1SYSTEMD.NETWORK(5)              systemd.network             SYSTEMD.NETWORK(5)
2
3
4

NAME

6       systemd.network - Network configuration
7

SYNOPSIS

9       network.network
10

DESCRIPTION

12       A plain ini-style text file that encodes network configuration for
13       matching network interfaces, used by systemd-networkd(8). See
14       systemd.syntax(7) for a general description of the syntax.
15
16       The main network file must have the extension .network; other
17       extensions are ignored. Networks are applied to links whenever the
18       links appear.
19
20       The .network files are read from the files located in the system
21       network directories /usr/lib/systemd/network and
22       /usr/local/lib/systemd/network, the volatile runtime network directory
23       /run/systemd/network and the local administration network directory
24       /etc/systemd/network. All configuration files are collectively sorted
25       and processed in alphanumeric order, regardless of the directories in
26       which they live. However, files with identical filenames replace each
27       other. It is recommended that each filename is prefixed with a number
28       (e.g.  10-eth0.network). Otherwise, the default .network files or those
29       generated by systemd-network-generator.service(8) may take precedence
30       over user configured files. Files in /etc/ have the highest priority,
31       files in /run/ take precedence over files with the same name under
32       /usr/. This can be used to override a system-supplied configuration
33       file with a local file if needed. As a special case, an empty file
34       (file size 0) or symlink with the same name pointing to /dev/null
35       disables the configuration file entirely (it is "masked").
36
37       Along with the network file foo.network, a "drop-in" directory
38       foo.network.d/ may exist. All files with the suffix ".conf" from this
39       directory will be merged in the alphanumeric order and parsed after the
40       main file itself has been parsed. This is useful to alter or add
41       configuration settings, without having to modify the main configuration
42       file. Each drop-in file must have appropriate section headers.
43
44       In addition to /etc/systemd/network, drop-in ".d" directories can be
45       placed in /usr/lib/systemd/network or /run/systemd/network directories.
46       Drop-in files in /etc/ take precedence over those in /run/ which in
47       turn take precedence over those in /usr/lib/. Drop-in files under any
48       of these directories take precedence over the main network file
49       wherever located.
50

[MATCH] SECTION OPTIONS

52       The network file contains a [Match] section, which determines if a
53       given network file may be applied to a given interface; and a [Network]
54       section specifying how the interface should be configured. The first
55       (in alphanumeric order) of the network files that matches a given
56       interface is applied, all later files are ignored, even if they match
57       as well.
58
59       A network file is said to match a network interface if all matches
60       specified by the [Match] section are satisfied. When a network file
61       does not contain valid settings in [Match] section, then the file will
62       match all interfaces and systemd-networkd warns about that. Hint: to
63       avoid the warning and to make it clear that all interfaces shall be
64       matched, add the following:
65
66           Name=*
67
68       The following keys are accepted:
69
70       MACAddress=
71           A whitespace-separated list of hardware addresses. The acceptable
72           formats are:
73
74           colon-delimited hexadecimal
75               Each field must be one byte. E.g.  "12:34:56:78:90:ab" or
76               "AA:BB:CC:DD:EE:FF".
77
78           hyphen-delimited hexadecimal
79               Each field must be one byte. E.g.  "12-34-56-78-90-ab" or
80               "AA-BB-CC-DD-EE-FF".
81
82           dot-delimited hexadecimal
83               Each field must be two bytes. E.g.  "1234.5678.90ab" or
84               "AABB.CCDD.EEFF".
85
86           IPv4 address format
87               E.g.  "127.0.0.1" or "192.168.0.1".
88
89           IPv6 address format
90               E.g.  "2001:0db8:85a3::8a2e:0370:7334" or "::1".
91
92           The total length of each MAC address must be 4 (for IPv4 tunnel), 6
93           (for Ethernet), 16 (for IPv6 tunnel), or 20 (for InfiniBand). This
94           option may appear more than once, in which case the lists are
95           merged. If the empty string is assigned to this option, the list of
96           hardware addresses defined prior to this is reset. Defaults to
97           unset.
