1IP-LINK(8) Linux IP-LINK(8)
2
6 ip-link - network device configuration
7
9 ip link { COMMAND | help }
10 ip link add [ link DEVICE ] [ name ] NAME
13 [ txqueuelen PACKETS ]
14 [ address LLADDR ] [ broadcast LLADDR ]
15 [ mtu MTU ] [ index IDX ]
16 [ numtxqueues QUEUE_COUNT ] [ numrxqueues QUEUE_COUNT ]
17 [ gso_max_size BYTES ] [ gso_max_segs SEGMENTS ]
18 type TYPE [ ARGS ]
19 ip link delete { DEVICE | group GROUP } type TYPE [ ARGS ]
21 ip link set { DEVICE | group GROUP }
23 [ { up | down } ]
24 [ type ETYPE TYPE_ARGS ]
25 [ arp { on | off } ]
26 [ dynamic { on | off } ]
27 [ multicast { on | off } ]
28 [ allmulticast { on | off } ]
29 [ promisc { on | off } ]
30 [ protodown { on | off } ]
31 [ protodown_reason PREASON { on | off } ]
32 [ trailers { on | off } ]
33 [ txqueuelen PACKETS ]
34 [ name NEWNAME ]
35 [ address LLADDR ]
36 [ broadcast LLADDR ]
37 [ mtu MTU ]
38 [ netns { PID | NETNSNAME } ]
39 [ link-netnsid ID ]
40 [ alias NAME ]
41 [ vf NUM [ mac LLADDR ]
42 [ VFVLAN-LIST ]
43 [ rate TXRATE ]
44 [ max_tx_rate TXRATE ]
45 [ min_tx_rate TXRATE ]
46 [ spoofchk { on | off } ]
47 [ query_rss { on | off } ]
48 [ state { auto | enable | disable } ]
49 [ trust { on | off } ]
50 [ node_guid eui64 ]
51 [ port_guid eui64 ] ]
52 [ { xdp | xdpgeneric | xdpdrv | xdpoffload } { off |
53 object FILE [ section NAME ] [ verbose ] |
54 pinned FILE } ]
55 [ master DEVICE ]
56 [ nomaster ]
57 [ vrf NAME ]
58 [ addrgenmode { eui64 | none | stable_secret | random } ]
59 [ macaddr [ MACADDR ]
60 [ { flush | add | del } MACADDR ]
61 [ set MACADDR ] ]
62 ip link show [ DEVICE | group GROUP ] [ up ] [ master DEVICE
64 ] [ type ETYPE ] [ vrf NAME ]
65 ip link xstats type TYPE [ ARGS ]
67 ip link afstats [ dev DEVICE ]
69 ip link help [ TYPE ]
71 TYPE := [ bridge | bond | can | dummy | hsr | ifb | ipoib |
73 macvlan | macvtap | vcan | vxcan | veth | vlan |
74 vxlan | ip6tnl | ipip | sit | gre | gretap | erspan |
75 ip6gre | ip6gretap | ip6erspan | vti | nlmon | ipvlan
76 | ipvtap | lowpan | geneve | bareudp | vrf | macsec |
77 netdevsim | rmnet | xfrm ]
78 ETYPE := [ TYPE | bridge_slave | bond_slave ]
80 VFVLAN-LIST := [ VFVLAN-LIST ] VFVLAN
82 VFVLAN := [ vlan VLANID [ qos VLAN-QOS ] [ proto VLAN-PROTO ]
84 ]
85 ip link property add dev DEVICE [ altname NAME .. ]
87 ip link property del dev DEVICE [ altname NAME .. ]
89
92 ip link add - add virtual link
93 link DEVICE
94 specifies the physical device to act operate on.
95 NAME specifies the name of the new virtual device.
97 TYPE specifies the type of the new device.
99 Link types:
101 bridge - Ethernet Bridge device
103 bond - Bonding device
105 dummy - Dummy network interface
107 hsr - High-availability Seamless Redundancy device
109 ifb - Intermediate Functional Block device
111 ipoib - IP over Infiniband device
113 macvlan - Virtual interface base on link layer address
115 (MAC)
116 macvtap - Virtual interface based on link layer address
118 (MAC) and TAP.
119 vcan - Virtual Controller Area Network interface
121 vxcan - Virtual Controller Area Network tunnel interface
123 veth - Virtual ethernet interface
125 vlan - 802.1q tagged virtual LAN interface
127 vxlan - Virtual eXtended LAN
129 ip6tnl - Virtual tunnel interface IPv4|IPv6 over IPv6
131 ipip - Virtual tunnel interface IPv4 over IPv4
133 sit - Virtual tunnel interface IPv6 over IPv4
135 gre - Virtual tunnel interface GRE over IPv4
137 gretap - Virtual L2 tunnel interface GRE over IPv4
139 erspan - Encapsulated Remote SPAN over GRE and IPv4
141 ip6gre - Virtual tunnel interface GRE over IPv6
143 ip6gretap - Virtual L2 tunnel interface GRE over IPv6
145 ip6erspan - Encapsulated Remote SPAN over GRE and IPv6
147 vti - Virtual tunnel interface
149 nlmon - Netlink monitoring device
151 ipvlan - Interface for L3 (IPv6/IPv4) based VLANs
153 ipvtap - Interface for L3 (IPv6/IPv4) based VLANs and
155 TAP
156 lowpan - Interface for 6LoWPAN (IPv6) over IEEE 802.15.4
158 / Bluetooth
159 geneve - GEneric NEtwork Virtualization Encapsulation
161 bareudp - Bare UDP L3 encapsulation support
163 macsec - Interface for IEEE 802.1AE MAC Security (MAC‐
165 sec)
166 vrf - Interface for L3 VRF domains
168 netdevsim - Interface for netdev API tests
170 rmnet - Qualcomm rmnet device
172 xfrm - Virtual xfrm interface
174 numtxqueues QUEUE_COUNT
177 specifies the number of transmit queues for new device.
178 numrxqueues QUEUE_COUNT
181 specifies the number of receive queues for new device.
182 gso_max_size BYTES
185 specifies the recommended maximum size of a Generic Segment Off‐
186 load packet the new device should accept.
187 gso_max_segs SEGMENTS
190 specifies the recommended maximum number of a Generic Segment
191 Offload segments the new device should accept.
192 index IDX
195 specifies the desired index of the new virtual device. The link
196 creation fails, if the index is busy.
197 VLAN Type Support
200 For a link of type VLAN the following additional arguments are
201 supported:
202 ip link add link DEVICE name NAME type vlan [ protocol
204 VLAN_PROTO ] id VLANID [ reorder_hdr { on | off } ] [ gvrp { on
205 | off } ] [ mvrp { on | off } ] [ loose_binding { on | off } ] [
206 bridge_binding { on | off } ] [ ingress-qos-map QOS-MAP ] [
207 egress-qos-map QOS-MAP ]
208 protocol VLAN_PROTO - either 802.1Q or 802.1ad.
211 id VLANID - specifies the VLAN Identifier to use. Note
213 that numbers with a leading " 0 " or " 0x " are inter‐
214 preted as octal or hexadecimal, respectively.
215 reorder_hdr { on | off } - specifies whether ethernet
217 headers are reordered or not (default is on).
218 If reorder_hdr is on then VLAN header will be not
220 inserted immediately but only before passing to the
221 physical device (if this device does not support
222 VLAN offloading), the similar on the RX direction -
223 by default the packet will be untagged before being
224 received by VLAN device. Reordering allows to accel‐
225 erate tagging on egress and to hide VLAN header on
226 ingress so the packet looks like regular Ethernet
227 packet, at the same time it might be confusing for
228 packet capture as the VLAN header does not exist
229 within the packet.
