IP-LINK(8)                           Linux                          IP-LINK(8)

NAME

       ip-link - network device configuration

SYNOPSIS

       ip link  { COMMAND | help }

       ip link add [ link DEVICE ] [ name ] NAME
               [ txqueuelen PACKETS ]
               [ address LLADDR ] [ broadcast LLADDR ]
               [ mtu MTU ] [ index IDX ]
               [ numtxqueues QUEUE_COUNT ] [ numrxqueues QUEUE_COUNT ]
               [ gso_max_size BYTES ] [ gso_max_segs SEGMENTS ]
               [ gro_max_size BYTES ]
               type TYPE [ ARGS ]

       ip link delete { DEVICE | group GROUP } type TYPE [ ARGS ]

       ip link set { DEVICE | group GROUP }
               [ { up | down } ]
               [ type ETYPE TYPE_ARGS ]
               [ arp { on | off } ]
               [ dynamic { on | off } ]
               [ multicast { on | off } ]
               [ allmulticast { on | off } ]
               [ promisc { on | off } ]
               [ protodown { on | off } ]
               [ protodown_reason PREASON { on | off } ]
               [ trailers { on | off } ]
               [ txqueuelen PACKETS ]
               [ max_gso_size BYTES ] [ max_gso_segs SEGMENTS ]
               [ max_gro_size BYTES ]
               [ name NEWNAME ]
               [ address LLADDR ]
               [ broadcast LLADDR ]
               [ mtu MTU ]
               [ netns { PID | NETNSNAME } ]
               [ link-netnsid ID ]
               [ alias NAME ]
               [ vf NUM [ mac LLADDR ]
                        [ VFVLAN-LIST ]
                        [ rate TXRATE ]
                        [ max_tx_rate TXRATE ]
                        [ min_tx_rate TXRATE ]
                        [ spoofchk { on | off } ]
                        [ query_rss { on | off } ]
                        [ state { auto | enable | disable } ]
                        [ trust { on | off } ]
                        [ node_guid eui64 ]
                        [ port_guid eui64 ] ]
               [ { xdp | xdpgeneric | xdpdrv | xdpoffload } { off |
                       object FILE [ section NAME ] [ verbose ] |
                       pinned FILE } ]
               [ master DEVICE ]
               [ nomaster ]
               [ vrf NAME ]
               [ addrgenmode { eui64 | none | stable_secret | random } ]
               [ macaddr [ MACADDR ]
                         [ { flush | add | del } MACADDR ]
                         [ set MACADDR ] ]

       ip link show [ DEVICE | group GROUP ] [ up ] [ master DEVICE ]
               [ type ETYPE ] [ vrf NAME ] [ nomaster ]

       ip link xstats type TYPE [ ARGS ]

       ip link afstats [ dev DEVICE ]

       ip link help [ TYPE ]

       TYPE := [ amt | bridge | bond | can | dummy | hsr | ifb |
               ipoib | macvlan | macvtap | vcan | vxcan | veth |
               vlan | vxlan | ip6tnl | ipip | sit | gre | gretap |
               erspan | ip6gre | ip6gretap | ip6erspan | vti | nlmon |
               ipvlan | ipvtap | lowpan | geneve | bareudp | vrf |
               macsec | netdevsim | rmnet | xfrm | gtp ]

       ETYPE := [ TYPE | bridge_slave | bond_slave ]

       VFVLAN-LIST := [ VFVLAN-LIST ] VFVLAN

       VFVLAN := [ vlan VLANID [ qos VLAN-QOS ] [ proto VLAN-PROTO ] ]

       ip link property add dev DEVICE [ altname NAME .. ]

       ip link property del dev DEVICE [ altname NAME .. ]

DESCRIPTION

   ip link add - add virtual link
       link DEVICE
              specifies the physical device to act on.

              NAME specifies the name of the new virtual device.

              TYPE specifies the type of the new device.

              Link types:

                      bridge - Ethernet Bridge device

                      bond - Bonding device

                      dummy - Dummy network interface

                      hsr - High-availability Seamless Redundancy device

                      ifb - Intermediate Functional Block device

                      ipoib - IP over Infiniband device

                      macvlan - Virtual interface based on link layer address
                      (MAC)

                      macvtap - Virtual interface based on link layer address
                      (MAC) and TAP.

                      vcan - Virtual Controller Area Network interface

                      vxcan - Virtual Controller Area Network tunnel interface

                      veth - Virtual ethernet interface

                      vlan - 802.1q tagged virtual LAN interface

                      vxlan - Virtual eXtended LAN

                      ip6tnl - Virtual tunnel interface IPv4|IPv6 over IPv6

                      ipip - Virtual tunnel interface IPv4 over IPv4

                      sit - Virtual tunnel interface IPv6 over IPv4

                      gre - Virtual tunnel interface GRE over IPv4

                      gretap - Virtual L2 tunnel interface GRE over IPv4

                      erspan - Encapsulated Remote SPAN over GRE and IPv4

                      ip6gre - Virtual tunnel interface GRE over IPv6

                      ip6gretap - Virtual L2 tunnel interface GRE over IPv6

                      ip6erspan - Encapsulated Remote SPAN over GRE and IPv6

                      vti - Virtual tunnel interface

                      nlmon - Netlink monitoring device

                      ipvlan - Interface for L3 (IPv6/IPv4) based VLANs

                      ipvtap - Interface for L3 (IPv6/IPv4) based VLANs and
                      TAP

                      lowpan - Interface for 6LoWPAN (IPv6) over IEEE 802.15.4
                      / Bluetooth

                      geneve - GEneric NEtwork Virtualization Encapsulation

                      bareudp - Bare UDP L3 encapsulation support

                      amt - Automatic Multicast Tunneling (AMT)

                      macsec - Interface for IEEE 802.1AE MAC Security (MACsec)

                      vrf - Interface for L3 VRF domains

                      netdevsim - Interface for netdev API tests

                      rmnet - Qualcomm rmnet device

                      xfrm - Virtual xfrm interface

                      gtp - GPRS Tunneling Protocol

       numtxqueues QUEUE_COUNT
              specifies the number of transmit queues for the new device.

       numrxqueues QUEUE_COUNT
              specifies the number of receive queues for the new device.

       gso_max_size BYTES
              specifies the recommended maximum size of a Generic Segment
              Offload packet the new device should accept.

       gso_max_segs SEGMENTS
              specifies the recommended maximum number of Generic Segment
              Offload segments the new device should accept.

       gro_max_size BYTES
              specifies the maximum size of a packet built by the GRO stack
              on this device.

       index IDX
              specifies the desired index of the new virtual device. The link
              creation fails if the index is busy.

       VLAN Type Support
              For a link of type VLAN the following additional arguments are
              supported:

              ip link add link DEVICE name NAME type vlan [ protocol
              VLAN_PROTO ] id VLANID [ reorder_hdr { on | off } ] [ gvrp { on
              | off } ] [ mvrp { on | off } ] [ loose_binding { on | off } ] [
              bridge_binding { on | off } ] [ ingress-qos-map QOS-MAP ] [
              egress-qos-map QOS-MAP ]

                      protocol VLAN_PROTO - either 802.1Q or 802.1ad.

                      id VLANID - specifies the VLAN Identifier to use. Note
                      that numbers with a leading "0" or "0x" are interpreted
                      as octal or hexadecimal, respectively.

                      reorder_hdr { on | off } - specifies whether ethernet
                      headers are reordered or not (default is on).

                          If reorder_hdr is on, the VLAN header is not
                          inserted immediately but only before the packet is
                          passed to the physical device (if this device does
                          not support VLAN offloading). The RX direction is
                          similar: by default the packet is untagged before
                          being received by the VLAN device. Reordering allows
                          one to accelerate tagging on egress and to hide the
                          VLAN header on ingress so the packet looks like a
                          regular Ethernet packet. At the same time it might
                          be confusing for packet capture, as the VLAN header
                          does not exist within the packet.

                          VLAN offloading can be checked by ethtool(8):

                              ethtool -k <phy_dev> | grep tx-vlan-offload

                          where <phy_dev> is the physical device to which the
                          VLAN device is bound.

                      gvrp { on | off } - specifies whether this VLAN should
                      be registered using GARP VLAN Registration Protocol.

                      mvrp { on | off } - specifies whether this VLAN should
                      be registered using Multiple VLAN Registration Protocol.

                      loose_binding { on | off } - specifies whether the VLAN
                      device state is bound to the physical device state.

                      bridge_binding { on | off } - specifies whether the VLAN
                      device link state tracks the state of bridge ports that
                      are members of the VLAN.

                      ingress-qos-map QOS-MAP - defines a mapping of VLAN
                      header prio field to the Linux internal packet priority
                      on incoming frames. The format is FROM:TO with multiple
                      mappings separated by spaces.

                      egress-qos-map QOS-MAP - defines a mapping of Linux
                      internal packet priority to VLAN header prio field but
                      for outgoing frames. The format is the same as for
                      ingress-qos-map.

                          Linux packet priority can be set by iptables(8):

                              iptables -t mangle -A POSTROUTING [...] -j CLASSIFY --set-class 0:4

                          and this "4" priority can be used in the egress qos
                          mapping to set VLAN prio "5":

                              ip link set veth0.10 type vlan egress 4:5

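The octal/hexadecimal rule for VLANID matters when IDs come from inventory files or templates: a zero-padded "0100" lands the interface in VLAN 64, not VLAN 100. The following is an added example, not part of the ip-link manual; the function names are hypothetical and the accepted range 1..4094 is an assumed site policy (802.1Q reserves 0 and 4095).

```shell
#!/bin/sh
# Added example: lint VLAN IDs before they reach "ip link add ... type vlan id".
# Applies the rule stated above: leading "0" = octal, leading "0x" = hex.

# Print the decimal VLAN ID that the string $1 denotes under that rule.
# Returns 1 for malformed input, 2 for values outside 1..4094.
vlan_id_effective() {
    raw=$1
    # Bound the length so the arithmetic expansion below cannot overflow.
    [ "${#raw}" -ge 1 ] && [ "${#raw}" -le 8 ] || return 1
    # Whitelist the characters first; only clean literals reach $(( )).
    case $raw in
        0[xX]*)
            digits=${raw#0[xX]}
            case $digits in ''|*[!0-9a-fA-F]*) return 1 ;; esac ;;
        0?*)
            # Octal: "08" and "09" are not valid numbers at all.
            case $raw in *[!0-7]*) return 1 ;; esac ;;
        *)
            case $raw in *[!0-9]*) return 1 ;; esac ;;
    esac
    id=$(($raw))
    [ "$id" -ge 1 ] && [ "$id" -le 4094 ] || return 2
    printf '%s\n' "$id"
}

# Classify one ID: plain decimal, silently re-based, or rejected.
vlan_id_lint() {
    raw=$1
    if ! eff=$(vlan_id_effective "$raw"); then
        printf 'reject %s\n' "$raw"
        return 1
    fi
    case $raw in
        0[xX]*) printf 'hex %s -> %s\n' "$raw" "$eff" ;;
        0?*)    printf 'octal %s -> %s\n' "$raw" "$eff" ;;
        *)      printf 'ok %s\n' "$eff" ;;
    esac
}

# Constructed sample input, as it might appear in a provisioning template.
for v in 100 0100 0x64 08 4095; do
    vlan_id_lint "$v" || true
done
```
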
       VXLAN Type Support
              For a link of type VXLAN the following additional arguments are
              supported:

              ip link add DEVICE type vxlan id VNI [ dev PHYS_DEV  ] [ { group
              | remote } IPADDR ] [ local { IPADDR | any } ] [ ttl TTL ] [ tos
              TOS ] [ df DF ] [ flowlabel FLOWLABEL ] [ dstport PORT ] [
              srcport MIN MAX ] [ [no]learning ] [ [no]proxy ] [ [no]rsc ] [
              [no]l2miss ] [ [no]l3miss ] [ [no]udpcsum ] [ [no]udp6zerocsumtx
              ] [ [no]udp6zerocsumrx ] [ ageing SECONDS ] [ maxaddress NUMBER
              ] [ [no]external ] [ gbp ] [ gpe ]

                      id VNI - specifies the VXLAN Network Identifier (or
                      VXLAN Segment Identifier) to use.

                      dev PHYS_DEV - specifies the physical device to use for
                      tunnel endpoint communication.

                      group IPADDR - specifies the multicast IP address to
                      join.  This parameter cannot be specified with the
                      remote parameter.

                      remote IPADDR - specifies the unicast destination IP
                      address to use in outgoing packets when the destination
                      link layer address is not known in the VXLAN device
                      forwarding database. This parameter cannot be specified
                      with the group parameter.

                      local IPADDR - specifies the source IP address to use in
                      outgoing packets.

                      ttl TTL - specifies the TTL value to use in outgoing
                      packets.

                      tos TOS - specifies the TOS value to use in outgoing
                      packets.

                      df DF - specifies the usage of the Don't Fragment flag
                      (DF) bit in outgoing packets with IPv4 headers. The
                      value inherit causes the bit to be copied from the
                      original IP header. The values unset and set cause the
                      bit to be always unset or always set, respectively. By
                      default, the bit is not set.

                      flowlabel FLOWLABEL - specifies the flow label to use in
                      outgoing packets.

                      dstport PORT - specifies the UDP destination port to
                      communicate to the remote VXLAN tunnel endpoint.

                      srcport MIN MAX - specifies the range of port numbers to
                      use as UDP source ports to communicate to the remote
                      VXLAN tunnel endpoint.

                      [no]learning - specifies if unknown source link layer
                      addresses and IP addresses are entered into the VXLAN
                      device forwarding database.

                      [no]rsc - specifies if route short circuit is turned on.

                      [no]proxy - specifies if ARP proxy is turned on.

                      [no]l2miss - specifies if netlink LLADDR miss
                      notifications are generated.

                      [no]l3miss - specifies if netlink IP ADDR miss
                      notifications are generated.

                      [no]udpcsum - specifies if UDP checksum is calculated
                      for transmitted packets over IPv4.

                      [no]udp6zerocsumtx - skip UDP checksum calculation for
                      transmitted packets over IPv6.

                      [no]udp6zerocsumrx - allow incoming UDP packets over
                      IPv6 with zero checksum field.

                      ageing SECONDS - specifies the lifetime in seconds of
                      FDB entries learnt by the kernel.

                      maxaddress NUMBER - specifies the maximum number of FDB
                      entries.

                      [no]external - specifies whether an external control
                      plane (e.g. ip route encap) or the internal FDB should
                      be used.

                      gbp - enables the Group Policy extension (VXLAN-GBP).

                          Allows one to transport group policy context across
                          VXLAN network peers.  If enabled, includes the mark
                          of a packet in the VXLAN header for outgoing packets
                          and fills the packet mark based on the information
                          found in the VXLAN header for incoming packets.

                          Format of upper 16 bits of packet mark (flags):

                            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                            |-|-|-|-|-|-|-|-|-|D|-|-|A|-|-|-|
                            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                            D := Don't Learn bit. When set, this bit indicates
                            that the egress VTEP MUST NOT learn the source
                            address of the encapsulated frame.

                            A := Indicates that the group policy has already
                            been applied to this packet. Policies MUST NOT be
                            applied by devices when the A bit is set.

                          Format of lower 16 bits of packet mark (policy ID):

                            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                            |        Group Policy ID        |
                            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                          Example:
                            iptables -A OUTPUT [...] -j MARK --set-mark 0x800FF

                      gpe - enables the Generic Protocol extension (VXLAN-GPE).
                      Currently, this is only supported together with the
                      external keyword.

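The GBP mark layout above can be checked mechanically when reviewing firewall rules that set or match the mark. The following is an added example, not part of the ip-link manual; the function names are hypothetical. Reading the flags diagram most-significant bit first puts D at bit 22 and A at bit 19 of the 32-bit mark, which agrees with the manual's own example: 0x800FF is the A bit plus policy ID 0xFF.

```shell
#!/bin/sh
# Added example: build and decode VXLAN-GBP packet marks as laid out above.
GBP_DONT_LEARN=$((1 << 22))      # D: position 9 (MSB first) of the upper 16 bits
GBP_POLICY_APPLIED=$((1 << 19))  # A: position 12 (MSB first) of the upper 16 bits

# gbp_mark_encode POLICY_ID [D] [A] -> prints the mark as 0x... (D, A are 0 or 1)
gbp_mark_encode() {
    id=$1; d=${2:-0}; a=${3:-0}
    # Decimal only, no leading zero (it would be read as octal), max 65535.
    case $id in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "${#id}" -le 5 ] && [ "$id" -le 65535 ] || return 1
    case $d$a in 00|01|10|11) ;; *) return 1 ;; esac
    mark=$id
    if [ "$d" -eq 1 ]; then mark=$(($mark | $GBP_DONT_LEARN)); fi
    if [ "$a" -eq 1 ]; then mark=$(($mark | $GBP_POLICY_APPLIED)); fi
    printf '0x%X\n' "$mark"
}

# gbp_mark_decode 0xMARK -> prints the fields, plus any upper-half bits the
# diagram leaves unmarked, so a reviewer can spot marks that set them.
gbp_mark_decode() {
    m=$1
    case $m in
        0[xX]*)
            h=${m#0[xX]}
            case $h in ''|*[!0-9a-fA-F]*) return 1 ;; esac
            [ "${#h}" -le 8 ] || return 1 ;;
        *) return 1 ;;   # hex only, the form used in the manual's example
    esac
    v=$(($m))
    # 0xFFB7 = all upper-half bits except D (0x40) and A (0x08).
    printf 'policy_id=%d dont_learn=%d policy_applied=%d other_flag_bits=0x%X\n' \
        "$(( $v & 0xFFFF ))" \
        "$(( ($v >> 22) & 1 ))" \
        "$(( ($v >> 19) & 1 ))" \
        "$(( ($v >> 16) & 0xFFB7 ))"
}

# The mark from the manual's iptables example:
gbp_mark_decode 0x800FF
# Policy ID 255 with Don't Learn set instead of Policy Applied:
gbp_mark_encode 255 1 0
```
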
       VETH, VXCAN Type Support
              For a link of types VETH/VXCAN the following additional
              arguments are supported:

              ip link add DEVICE type { veth | vxcan } [ peer name NAME ]

                      peer name NAME - specifies the virtual pair device name
                      of the VETH/VXCAN tunnel.

       IPIP, SIT Type Support
              For a link of type IPIP or SIT the following additional
              arguments are supported:

              ip link add DEVICE type { ipip | sit }  remote ADDR local ADDR [
              encap { fou | gue | none } ] [ encap-sport { PORT | auto } ] [
              encap-dport PORT ] [ [no]encap-csum ] [  [no]encap-remcsum ] [
              mode  { ip6ip | ipip | mplsip | any } ] [ external ]

                      remote ADDR - specifies the remote address of the
                      tunnel.

                      local ADDR - specifies the fixed local address for
                      tunneled packets.  It must be an address on another
                      interface on this host.

                      encap { fou | gue | none } - specifies type of secondary
                      UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue"
                      indicates Generic UDP Encapsulation.

                      encap-sport { PORT | auto } - specifies the source port
                      in UDP encapsulation.  PORT indicates the port by
                      number, "auto" indicates that the port number should be
                      chosen automatically (the kernel picks a flow based on
                      the flow hash of the encapsulated packet).

                      [no]encap-csum - specifies if UDP checksums are enabled
                      in the secondary encapsulation.

                      [no]encap-remcsum - specifies if Remote Checksum Offload
                      is enabled. This is only applicable for Generic UDP
                      Encapsulation.

                      mode { ip6ip | ipip | mplsip | any } - specifies mode in
                      which device should run. "ip6ip" indicates
                      IPv6-Over-IPv4, "ipip" indicates IPv4-Over-IPv4,
                      "mplsip" indicates MPLS-Over-IPv4, "any" indicates IPv6,
                      IPv4 or MPLS Over IPv4. Supported for SIT where the
                      default is "ip6ip" and IPIP where the default is "ipip".
                      IPv6-Over-IPv4 is not supported for IPIP.

                      external - make this tunnel externally controlled (e.g.
                      ip route encap).

       GRE Type Support
              For a link of type GRE or GRETAP the following additional
              arguments are supported:

              ip link add DEVICE type { gre | gretap }  remote ADDR local ADDR
              [ [no][i|o]seq ] [ [i|o]key KEY | no[i|o]key ] [ [no][i|o]csum ]
              [ ttl TTL ] [ tos TOS ] [ [no]pmtudisc ] [ [no]ignore-df ] [ dev
              PHYS_DEV ] [ encap { fou | gue | none } ] [ encap-sport { PORT |
              auto } ] [ encap-dport PORT ] [ [no]encap-csum ] [
              [no]encap-remcsum ] [ external ]

                      remote ADDR - specifies the remote address of the
                      tunnel.

                      local ADDR - specifies the fixed local address for
                      tunneled packets.  It must be an address on another
                      interface on this host.

                      [no][i|o]seq - serialize packets.  The oseq flag enables
                      sequencing of outgoing packets.  The iseq flag requires
                      that all input packets are serialized.

                      [i|o]key KEY | no[i|o]key - use keyed GRE with key KEY.
                      KEY is either a number or an IPv4 address-like dotted
                      quad.  The key parameter specifies the same key to use
                      in both directions.  The ikey and okey parameters
                      specify different keys for input and output.

                      [no][i|o]csum - generate/require checksums for tunneled
                      packets.  The ocsum flag calculates checksums for
                      outgoing packets.  The icsum flag requires that all
                      input packets have the correct checksum. The csum flag
                      is equivalent to the combination icsum ocsum.

                      ttl TTL - specifies the TTL value to use in outgoing
                      packets.

                      tos TOS - specifies the TOS value to use in outgoing
                      packets.

                      [no]pmtudisc - enables/disables Path MTU Discovery on
                      this tunnel.  It is enabled by default. Note that a
                      fixed ttl is incompatible with this option: tunneling
                      with a fixed ttl always performs PMTU discovery.

                      [no]ignore-df - enables/disables IPv4 DF suppression on
                      this tunnel.  Normally datagrams that exceed the MTU
                      will be fragmented; the presence of the DF flag inhibits
                      this, resulting instead in an ICMP Unreachable
                      (Fragmentation Required) message.  Enabling this
                      attribute causes the DF flag to be ignored.

                      dev PHYS_DEV - specifies the physical device to use for
                      tunnel endpoint communication.

                      encap { fou | gue | none } - specifies type of secondary
                      UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue"
                      indicates Generic UDP Encapsulation.

                      encap-sport { PORT | auto } - specifies the source port
                      in UDP encapsulation.  PORT indicates the port by
                      number, "auto" indicates that the port number should be
                      chosen automatically (the kernel picks a flow based on
                      the flow hash of the encapsulated packet).

                      [no]encap-csum - specifies if UDP checksums are enabled
                      in the secondary encapsulation.

                      [no]encap-remcsum - specifies if Remote Checksum Offload
                      is enabled. This is only applicable for Generic UDP
                      Encapsulation.

                      external - make this tunnel externally controlled (e.g.
                      ip route encap).

       IP6GRE/IP6GRETAP Type Support
              For a link of type IP6GRE/IP6GRETAP the following additional
              arguments are supported:

              ip link add DEVICE type { ip6gre | ip6gretap } remote ADDR local
              ADDR [ [no][i|o]seq ] [ [i|o]key KEY | no[i|o]key ] [
              [no][i|o]csum ] [ hoplimit TTL ] [ encaplimit ELIM ] [ tclass
              TCLASS ] [ flowlabel FLOWLABEL ] [ dscp inherit ] [
              [no]allow-localremote ] [ dev PHYS_DEV ] [ external ]

                      remote ADDR - specifies the remote IPv6 address of the
                      tunnel.

                      local ADDR - specifies the fixed local IPv6 address for
                      tunneled packets.  It must be an address on another
                      interface on this host.

                      [no][i|o]seq - serialize packets.  The oseq flag enables
                      sequencing of outgoing packets.  The iseq flag requires
                      that all input packets are serialized.

                      [i|o]key KEY | no[i|o]key - use keyed GRE with key KEY.
                      KEY is either a number or an IPv4 address-like dotted
                      quad.  The key parameter specifies the same key to use
                      in both directions.  The ikey and okey parameters
                      specify different keys for input and output.

                      [no][i|o]csum - generate/require checksums for tunneled
                      packets.  The ocsum flag calculates checksums for
                      outgoing packets.  The icsum flag requires that all
                      input packets have the correct checksum. The csum flag
                      is equivalent to the combination icsum ocsum.

                      hoplimit TTL - specifies Hop Limit value to use in
                      outgoing packets.

                      encaplimit ELIM - specifies a fixed encapsulation limit.
                      Default is 4.

                      flowlabel FLOWLABEL - specifies a fixed flowlabel.

                      [no]allow-localremote - specifies whether to allow
                      remote endpoint to have an address configured on local
                      host.

                      tclass TCLASS - specifies the traffic class field on
                      tunneled packets, which can be specified as either a
                      two-digit hex value (e.g. c0) or a predefined string
                      (e.g. internet).  The value inherit causes the field to
                      be copied from the original IP header. The values
                      inherit/STRING or inherit/00..ff will set the field to
                      STRING or 00..ff when tunneling non-IP packets. The
                      default value is 00.

                      external - make this tunnel externally controlled (or
                      not, which is the default).  In the kernel, this is
                      referred to as collect metadata mode.  This flag is
                      mutually exclusive with the remote, local, seq, key,
                      csum, hoplimit, encaplimit, flowlabel and tclass
                      options.

       IPoIB Type Support
              For a link of type IPoIB the following additional arguments are
              supported:

              ip link add DEVICE name NAME type ipoib [ pkey PKEY ] [ mode
              MODE ]

                      pkey PKEY - specifies the IB P-Key to use.

                      mode MODE - specifies the mode (datagram or connected)
                      to use.

       ERSPAN Type Support
              For a link of type ERSPAN/IP6ERSPAN the following additional
              arguments are supported:

              ip link add DEVICE type { erspan | ip6erspan } remote ADDR local
              ADDR seq key KEY erspan_ver version [ erspan IDX ] [ erspan_dir
              { ingress | egress } ] [ erspan_hwid hwid ] [
              [no]allow-localremote ] [ external ]

                      remote ADDR - specifies the remote address of the
                      tunnel.

                      local ADDR - specifies the fixed local address for
                      tunneled packets.  It must be an address on another
                      interface on this host.

                      erspan_ver version - specifies the ERSPAN version
                      number.  version indicates the ERSPAN version to be
                      created: 0 for version 0 (type I), 1 for version 1
                      (type II) or 2 for version 2 (type III).

                      erspan IDX - specifies the ERSPAN v1 index field.  IDX
                      indicates a 20 bit index/port number associated with the
                      ERSPAN traffic's source port and direction.

                      erspan_dir { ingress | egress } - specifies the ERSPAN
                      v2 mirrored traffic's direction.

                      erspan_hwid hwid - a unique identifier of an ERSPAN v2
                      engine within a system.  hwid is a 6-bit value for users
                      to configure.

                      [no]allow-localremote - specifies whether to allow
                      remote endpoint to have an address configured on local
                      host.

                      external - make this tunnel externally controlled (or
                      not, which is the default).  In the kernel, this is
                      referred to as collect metadata mode.  This flag is
                      mutually exclusive with the remote, local, erspan_ver,
                      erspan, erspan_dir and erspan_hwid options.

       GENEVE Type Support
              For a link of type GENEVE the following additional arguments are
              supported:

              ip link add DEVICE type geneve id VNI remote IPADDR [ ttl TTL ]
              [ tos TOS ] [ df DF ] [ flowlabel FLOWLABEL ] [ dstport PORT ] [
              [no]external ] [ [no]udpcsum ] [ [no]udp6zerocsumtx ] [
              [no]udp6zerocsumrx ] [ innerprotoinherit ]

                      id VNI - specifies the Virtual Network Identifier to
                      use.

                      remote IPADDR - specifies the unicast destination IP
                      address to use in outgoing packets.

                      ttl TTL - specifies the TTL value to use in outgoing
                      packets. "0" or "auto" means use whatever default value,
                      "inherit" means inherit the inner protocol's ttl.
                      Default option is "0".

                      tos TOS - specifies the TOS value to use in outgoing
                      packets.

                      df DF - specifies the usage of the Don't Fragment flag
                      (DF) bit in outgoing packets with IPv4 headers. The
                      value inherit causes the bit to be copied from the
                      original IP header. The values unset and set cause the
                      bit to be always unset or always set, respectively. By
                      default, the bit is not set.

                      flowlabel FLOWLABEL - specifies the flow label to use in
                      outgoing packets.

                      dstport PORT - select a destination port other than the
                      default of 6081.

                      [no]external - make this tunnel externally controlled
                      (or not, which is the default). This flag is mutually
                      exclusive with the id, remote, ttl, tos and flowlabel
                      options.

                      [no]udpcsum - specifies if UDP checksum is calculated
                      for transmitted packets over IPv4.

                      [no]udp6zerocsumtx - skip UDP checksum calculation for
                      transmitted packets over IPv6.

                      [no]udp6zerocsumrx - allow incoming UDP packets over
                      IPv6 with zero checksum field.

                      innerprotoinherit - use IPv4/IPv6 as inner protocol
                      instead of Ethernet.

797       Bareudp Type Support
798              For a link of type Bareudp the following additional arguments
799              are supported:
800
801              ip link add DEVICE type bareudp dstport PORT ethertype PROTO [
802              srcportmin PORT ] [ [no]multiproto ]
803
804
805                      dstport PORT - specifies the destination port for the
806                      UDP tunnel.
807
808
809                      ethertype PROTO - specifies the ethertype of the L3 pro‐
810                      tocol being tunnelled.  ethertype can be given as plain
811                      Ethernet protocol number or using the protocol name
812                      ("ipv4", "ipv6", "mpls_uc", etc.).
813
814
815                      srcportmin PORT - selects the lowest value of the UDP
816                      tunnel source port range.
817
818
819                      [no]multiproto - activates support for protocols similar
820                      to the one specified by ethertype.  When ethertype is
821                      "mpls_uc" (that is, unicast MPLS), this allows the tun‐
822                      nel to also handle multicast MPLS.  When ethertype is
823                      "ipv4", this allows the tunnel to also handle IPv6. This
824                      option is disabled by default.
825
826
827       AMT Type Support
828              For a link of type AMT the following additional arguments are
829              supported:
830
831              ip link add DEVICE type AMT discovery IPADDR mode { gateway |
832              relay } local IPADDR dev PHYS_DEV [ relay_port PORT ] [ gate‐
833              way_port PORT ] [ max_tunnels NUMBER ]
834
835
836                      discovery IPADDR - specifies the unicast discovery IP
837                      address to use to find remote IP address.
838
839                      mode { gateway | relay } - specifies the role of AMT,
840                      Gateway or Relay.
841
842                      local IPADDR - specifies the source IP address to use in
843                      outgoing packets.
844
845                      dev PHYS_DEV - specifies the underlying physical inter‐
846                      face from which transform traffic is sent and received.
847
848                      relay_port PORT - specifies the UDP Relay port to commu‐
849                      nicate to the Relay.
850
851                      gateway_port PORT - specifies the UDP Gateway port to
852                      communicate to the Gateway.
853
854                      max_tunnels NUMBER - specifies the maximum number of
855                      tunnels.
856
857
858
859       MACVLAN and MACVTAP Type Support
860              For a link of type MACVLAN or MACVTAP the following additional
861              arguments are supported:
862
863              ip link add link DEVICE name NAME type { macvlan | macvtap }
864              mode { private | vepa | bridge | passthru  [ nopromisc ] |
865              source [ nodst ] }  [ bcqueuelen { LENGTH } ]
866
867
868                      type { macvlan | macvtap } - specifies the link type to
869                      use.  macvlan creates just a virtual interface, while
870                      macvtap in addition creates a character device /dev/tapX
871                      to be used just like a tuntap device.
872
873                      mode private - Do not allow communication between
874                      macvlan instances on the same physical interface, even
875                      if the external switch supports hairpin mode.
876
877                      mode vepa - Virtual Ethernet Port Aggregator mode. Data
878                      from one macvlan instance to the other on the same phys‐
879                      ical interface is transmitted over the physical inter‐
880                      face. Either the attached switch needs to support hair‐
881                      pin mode, or there must be a TCP/IP router forwarding
882                      the packets in order to allow communication. This is the
883                      default mode.
884
885                      mode bridge - In bridge mode, all endpoints are directly
886                      connected to each other, communication is not redirected
887                      through the physical interface's peer.
888
889                      mode passthru [ nopromisc ] - This mode gives more power
890                      to a single endpoint, usually in macvtap mode. It is not
891                      allowed for more than one endpoint on the same physical
892                      interface. All traffic will be forwarded to this end‐
893                      point, allowing virtio guests to change MAC address or
894                      set promiscuous mode in order to bridge the interface or
895                      create vlan interfaces on top of it. By default, this
896                      mode forces the underlying interface into promiscuous
897                      mode. Passing the nopromisc flag prevents this, so the
898                      promisc flag may be controlled using standard tools.
899
900                      mode source [ nodst ] - allows one to set a list of
901                      allowed MAC addresses, which is matched against the
902                      source MAC address of frames received on the underlying
903                      interface. This allows creating MAC-based VLAN
904                      associations, instead of the standard port- or tag-based
905                      ones. The feature is useful to deploy 802.1x MAC-based
906                      behavior where drivers of the underlying interfaces
907                      don't allow that. By default, packets are also
908                      considered (duplicated) for destination-based MACVLAN.
909                      Passing the nodst flag stops matching packets from also
910                      going through the destination-based flow.
911
912                      bcqueuelen { LENGTH } - Set the length of the RX queue
913                      used to process broadcast and multicast packets.  LENGTH
914                      must be a positive integer in the range [0-4294967295].
915                      Setting a length of 0 will effectively drop all broad‐
916                      cast/multicast traffic.  If not specified the macvlan
917                      driver default (1000) is used.  Note that all macvlans
918                      that share the same underlying device are using the same
919                      queue. The parameter here is a request, the actual queue
920                      length used will be the maximum length that any macvlan
921                      interface has requested.  When listing device parameters
922                      both the bcqueuelen parameter as well as the actual used
923                      bcqueuelen are listed to better help the user understand
924                      the setting.
925
926
927       High-availability Seamless Redundancy (HSR) Support
928              For a link of type HSR the following additional arguments are
929              supported:
930
931              ip link add link DEVICE name NAME type hsr slave1 SLAVE1-IF
932              slave2 SLAVE2-IF [ supervision ADDR-BYTE ] [ version { 0 | 1 } ]
933              [ proto { 0 | 1 } ]
934
935
936                      type hsr - specifies the link type to use, here HSR.
937
938                      slave1 SLAVE1-IF - Specifies the physical device used
939                      for the first of the two ring ports.
940
941                      slave2 SLAVE2-IF - Specifies the physical device used
942                      for the second of the two ring ports.
943
944                      supervision ADDR-BYTE - The last byte of the multicast
945                      address used for HSR supervision frames.  Default option
946                      is "0", possible values 0-255.
947
948                      version { 0 | 1 } - Selects the protocol version of the
949                      interface. Default option is "0", which corresponds to
950                      the 2010 version of the HSR standard. Option "1" acti‐
951                      vates the 2012 version.
952
953                      proto { 0 | 1 } - Selects the protocol at the interface.
954                      Default option is "0", which corresponds to the HSR
955                      standard. Option "1" activates the Parallel Redundancy
956                      Protocol (PRP).
957
958
959       BRIDGE Type Support
960              For a link of type BRIDGE the following additional arguments are
961              supported:
962
963              ip link add DEVICE type bridge [ ageing_time AGEING_TIME ] [
964              group_fwd_mask MASK ] [ group_address ADDRESS ] [ forward_delay
965              FORWARD_DELAY ] [ hello_time HELLO_TIME ] [ max_age MAX_AGE ] [
966              stp_state STP_STATE ] [ priority PRIORITY ] [ vlan_filtering
967              VLAN_FILTERING ] [ vlan_protocol VLAN_PROTOCOL ] [ vlan_de‐
968              fault_pvid VLAN_DEFAULT_PVID ] [ vlan_stats_enabled
969              VLAN_STATS_ENABLED ] [ vlan_stats_per_port VLAN_STATS_PER_PORT ]
970              [ mcast_snooping MULTICAST_SNOOPING ] [ mcast_vlan_snooping MUL‐
971              TICAST_VLAN_SNOOPING ] [ mcast_router MULTICAST_ROUTER ] [
972              mcast_query_use_ifaddr MCAST_QUERY_USE_IFADDR ] [ mcast_querier
973              MULTICAST_QUERIER ] [ mcast_hash_elasticity HASH_ELASTICITY ] [
974              mcast_hash_max HASH_MAX ] [ mcast_last_member_count LAST_MEM‐
975              BER_COUNT ] [ mcast_startup_query_count STARTUP_QUERY_COUNT ] [
976              mcast_last_member_interval LAST_MEMBER_INTERVAL ] [ mcast_mem‐
977              bership_interval MEMBERSHIP_INTERVAL ] [ mcast_querier_interval
978              QUERIER_INTERVAL ] [ mcast_query_interval QUERY_INTERVAL ] [
979              mcast_query_response_interval QUERY_RESPONSE_INTERVAL ] [
980              mcast_startup_query_interval STARTUP_QUERY_INTERVAL ] [
981              mcast_stats_enabled MCAST_STATS_ENABLED ] [ mcast_igmp_version
982              IGMP_VERSION ] [ mcast_mld_version MLD_VERSION ] [ nf_call_ipta‐
983              bles NF_CALL_IPTABLES ] [ nf_call_ip6tables NF_CALL_IP6TABLES ]
984              [ nf_call_arptables NF_CALL_ARPTABLES ]
985
986
987                      ageing_time AGEING_TIME - configure the bridge's FDB en‐
988                      tries ageing time, i.e. the number of seconds a MAC ad‐
989                      dress will be kept in the FDB after a packet has been
990                      received from that address. After this time has passed,
991                      entries are cleaned up.
992
993                      group_fwd_mask MASK - set the group forward mask. This
994                      is the bitmask that is applied to decide whether to for‐
995                      ward incoming frames destined to link-local addresses,
996                      i.e. addresses of the form 01:80:C2:00:00:0X (defaults
997                      to 0, i.e. the bridge does not forward any link-local
998                      frames).
999
1000                      group_address ADDRESS - set the MAC address of the mul‐
1001                      ticast group this bridge uses for STP.  The address must
1002                      be a link-local address in standard Ethernet MAC address
1003                      format, i.e. an address of the form 01:80:C2:00:00:0X,
1004                      with X in [0, 4..f].
1006
1007                      forward_delay FORWARD_DELAY - set the forwarding delay
1008                      in seconds, i.e. the time spent in LISTENING state
1009                      (before moving to LEARNING) and in LEARNING state
1010                      (before moving to FORWARDING). Only relevant if STP is
1011                      enabled. Valid values are between 2 and 30.
1012
1013                      hello_time HELLO_TIME - set the time in seconds between
1014                      hello packets sent by the bridge, when it is a root
1015                      bridge or a designated bridge.  Only relevant if STP is
1016                      enabled. Valid values are between 1 and 10.
1017
1018                      max_age MAX_AGE - set the hello packet timeout, i.e. the
1019                      time in seconds until another bridge in the spanning
1020                      tree is assumed to be dead, after reception of its last
1021                      hello message. Only relevant if STP is enabled. Valid
1022                      values are between 6 and 40.
1023
1024                      stp_state STP_STATE - turn spanning tree protocol on
1025                      (STP_STATE > 0) or off (STP_STATE == 0) for this bridge.
1027
1028                      priority PRIORITY - set this bridge's spanning tree pri‐
1029                      ority, used during STP root bridge election.  PRIORITY
1030                      is a 16-bit unsigned integer.
1031
1032                      vlan_filtering VLAN_FILTERING - turn VLAN filtering on
1033                      (VLAN_FILTERING > 0) or off (VLAN_FILTERING == 0).  When
1034                      disabled, the bridge will not consider the VLAN tag when
1035                      handling packets.
1036
1037                      vlan_protocol { 802.1Q | 802.1ad } - set the protocol
1038                      used for VLAN filtering.
1039
1040                      vlan_default_pvid VLAN_DEFAULT_PVID - set the default
1041                      PVID (native/untagged VLAN ID) for this bridge.
1042
1043                      vlan_stats_enabled VLAN_STATS_ENABLED - enable
1044                      (VLAN_STATS_ENABLED == 1) or disable (VLAN_STATS_ENABLED
1045                      == 0) per-VLAN stats accounting.
1046
1047                      vlan_stats_per_port VLAN_STATS_PER_PORT - enable
1048                      (VLAN_STATS_PER_PORT == 1) or disable
1049                      (VLAN_STATS_PER_PORT == 0) per-VLAN per-port stats ac‐
1050                      counting. Can be changed only when there are no port
1051                      VLANs configured.
1052
1053                      mcast_snooping MULTICAST_SNOOPING - turn multicast
1054                      snooping on (MULTICAST_SNOOPING > 0) or off (MULTI‐
1055                      CAST_SNOOPING == 0).
1056
1057                      mcast_vlan_snooping MULTICAST_VLAN_SNOOPING - turn mul‐
1058                      ticast VLAN snooping on (MULTICAST_VLAN_SNOOPING > 0) or
1059                      off (MULTICAST_VLAN_SNOOPING == 0).
1060
1061                      mcast_router MULTICAST_ROUTER - set bridge's multicast
1062                      router if IGMP snooping is enabled.  MULTICAST_ROUTER is
1063                      an integer value having the following meaning:
1064
1065                              0 - disabled.
1066
1067                              1 - automatic (queried).
1068
1069                              2 - permanently enabled.
1070
1071                      mcast_query_use_ifaddr MCAST_QUERY_USE_IFADDR - whether
1072                      to use the bridge's own IP address as source address for
1073                      IGMP queries (MCAST_QUERY_USE_IFADDR > 0) or the default
1074                      of 0.0.0.0 (MCAST_QUERY_USE_IFADDR == 0).
1075
1076                      mcast_querier MULTICAST_QUERIER - enable (MULTI‐
1077                      CAST_QUERIER > 0) or disable (MULTICAST_QUERIER == 0)
1078                      IGMP querier, i.e. sending of multicast queries by the
1079                      bridge (default: disabled).
1080
1081                      mcast_querier_interval QUERIER_INTERVAL - interval be‐
1082                      tween queries sent by other routers. If no queries are
1083                      seen after this delay has passed, the bridge will start
1084                      to send its own queries (as if mcast_querier was en‐
1085                      abled).
1086
1087                      mcast_hash_elasticity HASH_ELASTICITY - set multicast
1088                      database hash elasticity, i.e. the maximum chain length in
1089                      the multicast hash table (defaults to 4).
1090
1091                      mcast_hash_max HASH_MAX - set maximum size of multicast
1092                      hash table (defaults to 512, value must be a power of
1093                      2).
1094
1095                      mcast_last_member_count LAST_MEMBER_COUNT - set multi‐
1096                      cast last member count, i.e. the number of queries the
1097                      bridge will send before stopping forwarding a multicast
1098                      group after a "leave" message has been received (de‐
1099                      faults to 2).
1100
1101                      mcast_last_member_interval LAST_MEMBER_INTERVAL - inter‐
1102                      val between queries to find remaining members of a
1103                      group, after a "leave" message is received.
1104
1105                      mcast_startup_query_count STARTUP_QUERY_COUNT - set the
1106                      number of IGMP queries to send during startup phase (de‐
1107                      faults to 2).
1108
1109                      mcast_startup_query_interval STARTUP_QUERY_INTERVAL -
1110                      interval between queries in the startup phase.
1111
1112                      mcast_query_interval QUERY_INTERVAL - interval between
1113                      queries sent by the bridge after the end of the startup
1114                      phase.
1115
1116                      mcast_query_response_interval QUERY_RESPONSE_INTERVAL -
1117                      set the Max Response Time/Maximum Response Delay for
1118                      IGMP/MLD queries sent by the bridge.
1119
1120                      mcast_membership_interval MEMBERSHIP_INTERVAL - delay
1121                      after which the bridge will leave a group, if no member‐
1122                      ship reports for this group are received.
1123
1124                      mcast_stats_enabled MCAST_STATS_ENABLED - enable
1125                      (MCAST_STATS_ENABLED > 0) or disable (MCAST_STATS_EN‐
1126                      ABLED == 0) multicast (IGMP/MLD) stats accounting.
1127
1128                      mcast_igmp_version IGMP_VERSION - set the IGMP version.
1129
1130                      mcast_mld_version MLD_VERSION - set the MLD version.
1131
1132                      nf_call_iptables NF_CALL_IPTABLES - enable (NF_CALL_IPT‐
1133                      ABLES > 0) or disable (NF_CALL_IPTABLES == 0) iptables
1134                      hooks on the bridge.
1135
1136                      nf_call_ip6tables NF_CALL_IP6TABLES - enable
1137                      (NF_CALL_IP6TABLES > 0) or disable (NF_CALL_IP6TABLES ==
1138                      0) ip6tables hooks on the bridge.
1139
1140                      nf_call_arptables NF_CALL_ARPTABLES - enable
1141                      (NF_CALL_ARPTABLES > 0) or disable (NF_CALL_ARPTABLES ==
1142                      0) arptables hooks on the bridge.
1143
1144
1145
1146
1147       MACsec Type Support
1148              For a link of type MACsec the following additional arguments are
1149              supported:
1150
1151              ip link add link DEVICE name NAME type macsec [ [ address
1152              <lladdr> ] port PORT | sci SCI ] [ cipher CIPHER_SUITE ] [
1153              icvlen { 8..16 } ] [ encrypt { on | off } ] [ send_sci { on |
1154              off } ] [ end_station { on | off } ] [ scb { on | off } ] [ pro‐
1155              tect { on | off } ] [ replay { on | off } window { 0..2^32-1 } ]
1156              [ validate { strict | check | disabled } ] [ encodingsa { 0..3 }
1157              ]
1158
1159
1160                      address <lladdr> - sets the system identifier component
1161                      of secure channel for this MACsec device.
1162
1163
1164                      port PORT - sets the port number component of secure
1165                      channel for this MACsec device, in a range from 1 to
1166                      65535 inclusive. Numbers with a leading "0" or "0x"
1167                      are interpreted as octal and hexadecimal, respectively.
1168
1169
1170                      sci SCI - sets the secure channel identifier for this
1171                      MACsec device.  SCI is a 64-bit wide number in hexadeci‐
1172                      mal format.
1173
1174
1175                      cipher CIPHER_SUITE - defines the cipher suite to use.
1176
1177
1178                      icvlen LENGTH - sets the length of the Integrity Check
1179                      Value (ICV).
1180
1181
1182                      encrypt on or encrypt off - switches between authenti‐
1183                      cated encryption, or authenticity mode only.
1184
1185
1186                      send_sci on or send_sci off - specifies whether the SCI
1187                      is included in every packet, or only when it is neces‐
1188                      sary.
1189
1190
1191                      end_station on or end_station off - sets the End Station
1192                      bit.
1193
1194
1195                      scb on or scb off - sets the Single Copy Broadcast bit.
1196
1197
1198                      protect on or protect off - enables MACsec protection on
1199                      the device.
1200
1201
1202                      replay on or replay off - enables replay protection on
1203                      the device.
1204
1205
1206
1207                              window SIZE - sets the size of the replay win‐
1208                              dow.
1209
1210
1211
1212                      validate strict or validate check or validate disabled -
1213                      sets the validation mode on the device.
1214
1215
1216                      encodingsa AN - sets the active secure association for
1217                      transmission.
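
A MACsec link with the protective options above switched on, as an added example that is not part of the man page: the helper names `to_decimal`, `in_range` and `macsec_cmd`, the devices `eth0` and `macsec0`, and the window of 64 are assumptions. It checks values against the ranges listed above, converts an octal or hexadecimal port to decimal so a reviewer sees the number ip will use, and only prints the command.

```shell
#!/bin/sh
# Added example (not from the man page): build a reviewable MACsec command line.
# Nothing is executed; the functions only validate and print.

# to_decimal LITERAL: print the value the way the page says ip reads a port:
# a leading "0x" means hexadecimal, a leading "0" means octal, otherwise decimal.
to_decimal() {
    case "$1" in
        0[xX]*) case "${1#0[xX]}" in ''|*[!0-9a-fA-F]*) return 1 ;; esac ;;
        0?*)    case "$1" in *[!0-7]*) return 1 ;; esac ;;
        *)      case "$1" in ''|*[!0-9]*) return 1 ;; esac ;;
    esac
    [ "${#1}" -le 12 ] || return 1   # stay far away from arithmetic overflow
    printf '%s\n' "$(($1))"
}

# in_range VALUE MIN MAX: true for a plain decimal (no leading zero) in range.
in_range() {
    case "$1" in
        ''|*[!0-9]*|0?*) return 1 ;;
    esac
    [ "${#1}" -le 10 ] && [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# macsec_cmd PARENT NAME PORT WINDOW [ICVLEN]: print the command, or exit 2.
# The character set and 15-character limit for names are a conservative
# assumption of this example.
macsec_cmd() (
    parent=$1; name=$2; window=$4; icvlen=${5:-16}
    for ifname in "$parent" "$name"; do
        case "$ifname" in
            ''|*[!A-Za-z0-9_.-]*) echo "bad interface name: '$ifname'" >&2; exit 2 ;;
        esac
        [ "${#ifname}" -le 15 ] || { echo "name too long: $ifname" >&2; exit 2; }
    done
    port=$(to_decimal "$3") || { echo "port '$3' is not a number" >&2; exit 2; }
    in_range "$port" 1 65535 || { echo "port $port outside 1..65535" >&2; exit 2; }
    in_range "$icvlen" 8 16 || { echo "icvlen '$icvlen' outside 8..16" >&2; exit 2; }
    in_range "$window" 0 4294967295 ||
        { echo "window '$window' outside 0..2^32-1" >&2; exit 2; }
    printf 'ip link add link %s name %s type macsec port %s icvlen %s ' \
        "$parent" "$name" "$port" "$icvlen"
    printf 'encrypt on protect on replay on window %s validate strict\n' "$window"
)

# Constructed sample values: the port literal 010 is octal, so ip would use 8.
macsec_cmd eth0 macsec0 010 64
```

The link definition carries no keys; secure associations are configured separately with ip-macsec(8).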
1218
1219
1220
1221       VRF Type Support
1222              For a link of type VRF the following additional arguments are
1223              supported:
1224
1225              ip link add DEVICE type vrf table TABLE
1226
1227
1228                      table TABLE - table id associated with the VRF device.
1229
1230
1231
1232       RMNET Type Support
1233              For a link of type RMNET the following additional arguments are
1234              supported:
1235
1236              ip link add link DEVICE name NAME type rmnet mux_id MUXID
1237
1238
1239                      mux_id MUXID - specifies the mux identifier for the rm‐
1240                      net device, possible values 1-254.
1241
1242
1243
1244       XFRM Type Support
1245              For a link of type XFRM the following additional arguments are
1246              supported:
1247
1248              ip link add DEVICE type xfrm dev PHYS_DEV [ if_id IF_ID ]
1249
1250
1251                      dev PHYS_DEV - specifies the underlying physical inter‐
1252                      face from which transform traffic is sent and received.
1253
1254
1255                      if_id IF_ID - specifies the hexadecimal lookup key used
1256                      to send traffic to and from specific xfrm policies.
1257                      Policies must be configured with the same key. If not
1258                      set, the key defaults to 0 and will match any policies
1259                      which similarly do not have a lookup key configuration.
1260
1261
1262
1263       GTP Type Support
1264              For a link of type GTP the following additional arguments are
1265              supported:
1266
1267              ip link add DEVICE type gtp role ROLE hsize HSIZE
1268
1269
1270                      role ROLE - specifies the role of the GTP device, either
1271                      sgsn or ggsn
1272
1273
1274                      hsize HSIZE - specifies size of the hashtable which
1275                      stores PDP contexts
1276
1277
1278                      restart_count RESTART_COUNT - GTP instance restart
1279                      counter
1280
1281
1282
1283   ip link delete - delete virtual link
1284       dev DEVICE
1285              specifies the virtual device to operate on.
1286
1287
1288       group GROUP
1289              specifies the group of virtual links to delete. Group 0 is not
1290              allowed to be deleted since it is the default group.
1291
1292
1293       type TYPE
1294              specifies the type of the device.
1295
1296
1297   ip link set - change device attributes
1298       Warning: If multiple parameter changes are requested, ip aborts immedi‐
1299       ately after any of the changes have failed.  This is the only case when
1300       ip can move the system to an unpredictable state. The solution is to
1301       avoid changing several parameters with one ip link set call.  The modi‐
1302       fier change is equivalent to set.
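
One way to follow the advice in the warning above, as an added example that is not part of the man page: each attribute goes into its own `ip link set` call, and on failure the script reports what was applied and what was never attempted. The names `set_link_attrs` and `IP_CMD`, the device `eth0` and the attribute values are assumptions.

```shell
#!/bin/sh
# Added example (not from the man page): one `ip link set` call per attribute,
# so a failure never leaves the device in an unknown, half-changed state.

# Command used to apply a change. Set IP_CMD="echo ip" for a dry run.
IP_CMD=${IP_CMD:-ip}

# set_link_attrs DEVICE "ATTR VALUE" ["ATTR VALUE" ...]
# Stops at the first failing change and reports applied / not attempted ones.
set_link_attrs() (
    dev=$1; shift
    set -f                       # no globbing while $change is word-split
    applied=""
    while [ "$#" -gt 0 ]; do
        change=$1; shift
        # Unquoted on purpose: "mtu 9000" must become two arguments.
        if $IP_CMD link set dev "$dev" $change; then
            applied="$applied [$change]"
        else
            skipped=""
            for rest in "$@"; do skipped="$skipped [$rest]"; done
            echo "FAILED [$change] applied:${applied:- none} not attempted:${skipped:- none}"
            exit 1
        fi
    done
    echo "OK applied:${applied:- none}"
)

# Dry run with constructed values: prints the three commands, changes nothing.
( IP_CMD="echo ip"; set_link_attrs eth0 "txqueuelen 500" "mtu 9000" "alias uplink" )
```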
1303
1304
1305
1306       dev DEVICE
1307              DEVICE specifies network device to operate on. When configuring
1308              SR-IOV Virtual Function (VF) devices, this keyword should spec‐
1309              ify the associated Physical Function (PF) device.
1310
1311
1312       group GROUP
1313              GROUP has a dual role: If both group and dev are present, then
1314              move the device to the specified group. If only a group is spec‐
1315              ified, then the command operates on all devices in that group.
1316
1317
1318       up and down
1319              change the state of the device to UP or DOWN.
1320
1321
1322       arp on or arp off
1323              change the NOARP flag on the device.
1324
1325
1326       multicast on or multicast off
1327              change the MULTICAST flag on the device.
1328
1329
1330       allmulticast on or allmulticast off
1331              change the ALLMULTI flag on the device. When enabled, instructs
1332              network driver to retrieve all multicast packets from the net‐
1333              work to the kernel for further processing.
1334
1335
1336       promisc on or promisc off
1337              change the PROMISC flag on the device. When enabled, activates
1338              promiscuous operation of the network device.
1339
1340
1341       trailers on or trailers off
1342              change the NOTRAILERS flag on the device. It is NOT used by
1343              Linux and exists for BSD compatibility.
1344
1345
1346       protodown on or protodown off
1347              change the PROTODOWN state on the device. Indicates that a pro‐
1348              tocol error has been detected on the port. Switch drivers can
1349              react to this error by doing a phys down on the switch port.
1350
1351
1352       protodown_reason PREASON on or off
1353              set PROTODOWN reasons on the device. Protodown reason bit names
1354              can be enumerated under /etc/iproute2/protodown_reasons.d/.
1355              Possible reason bits are 0-31.
1356
1357
1358       dynamic on or dynamic off
1359              change the DYNAMIC flag on the device. Indicates that address
1360              can change when interface goes down (currently NOT used by
1361              Linux).
1362
1363
1364       name NAME
1365              change the name of the device. This operation is not recommended
1366              if the device is running or has some addresses already config‐
1367              ured.
1368
1369
1370       txqueuelen NUMBER
1371
1372       txqlen NUMBER
1373              change the transmit queue length of the device.
1374
1375
1376       mtu NUMBER
1377              change the MTU of the device.
1378
1379
1380       address LLADDRESS
1381              change the station address of the interface.
1382
1383
1384       broadcast LLADDRESS
1385
1386       brd LLADDRESS
1387
1388       peer LLADDRESS
1389              change the link layer broadcast address or the peer address when
1390              the interface is POINTOPOINT.
1391
1392
1393       netns NETNSNAME | PID
1394              move the device to the network namespace associated with name
1395              NETNSNAME or process PID.
1396
1397              Some devices are not allowed to change network namespace: loop‐
1398              back, bridge, wireless. These are network namespace local de‐
1399              vices. In such a case the ip tool will return an "Invalid
1400              argument" error. It is possible to find out if a device is
1401              local to a single network namespace by checking the
1402              netns-local flag in the output of ethtool:
1403
1404                      ethtool -k DEVICE
1405
1406              To change network namespace for wireless devices the iw tool can
1407              be used. But it allows one to change network namespace only for
1408              physical devices and by process PID.
1409
1410
1411       alias NAME
1412              give the device a symbolic name for easy reference.
1413
1414
1415       group GROUP
1416              specify the group the device belongs to.  The available groups
1417              are listed in file /etc/iproute2/group.
1418
1419
1420       vf NUM specify a Virtual Function device to be configured. The associ‐
1421              ated PF device must be specified using the dev parameter.
1422
1423                      mac LLADDRESS - change the station address for the spec‐
1424                      ified VF. The vf parameter must be specified.
1425
1426
1427                      vlan VLANID - change the assigned VLAN for the specified
1428                      VF. When specified, all traffic sent from the VF will be
1429                      tagged with the specified VLAN ID. Incoming traffic will
1430                      be filtered for the specified VLAN ID, and will have all
1431                      VLAN tags stripped before being passed to the VF. Set‐
1432                      ting this parameter to 0 disables VLAN tagging and fil‐
1433                      tering. The vf parameter must be specified.
1434
1435
1436                      qos VLAN-QOS - assign VLAN QOS (priority) bits for the
1437                      VLAN tag. When specified, all VLAN tags transmitted by
1438                      the VF will include the specified priority bits in the
1439                      VLAN tag. If not specified, the value is assumed to be
1440                      0. Both the vf and vlan parameters must be specified.
1441                      Setting both vlan and qos as 0 disables VLAN tagging and
1442                      filtering for the VF.
1443
1444
1445                      proto VLAN-PROTO - assign VLAN PROTOCOL for the VLAN
1446                      tag, either 802.1Q or 802.1ad.  Setting to 802.1ad, all
1447                      traffic sent from the VF will be tagged with VLAN S-Tag.
1448                      Incoming traffic will have VLAN S-Tags stripped before
1449                      being passed to the VF.  Setting to 802.1ad also enables
1450                      an option to concatenate another VLAN tag, so both S-TAG
1451                      and C-TAG will be inserted/stripped for outgoing/incom‐
1452                      ing traffic, respectively.  If not specified, the value
1453                      is assumed to be 802.1Q. Both the vf and vlan parameters
1454                      must be specified.
1455
1456
                      rate TXRATE - change the allowed transmit bandwidth, in
                      Mbps, for the specified VF.  Setting this parameter to 0
                      disables rate limiting.  The vf parameter must be
                      specified.  Please use the new API max_tx_rate option
                      instead.


                      max_tx_rate TXRATE - change the allowed maximum transmit
                      bandwidth, in Mbps, for the specified VF.  Setting this
                      parameter to 0 disables rate limiting.  The vf parameter
                      must be specified.


                      min_tx_rate TXRATE - change the allowed minimum transmit
                      bandwidth, in Mbps, for the specified VF.  The minimum
                      TXRATE should always be <= the maximum TXRATE.  Setting
                      this parameter to 0 disables rate limiting.  The vf
                      parameter must be specified.
1474
1475
1476                      spoofchk on|off - turn packet spoof checking on or off
1477                      for the specified VF.
1478
1479                      query_rss on|off - toggle the ability of querying the
1480                      RSS configuration of a specific VF. VF RSS information
1481                      like RSS hash key may be considered sensitive on some
1482                      devices where this information is shared between VF and
1483                      PF and thus its querying may be prohibited by default.
1484
                      state auto|enable|disable - set the virtual link state
                      as seen by the specified VF. Setting to auto means a
                      reflection of the PF link state, enable lets the VF
                      communicate with other VFs on this host even if the PF
                      link state is down, disable causes the HW to drop any
                      packets sent by the VF.

                      trust on|off - trust the specified VF user. This allows
                      the VF user to set a specific feature which may impact
                      security and/or performance (e.g. VF multicast
                      promiscuous mode).
1496
1497                      node_guid eui64 - configure node GUID for Infiniband
1498                      VFs.
1499
1500                      port_guid eui64 - configure port GUID for Infiniband
1501                      VFs.
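An added example (not part of the original manual page): a POSIX shell filter that reads ip link show output and, for each VF that has spoofchk off, query_rss on or trust on, prints the ip link set command that would reset it. The sample input is constructed, the layout of its VF lines is an assumption about typical iproute2 text output, and treating those three values as findings is a policy assumption.

```shell
#!/bin/sh
# Added example: audit SR-IOV VF settings documented above (spoofchk,
# query_rss, trust) from `ip link show` text output.

# Constructed sample input, not captured from a real host. The VF line
# layout is an assumption about typical iproute2 text output.
sample_vf_output() {
cat <<'EOF'
4: ens1f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    vf 0     link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff, vlan 100, spoof checking on, link-state auto, trust off, query_rss off
    vf 1     link/ether 02:00:00:00:01:01 brd ff:ff:ff:ff:ff:ff, spoof checking off, link-state enable, trust on, query_rss off
    vf 2     link/ether 02:00:00:00:01:02 brd ff:ff:ff:ff:ff:ff, vlan 200, spoof checking on, link-state auto, trust off, query_rss on
EOF
}

# audit_vfs: read `ip link show` output on stdin. For every VF that deviates
# from the assumed baseline, print (do not run) one remediation command.
# The PF name is taken from the interface header line, because the VF
# options must be applied through the PF given with "dev".
audit_vfs() {
    awk '
    # Interface header line, e.g. "4: ens1f0: <...>"; remember the PF name.
    /^[0-9]+: / { pf = $2; sub(/:$/, "", pf); sub(/@.*/, "", pf); next }

    # VF line, e.g. "vf 1  link/ether ..., spoof checking off, ..."
    $1 == "vf" && $2 ~ /^[0-9]+$/ {
        fix = ""
        if ($0 ~ /spoof checking off/) fix = fix " spoofchk on"
        if ($0 ~ /query_rss on/)       fix = fix " query_rss off"
        if ($0 ~ /trust on/)           fix = fix " trust off"
        if (fix != "") print "ip link set dev " pf " vf " $2 fix
    }'
}

# Usage on a live host:  ip link show | audit_vfs
```

The output is meant for review before anything is applied; a VF that legitimately needs trust on (for example for multicast promiscuous mode) should be recorded as an exception rather than reset.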
1502
1503
1504       xdp object | pinned | off
              set (or unset) an XDP ("eXpress Data Path") BPF program to run
              on every packet at driver level.  ip link output will indicate
              an xdp flag for the networking device. If the driver does not
              have native XDP support, the kernel will fall back to a slower,
              driver-independent "generic" XDP variant. The ip link output
              will in that case indicate xdpgeneric instead of xdp only. If
              the driver does have native XDP support, but the program is
              loaded under xdpgeneric object | pinned then the kernel will use
              the generic XDP variant instead of the native one.  xdpdrv has
              the opposite effect of requesting that the automatic fallback
              to the generic XDP variant be disabled, so that an error is
              returned if the driver is not XDP-capable.  xdpdrv also disables
              hardware offloads.  xdpoffload in ip link output indicates that
              the program has been offloaded to hardware. It can also be used
              to request the "offload" mode; much like xdpgeneric, it forces
              the program to be installed specifically in the HW/FW of the
              adapter.
1521
1522              off (or none ) - Detaches any currently attached XDP/BPF program
1523              from the given device.
1524
              object FILE - Attaches an XDP/BPF program to the given device.
              The FILE points to a BPF ELF file (e.g. generated by LLVM) that
              contains the BPF program code, map specifications, etc. If an
              XDP/BPF program is already attached to the given device, an
              error will be thrown. If no XDP/BPF program is currently
              attached, the device supports XDP and the program from the BPF
              ELF file passes the kernel verifier, then it will be attached to
              the device. If the option -force is passed to ip then any prior
              attached XDP/BPF program will be atomically overridden and no
              error will be thrown in this case. If no section option is
              passed, then the default section name ("prog") will be assumed,
              otherwise the provided section name will be used. If no verbose
              option is passed, then a verifier log will only be dumped on
              load error.  See also EXAMPLES section for usage examples.
1539
1540              section NAME - Specifies a section name that contains the BPF
1541              program code. If no section name is specified, the default one
1542              ("prog") will be used. This option is to be passed with the ob‐
1543              ject option.
1544
1545              verbose - Act in verbose mode. For example, even in case of suc‐
1546              cess, this will print the verifier log in case a program was
1547              loaded from a BPF ELF file.
1548
              pinned FILE - Attaches an XDP/BPF program to the given device.
              The FILE points to an already pinned BPF program in the BPF file
              system. The option section doesn't apply here, but otherwise the
              semantics are the same as with the option object described
              above.
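An added example (not part of the original manual page): a POSIX shell inventory of XDP attachments that reads the xdp, xdpgeneric and xdpoffload flags from ip link show header lines and reports every device whose observed mode is not on an allowlist, which also catches a program that fell back to the generic variant. The sample input is constructed, the "prog/xdp id N" lines are an assumption about typical iproute2 output, and the "DEV:MODE" allowlist format is hypothetical.

```shell
#!/bin/sh
# Added example: list XDP attachments and flag ones that are not expected.

# Constructed sample input, not captured from a real host. The header-line
# tokens xdp / xdpgeneric / xdpoffload are the flags described above; the
# "prog/xdp id N" lines are an assumption about typical iproute2 output.
sample_xdp_output() {
cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 xdp qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
    prog/xdp id 17
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 xdpgeneric qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:03 brd ff:ff:ff:ff:ff:ff
    prog/xdp id 23
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 xdpoffload qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:04 brd ff:ff:ff:ff:ff:ff
    prog/xdp id 31
EOF
}

# xdp_inventory: read `ip link show` output on stdin and print
# "DEV MODE PROG_ID" for each device with an XDP program attached.
# PROG_ID is "-" when no prog/xdp line follows the header.
xdp_inventory() {
    awk '
    function emit() {
        if (mode != "") print dev, mode, (id != "" ? id : "-")
        mode = ""; id = ""
    }
    /^[0-9]+: / {
        emit()
        dev = $2; sub(/:$/, "", dev); sub(/@.*/, "", dev)
        for (i = 3; i <= NF; i++)
            if ($i == "xdp" || $i == "xdpgeneric" || $i == "xdpoffload")
                mode = $i
        next
    }
    $1 == "prog/xdp" && $2 == "id" { id = $3 }
    END { emit() }'
}

# xdp_unexpected ALLOWLIST: ALLOWLIST is a space-separated list of
# "DEV:MODE" pairs (hypothetical format). Prints every attachment whose
# device and mode are not both listed, so a program expected in native
# mode ("eth1:xdp") but running as xdpgeneric is reported.
xdp_unexpected() {
    allow=" $1 "
    xdp_inventory | while read -r dev mode id; do
        case "$allow" in
            *" $dev:$mode "*) ;;
            *) echo "$dev $mode prog_id=$id" ;;
        esac
    done
}

# Usage on a live host:  ip link show | xdp_unexpected "eth0:xdp"
```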
1554
1555
1556       master DEVICE
1557              set master device of the device (enslave device).
1558
1559
1560       nomaster
1561              unset master device of the device (release device).
1562
1563
1564       addrgenmode eui64|none|stable_secret|random
1565              set the IPv6 address generation mode
1566
1567              eui64 - use a Modified EUI-64 format interface identifier
1568
1569              none - disable automatic address generation
1570
1571              stable_secret - generate the interface identifier based on a
1572              preset
1573                /proc/sys/net/ipv6/conf/{default,DEVICE}/stable_secret
1574
1575              random - like stable_secret, but auto-generate a new random se‐
1576              cret if none is set
1577
1578
1579       link-netnsid
1580              set peer netnsid for a cross-netns interface
1581
1582
1583       type ETYPE TYPE_ARGS
1584              Change type-specific settings. For a list of supported types and
1585              arguments refer to the description of ip link add above. In ad‐
1586              dition to that, it is possible to manipulate settings to slave
1587              devices:
1588
1589
1590       Bridge Slave Support
1591              For a link with master bridge the following additional arguments
1592              are supported:
1593
              ip link set type bridge_slave [ fdb_flush ] [ state STATE ] [
              priority PRIO ] [ cost COST ] [ guard { on | off } ] [ hairpin {
              on | off } ] [ fastleave { on | off } ] [ root_block { on | off
              } ] [ learning { on | off } ] [ flood { on | off } ] [ proxy_arp
              { on | off } ] [ proxy_arp_wifi { on | off } ] [ mcast_router
              MULTICAST_ROUTER ] [ mcast_fast_leave { on | off } ] [
              bcast_flood { on | off } ] [ mcast_flood { on | off } ] [
              mcast_to_unicast { on | off } ] [ group_fwd_mask MASK ] [
              neigh_suppress { on | off } ] [ vlan_tunnel { on | off } ] [
              isolated { on | off } ] [ locked { on | off } ] [ backup_port
              DEVICE ] [ nobackup_port ]
1605
1606
1607                      fdb_flush - flush bridge slave's fdb dynamic entries.
1608
1609                      state STATE - Set port state.  STATE is a number repre‐
1610                      senting the following states: 0 (disabled), 1 (listen‐
1611                      ing), 2 (learning), 3 (forwarding), 4 (blocking).
1612
1613                      priority PRIO - set port priority (allowed values are
1614                      between 0 and 63, inclusively).
1615
1616                      cost COST - set port cost (allowed values are between 1
1617                      and 65535, inclusively).
1618
1619                      guard { on | off } - block incoming BPDU packets on this
1620                      port.
1621
1622                      hairpin { on | off } - enable hairpin mode on this port.
1623                      This will allow incoming packets on this port to be re‐
1624                      flected back.
1625
1626                      fastleave { on | off } - enable multicast fast leave on
1627                      this port.
1628
1629                      root_block { on | off } - block this port from becoming
1630                      the bridge's root port.
1631
1632                      learning { on | off } - allow MAC address learning on
1633                      this port.
1634
1635                      flood { on | off } - open the flood gates on this port,
1636                      i.e. forward all unicast frames to this port also. Re‐
1637                      quires proxy_arp and proxy_arp_wifi to be turned off.
1638
1639                      proxy_arp { on | off } - enable proxy ARP on this port.
1640
1641                      proxy_arp_wifi { on | off } - enable proxy ARP on this
1642                      port which meets extended requirements by IEEE 802.11
1643                      and Hotspot 2.0 specifications.
1644
1645                      mcast_router MULTICAST_ROUTER - configure this port for
1646                      having multicast routers attached. A port with a multi‐
1647                      cast router will receive all multicast traffic.  MULTI‐
1648                      CAST_ROUTER may be either 0 to disable multicast routers
1649                      on this port, 1 to let the system detect the presence of
1650                      routers (this is the default), 2 to permanently enable
1651                      multicast traffic forwarding on this port or 3 to enable
1652                      multicast routers temporarily on this port, not depend‐
1653                      ing on incoming queries.
1654
1655                      mcast_fast_leave { on | off } - this is a synonym to the
1656                      fastleave option above.
1657
1658                      bcast_flood { on | off } - controls flooding of broad‐
1659                      cast traffic on the given port. By default this flag is
1660                      on.
1661
1662                      mcast_flood { on | off } - controls whether a given port
1663                      will flood multicast traffic for which there is no MDB
1664                      entry. By default this flag is on.
1665
1666                      mcast_to_unicast { on | off } - controls whether a given
1667                      port will replicate packets using unicast instead of
1668                      multicast. By default this flag is off.
1669
                      group_fwd_mask MASK - set the group forward mask. This
                      is the bitmask that is applied to decide whether to
                      forward incoming frames destined to link-local
                      addresses, i.e. addresses of the form 01:80:C2:00:00:0X
                      (defaults to 0, i.e. the bridge does not forward any
                      link-local frames coming on this port).
1676
1677                      neigh_suppress { on | off } - controls whether neigh
1678                      discovery (arp and nd) proxy and suppression is enabled
1679                      on the port. By default this flag is off.
1680
1681                      vlan_tunnel { on | off } - controls whether vlan to tun‐
1682                      nel mapping is enabled on the port. By default this flag
1683                      is off.
1684
1685                      locked { on | off } - sets or unsets a port in locked
1686                      mode, so that when enabled, hosts behind the port cannot
1687                      communicate through the port unless a FDB entry repre‐
1688                      senting the host is in the FDB. By default this flag is
1689                      off.
1690
1691                      backup_port DEVICE - if the port loses carrier all traf‐
1692                      fic will be redirected to the configured backup port
1693
1694                      nobackup_port - removes the currently configured backup
1695                      port
1696
1697
1698
1699       Bonding Slave Support
1700              For a link with master bond the following additional arguments
1701              are supported:
1702
1703              ip link set type bond_slave [ queue_id ID ]
1704
1705
1706                      queue_id ID - set the slave's queue ID (a 16bit unsigned
1707                      value).
1708
1709
1710
1711       MACVLAN and MACVTAP Support
1712              Modify list of allowed macaddr for link in source mode.
1713
              ip link set type { macvlan | macvtap } [ macaddr COMMAND MACADDR
              ...  ]
1716
1717              Commands:
1718                      add - add MACADDR to allowed list
1719
1720                      set - replace allowed list
1721
1722                      del - remove MACADDR from allowed list
1723
1724                      flush - flush whole allowed list
1725
1726
1727              Update the broadcast/multicast queue length.
1728
              ip link set type { macvlan | macvtap } [ bcqueuelen  LENGTH ]
1730
1731                      bcqueuelen LENGTH - Set the length of the RX queue used
1732                      to process broadcast and multicast packets.  LENGTH must
1733                      be a positive integer in the range [0-4294967295].  Set‐
1734                      ting a length of 0 will effectively drop all broad‐
1735                      cast/multicast traffic.  If not specified the macvlan
1736                      driver default (1000) is used.  Note that all macvlans
1737                      that share the same underlying device are using the same
1738                      queue. The parameter here is a request, the actual queue
1739                      length used will be the maximum length that any macvlan
1740                      interface has requested.  When listing device parameters
1741                      both the bcqueuelen parameter as well as the actual used
1742                      bcqueuelen are listed to better help the user understand
1743                      the setting.
1744
1745
1746   ip link show - display device attributes
1747       dev NAME (default)
1748              NAME specifies the network device to show.
1749
1750
1751       group GROUP
1752              GROUP specifies what group of devices to show.
1753
1754
1755       up     only display running interfaces.
1756
1757
1758       master DEVICE
1759              DEVICE specifies the master device which enslaves devices to
1760              show.
1761
1762
1763       vrf NAME
1764              NAME specifies the VRF which enslaves devices to show.
1765
1766
1767       type TYPE
1768              TYPE specifies the type of devices to show.
1769
1770              Note that the type name is not checked against the list of sup‐
1771              ported types - instead it is sent as-is to the kernel. Later it
1772              is used to filter the returned interface list by comparing it
1773              with the relevant attribute in case the kernel didn't filter al‐
1774              ready. Therefore any string is accepted, but may lead to empty
1775              output.
1776
1777
1778       nomaster
1779              only show devices with no master
1780
1781
1782   ip link xstats - display extended statistics
1783       type TYPE
1784              TYPE specifies the type of devices to display extended statis‐
1785              tics for.
1786
1787
1788   ip link afstats - display address-family specific statistics
1789       dev DEVICE
1790              DEVICE specifies the device to display address-family statistics
1791              for.
1792
1793
1794   ip link help - display help
1795       TYPE specifies which help of link type to display.
1796
1797
1798   GROUP
1799       may be a number or a string from the file /etc/iproute2/group which can
1800       be manually filled.
1801
1802

EXAMPLES

1804       ip link show
1805           Shows the state of all network interfaces on the system.
1806
1807       ip link show type bridge
1808           Shows the bridge devices.
1809
1810       ip link show type vlan
1811           Shows the vlan devices.
1812
       ip link show master br0
           Shows devices enslaved by br0.

       ip link set dev ppp0 mtu 1400
           Change the MTU of the ppp0 device.
1818
1819       ip link add link eth0 name eth0.10 type vlan id 10
1820           Creates a new vlan device eth0.10 on device eth0.
1821
1822       ip link delete dev eth0.10
1823           Removes vlan device.
1824
1825       ip link help gre
1826           Display help for the gre link type.
1827
       ip link add name tun1 type ipip remote 192.168.1.1 local 192.168.1.2
       ttl 225 encap gue encap-sport auto encap-dport 5555 encap-csum
       encap-remcsum
           Creates an IPIP tunnel that is encapsulated with Generic UDP
           Encapsulation, and the outer UDP checksum and remote checksum
           offload are enabled.
1834
       ip link set dev eth0 xdp obj prog.o
           Attaches an XDP/BPF program to device eth0, where the program is
           located in prog.o, section "prog" (default section). In case an
           XDP/BPF program is already attached, throw an error.

       ip -force link set dev eth0 xdp obj prog.o sec foo
           Attaches an XDP/BPF program to device eth0, where the program is
           located in prog.o, section "foo". In case an XDP/BPF program is
           already attached, it will be overridden by the new one.

       ip -force link set dev eth0 xdp pinned /sys/fs/bpf/foo
           Attaches an XDP/BPF program to device eth0, where the program was
           previously pinned as an object node into BPF file system under name
           foo.

       ip link set dev eth0 xdp off
           If an XDP/BPF program is attached on device eth0, detach it and
           effectively turn off XDP for device eth0.
1853
1854       ip link add link wpan0 lowpan0 type lowpan
1855           Creates a 6LoWPAN interface named lowpan0 on the underlying IEEE
1856           802.15.4 device wpan0.
1857
       ip link add dev ip6erspan11 type ip6erspan seq key 102 local
       fc00:100::2 remote fc00:100::1 erspan_ver 2 erspan_dir ingress
       erspan_hwid 17
           Creates an IP6ERSPAN version 2 interface named ip6erspan11.
1862
1863

SEE ALSO

1865       ip(8), ip-netns(8), ethtool(8), iptables(8)
1866
1867

AUTHOR

1869       Original Manpage by Michail Litvak <mci@owl.openwall.com>
1870
1871
1872
1873iproute2                          13 Dec 2012                       IP-LINK(8)