98
99       PermanentMACAddress=
100           A whitespace-separated list of hardware's permanent addresses.
101           While MACAddress= matches the device's current MAC address, this
102           matches the device's permanent MAC address, which may be different
103           from the current one. Use full colon-, hyphen- or dot-delimited
104           hexadecimal, or IPv4 or IPv6 address format. This option may appear
105           more than once, in which case the lists are merged. If the empty
106           string is assigned to this option, the list of hardware addresses
107           defined prior to this is reset. Defaults to unset.
108
109       Path=
110           A whitespace-separated list of shell-style globs matching the
111           persistent path, as exposed by the udev property ID_PATH.
112
113       Driver=
114           A whitespace-separated list of shell-style globs matching the
115           driver currently bound to the device, as exposed by the udev
116           property ID_NET_DRIVER of its parent device, or if that is not set,
117           the driver as exposed by ethtool -i of the device itself. If the
118           list is prefixed with a "!", the test is inverted.
119
120       Type=
121           A whitespace-separated list of shell-style globs matching the
122           device type, as exposed by networkctl list. If the list is prefixed
123           with a "!", the test is inverted. Some valid values are "ether",
124           "loopback", "wlan", "wwan". Valid types are named either from the
125           udev "DEVTYPE" attribute, or "ARPHRD_" macros in linux/if_arp.h, so
126           this is not comprehensive.
127
128       Kind=
129           A whitespace-separated list of shell-style globs matching the
130           device kind, as exposed by networkctl status INTERFACE or ip -d
131           link show INTERFACE. If the list is prefixed with a "!", the test
132           is inverted. Some valid values are "bond", "bridge", "gre", "tun",
133           "veth". Valid kinds are given by netlink's "IFLA_INFO_KIND"
134           attribute, so this is not comprehensive.
135
136       Property=
137           A whitespace-separated list of udev property names with their
138           values after equals sign ("="). If multiple properties are
139           specified, the test results are ANDed. If the list is prefixed with
140           a "!", the test is inverted. If a value contains white spaces, then
141           please quote whole key and value pair. If a value contains
142           quotation, then please escape the quotation with "\".
143
144           Example: if a .link file has the following:
145
146               Property=ID_MODEL_ID=9999 "ID_VENDOR_FROM_DATABASE=vendor name" "KEY=with \"quotation\""
147
148           then, the .link file matches only when an interface has all the
149           above three properties.
150
151       Name=
152           A whitespace-separated list of shell-style globs matching the
153           device name, as exposed by the udev property "INTERFACE", or
154           device's alternative names. If the list is prefixed with a "!", the
155           test is inverted.
156
157       WLANInterfaceType=
158           A whitespace-separated list of wireless network type. Supported
159           values are "ad-hoc", "station", "ap", "ap-vlan", "wds", "monitor",
160           "mesh-point", "p2p-client", "p2p-go", "p2p-device", "ocb", and
161           "nan". If the list is prefixed with a "!", the test is inverted.
162
163       SSID=
164           A whitespace-separated list of shell-style globs matching the SSID
165           of the currently connected wireless LAN. If the list is prefixed
166           with a "!", the test is inverted.
167
168       BSSID=
169           A whitespace-separated list of hardware address of the currently
170           connected wireless LAN. Use full colon-, hyphen- or dot-delimited
171           hexadecimal. See the example in MACAddress=. This option may appear
172           more than once, in which case the lists are merged. If the empty
173           string is assigned to this option, the list is reset.
174
175       Host=
176           Matches against the hostname or machine ID of the host. See
177           ConditionHost= in systemd.unit(5) for details. When prefixed with
178           an exclamation mark ("!"), the result is negated. If an empty
179           string is assigned, the previously assigned value is cleared.
180
181       Virtualization=
182           Checks whether the system is executed in a virtualized environment
183           and optionally test whether it is a specific implementation. See
184           ConditionVirtualization= in systemd.unit(5) for details. When
185           prefixed with an exclamation mark ("!"), the result is negated. If
186           an empty string is assigned, the previously assigned value is
187           cleared.