230 VLAN offloading can be checked by ethtool(8):
232 ethtool -k <phy_dev> | grep tx-vlan-offload
234 where <phy_dev> is the physical device to which VLAN
236 device is bound.
237 gvrp { on | off } - specifies whether this VLAN should
239 be registered using GARP VLAN
240 Registration Protocol.
241 mvrp { on | off } - specifies whether this VLAN should
243 be registered using Multiple VLAN
244 Registration Protocol.
245 loose_binding { on | off } - specifies whether the VLAN
247 device state is bound to the physical device state.
248 bridge_binding { on | off } - specifies whether the VLAN
250 device link state tracks the state of bridge ports that
251 are members of the VLAN.
252 ingress-qos-map QOS-MAP - defines a mapping of VLAN
254 header prio field to the Linux internal packet priority
255 on incoming frames. The format is FROM:TO with multiple
256 mappings separated by spaces.
257 egress-qos-map QOS-MAP - defines a mapping of Linux in‐
259 ternal packet priority to VLAN header prio field but for
260 outgoing frames. The format is the same as for ingress-
261 qos-map.
262 Linux packet priority can be set by iptables(8):
264 iptables -t mangle -A POSTROUTING [...] -j CLAS‐
266 SIFY --set-class 0:4
267 and this "4" priority can be used in the egress qos
269 mapping to set VLAN prio "5":
270 ip link set veth0.10 type vlan egress 4:5
272 VXLAN Type Support
275 For a link of type VXLAN the following additional arguments are
276 supported:
277 ip link add DEVICE type vxlan id VNI [ dev PHYS_DEV ] [ { group
279 | remote } IPADDR ] [ local { IPADDR | any } ] [ ttl TTL ] [ tos
280 TOS ] [ df DF ] [ flowlabel FLOWLABEL ] [ dstport PORT ] [ src‐
281 port MIN MAX ] [ [no]learning ] [ [no]proxy ] [ [no]rsc ] [
282 [no]l2miss ] [ [no]l3miss ] [ [no]udpcsum ] [ [no]udp6zerocsumtx
283 ] [ [no]udp6zerocsumrx ] [ ageing SECONDS ] [ maxaddress NUMBER
284 ] [ [no]external ] [ gbp ] [ gpe ]
285 id VNI - specifies the VXLAN Network Identifier (or
288 VXLAN Segment Identifier) to use.
289 dev PHYS_DEV - specifies the physical device to use for
291 tunnel endpoint communication.
292 group IPADDR - specifies the multicast IP address to
295 join. This parameter cannot be specified with the re‐
296 mote parameter.
297 remote IPADDR - specifies the unicast destination IP ad‐
300 dress to use in outgoing packets when the destination
301 link layer address is not known in the VXLAN device for‐
302 warding database. This parameter cannot be specified
303 with the group parameter.
304 local IPADDR - specifies the source IP address to use in
307 outgoing packets.
308 ttl TTL - specifies the TTL value to use in outgoing
311 packets.
312 tos TOS - specifies the TOS value to use in outgoing
315 packets.
316 df DF - specifies the usage of the Don't Fragment flag
319 (DF) bit in outgoing packets with IPv4 headers. The
320 value inherit causes the bit to be copied from the orig‐
321 inal IP header. The values unset and set cause the bit
322 to be always unset or always set, respectively. By de‐
323 fault, the bit is not set.
324 flowlabel FLOWLABEL - specifies the flow label to use in
327 outgoing packets.
328 dstport PORT - specifies the UDP destination port to
331 communicate to the remote
332 VXLAN tunnel endpoint.
333 srcport MIN MAX - specifies the range of port numbers to
336 use as UDP source ports to communicate to the remote
337 VXLAN tunnel endpoint.
338 [no]learning - specifies if unknown source link layer
341 addresses and IP addresses are entered into the VXLAN
342 device forwarding database.
343 [no]rsc - specifies if route short circuit is turned on.
346 [no]proxy - specifies ARP proxy is turned on.
349 [no]l2miss - specifies if netlink LLADDR miss notifica‐
352 tions are generated.
353 [no]l3miss - specifies if netlink IP ADDR miss notifica‐
356 tions are generated.
357 [no]udpcsum - specifies if UDP checksum is calculated
360 for transmitted packets over IPv4.
361 [no]udp6zerocsumtx - skip UDP checksum calculation for
364 transmitted packets over IPv6.
365 [no]udp6zerocsumrx - allow incoming UDP packets over
368 IPv6 with zero checksum field.
369 ageing SECONDS - specifies the lifetime in seconds of
372 FDB entries learnt by the kernel.
373 maxaddress NUMBER - specifies the maximum number of FDB
376 entries.
377 [no]external - specifies whether an external control
380 plane (e.g. ip route encap) or the internal FDB should
381 be used.
382 gbp - enables the Group Policy extension (VXLAN-GBP).
385 Allows to transport group policy context across
387 VXLAN network peers. If enabled, includes the mark
388 of a packet in the VXLAN header for outgoing packets
389 and fills the packet mark based on the information
390 found in the VXLAN header for incoming packets.
391 Format of upper 16 bits of packet mark (flags);
393 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
395 |-|-|-|-|-|-|-|-|-|D|-|-|A|-|-|-|
396 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
397 D := Don't Learn bit. When set, this bit indicates
399 that the egress VTEP MUST NOT learn the source ad‐
400 dress of the encapsulated frame.
401 A := Indicates that the group policy has already
403 been applied to this packet. Policies MUST NOT be
404 applied by devices when the A bit is set.
405 Format of lower 16 bits of packet mark (policy ID):
407 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
409 | Group Policy ID |
410 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
411 Example:
413 iptables -A OUTPUT [...] -j MARK --set-mark
414 0x800FF
415 gpe - enables the Generic Protocol extension (VXLAN-
419 GPE). Currently, this is only supported together with
420 the external keyword.
421 VETH, VXCAN Type Support
425 For a link of types VETH/VXCAN the following additional argu‐
426 ments are supported:
427 ip link add DEVICE type { veth | vxcan } [ peer name NAME ]
429 peer name NAME - specifies the virtual pair device name
432 of the VETH/VXCAN tunnel.
433 IPIP, SIT Type Support
437 For a link of type IPIPorSIT the following additional arguments
438 are supported:
439 ip link add DEVICE type { ipip | sit } remote ADDR local ADDR [
441 encap { fou | gue | none } ] [ encap-sport { PORT | auto } ] [
442 encap-dport PORT ] [ [no]encap-csum ] [ [no]encap-remcsum ] [
443 mode { ip6ip | ipip | mplsip | any } ] [ external ]
444 remote ADDR - specifies the remote address of the tun‐
447 nel.
448 local ADDR - specifies the fixed local address for tun‐
451 neled packets. It must be an address on another inter‐
452 face on this host.
453 encap { fou | gue | none } - specifies type of secondary
456 UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue"
457 indicates Generic UDP Encapsulation.
458 encap-sport { PORT | auto } - specifies the source port
461 in UDP encapsulation. PORT indicates the port by num‐
462 ber, "auto" indicates that the port number should be
463 chosen automatically (the kernel picks a flow based on
464 the flow hash of the encapsulated packet).
465 [no]encap-csum - specifies if UDP checksums are enabled
468 in the secondary encapsulation.
469 [no]encap-remcsum - specifies if Remote Checksum Offload
472 is enabled. This is only applicable for Generic UDP En‐
473 capsulation.
474 mode { ip6ip | ipip | mplsip | any } - specifies mode in
477 which device should run. "ip6ip" indicates IPv6-Over-
478 IPv4, "ipip" indicates "IPv4-Over-IPv4", "mplsip" indi‐
479 cates MPLS-Over-IPv4, "any" indicates IPv6, IPv4 or MPLS
480 Over IPv4. Supported for SIT where the default is
481 "ip6ip" and IPIP where the default is "ipip".
