime network directory
       /run/systemd/network and the local administration network directory
       /etc/systemd/network. All configuration files are collectively sorted
       and processed in lexical order, regardless of the directories in which
       they live. However, files with identical filenames replace each other.
       Files in /etc/ have the highest priority, files in /run/ take
       precedence over files with the same name under /usr/. This can be used
       to override a system-supplied configuration file with a local file if
       needed. As a special case, an empty file (file size 0) or symlink with
       the same name pointing to /dev/null disables the configuration file
       entirely (it is "masked").

       Along with the network file foo.network, a "drop-in" directory
       foo.network.d/ may exist. All files with the suffix ".conf" from this
       directory will be merged in the alphanumeric order and parsed after the
       main file itself has been parsed. This is useful to alter or add
       configuration settings, without having to modify the main configuration
       file. Each drop-in file must have appropriate section headers.

       In addition to /etc/systemd/network, drop-in ".d" directories can be
       placed in /usr/lib/systemd/network or /run/systemd/network directories.
       Drop-in files in /etc/ take precedence over those in /run/ which in
       turn take precedence over those in /usr/lib/. Drop-in files under any
       of these directories take precedence over the main network file
       wherever located.

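       The lookup rules above (directory priority, same-name replacement,
       masking and drop-in merging), worked through as an added example that
       is not part of systemd or of this manual page. It shows which copy of
       each file is actually read, which copies it shadows, and which drop-ins
       are merged. The relative order of /usr/local/lib and /usr/lib, the
       function names and the tree built by build_sample() are assumptions of
       the example:

```python
import os
import tempfile
from pathlib import Path

# Directories named on this page, highest priority first. The page does not
# rank /usr/local/lib against /usr/lib; this order is an assumption.
SEARCH_DIRS = [
    "etc/systemd/network",
    "run/systemd/network",
    "usr/local/lib/systemd/network",
    "usr/lib/systemd/network",
]


def is_masked(path):
    """True for an empty file or a symlink to /dev/null (the file is masked)."""
    if path.is_symlink():
        return os.path.realpath(path) == "/dev/null"
    return path.stat().st_size == 0


def candidates(root, subdir, suffix):
    """Map each file name to its copies, highest-priority directory first."""
    found = {}
    for d in SEARCH_DIRS:
        base = Path(root, d, subdir)
        if not base.is_dir():
            continue
        for p in base.iterdir():
            if p.name.endswith(suffix) and not p.is_dir():
                found.setdefault(p.name, []).append(p)
    return found


def resolve(root="/"):
    """Effective .network files in the lexical order they are processed."""
    result = []
    for name, copies in sorted(candidates(root, "", ".network").items()):
        dropins = candidates(root, name + ".d", ".conf")
        result.append({
            "name": name,
            "path": copies[0],            # the copy that is actually read
            "shadowed": copies[1:],       # same-name copies it replaces
            "masked": is_masked(copies[0]),
            # drop-ins: same-name replacement per file, then merged by name
            "dropins": [c[0] for _, c in sorted(dropins.items())],
        })
    return result


def build_sample(root):
    """Constructed sample tree for the demonstration (not from a real host)."""
    net = "systemd/network/"
    files = {
        "usr/lib/" + net + "80-wired.network": "[Match]\nName=en*\n[Network]\nDHCP=yes\n",
        "etc/" + net + "80-wired.network": "[Match]\nName=en*\n[Network]\nDHCP=ipv4\n",
        "usr/lib/" + net + "90-fallback.network": "[Match]\nName=*\n[Network]\nDHCP=yes\n",
        "run/" + net + "90-fallback.network": "",      # size 0: masks the file
        "etc/" + net + "10-uplink.network": "[Match]\nName=wan0\n[Network]\nDHCP=no\n",
        "usr/lib/" + net + "80-wired.network.d/10-vendor.conf": "[Network]\nLLDP=yes\n",
        "run/" + net + "80-wired.network.d/10-vendor.conf": "[Network]\nLLDP=no\n",
        "etc/" + net + "80-wired.network.d/50-local.conf": "[Network]\nEmitLLDP=no\n",
    }
    for rel, text in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)


def demo():
    """Resolve the constructed tree; paths are returned relative to its root."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)

        def rel(p):
            return str(Path(p).relative_to(root))

        return [(e["name"], rel(e["path"]), e["masked"],
                 [rel(d) for d in e["dropins"]], len(e["shadowed"]))
                for e in resolve(root)]


if __name__ == "__main__":
    for name, path, masked, dropins, shadowed in demo():
        state = "MASKED" if masked else "active"
        print(f"{name}: {state}, read from {path}, shadows {shadowed} file(s)")
        for d in dropins:
            print(f"    drop-in: {d}")
```
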

[MATCH] SECTION OPTIONS

       The network file contains a [Match] section, which determines if a
       given network file may be applied to a given device; and a [Network]
       section specifying how the device should be configured. The first (in
       lexical order) of the network files that matches a given device is
       applied, all later files are ignored, even if they match as well.

       A network file is said to match a network interface if all matches
       specified by the [Match] section are satisfied. When a network file
       does not contain valid settings in the [Match] section, then the file
       will match all interfaces and systemd-networkd warns about that. Hint:
       to avoid the warning and to make it clear that all interfaces shall be
       matched, add the following:

           Name=*

       The following keys are accepted:

       MACAddress=
           A whitespace-separated list of hardware addresses. The acceptable
           formats are:

           colon-delimited hexadecimal
               Each field must be one byte. E.g. "12:34:56:78:90:ab" or
               "AA:BB:CC:DD:EE:FF".

           hyphen-delimited hexadecimal
               Each field must be one byte. E.g. "12-34-56-78-90-ab" or
               "AA-BB-CC-DD-EE-FF".

           dot-delimited hexadecimal
               Each field must be two bytes. E.g. "1234.5678.90ab" or
               "AABB.CCDD.EEFF".

           IPv4 address format
               E.g. "127.0.0.1" or "192.168.0.1".

           IPv6 address format
               E.g. "2001:0db8:85a3::8a2e:0370:7334" or "::1".

           The total length of each MAC address must be 4 (for IPv4 tunnel), 6
           (for Ethernet), 16 (for IPv6 tunnel), or 20 (for InfiniBand). This
           option may appear more than once, in which case the lists are
           merged. If the empty string is assigned to this option, the list of
           hardware addresses defined prior to this is reset. Defaults to
           unset.

       PermanentMACAddress=
           A whitespace-separated list of permanent hardware addresses.
           While MACAddress= matches the device's current MAC address, this
           matches the device's permanent MAC address, which may be different
           from the current one. Use full colon-, hyphen- or dot-delimited
           hexadecimal, or IPv4 or IPv6 address format. This option may appear
           more than once, in which case the lists are merged. If the empty
           string is assigned to this option, the list of hardware addresses
           defined prior to this is reset. Defaults to unset.

       Path=
           A whitespace-separated list of shell-style globs matching the
           persistent path, as exposed by the udev property ID_PATH.

       Driver=
           A whitespace-separated list of shell-style globs matching the
           driver currently bound to the device, as exposed by the udev
           property ID_NET_DRIVER of its parent device, or if that is not set,
           the driver as exposed by ethtool -i of the device itself. If the
           list is prefixed with a "!", the test is inverted.

       Type=
           A whitespace-separated list of shell-style globs matching the
           device type, as exposed by networkctl list. If the list is prefixed
           with a "!", the test is inverted. Some valid values are "ether",
           "loopback", "wlan", "wwan". Valid types are named either from the
           udev "DEVTYPE" attribute, or "ARPHRD_" macros in linux/if_arp.h, so
           this is not comprehensive.

       Property=
           A whitespace-separated list of udev property names with their
           values after an equals sign ("="). If multiple properties are
           specified, the test results are ANDed. If the list is prefixed with
           a "!", the test is inverted. If a value contains whitespace, quote
           the whole key and value pair. If a value contains a quotation
           mark, escape it with "\".

           Example: if a .link file has the following:

               Property=ID_MODEL_ID=9999 "ID_VENDOR_FROM_DATABASE=vendor name" "KEY=with \"quotation\""

           then, the .link file matches only when an interface has all the
           above three properties.

       Name=
           A whitespace-separated list of shell-style globs matching the
           device name, as exposed by the udev property "INTERFACE", or
           device's alternative names. If the list is prefixed with a "!", the
           test is inverted.

       WLANInterfaceType=
           A whitespace-separated list of wireless network types. Supported
           values are "ad-hoc", "station", "ap", "ap-vlan", "wds", "monitor",
           "mesh-point", "p2p-client", "p2p-go", "p2p-device", "ocb", and
           "nan". If the list is prefixed with a "!", the test is inverted.

       SSID=
           A whitespace-separated list of shell-style globs matching the SSID
           of the currently connected wireless LAN. If the list is prefixed
           with a "!", the test is inverted.

       BSSID=
           A whitespace-separated list of hardware addresses of the currently
           connected wireless LAN. Use full colon-, hyphen- or dot-delimited
           hexadecimal. See the example in MACAddress=. This option may appear
           more than once, in which case the lists are merged. If the empty
           string is assigned to this option, the list is reset.

       Host=
           Matches against the hostname or machine ID of the host. See
           ConditionHost= in systemd.unit(5) for details. When prefixed with
           an exclamation mark ("!"), the result is negated. If an empty
           string is assigned, then the previously assigned value is cleared.

       Virtualization=
           Checks whether the system is executed in a virtualized environment
           and optionally tests whether it is a specific implementation. See
           ConditionVirtualization= in systemd.unit(5) for details. When
           prefixed with an exclamation mark ("!"), the result is negated. If
           an empty string is assigned, then the previously assigned value is
           cleared.

       KernelCommandLine=
           Checks whether a specific kernel command line option is set. See
           ConditionKernelCommandLine= in systemd.unit(5) for details. When
           prefixed with an exclamation mark ("!"), the result is negated. If
           an empty string is assigned, then the previously assigned value is
           cleared.

       KernelVersion=
           Checks whether the kernel version (as reported by uname -r) matches
           a certain expression. See ConditionKernelVersion= in
           systemd.unit(5) for details. When prefixed with an exclamation mark
           ("!"), the result is negated. If an empty string is assigned, then
           the previously assigned value is cleared.

       Architecture=
           Checks whether the system is running on a specific architecture.
           See ConditionArchitecture= in systemd.unit(5) for details. When
           prefixed with an exclamation mark ("!"), the result is negated. If
           an empty string is assigned, then the previously assigned value is
           cleared.

       Firmware=
           Checks whether the system is running on a machine with the
           specified firmware. See ConditionFirmware= in systemd.unit(5) for
           details. When prefixed with an exclamation mark ("!"), the result
           is negated. If an empty string is assigned, then the previously
           assigned value is cleared.

[LINK] SECTION OPTIONS

       The [Link] section accepts the following keys:

       MACAddress=
           The hardware address to set for the device.

       MTUBytes=
           The maximum transmission unit in bytes to set for the device. The
           usual suffixes K, M, G, are supported and are understood to the
           base of 1024.

           Note that if IPv6 is enabled on the interface, and the MTU is
           chosen below 1280 (the minimum MTU for IPv6) it will automatically
           be increased to this value.

       ARP=
           Takes a boolean. If set to true, the ARP (low-level Address
           Resolution Protocol) for this interface is enabled. When unset, the
           kernel's default will be used.

           For example, disabling ARP is useful when creating multiple MACVLAN
           or VLAN virtual interfaces atop a single lower-level physical
           interface, which will then only serve as a link/"bridge" device
           aggregating traffic to the same physical link and not participate
           in the network otherwise. Defaults to unset.

       Multicast=
           Takes a boolean. If set to true, the multicast flag on the device
           is enabled. Defaults to unset.

       AllMulticast=
           Takes a boolean. If set to true, the driver retrieves all multicast
           packets from the network. This happens when multicast routing is
           enabled. Defaults to unset.

       Promiscuous=
           Takes a boolean. If set to true, promiscuous mode of the interface
           is enabled. Defaults to unset.

           If this is set to false for the underlying link of a "passthru"
           mode MACVLAN/MACVTAP, the virtual interface will be created with
           the "nopromisc" flag set.

       Unmanaged=
           Takes a boolean. When "yes", no attempts are made to bring up or
           configure matching links, equivalent to when there are no matching
           network files. Defaults to "no".

           This is useful for preventing later matching network files from
           interfering with certain interfaces that are fully controlled by
           other applications.

       Group=
           Link groups are similar to port ranges found in managed switches.
           When network interfaces are added to a numbered group, operations
           on all the interfaces from that group can be performed at once.
           Takes an unsigned integer in the range 0...2147483647. Defaults to
           unset.

       RequiredForOnline=
           Takes a boolean or a minimum operational state and an optional
           maximum operational state. Please see networkctl(1) for possible
           operational states. When "yes", the network is deemed required when
           determining whether the system is online (including when running
           systemd-networkd-wait-online). When "no", the network is ignored
           when determining the online state. When a minimum operational state
           and an optional maximum operational state are set, "yes" is
           implied, and this controls the minimum and maximum operational
           state required for the network interface to be considered online.

           Defaults to "yes" when ActivationPolicy= is not set, or set to
           "up", "always-up", or "bound". Defaults to "no" when
           ActivationPolicy= is set to "manual" or "down". This is forced to
           "no" when ActivationPolicy= is set to "always-down".

           The network will be brought up normally (as configured by
           ActivationPolicy=), but in the event that there is no address being
           assigned by DHCP or the cable is not plugged in, the link will
           simply remain offline and be skipped automatically by
           systemd-networkd-wait-online if "RequiredForOnline=no".

       RequiredFamilyForOnline=
           Takes an address family. When specified, an IP address in the given
           family is deemed required when determining whether the link is
           online (including when running systemd-networkd-wait-online). Takes
           one of "ipv4", "ipv6", "both", or "any". Defaults to "any". Note
           that this option has no effect if "RequiredForOnline=no", or if
           "RequiredForOnline=" specifies a minimum operational state below
           "degraded".

       ActivationPolicy=
           Specifies the policy for systemd-networkd managing the link
           administrative state. Specifically, this controls how
           systemd-networkd changes the network device's "IFF_UP" flag, which
           is sometimes controlled by system administrators by running e.g.,
           ip link set dev eth0 up or ip link set dev eth0 down, and can also
           be changed with networkctl up eth0 or networkctl down eth0.

           Takes one of "up", "always-up", "manual", "always-down", "down", or
           "bound". When "manual", systemd-networkd will not change the link's
           admin state automatically; the system administrator must bring the
           interface up or down manually, as desired. When "up" (the default)
           or "always-up", or "down" or "always-down", systemd-networkd will
           set the link up or down, respectively, when the interface is
           (re)configured. When "always-up" or "always-down", systemd-networkd
           will set the link up or down, respectively, any time
           systemd-networkd detects a change in the administrative state. When
           BindCarrier= is also set, this is automatically set to "bound" and
           any other value is ignored.

           When the policy is set to "down" or "manual", the default value of
           RequiredForOnline= is "no". When the policy is set to
           "always-down", the value of RequiredForOnline= is forced to "no".

           The administrative state is not the same as the carrier state, so
           using "always-up" does not mean the link will never lose carrier.
           The link carrier depends on both the administrative state as well
           as the network device's physical connection. However, to avoid
           reconfiguration failures, when using "always-up",
           IgnoreCarrierLoss= is forced to true.

[SR-IOV] SECTION OPTIONS

       The [SR-IOV] section accepts the following keys. Specify several
       [SR-IOV] sections to configure several SR-IOVs. SR-IOV provides the
       ability to partition a single physical PCI resource into virtual PCI
       functions which can then be injected into a VM. In the case of network
       VFs, SR-IOV improves north-south network performance (that is, traffic
       with endpoints outside the host machine) by allowing traffic to bypass
       the host machine’s network stack.

       VirtualFunction=
           Specifies a Virtual Function (VF), a lightweight PCIe function
           designed solely to move data in and out. Takes an integer in the
           range 0...2147483646. This option is compulsory.

       VLANId=
           Specifies VLAN ID of the virtual function. Takes an integer in the
           range 1...4095.

       QualityOfService=
           Specifies quality of service of the virtual function. Takes an
           integer in the range 1...4294967294.

       VLANProtocol=
           Specifies VLAN protocol of the virtual function. Takes "802.1Q" or
           "802.1ad".

       MACSpoofCheck=
           Takes a boolean. Controls the MAC spoof checking. When unset, the
           kernel's default will be used.

       QueryReceiveSideScaling=
           Takes a boolean. Toggle the ability of querying the receive side
           scaling (RSS) configuration of the virtual function (VF). The VF
           RSS information like RSS hash key may be considered sensitive on
           some devices where this information is shared between VF and the
           physical function (PF). When unset, the kernel's default will be
           used.

       Trust=
           Takes a boolean. Allows one to set trust mode of the virtual
           function (VF). When set, VF users can set a specific feature which
           may impact security and/or performance. When unset, the kernel's
           default will be used.

       LinkState=
           Allows one to set the link state of the virtual function (VF).
           Takes a boolean or a special value "auto". Setting to "auto" means
           a reflection of the physical function (PF) link state, "yes" lets
           the VF communicate with other VFs on this host even if the PF
           link state is down, "no" causes the hardware to drop any packets
           sent by the VF. When unset, the kernel's default will be used.

       MACAddress=
           Specifies the MAC address for the virtual function.

[NETWORK] SECTION OPTIONS

       The [Network] section accepts the following keys:

       Description=
           A description of the device. This is only used for presentation
           purposes.

       DHCP=
           Enables DHCPv4 and/or DHCPv6 client support. Accepts "yes", "no",
           "ipv4", or "ipv6". Defaults to "no".

           Note that DHCPv6 will by default be triggered by Router
           Advertisement, if that is enabled, regardless of this parameter. By
           enabling DHCPv6 support explicitly, the DHCPv6 client will be
           started regardless of the presence of routers on the link, or what
           flags the routers pass. See "IPv6AcceptRA=".

           Furthermore, note that by default the domain name specified through
           DHCP is not used for name resolution. See option UseDomains= below.

           See the [DHCPv4] or [DHCPv6] sections below for further
           configuration options for the DHCP client support.

       DHCPServer=
           Takes a boolean. If set to "yes", DHCPv4 server will be started.
           Defaults to "no". Further settings for the DHCP server may be set
           in the [DHCPServer] section described below.

       LinkLocalAddressing=
           Enables link-local address autoconfiguration. Accepts yes, no,
           ipv4, and ipv6. An IPv6 link-local address is configured when yes
           or ipv6. An IPv4 link-local address is configured when yes or ipv4
           and when DHCPv4 autoconfiguration has been unsuccessful for some
           time. (IPv4 link-local address autoconfiguration will usually
           happen in parallel with repeated attempts to acquire a DHCPv4
           lease).

           Defaults to no when KeepMaster= or Bridge= is set or when the
           specified MACVLAN=/MACVTAP= has Mode=passthru, or ipv6 otherwise.

       IPv6LinkLocalAddressGenerationMode=
           Specifies how IPv6 link local address is generated. Takes one of
           "eui64", "none", "stable-privacy" and "random". When unset,
           "stable-privacy" is used if IPv6StableSecretAddress= is specified,
           and if not, "eui64" is used. Note that if LinkLocalAddressing= is
           "no" or "ipv4", then IPv6LinkLocalAddressGenerationMode= will be
           ignored. Also, even if LinkLocalAddressing= is "yes" or "ipv6",
           setting IPv6LinkLocalAddressGenerationMode=none disables
           configuration of an IPv6 link-local address.

       IPv6StableSecretAddress=
           Takes an IPv6 address. The specified address will be used as a
           stable secret for generating IPv6 link-local address. If this
           setting is specified, and IPv6LinkLocalAddressGenerationMode= is
           unset, then IPv6LinkLocalAddressGenerationMode=stable-privacy is
           implied. If this setting is not specified, and
           IPv6LinkLocalAddressGenerationMode= is set to "stable-privacy",
           then a stable secret address will be generated from the local
           machine ID and the interface name.

       IPv4LLRoute=
           Takes a boolean. If set to true, sets up the route needed for
           non-IPv4LL hosts to communicate with IPv4LL-only hosts. Defaults to
           false.

       DefaultRouteOnDevice=
           Takes a boolean. If set to true, sets up the default route bound to
           the interface. Defaults to false. This is useful when creating
           routes on point-to-point interfaces. This is equivalent to e.g. the
           following,

               ip route add default dev veth99

           or,

               [Route]
               Gateway=0.0.0.0

           Currently, there is no way to specify e.g., the table for the
           route configured by this setting. To configure the default route
           with such an additional property, please use the following instead:

               [Route]
               Gateway=0.0.0.0
               Table=1234

       LLMNR=
           Takes a boolean or "resolve". When true, enables Link-Local
           Multicast Name Resolution[1] on the link. When set to "resolve",
           only resolution is enabled, but not host registration and
           announcement. Defaults to true. This setting is read by
           systemd-resolved.service(8).

       MulticastDNS=
           Takes a boolean or "resolve". When true, enables Multicast DNS[2]
           support on the link. When set to "resolve", only resolution is
           enabled, but not host or service registration and announcement.
           Defaults to false. This setting is read by
           systemd-resolved.service(8).

       DNSOverTLS=
           Takes a boolean or "opportunistic". When true, enables
           DNS-over-TLS[3] support on the link. When set to "opportunistic",
           compatibility with non-DNS-over-TLS servers is increased, by
           automatically turning off DNS-over-TLS servers in this case. This
           option defines a per-interface setting for resolved.conf(5)'s
           global DNSOverTLS= option. Defaults to unset, and the global
           setting will be used. This setting is read by
           systemd-resolved.service(8).

       DNSSEC=
           Takes a boolean or "allow-downgrade". When true, enables DNSSEC[4]
           DNS validation support on the link. When set to "allow-downgrade",
           compatibility with non-DNSSEC capable networks is increased, by
           automatically turning off DNSSEC in this case. This option defines
           a per-interface setting for resolved.conf(5)'s global DNSSEC=
           option. Defaults to unset, and the global setting will be used.
           This setting is read by systemd-resolved.service(8).

       DNSSECNegativeTrustAnchors=
           A space-separated list of DNSSEC negative trust anchor domains. If
           specified and DNSSEC is enabled, look-ups done via the interface's
           DNS server will be subject to the list of negative trust anchors,
           and not require authentication for the specified domains, or
           anything below it. Use this to disable DNSSEC authentication for
           specific private domains, that cannot be proven valid using the
           Internet DNS hierarchy. Defaults to the empty list. This setting is
           read by systemd-resolved.service(8).

       LLDP=
           Controls support for Ethernet LLDP packet reception. LLDP is a
           link-layer protocol commonly implemented on professional routers
           and bridges which announces which physical port a system is
           connected to, as well as other related data. Accepts a boolean or
           the special value "routers-only". When true, incoming LLDP packets
           are accepted and a database of all LLDP neighbors maintained. If
           "routers-only" is set only LLDP data of various types of routers is
           collected and LLDP data about other types of devices ignored (such
           as stations, telephones and others). If false, LLDP reception is
           disabled. Defaults to "routers-only". Use networkctl(1) to query
           the collected neighbor data. LLDP is only available on Ethernet
           links. See EmitLLDP= below for enabling LLDP packet emission from
           the local system.

       EmitLLDP=
           Controls support for Ethernet LLDP packet emission. Accepts a
           boolean parameter or the special values "nearest-bridge",
           "non-tpmr-bridge" and "customer-bridge". Defaults to false, which
           turns off LLDP packet emission. If not false, a short LLDP packet
           with information about the local system is sent out in regular
           intervals on the link. The LLDP packet will contain information
           about the local hostname, the local machine ID (as stored in
           machine-id(5)) and the local interface name, as well as the pretty
           hostname of the system (as set in machine-info(5)). LLDP emission
           is only available on Ethernet links. Note that this setting passes
           data suitable for identification of host to the network and should
           thus not be enabled on untrusted networks, where such
           identification data should not be made available. Use this option
           to permit other systems to identify on which interfaces they are
           connected to this system. The three special values control
           propagation of the LLDP packets. The "nearest-bridge" setting
           permits propagation only to the nearest connected bridge,
           "non-tpmr-bridge" permits propagation across Two-Port MAC Relays,
           but not any other bridges, and "customer-bridge" permits
           propagation until a customer bridge is reached. For details about
           these concepts, see IEEE 802.1AB-2016[5]. Note that configuring
           this setting to true is equivalent to "nearest-bridge", the
           recommended and most restricted level of propagation. See LLDP=
           above for an option to enable LLDP reception.

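       A review check over the settings this page itself marks as sensitive:
       EmitLLDP=, the downgrade modes of DNSOverTLS= and DNSSEC=,
       DNSSECNegativeTrustAnchors=, and the [SR-IOV] keys Trust=,
       MACSpoofCheck= and QueryReceiveSideScaling=. This is an added example,
       not part of systemd or of this manual page; the function names, the
       boolean spellings in TRUE/FALSE and both sample files are assumptions
       of the example:

```python
# Boolean spellings treated as true/false by this example (assumption).
TRUE = {"1", "yes", "y", "true", "t", "on"}
FALSE = {"0", "no", "n", "false", "f", "off"}

# Constructed sample configurations (not taken from a real host).
SAMPLE = """\
[Match]
Name=enp3s0f0

[Network]
DHCP=yes
EmitLLDP=customer-bridge
DNSSEC=allow-downgrade
DNSOverTLS=yes
DNSSECNegativeTrustAnchors=corp.example

[SR-IOV]
VirtualFunction=0
Trust=yes
MACSpoofCheck=no

[SR-IOV]
VirtualFunction=1
VLANId=100
MACSpoofCheck=yes
QueryReceiveSideScaling=no
"""

HARDENED = """\
[Match]
Name=enp3s0f0

[Network]
DHCP=yes
EmitLLDP=no
DNSSEC=yes
DNSOverTLS=yes

[SR-IOV]
VirtualFunction=0
Trust=no
MACSpoofCheck=yes
QueryReceiveSideScaling=no
"""


def parse_sections(text):
    """Return [(section, {key: last value})], keeping repeated sections apart."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = value.strip()
    return sections


def audit(text):
    """Return (where, key, value, reason) for each setting worth reviewing."""
    network, vfs, findings = {}, [], []
    for name, kv in parse_sections(text):
        if name == "Network":
            network.update(kv)      # repeated [Network] sections merge
        elif name == "SR-IOV":
            vfs.append(kv)          # each [SR-IOV] section describes one VF

    def net(key, reason):
        findings.append(("Network", key, network[key], reason))

    lldp = network.get("EmitLLDP", "").lower()
    if lldp and lldp not in FALSE:
        scope = "nearest-bridge" if lldp in TRUE else lldp
        net("EmitLLDP", "hostname, machine ID and interface name are sent "
            "on the link (propagation: " + scope + ")")
    if network.get("DNSOverTLS", "").lower() == "opportunistic":
        net("DNSOverTLS", "DNS-over-TLS is turned off automatically for "
            "servers that do not support it")
    if network.get("DNSSEC", "").lower() == "allow-downgrade":
        net("DNSSEC", "DNSSEC is turned off automatically on networks that "
            "do not support it")
    if network.get("DNSSECNegativeTrustAnchors"):
        net("DNSSECNegativeTrustAnchors", "authentication is not required "
            "for these domains or anything below them")

    for kv in vfs:
        where = "SR-IOV VF " + kv.get("VirtualFunction", "?")
        checks = [("Trust", TRUE, "VF users can set features that may "
                   "impact security and/or performance"),
                  ("MACSpoofCheck", FALSE, "MAC spoof checking is disabled"),
                  ("QueryReceiveSideScaling", TRUE, "VF can query RSS "
                   "configuration that may be shared with the PF")]
        for key, bad, reason in checks:
            if kv.get(key, "").lower() in bad:
                findings.append((where, key, kv[key], reason))
    return findings


if __name__ == "__main__":
    for where, key, value, reason in audit(SAMPLE):
        print(f"[{where}] {key}={value}: {reason}")
```

       Settings from drop-in files override the main file, so run the check on
       the merged configuration rather than on the main file alone.
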
551       BindCarrier=
552           A link name or a list of link names. When set, controls the
553           behavior of the current link. When all links in the list are in an
554           operational down state, the current link is brought down. When at
555           least one link has carrier, the current interface is brought up.
556
557           This forces ActivationPolicy= to be set to "bound".
558
559       Address=
560           A static IPv4 or IPv6 address and its prefix length, separated by a
561           "/" character. Specify this key more than once to configure several
562           addresses. The format of the address must be as described in
563           inet_pton(3). This is a short-hand for an [Address] section only
564           containing an Address key (see below). This option may be specified
565           more than once.
566
567           If the specified address is "0.0.0.0" (for IPv4) or "::" (for
568           IPv6), a new address range of the requested size is automatically
569           allocated from a system-wide pool of unused ranges. Note that the
570           prefix length must be equal or larger than 8 for IPv4, and 64 for
571           IPv6. The allocated range is checked against all current network
572           interfaces and all known network configuration files to avoid
573           address range conflicts. The default system-wide pool consists of
574           192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8 for IPv4, and fd00::/8
575           for IPv6. This functionality is useful to manage a large number of
576           dynamically created network interfaces with the same network
577           configuration and automatic address range assignment.
578
579       Gateway=
580           The gateway address, which must be in the format described in
581           inet_pton(3). This is a short-hand for a [Route] section only
582           containing a Gateway= key. This option may be specified more than
583           once.
584
585       DNS=
586           A DNS server address, which must be in the format described in
587           inet_pton(3). This option may be specified more than once. Each
588           address can optionally take a port number separated with ":", a
589           network interface name or index separated with "%", and a Server
590           Name Indication (SNI) separated with "#". When an IPv6 address is
591           specified with a port number, the address must be enclosed in
592           square brackets. That is, the acceptable full formats are
593           "111.222.333.444:9953%ifname#example.com" for IPv4 and
594           "[1111:2222::3333]:9953%ifname#example.com" for IPv6. If an empty
595           string is assigned, then all previous assignments are cleared.
596           This setting is read by systemd-resolved.service(8).
597
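A parser for the DNS= value format described above, showing why the square brackets matter for IPv6. This is an added example, not code from systemd; the names DnsServer, parse_dns_server and is_valid_dns_server are hypothetical and the addresses are constructed documentation values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union


@dataclass(frozen=True)
class DnsServer:
    address: Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
    port: Optional[int] = None
    interface: Optional[str] = None  # interface name or index, kept as written
    sni: Optional[str] = None


def _parse_port(text: str) -> int:
    if not (text.isascii() and text.isdigit()) or not 1 <= int(text) <= 65535:
        raise ValueError(f"invalid port: {text!r}")
    return int(text)


def parse_dns_server(value: str) -> DnsServer:
    """Parse one DNS= value of the form address[:port][%interface][#sni]."""
    rest = value.strip()
    if not rest:
        # An empty assignment is legal in the file, but it clears the list
        # instead of naming a server, so callers handle it separately.
        raise ValueError("empty value names no server")
    port = interface = sni = None
    if "#" in rest:
        rest, sni = rest.split("#", 1)
        if not sni:
            raise ValueError("empty server name after '#'")
    if "%" in rest:
        rest, interface = rest.rsplit("%", 1)
        if not interface:
            raise ValueError("empty interface after '%'")
    if rest.startswith("["):
        # Bracketed form: the only way to attach a port to an IPv6 address.
        host, closing, tail = rest[1:].partition("]")
        if not closing:
            raise ValueError("missing ']'")
        if tail:
            if not tail.startswith(":"):
                raise ValueError(f"unexpected text after ']': {tail!r}")
            port = _parse_port(tail[1:])
        address = ipaddress.IPv6Address(host)
    elif rest.count(":") == 1:
        # Exactly one colon can only be IPv4 followed by a port.
        host, port_text = rest.split(":")
        address = ipaddress.IPv4Address(host)
        port = _parse_port(port_text)
    else:
        # Bare IPv4 or bare IPv6; every colon belongs to the address.
        address = ipaddress.ip_address(rest)
    return DnsServer(address, port, interface, sni)


def is_valid_dns_server(value: str) -> bool:
    try:
        parse_dns_server(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in (  # constructed values
        "192.0.2.53:9953%eth0#dns.example.com",
        "[2001:db8::53]:853%eth0#dns.example.com",
        "2001:db8::1:9953",  # no brackets: 9953 is part of the address
    ):
        print(sample, "->", parse_dns_server(sample))
```

Without brackets, a trailing ":9953" on an IPv6 address is silently read as the last address group, so the resolver would contact a different host on the default port.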
598       Domains=
599           A whitespace-separated list of domains which should be resolved
600           using the DNS servers on this link. Each item in the list should be
601           a domain name, optionally prefixed with a tilde ("~"). The domains
602           with the prefix are called "routing-only domains". The domains
603           without the prefix are called "search domains" and are first used
604           as search suffixes for extending single-label hostnames (hostnames
605           containing no dots) to become fully qualified domain names (FQDNs).
606           If a single-label hostname is resolved on this interface, each of
607           the specified search domains is appended to it in turn, converting
608           it into a fully qualified domain name, until one of them may be
609           successfully resolved.
610
611           Both "search" and "routing-only" domains are used for routing of
612           DNS queries: look-ups for hostnames ending in those domains (hence
613           also single label names, if any "search domains" are listed), are
614           routed to the DNS servers configured for this interface. The domain
615           routing logic is particularly useful on multi-homed hosts with DNS
616           servers serving particular private DNS zones on each interface.
617
618           The "routing-only" domain "~."  (the tilde indicating definition of
619           a routing domain, the dot referring to the DNS root domain which is
620           the implied suffix of all valid DNS names) has special effect. It
621           causes all DNS traffic which does not match another configured
622           domain routing entry to be routed to DNS servers specified for this
623           interface. This setting is useful to prefer a certain set of DNS
624           servers if a link on which they are connected is available.
625
626           This setting is read by systemd-resolved.service(8). "Search
627           domains" correspond to the domain and search entries in
628           resolv.conf(5). Domain name routing has no equivalent in the
629           traditional glibc API, which has no concept of domain name servers
630           limited to a specific link.
631
632       DNSDefaultRoute=
633           Takes a boolean argument. If true, this link's configured DNS
634           servers are used for resolving domain names that do not match any
635           link's configured Domains= setting. If false, this link's
636           configured DNS servers are never used for such domains, and are
637           exclusively used for resolving names that match at least one of the
638           domains configured on this link. If not specified, defaults to an
639           automatic mode: queries not matching any link's configured domains
640           will be routed to this link if it has no routing-only domains
641           configured.
642
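A small model of the per-link query routing described for Domains= and DNSDefaultRoute=, useful for checking whether lookups for an internal zone can reach the DNS servers of an untrusted link. This is an added example, not systemd code; the names Link, route_query and leaked_to and all sample data are hypothetical. It assumes fully qualified names, ignores global DNS servers, and picks the match with the most labels when several links match, which is systemd-resolved's behaviour rather than something this page states.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Link:
    name: str
    dns: List[str]
    domains: List[str] = field(default_factory=list)  # items as written in Domains=
    dns_default_route: Optional[bool] = None          # None = automatic mode

    def is_default_route(self) -> bool:
        if self.dns_default_route is not None:
            return self.dns_default_route
        # Automatic mode: default route only without routing-only domains.
        return not any(d.startswith("~") for d in self.domains)


def _labels(domain: str) -> List[str]:
    domain = domain.lstrip("~").strip(".").lower()
    return domain.split(".") if domain else []  # "~." becomes [] (the DNS root)


def match_length(name: str, domain: str) -> Optional[int]:
    """Label count of `domain` if `name` equals or ends with it, else None."""
    n, d = _labels(name), _labels(domain)
    if len(d) > len(n) or n[len(n) - len(d):] != d:
        return None
    return len(d)


def route_query(name: str, links: List[Link]) -> List[str]:
    """Return the names of the links whose DNS servers receive the query."""
    best, chosen = -1, []
    for link in links:
        if not link.dns:
            continue
        lengths = [m for m in (match_length(name, d) for d in link.domains)
                   if m is not None]
        if not lengths:
            continue
        top = max(lengths)
        if top > best:
            best, chosen = top, [link.name]
        elif top == best:
            chosen.append(link.name)
    if chosen:
        return chosen
    # No search or routing-only domain matched: fall back to default routes.
    return [l.name for l in links if l.dns and l.is_default_route()]


def leaked_to(name: str, links: List[Link], trusted: Set[str]) -> List[str]:
    """Links outside `trusted` that would see a query for `name`."""
    return [l for l in route_query(name, links) if l not in trusted]


# Constructed sample: a Wi-Fi link and a VPN link.
BEFORE = [
    Link("wlan0", ["192.0.2.1"]),
    Link("vpn0", ["10.0.0.53"], ["corp.example"]),           # search domain only
]
AFTER = [
    Link("wlan0", ["192.0.2.1"]),
    Link("vpn0", ["10.0.0.53"], ["corp.example", "~intra.example"]),
]
CATCH_ALL = [
    Link("wlan0", ["192.0.2.1"]),
    Link("vpn0", ["10.0.0.53"], ["corp.example", "~."]),
]

if __name__ == "__main__":
    for label, links in (("before", BEFORE), ("after", AFTER), ("catch-all", CATCH_ALL)):
        for q in ("wiki.intra.example", "git.corp.example", "example.org"):
            print(label, q, "->", route_query(q, links))
```

In the BEFORE layout the zone intra.example is not listed on any link, so its lookups fall through to every default-route link, including wlan0; listing it as a routing-only domain on vpn0 confines them to that link.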
643       NTP=
644           An NTP server address (either an IP address, or a hostname). This
645           option may be specified more than once. This setting is read by
646           systemd-timesyncd.service(8).
647
648       IPForward=
649           Configures IP packet forwarding for the system. If enabled,
650           incoming packets on any network interface will be forwarded to any
651           other interfaces according to the routing table. Takes a boolean,
652           or the values "ipv4" or "ipv6", which only enable IP packet
653           forwarding for the specified address family. This controls the
654           net.ipv4.ip_forward and net.ipv6.conf.all.forwarding sysctl options
655           of the network interface (see ip-sysctl.txt[6] for details about
656           sysctl options). Defaults to "no".
657
658           Note: this setting controls a global kernel option, and does so one
659           way only: if a network that has this setting enabled is set up, the
660           global setting is turned on. However, it is never turned off again,
661           even after all networks with this setting enabled are shut down
662           again.
663
664           To allow IP packet forwarding only between specific network
665           interfaces use a firewall.
666
667       IPMasquerade=
668           Configures IP masquerading for the network interface. If enabled,
669           packets forwarded from the network interface will appear as
670           coming from the local host. Takes one of "ipv4", "ipv6", "both", or
671           "no". Defaults to "no". If enabled, this automatically sets
672           IPForward= to one of "ipv4", "ipv6" or "yes".
673
674           Note: positive boolean values such as "yes" or "true" are now
675           deprecated. Please use one of the values listed above.
676
677       IPv6PrivacyExtensions=
678           Configures use of stateless temporary addresses that change over
679           time (see RFC 4941[7], Privacy Extensions for Stateless Address
680           Autoconfiguration in IPv6). Takes a boolean or the special values
681           "prefer-public" and "kernel". When true, enables the privacy
682           extensions and prefers temporary addresses over public addresses.
683           When "prefer-public", enables the privacy extensions, but prefers
684           public addresses over temporary addresses. When false, the privacy
685           extensions remain disabled. When "kernel", the kernel's default
686           setting will be left in place. Defaults to "no".
687
688       IPv6AcceptRA=
689           Takes a boolean. Controls IPv6 Router Advertisement (RA) reception
690           support for the interface. If true, RAs are accepted; if false, RAs
691           are ignored. When RAs are accepted, they may trigger the start of
692           the DHCPv6 client if the relevant flags are set in the RA data, or
693           if no routers are found on the link. The default is to disable RA
694           reception for bridge devices or when IP forwarding is enabled, and
695           to enable it otherwise. Cannot be enabled on bond devices and when
696           link local addressing is disabled.
697
698           Further settings for the IPv6 RA support may be configured in the
699           [IPv6AcceptRA] section, see below.
700
701           Also see ip-sysctl.txt[6] in the kernel documentation regarding
702           "accept_ra", but note that systemd's setting of 1 (i.e. true)
703           corresponds to kernel's setting of 2.
704
705           Note that kernel's implementation of the IPv6 RA protocol is always
706           disabled, regardless of this setting. If this option is enabled, a
707           userspace implementation of the IPv6 RA protocol is used, and the
708           kernel's own implementation remains disabled, since
709           systemd-networkd needs to know all details supplied in the
710           advertisements, and these are not available from the kernel if the
711           kernel's own implementation is used.
712
713       IPv6DuplicateAddressDetection=
714           Configures the number of IPv6 Duplicate Address Detection (DAD)
715           probes to send. When unset, the kernel's default will be used.
716
717       IPv6HopLimit=
718           Configures IPv6 Hop Limit. For each router that forwards the
719           packet, the hop limit is decremented by 1. When the hop limit field
720           reaches zero, the packet is discarded. When unset, the kernel's
721           default will be used.
722
723       IPv4AcceptLocal=
724           Takes a boolean. Accept packets with local source addresses. In
725           combination with suitable routing, this can be used to direct
726           packets between two local interfaces over the wire and have them
727           accepted properly. When unset, the kernel's default will be used.
728
729       IPv4RouteLocalnet=
730           Takes a boolean. When true, the kernel does not consider loopback
731           addresses as martian source or destination while routing. This
732           enables the use of 127.0.0.0/8 for local routing purposes. When
733           unset, the kernel's default will be used.
734
735       IPv4ProxyARP=
736           Takes a boolean. Configures proxy ARP for IPv4. Proxy ARP is the
737           technique in which one host, usually a router, answers ARP requests
738           intended for another machine. By "faking" its identity, the router
739           accepts responsibility for routing packets to the "real"
740           destination. See RFC 1027[8]. When unset, the kernel's default will
741           be used.
742
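A review helper for the [Network] settings above that change how the host forwards or accepts traffic: IPForward=, IPMasquerade=, IPv4AcceptLocal=, IPv4RouteLocalnet= and IPv4ProxyARP=. This is an added example, not part of systemd; the function names, finding codes and both sample files are constructed, and drop-in directories are not merged.

```python
from typing import Dict, List, Tuple

# Positive boolean spellings accepted in systemd unit-style files.
TRUE_VALUES = {"1", "yes", "y", "true", "t", "on"}

# Settings flagged when explicitly enabled, with the effect this page describes.
REVIEW_IF_TRUE = {
    "IPv4ProxyARP": ("proxy-arp", "host answers ARP requests intended for other machines"),
    "IPv4RouteLocalnet": ("route-localnet", "127.0.0.0/8 is no longer treated as martian while routing"),
    "IPv4AcceptLocal": ("accept-local", "packets with local source addresses are accepted"),
}


def parse_network_section(text: str) -> Dict[str, str]:
    """Return {key: last assigned value} across all [Network] sections."""
    settings: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Network" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def forwarding_sources(settings: Dict[str, str]) -> List[str]:
    """Assignments that switch on IP forwarding, directly or via masquerading."""
    sources = []
    fwd = settings.get("IPForward", "no").lower()
    if fwd in TRUE_VALUES or fwd in ("ipv4", "ipv6"):
        sources.append(f"IPForward={fwd}")
    masq = settings.get("IPMasquerade", "no").lower()
    if masq in TRUE_VALUES or masq in ("ipv4", "ipv6", "both"):
        sources.append(f"IPMasquerade={masq}")  # implies IPForward=
    return sources


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (code, detail) findings for one .network file."""
    settings = parse_network_section(text)
    findings = []
    sources = forwarding_sources(settings)
    if sources:
        findings.append((
            "global-forwarding",
            ", ".join(sources) + ": turns on a global kernel option that is "
            "never turned off again; restrict forwarding between interfaces "
            "with a firewall",
        ))
    if settings.get("IPMasquerade", "").lower() in TRUE_VALUES:
        findings.append((
            "masquerade-deprecated-boolean",
            'positive boolean is deprecated; use "ipv4", "ipv6" or "both"',
        ))
    for key, (code, detail) in REVIEW_IF_TRUE.items():
        if settings.get(key, "").lower() in TRUE_VALUES:
            findings.append((code, f"{key}= enabled: {detail}"))
    return findings


# Constructed sample files.
RISKY = """\
[Match]
Name=ve-*

[Network]
Address=0.0.0.0/28
IPMasquerade=yes
IPv4ProxyARP=true
IPv4RouteLocalnet=1
"""

REVIEWED = """\
[Network]
Address=0.0.0.0/28
IPForward=no
IPMasquerade=no
IPv4ProxyARP=no
"""

if __name__ == "__main__":
    for code, detail in audit(RISKY):
        print(f"{code}: {detail}")
```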
743       IPv6ProxyNDP=
744           Takes a boolean. Configures proxy NDP for IPv6. Proxy NDP (Neighbor
745           Discovery Protocol) is a technique for IPv6 to allow routing of
746           addresses to a different destination when peers expect them to be
747           present on a certain physical link. In this case a router answers
748           Neighbour Advertisement messages intended for another machine by
749           offering its own MAC address as destination. Unlike proxy ARP for
750           IPv4, it is not enabled globally, but will only send Neighbour
751           Advertisement messages for addresses in the IPv6 neighbor proxy
752           table, which can also be shown by ip -6 neighbour show proxy.
753           systemd-networkd will control the per-interface `proxy_ndp` switch
754           for each configured interface depending on this option. When unset,
755           the kernel's default will be used.
756
757       IPv6ProxyNDPAddress=
758           An IPv6 address, for which Neighbour Advertisement messages will be
759           proxied. This option may be specified more than once.
760           systemd-networkd will add the IPv6ProxyNDPAddress= entries to the
761           kernel's IPv6 neighbor proxy table. This setting implies
762           IPv6ProxyNDP=yes but has no effect if IPv6ProxyNDP= has been set to
763           false. When unset, the kernel's default will be used.
764
765       IPv6SendRA=
766           Whether to enable or disable Router Advertisement sending on a
767           link. Takes a boolean value. When enabled, prefixes configured in
768           [IPv6Prefix] sections and routes configured in the
769           [IPv6RoutePrefix] sections are distributed as defined in the
770           [IPv6SendRA] section. If DHCPPrefixDelegation= is enabled, then the
771           delegated prefixes are also distributed. See DHCPPrefixDelegation=
772           setting and the [IPv6SendRA], [IPv6Prefix], [IPv6RoutePrefix], and
773           [DHCPPrefixDelegation] sections for more configuration options.
774
775       DHCPPrefixDelegation=
776           Takes a boolean value. When enabled, requests subnet prefixes
777           acquired by a DHCPv6 client, or by a DHCPv4 client through the 6RD
778           option configured on another link. By default, an address within
779           each delegated prefix will be assigned, and the prefixes will be
780           announced through IPv6 Router Advertisement when IPv6SendRA= is
781           enabled. Such default settings can be configured in the
782           [DHCPPrefixDelegation] section. Defaults to disabled.
783
784       IPv6MTUBytes=
785           Configures IPv6 maximum transmission unit (MTU). An integer greater
786           than or equal to 1280 bytes. When unset, the kernel's default will
787           be used.
788
789       KeepMaster=
790           Takes a boolean value. When enabled, the current master interface
791           index will not be changed, and BatmanAdvanced=, Bond=, Bridge=, and
792           VRF= settings are ignored. This may be useful when a netdev with a
793           master interface is created by another program, e.g.  systemd-
794           nspawn(1). Defaults to false.
795
796       BatmanAdvanced=, Bond=, Bridge=, VRF=
797           The name of the B.A.T.M.A.N. Advanced, bond, bridge, or VRF
798           interface to add the link to. See systemd.netdev(5).
799
800       IPoIB=, IPVLAN=, IPVTAP=, L2TP=, MACsec=, MACVLAN=, MACVTAP=, Tunnel=,
801       VLAN=, VXLAN=, Xfrm=
802           The name of an IPoIB, IPVLAN, IPVTAP, L2TP, MACsec, MACVLAN,
803           MACVTAP, tunnel, VLAN, VXLAN, or Xfrm to be created on the link.
804           See systemd.netdev(5). This option may be specified more than once.
805
806       ActiveSlave=
807           Takes a boolean. Specifies the new active slave. The "ActiveSlave="
808           option is only valid for the following modes: "active-backup",
809           "balance-alb", and "balance-tlb". Defaults to false.
810
811       PrimarySlave=
812           Takes a boolean. Specifies which slave is the primary device. The
813           specified device will always be the active slave while it is
814           available. Only when the primary is off-line will alternate devices
815           be used. This is useful when one slave is preferred over another,
816           e.g. when one slave has higher throughput than another. The
817           "PrimarySlave=" option is only valid for the following modes:
818           "active-backup", "balance-alb", and "balance-tlb". Defaults to
819           false.
820
821       ConfigureWithoutCarrier=
822           Takes a boolean. Allows networkd to configure a specific link even
823           if it has no carrier. Defaults to false. If enabled, and the
824           IgnoreCarrierLoss= setting is not explicitly set, then it is
825           enabled as well.
826
827       IgnoreCarrierLoss=
828           Takes a boolean or a timespan. When true, networkd retains both the
829           static and dynamic configuration of the interface even if its
830           carrier is lost. When a timespan is specified, networkd waits for
831           the specified timespan, and ignores the carrier loss if the link
832           regains its carrier within the timespan. Setting a finite timespan
833           may be useful for a wireless interface connecting to a network
834           which has multiple access points with the same SSID, or an
835           interface which is reset on changing MTU. When unset, the value
836           specified with ConfigureWithoutCarrier= is used.
837
838           When ActivationPolicy= is set to "always-up", this is forced to
839           "true".
840
841       KeepConfiguration=
842           Takes a boolean or one of "static", "dhcp-on-stop", "dhcp". When
843           "static", systemd-networkd will not drop static addresses and
844           routes when starting up. When set to "dhcp-on-stop",
845           systemd-networkd will not drop addresses and routes on stopping the
846           daemon. When "dhcp", the addresses and routes provided by a DHCP
847           server will never be dropped even if the DHCP lease expires. This
848           is contrary to the DHCP specification, but may be the best choice
849           if, e.g., the root filesystem relies on this connection. The
850           setting "dhcp" implies "dhcp-on-stop", and "yes" implies "dhcp" and
851           "static". Defaults to "dhcp-on-stop" when systemd-networkd is
852           running in initrd, "yes" when the root filesystem is a network
853           filesystem, and "no" otherwise.
854

[ADDRESS] SECTION OPTIONS

856       An [Address] section accepts the following keys. Specify several
857       [Address] sections to configure several addresses.
858
859       Address=
860           As in the [Network] section. This setting is mandatory. Each
861           [Address] section can contain one Address= setting.
862
863       Peer=
864           The peer address in a point-to-point connection. Accepts the same
865           format as the Address= setting.
866
867       Broadcast=
868           Takes an IPv4 address or boolean value. The address must be in the
869           format described in inet_pton(3). If set to true, then the IPv4
870           broadcast address will be derived from the Address= setting. If set
871           to false, then the broadcast address will not be set. Defaults to
872           true, except for wireguard interfaces, where it defaults to false.
873
874       Label=
875           Specifies the label for the IPv4 address. The label must be a 7-bit
876           ASCII string with a length of 1...15 characters. Defaults to unset.
877
878       PreferredLifetime=
879           Allows the default "preferred lifetime" of the address to be
880           overridden. Only three settings are accepted: "forever",
881           "infinity", which is the default and means that the address never
882           expires, and "0", which means that the address is considered
883           immediately "expired" and will not be used, unless explicitly
884           requested. A setting of PreferredLifetime=0 is useful for addresses
885           which are added to be used only by a specific application, which is
886           then configured to use them explicitly.
887
888       Scope=
889           The scope of the address, which can be "global" (valid everywhere
890           on the network, even through a gateway), "link" (only valid on this
891           device, will not traverse a gateway) or "host" (only valid within
892           the device itself, e.g. 127.0.0.1) or an integer in the range
893           0...255. Defaults to "global".
894
895       RouteMetric=
896           The metric of the prefix route, which is pointing to the subnet of
897           the configured IP address, taking the configured prefix length into
898           account. Takes an unsigned integer in the range 0...4294967295.
899           When unset or set to 0, the kernel's default value is used. This
900           setting will be ignored when AddPrefixRoute= is false.
901
902       HomeAddress=
903           Takes a boolean. Designates this address the "home address" as
904           defined in RFC 6275[9]. Supported only on IPv6. Defaults to false.
905
906       DuplicateAddressDetection=
907           Takes one of "ipv4", "ipv6", "both", or "none". When "ipv4",
908           performs IPv4 Address Conflict Detection. See RFC 5227[10]. When
909           "ipv6", performs IPv6 Duplicate Address Detection. See RFC
910           4862[11]. Defaults to "ipv4" for IPv4 link-local addresses, "ipv6"
911           for IPv6 addresses, and "none" otherwise.
912
913       ManageTemporaryAddress=
914           Takes a boolean. If true, the kernel manages temporary addresses
915           created from this one as a template on behalf of Privacy Extensions,
916           RFC 3041[12]. For this to become active, the use_tempaddr sysctl
917           setting has to be set to a value greater than zero. The given
918           address needs to have a prefix length of 64. This flag allows using
919           privacy extensions in a manually configured network, just like if
920           stateless auto-configuration was active. Defaults to false.
921
922       AddPrefixRoute=
923           Takes a boolean. When true, the prefix route for the address is
924           automatically added. Defaults to true.
925
926       AutoJoin=
927           Takes a boolean. Joining a multicast group at the Ethernet level via
928           the ip maddr command does not work when an Ethernet switch does
929           IGMP snooping, since the switch does not replicate multicast
930           packets on ports that did not have IGMP reports for the multicast
931           addresses. Linux vxlan interfaces created via ip link add vxlan or
932           networkd's netdev kind vxlan have the group option that enables
933           them to do the required join. Extending the ip address command with
934           the option "autojoin" gives similar functionality for openvswitch
935           (OVS) vxlan interfaces as well as other tunneling mechanisms that
936           need to receive multicast traffic. Defaults to "no".
937

[NEIGHBOR] SECTION OPTIONS

939       A [Neighbor] section accepts the following keys. The neighbor section
940       adds a permanent, static entry to the neighbor table (IPv6) or ARP
941       table (IPv4) for the given hardware address on the links matched for
942       the network. Specify several [Neighbor] sections to configure several
943       static neighbors.
944
945       Address=
946           The IP address of the neighbor.
947
948       LinkLayerAddress=
949           The link layer address (MAC address or IP address) of the neighbor.
950

[IPV6ADDRESSLABEL] SECTION OPTIONS

952       An [IPv6AddressLabel] section accepts the following keys. Specify
953       several [IPv6AddressLabel] sections to configure several address
954       labels. IPv6 address labels are used for address selection. See RFC
955       3484[13]. Precedence is managed by userspace, and only the label itself
956       is stored in the kernel.
957
958       Label=
959           The label for the prefix, an unsigned integer in the range
960           0...4294967294. 0xffffffff is reserved. This setting is mandatory.
961
962       Prefix=
963           IPv6 prefix is an address with a prefix length, separated by a
964           slash "/" character. This setting is mandatory.
965

[ROUTINGPOLICYRULE] SECTION OPTIONS

967       A [RoutingPolicyRule] section accepts the following settings. Specify
968       several [RoutingPolicyRule] sections to configure several rules.
969
970       TypeOfService=
971           Takes a number between 0 and 255 that specifies the type of service
972           to match.
973
974       From=
975           Specifies the source address prefix to match. Possibly followed by
976           a slash and the prefix length.
977
978       To=
979           Specifies the destination address prefix to match. Possibly
980           followed by a slash and the prefix length.
981
982       FirewallMark=
983           Specifies the iptables firewall mark value to match (a number in
984           the range 1...4294967295). Optionally, the firewall mask (also a
985           number between 1...4294967295) can be suffixed with a slash ("/"),
986           e.g., "7/255".
987
988       Table=
989           Specifies the routing table identifier to look up if the rule
990           selector matches. Takes one of predefined names "default", "main",
991           and "local", and names defined in RouteTable= in networkd.conf(5),
992           or a number between 1 and 4294967295. Defaults to "main".
993
994       Priority=
995           Specifies the priority of this rule.  Priority= is an integer in
996           the range 0...4294967295. Higher number means lower priority, and
997           rules get processed in order of increasing number. Defaults to
998           unset, and the kernel will pick a value dynamically.
999
1000       IncomingInterface=
1001           Specifies incoming device to match. If the interface is loopback,
1002           the rule only matches packets originating from this host.
1003
1004       OutgoingInterface=
1005           Specifies the outgoing device to match. The outgoing interface is
1006           only available for packets originating from local sockets that are
1007           bound to a device.
1008
1009       SourcePort=
1010           Specifies the source IP port or IP port range match in forwarding
1011           information base (FIB) rules. A port range is specified by the
1012           lower and upper port separated by a dash. Defaults to unset.
1013
1014       DestinationPort=
1015           Specifies the destination IP port or IP port range match in
1016           forwarding information base (FIB) rules. A port range is specified
1017           by the lower and upper port separated by a dash. Defaults to unset.
1018
1019       IPProtocol=
1020           Specifies the IP protocol to match in forwarding information base
1021           (FIB) rules. Takes IP protocol name such as "tcp", "udp" or "sctp",
1022           or IP protocol number such as "6" for "tcp" or "17" for "udp".
1023           Defaults to unset.
1024
1025       InvertRule=
1026           A boolean. Specifies whether the rule is to be inverted. Defaults
1027           to false.
1028
1029       Family=
1030           Takes a special value "ipv4", "ipv6", or "both". By default, the
1031           address family is determined by the address specified in To= or
1032           From=. If neither To= nor From= are specified, then defaults to
1033           "ipv4".
1034
1035       User=
1036           Takes a username, a user ID, or a range of user IDs separated by a
1037           dash. Defaults to unset.
1038
1039       SuppressPrefixLength=
1040           Takes a number N in the range 0...128 and rejects routing decisions
1041           that have a prefix length of N or less. Defaults to unset.
1042
1043       SuppressInterfaceGroup=
1044           Takes an integer in the range 0...2147483647 and rejects routing
1045           decisions that have an interface with the same group id. It has the
1046           same meaning as suppress_ifgroup in ip rule. Defaults to unset.
1047
1048       Type=
1049           Specifies Routing Policy Database (RPDB) rule type. Takes one of
1050           "blackhole", "unreachable" or "prohibit".
1051

[NEXTHOP] SECTION OPTIONS

1053       The [NextHop] section is used to manipulate entries in the kernel's
1054       "nexthop" tables. The [NextHop] section accepts the following settings.
1055       Specify several [NextHop] sections to configure several hops.
1056
1057       Id=
1058           The id of the next hop. Takes an integer in the range
1059           1...4294967295. If unspecified, then automatically chosen by
1060           kernel.
1061
1062       Gateway=
1063           As in the [Network] section.
1064
1065       Family=
1066           Takes one of the special values "ipv4" or "ipv6". By default, the
1067           family is determined by the address specified in Gateway=. If
1068           Gateway= is not specified, then defaults to "ipv4".
1069
1070       OnLink=
1071           Takes a boolean. If set to true, the kernel does not have to check
1072           if the gateway is reachable directly by the current machine (i.e.,
1073           attached to the local network), so that we can insert the nexthop
1074           in the kernel table without it being complained about. Defaults to
1075           "no".
1076
1077       Blackhole=
1078           Takes a boolean. If enabled, packets to the corresponding routes
1079           are discarded silently, and Gateway= cannot be specified. Defaults
1080           to "no".
1081
1082       Group=
1083           Takes a whitespace separated list of nexthop IDs. Each ID must be
1084           in the range 1...4294967295. Optionally, each nexthop ID can take a
1085           weight after a colon ("id[:weight]"). The weight must be in the
1086           range 1...255. If the weight is not specified, then it is assumed
1087           that the weight is 1. This setting cannot be specified with
1088           Gateway=, Family=, Blackhole=. This setting can be specified
1089           multiple times. If an empty string is assigned, then all
1090           previous assignments are cleared. Defaults to unset.
1091

[ROUTE] SECTION OPTIONS

1093       The [Route] section accepts the following settings. Specify several
1094       [Route] sections to configure several routes.
1095
1096       Gateway=
1097           Takes the gateway address or the special values "_dhcp4" and
1098           "_ipv6ra". If "_dhcp4" or "_ipv6ra" is set, then the gateway
1099           address provided by DHCPv4 or IPv6 RA is used.
1100
1101       GatewayOnLink=
1102           Takes a boolean. If set to true, the kernel does not have to check
1103           if the gateway is reachable directly by the current machine (i.e.,
1104           attached to the local network), so that we can insert the route in
1105           the kernel table without it being complained about. Defaults to
1106           "no".
1107
1108       Destination=
1109           The destination prefix of the route. Possibly followed by a slash
1110           and the prefix length. If omitted, a full-length host route is
1111           assumed.
1112
1113       Source=
1114           The source prefix of the route. Possibly followed by a slash and
1115           the prefix length. If omitted, a full-length host route is assumed.
1116
1117       Metric=
1118           The metric of the route. Takes an unsigned integer in the range
1119           0...4294967295. Defaults to unset, and the kernel's default will be
1120           used.
1121
1122       IPv6Preference=
1123           Specifies the route preference as defined in RFC 4191[14] for
1124           Router Discovery messages. Takes one of "low" (the route has the
1125           lowest priority), "medium" (the route has the default priority),
1126           or "high" (the route has the highest priority).
1127
1128       Scope=
1129           The scope of the IPv4 route, which can be "global", "site", "link",
1130           "host", or "nowhere":
1131
1132           •   "global" means the route can reach hosts more than one hop
1133               away.
1134
1135           •   "site" means an interior route in the local autonomous system.
1136
1137           •   "link" means the route can only reach hosts on the local
1138               network (one hop away).
1139
1140           •   "host" means the route will not leave the local machine (used
1141               for internal addresses like 127.0.0.1).
1142
1143           •   "nowhere" means the destination doesn't exist.
1144
1145           For IPv4 route, defaults to "host" if Type= is "local" or "nat",
1146           and "link" if Type= is "broadcast", "multicast", or "anycast". In
1147           other cases, defaults to "global". The value is not used for IPv6.
1148
1149       PreferredSource=
1150           The preferred source address of the route. The address must be in
1151           the format described in inet_pton(3).
1152
1153       Table=
1154           The table identifier for the route. Takes one of predefined names
1155           "default", "main", and "local", and names defined in RouteTable= in
1156           networkd.conf(5), or a number between 1 and 4294967295. The table
1157           can be retrieved using ip route show table num. If unset and Type=
1158           is "local", "broadcast", "anycast", or "nat", then "local" is used.
1159           In other cases, defaults to "main".
1160
1161       Protocol=
1162           The protocol identifier for the route. Takes a number between 0 and
1163           255 or the special values "kernel", "boot", "static", "ra" and
1164           "dhcp". Defaults to "static".
1165
1166       Type=
1167           Specifies the type for the route. Takes one of "unicast", "local",
1168           "broadcast", "anycast", "multicast", "blackhole", "unreachable",
1169           "prohibit", "throw", "nat", and "xresolve". If "unicast", a regular
1170           route is defined, i.e. a route indicating the path to take to a
1171           destination network address. If "blackhole", packets to the defined
1172           route are discarded silently. If "unreachable", packets to the
1173           defined route are discarded and the ICMP message "Host Unreachable"
1174           is generated. If "prohibit", packets to the defined route are
1175           discarded and the ICMP message "Communication Administratively
1176           Prohibited" is generated. If "throw", route lookup in the current
1177           routing table will fail and the route selection process will return
1178           to Routing Policy Database (RPDB). Defaults to "unicast".
1179
1180       InitialCongestionWindow=
1181           The TCP initial congestion window is used during the start of a TCP
1182           connection. During the start of a TCP session, when a client
1183           requests a resource, the server's initial congestion window
1184           determines how many packets will be sent during the initial burst
1185           of data without waiting for acknowledgement. Takes a number between
1186           1 and 1023. Note that 100 is considered an extremely large value
1187           for this option. When unset, the kernel's default (typically 10)
1188           will be used.
1189
1190       InitialAdvertisedReceiveWindow=
1191           The TCP initial advertised receive window is the amount of receive
1192           data (in bytes) that can initially be buffered at one time on a
1193           connection. The sending host can send only that amount of data
1194           before waiting for an acknowledgment and window update from the
1195           receiving host. Takes a number between 1 and 1023. Note that 100 is
1196           considered an extremely large value for this option. When unset,
1197           the kernel's default will be used.
1198
1199       QuickAck=
1200           Takes a boolean. When true enables TCP quick ack mode for the
1201           route. When unset, the kernel's default will be used.
1202
1203       FastOpenNoCookie=
1204           Takes a boolean. When true enables TCP fastopen without a cookie on
1205           a per-route basis. When unset, the kernel's default will be used.
1206
1207       TTLPropagate=
1208           Takes a boolean. When true enables TTL propagation at Label
1209           Switched Path (LSP) egress. When unset, the kernel's default will
1210           be used.
1211
1212       MTUBytes=
1213           The maximum transmission unit in bytes to set for the route. The
1214           usual suffixes K, M, G, are supported and are understood to the
1215           base of 1024.
1216
1217       TCPAdvertisedMaximumSegmentSize=
1218           Specifies the Path MSS (in bytes) hints given on TCP layer. The
1219           usual suffixes K, M, G, are supported and are understood to the
1220           base of 1024. An unsigned integer in the range 1...4294967294. When
1221           unset, the kernel's default will be used.
1222
1223       MultiPathRoute=address[@name] [weight]
1224           Configures a multipath route. Multipath routing is the technique
1225           of using multiple alternative paths through a network. Takes a
1226           gateway address. Optionally, takes a network interface name or index
1227           separated with "@", and a weight in 1..256 for this multipath route
1228           separated with whitespace. This setting can be specified multiple
1229           times. If an empty string is assigned, then all previous
1230           assignments are cleared.
1231
1232       NextHop=
1233           Specifies the nexthop id. Takes an unsigned integer in the range
1234           1...4294967295. If set, the corresponding [NextHop] section must be
1235           configured. Defaults to unset.
1236

[DHCPV4] SECTION OPTIONS

1238       The [DHCPv4] section configures the DHCPv4 client, if it is enabled
1239       with the DHCP= setting described above:
1240
1241       SendHostname=
1242           When true (the default), the machine's hostname (or the value
1243           specified with Hostname=, described below) will be sent to the DHCP
1244           server. Note that the hostname must consist only of 7-bit ASCII
1245           lower-case characters and no spaces or dots, and be formatted as a
1246           valid DNS domain name. Otherwise, the hostname is not sent even if
1247           this option is true.
1248
1249       Hostname=
1250           Use this value for the hostname which is sent to the DHCP server,
1251           instead of machine's hostname. Note that the specified hostname
1252           must consist only of 7-bit ASCII lower-case characters and no
1253           spaces or dots, and be formatted as a valid DNS domain name.
1254
1255       MUDURL=
1256           When configured, the specified Manufacturer Usage Description (MUD)
1257           URL will be sent to the DHCPv4 server. Takes a URL of length up to
1258           255 characters. A superficial verification that the string is a
1259           valid URL will be performed. DHCPv4 clients are intended to have at
1260           most one MUD URL associated with them. See RFC 8520[15].
1261
1262           MUD is an embedded software standard defined by the IETF that
1263           allows IoT device makers to advertise device specifications,
1264           including the intended communication patterns for their device when
1265           it connects to the network. The network can then use this to author
1266           a context-specific access policy, so the device functions only
1267           within those parameters.
1268
1269       ClientIdentifier=
1270           The DHCPv4 client identifier to use. Takes one of mac, duid or
1271           duid-only. If set to mac, the MAC address of the link is used. If
1272           set to duid, an RFC4361-compliant Client ID, which is the
1273           combination of IAID and DUID (see below), is used. If set to
1274           duid-only, only DUID is used; this may not be RFC compliant, but
1275           some setups may require it. Defaults to duid.
1276
1277       VendorClassIdentifier=
1278           The vendor class identifier used to identify vendor type and
1279           configuration.
1280
1281       UserClass=
1282           A DHCPv4 client can use UserClass option to identify the type or
1283           category of user or applications it represents. The information
1284           contained in this option is a string that represents the user class
1285           of which the client is a member. Each class sets an identifying
1286           string of information to be used by the DHCP service to classify
1287           clients. Takes a whitespace-separated list of strings.
1288
1289       DUIDType=
1290           Override the global DUIDType= setting for this network. See
1291           networkd.conf(5) for a description of possible values.
1292
1293       DUIDRawData=
1294           Override the global DUIDRawData= setting for this network. See
1295           networkd.conf(5) for a description of possible values.
1296
1297       IAID=
1298           The DHCP Identity Association Identifier (IAID) for the interface,
1299           a 32-bit unsigned integer.
1300
1301       Anonymize=
1302           Takes a boolean. When true, the options sent to the DHCP server
1303           will follow the RFC 7844[16] (Anonymity Profiles for DHCP Clients)
1304           to minimize disclosure of identifying information. Defaults to
1305           false.
1306
1307           This option should only be set to true when MACAddressPolicy= is
1308           set to random (see systemd.link(5)).
1309
1310           When true, SendHostname=, ClientIdentifier=,
1311           VendorClassIdentifier=, UserClass=, RequestOptions=, SendOption=,
1312           SendVendorOption=, and MUDURL= are ignored.
1313
1314           With this option enabled DHCP requests will mimic those generated
1315           by Microsoft Windows, in order to reduce the ability to fingerprint
1316           and recognize installations. This means DHCP request sizes will
1317           grow and lease data will be more comprehensive than normally,
1318           though most of the requested data is not actually used.
1319
1320       RequestOptions=
1321           Sets request options to be sent to the server in the DHCPv4 request
1322           options list. A whitespace-separated list of integers in the range
1323           1...254. Defaults to unset.
1324
1325       SendOption=
1326           Send an arbitrary raw option in the DHCPv4 request. Takes a DHCP
1327           option number, data type and data separated with a colon
1328           ("option:type:value"). The option number must be an integer in the
1329           range 1...254. The type takes one of "uint8", "uint16", "uint32",
1330           "ipv4address", or "string". Special characters in the data string
1331           may be escaped using C-style escapes[17]. This setting can be
1332           specified multiple times. If an empty string is specified, then all
1333           options specified earlier are cleared. Defaults to unset.
1334
1335       SendVendorOption=
1336           Send an arbitrary vendor option in the DHCPv4 request. Takes a DHCP
1337           option number, data type and data separated with a colon
1338           ("option:type:value"). The option number must be an integer in the
1339           range 1...254. The type takes one of "uint8", "uint16", "uint32",
1340           "ipv4address", or "string". Special characters in the data string
1341           may be escaped using C-style escapes[17]. This setting can be
1342           specified multiple times. If an empty string is specified, then all
1343           options specified earlier are cleared. Defaults to unset.
1344
1345       IPServiceType=
1346           Takes one of the special values "none", "CS6", or "CS4". When
1347           "none" no IP service type is set to the packet sent from the DHCPv4
1348           client. When "CS6" (network control) or "CS4" (realtime), the
1349           corresponding service type will be set. Defaults to "CS6".
1350
1351       Label=
1352           Specifies the label for the IPv4 address received from the DHCP
1353           server. The label must be a 7-bit ASCII string with a length of
1354           1...15 characters. Defaults to unset.
1355
1356       UseDNS=
1357           When true (the default), the DNS servers received from the DHCP
1358           server will be used.
1359
1360           This corresponds to the nameserver option in resolv.conf(5).
1361
1362       RoutesToDNS=
1363           When true, the routes to the DNS servers received from the DHCP
1364           server will be configured. When UseDNS= is disabled, this setting
1365           is ignored. Defaults to true.
1366
1367       UseNTP=
1368           When true (the default), the NTP servers received from the DHCP
1369           server will be used by systemd-timesyncd.service.
1370
1371       RoutesToNTP=
1372           When true, the routes to the NTP servers received from the DHCP
1373           server will be configured. When UseNTP= is disabled, this setting
1374           is ignored. Defaults to true.
1375
1376       UseSIP=
1377           When true (the default), the SIP servers received from the DHCP
1378           server will be collected and made available to client programs.
1379
1380       UseMTU=
1381           When true, the interface maximum transmission unit from the DHCP
1382           server will be used on the current link. If MTUBytes= is set, then
1383           this setting is ignored. Defaults to false.
1384
1385           Note, some drivers will reset the interfaces if the MTU is changed.
1386           For such interfaces, please try to use IgnoreCarrierLoss= with a
1387           short timespan, e.g.  "3 seconds".
1388
1389       UseHostname=
1390           When true (the default), the hostname received from the DHCP server
1391           will be set as the transient hostname of the system.
1392
1393       UseDomains=
1394           Takes a boolean, or the special value route. When true, the domain
1395           name received from the DHCP server will be used as DNS search
1396           domain over this link, similar to the effect of the Domains=
1397           setting. If set to route, the domain name received from the DHCP
1398           server will be used for routing DNS queries only, but not for
1399           searching, similar to the effect of the Domains= setting when the
1400           argument is prefixed with "~". Defaults to false.
1401
1402           It is recommended to enable this option only on trusted networks,
1403           as setting this affects resolution of all hostnames, in particular
1404           of single-label names. It is generally safer to use the supplied
1405           domain only as routing domain, rather than as search domain, in
1406           order to not have it affect local resolution of single-label names.
1407
1408           When set to true, this setting corresponds to the domain option in
1409           resolv.conf(5).
1410
1411       UseRoutes=
1412           When true (the default), the static routes will be requested from
1413           the DHCP server and added to the routing table with a metric of
1414           1024, and a scope of global, link or host, depending on the route's
1415           destination and gateway. If the destination is on the local host,
1416           e.g., 127.x.x.x, or the same as the link's own address, the scope
1417           will be set to host. Otherwise if the gateway is null (a direct
1418           route), a link scope will be used. For anything else, scope
1419           defaults to global.
1420
1421       RouteMetric=
1422           Set the routing metric for routes specified by the DHCP server
1423           (including the prefix route added for the specified prefix). Takes
1424           an unsigned integer in the range 0...4294967295. Defaults to 1024.
1425
1426       RouteTable=num
1427           The table identifier for DHCP routes (a number between 1 and
1428           4294967295, or 0 to unset). The table can be retrieved using ip
1429           route show table num.
1430
1431           When used in combination with VRF=, the VRF's routing table is used
1432           when this parameter is not specified.
1433
1434       RouteMTUBytes=
1435           Specifies the MTU for the DHCP routes. Please see the [Route]
1436           section for further details.
1437
1438       UseGateway=
1439           When true, the gateway will be requested from the DHCP server and
1440           added to the routing table with a metric of 1024, and a scope of
1441           link. When unset, the value specified with UseRoutes= is used.
1442
1443       UseTimezone=
1444           When true, the timezone received from the DHCP server will be set
1445           as timezone of the local system. Defaults to false.
1446
1447       Use6RD=
1448           When true, subnets of the received IPv6 prefix are assigned to
1449           downstream interfaces which enables DHCPPrefixDelegation=. See also
1450           DHCPPrefixDelegation= in the [Network] section, the
1451           [DHCPPrefixDelegation] section, and RFC 5969[18]. Defaults to
1452           false.
1453
1454       FallbackLeaseLifetimeSec=
1455           Allows one to set DHCPv4 lease lifetime when DHCPv4 server does not
1456           send the lease lifetime. Takes one of "forever" or "infinity". If
1457           specified, the acquired address never expires. Defaults to unset.
1458
1459       RequestBroadcast=
1460           Request the server to use broadcast messages before the IP address
1461           has been configured. This is necessary for devices that cannot
1462           receive RAW packets, or that cannot receive packets at all before
1463           an IP address has been configured. On the other hand, this must not
1464           be enabled on networks where broadcasts are filtered out.
1465
1466       MaxAttempts=
1467           Specifies how many times the DHCPv4 client configuration should be
1468           attempted. Takes a number or "infinity". Defaults to "infinity".
1469           Note that the time between retries is increased exponentially, up
1470           to approximately one per minute, so the network will not be
1471           overloaded even if this number is high. The default is suitable in
1472           most circumstances.
1473
1474       ListenPort=
1475           Set the port from which the DHCP client packets originate.
1476
1477       DenyList=
1478           A whitespace-separated list of IPv4 addresses. Each address can
1479           optionally take a prefix length after "/". DHCP offers from servers
1480           in the list are rejected. Note that if AllowList= is configured
1481           then DenyList= is ignored.
1482
1483       AllowList=
1484           A whitespace-separated list of IPv4 addresses. Each address can
1485           optionally take a prefix length after "/". DHCP offers from servers
1486           in the list are accepted.
1487
1488       SendRelease=
1489           When true, the DHCPv4 client sends a DHCP release packet when it
1490           stops. Defaults to true.
1491
1492       SendDecline=
1493           A boolean. When true, systemd-networkd performs IPv4 Duplicate
1494           Address Detection on the address acquired by the DHCPv4 client. If
1495           a duplicate is detected, the DHCPv4 client rejects the address by
1496           sending a DHCPDECLINE packet to the DHCP server, and tries to
1497           obtain an IP address again. See RFC 5227[10]. Defaults to false.
1498

[DHCPV6] SECTION OPTIONS

1500       The [DHCPv6] section configures the DHCPv6 client, if it is enabled
1501       with the DHCP= setting described above, or invoked by the IPv6 Router
1502       Advertisement:
1503
1504       MUDURL=, IAID=, DUIDType=, DUIDRawData=, RequestOptions=
1505           As in the [DHCPv4] section.
1506
1507       SendOption=
1508           As in the [DHCPv4] section, however because DHCPv6 uses 16-bit
1509           fields to store option numbers, the option number is an integer in
1510           the range 1...65536.
1511
1512       SendVendorOption=
1513           Send an arbitrary vendor option in the DHCPv6 request. Takes an
1514           enterprise identifier, DHCP option number, data type, and data
1515           separated with a colon ("enterprise identifier:option:type:value").
1516           Enterprise identifier is an unsigned integer in the range
1517           1...4294967294. The option number must be an integer in the range
1518           1...254. Data type takes one of "uint8", "uint16", "uint32",
1519           "ipv4address", "ipv6address", or "string". Special characters in
1520           the data string may be escaped using C-style escapes[17]. This
1521           setting can be specified multiple times. If an empty string is
1522           specified, then all options specified earlier are cleared. Defaults
1523           to unset.
1524
1525       UserClass=
1526           A DHCPv6 client can use User Class option to identify the type or
1527           category of user or applications it represents. The information
1528           contained in this option is a string that represents the user class
1529           of which the client is a member. Each class sets an identifying
1530           string of information to be used by the DHCP service to classify
1531           clients. Special characters in the data string may be escaped using
1532           C-style escapes[17]. This setting can be specified multiple times.
1533           If an empty string is specified, then all options specified earlier
1534           are cleared. Takes a whitespace-separated list of strings. Note
1535           that currently NUL bytes are not allowed.
1536
1537       VendorClass=
1538           A DHCPv6 client can use VendorClass option to identify the vendor
1539           that manufactured the hardware on which the client is running. The
1540           information contained in the data area of this option is contained
1541           in one or more opaque fields that identify details of the hardware
1542           configuration. Takes a whitespace-separated list of strings.
1543
1544       PrefixDelegationHint=
1545           Takes an IPv6 address with prefix length in the same format as the
1546           Address= in the [Network] section. The DHCPv6 client will include a
1547           prefix hint in the DHCPv6 solicitation sent to the server. The
1548           prefix length must be in the range 1...128. Defaults to unset.
1549
1550       UseAddress=
1551           When true (the default), the IP addresses provided by the DHCPv6
1552           server will be assigned.
1553
1554       UseDelegatedPrefix=
1555           When true (the default), the client will request the DHCPv6 server
1556           to delegate prefixes. If the server provides prefixes to be
1557           delegated, then subnets of the prefixes are assigned to the
1558           interfaces which enables DHCPPrefixDelegation=. See also the
1559           DHCPPrefixDelegation= setting in the [Network] section, settings in
1560           the [DHCPPrefixDelegation] section, and RFC 8415[19].
1561
1562       UseDNS=, UseNTP=, UseHostname=, UseDomains=
1563           As in the [DHCPv4] section.
1564
1565       WithoutRA=
1566           Allows the DHCPv6 client to start without a router advertisement's
1567           managed or other address configuration flag. Takes one of "no",
1568           "solicit" or "information-request". If this is not specified,
1569           "solicit" is used when DHCPPrefixDelegation= is enabled and
1570           UplinkInterface=:self is specified in the [DHCPPrefixDelegation]
1571           section. Otherwise, defaults to "no", and the DHCPv6 client will be
1572           started when an RA is received. See also the DHCPv6Client= setting
1573           in the [IPv6AcceptRA] section.
1574

[DHCPPREFIXDELEGATION] SECTION OPTIONS

1576       The [DHCPPrefixDelegation] section configures subnet prefixes of the
1577       delegated prefixes acquired by a DHCPv6 client, or by a DHCPv4 client
1578       through the 6RD option on another interface. The settings in this
1579       section are used only when the DHCPPrefixDelegation= setting in the
1580       [Network] section is enabled.
1581
1582       UplinkInterface=
1583           Specifies the name or the index of the uplink interface, or one of
1584           the special values ":self" and ":auto". When ":self", the interface
1585           itself is considered the uplink interface, and WithoutRA=solicit is
1586           implied if the setting is not explicitly specified. When ":auto",
1587           the first link which acquired prefixes to be delegated from the
1588           DHCPv6 or DHCPv4 server is selected. Defaults to ":auto".
1589
1590       SubnetId=
1591           Configure a specific subnet ID on the interface from a (previously)
1592           received prefix delegation. You can either set "auto" (the default)
1593           or a specific subnet ID (as defined in RFC 4291[20], section
1594           2.5.4), in which case the allowed value is hexadecimal, from 0 to
1595           0x7fffffffffffffff inclusive.
1596
1597       Announce=
1598           Takes a boolean. When enabled, and IPv6SendRA= in [Network] section
1599           is enabled, the delegated prefixes are distributed through the IPv6
1600           Router Advertisement. This setting will be ignored when the
1601           DHCPPrefixDelegation= setting is enabled on the upstream interface.
1602           Defaults to yes.
1603
1604       Assign=
1605           Takes a boolean. Specifies whether to add an address from the
1606           delegated prefixes which are received from the WAN interface by the
1607           DHCPv6 Prefix Delegation. When true (on LAN interface), the EUI-64
1608           algorithm will be used by default to form an interface identifier
1609           from the delegated prefixes. See also Token= setting below.
1610           Defaults to yes.
1611
1612       Token=
1613           Specifies an optional address generation mode for assigning an
1614           address in each delegated prefix. This accepts the same syntax as
1615           Token= in the [IPv6AcceptRA] section. If Assign= is set to false,
1616           then this setting will be ignored. Defaults to unset, which means
1617           the EUI-64 algorithm will be used.
1618
1619       ManageTemporaryAddress=
1620           As in the [Address] section, but defaults to true.
1621
1622       RouteMetric=
1623           The metric of the route to the delegated prefix subnet. Takes an
1624           unsigned integer in the range 0...4294967295. When set to 0, the
1625           kernel's default value is used. Defaults to 256.
1626

[IPV6ACCEPTRA] SECTION OPTIONS

1628       The [IPv6AcceptRA] section configures the IPv6 Router Advertisement
1629       (RA) client, if it is enabled with the IPv6AcceptRA= setting described
1630       above:
1631
1632       Token=
1633           Specifies an optional address generation mode for the Stateless
1634           Address Autoconfiguration (SLAAC). The following values are
1635           supported:
1636
1637           eui64
1638               The EUI-64 algorithm will be used to generate an address for
1639               that prefix. Only supported by Ethernet or InfiniBand
1640               interfaces.
1641
1642           static:ADDRESS
1643               An IPv6 address must be specified after a colon (":"), and the
1644               lower bits of the supplied address are combined with the upper
1645               bits of a prefix received in a Router Advertisement (RA)
1646               message to form a complete address. Note that if multiple
1647               prefixes are received in an RA message, or in multiple RA
1648               messages, addresses will be formed from each of them using the
1649               supplied address. This mode implements SLAAC but uses a static
1650               interface identifier instead of an identifier generated by
1651               using the EUI-64 algorithm. Because the interface identifier is
1652               static, if Duplicate Address Detection detects that the
1653               computed address is a duplicate (in use by another node on the
1654               link), then this mode will fail to provide an address for that
1655               prefix. If an IPv6 address without mode is specified, then
1656               "static" mode is assumed.
1657
1658           prefixstable[:ADDRESS][,UUID]
1659               The algorithm specified in RFC 7217[21] will be used to
1660               generate interface identifiers. This mode can optionally take
1661               an IPv6 address separated with a colon (":"). If an IPv6
1662               address is specified, then an interface identifier is generated
1663               only when a prefix received in an RA message matches the
1664               supplied address.
1665
1666               This mode can also optionally take a non-null UUID in the
1667               format which sd_id128_from_string() accepts, e.g.
1668               "86b123b969ba4b7eb8b3d8605123525a" or
1669               "86b123b9-69ba-4b7e-b8b3-d8605123525a". If a UUID is specified,
1670               the value is used as the secret key to generate interface
1671               identifiers. If not specified, then an application specific ID
1672               generated with the system's machine-ID will be used as the
1673               secret key. See sd-id128(3), sd_id128_from_string(3), and
1674               sd_id128_get_machine(3).
1675
1676               Note that the "prefixstable" algorithm uses both the interface
1677               name and MAC address as input to the hash to compute the
1678               interface identifier, so if either of those are changed the
1679               resulting interface identifier (and address) will be changed,
1680               even if the prefix received in the RA message has not been
1681               changed.
1682
1683           If no address generation mode is specified (which is the default),
1684           or a received prefix does not match any of the addresses provided
1685           in "prefixstable" mode, then the EUI-64 algorithm will be used for
1686           Ethernet or InfiniBand interfaces, otherwise "prefixstable" will be
1687           used to form an interface identifier for that prefix.
1688
1689           This setting can be specified multiple times. If an empty string is
1690           assigned, then all previous assignments are cleared.
1691
1692           Examples:
1693
1694               Token=eui64
1695               Token=::1a:2b:3c:4d
1696               Token=static:::1a:2b:3c:4d
1697               Token=prefixstable
1698               Token=prefixstable:2002:da8:1::
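
           The eui64 and static modes described above, worked through as an
           added example (not systemd code). It shows that an EUI-64 address
           carries the link's MAC address across every prefix, while a static
           token does not. Function names, the MAC address and the prefixes
           are constructed for illustration; prefixstable is not modelled
           because it depends on a secret key.

```python
"""Form SLAAC addresses for Token=eui64 and Token=static (added example)."""
import ipaddress

IID_MASK = (1 << 64) - 1  # low 64 bits: the interface identifier


def eui64_iid(mac):
    """Modified EUI-64 interface identifier (RFC 4291) from a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    first = bytes([octets[0] ^ 0x02])  # invert the universal/local bit
    return int.from_bytes(first + octets[1:3] + b"\xff\xfe" + octets[3:], "big")


def token_address(prefix, token, mac=None):
    """Combine the upper bits of an RA prefix with the bits a Token= supplies."""
    net = ipaddress.IPv6Network(prefix)
    host_mask = (1 << (128 - net.prefixlen)) - 1
    if token == "eui64":
        if mac is None:
            raise ValueError("eui64 needs the link's MAC address")
        low = eui64_iid(mac)
    elif token.startswith("prefixstable"):
        raise ValueError("prefixstable needs the secret key; not modelled here")
    else:
        # An address given without a mode is treated as static.
        if token.startswith("static:"):
            token = token[len("static:"):]
        low = int(ipaddress.IPv6Address(token))
    return ipaddress.IPv6Address(int(net.network_address) | (low & host_mask))


def mac_from_eui64(address):
    """Return the MAC embedded in an EUI-64 address, or None if there is none."""
    iid = (int(ipaddress.IPv6Address(address)) & IID_MASK).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{octet:02x}" for octet in mac)


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"                          # constructed
    prefixes = ["2001:db8:1::/64", "2001:db8:2::/64"]  # documentation prefixes
    for prefix in prefixes:
        for token in ("eui64", "static:::1a:2b:3c:4d"):
            addr = token_address(prefix, token, mac)
            print(f"{token:22} {addr}  embedded MAC: {mac_from_eui64(addr)}")
```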
1699
1700       UseDNS=
1701           When true (the default), the DNS servers received in the Router
1702           Advertisement will be used.
1703
1704           This corresponds to the nameserver option in resolv.conf(5).
1705
1706       UseDomains=
1707           Takes a boolean, or the special value "route". When true, the
1708           domain name received via IPv6 Router Advertisement (RA) will be
1709           used as DNS search domain over this link, similar to the effect of
1710           the Domains= setting. If set to "route", the domain name received
1711           via IPv6 RA will be used for routing DNS queries only, but not for
1712           searching, similar to the effect of the Domains= setting when the
1713           argument is prefixed with "~". Defaults to false.
1714
1715           It is recommended to enable this option only on trusted networks,
1716           as setting this affects resolution of all hostnames, in particular
1717           of single-label names. It is generally safer to use the supplied
1718           domain only as routing domain, rather than as search domain, in
1719           order to not have it affect local resolution of single-label names.
1720
1721           When set to true, this setting corresponds to the domain option in
1722           resolv.conf(5).
1723
1724       RouteTable=num
1725           The table identifier for the routes received in the Router
1726           Advertisement (a number between 1 and 4294967295, or 0 to unset).
1727           The table can be retrieved using ip route show table num.
1728
1729       RouteMetric=
1730           Set the routing metric for the routes received in the Router
1731           Advertisement. Takes an unsigned integer in the range
1732           0...4294967295. Defaults to 1024.
1733
1734       UseMTU=
1735           Takes a boolean. When true, the MTU received in the Router
1736           Advertisement will be used. Defaults to true.
1737
1738       UseGateway=
1739           When true (the default), the router address will be configured as
1740           the default gateway.
1741
1742       UseRoutePrefix=
1743           When true (the default), the routes corresponding to the route
1744           prefixes received in the Router Advertisement will be configured.
1745
1746       UseAutonomousPrefix=
1747           When true (the default), the autonomous prefix received in the
1748           Router Advertisement will be used and take precedence over any
1749           statically configured ones.
1750
1751       UseOnLinkPrefix=
1752           When true (the default), the onlink prefix received in the Router
1753           Advertisement will be used and takes precedence over any statically
1754           configured ones.
1755
1756       RouterDenyList=
1757           A whitespace-separated list of IPv6 router addresses. Each address
1758           can optionally take a prefix length after "/". Any information
1759           advertised by the listed router is ignored.
1760
1761       RouterAllowList=
1762           A whitespace-separated list of IPv6 router addresses. Each address
1763           can optionally take a prefix length after "/". Only information
1764           advertised by the listed router is accepted. Note that if
1765           RouterAllowList= is configured then RouterDenyList= is ignored.
1766
1767       PrefixDenyList=
1768           A whitespace-separated list of IPv6 prefixes. Each prefix can
1769           optionally take its prefix length after "/". IPv6 prefixes supplied
1770           via router advertisements in the list are ignored.
1771
1772       PrefixAllowList=
1773           A whitespace-separated list of IPv6 prefixes. Each prefix can
1774           optionally take its prefix length after "/". IPv6 prefixes supplied
1775           via router advertisements in the list are allowed. Note that if
1776           PrefixAllowList= is configured then PrefixDenyList= is ignored.
1777
1778       RouteDenyList=
1779           A whitespace-separated list of IPv6 route prefixes. Each prefix can
1780           optionally take its prefix length after "/". IPv6 route prefixes
1781           supplied via router advertisements in the list are ignored.
1782
1783       RouteAllowList=
1784           A whitespace-separated list of IPv6 route prefixes. Each prefix can
1785           optionally take its prefix length after "/". IPv6 route prefixes
1786           supplied via router advertisements in the list are allowed. Note
1787           that if RouteAllowList= is configured then RouteDenyList= is
1788           ignored.
1789
1790       DHCPv6Client=
1791           Takes a boolean, or the special value "always". When true, the
1792           DHCPv6 client will be started when the RA has the managed or other
1793           information flag. If set to "always", the DHCPv6 client will be
1794           started in managed mode when an RA is received, even if neither
1795           managed nor other information flag is set in the RA. This will be
1796           ignored when WithoutRA= in the [DHCPv6] section is enabled, or
1797           UplinkInterface=:self in the [DHCPPrefixDelegation] section is
1798           specified. Defaults to true.
1799
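An added example, not part of the manual page: a .network file that narrows which Router Advertisement data a host accepts, using the allow-list and Use*= settings above. The file name, interface name and all addresses (documentation prefix 2001:db8::/32, router fe80::1) are constructed. The router lists match on the address the RA was sent from, so they filter rather than authenticate.

```ini
# /etc/systemd/network/20-lan.network  (constructed example)
[Match]
Name=eth0

[Network]
IPv6AcceptRA=yes

[IPv6AcceptRA]
# Accept RA information only from the known router's link-local address.
# Because an allow list is configured, any RouterDenyList= is ignored.
RouterAllowList=fe80::1

# Use only the expected prefix received in the RA; other advertised
# prefixes are not used.
PrefixAllowList=2001:db8:0:1::/64

# Configure only the expected route prefix received in the RA.
RouteAllowList=2001:db8:0:2::/64

# Keep the link MTU as configured locally instead of taking it from the RA
# (UseMTU= defaults to true).
UseMTU=no

# Do not start the DHCPv6 client because of the RA's managed or other
# information flag (DHCPv6Client= defaults to true).
DHCPv6Client=no
```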

[DHCPSERVER] SECTION OPTIONS

1801       The [DHCPServer] section contains settings for the DHCP server, if
1802       enabled via the DHCPServer= option described above:
1803
1804       ServerAddress=
1805           Specifies server address for the DHCP server. Takes an IPv4 address
1806           with prefix length, for example "192.168.0.1/24". This setting may
1807           be useful when the link on which the DHCP server is running has
1808           multiple static addresses. When unset, one of the static addresses
1809           on the link will be automatically selected. Defaults to unset.
1810
1811       PoolOffset=, PoolSize=
1812           Configures the pool of addresses to hand out. The pool is a
1813           contiguous sequence of IP addresses in the subnet configured for
1814           the server address, which does not include the subnet nor the
1815           broadcast address.  PoolOffset= takes the offset of the pool from
1816           the start of subnet, or zero to use the default value.  PoolSize=
1817           takes the number of IP addresses in the pool or zero to use the
1818           default value. By default, the pool starts at the first address
1819           after the subnet address and takes up the rest of the subnet,
1820           excluding the broadcast address. If the pool includes the server
1821           address (the default), this is reserved and not handed out to
1822           clients.
1823
1824       DefaultLeaseTimeSec=, MaxLeaseTimeSec=
1825           Control the default and maximum DHCP lease time to pass to clients.
1826           These settings take time values in seconds or another common time
1827           unit, depending on the suffix. The default lease time is used for
1828           clients that did not ask for a specific lease time. If a client
1829           asks for a lease time longer than the maximum lease time, it is
1830           automatically shortened to the specified time. The default lease
1831           time defaults to 1h, the maximum lease time to 12h. Shorter lease
1832           times are beneficial if the configuration data in DHCP leases
1833           changes frequently and clients shall learn the new settings with
1834           shorter latencies. Longer lease times reduce the generated DHCP
1835           network traffic.
1836
1837       UplinkInterface=
1838           Specifies the name or the index of the uplink interface, or one of
1839           the special values ":none" and ":auto". When emitting DNS, NTP, or
1840           SIP servers is enabled but no servers are specified, the servers
1841           configured in the uplink interface will be emitted. When ":auto",
1842           the link which has a default gateway with the highest priority will
1843           be automatically selected. When ":none", no uplink interface will
1844           be selected. Defaults to ":auto".
1845
1846       EmitDNS=, DNS=
1847           EmitDNS= takes a boolean. Configures whether the DHCP leases handed
1848           out to clients shall contain DNS server information. Defaults to
1849           "yes". The DNS servers to pass to clients may be configured with
1850           the DNS= option, which takes a list of IPv4 addresses. If the
1851           EmitDNS= option is enabled but no servers configured, the servers
1852           are automatically propagated from an "uplink" interface that has
1853           appropriate servers set. The "uplink" interface is determined by
1854           the default route of the system with the highest priority. Note
1855           that this information is acquired at the time the lease is handed
1856           out, and does not take uplink interfaces into account that acquire
1857           DNS server information at a later point. If no suitable uplink
1858           interface is found the DNS server data from /etc/resolv.conf is
1859           used. Also, note that the leases are not refreshed if the uplink
1860           network configuration changes. To ensure clients regularly acquire
1861           the most current uplink DNS server information, it is thus
1862           advisable to shorten the DHCP lease time via MaxLeaseTimeSec=
1863           described above.
1864
1865       EmitNTP=, NTP=, EmitSIP=, SIP=, EmitPOP3=, POP3=, EmitSMTP=, SMTP=,
1866       EmitLPR=, LPR=
1867           Similar to the EmitDNS= and DNS= settings described above, these
1868           settings configure whether and what server information for the
1869           indicated protocol shall be emitted as part of the DHCP lease. The
1870           same syntax, propagation semantics and defaults apply as for
1871           EmitDNS= and DNS=.
1872
1873       EmitRouter=, Router=
1874           The EmitRouter= setting takes a boolean value, and configures
1875           whether the DHCP lease should contain the router option. The
1876           Router= setting takes an IPv4 address, and configures the router
1877           address to be emitted. When the Router= setting is not specified,
1878           then the server address will be used for the router option. When
1879           the EmitRouter= setting is disabled, the Router= setting will be
1880           ignored. The EmitRouter= setting defaults to true, and the Router=
1881           setting defaults to unset.
1882
1883       EmitTimezone=, Timezone=
1884           Takes a boolean. Configures whether the DHCP leases handed out to
1885           clients shall contain timezone information. Defaults to "yes". The
1886           Timezone= setting takes a timezone string (such as "Europe/Berlin"
1887           or "UTC") to pass to clients. If no explicit timezone is set, the
1888           system timezone of the local host is propagated, as determined by
1889           the /etc/localtime symlink.
1890
1891       SendOption=
1892           Send a raw option with value via DHCPv4 server. Takes a DHCP option
1893           number, data type and data ("option:type:value"). The option number
1894           is an integer in the range 1...254. The type takes one of "uint8",
1895           "uint16", "uint32", "ipv4address", "ipv6address", or "string".
1896           Special characters in the data string may be escaped using C-style
1897           escapes[17]. This setting can be specified multiple times. If an
1898           empty string is specified, then all options specified earlier are
1899           cleared. Defaults to unset.
1900
1901       SendVendorOption=
1902           Send a vendor option with value via DHCPv4 server. Takes a DHCP
1903           option number, data type and data ("option:type:value"). The option
1904           number is an integer in the range 1...254. The type takes one of
1905           "uint8", "uint16", "uint32", "ipv4address", or "string". Special
1906           characters in the data string may be escaped using C-style
1907           escapes[17]. This setting can be specified multiple times. If an
1908           empty string is specified, then all options specified earlier are
1909           cleared. Defaults to unset.
1910
1911       BindToInterface=
1912           Takes a boolean value. When "yes", DHCP server socket will be bound
1913           to its network interface and all socket communication will be
1914           restricted to this interface. Defaults to "yes", except if
1915           RelayTarget= is used (see below), in which case it defaults to
1916           "no".
1917
1918       RelayTarget=
1919           Takes an IPv4 address, which must be in the format described in
1920           inet_pton(3). Turns this DHCP server into a DHCP relay agent. See
1921           RFC 1542[22]. The address is the address of DHCP server or another
1922           relay agent to forward DHCP messages to and from.
1923
1924       RelayAgentCircuitId=
1925           Specifies value for Agent Circuit ID suboption of Relay Agent
1926           Information option. Takes a string, which must be in the format
1927           "string:value", where "value" should be replaced with the value of
1928           the suboption. Defaults to unset (means no Agent Circuit ID
1929           suboption is generated). Ignored if RelayTarget= is not specified.
1930
1931       RelayAgentRemoteId=
1932           Specifies value for Agent Remote ID suboption of Relay Agent
1933           Information option. Takes a string, which must be in the format
1934           "string:value", where "value" should be replaced with the value of
1935           the suboption. Defaults to unset (means no Agent Remote ID
1936           suboption is generated). Ignored if RelayTarget= is not specified.
1937

[DHCPSERVERSTATICLEASE] SECTION OPTIONS

1939       The "[DHCPServerStaticLease]" section configures a static DHCP lease to
1940       assign a fixed IPv4 address to a specific device based on its MAC
1941       address. This section can be specified multiple times.
1942
1943       MACAddress=
1944           The hardware address of a device to match. This key is mandatory.
1945
1946       Address=
1947           The IPv4 address that should be assigned to the device that was
1948           matched with MACAddress=. This key is mandatory.
1949
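An added example, not part of the manual page: a DHCP server on an isolated segment with an explicit pool, explicit DNS instead of values propagated from an uplink, and one static lease. The file name, interface name, addresses and MAC address (documentation range 00:00:5e:00:53:xx) are constructed.

```ini
# /etc/systemd/network/30-lab.network  (constructed example)
[Match]
Name=eth1

[Network]
Address=192.168.0.1/24
DHCPServer=yes

[DHCPServer]
ServerAddress=192.168.0.1/24

# Offset 100 from the start of the subnet (192.168.0.0), 50 addresses:
# the pool is 192.168.0.100 through 192.168.0.149.
PoolOffset=100
PoolSize=50

# Requests for longer leases are shortened to MaxLeaseTimeSec=.
DefaultLeaseTimeSec=30min
MaxLeaseTimeSec=2h

# Select no uplink interface, and hand out only the DNS server listed here.
UplinkInterface=:none
EmitDNS=yes
DNS=192.168.0.1

# Router= is unset, so the server address is sent as the router option.
EmitRouter=yes
EmitTimezone=no

# Restrict the server socket to this interface (the default without RelayTarget=).
BindToInterface=yes

[DHCPServerStaticLease]
# Both keys are mandatory; repeat the section for further devices.
MACAddress=00:00:5e:00:53:10
Address=192.168.0.120
```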

[IPV6SENDRA] SECTION OPTIONS

1951       The [IPv6SendRA] section contains settings for sending IPv6 Router
1952       Advertisements and whether to act as a router, if enabled via the
1953       IPv6SendRA= option described above. IPv6 network prefixes or routes are
1954       defined with one or more [IPv6Prefix] or [IPv6RoutePrefix] sections.
1955
1956       Managed=, OtherInformation=
1957           Takes a boolean. Controls whether a DHCPv6 server is used to
1958           acquire IPv6 addresses on the network link when Managed= is set to
1959           "true" or if only additional network information can be obtained
1960           via DHCPv6 for the network link when OtherInformation= is set to
1961           "true". Both settings default to "false", which means that a DHCPv6
1962           server is not being used.
1963
1964       RouterLifetimeSec=
1965           Takes a timespan. Configures the IPv6 router lifetime in seconds.
1966           The value must be 0 seconds, or between 4 seconds and 9000 seconds.
1967           When set to 0, the host is not acting as a router. Defaults to 1800
1968           seconds (30 minutes).
1969
1970       RouterPreference=
1971           Configures IPv6 router preference if RouterLifetimeSec= is
1972           non-zero. Valid values are "high", "medium" and "low", with
1973           "normal" and "default" added as synonyms for "medium" just to make
1974           configuration easier. See RFC 4191[14] for details. Defaults to
1975           "medium".
1976
1977       UplinkInterface=
1978           Specifies the name or the index of the uplink interface, or one of
1979           the special values ":none" and ":auto". When emitting DNS servers
1980           or search domains is enabled but no servers are specified, the
1981           servers configured in the uplink interface will be emitted. When
1982           ":auto", the value specified to the same setting in the
1983           [DHCPPrefixDelegation] section will be used if
1984           DHCPPrefixDelegation= is enabled, otherwise the link which has a
1985           default gateway with the highest priority will be automatically
1986           selected. When ":none", no uplink interface will be selected.
1987           Defaults to ":auto".
1988
1989       EmitDNS=, DNS=
1990           DNS= specifies a list of recursive DNS server IPv6 addresses that
1991           are distributed via Router Advertisement messages when EmitDNS= is
1992           true.  DNS= also takes special value "_link_local"; in that case
1993           the IPv6 link local address is distributed. If DNS= is empty, DNS
1994           servers are read from the [Network] section. If the [Network]
1995           section does not contain any DNS servers either, DNS servers from
1996           the uplink interface specified in UplinkInterface= will be used.
1997           When EmitDNS= is false, no DNS server information is sent in Router
1998           Advertisement messages.  EmitDNS= defaults to true.
1999
2000       EmitDomains=, Domains=
2001           A list of DNS search domains distributed via Router Advertisement
2002           messages when EmitDomains= is true. If Domains= is empty, DNS
2003           search domains are read from the [Network] section. If the
2004           [Network] section does not contain any DNS search domains either,
2005           DNS search domains from the uplink interface specified in
2006           UplinkInterface= will be used. When EmitDomains= is false, no DNS
2007           search domain information is sent in Router Advertisement messages.
2008           EmitDomains= defaults to true.
2009
2010       DNSLifetimeSec=
2011           Lifetime in seconds for the DNS server addresses listed in DNS= and
2012           search domains listed in Domains=. Defaults to 3600 seconds (one
2013           hour).
2014

[IPV6PREFIX] SECTION OPTIONS

2016       One or more [IPv6Prefix] sections contain the IPv6 prefixes that are
2017       announced via Router Advertisements. See RFC 4861[23] for further
2018       details.
2019
2020       AddressAutoconfiguration=, OnLink=
2021           Takes a boolean to specify whether IPv6 addresses can be
2022           autoconfigured with this prefix and whether the prefix can be used
2023           for onlink determination. Both settings default to "true" in order
2024           to ease configuration.
2025
2026       Prefix=
2027           The IPv6 prefix that is to be distributed to hosts. Similarly to
2028           configuring static IPv6 addresses, the setting is configured as an
2029           IPv6 prefix and its prefix length, separated by a "/" character.
2030           Use multiple [IPv6Prefix] sections to configure multiple IPv6
2031           prefixes since prefix lifetimes, address autoconfiguration and
2032           onlink status may differ from one prefix to another.
2033
2034       PreferredLifetimeSec=, ValidLifetimeSec=
2035           Preferred and valid lifetimes for the prefix measured in seconds.
2036           PreferredLifetimeSec= defaults to 1800 seconds (30 minutes) and
2037           ValidLifetimeSec= defaults to 3600 seconds (one hour).
2038
2039       Assign=
2040           Takes a boolean. When true, adds an address from the prefix.
2041           Defaults to false.
2042
2043       Token=
2044           Specifies an optional address generation mode for assigning an
2045           address in each prefix. This accepts the same syntax as Token= in
2046           the [IPv6AcceptRA] section. If Assign= is set to false, then this
2047           setting will be ignored. Defaults to unset, which means the EUI-64
2048           algorithm will be used.
2049
2050       RouteMetric=
2051           The metric of the prefix route. Takes an unsigned integer in the
2052           range 0...4294967295. When unset or set to 0, the kernel's default
2053           value is used. This setting is ignored when Assign= is false.
2054

[IPV6ROUTEPREFIX] SECTION OPTIONS

2056       One or more [IPv6RoutePrefix] sections contain the IPv6 prefix routes
2057       that are announced via Router Advertisements. See RFC 4191[14] for
2058       further details.
2059
2060       Route=
2061           The IPv6 route that is to be distributed to hosts. Similarly to
2062           configuring static IPv6 routes, the setting is configured as an
2063           IPv6 prefix route and its prefix length, separated by a "/"
2064           character. Use multiple [IPv6RoutePrefix] sections to configure
2065           multiple IPv6 prefix routes.
2066
2067       LifetimeSec=
2068           Lifetime for the route prefix measured in seconds.  LifetimeSec=
2069           defaults to 3600 seconds (one hour).
2070
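An added example, not part of the manual page: the router side, sending Router Advertisements with one autoconfiguration prefix, one route prefix and an explicitly listed DNS server. The file name, interface name and all addresses (documentation prefix 2001:db8::/32) are constructed.

```ini
# /etc/systemd/network/40-downstream.network  (constructed example)
[Match]
Name=eth1

[Network]
Address=2001:db8:0:1::1/64
IPv6SendRA=yes

[IPv6SendRA]
# Both flags default to false: hosts are not pointed at a DHCPv6 server.
Managed=no
OtherInformation=no

# Must be 0 or between 4 and 9000 seconds; 0 means "not acting as a router".
RouterLifetimeSec=1800
RouterPreference=medium

# Select no uplink interface and announce only the resolver listed here.
UplinkInterface=:none
EmitDNS=yes
DNS=2001:db8:0:1::53
DNSLifetimeSec=3600
EmitDomains=no

[IPv6Prefix]
# One section per prefix, since lifetimes and flags may differ per prefix.
Prefix=2001:db8:0:1::/64
AddressAutoconfiguration=yes
OnLink=yes
PreferredLifetimeSec=1800
ValidLifetimeSec=3600

[IPv6RoutePrefix]
Route=2001:db8:0:2::/64
LifetimeSec=3600
```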

[BRIDGE] SECTION OPTIONS

2072       The [Bridge] section accepts the following keys:
2073
2074       UnicastFlood=
2075           Takes a boolean. Controls whether the bridge should flood traffic
2076           for which an FDB entry is missing and the destination is unknown
2077           through this port. When unset, the kernel's default will be used.
2078
2079       MulticastFlood=
2080           Takes a boolean. Controls whether the bridge should flood traffic
2081           for which an MDB entry is missing and the destination is unknown
2082           through this port. When unset, the kernel's default will be used.
2083
2084       MulticastToUnicast=
2085           Takes a boolean. Multicast to unicast works on top of the multicast
2086           snooping feature of the bridge, which means unicast copies are only
2087           delivered to hosts which are interested in them. When unset, the
2088           kernel's default will be used.
2089
2090       NeighborSuppression=
2091           Takes a boolean. Configures whether ARP and ND neighbor suppression
2092           is enabled for this port. When unset, the kernel's default will be
2093           used.
2094
2095       Learning=
2096           Takes a boolean. Configures whether MAC address learning is enabled
2097           for this port. When unset, the kernel's default will be used.
2098
2099       HairPin=
2100           Takes a boolean. Configures whether traffic may be sent back out of
2101           the port on which it was received. When this flag is false, then
2102           the bridge will not forward traffic back out of the receiving port.
2103           When unset, the kernel's default will be used.
2104
2105       UseBPDU=
2106           Takes a boolean. Configures whether STP Bridge Protocol Data Units
2107           will be processed by the bridge port. When unset, the kernel's
2108           default will be used.
2109
2110       FastLeave=
2111           Takes a boolean. This flag allows the bridge to immediately stop
2112           multicast traffic on a port that receives an IGMP Leave message. It
2113           is only used with IGMP snooping if enabled on the bridge. When
2114           unset, the kernel's default will be used.
2115
2116       AllowPortToBeRoot=
2117           Takes a boolean. Configures whether a given port is allowed to
2118           become a root port. Only used when STP is enabled on the bridge.
2119           When unset, the kernel's default will be used.
2120
2121       ProxyARP=
2122           Takes a boolean. Configures whether proxy ARP is to be enabled on this
2123           port. When unset, the kernel's default will be used.
2124
2125       ProxyARPWiFi=
2126           Takes a boolean. Configures whether proxy ARP is to be enabled on this
2127           port which meets extended requirements by IEEE 802.11 and Hotspot
2128           2.0 specifications. When unset, the kernel's default will be used.
2129
2130       MulticastRouter=
2131           Configures this port for having multicast routers attached. A port
2132           with a multicast router will receive all multicast traffic. Takes
2133           one of "no" to disable multicast routers on this port, "query" to
2134           let the system detect the presence of routers, "permanent" to
2135           permanently enable multicast traffic forwarding on this port, or
2136           "temporary" to enable multicast routers temporarily on this port,
2137           not depending on incoming queries. When unset, the kernel's default
2138           will be used.
2139
2140       Cost=
2141           Sets the "cost" of sending packets of this interface. Each port in
2142           a bridge may have a different speed and the cost is used to decide
2143           which link to use. Faster interfaces should have lower costs. It is
2144           an integer value between 1 and 65535.
2145
2146       Priority=
2147           Sets the "priority" of sending packets on this interface. Each port
2148           in a bridge may have a different priority which is used to decide
2149           which link to use. Lower value means higher priority. It is an
2150           integer value between 0 and 63. Networkd does not set any default,
2151           meaning the kernel default value of 32 is used.
2152
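An added example, not part of the manual page: [Bridge] settings for a port that connects a device which should take no part in spanning tree or multicast routing, with each value set explicitly instead of relying on the kernel's default. The file name, interface name and bridge name are constructed.

```ini
# /etc/systemd/network/50-guest-port.network  (constructed example)
[Match]
Name=vnet-guest0

[Network]
Bridge=br0

[Bridge]
# Do not process STP BPDUs on this port, and never let it become a root port
# (the latter only matters when STP is enabled on the bridge).
UseBPDU=no
AllowPortToBeRoot=no

# Do not forward traffic back out of the port it was received on.
HairPin=no

# No proxy ARP on this port.
ProxyARP=no
ProxyARPWiFi=no

# No multicast router is attached here, so the port does not receive
# all multicast traffic.
MulticastRouter=no
```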

[BRIDGEFDB] SECTION OPTIONS

2154       The [BridgeFDB] section manages the forwarding database table of a port
2155       and accepts the following keys. Specify several [BridgeFDB] sections to
2156       configure several static MAC table entries.
2157
2158       MACAddress=
2159           As in the [Network] section. This key is mandatory.
2160
2161       Destination=
2162           Takes an IP address of the destination VXLAN tunnel endpoint.
2163
2164       VLANId=
2165           The VLAN ID for the new static MAC table entry. If omitted, no VLAN
2166           ID information is appended to the new static MAC table entry.
2167
2168       VNI=
2169           The VXLAN Network Identifier (or VXLAN Segment ID) to use to
2170           connect to the remote VXLAN tunnel endpoint. Takes a number in the
2171           range 1...16777215. Defaults to unset.
2172
2173       AssociatedWith=
2174           Specifies where the address is associated with. Takes one of "use",
2175           "self", "master" or "router".  "use" means the address is in use.
2176           User space can use this option to indicate to the kernel that the
2177           fdb entry is in use.  "self" means the address is associated with
2178           the port driver's fdb, usually hardware.  "master" means the address
2179           is associated with the master device's fdb.  "router" means the
2180           destination address is associated with a router. Note that it's
2181           valid if the referenced device is a VXLAN type device and has route
2182           shortcircuit enabled. Defaults to "self".
2183
2184       OutgoingInterface=
2185           Specifies the name or index of the outgoing interface for the VXLAN
2186           device driver to reach the remote VXLAN tunnel endpoint. Defaults
2187           to unset.
2188

[BRIDGEMDB] SECTION OPTIONS

2190       The [BridgeMDB] section manages the multicast membership entries
2191       forwarding database table of a port and accepts the following keys.
2192       Specify several [BridgeMDB] sections to configure several permanent
2193       multicast membership entries.
2194
2195       MulticastGroupAddress=
2196           Specifies the IPv4 or IPv6 multicast group address to add. This
2197           setting is mandatory.
2198
2199       VLANId=
2200           The VLAN ID for the new entry. Valid ranges are 0 (no VLAN) to
2201           4094. Optional, defaults to 0.
2202

[LLDP] SECTION OPTIONS

2204       The [LLDP] section manages the Link Layer Discovery Protocol (LLDP) and
2205       accepts the following keys:
2206
2207       MUDURL=
2208           When configured, the specified Manufacturer Usage Descriptions
2209           (MUD) URL will be sent in LLDP packets. The syntax and semantics
2210           are the same as for MUDURL= in the [DHCPv4] section described
2211           above.
2212
2213           The MUD URLs received via LLDP packets are saved and can be read
2214           using the sd_lldp_neighbor_get_mud_url() function.
2215

[CAN] SECTION OPTIONS

2217       The [CAN] section manages the Controller Area Network (CAN bus) and
2218       accepts the following keys:
2219
2220       BitRate=
2221           The bitrate of CAN device in bits per second. The usual SI prefixes
2222           (K, M) with the base of 1000 can be used here. Takes a number in
2223           the range 1...4294967295.
2224
2225       SamplePoint=
2226           Optional sample point in percent with one decimal (e.g.  "75%",
2227           "87.5%") or permille (e.g.  "875‰"). This will be ignored when
2228           BitRate= is unspecified.
2229
2230       TimeQuantaNSec=, PropagationSegment=, PhaseBufferSegment1=,
2231       PhaseBufferSegment2=, SyncJumpWidth=
2232           Specifies the time quanta, propagation segment, phase buffer
2233           segment 1 and 2, and the synchronization jump width, which allow
2234           one to define the CAN bit-timing in a hardware independent format
2235           as proposed by the Bosch CAN 2.0 Specification.  TimeQuantaNSec=
2236           takes a timespan in nanoseconds.  PropagationSegment=,
2237           PhaseBufferSegment1=, PhaseBufferSegment2=, and SyncJumpWidth= take
2238           a number of time quanta as specified in TimeQuantaNSec= and must be an
2239           unsigned integer in the range 0...4294967295. These settings except
2240           for SyncJumpWidth= will be ignored when BitRate= is specified.
2241
2242       DataBitRate=, DataSamplePoint=
2243           The bitrate and sample point for the data phase, if CAN-FD is used.
2244           These settings are analogous to the BitRate= and SamplePoint= keys.
2245
2246       DataTimeQuantaNSec=, DataPropagationSegment=, DataPhaseBufferSegment1=,
2247       DataPhaseBufferSegment2=, DataSyncJumpWidth=
2248           Specifies the time quanta, propagation segment, phase buffer
2249           segment 1 and 2, and the synchronization jump width for the data
2250           phase, if CAN-FD is used. These settings are analogous to the
2251           TimeQuantaNSec= or related settings.
2252
2253       FDMode=
2254           Takes a boolean. When "yes", CAN-FD mode is enabled for the
2255           interface. Note that a bitrate and optional sample point should
2256           also be set for the CAN-FD data phase using the DataBitRate= and
2257           DataSamplePoint= keys, or DataTimeQuantaNSec= and related settings.
2258
2259       FDNonISO=
2260           Takes a boolean. When "yes", non-ISO CAN-FD mode is enabled for the
2261           interface. When unset, the kernel's default will be used.
2262
2263       RestartSec=
2264           Automatic restart delay time. If set to a non-zero value, a restart
2265           of the CAN controller will be triggered automatically in case of a
2266           bus-off condition after the specified delay time. Subsecond delays
2267           can be specified using decimals (e.g.  "0.1s") or a "ms" or "us"
2268           postfix. Using "infinity" or "0" will turn the automatic restart
2269           off. By default automatic restart is disabled.
2270
2271       Termination=
2272           Takes a boolean or a termination resistor value in ohm in the range
2273           0...65535. When "yes", the termination resistor is set to 120 ohm.
2274           When "no" or "0" is set, the termination resistor is disabled. When
2275           unset, the kernel's default will be used.
2276
2277       TripleSampling=
2278           Takes a boolean. When "yes", three samples (instead of one) are
2279           used to determine the value of a received bit by majority rule.
2280           When unset, the kernel's default will be used.
2281
2282       BusErrorReporting=
2283           Takes a boolean. When "yes", reporting of CAN bus errors is
2284           activated (those include single bit, frame format, and bit stuffing
2285           errors, unable to send dominant bit, unable to send recessive bit,
2286           bus overload, active error announcement, error occurred on
2287           transmission). When unset, the kernel's default will be used. Note:
2288           in case of a CAN bus with a single CAN device, sending a CAN frame
2289           may result in a huge number of CAN bus errors.
2290
2291       ListenOnly=
2292           Takes a boolean. When "yes", listen-only mode is enabled. When the
2293           interface is in listen-only mode, the interface neither transmits
2294           CAN frames nor sends ACK bits. Listen-only mode is important to debug
2295           CAN networks without interfering with the communication or
2296           acknowledging the CAN frame. When unset, the kernel's default will be
2297           used.
2298
2299       Loopback=
2300           Takes a boolean. When "yes", loopback mode is enabled. When the
2301           loopback mode is enabled, the interface treats messages transmitted
2302           by itself as received messages. The loopback mode is important to
2303           debug CAN networks. When unset, the kernel's default will be used.
2304
2305       OneShot=
2306           Takes a boolean. When "yes", one-shot mode is enabled. When unset,
2307           the kernel's default will be used.
2308
2309       PresumeAck=
2310           Takes a boolean. When "yes", the interface will ignore missing CAN
2311           ACKs. When unset, the kernel's default will be used.
2312
2313       ClassicDataLengthCode=
2314           Takes a boolean. When "yes", the interface will handle the 4-bit
2315           data length code (DLC). When unset, the kernel's default will be
2316           used.
2317

[IPOIB] SECTION OPTIONS

2319       The [IPoIB] section manages the IP over Infiniband and accepts the
2320       following keys:
2321
2322       Mode=
2323           Takes one of the special values "datagram" or "connected". Defaults
2324           to unset, and the kernel's default is used.
2325
2326           When "datagram", the Infiniband unreliable datagram (UD) transport
2327           is used, and so the interface MTU is equal to the IB L2 MTU minus
2328           the IPoIB encapsulation header (4 bytes). For example, in a typical
2329           IB fabric with a 2K MTU, the IPoIB MTU will be 2048 - 4 = 2044
2330           bytes.
2331
2332           When "connected", the Infiniband reliable connected (RC) transport
2333           is used. Connected mode takes advantage of the connected nature of
2334           the IB transport and allows an MTU up to the maximal IP packet size
2335           of 64K, which reduces the number of IP packets needed for handling
2336           large UDP datagrams, TCP segments, etc., and increases the
2337           performance for large messages.
2338
2339       IgnoreUserspaceMulticastGroup=
2340           Takes a boolean value. When true, the kernel ignores multicast
2341           groups handled by userspace. Defaults to unset, and the kernel's
2342           default is used.
2343

[QDISC] SECTION OPTIONS

2345       The [QDisc] section manages the traffic control queueing discipline
2346       (qdisc).
2347
2348       Parent=
2349           Specifies the parent Queueing Discipline (qdisc). Takes one of
2350           "clsact" or "ingress". This is mandatory.
2351
2352       Handle=
2353           Configures the major number of unique identifier of the qdisc,
2354           known as the handle. Takes a hexadecimal number in the range
2355           0x1–0xffff. Defaults to unset.
2356

[NETWORKEMULATOR] SECTION OPTIONS

2358       The [NetworkEmulator] section manages the queueing discipline (qdisc)
2359       of the network emulator. It can be used to configure the kernel packet
2360       scheduler and simulate packet delay and loss for UDP or TCP
2361       applications, or limit the bandwidth usage of a particular service to
2362       simulate internet connections.
2363
2364       Parent=
2365           Configures the parent Queueing Discipline (qdisc). Takes one of
2366           "root", "clsact", "ingress" or a class identifier. The class
2367           identifier is specified as the major and minor numbers in
2368           hexadecimal in the range 0x1–0xffff separated with a colon
2369           ("major:minor"). Defaults to "root".
2370
2371       Handle=
2372           Configures the major number of unique identifier of the qdisc,
2373           known as the handle. Takes a hexadecimal number in the range
2374           0x1–0xffff. Defaults to unset.
2375
2376       DelaySec=
2377           Specifies the fixed amount of delay to be added to all packets
2378           going out of the interface. Defaults to unset.
2379
2380       DelayJitterSec=
2381           Specifies the chosen delay to be added to the packets outgoing to
2382           the network interface. Defaults to unset.
2383
2384       PacketLimit=
2385           Specifies the maximum number of packets the qdisc may hold queued
2386           at a time. An unsigned integer in the range 0...4294967294.
2387           Defaults to 1000.
2388
2389       LossRate=
2390           Specifies an independent loss probability to be added to the
2391           packets outgoing from the network interface. Takes a percentage
2392           value, suffixed with "%". Defaults to unset.
2393
2394       DuplicateRate=
2395           Specifies that the chosen percent of packets is duplicated before
2396           queuing them. Takes a percentage value, suffixed with "%". Defaults
2397           to unset.
2398

[TOKENBUCKETFILTER] SECTION OPTIONS

2400       The [TokenBucketFilter] section manages the queueing discipline (qdisc)
2401       of token bucket filter (tbf).
2402
2403       Parent=
2404           Configures the parent Queueing Discipline (qdisc). Takes one of
2405           "root", "clsact", "ingress" or a class identifier. The class
2406           identifier is specified as the major and minor numbers in
2407           hexadecimal in the range 0x1–0xffff separated with a colon
2408           ("major:minor"). Defaults to "root".
2409
2410       Handle=
2411           Configures the major number of unique identifier of the qdisc,
2412           known as the handle. Takes a hexadecimal number in the range
2413           0x1–0xffff. Defaults to unset.
2414
2415       LatencySec=
2416           Specifies the latency parameter, which specifies the maximum amount
2417           of time a packet can sit in the Token Bucket Filter (TBF). Defaults
2418           to unset.
2419
2420       LimitBytes=
2421           Takes the number of bytes that can be queued waiting for tokens to
2422           become available. When the size is suffixed with K, M, or G, it is
2423           parsed as Kilobytes, Megabytes, or Gigabytes, respectively, to the
2424           base of 1024. Defaults to unset.
2425
2426       BurstBytes=
2427           Specifies the size of the bucket. This is the maximum amount of
2428           bytes that tokens can be available for instantaneous transfer. When
2429           the size is suffixed with K, M, or G, it is parsed as Kilobytes,
2430           Megabytes, or Gigabytes, respectively, to the base of 1024.
2431           Defaults to unset.
2432
2433       Rate=
2434           Specifies the device specific bandwidth. When suffixed with K, M,
2435           or G, the specified bandwidth is parsed as Kilobits, Megabits, or
2436           Gigabits, respectively, to the base of 1000. Defaults to unset.
2437
2438       MPUBytes=
2439           The Minimum Packet Unit (MPU) determines the minimal token usage
2440           (specified in bytes) for a packet. When suffixed with K, M, or G,
2441           the specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
2442           respectively, to the base of 1024. Defaults to zero.
2443
2444       PeakRate=
2445           Takes the maximum depletion rate of the bucket. When suffixed with
2446           K, M, or G, the specified size is parsed as Kilobits, Megabits, or
2447           Gigabits, respectively, to the base of 1000. Defaults to unset.
2448
2449       MTUBytes=
2450           Specifies the size of the peakrate bucket. When suffixed with K, M,
2451           or G, the specified size is parsed as Kilobytes, Megabytes, or
2452           Gigabytes, respectively, to the base of 1024. Defaults to unset.
2453
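The Parent=, Handle= and K/M/G suffix rules described above, as an added example (not part of the manual page and not systemd-networkd's own parser). It checks constructed [TokenBucketFilter] sections before deployment and shows that "1M" resolves to different numbers for byte-valued keys (base 1024) and bit-rate keys (base 1000). Assumptions: only the plain-integer and K/M/G forms documented here are accepted, an optional "0x" prefix is allowed on hexadecimal numbers, and the last assignment of a key wins.

```python
import re

KEYWORD_PARENTS = {"root", "clsact", "ingress"}
HEX = r"(?:0[xX])?([0-9a-fA-F]+)"          # optional 0x prefix is an assumption
BYTE_KEYS = ("LimitBytes", "BurstBytes", "MPUBytes", "MTUBytes")  # base 1024
BIT_KEYS = ("Rate", "PeakRate")                                    # base 1000


def _in_range(hexdigits):
    return 0x1 <= int(hexdigits, 16) <= 0xFFFF


def check_handle(value):
    """Handle=: one hexadecimal number in 0x1-0xffff."""
    m = re.fullmatch(HEX, value)
    return bool(m) and _in_range(m.group(1))


def check_parent(value):
    """Parent=: a keyword or a 'major:minor' class identifier."""
    if value in KEYWORD_PARENTS:
        return True
    m = re.fullmatch(HEX + ":" + HEX, value)
    return bool(m) and _in_range(m.group(1)) and _in_range(m.group(2))


def parse_scaled(value, base):
    """'64K' -> 64 * base; base is 1024 for sizes and 1000 for rates."""
    m = re.fullmatch(r"([0-9]+)([KMG]?)", value)
    if not m:
        raise ValueError(f"{value!r}: expected an integer with optional K, M or G")
    return int(m.group(1)) * base ** {"": 0, "K": 1, "M": 2, "G": 3}[m.group(2)]


def parse_sections(text):
    """Return [(section, {key: [values]})], keeping repeated sections apart."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, _, val = line.partition("=")
            sections[-1][1].setdefault(key.strip(), []).append(val.strip())
    return sections


def lint_tbf(settings):
    """Validate one [TokenBucketFilter] section; returns resolved values and problems."""
    last = {k: v[-1] for k, v in settings.items()}   # last assignment wins (assumption)
    resolved, problems = {}, []
    parent = last.get("Parent", "root")              # documented default
    if not check_parent(parent):
        problems.append(f"Parent={parent}: not a keyword or major:minor in 0x1-0xffff")
    if "Handle" in last and not check_handle(last["Handle"]):
        problems.append(f"Handle={last['Handle']}: not hexadecimal in 0x1-0xffff")
    for keys, base in ((BYTE_KEYS, 1024), (BIT_KEYS, 1000)):
        for key in keys:
            if key in last:
                try:
                    resolved[key] = parse_scaled(last[key], base)
                except ValueError as exc:
                    problems.append(f"{key}={exc}")
    return {"resolved": resolved, "problems": problems}


def lint_file(text):
    return [lint_tbf(s) for name, s in parse_sections(text) if name == "TokenBucketFilter"]


# Constructed sample input; the interface name and all values are made up.
SAMPLE = """\
[Match]
Name=eth0

[TokenBucketFilter]
Parent=root
Handle=3a
Rate=1M
BurstBytes=1M
LimitBytes=64K

[TokenBucketFilter]
Parent=1:Oxffff
Handle=10000
Rate=fast
"""

if __name__ == "__main__":
    for number, report in enumerate(lint_file(SAMPLE), start=1):
        print(number, report)
```

The second sample section is rejected on all three keys: the minor number starts with the letter "O" rather than a zero, 0x10000 is above 0xffff, and "fast" is not a number.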

[PIE] SECTION OPTIONS

2455       The [PIE] section manages the queueing discipline (qdisc) of
2456       Proportional Integral controller-Enhanced (PIE).
2457
2458       Parent=
2459           Configures the parent Queueing Discipline (qdisc). Takes one of
2460           "root", "clsact", "ingress" or a class identifier. The class
2461           identifier is specified as the major and minor numbers in
2462           hexadecimal in the range 0x1–0xffff separated with a colon
2463           ("major:minor"). Defaults to "root".
2464
2465       Handle=
2466           Configures the major number of unique identifier of the qdisc,
2467           known as the handle. Takes a hexadecimal number in the range
2468           0x1–0xffff. Defaults to unset.
2469
2470       PacketLimit=
2471           Specifies the hard limit on the queue size in number of packets.
2472           When this limit is reached, incoming packets are dropped. An
2473           unsigned integer in the range 1...4294967294. Defaults to unset and
2474           kernel's default is used.
2475

[FLOWQUEUEPIE] SECTION OPTIONS

2477       The "[FlowQueuePIE]" section manages the queueing discipline (qdisc) of
2478       Flow Queue Proportional Integral controller-Enhanced (fq_pie).
2479
2480       Parent=
2481           Configures the parent Queueing Discipline (qdisc). Takes one of
2482           "root", "clsact", "ingress" or a class identifier. The class
2483           identifier is specified as the major and minor numbers in
2484           hexadecimal in the range 0x1–0xffff separated with a colon
2485           ("major:minor"). Defaults to "root".
2486
2487       Handle=
2488           Configures the major number of unique identifier of the qdisc,
2489           known as the handle. Takes a hexadecimal number in the range
2490           0x1–0xffff. Defaults to unset.
2491
2492       PacketLimit=
2493           Specifies the hard limit on the queue size in number of packets.
2494           When this limit is reached, incoming packets are dropped. An
2495           unsigned integer in the range 1...4294967294. Defaults to unset and
2496           kernel's default is used.
2497

[STOCHASTICFAIRBLUE] SECTION OPTIONS

2499       The [StochasticFairBlue] section manages the queueing discipline
2500       (qdisc) of stochastic fair blue (sfb).
2501
2502       Parent=
2503           Configures the parent Queueing Discipline (qdisc). Takes one of
2504           "root", "clsact", "ingress" or a class identifier. The class
2505           identifier is specified as the major and minor numbers in
2506           hexadecimal in the range 0x1–0xffff separated with a colon
2507           ("major:minor"). Defaults to "root".
2508
2509       Handle=
2510           Configures the major number of unique identifier of the qdisc,
2511           known as the handle. Takes a hexadecimal number in the range
2512           0x1–0xffff. Defaults to unset.
2513
2514       PacketLimit=
2515           Specifies the hard limit on the queue size in number of packets.
2516           When this limit is reached, incoming packets are dropped. An
2517           unsigned integer in the range 0...4294967294. Defaults to unset and
2518           kernel's default is used.
2519

[STOCHASTICFAIRNESSQUEUEING] SECTION OPTIONS

2521       The [StochasticFairnessQueueing] section manages the queueing
2522       discipline (qdisc) of stochastic fairness queueing (sfq).
2523
2524       Parent=
2525           Configures the parent Queueing Discipline (qdisc). Takes one of
2526           "root", "clsact", "ingress" or a class identifier. The class
2527           identifier is specified as the major and minor numbers in
2528           hexadecimal in the range 0x1–0xffff separated with a colon
2529           ("major:minor"). Defaults to "root".
2530
2531       Handle=
2532           Configures the major number of unique identifier of the qdisc,
2533           known as the handle. Takes a hexadecimal number in the range
2534           0x1–0xffff. Defaults to unset.
2535
2536       PerturbPeriodSec=
2537           Specifies the interval in seconds for queue algorithm perturbation.
2538           Defaults to unset.
2539

[BFIFO] SECTION OPTIONS

2541       The [BFIFO] section manages the queueing discipline (qdisc) of Byte
2542       limited Packet First In First Out (bfifo).
2543
2544       Parent=
2545           Configures the parent Queueing Discipline (qdisc). Takes one of
2546           "root", "clsact", "ingress" or a class identifier. The class
2547           identifier is specified as the major and minor numbers in
2548           hexadecimal in the range 0x1–0xffff separated with a colon
2549           ("major:minor"). Defaults to "root".
2550
2551       Handle=
2552           Configures the major number of unique identifier of the qdisc,
2553           known as the handle. Takes a hexadecimal number in the range
2554           0x1–0xffff. Defaults to unset.
2555
2556       LimitBytes=
2557           Specifies the hard limit in bytes on the FIFO buffer size. The size
2558           limit prevents overflow in case the kernel is unable to dequeue
2559           packets as quickly as it receives them. When this limit is reached,
2560           incoming packets are dropped. When suffixed with K, M, or G, the
2561           specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
2562           respectively, to the base of 1024. Defaults to unset and kernel
2563           default is used.
2564

[PFIFO] SECTION OPTIONS

2566       The [PFIFO] section manages the queueing discipline (qdisc) of Packet
2567       First In First Out (pfifo).
2568
2569       Parent=
2570           Configures the parent Queueing Discipline (qdisc). Takes one of
2571           "root", "clsact", "ingress" or a class identifier. The class
2572           identifier is specified as the major and minor numbers in
2573           hexadecimal in the range 0x1–0xffff separated with a colon
2574           ("major:minor"). Defaults to "root".
2575
2576       Handle=
2577           Configures the major number of unique identifier of the qdisc,
2578           known as the handle. Takes a hexadecimal number in the range
2579           0x1–0xffff. Defaults to unset.
2580
2581       PacketLimit=
2582           Specifies the hard limit on the number of packets in the FIFO
2583           queue. The size limit prevents overflow in case the kernel is
2584           unable to dequeue packets as quickly as it receives them. When this
2585           limit is reached, incoming packets are dropped. An unsigned integer
2586           in the range 0...4294967294. Defaults to unset and kernel's default
2587           is used.
2588

[PFIFOHEADDROP] SECTION OPTIONS

2590       The [PFIFOHeadDrop] section manages the queueing discipline (qdisc) of
2591       Packet First In First Out Head Drop (pfifo_head_drop).
2592
2593       Parent=
2594           Configures the parent Queueing Discipline (qdisc). Takes one of
2595           "root", "clsact", "ingress" or a class identifier. The class
2596           identifier is specified as the major and minor numbers in
2597           hexadecimal in the range 0x1–0xffff separated with a colon
2598           ("major:minor"). Defaults to "root".
2599
2600       Handle=
2601           Configures the major number of unique identifier of the qdisc,
2602           known as the handle. Takes a hexadecimal number in the range
2603           0x1–0xffff. Defaults to unset.
2604
2605       PacketLimit=
2606           As in [PFIFO] section.
2607

[PFIFOFAST] SECTION OPTIONS

2609       The [PFIFOFast] section manages the queueing discipline (qdisc) of
2610       Packet First In First Out Fast (pfifo_fast).
2611
2612       Parent=
2613           Configures the parent Queueing Discipline (qdisc). Takes one of
2614           "root", "clsact", "ingress" or a class identifier. The class
2615           identifier is specified as the major and minor numbers in
2616           hexadecimal in the range 0x1–0xffff separated with a colon
2617           ("major:minor"). Defaults to "root".
2618
2619       Handle=
2620           Configures the major number of unique identifier of the qdisc,
2621           known as the handle. Takes a hexadecimal number in the range
2622           0x1–0xffff. Defaults to unset.
2623

[CAKE] SECTION OPTIONS

2625       The [CAKE] section manages the queueing discipline (qdisc) of Common
2626       Applications Kept Enhanced (CAKE).
2627
2628       Parent=
2629           Configures the parent Queueing Discipline (qdisc). Takes one of
2630           "root", "clsact", "ingress" or a class identifier. The class
2631           identifier is specified as the major and minor numbers in
2632           hexadecimal in the range 0x1–0xffff separated with a colon
2633           ("major:minor"). Defaults to "root".
2634
2635       Handle=
2636           Configures the major number of unique identifier of the qdisc,
2637           known as the handle. Takes a hexadecimal number in the range
2638           0x1–0xffff. Defaults to unset.
2639
2640       Bandwidth=
2641           Specifies the shaper bandwidth. When suffixed with K, M, or G, the
2642           specified size is parsed as Kilobits, Megabits, or Gigabits,
2643           respectively, to the base of 1000. Defaults to unset and kernel's
2644           default is used.
2645
2646       AutoRateIngress=
2647           Takes a boolean value. Enables automatic capacity estimation based
2648           on traffic arriving at this qdisc. This is most likely to be useful
2649           with cellular links, which tend to change quality randomly. If this
2650           setting is enabled, the Bandwidth= setting is used as an initial
2651           estimate. Defaults to unset, and the kernel's default is used.
2652
2653       OverheadBytes=
2654           Specifies the number of bytes to be added to the size of each packet.
2655           Bytes may be negative. Takes an integer in the range -64...256.
2656           Defaults to unset and kernel's default is used.
2657
2658       MPUBytes=
2659           Rounds each packet (including overhead) up to the specified bytes.
2660           Takes an integer in the range 1...256. Defaults to unset and
2661           kernel's default is used.
2662
2663       CompensationMode=
2664           Takes one of "none", "atm", or "ptm". Specifies the compensation
2665           mode for overhead calculation. When "none", no compensation is
2666           taken into account. When "atm", enables the compensation for ATM
2667           cell framing, which is normally found on ADSL links. When "ptm",
2668           enables the compensation for PTM encoding, which is normally found
2669           on VDSL2 links and uses a 64b/65b encoding scheme. Defaults to
2670           unset and the kernel's default is used.
2671
2672       UseRawPacketSize=
2673           Takes a boolean value. When true, the packet size reported by the
2674           Linux kernel will be used, instead of the underlying IP packet
2675           size. Defaults to unset, and the kernel's default is used.
2676
2677       FlowIsolationMode=
2678           CAKE places packets from different flows into different queues,
2679           then packets from each queue are delivered fairly. This specifies
2680           whether the fairness is based on source address, destination
2681           address, individual flows, or any combination of those. The
2682           available values are:
2683
2684           none
2685               The flow isolation is disabled, and all traffic passes through
2686               a single queue.
2687
2688           src-host
2689               Flows are defined only by source address. Equivalent to the
2690               "srchost" option for tc qdisc command. See also tc-cake(8).
2691
2692           dst-host
2693               Flows are defined only by destination address. Equivalent to
2694               the "dsthost" option for tc qdisc command. See also tc-cake(8).
2695
2696           hosts
2697               Flows are defined by source-destination host pairs. Equivalent
2698               to the same option for tc qdisc command. See also tc-cake(8).
2699
2700           flows
2701               Flows are defined by the entire 5-tuple of source address,
2702               destination address, transport protocol, source port and
2703               destination port. Equivalent to the same option for tc qdisc
2704               command. See also tc-cake(8).
2705
2706           dual-src-host
2707               Flows are defined by the 5-tuple (see "flows" in the above),
2708               and fairness is applied first over source addresses, then over
2709               individual flows. Equivalent to the "dual-srchost" option for
2710               tc qdisc command. See also tc-cake(8).
2711
2712           dual-dst-host
2713               Flows are defined by the 5-tuple (see "flows" in the above),
2714               and fairness is applied first over destination addresses, then
2715               over individual flows. Equivalent to the "dual-dsthost" option
2716               for tc qdisc command. See also tc-cake(8).
2717
2718           triple
2719               Flows are defined by the 5-tuple (see "flows"), and fairness is
2720               applied over source and destination addresses, and also over
2721               individual flows. Equivalent to the "triple-isolate" option for
2722               tc qdisc command. See also tc-cake(8).
2723
2724           Defaults to unset and the kernel's default is used.
2725
2726       NAT=
2727           Takes a boolean value. When true, CAKE performs a NAT lookup before
2728           applying flow-isolation rules, to determine the true addresses and
2729           port numbers of the packet, to improve fairness between hosts
2730           inside the NAT. This has no practical effect when
2731           FlowIsolationMode= is "none" or "flows", or if NAT is performed on
2732           a different host. Defaults to unset, and the kernel's default is
2733           used.
2734
2735       PriorityQueueingPreset=
2736           CAKE divides traffic into "tins", and each tin has its own
2737           independent set of flow-isolation queues, bandwidth threshold, and
2738           priority. This specifies the preset of tin profiles. The available
2739           values are:
2740
2741           besteffort
2742               Disables priority queueing by placing all traffic in one tin.
2743
2744           precedence
2745               Enables priority queueing based on the legacy interpretation of
2746               TOS "Precedence" field. Use of this preset on the modern
2747               Internet is firmly discouraged.
2748
2749           diffserv8
2750               Enables priority queueing based on the Differentiated Service
2751               ("DiffServ") field with eight tins: Background Traffic, High
2752               Throughput, Best Effort, Video Streaming, Low Latency
2753               Transactions, Interactive Shell, Minimum Latency, and Network
2754               Control.
2755
2756           diffserv4
2757               Enables priority queueing based on the Differentiated Service
2758               ("DiffServ") field with four tins: Background Traffic, Best
2759               Effort, Streaming Media, and Latency Sensitive.
2760
2761           diffserv3
2762               Enables priority queueing based on the Differentiated Service
2763               ("DiffServ") field with three tins: Background Traffic, Best
2764               Effort, and Latency Sensitive.
2765
2766           Defaults to unset, and the kernel's default is used.
2767
2768       FirewallMark=
2769           Takes an integer in the range 1...4294967295. When specified,
2770           firewall-mark-based overriding of CAKE's tin selection is enabled.
2771           Defaults to unset, and the kernel's default is used.
2772
2773       Wash=
2774           Takes a boolean value. When true, CAKE clears the DSCP fields,
2775           except for ECN bits, of any packet passing through CAKE. Defaults
2776           to unset, and the kernel's default is used.
2777
2778       SplitGSO=
2779           Takes a boolean value. When true, CAKE will split General
2780           Segmentation Offload (GSO) super-packets into their on-the-wire
2781           components and dequeue them individually. Defaults to unset, and
2782           the kernel's default is used.
2783

[CONTROLLEDDELAY] SECTION OPTIONS

2785       The [ControlledDelay] section manages the queueing discipline (qdisc)
2786       of controlled delay (CoDel).
2787
2788       Parent=
2789           Configures the parent Queueing Discipline (qdisc). Takes one of
2790           "root", "clsact", "ingress" or a class identifier. The class
2791           identifier is specified as the major and minor numbers in
2792           hexadecimal in the range 0x1–0xffff separated with a colon
2793           ("major:minor"). Defaults to "root".
2794
2795       Handle=
2796           Configures the major number of unique identifier of the qdisc,
2797           known as the handle. Takes a hexadecimal number in the range
2798           0x1–0xffff. Defaults to unset.
2799
2800       PacketLimit=
2801           Specifies the hard limit on the queue size in number of packets.
2802           When this limit is reached, incoming packets are dropped. An
2803           unsigned integer in the range 0...4294967294. Defaults to unset and
2804           kernel's default is used.
2805
2806       TargetSec=
2807           Takes a timespan. Specifies the acceptable minimum
2808           standing/persistent queue delay. Defaults to unset and kernel's
2809           default is used.
2810
2811       IntervalSec=
2812           Takes a timespan. This is used to ensure that the measured minimum
2813           delay does not become too stale. Defaults to unset and kernel's
2814           default is used.
2815
2816       ECN=
2817           Takes a boolean. This can be used to mark packets instead of
2818           dropping them. Defaults to unset and kernel's default is used.
2819
2820       CEThresholdSec=
2821           Takes a timespan. This sets a threshold above which all packets are
2822           marked with ECN Congestion Experienced (CE). Defaults to unset and
2823           kernel's default is used.
2824

[DEFICITROUNDROBINSCHEDULER] SECTION OPTIONS

2826       The [DeficitRoundRobinScheduler] section manages the queueing
2827       discipline (qdisc) of Deficit Round Robin Scheduler (DRR).
2828
2829       Parent=
2830           Configures the parent Queueing Discipline (qdisc). Takes one of
2831           "root", "clsact", "ingress" or a class identifier. The class
2832           identifier is specified as the major and minor numbers in
2833           hexadecimal in the range 0x1–0xffff separated with a colon
2834           ("major:minor"). Defaults to "root".
2835
2836       Handle=
2837           Configures the major number of unique identifier of the qdisc,
2838           known as the handle. Takes a hexadecimal number in the range
2839           0x1–0xffff. Defaults to unset.
2840

[DEFICITROUNDROBINSCHEDULERCLASS] SECTION OPTIONS

2842       The [DeficitRoundRobinSchedulerClass] section manages the traffic
2843       control class of Deficit Round Robin Scheduler (DRR).
2844
2845       Parent=
2846           Configures the parent Queueing Discipline (qdisc). Takes one of
2847           "root", or a qdisc identifier. The qdisc identifier is specified as
2848           the major and minor numbers in hexadecimal in the range 0x1–0xffff
2849           separated with a colon ("major:minor"). Defaults to "root".
2850
2851       ClassId=
2852           Configures the unique identifier of the class. It is specified as
2853           the major and minor numbers in hexadecimal in the range 0x1–0xffff
2854           separated with a colon ("major:minor"). Defaults to unset.
2855
2856       QuantumBytes=
2857           Specifies the amount of bytes a flow is allowed to dequeue before
2858           the scheduler moves to the next class. When suffixed with K, M, or
2859           G, the specified size is parsed as Kilobytes, Megabytes, or
2860           Gigabytes, respectively, to the base of 1024. Defaults to the MTU
2861           of the interface.
2862

[ENHANCEDTRANSMISSIONSELECTION] SECTION OPTIONS

2864       The [EnhancedTransmissionSelection] section manages the queueing
2865       discipline (qdisc) of Enhanced Transmission Selection (ETS).
2866
2867       Parent=
2868           Configures the parent Queueing Discipline (qdisc). Takes one of
2869           "root", "clsact", "ingress" or a class identifier. The class
2870           identifier is specified as the major and minor numbers in
2871           hexadecimal in the range 0x1–0xffff separated with a colon
2872           ("major:minor"). Defaults to "root".
2873
2874       Handle=
2875           Configures the major number of unique identifier of the qdisc,
2876           known as the handle. Takes a hexadecimal number in the range
2877           0x1–0xffff. Defaults to unset.
2878
2879       Bands=
2880           Specifies the number of bands. An unsigned integer in the range
2881           1...16. This value has to be at least large enough to cover the
2882           strict bands specified through the StrictBands= and
2883           bandwidth-sharing bands specified in QuantumBytes=.
2884
2885       StrictBands=
2886           Specifies the number of bands that should be created in strict
2887           mode. An unsigned integer in the range 1...16.
2888
2889       QuantumBytes=
2890           Specifies the white-space separated list of quantum used in
2891           band-sharing bands. When suffixed with K, M, or G, the specified
2892           size is parsed as Kilobytes, Megabytes, or Gigabytes, respectively,
2893           to the base of 1024. This setting can be specified multiple times.
2894           If an empty string is assigned, then all previous assignments
2895           are cleared.
2896
2897       PriorityMap=
2898           The priority map maps the priority of a packet to a band. The
2899           argument is a whitespace separated list of numbers. The first
2900           number indicates which band the packets with priority 0 should be
2901           put to, the second is for priority 1, and so on. There can be up to
2902           16 numbers in the list. If there are fewer, the default band that
2903           traffic with one of the unmentioned priorities goes to is the last
2904           one. Each band number must be in the range 0...255. This setting
2905           can be specified multiple times. If an empty string is assigned,
2906           then all previous assignments are cleared.
2907
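The relationship between Bands=, StrictBands=, QuantumBytes= and PriorityMap= described above, as an added example (not part of the manual page and not systemd-networkd's own code). It merges repeated assignments, honours the empty-string reset, checks that Bands= covers the strict and bandwidth-sharing bands, and expands the priority map to all 16 priorities. Assumptions: the function name and report layout are hypothetical, and the warning about map entries that point past the last band is an extra sanity check of this example, not a rule stated on this page.

```python
def resolve_list(assignments):
    """Merge repeated whitespace-separated assignments in file order.

    An empty assignment clears everything collected before it.
    """
    items = []
    for raw in assignments:
        tokens = raw.split()
        if tokens:
            items.extend(tokens)
        else:
            items = []
    return items


def check_ets(bands, strict_bands, quantum_assignments, priomap_assignments):
    """Check one [EnhancedTransmissionSelection] section.

    bands / strict_bands are integers (strict_bands may be None when unset);
    the two *_assignments arguments are the raw right-hand sides of every
    QuantumBytes= and PriorityMap= line, in the order they appear.
    """
    errors, warnings = [], []

    if not 1 <= bands <= 16:
        errors.append(f"Bands={bands} is outside 1...16")
    if strict_bands is not None and not 1 <= strict_bands <= 16:
        errors.append(f"StrictBands={strict_bands} is outside 1...16")

    # Each quantum defines one bandwidth-sharing band.
    quanta = resolve_list(quantum_assignments)
    needed = (strict_bands or 0) + len(quanta)
    if bands < needed:
        errors.append(f"Bands={bands} does not cover {needed} configured bands")

    tokens = resolve_list(priomap_assignments)
    if len(tokens) > 16:
        errors.append(f"PriorityMap= has {len(tokens)} entries, at most 16 allowed")
    numbers = []
    for tok in tokens:
        if not (tok.isascii() and tok.isdigit()):
            errors.append(f"PriorityMap= entry {tok!r} is not a number")
        elif not 0 <= int(tok) <= 255:
            errors.append(f"PriorityMap= entry {tok} is outside 0...255")
            numbers.append(int(tok))
        else:
            numbers.append(int(tok))
            if int(tok) >= bands:
                # Extra check of this example, not from the manual page.
                warnings.append(f"priority mapped to band {tok}, but Bands={bands}")

    # Priorities not mentioned fall into the last band.
    last_band = bands - 1
    priority_map = (numbers + [last_band] * 16)[:16]

    return {
        "quanta": quanta,
        "priority_map": priority_map,
        "errors": errors,
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed input: the first QuantumBytes= line is reset by the empty one.
    report = check_ets(
        bands=5,
        strict_bands=2,
        quantum_assignments=["1500 3000", "", "2K 4K 6K"],
        priomap_assignments=["0 1", "2 3 4"],
    )
    for key, value in report.items():
        print(key, value)
```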

[GENERICRANDOMEARLYDETECTION] SECTION OPTIONS

2909       The [GenericRandomEarlyDetection] section manages the queueing
2910       discipline (qdisc) of Generic Random Early Detection (GRED).
2911
2912       Parent=
2913           Configures the parent Queueing Discipline (qdisc). Takes one of
2914           "root", "clsact", "ingress" or a class identifier. The class
2915           identifier is specified as the major and minor numbers in
2916           hexadecimal in the range 0x1–0xffff separated with a colon
2917           ("major:minor"). Defaults to "root".
2918
2919       Handle=
2920           Configures the major number of unique identifier of the qdisc,
2921           known as the handle. Takes a hexadecimal number in the range
2922           0x1–0xffff. Defaults to unset.
2923
2924       VirtualQueues=
2925           Specifies the number of virtual queues. Takes an integer in the
2926           range 1...16. Defaults to unset and kernel's default is used.
2927
2928       DefaultVirtualQueue=
2929           Specifies the number of the default virtual queue. This must be less
2930           than VirtualQueues=. Defaults to unset and kernel's default is used.
2931
2932       GenericRIO=
2933           Takes a boolean. It turns on the RIO-like buffering scheme.
2934           Defaults to unset and kernel's default is used.
2935

[FAIRQUEUEINGCONTROLLEDDELAY] SECTION OPTIONS

2937       The [FairQueueingControlledDelay] section manages the queueing
2938       discipline (qdisc) of fair queuing controlled delay (FQ-CoDel).
2939
2940       Parent=
2941           Configures the parent Queueing Discipline (qdisc). Takes one of
2942           "root", "clsact", "ingress" or a class identifier. The class
2943           identifier is specified as the major and minor numbers in
2944           hexadecimal in the range 0x1–0xffff separated with a colon
2945           ("major:minor"). Defaults to "root".
2946
2947       Handle=
2948           Configures the major number of unique identifier of the qdisc,
2949           known as the handle. Takes a hexadecimal number in the range
2950           0x1–0xffff. Defaults to unset.
2951
2952       PacketLimit=
2953           Specifies the hard limit on the real queue size. When this limit is
2954           reached, incoming packets are dropped. Defaults to unset and
2955           kernel's default is used.
2956
2957       MemoryLimitBytes=
2958           Specifies the limit on the total number of bytes that can be queued
2959           in this FQ-CoDel instance. When suffixed with K, M, or G, the
2960           specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
2961           respectively, to the base of 1024. Defaults to unset and kernel's
2962           default is used.
2963
2964       Flows=
2965           Specifies the number of flows into which the incoming packets are
2966           classified. Defaults to unset and kernel's default is used.
2967
2968       TargetSec=
2969           Takes a timespan. Specifies the acceptable minimum
2970           standing/persistent queue delay. Defaults to unset and kernel's
2971           default is used.
2972
2973       IntervalSec=
2974           Takes a timespan. This is used to ensure that the measured minimum
2975           delay does not become too stale. Defaults to unset and kernel's
2976           default is used.
2977
2978       QuantumBytes=
2979           Specifies the number of bytes used as the "deficit" in the fair
2980           queuing algorithm. When suffixed with K, M, or G, the
2981           specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
2982           respectively, to the base of 1024. Defaults to unset and kernel's
2983           default is used.
2984
2985       ECN=
2986           Takes a boolean. This can be used to mark packets instead of
2987           dropping them. Defaults to unset and kernel's default is used.
2988
2989       CEThresholdSec=
2990           Takes a timespan. This sets a threshold above which all packets are
2991           marked with ECN Congestion Experienced (CE). Defaults to unset and
2992           kernel's default is used.
2993

[FAIRQUEUEING] SECTION OPTIONS

       The [FairQueueing] section manages the queueing discipline (qdisc) of
       fair queue traffic policing (FQ).

       Parent=
           Configures the parent Queueing Discipline (qdisc). Takes one of
           "root", "clsact", "ingress" or a class identifier. The class
           identifier is specified as the major and minor numbers in
           hexadecimal in the range 0x1–0xffff separated with a colon
           ("major:minor"). Defaults to "root".

       Handle=
           Configures the major number of the unique identifier of the
           qdisc, known as the handle. Takes a hexadecimal number in the
           range 0x1–0xffff. Defaults to unset.

       PacketLimit=
           Specifies the hard limit on the real queue size. When this limit is
           reached, incoming packets are dropped. Defaults to unset, in which
           case the kernel's default is used.

       FlowLimit=
           Specifies the hard limit on the maximum number of packets queued
           per flow. Defaults to unset, in which case the kernel's default is
           used.

       QuantumBytes=
           Specifies the credit per dequeue RR round, i.e. the amount of bytes
           a flow is allowed to dequeue at once. When suffixed with K, M, or
           G, the specified size is parsed as Kilobytes, Megabytes, or
           Gigabytes, respectively, to the base of 1024. Defaults to unset, in
           which case the kernel's default is used.

       InitialQuantumBytes=
           Specifies the initial sending rate credit, i.e. the amount of bytes
           a new flow is allowed to dequeue initially. When suffixed with K,
           M, or G, the specified size is parsed as Kilobytes, Megabytes, or
           Gigabytes, respectively, to the base of 1024. Defaults to unset, in
           which case the kernel's default is used.

       MaximumRate=
           Specifies the maximum sending rate of a flow. When suffixed with K,
           M, or G, the specified size is parsed as Kilobits, Megabits, or
           Gigabits, respectively, to the base of 1000. Defaults to unset, in
           which case the kernel's default is used.

       Buckets=
           Specifies the size of the hash table used for flow lookups.
           Defaults to unset, in which case the kernel's default is used.

       OrphanMask=
           Takes an unsigned integer. For packets not owned by a socket, fq is
           able to mask a part of the hash and reduce the number of buckets
           associated with the traffic. Defaults to unset, in which case the
           kernel's default is used.

       Pacing=
           Takes a boolean, and enables or disables flow pacing. Defaults to
           unset, in which case the kernel's default is used.

       CEThresholdSec=
           Takes a timespan. This sets a threshold above which all packets are
           marked with ECN Congestion Experienced (CE). Defaults to unset, in
           which case the kernel's default is used.

[TRIVIALLINKEQUALIZER] SECTION OPTIONS

       The [TrivialLinkEqualizer] section manages the queueing discipline
       (qdisc) of trivial link equalizer (teql).

       Parent=
           Configures the parent Queueing Discipline (qdisc). Takes one of
           "root", "clsact", "ingress" or a class identifier. The class
           identifier is specified as the major and minor numbers in
           hexadecimal in the range 0x1–0xffff separated with a colon
           ("major:minor"). Defaults to "root".

       Handle=
           Configures the major number of the unique identifier of the
           qdisc, known as the handle. Takes a hexadecimal number in the
           range 0x1–0xffff. Defaults to unset.

       Id=
           Specifies the interface ID "N" of teql. Defaults to "0". Note that
           when teql is used, currently, the module sch_teql with
           max_equalizers=N+1 option must be loaded before systemd-networkd is
           started.

[HIERARCHYTOKENBUCKET] SECTION OPTIONS

       The [HierarchyTokenBucket] section manages the queueing discipline
       (qdisc) of hierarchy token bucket (htb).

       Parent=
           Configures the parent Queueing Discipline (qdisc). Takes one of
           "root", "clsact", "ingress" or a class identifier. The class
           identifier is specified as the major and minor numbers in
           hexadecimal in the range 0x1–0xffff separated with a colon
           ("major:minor"). Defaults to "root".

       Handle=
           Configures the major number of the unique identifier of the
           qdisc, known as the handle. Takes a hexadecimal number in the
           range 0x1–0xffff. Defaults to unset.

       DefaultClass=
           Takes the minor id in hexadecimal of the default class.
           Unclassified traffic gets sent to the class. Defaults to unset.

       RateToQuantum=
           Takes an unsigned integer. The DRR quantums are calculated by
           dividing the value configured in Rate= by RateToQuantum=.

[HIERARCHYTOKENBUCKETCLASS] SECTION OPTIONS

       The [HierarchyTokenBucketClass] section manages the traffic control
       class of hierarchy token bucket (htb).

       Parent=
           Configures the parent Queueing Discipline (qdisc). Takes one of
           "root", or a qdisc identifier. The qdisc identifier is specified as
           the major and minor numbers in hexadecimal in the range 0x1–0xffff
           separated with a colon ("major:minor"). Defaults to "root".

       ClassId=
           Configures the unique identifier of the class. It is specified as
           the major and minor numbers in hexadecimal in the range 0x1–0xffff
           separated with a colon ("major:minor"). Defaults to unset.

       Priority=
           Specifies the priority of the class. In the round-robin process,
           classes with the lowest priority field are tried for packets first.

       QuantumBytes=
           Specifies how many bytes to serve from leaf at once. When suffixed
           with K, M, or G, the specified size is parsed as Kilobytes,
           Megabytes, or Gigabytes, respectively, to the base of 1024.

       MTUBytes=
           Specifies the maximum packet size we create. When suffixed with K,
           M, or G, the specified size is parsed as Kilobytes, Megabytes, or
           Gigabytes, respectively, to the base of 1024.

       OverheadBytes=
           Takes an unsigned integer which specifies per-packet size overhead
           used in rate computations. When suffixed with K, M, or G, the
           specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
           respectively, to the base of 1024.

       Rate=
           Specifies the maximum rate this class and all its children are
           guaranteed. When suffixed with K, M, or G, the specified size is
           parsed as Kilobits, Megabits, or Gigabits, respectively, to the
           base of 1000. This setting is mandatory.

       CeilRate=
           Specifies the maximum rate at which a class can send, if its parent
           has bandwidth to spare. When suffixed with K, M, or G, the
           specified size is parsed as Kilobits, Megabits, or Gigabits,
           respectively, to the base of 1000. When unset, the value specified
           with Rate= is used.

       BufferBytes=
           Specifies the maximum bytes burst which can be accumulated during
           idle period. When suffixed with K, M, or G, the specified size is
           parsed as Kilobytes, Megabytes, or Gigabytes, respectively, to the
           base of 1024.

       CeilBufferBytes=
           Specifies the maximum bytes burst for ceil which can be accumulated
           during idle period. When suffixed with K, M, or G, the specified
           size is parsed as Kilobytes, Megabytes, or Gigabytes, respectively,
           to the base of 1024.
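
       The following lint for one [HierarchyTokenBucketClass] section body is
       an added example, not code from systemd. It applies the rules stated
       above: hexadecimal "major:minor" identifiers, base-1024 byte sizes,
       base-1000 rates, mandatory Rate= and the CeilRate= fallback. Assumed
       here: values are plain integers with an optional suffix, and
       identifiers are bare hexadecimal digits.

```python
import re

# Multipliers as the page states them: byte sizes scale by 1024, rates by 1000.
BYTES = {"": 1, "K": 1024, "M": 1024**2, "G": 1024**3}
BITS = {"": 1, "K": 1000, "M": 1000**2, "G": 1000**3}
BYTE_KEYS = ("QuantumBytes", "MTUBytes", "OverheadBytes", "BufferBytes", "CeilBufferBytes")
RATE_KEYS = ("Rate", "CeilRate")

# Constructed sample: the body of one [HierarchyTokenBucketClass] section.
SAMPLE_CLASS = """\
Parent=root
ClassId=2:30
Rate=10M
BufferBytes=10M
MTUBytes=1700
"""


def scaled(value, table):
    """Parse '<integer>[K|M|G]' with the given multiplier table."""
    m = re.fullmatch(r"(\d+)([KMG]?)", value)
    if m is None:
        raise ValueError(f"not an integer with optional K/M/G suffix: {value!r}")
    return int(m.group(1)) * table[m.group(2)]


def tc_id(value):
    """Parse 'major:minor'; both halves are hexadecimal in 0x1-0xffff."""
    m = re.fullmatch(r"([0-9A-Fa-f]{1,4}):([0-9A-Fa-f]{1,4})", value)
    if m is None:
        raise ValueError(f"not major:minor in hexadecimal: {value!r}")
    major, minor = int(m.group(1), 16), int(m.group(2), 16)
    if major == 0 or minor == 0:
        raise ValueError(f"major and minor must be in 0x1-0xffff: {value!r}")
    return major, minor


def lint_htb_class(body):
    """Return (resolved settings, problems) for the body of one class section."""
    raw = {}
    for line in body.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")) and "=" in line:
            key, _, val = line.partition("=")
            raw[key.strip()] = val.strip()
    resolved, problems = {}, []
    for key, val in raw.items():
        try:
            if key in BYTE_KEYS:
                resolved[key] = scaled(val, BYTES)
            elif key in RATE_KEYS:
                resolved[key] = scaled(val, BITS)
            elif key == "ClassId" or (key == "Parent" and val != "root"):
                resolved[key] = tc_id(val)
            else:
                resolved[key] = val  # settings this sketch does not interpret
        except ValueError as exc:
            problems.append(f"{key}: {exc}")
    resolved.setdefault("Parent", "root")  # documented default
    if "Rate" not in raw:
        problems.append("Rate: mandatory setting is missing")
    elif "Rate" in resolved and "CeilRate" not in raw:
        resolved["CeilRate"] = resolved["Rate"]  # unset CeilRate= falls back to Rate=
    return resolved, problems
```

       For the sample, ClassId=2:30 resolves to minor 0x30 (decimal 48),
       Rate=10M to 10000000 bits and BufferBytes=10M to 10485760 bytes.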

[HEAVYHITTERFILTER] SECTION OPTIONS

       The [HeavyHitterFilter] section manages the queueing discipline (qdisc)
       of Heavy Hitter Filter (hhf).

       Parent=
           Configures the parent Queueing Discipline (qdisc). Takes one of
           "root", "clsact", "ingress" or a class identifier. The class
           identifier is specified as the major and minor numbers in
           hexadecimal in the range 0x1–0xffff separated with a colon
           ("major:minor"). Defaults to "root".

       Handle=
           Configures the major number of the unique identifier of the
           qdisc, known as the handle. Takes a hexadecimal number in the
           range 0x1–0xffff. Defaults to unset.

       PacketLimit=
           Specifies the hard limit on the queue size in number of packets.
           When this limit is reached, incoming packets are dropped. Takes an
           unsigned integer in the range 0...4294967294. Defaults to unset, in
           which case the kernel's default is used.

[QUICKFAIRQUEUEING] SECTION OPTIONS

       The [QuickFairQueueing] section manages the queueing discipline (qdisc)
       of Quick Fair Queueing (QFQ).

       Parent=
           Configures the parent Queueing Discipline (qdisc). Takes one of
           "root", "clsact", "ingress" or a class identifier. The class
           identifier is specified as the major and minor numbers in
           hexadecimal in the range 0x1–0xffff separated with a colon
           ("major:minor"). Defaults to "root".

       Handle=
           Configures the major number of the unique identifier of the
           qdisc, known as the handle. Takes a hexadecimal number in the
           range 0x1–0xffff. Defaults to unset.

[QUICKFAIRQUEUEINGCLASS] SECTION OPTIONS

       The [QuickFairQueueingClass] section manages the traffic control class
       of Quick Fair Queueing (qfq).

       Parent=
           Configures the parent Queueing Discipline (qdisc). Takes one of
           "root", or a qdisc identifier. The qdisc identifier is specified as
           the major and minor numbers in hexadecimal in the range 0x1–0xffff
           separated with a colon ("major:minor"). Defaults to "root".

       ClassId=
           Configures the unique identifier of the class. It is specified as
           the major and minor numbers in hexadecimal in the range 0x1–0xffff
           separated with a colon ("major:minor"). Defaults to unset.

       Weight=
           Specifies the weight of the class. Takes an integer in the range
           1...1023. Defaults to unset, in which case the kernel default is
           used.

       MaxPacketBytes=
           Specifies the maximum packet size in bytes for the class. When
           suffixed with K, M, or G, the specified size is parsed as
           Kilobytes, Megabytes, or Gigabytes, respectively, to the base of
           1024. When unset, the kernel default is used.

[BRIDGEVLAN] SECTION OPTIONS

       The [BridgeVLAN] section manages the VLAN ID configuration of a bridge
       port and accepts the following keys. Specify several [BridgeVLAN]
       sections to configure several VLAN entries. The VLANFiltering= option
       has to be enabled, see the [Bridge] section in systemd.netdev(5).

       VLAN=
           The VLAN ID allowed on the port. This can be either a single ID or
           a range M-N. Takes an integer in the range 1...4094.

       EgressUntagged=
           The VLAN ID specified here will be used to untag frames on egress.
           Configuring EgressUntagged= implies the use of VLAN= above and
           will enable the VLAN ID for ingress as well. This can be either a
           single ID or a range M-N.

       PVID=
           The Port VLAN ID specified here is assigned to all untagged frames
           at ingress. PVID= can be used only once. Configuring PVID=
           implies the use of VLAN= above and will enable the VLAN ID for
           ingress as well.
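
       Because EgressUntagged= and PVID= enable VLAN IDs implicitly, the set
       of VLANs a port carries can be wider than its VLAN= lines suggest. The
       following audit helper is an added example, not code from systemd; it
       resolves the effective membership from all [BridgeVLAN] sections of a
       file and compares it with a caller-supplied approved set. The sample
       file and the function names are constructed for illustration.

```python
import re

VID_MIN, VID_MAX = 1, 4094  # range the page gives for VLAN=

# Constructed sample for one bridge port; the last section is deliberately faulty.
SAMPLE_NETWORK = """\
[Network]
Bridge=bridge0

[BridgeVLAN]
VLAN=10-12
PVID=20
EgressUntagged=20

[BridgeVLAN]
EgressUntagged=30-31

[BridgeVLAN]
VLAN=4095
PVID=21
"""


def vid_range(value):
    """Expand 'N' or 'M-N' into a set of VLAN IDs within 1...4094."""
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", value)
    if m is None:
        raise ValueError(f"not an ID or an M-N range: {value!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not VID_MIN <= lo <= hi <= VID_MAX:
        raise ValueError(f"outside {VID_MIN}...{VID_MAX} or reversed: {value!r}")
    return set(range(lo, hi + 1))


def bridge_vlan_settings(text):
    """Yield (key, value) for every setting inside any [BridgeVLAN] section."""
    inside = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            inside = line == "[BridgeVLAN]"
        elif inside and "=" in line and not line.startswith(("#", ";")):
            key, _, val = line.partition("=")
            yield key.strip(), val.strip()


def effective_port_vlans(text, approved):
    """Resolve the port's VLAN membership and list IDs outside `approved`."""
    allowed, untagged, pvid, problems = set(), set(), None, []
    for key, val in bridge_vlan_settings(text):
        try:
            if key == "VLAN":
                allowed |= vid_range(val)
            elif key == "EgressUntagged":
                ids = vid_range(val)
                untagged |= ids
                allowed |= ids  # implies VLAN= for the same IDs
            elif key == "PVID":
                if pvid is not None:
                    raise ValueError("PVID= can be used only once")
                if not val.isdigit():
                    raise ValueError(f"not a single ID: {val!r}")
                (pvid,) = vid_range(val)
                allowed.add(pvid)  # implies VLAN= for this ID
        except ValueError as exc:
            problems.append(f"{key}={val}: {exc}")
    return {
        "allowed": sorted(allowed),
        "untagged": sorted(untagged),
        "pvid": pvid,
        "unapproved": sorted(allowed - set(approved)),
        "problems": problems,
    }
```

       With the approved set {10, 11, 12, 20}, the sample reports VLANs 30 and
       31 as unapproved even though no VLAN= line names them, and flags the
       out-of-range ID and the second PVID=.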

EXAMPLES

       Example 1. Static network configuration

           # /etc/systemd/network/50-static.network
           [Match]
           Name=enp2s0

           [Network]
           Address=192.168.0.15/24
           Gateway=192.168.0.1

       This brings interface "enp2s0" up with a static address. The specified
       gateway will be used for a default route.

       Example 2. DHCP on ethernet links

           # /etc/systemd/network/80-dhcp.network
           [Match]
           Name=en*

           [Network]
           DHCP=yes

       This will enable DHCPv4 and DHCPv6 on all interfaces with names
       starting with "en" (i.e. ethernet interfaces).

       Example 3. IPv6 Prefix Delegation

           # /etc/systemd/network/55-ipv6-pd-upstream.network
           [Match]
           Name=enp1s0

           [Network]
           DHCP=ipv6

           # /etc/systemd/network/56-ipv6-pd-downstream.network
           [Match]
           Name=enp2s0

           [Network]
           IPv6SendRA=yes
           DHCPPrefixDelegation=yes

       This will enable DHCPv6-PD on the interface enp1s0 as an upstream
       interface where the DHCPv6 client is running and enp2s0 as a downstream
       interface where the prefix is delegated to. The delegated prefixes are
       distributed by IPv6 Router Advertisement on the downstream network.

       Example 4. A bridge with two enslaved links

           # /etc/systemd/network/25-bridge-static.network
           [Match]
           Name=bridge0

           [Network]
           Address=192.168.0.15/24
           Gateway=192.168.0.1
           DNS=192.168.0.1

           # /etc/systemd/network/25-bridge-slave-interface-1.network
           [Match]
           Name=enp2s0

           [Network]
           Bridge=bridge0

           # /etc/systemd/network/25-bridge-slave-interface-2.network
           [Match]
           Name=wlp3s0

           [Network]
           Bridge=bridge0

       This creates a bridge and attaches devices "enp2s0" and "wlp3s0" to it.
       The bridge will have the specified static address and network assigned,
       and a default route via the specified gateway will be added. The
       specified DNS server will be added to the global list of DNS resolvers.

       Example 5. Bridge port with VLAN forwarding

           # /etc/systemd/network/25-bridge-slave-interface-1.network
           [Match]
           Name=enp2s0

           [Network]
           Bridge=bridge0

           [BridgeVLAN]
           VLAN=1-32
           PVID=42
           EgressUntagged=42

           [BridgeVLAN]
           VLAN=100-200

           [BridgeVLAN]
           EgressUntagged=300-400

       This overrides the configuration specified in the previous example for
       the interface "enp2s0", and enables VLAN on that bridge port. VLAN IDs
       1-32, 42, 100-400 will be allowed. Packets tagged with VLAN IDs 42,
       300-400 will be untagged when they leave on this interface. Untagged
       packets which arrive on this interface will be assigned VLAN ID 42.

       Example 6. Various tunnels

           # /etc/systemd/network/25-tunnels.network
           [Match]
           Name=ens1

           [Network]
           Tunnel=ipip-tun
           Tunnel=sit-tun
           Tunnel=gre-tun
           Tunnel=vti-tun

           # /etc/systemd/network/25-tunnel-ipip.netdev
           [NetDev]
           Name=ipip-tun
           Kind=ipip

           # /etc/systemd/network/25-tunnel-sit.netdev
           [NetDev]
           Name=sit-tun
           Kind=sit

           # /etc/systemd/network/25-tunnel-gre.netdev
           [NetDev]
           Name=gre-tun
           Kind=gre

           # /etc/systemd/network/25-tunnel-vti.netdev
           [NetDev]
           Name=vti-tun
           Kind=vti

       This will bring interface "ens1" up and create an IPIP tunnel, a SIT
       tunnel, a GRE tunnel, and a VTI tunnel using it.

       Example 7. A bond device

           # /etc/systemd/network/30-bond1.network
           [Match]
           Name=bond1

           [Network]
           DHCP=ipv6

           # /etc/systemd/network/30-bond1.netdev
           [NetDev]
           Name=bond1
           Kind=bond

           # /etc/systemd/network/30-bond1-dev1.network
           [Match]
           MACAddress=52:54:00:e9:64:41

           [Network]
           Bond=bond1

           # /etc/systemd/network/30-bond1-dev2.network
           [Match]
           MACAddress=52:54:00:e9:64:42

           [Network]
           Bond=bond1

       This will create a bond device "bond1" and enslave the two devices with
       MAC addresses 52:54:00:e9:64:41 and 52:54:00:e9:64:42 to it. IPv6 DHCP
       will be used to acquire an address.

       Example 8. Virtual Routing and Forwarding (VRF)

       Add the "bond1" interface to the VRF master interface "vrf1". This will
       redirect routes generated on this interface to be within the routing
       table defined during VRF creation. For kernels before 4.8, traffic
       won't be redirected towards the VRF's routing table unless specific
       ip-rules are added.

           # /etc/systemd/network/25-vrf.network
           [Match]
           Name=bond1

           [Network]
           VRF=vrf1

       Example 9. MacVTap

       This brings up a network interface "macvtap-test" and attaches it to
       "enp0s25".

           # /usr/lib/systemd/network/25-macvtap.network
           [Match]
           Name=enp0s25

           [Network]
           MACVTAP=macvtap-test

       Example 10. An Xfrm interface with physical underlying device.

           # /etc/systemd/network/27-xfrm.netdev
           [NetDev]
           Name=xfrm0
           Kind=xfrm

           [Xfrm]
           InterfaceId=7

           # /etc/systemd/network/27-eth0.network
           [Match]
           Name=eth0

           [Network]
           Xfrm=xfrm0

       This creates a "xfrm0" interface and binds it to the "eth0" device.
       This allows hardware-based IPsec offloading to the "eth0" NIC. If
       offloading is not needed, xfrm interfaces can be assigned to the "lo"
       device.

SEE ALSO

       systemd(1), systemd-networkd.service(8), systemd.link(5),
       systemd.netdev(5), systemd-resolved.service(8)

systemd 250                                                 SYSTEMD.NETWORK(5)