188
189       KernelCommandLine=
190           Checks whether a specific kernel command line option is set. See
191           ConditionKernelCommandLine= in systemd.unit(5) for details. When
192           prefixed with an exclamation mark ("!"), the result is negated. If
193           an empty string is assigned, the previously assigned value is
194           cleared.
195
196       KernelVersion=
197           Checks whether the kernel version (as reported by uname -r) matches
198           a certain expression. See ConditionKernelVersion= in
199           systemd.unit(5) for details. When prefixed with an exclamation mark
200           ("!"), the result is negated. If an empty string is assigned, the
201           previously assigned value is cleared.
202
203       Credential=
204           Checks whether the specified credential was passed to the
205           systemd-udevd.service service. See System and Service
206           Credentials[1] for details. When prefixed with an exclamation mark
207           ("!"), the result is negated. If an empty string is assigned, the
208           previously assigned value is cleared.
209
210       Architecture=
211           Checks whether the system is running on a specific architecture.
212           See ConditionArchitecture= in systemd.unit(5) for details. When
213           prefixed with an exclamation mark ("!"), the result is negated. If
214           an empty string is assigned, the previously assigned value is
215           cleared.
216
217       Firmware=
218           Checks whether the system is running on a machine with the
219           specified firmware. See ConditionFirmware= in systemd.unit(5) for
220           details. When prefixed with an exclamation mark ("!"), the result
221           is negated. If an empty string is assigned, the previously assigned
222           value is cleared.
223

[LINK] SECTION OPTIONS

225       The [Link] section accepts the following keys:
226
227       MACAddress=
228           The hardware address to set for the device.
229
230       MTUBytes=
231           The maximum transmission unit in bytes to set for the device. The
232           usual suffixes K, M, G, are supported and are understood to the
233           base of 1024.
234
235           Note that if IPv6 is enabled on the interface, and the MTU is
236           chosen below 1280 (the minimum MTU for IPv6) it will automatically
237           be increased to this value.
238
239       ARP=
240           Takes a boolean. If set to true, the ARP (low-level Address
241           Resolution Protocol) for this interface is enabled. When unset, the
242           kernel's default will be used.
243
244           For example, disabling ARP is useful when creating multiple MACVLAN
245           or VLAN virtual interfaces atop a single lower-level physical
246           interface, which will then only serve as a link/"bridge" device
247           aggregating traffic to the same physical link and not participate
248           in the network otherwise. Defaults to unset.
249
250       Multicast=
251           Takes a boolean. If set to true, the multicast flag on the device
252           is enabled. Defaults to unset.
253
254       AllMulticast=
255           Takes a boolean. If set to true, the driver retrieves all multicast
256           packets from the network. This happens when multicast routing is
257           enabled. Defaults to unset.
258
259       Promiscuous=
260           Takes a boolean. If set to true, promiscuous mode of the interface
261           is enabled. Defaults to unset.
262
263           If this is set to false for the underlying link of a "passthru"
264           mode MACVLAN/MACVTAP, the virtual interface will be created with
265           the "nopromisc" flag set.
266
267       Unmanaged=
268           Takes a boolean. When "yes", no attempts are made to bring up or
269           configure matching links, equivalent to when there are no matching
270           network files. Defaults to "no".
271
272           This is useful for preventing later matching network files from
273           interfering with certain interfaces that are fully controlled by
274           other applications.
275
276       Group=
277           Link groups are similar to port ranges found in managed switches.
278           When network interfaces are added to a numbered group, operations
279           on all the interfaces from that group can be performed at once.
280           Takes an unsigned integer in the range 0...2147483647. Defaults to
281           unset.
282
283       RequiredForOnline=
284           Takes a boolean or a minimum operational state and an optional
285           maximum operational state. Please see networkctl(1) for possible
286           operational states. When "yes", the network is deemed required when
287           determining whether the system is online (including when running
288           systemd-networkd-wait-online). When "no", the network is ignored
289           when determining the online state. When a minimum operational state
290           and an optional maximum operational state are set, "yes" is
291           implied, and this controls the minimum and maximum operational
292           state required for the network interface to be considered online.