482 IPv6-Over-IPv4 is not supported for IPIP.
483 external - make this tunnel externally controlled (e.g.
486 ip route encap).
487 GRE Type Support
490 For a link of type GRE or GRETAP the following additional argu‐
491 ments are supported:
492 ip link add DEVICE type { gre | gretap } remote ADDR local ADDR
494 [ [no][i|o]seq ] [ [i|o]key KEY | no[i|o]key ] [ [no][i|o]csum ]
495 [ ttl TTL ] [ tos TOS ] [ [no]pmtudisc ] [ [no]ignore-df ] [ dev
496 PHYS_DEV ] [ encap { fou | gue | none } ] [ encap-sport { PORT |
497 auto } ] [ encap-dport PORT ] [ [no]encap-csum ] [ [no]encap-
498 remcsum ] [ external ]
499 remote ADDR - specifies the remote address of the tun‐
502 nel.
503 local ADDR - specifies the fixed local address for tun‐
506 neled packets. It must be an address on another inter‐
507 face on this host.
508 [no][i|o]seq - serialize packets. The oseq flag enables
511 sequencing of outgoing packets. The iseq flag requires
512 that all input packets are serialized.
513 [i|o]key KEY | no[i|o]key - use keyed GRE with key KEY.
516 KEY is either a number or an IPv4 address-like dotted
517 quad. The key parameter specifies the same key to use
518 in both directions. The ikey and okey parameters spec‐
519 ify different keys for input and output.
520 [no][i|o]csum - generate/require checksums for tunneled
523 packets. The ocsum flag calculates checksums for outgo‐
524 ing packets. The icsum flag requires that all input
525 packets have the correct checksum. The csum flag is
526 equivalent to the combination icsum ocsum .
527 ttl TTL - specifies the TTL value to use in outgoing
530 packets.
531 tos TOS - specifies the TOS value to use in outgoing
534 packets.
535 [no]pmtudisc - enables/disables Path MTU Discovery on
538 this tunnel. It is enabled by default. Note that a
539 fixed ttl is incompatible with this option: tunneling
540 with a fixed ttl always makes pmtu discovery.
541 [no]ignore-df - enables/disables IPv4 DF suppression on
544 this tunnel. Normally datagrams that exceed the MTU
545 will be fragmented; the presence of the DF flag inhibits
546 this, resulting instead in an ICMP Unreachable (Fragmen‐
547 tation Required) message. Enabling this attribute
548 causes the DF flag to be ignored.
549 dev PHYS_DEV - specifies the physical device to use for
552 tunnel endpoint communication.
553 encap { fou | gue | none } - specifies type of secondary
556 UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue"
557 indicates Generic UDP Encapsulation.
558 encap-sport { PORT | auto } - specifies the source port
561 in UDP encapsulation. PORT indicates the port by num‐
562 ber, "auto" indicates that the port number should be
563 chosen automatically (the kernel picks a flow based on
564 the flow hash of the encapsulated packet).
565 [no]encap-csum - specifies if UDP checksums are enabled
568 in the secondary encapsulation.
569 [no]encap-remcsum - specifies if Remote Checksum Offload
572 is enabled. This is only applicable for Generic UDP En‐
573 capsulation.
574 external - make this tunnel externally controlled (e.g.
577 ip route encap).
578 IP6GRE/IP6GRETAP Type Support
582 For a link of type IP6GRE/IP6GRETAP the following additional ar‐
583 guments are supported:
584 ip link add DEVICE type { ip6gre | ip6gretap } remote ADDR local
586 ADDR [ [no][i|o]seq ] [ [i|o]key KEY | no[i|o]key ] [
587 [no][i|o]csum ] [ hoplimit TTL ] [ encaplimit ELIM ] [ tclass
588 TCLASS ] [ flowlabel FLOWLABEL ] [ dscp inherit ] [ [no]allow-
589 localremote ] [ dev PHYS_DEV ] [ external ]
590 remote ADDR - specifies the remote IPv6 address of the
593 tunnel.
594 local ADDR - specifies the fixed local IPv6 address for
597 tunneled packets. It must be an address on another in‐
598 terface on this host.
599 [no][i|o]seq - serialize packets. The oseq flag enables
602 sequencing of outgoing packets. The iseq flag requires
603 that all input packets are serialized.
604 [i|o]key KEY | no[i|o]key - use keyed GRE with key KEY.
607 KEY is either a number or an IPv4 address-like dotted
608 quad. The key parameter specifies the same key to use
609 in both directions. The ikey and okey parameters spec‐
610 ify different keys for input and output.
611 [no][i|o]csum - generate/require checksums for tunneled
614 packets. The ocsum flag calculates checksums for outgo‐
615 ing packets. The icsum flag requires that all input
616 packets have the correct checksum. The csum flag is
617 equivalent to the combination icsum ocsum.
618 hoplimit TTL - specifies Hop Limit value to use in out‐
621 going packets.
622 encaplimit ELIM - specifies a fixed encapsulation limit.
625 Default is 4.
626 flowlabel FLOWLABEL - specifies a fixed flowlabel.
629 [no]allow-localremote - specifies whether to allow re‐
632 mote endpoint to have an address configured on local
633 host.
634 tclass TCLASS - specifies the traffic class field on
637 tunneled packets, which can be specified as either a
638 two-digit hex value (e.g. c0) or a predefined string
639 (e.g. internet). The value inherit causes the field to
640 be copied from the original IP header. The values in‐
641 herit/STRING or inherit/00..ff will set the field to
642 STRING or 00..ff when tunneling non-IP packets. The de‐
643 fault value is 00.
644 external - make this tunnel externally controlled (or
647 not, which is the default). In the kernel, this is re‐
648 ferred to as collect metadata mode. This flag is mutu‐
649 ally exclusive with the remote, local, seq, key, csum,
650 hoplimit, encaplimit, flowlabel and tclass options.
651 IPoIB Type Support
655 For a link of type IPoIB the following additional arguments are
656 supported:
657 ip link add DEVICE name NAME type ipoib [ pkey PKEY ] [ mode
659 MODE ]
660 pkey PKEY - specifies the IB P-Key to use.
663 mode MODE - specifies the mode (datagram or connected)
665 to use.
666 ERSPAN Type Support
669 For a link of type ERSPAN/IP6ERSPAN the following additional ar‐
670 guments are supported:
671 ip link add DEVICE type { erspan | ip6erspan } remote ADDR local
673 ADDR seq key KEY erspan_ver version [ erspan IDX ] [ erspan_dir
674 { ingress | egress } ] [ erspan_hwid hwid ] [ [no]allow-localre‐
675 mote ] [ external ]
676 remote ADDR - specifies the remote address of the tun‐
679 nel.
680 local ADDR - specifies the fixed local address for tun‐
683 neled packets. It must be an address on another inter‐
684 face on this host.
685 erspan_ver version - specifies the ERSPAN version num‐
688 ber. version indicates the ERSPAN version to be cre‐
689 ated: 0 for version 0 type I, 1 for version 1 (type II)
690 or 2 for version 2 (type III).
691 erspan IDX - specifies the ERSPAN v1 index field. IDX
694 indicates a 20 bit index/port number associated with the
695 ERSPAN traffic's source port and direction.
696 erspan_dir { ingress | egress } - specifies the ERSPAN
699 v2 mirrored traffic's direction.
700 erspan_hwid hwid - an unique identifier of an ERSPAN v2
703 engine within a system. hwid is a 6-bit value for users
704 to configure.
705 [no]allow-localremote - specifies whether to allow re‐
708 mote endpoint to have an address configured on local
709 host.
710 external - make this tunnel externally controlled (or
713 not, which is the default). In the kernel, this is re‐
714 ferred to as collect metadata mode. This flag is mutu‐
715 ally exclusive with the remote, local, erspan_ver,
716 erspan, erspan_dir and erspan_hwid options.