293
294           Defaults to "yes" when ActivationPolicy= is not set, or set to
295           "up", "always-up", or "bound". Defaults to "no" when
296           ActivationPolicy= is set to "manual" or "down". This is forced to
297           "no" when ActivationPolicy= is set to "always-down".
298
299           The network will be brought up normally (as configured by
300           ActivationPolicy=), but in the event that there is no address being
301           assigned by DHCP or the cable is not plugged in, the link will
302           simply remain offline and be skipped automatically by
303           systemd-networkd-wait-online if "RequiredForOnline=no".
304
305       RequiredFamilyForOnline=
306           Takes an address family. When specified, an IP address in the given
307           family is deemed required when determining whether the link is
308           online (including when running systemd-networkd-wait-online). Takes
309           one of "ipv4", "ipv6", "both", or "any". Defaults to "any". Note
310           that this option has no effect if "RequiredForOnline=no", or if
311           "RequiredForOnline=" specifies a minimum operational state below
312           "degraded".
313
314       ActivationPolicy=
315           Specifies the policy for systemd-networkd managing the link
316           administrative state. Specifically, this controls how
317           systemd-networkd changes the network device's "IFF_UP" flag, which
318           is sometimes controlled by system administrators by running e.g.,
319           ip link set dev eth0 up or ip link set dev eth0 down, and can also
320           be changed with networkctl up eth0 or networkctl down eth0.
321
322           Takes one of "up", "always-up", "manual", "always-down", "down", or
323           "bound". When "manual", systemd-networkd will not change the link's
324           admin state automatically; the system administrator must bring the
325           interface up or down manually, as desired. When "up" (the default)
326           or "always-up", or "down" or "always-down", systemd-networkd will
327           set the link up or down, respectively, when the interface is
328           (re)configured. When "always-up" or "always-down", systemd-networkd
329           will set the link up or down, respectively, any time
330           systemd-networkd detects a change in the administrative state. When
331           BindCarrier= is also set, this is automatically set to "bound" and
332           any other value is ignored.
333
334           When the policy is set to "down" or "manual", the default value of
335           RequiredForOnline= is "no". When the policy is set to
336           "always-down", the value of RequiredForOnline= forced to "no".
337
338           The administrative state is not the same as the carrier state, so
339           using "always-up" does not mean the link will never lose carrier.
340           The link carrier depends on both the administrative state as well
341           as the network device's physical connection. However, to avoid
342           reconfiguration failures, when using "always-up",
343           IgnoreCarrierLoss= is forced to true.
344

[SR-IOV] SECTION OPTIONS

346       The [SR-IOV] section accepts the following keys. Specify several
347       [SR-IOV] sections to configure several SR-IOVs. SR-IOV provides the
348       ability to partition a single physical PCI resource into virtual PCI
349       functions which can then be injected into a VM. In the case of network
350       VFs, SR-IOV improves north-south network performance (that is, traffic
351       with endpoints outside the host machine) by allowing traffic to bypass
352       the host machine’s network stack.
353
354       VirtualFunction=
355           Specifies a Virtual Function (VF), lightweight PCIe function
356           designed solely to move data in and out. Takes an integer in the
357           range 0...2147483646. This option is compulsory.
358
359       VLANId=
360           Specifies VLAN ID of the virtual function. Takes an integer in the
361           range 1...4095.
362
363       QualityOfService=
364           Specifies quality of service of the virtual function. Takes an
365           integer in the range 1...4294967294.
366
367       VLANProtocol=
368           Specifies VLAN protocol of the virtual function. Takes "802.1Q" or
369           "802.1ad".
370
371       MACSpoofCheck=
372           Takes a boolean. Controls the MAC spoof checking. When unset, the
373           kernel's default will be used.
374
375       QueryReceiveSideScaling=
376           Takes a boolean. Toggle the ability of querying the receive side
377           scaling (RSS) configuration of the virtual function (VF). The VF
378           RSS information like RSS hash key may be considered sensitive on
379           some devices where this information is shared between VF and the
380           physical function (PF). When unset, the kernel's default will be
381           used.
382
383       Trust=
384           Takes a boolean. Allows one to set trust mode of the virtual
385           function (VF). When set, VF users can set a specific feature which
386           may impact security and/or performance. When unset, the kernel's
387           default will be used.
388
389       LinkState=
390           Allows one to set the link state of the virtual function (VF).
391           Takes a boolean or a special value "auto". Setting to "auto" means
392           a reflection of the physical function (PF) link state, "yes" lets
393           the VF to communicate with other VFs on this host even if the PF
394           link state is down, "no" causes the hardware to drop any packets
395           sent by the VF. When unset, the kernel's default will be used.
396
397       MACAddress=
398           Specifies the MAC address for the virtual function.
399

[NETWORK] SECTION OPTIONS

401       The [Network] section accepts the following keys:
402
403       Description=
404           A description of the device. This is only used for presentation
405           purposes.
406
407       DHCP=
408           Enables DHCPv4 and/or DHCPv6 client support. Accepts "yes", "no",
409           "ipv4", or "ipv6". Defaults to "no".
410
411           Note that DHCPv6 will by default be triggered by Router
412           Advertisements, if reception is enabled, regardless of this
413           parameter. By explicitly enabling DHCPv6 support here, the DHCPv6
414           client will be started in the mode specified by the WithoutRA=
415           setting in the [DHCPv6] section, regardless of the presence of
416           routers on the link, or what flags the routers pass. See
417           IPv6AcceptRA=.
418
419           Furthermore, note that by default the domain name specified through
420           DHCP is not used for name resolution. See option UseDomains= below.
421
422           See the [DHCPv4] or [DHCPv6] sections below for further
423           configuration options for the DHCP client support.
424
425       DHCPServer=
426           Takes a boolean. If set to "yes", DHCPv4 server will be started.
427           Defaults to "no". Further settings for the DHCP server may be set
428           in the [DHCPServer] section described below.
429
430       LinkLocalAddressing=
431           Enables link-local address autoconfiguration. Accepts yes, no,
432           ipv4, and ipv6. An IPv6 link-local address is configured when yes
433           or ipv6. An IPv4 link-local address is configured when yes or ipv4
434           and when DHCPv4 autoconfiguration has been unsuccessful for some
435           time. (IPv4 link-local address autoconfiguration will usually
436           happen in parallel with repeated attempts to acquire a DHCPv4
437           lease).
438
439           Defaults to no when KeepMaster= or Bridge= is set or when the
440           specified MACVLAN=/MACVTAP= has Mode=passthru, or ipv6 otherwise.
441
442       IPv6LinkLocalAddressGenerationMode=
443           Specifies how IPv6 link-local address is generated. Takes one of
444           "eui64", "none", "stable-privacy" and "random". When unset,
445           "stable-privacy" is used if IPv6StableSecretAddress= is specified,
446           and if not, "eui64" is used. Note that if LinkLocalAddressing= is
447           "no" or "ipv4", then IPv6LinkLocalAddressGenerationMode= will be
448           ignored. Also, even if LinkLocalAddressing= is "yes" or "ipv6",
449           setting IPv6LinkLocalAddressGenerationMode=none disables to
450           configure an IPv6 link-local address.
451
452       IPv6StableSecretAddress=
453           Takes an IPv6 address. The specified address will be used as a
454           stable secret for generating IPv6 link-local address. If this
455           setting is specified, and IPv6LinkLocalAddressGenerationMode= is
456           unset, then IPv6LinkLocalAddressGenerationMode=stable-privacy is
457           implied. If this setting is not specified, and "stable-privacy" is
458           set to IPv6LinkLocalAddressGenerationMode=, then a stable secret
459           address will be generated from the local machine ID and the
460           interface name.
461
462       IPv4LLStartAddress=
463           Specifies the first IPv4 link-local address to try. Takes an IPv4
464           address for example 169.254.1.2, from the link-local address range:
465           169.254.0.0/16 except for 169.254.0.0/24 and 169.254.255.0/24. This
466           setting may be useful if the device should always have the same
467           address as long as there is no address conflict. When unset, a
468           random address will be automatically selected. Defaults to unset.