717 GENEVE Type Support
721 For a link of type GENEVE the following additional arguments are
722 supported:
723 ip link add DEVICE type geneve id VNI remote IPADDR [ ttl TTL ]
725 [ tos TOS ] [ df DF ] [ flowlabel FLOWLABEL ] [ dstport PORT ] [
726 [no]external ] [ [no]udpcsum ] [ [no]udp6zerocsumtx ] [
727 [no]udp6zerocsumrx ]
728 id VNI - specifies the Virtual Network Identifier to
731 use.
732 remote IPADDR - specifies the unicast destination IP ad‐
735 dress to use in outgoing packets.
736 ttl TTL - specifies the TTL value to use in outgoing
739 packets. "0" or "auto" means use whatever default value,
740 "inherit" means inherit the inner protocol's ttl. De‐
741 fault option is "0".
742 tos TOS - specifies the TOS value to use in outgoing
745 packets.
746 df DF - specifies the usage of the Don't Fragment flag
749 (DF) bit in outgoing packets with IPv4 headers. The
750 value inherit causes the bit to be copied from the orig‐
751 inal IP header. The values unset and set cause the bit
752 to be always unset or always set, respectively. By de‐
753 fault, the bit is not set.
754 flowlabel FLOWLABEL - specifies the flow label to use in
757 outgoing packets.
758 dstport PORT - select a destination port other than the
761 default of 6081.
762 [no]external - make this tunnel externally controlled
765 (or not, which is the default). This flag is mutually
766 exclusive with the id, remote, ttl, tos and flowlabel
767 options.
768 [no]udpcsum - specifies if UDP checksum is calculated
771 for transmitted packets over IPv4.
772 [no]udp6zerocsumtx - skip UDP checksum calculation for
775 transmitted packets over IPv6.
776 [no]udp6zerocsumrx - allow incoming UDP packets over
779 IPv6 with zero checksum field.
780 Bareudp Type Support
784 For a link of type Bareudp the following additional arguments
785 are supported:
786 ip link add DEVICE type bareudp dstport PORT ethertype PROTO [
788 srcportmin PORT ] [ [no]multiproto ]
789 dstport PORT - specifies the destination port for the
792 UDP tunnel.
793 ethertype PROTO - specifies the ethertype of the L3 pro‐
796 tocol being tunnelled. ethertype can be given as plain
797 Ethernet protocol number or using the protocol name
798 ("ipv4", "ipv6", "mpls_uc", etc.).
799 srcportmin PORT - selects the lowest value of the UDP
802 tunnel source port range.
803 [no]multiproto - activates support for protocols similar
806 to the one specified by ethertype. When ethertype is
807 "mpls_uc" (that is, unicast MPLS), this allows the tun‐
808 nel to also handle multicast MPLS. When ethertype is
809 "ipv4", this allows the tunnel to also handle IPv6. This
810 option is disabled by default.
811 MACVLAN and MACVTAP Type Support
814 For a link of type MACVLAN or MACVTAP the following additional
815 arguments are supported:
816 ip link add link DEVICE name NAME type { macvlan | macvtap }
818 mode { private | vepa | bridge | passthru [ nopromisc ] |
819 source [ nodst ] } [ bcqueuelen { LENGTH } ]
820 type { macvlan | macvtap } - specifies the link type to
823 use. macvlan creates just a virtual interface, while
824 macvtap in addition creates a character device /dev/tapX
825 to be used just like a tuntap device.
826 mode private - Do not allow communication between
828 macvlan instances on the same physical interface, even
829 if the external switch supports hairpin mode.
830 mode vepa - Virtual Ethernet Port Aggregator mode. Data
832 from one macvlan instance to the other on the same phys‐
833 ical interface is transmitted over the physical inter‐
834 face. Either the attached switch needs to support hair‐
835 pin mode, or there must be a TCP/IP router forwarding
836 the packets in order to allow communication. This is the
837 default mode.
838 mode bridge - In bridge mode, all endpoints are directly
840 connected to each other, communication is not redirected
841 through the physical interface's peer.
842 mode passthru [ nopromisc ] - This mode gives more power
844 to a single endpoint, usually in macvtap mode. It is not
845 allowed for more than one endpoint on the same physical
846 interface. All traffic will be forwarded to this end‐
847 point, allowing virtio guests to change MAC address or
848 set promiscuous mode in order to bridge the interface or
849 create vlan interfaces on top of it. By default, this
850 mode forces the underlying interface into promiscuous
851 mode. Passing the nopromisc flag prevents this, so the
852 promisc flag may be controlled using standard tools.
853 mode source [ nodst ] - allows one to set a list of al‐
855 lowed mac address, which is used to match against source
856 mac address from received frames on underlying inter‐
857 face. This allows creating mac based VLAN associations,
858 instead of standard port or tag based. The feature is
859 useful to deploy 802.1x mac based behavior, where driv‐
860 ers of underlying interfaces doesn't allows that. By de‐
861 fault, packets are also considered (duplicated) for des‐
862 tination-based MACVLAN. Passing the nodst flag stops
863 matching packets from also going through the destina‐
864 tion-based flow.
865 bcqueuelen { LENGTH } - Set the length of the RX queue
867 used to process broadcast and multicast packets. LENGTH
868 must be a positive integer in the range [0-4294967295].
869 Setting a length of 0 will effectively drop all broad‐
870 cast/multicast traffic. If not specified the macvlan
871 driver default (1000) is used. Note that all macvlans
872 that share the same underlying device are using the same
873 queue. The parameter here is a request, the actual queue
874 length used will be the maximum length that any macvlan
875 interface has requested. When listing device parameters
876 both the bcqueuelen parameter as well as the actual used
877 bcqueuelen are listed to better help the user understand
878 the setting.
879 High-availability Seamless Redundancy (HSR) Support
882 For a link of type HSR the following additional arguments are
883 supported:
884 ip link add link DEVICE name NAME type hsr slave1 SLAVE1-IF
886 slave2 SLAVE2-IF [ supervision ADDR-BYTE ] [ version { 0 | 1 } [
887 proto { 0 | 1 } ]
888 type hsr - specifies the link type to use, here HSR.
891 slave1 SLAVE1-IF - Specifies the physical device used
893 for the first of the two ring ports.
894 slave2 SLAVE2-IF - Specifies the physical device used
896 for the second of the two ring ports.
897 supervision ADDR-BYTE - The last byte of the multicast
899 address used for HSR supervision frames. Default option
900 is "0", possible values 0-255.
901 version { 0 | 1 } - Selects the protocol version of the
903 interface. Default option is "0", which corresponds to
904 the 2010 version of the HSR standard. Option "1" acti‐
905 vates the 2012 version.
906 proto { 0 | 1 } - Selects the protocol at the interface.