469
470       IPv4LLRoute=
471           Takes a boolean. If set to true, sets up the route needed for
472           non-IPv4LL hosts to communicate with IPv4LL-only hosts. Defaults to
473           false.
474
475       DefaultRouteOnDevice=
476           Takes a boolean. If set to true, sets up the IPv4 default route
477           bound to the interface. Defaults to false. This is useful when
478           creating routes on point-to-point interfaces. This is equivalent to
479           e.g. the following,
480
481               ip route add default dev veth99
482
483           or,
484
485               [Route]
486               Gateway=0.0.0.0
487
488           Currently, there are no way to specify e.g., the table for the
489           route configured by this setting. To configure the default route
490           with such an additional property, please use the following instead:
491
492               [Route]
493               Gateway=0.0.0.0
494               Table=1234
495
496           If you'd like to create an IPv6 default route bound to the
497           interface, please use the following:
498
499               [Route]
500               Gateway=::
501               Table=1234
502
503       LLMNR=
504           Takes a boolean or "resolve". When true, enables Link-Local
505           Multicast Name Resolution[2] on the link. When set to "resolve",
506           only resolution is enabled, but not host registration and
507           announcement. Defaults to true. This setting is read by systemd-
508           resolved.service(8).
509
510       MulticastDNS=
511           Takes a boolean or "resolve". When true, enables Multicast DNS[3]
512           support on the link. When set to "resolve", only resolution is
513           enabled, but not host or service registration and announcement.
514           Defaults to false. This setting is read by systemd-
515           resolved.service(8).
516
517       DNSOverTLS=
518           Takes a boolean or "opportunistic". When true, enables
519           DNS-over-TLS[4] support on the link. When set to "opportunistic",
520           compatibility with non-DNS-over-TLS servers is increased, by
521           automatically turning off DNS-over-TLS servers in this case. This
522           option defines a per-interface setting for resolved.conf(5)'s
523           global DNSOverTLS= option. Defaults to unset, and the global
524           setting will be used. This setting is read by systemd-
525           resolved.service(8).
526
527       DNSSEC=
528           Takes a boolean or "allow-downgrade". When true, enables DNSSEC[5]
529           DNS validation support on the link. When set to "allow-downgrade",
530           compatibility with non-DNSSEC capable networks is increased, by
531           automatically turning off DNSSEC in this case. This option defines
532           a per-interface setting for resolved.conf(5)'s global DNSSEC=
533           option. Defaults to unset, and the global setting will be used.
534           This setting is read by systemd-resolved.service(8).
535
536       DNSSECNegativeTrustAnchors=
537           A space-separated list of DNSSEC negative trust anchor domains. If
538           specified and DNSSEC is enabled, look-ups done via the interface's
539           DNS server will be subject to the list of negative trust anchors,
540           and not require authentication for the specified domains, or
541           anything below it. Use this to disable DNSSEC authentication for
542           specific private domains, that cannot be proven valid using the
543           Internet DNS hierarchy. Defaults to the empty list. This setting is
544           read by systemd-resolved.service(8).
545
546       LLDP=
547           Controls support for Ethernet LLDP packet reception. LLDP is a
548           link-layer protocol commonly implemented on professional routers
549           and bridges which announces which physical port a system is
550           connected to, as well as other related data. Accepts a boolean or
551           the special value "routers-only". When true, incoming LLDP packets
552           are accepted and a database of all LLDP neighbors maintained. If
553           "routers-only" is set only LLDP data of various types of routers is
554           collected and LLDP data about other types of devices ignored (such
555           as stations, telephones and others). If false, LLDP reception is
556           disabled. Defaults to "routers-only". Use networkctl(1) to query
557           the collected neighbor data. LLDP is only available on Ethernet
558           links. See EmitLLDP= below for enabling LLDP packet emission from
559           the local system.
560
561       EmitLLDP=
562           Controls support for Ethernet LLDP packet emission. Accepts a
563           boolean parameter or the special values "nearest-bridge",
564           "non-tpmr-bridge" and "customer-bridge". Defaults to false, which
565           turns off LLDP packet emission. If not false, a short LLDP packet
566           with information about the local system is sent out in regular
567           intervals on the link. The LLDP packet will contain information
568           about the local hostname, the local machine ID (as stored in
569           machine-id(5)) and the local interface name, as well as the pretty
570           hostname of the system (as set in machine-info(5)). LLDP emission
571           is only available on Ethernet links. Note that this setting passes
572           data suitable for identification of host to the network and should
573           thus not be enabled on untrusted networks, where such
574           identification data should not be made available. Use this option
575           to permit other systems to identify on which interfaces they are
576           connected to this system. The three special values control
577           propagation of the LLDP packets. The "nearest-bridge" setting
578           permits propagation only to the nearest connected bridge,
579           "non-tpmr-bridge" permits propagation across Two-Port MAC Relays,
580           but not any other bridges, and "customer-bridge" permits
581           propagation until a customer bridge is reached. For details about
582           these concepts, see IEEE 802.1AB-2016[6]. Note that configuring
583           this setting to true is equivalent to "nearest-bridge", the
584           recommended and most restricted level of propagation. See LLDP=
585           above for an option to enable LLDP reception.
586
587       BindCarrier=
588           A link name or a list of link names. When set, controls the
589           behavior of the current link. When all links in the list are in an
590           operational down state, the current link is brought down. When at
591           least one link has carrier, the current interface is brought up.
592
593           This forces ActivationPolicy= to be set to "bound".
594
595       Address=
596           A static IPv4 or IPv6 address and its prefix length, separated by a
597           "/" character. Specify this key more than once to configure several
598           addresses. The format of the address must be as described in
599           inet_pton(3). This is a short-hand for an [Address] section only
600           containing an Address key (see below). This option may be specified
601           more than once.
602
603           If the specified address is "0.0.0.0" (for IPv4) or "::" (for
604           IPv6), a new address range of the requested size is automatically
605           allocated from a system-wide pool of unused ranges. Note that the
606           prefix length must be equal or larger than 8 for IPv4, and 64 for
607           IPv6. The allocated range is checked against all current network
608           interfaces and all known network configuration files to avoid
609           address range conflicts. The default system-wide pool consists of
610           192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8 for IPv4, and fd00::/8
611           for IPv6. This functionality is useful to manage a large number of
612           dynamically created network interfaces with the same network
613           configuration and automatic address range assignment.
614
615       Gateway=
616           The gateway address, which must be in the format described in
617           inet_pton(3). This is a short-hand for a [Route] section only
618           containing a Gateway= key. This option may be specified more than
619           once.
620
621       DNS=
622           A DNS server address, which must be in the format described in
623           inet_pton(3). This option may be specified more than once. Each
624           address can optionally take a port number separated with ":", a
625           network interface name or index separated with "%", and a Server
626           Name Indication (SNI) separated with "#". When IPv6 address is
627           specified with a port number, then the address must be in the
628           square brackets. That is, the acceptable full formats are
629           "111.222.333.444:9953%ifname#example.com" for IPv4 and
630           "[1111:2222::3333]:9953%ifname#example.com" for IPv6. If an empty
631           string is assigned, then the all previous assignments are cleared.
632           This setting is read by systemd-resolved.service(8).
633
634       Domains=
635           A whitespace-separated list of domains which should be resolved
636           using the DNS servers on this link. Each item in the list should be
637           a domain name, optionally prefixed with a tilde ("~"). The domains
638           with the prefix are called "routing-only domains". The domains
639           without the prefix are called "search domains" and are first used
640           as search suffixes for extending single-label hostnames (hostnames
641           containing no dots) to become fully qualified domain names (FQDNs).
642           If a single-label hostname is resolved on this interface, each of
643           the specified search domains are appended to it in turn, converting
644           it into a fully qualified domain name, until one of them may be
645           successfully resolved.