908 Default option is "0", which corresponds to the HSR
909 standard. Option "1" activates the Parallel Redundancy
910 Protocol (PRP).
911 BRIDGE Type Support
914 For a link of type BRIDGE the following additional arguments are
915 supported:
916 ip link add DEVICE type bridge [ ageing_time AGEING_TIME ] [
918 group_fwd_mask MASK ] [ group_address ADDRESS ] [ forward_delay
919 FORWARD_DELAY ] [ hello_time HELLO_TIME ] [ max_age MAX_AGE ] [
920 stp_state STP_STATE ] [ priority PRIORITY ] [ vlan_filtering
921 VLAN_FILTERING ] [ vlan_protocol VLAN_PROTOCOL ] [ vlan_de‐
922 fault_pvid VLAN_DEFAULT_PVID ] [ vlan_stats_enabled
923 VLAN_STATS_ENABLED ] [ vlan_stats_per_port VLAN_STATS_PER_PORT ]
924 [ mcast_snooping MULTICAST_SNOOPING ] [ mcast_router MULTI‐
925 CAST_ROUTER ] [ mcast_query_use_ifaddr MCAST_QUERY_USE_IFADDR ]
926 [ mcast_querier MULTICAST_QUERIER ] [ mcast_hash_elasticity
927 HASH_ELASTICITY ] [ mcast_hash_max HASH_MAX ] [ mcast_last_mem‐
928 ber_count LAST_MEMBER_COUNT ] [ mcast_startup_query_count
929 STARTUP_QUERY_COUNT ] [ mcast_last_member_interval LAST_MEM‐
930 BER_INTERVAL ] [ mcast_membership_interval MEMBERSHIP_INTERVAL ]
931 [ mcast_querier_interval QUERIER_INTERVAL ] [ mcast_query_inter‐
932 val QUERY_INTERVAL ] [ mcast_query_response_interval QUERY_RE‐
933 SPONSE_INTERVAL ] [ mcast_startup_query_interval
934 STARTUP_QUERY_INTERVAL ] [ mcast_stats_enabled MCAST_STATS_EN‐
935 ABLED ] [ mcast_igmp_version IGMP_VERSION ] [ mcast_mld_version
936 MLD_VERSION ] [ nf_call_iptables NF_CALL_IPTABLES ] [
937 nf_call_ip6tables NF_CALL_IP6TABLES ] [ nf_call_arptables
938 NF_CALL_ARPTABLES ]
939 ageing_time AGEING_TIME - configure the bridge's FDB en‐
942 tries ageing time, ie the number of seconds a MAC ad‐
943 dress will be kept in the FDB after a packet has been
944 received from that address. after this time has passed,
945 entries are cleaned up.
946 group_fwd_mask MASK - set the group forward mask. This
948 is the bitmask that is applied to decide whether to for‐
949 ward incoming frames destined to link-local addresses,
950 ie addresses of the form 01:80:C2:00:00:0X (defaults to
951 0, ie the bridge does not forward any link-local
952 frames).
953 group_address ADDRESS - set the MAC address of the mul‐
955 ticast group this bridge uses for STP. The address must
956 be a link-local address in standard Ethernet MAC address
957 format, ie an address of the form 01:80:C2:00:00:0X,
958 with X
959 in [0, 4..f].
960 forward_delay FORWARD_DELAY - set the forwarding delay
962 in seconds, ie the time spent in LISTENING state (before
963 moving to LEARNING) and in LEARNING state (before moving
964 to FORWARDING). Only relevant if STP is enabled. Valid
965 values are between 2 and 30.
966 hello_time HELLO_TIME - set the time in seconds between
968 hello packets sent by the bridge, when it is a root
969 bridge or a designated bridges. Only relevant if STP is
970 enabled. Valid values are between 1 and 10.
971 max_age MAX_AGE - set the hello packet timeout, ie the
973 time in seconds until another bridge in the spanning
974 tree is assumed to be dead, after reception of its last
975 hello message. Only relevant if STP is enabled. Valid
976 values are between 6 and 40.
977 stp_state STP_STATE - turn spanning tree protocol on
979 (STP_STATE > 0) or off (STP_STATE == 0). for this
980 bridge.
981 priority PRIORITY - set this bridge's spanning tree pri‐
983 ority, used during STP root bridge election. PRIORITY
984 is a 16bit unsigned integer.
985 vlan_filtering VLAN_FILTERING - turn VLAN filtering on
987 (VLAN_FILTERING > 0) or off (VLAN_FILTERING == 0). When
988 disabled, the bridge will not consider the VLAN tag when
989 handling packets.
990 vlan_protocol { 802.1Q | 802.1ad } - set the protocol
992 used for VLAN filtering.
993 vlan_default_pvid VLAN_DEFAULT_PVID - set the default
995 PVID (native/untagged VLAN ID) for this bridge.
996 vlan_stats_enabled VLAN_STATS_ENABLED - enable
998 (VLAN_STATS_ENABLED == 1) or disable (VLAN_STATS_ENABLED
999 == 0) per-VLAN stats accounting.
1000 vlan_stats_per_port VLAN_STATS_PER_PORT - enable
1002 (VLAN_STATS_PER_PORT == 1) or disable
1003 (VLAN_STATS_PER_PORT == 0) per-VLAN per-port stats ac‐
1004 counting. Can be changed only when there are no port
1005 VLANs configured.
1006 mcast_snooping MULTICAST_SNOOPING - turn multicast
1008 snooping on (MULTICAST_SNOOPING > 0) or off (MULTI‐
1009 CAST_SNOOPING == 0).
1010 mcast_router MULTICAST_ROUTER - set bridge's multicast
1012 router if IGMP snooping is enabled. MULTICAST_ROUTER is
1013 an integer value having the following meaning:
1014 0 - disabled.
1016 1 - automatic (queried).
1018 2 - permanently enabled.
1020 mcast_query_use_ifaddr MCAST_QUERY_USE_IFADDR - whether
1022 to use the bridge's own IP address as source address for
1023 IGMP queries (MCAST_QUERY_USE_IFADDR > 0) or the default
1024 of 0.0.0.0 (MCAST_QUERY_USE_IFADDR == 0).
1025 mcast_querier MULTICAST_QUERIER - enable (MULTI‐
1027 CAST_QUERIER > 0) or disable (MULTICAST_QUERIER == 0)
1028 IGMP querier, ie sending of multicast queries by the
1029 bridge (default: disabled).
1030 mcast_querier_interval QUERIER_INTERVAL - interval be‐
1032 tween queries sent by other routers. if no queries are
1033 seen after this delay has passed, the bridge will start
1034 to send its own queries (as if mcast_querier was en‐
1035 abled).
1036 mcast_hash_elasticity HASH_ELASTICITY - set multicast
1038 database hash elasticity, ie the maximum chain length in
1039 the multicast hash table (defaults to 4).
1040 mcast_hash_max HASH_MAX - set maximum size of multicast
1042 hash table (defaults to 512, value must be a power of
1043 2).
1044 mcast_last_member_count LAST_MEMBER_COUNT - set multi‐
1046 cast last member count, ie the number of queries the
1047 bridge will send before stopping forwarding a multicast
1048 group after a "leave" message has been received (de‐
1049 faults to 2).
1050 mcast_last_member_interval LAST_MEMBER_INTERVAL - inter‐
1052 val between queries to find remaining members of a
1053 group, after a "leave" message is received.
1054 mcast_startup_query_count STARTUP_QUERY_COUNT - set the
1056 number of IGMP queries to send during startup phase (de‐
1057 faults to 2).
1058 mcast_startup_query_interval STARTUP_QUERY_INTERVAL -
1060 interval between queries in the startup phase.
1061 mcast_query_interval QUERY_INTERVAL - interval between
1063 queries sent by the bridge after the end of the startup
1064 phase.
1065 mcast_query_response_interval QUERY_RESPONSE_INTERVAL -
1067 set the Max Response Time/Maximum Response Delay for
1068 IGMP/MLD queries sent by the bridge.
1069 mcast_membership_interval MEMBERSHIP_INTERVAL - delay
1071 after which the bridge will leave a group, if no member‐
1072 ship reports for this group are received.
1073 mcast_stats_enabled MCAST_STATS_ENABLED - enable
1075 (MCAST_STATS_ENABLED > 0) or disable (MCAST_STATS_EN‐
1076 ABLED == 0) multicast (IGMP/MLD) stats accounting.
1077 mcast_igmp_version IGMP_VERSION - set the IGMP version.
1079 mcast_mld_version MLD_VERSION - set the MLD version.
1081 nf_call_iptables NF_CALL_IPTABLES - enable (NF_CALL_IPT‐
1083 ABLES > 0) or disable (NF_CALL_IPTABLES == 0) iptables
1084 hooks on the bridge.
1085 nf_call_ip6tables NF_CALL_IP6TABLES - enable
1087 (NF_CALL_IP6TABLES > 0) or disable (NF_CALL_IP6TABLES ==
1088 0) ip6tables hooks on the bridge.
1089 nf_call_arptables NF_CALL_ARPTABLES - enable
1091 (NF_CALL_ARPTABLES > 0) or disable (NF_CALL_ARPTABLES ==
1092 0) arptables hooks on the bridge.
1093 MACsec Type Support
1098 For a link of type MACsec the following additional arguments are
1099 supported:
1100 ip link add link DEVICE name NAME type macsec [ [ address
1102 <lladdr> ] port PORT | sci SCI ] [ cipher CIPHER_SUITE ] [
1103 icvlen { 8..16 } ] [ encrypt { on | off } ] [ send_sci { on |
1104 off } ] [ end_station { on | off } ] [ scb { on | off } ] [ pro‐
1105 tect { on | off } ] [ replay { on | off } window { 0..2^32-1 } ]
1106 [ validate { strict | check | disabled } ] [ encodingsa { 0..3 }
1107 ]
1108 address <lladdr> - sets the system identifier component
1111 of secure channel for this MACsec device.
1112 port PORT - sets the port number component of secure
1115 channel for this MACsec device, in a range from 1 to
1116 65535 inclusive. Numbers with a leading " 0 " or " 0x "
1117 are interpreted as octal and hexadecimal, respectively.
1118 sci SCI - sets the secure channel identifier for this
1121 MACsec device. SCI is a 64bit wide number in hexadeci‐
1122 mal format.
1123 cipher CIPHER_SUITE - defines the cipher suite to use.
1126 icvlen LENGTH - sets the length of the Integrity Check
1129 Value (ICV).
1130 encrypt on or encrypt off - switches between authenti‐
1133 cated encryption, or authenticity mode only.
1134 send_sci on or send_sci off - specifies whether the SCI
1137 is included in every packet, or only when it is neces‐
1138 sary.
1139 end_station on or end_station off - sets the End Station
1142 bit.
1143 scb on or scb off - sets the Single Copy Broadcast bit.
1146 protect on or protect off - enables MACsec protection on
1149 the device.
1150 replay on or replay off - enables replay protection on
1153 the device.
1154 window SIZE - sets the size of the replay win‐
1158 dow.
1159 validate strict or validate check or validate disabled -
1163 sets the validation mode on the device.
1164 encodingsa AN - sets the active secure association for
1167 transmission.
1168 VRF Type Support
1172 For a link of type VRF the following additional arguments are
1173 supported:
1174 ip link add DEVICE type vrf table TABLE
1176 table table id associated with VRF device
1179 RMNET Type Support
1183 For a link of type RMNET the following additional arguments are
1184 supported:
1185 ip link add link DEVICE name NAME type rmnet mux_id MUXID
1187 mux_id MUXID - specifies the mux identifier for the rm‐
1190 net device, possible values 1-254.
1191 XFRM Type Support
1195 For a link of type XFRM the following additional arguments are
1196 supported:
1197 ip link add DEVICE type xfrm dev PHYS_DEV [ if_id IF_ID ]
1199 dev PHYS_DEV - specifies the underlying physical inter‐
1202 face from which transform traffic is sent and received.
1203 if_id IF-ID - specifies the hexadecimal lookup key used
1206 to send traffic to and from specific xfrm policies.
1207 Policies must be configured with the same key. If not
1208 set, the key defaults to 0 and will match any policies
1209 which similarly do not have a lookup key configuration.
1210 ip link delete - delete virtual link
1214 dev DEVICE
1215 specifies the virtual device to act operate on.
1216 group GROUP
1219 specifies the group of virtual links to delete. Group 0 is not
1220 allowed to be deleted since it is the default group.
1221 type TYPE
1224 specifies the type of the device.
1225 ip link set - change device attributes
1228 Warning: If multiple parameter changes are requested, ip aborts immedi‐
1229 ately after any of the changes have failed. This is the only case when
1230 ip can move the system to an unpredictable state. The solution is to
1231 avoid changing several parameters with one ip link set call. The modi‐
1232 fier change is equivalent to set.
1233 dev DEVICE
1237 DEVICE specifies network device to operate on. When configuring
1238 SR-IOV Virtual Function (VF) devices, this keyword should spec‐
1239 ify the associated Physical Function (PF) device.
1240 group GROUP
1243 GROUP has a dual role: If both group and dev are present, then
1244 move the device to the specified group. If only a group is spec‐
1245 ified, then the command operates on all devices in that group.
1246 up and down
1249 change the state of the device to UP or DOWN.
1250 arp on or arp off
1253 change the NOARP flag on the device.
1254 multicast on or multicast off
1257 change the MULTICAST flag on the device.
1258 allmulticast on or allmulticast off
1261 change the ALLMULTI flag on the device. When enabled, instructs
1262 network driver to retrieve all multicast packets from the net‐
1263 work to the kernel for further processing.
1264 promisc on or promisc off
1267 change the PROMISC flag on the device. When enabled, activates
1268 promiscuous operation of the network device.
1269 trailers on or trailers off
1272 change the NOTRAILERS flag on the device, NOT used by the Linux
1273 and exists for BSD compatibility.
1274 protodown on or protodown off
1277 change the PROTODOWN state on the device. Indicates that a pro‐
1278 tocol error has been detected on the port. Switch drivers can
1279 react to this error by doing a phys down on the switch port.
1280 protodown_reason PREASON on or off
1283 set PROTODOWN reasons on the device. protodown reason bit names
1284 can be enumerated under /etc/iproute2/protodown_reasons.d/. pos‐
1285 sible reasons bits 0-31
1286 dynamic on or dynamic off
1289 change the DYNAMIC flag on the device. Indicates that address
1290 can change when interface goes down (currently NOT used by the
1291 Linux).
1292 name NAME
1295 change the name of the device. This operation is not recommended
1296 if the device is running or has some addresses already config‐
1297 ured.
1298 txqueuelen NUMBER
1301 txqlen NUMBER
1303 change the transmit queue length of the device.
1304 mtu NUMBER
1307 change the MTU of the device.
1308 address LLADDRESS
1311 change the station address of the interface.
1312 broadcast LLADDRESS
1315 brd LLADDRESS
1317 peer LLADDRESS
1319 change the link layer broadcast address or the peer address when
1320 the interface is POINTOPOINT.
1321 netns NETNSNAME | PID
1324 move the device to the network namespace associated with name
1325 NETNSNAME or process PID.
1326 Some devices are not allowed to change network namespace: loop‐
1328 back, bridge, wireless. These are network namespace local de‐
1329 vices. In such case ip tool will return "Invalid argument" er‐
1330 ror. It is possible to find out if device is local to a single
1331 network namespace by checking netns-local flag in the output of
1332 the ethtool:
1333 ethtool -k DEVICE
1335 To change network namespace for wireless devices the iw tool can
1337 be used. But it allows to change network namespace only for
1338 physical devices and by process PID.
1339 alias NAME
1342 give the device a symbolic name for easy reference.
1343 group GROUP
1346 specify the group the device belongs to. The available groups
1347 are listed in file /etc/iproute2/group.
1348 vf NUM specify a Virtual Function device to be configured. The associ‐
1351 ated PF device must be specified using the dev parameter.
1352 mac LLADDRESS - change the station address for the spec‐
1354 ified VF. The vf parameter must be specified.
1355 vlan VLANID - change the assigned VLAN for the specified
1358 VF. When specified, all traffic sent from the VF will be
1359 tagged with the specified VLAN ID. Incoming traffic will
1360 be filtered for the specified VLAN ID, and will have all
1361 VLAN tags stripped before being passed to the VF. Set‐
1362 ting this parameter to 0 disables VLAN tagging and fil‐
1363 tering. The vf parameter must be specified.
1364 qos VLAN-QOS - assign VLAN QOS (priority) bits for the
1367 VLAN tag. When specified, all VLAN tags transmitted by
1368 the VF will include the specified priority bits in the
1369 VLAN tag. If not specified, the value is assumed to be
1370 0. Both the vf and vlan parameters must be specified.
1371 Setting both vlan and qos as 0 disables VLAN tagging and
1372 filtering for the VF.
1373 proto VLAN-PROTO - assign VLAN PROTOCOL for the VLAN
1376 tag, either 802.1Q or 802.1ad. Setting to 802.1ad, all
1377 traffic sent from the VF will be tagged with VLAN S-Tag.
1378 Incoming traffic will have VLAN S-Tags stripped before
1379 being passed to the VF. Setting to 802.1ad also enables
1380 an option to concatenate another VLAN tag, so both S-TAG
1381 and C-TAG will be inserted/stripped for outgoing/incom‐
1382 ing traffic, respectively. If not specified, the value
1383 is assumed to be 802.1Q. Both the vf and vlan parameters
1384 must be specified.
1385 rate TXRATE -- change the allowed transmit bandwidth, in
1388 Mbps, for the specified VF. Setting this parameter to 0
1389 disables rate limiting. vf parameter must be specified.
1390 Please use new API max_tx_rate option instead.
1391 max_tx_rate TXRATE - change the allowed maximum transmit
1394 bandwidth, in Mbps, for the specified VF. Setting this
1395 parameter to 0 disables rate limiting. vf parameter
1396 must be specified.
1397 min_tx_rate TXRATE - change the allowed minimum transmit
1400 bandwidth, in Mbps, for the specified VF. Minimum
1401 TXRATE should be always <= Maximum TXRATE. Setting this
1402 parameter to 0 disables rate limiting. vf parameter
1403 must be specified.
1404 spoofchk on|off - turn packet spoof checking on or off
1407 for the specified VF.
1408 query_rss on|off - toggle the ability of querying the
1410 RSS configuration of a specific
1411 VF. VF RSS information like RSS hash key may be con‐
1412 sidered sensitive
1413 on some devices where this information is shared be‐
1414 tween VF and PF
1415 and thus its querying may be prohibited by default.
1416 state auto|enable|disable - set the virtual link state
1418 as seen by the specified VF. Setting to auto means a re‐
1419 flection of the PF link state, enable lets the VF to
1420 communicate with other VFs on this host even if the PF
1421 link state is down, disable causes the HW to drop any
1422 packets sent by the VF.
1423 trust on|off - trust the specified VF user. This enables
1425 that VF user can set a specific feature which may impact
1426 security and/or performance. (e.g. VF multicast promis‐
1427 cuous mode)
1428 node_guid eui64 - configure node GUID for Infiniband
1430 VFs.
1431 port_guid eui64 - configure port GUID for Infiniband
1433 VFs.
1434 xdp object | pinned | off
1437 set (or unset) a XDP ("eXpress Data Path") BPF program to run on
1438 every packet at driver level. ip link output will indicate a
1439 xdp flag for the networking device. If the driver does not have
1440 native XDP support, the kernel will fall back to a slower,
1441 driver-independent "generic" XDP variant. The ip link output
1442 will in that case indicate xdpgeneric instead of xdp only. If
1443 the driver does have native XDP support, but the program is
1444 loaded under xdpgeneric object | pinned then the kernel will use
1445 the generic XDP variant instead of the native one. xdpdrv has
1446 the opposite effect of requestsing that the automatic fallback
1447 to the generic XDP variant be disabled and in case driver is not
1448 XDP-capable error should be returned. xdpdrv also disables
1449 hardware offloads. xdpoffload in ip link output indicates that
1450 the program has been offloaded to hardware and can also be used
1451 to request the "offload" mode, much like xdpgeneric it forces
1452 program to be installed specifically in HW/FW of the apater.
1453 off (or none ) - Detaches any currently attached XDP/BPF program
1455 from the given device.
1456 object FILE - Attaches a XDP/BPF program to the given device.
1458 The FILE points to a BPF ELF file (f.e. generated by LLVM) that
1459 contains the BPF program code, map specifications, etc. If a
1460 XDP/BPF program is already attached to the given device, an er‐
1461 ror will be thrown. If no XDP/BPF program is currently attached,
1462 the device supports XDP and the program from the BPF ELF file
1463 passes the kernel verifier, then it will be attached to the de‐
1464 vice. If the option -force is passed to ip then any prior at‐
1465 tached XDP/BPF program will be atomically overridden and no er‐
1466 ror will be thrown in this case. If no section option is passed,
1467 then the default section name ("prog") will be assumed, other‐
1468 wise the provided section name will be used. If no verbose op‐
1469 tion is passed, then a verifier log will only be dumped on load
1470 error. See also EXAMPLES section for usage examples.
1471 section NAME - Specifies a section name that contains the BPF
1473 program code. If no section name is specified, the default one
1474 ("prog") will be used. This option is to be passed with the ob‐
1475 ject option.
1476 verbose - Act in verbose mode. For example, even in case of suc‐
1478 cess, this will print the verifier log in case a program was
1479 loaded from a BPF ELF file.
1480 pinned FILE - Attaches a XDP/BPF program to the given device.
1482 The FILE points to an already pinned BPF program in the BPF file
1483 system. The option section doesn't apply here, but otherwise se‐
1484 mantics are the same as with the option object described al‐
1485 ready.
1486 master DEVICE
1489 set master device of the device (enslave device).
1490 nomaster
1493 unset master device of the device (release device).
1494 addrgenmode eui64|none|stable_secret|random
1497 set the IPv6 address generation mode
1498 eui64 - use a Modified EUI-64 format interface identifier
1500 none - disable automatic address generation
1502 stable_secret - generate the interface identifier based on a
1504 preset
1505 /proc/sys/net/ipv6/conf/{default,DEVICE}/stable_secret
1506 random - like stable_secret, but auto-generate a new random se‐
1508 cret if none is set
1509 link-netnsid
1512 set peer netnsid for a cross-netns interface
1513 type ETYPE TYPE_ARGS
1516 Change type-specific settings. For a list of supported types and
1517 arguments refer to the description of ip link add above. In ad‐
1518 dition to that, it is possible to manipulate settings to slave
1519 devices:
1520 Bridge Slave Support
1523 For a link with master bridge the following additional arguments
1524 are supported:
1525 ip link set type bridge_slave [ fdb_flush ] [ state STATE ] [
1527 priority PRIO ] [ cost COST ] [ guard { on | off } ] [ hairpin {
1528 on | off } ] [ fastleave { on | off } ] [ root_block { on | off
1529 } ] [ learning { on | off } ] [ flood { on | off } ] [ proxy_arp
1530 { on | off } ] [ proxy_arp_wifi { on | off } ] [ mcast_router
1531 MULTICAST_ROUTER ] [ mcast_fast_leave { on | off} ] [
1532 mcast_flood { on | off } ] [ mcast_to_unicast { on | off } ] [
1533 group_fwd_mask MASK ] [ neigh_suppress { on | off } ] [
1534 vlan_tunnel { on | off } ] [ isolated { on | off } ] [
1535 backup_port DEVICE ] [ nobackup_port ]
1536 fdb_flush - flush bridge slave's fdb dynamic entries.
1539 state STATE - Set port state. STATE is a number repre‐
1541 senting the following states: 0 (disabled), 1 (listen‐
1542 ing), 2 (learning), 3 (forwarding), 4 (blocking).
1543 priority PRIO - set port priority (allowed values are
1545 between 0 and 63, inclusively).
1546 cost COST - set port cost (allowed values are between 1
1548 and 65535, inclusively).
1549 guard { on | off } - block incoming BPDU packets on this
1551 port.
1552 hairpin { on | off } - enable hairpin mode on this port.
1554 This will allow incoming packets on this port to be re‐
1555 flected back.
1556 fastleave { on | off } - enable multicast fast leave on
1558 this port.
1559 root_block { on | off } - block this port from becoming
1561 the bridge's root port.
1562 learning { on | off } - allow MAC address learning on
1564 this port.
1565 flood { on | off } - open the flood gates on this port,
1567 i.e. forward all unicast frames to this port also. Re‐
1568 quires proxy_arp and proxy_arp_wifi to be turned off.
1569 proxy_arp { on | off } - enable proxy ARP on this port.
1571 proxy_arp_wifi { on | off } - enable proxy ARP on this
1573 port which meets extended requirements by IEEE 802.11
1574 and Hotspot 2.0 specifications.
1575 mcast_router MULTICAST_ROUTER - configure this port for
1577 having multicast routers attached. A port with a multi‐
1578 cast router will receive all multicast traffic. MULTI‐
1579 CAST_ROUTER may be either 0 to disable multicast routers
1580 on this port, 1 to let the system detect the presence of
1581 routers (this is the default), 2 to permanently enable
1582 multicast traffic forwarding on this port or 3 to enable
1583 multicast routers temporarily on this port, not depend‐
1584 ing on incoming queries.
1585 mcast_fast_leave { on | off } - this is a synonym to the
1587 fastleave option above.
1588 mcast_flood { on | off } - controls whether a given port
1590 will flood multicast traffic for which
1591 there is no MDB entry.
1592 mcast_to_unicast { on | off } - controls whether a given
1594 port will replicate packets using unicast
1595 instead of multicast. By default this flag is off.
1596 group_fwd_mask MASK - set the group forward mask. This
1598 is the bitmask that is applied to decide whether to for‐
1599 ward incoming frames destined to link-local addresses,
1600 ie addresses of the form 01:80:C2:00:00:0X (defaults to
1601 0, ie the bridge does not forward any link-local frames
1602 coming on this port).
1603 neigh_suppress { on | off } - controls whether neigh
1605 discovery (arp and nd) proxy and suppression is enabled
1606 on the port. By default this flag is off.
1607 vlan_tunnel { on | off } - controls whether vlan to tun‐
1609 nel mapping is enabled on the port. By default this flag
1610 is off.
1611 backup_port DEVICE - if the port loses carrier all traf‐
1613 fic will be redirected to the configured backup port
1614 nobackup_port - removes the currently configured backup
1616 port
1617 Bonding Slave Support
1621 For a link with master bond the following additional arguments
1622 are supported:
1623 ip link set type bond_slave [ queue_id ID ]
1625 queue_id ID - set the slave's queue ID (a 16bit unsigned
1628 value).
1629 MACVLAN and MACVTAP Support
1633 Modify list of allowed macaddr for link in source mode.
1634 ip link set type { macvlan | macvap } [ macaddr COMMAND MACADDR
1636 ... ]
1637 Commands:
1639 add - add MACADDR to allowed list
1640 set - replace allowed list
1642 del - remove MACADDR from allowed list
1644 flush - flush whole allowed list
1646 Update the broadcast/multicast queue length.
1649 ip link set type { macvlan | macvap } [ bcqueuelen LENGTH ]
1651 bcqueuelen LENGTH - Set the length of the RX queue used
1653 to process broadcast and multicast packets. LENGTH must
1654 be a positive integer in the range [0-4294967295]. Set‐
1655 ting a length of 0 will effectively drop all broad‐
1656 cast/multicast traffic. If not specified the macvlan
1657 driver default (1000) is used. Note that all macvlans
1658 that share the same underlying device are using the same
1659 queue. The parameter here is a request, the actual queue
1660 length used will be the maximum length that any macvlan
1661 interface has requested. When listing device parameters
1662 both the bcqueuelen parameter as well as the actual used
1663 bcqueuelen are listed to better help the user understand
1664 the setting.
1665 ip link show - display device attributes
1668 dev NAME (default)
1669 NAME specifies the network device to show.
1670 group GROUP
1673 GROUP specifies what group of devices to show.
1674 up only display running interfaces.
1677 master DEVICE
1680 DEVICE specifies the master device which enslaves devices to
1681 show.
1682 vrf NAME
1685 NAME specifies the VRF which enslaves devices to show.
1686 type TYPE
1689 TYPE specifies the type of devices to show.
1690 Note that the type name is not checked against the list of sup‐
1692 ported types - instead it is sent as-is to the kernel. Later it
1693 is used to filter the returned interface list by comparing it
1694 with the relevant attribute in case the kernel didn't filter al‐
1695 ready. Therefore any string is accepted, but may lead to empty
1696 output.
1697 ip link xstats - display extended statistics
1700 type TYPE
1701 TYPE specifies the type of devices to display extended statis‐
1702 tics for.
1703 ip link afstats - display address-family specific statistics
1706 dev DEVICE
1707 DEVICE specifies the device to display address-family statistics
1708 for.
1709 ip link help - display help
1712 TYPE specifies which help of link type to display.
1713 GROUP
1716 may be a number or a string from the file /etc/iproute2/group which can
1717 be manually filled.
1718
1721 ip link show
1722 Shows the state of all network interfaces on the system.
1723 ip link show type bridge
1725 Shows the bridge devices.
1726 ip link show type vlan
1728 Shows the vlan devices.
1729 ip link show master br0
1731 Shows devices enslaved by br0
1732 ip link set dev ppp0 mtu 1400
1734 Change the MTU the ppp0 device.
1735 ip link add link eth0 name eth0.10 type vlan id 10
1737 Creates a new vlan device eth0.10 on device eth0.
1738 ip link delete dev eth0.10
1740 Removes vlan device.
1741 ip link help gre
1743 Display help for the gre link type.
1744 ip link add name tun1 type ipip remote 192.168.1.1 local 192.168.1.2
1746 ttl 225 encap gue encap-sport auto encap-dport 5555 encap-csum encap-
1747 remcsum
1748 Creates an IPIP that is encapsulated with Generic UDP Encapsula‐
1749 tion, and the outer UDP checksum and remote checksum offload are
1750 enabled.
1751 ip link set dev eth0 xdp obj prog.o
1753 Attaches a XDP/BPF program to device eth0, where the program is lo‐
1754 cated in prog.o, section "prog" (default section). In case a
1755 XDP/BPF program is already attached, throw an error.
1756 ip -force link set dev eth0 xdp obj prog.o sec foo
1758 Attaches a XDP/BPF program to device eth0, where the program is lo‐
1759 cated in prog.o, section "foo". In case a XDP/BPF program is al‐
1760 ready attached, it will be overridden by the new one.
1761 ip -force link set dev eth0 xdp pinned /sys/fs/bpf/foo
1763 Attaches a XDP/BPF program to device eth0, where the program was
1764 previously pinned as an object node into BPF file system under name
1765 foo.
1766 ip link set dev eth0 xdp off
1768 If a XDP/BPF program is attached on device eth0, detach it and ef‐
1769 fectively turn off XDP for device eth0.
1770 ip link add link wpan0 lowpan0 type lowpan
1772 Creates a 6LoWPAN interface named lowpan0 on the underlying IEEE
1773 802.15.4 device wpan0.
1774 ip link add dev ip6erspan11 type ip6erspan seq key 102 local
1776 fc00:100::2 remote fc00:100::1 erspan_ver 2 erspan_dir ingress
1777 erspan_hwid 17
1778 Creates a IP6ERSPAN version 2 interface named ip6erspan00.
1779
1782 ip(8), ip-netns(8), ethtool(8), iptables(8)
1783
1786 Original Manpage by Michail Litvak <mci@owl.openwall.com>
1787iproute2 13 Dec 2012 IP-LINK(8)