646
647           Both "search" and "routing-only" domains are used for routing of
648           DNS queries: look-ups for hostnames ending in those domains (hence
649           also single label names, if any "search domains" are listed), are
650           routed to the DNS servers configured for this interface. The domain
651           routing logic is particularly useful on multi-homed hosts with DNS
652           servers serving particular private DNS zones on each interface.
653
654           The "routing-only" domain "~."  (the tilde indicating definition of
655           a routing domain, the dot referring to the DNS root domain which is
656           the implied suffix of all valid DNS names) has special effect. It
657           causes all DNS traffic which does not match another configured
658           domain routing entry to be routed to DNS servers specified for this
659           interface. This setting is useful to prefer a certain set of DNS
660           servers if a link on which they are connected is available.
661
662           This setting is read by systemd-resolved.service(8). "Search
663           domains" correspond to the domain and search entries in
664           resolv.conf(5). Domain name routing has no equivalent in the
665           traditional glibc API, which has no concept of domain name servers
666           limited to a specific link.
667
668       DNSDefaultRoute=
669           Takes a boolean argument. If true, this link's configured DNS
670           servers are used for resolving domain names that do not match any
671           link's configured Domains= setting. If false, this link's
672           configured DNS servers are never used for such domains, and are
673           exclusively used for resolving names that match at least one of the
674           domains configured on this link. If not specified defaults to an
675           automatic mode: queries not matching any link's configured domains
676           will be routed to this link if it has no routing-only domains
677           configured.
678
679       NTP=
680           An NTP server address (either an IP address, or a hostname). This
681           option may be specified more than once. This setting is read by
682           systemd-timesyncd.service(8).
683
684       IPForward=
685           Configures IP packet forwarding for the system. If enabled,
686           incoming packets on any network interface will be forwarded to any
687           other interfaces according to the routing table. Takes a boolean,
688           or the values "ipv4" or "ipv6", which only enable IP packet
689           forwarding for the specified address family. This controls the
690           net.ipv4.ip_forward and net.ipv6.conf.all.forwarding sysctl options
691           of the network interface (see IP Sysctl[7] for details about sysctl
692           options). Defaults to "no".
693
694           Note: this setting controls a global kernel option, and does so one
695           way only: if a network that has this setting enabled is set up the
696           global setting is turned on. However, it is never turned off again,
697           even after all networks with this setting enabled are shut down
698           again.
699
700           To allow IP packet forwarding only between specific network
701           interfaces use a firewall.
702
703       IPMasquerade=
704           Configures IP masquerading for the network interface. If enabled,
705           packets forwarded from the network interface will be appear as
706           coming from the local host. Takes one of "ipv4", "ipv6", "both", or
707           "no". Defaults to "no". If enabled, this automatically sets
708           IPForward= to one of "ipv4", "ipv6" or "yes".
709
710           Note. Any positive boolean values such as "yes" or "true" are now
711           deprecated. Please use one of the values in the above.
712
713       IPv6PrivacyExtensions=
714           Configures use of stateless temporary addresses that change over
715           time (see RFC 4941[8], Privacy Extensions for Stateless Address
716           Autoconfiguration in IPv6). Takes a boolean or the special values
717           "prefer-public" and "kernel". When true, enables the privacy
718           extensions and prefers temporary addresses over public addresses.
719           When "prefer-public", enables the privacy extensions, but prefers
720           public addresses over temporary addresses. When false, the privacy
721           extensions remain disabled. When "kernel", the kernel's default
722           setting will be left in place. Defaults to "no".
723
724       IPv6AcceptRA=
725           Takes a boolean. Controls IPv6 Router Advertisement (RA) reception
726           support for the interface. If true, RAs are accepted; if false, RAs
727           are ignored. When RAs are accepted, they may trigger the start of
728           the DHCPv6 client if the relevant flags are set in the RA data, or
729           if no routers are found on the link. The default is to disable RA
730           reception for bridge devices or when IP forwarding is enabled, and
731           to enable it otherwise. Cannot be enabled on devices aggregated in
732           a bond device or when link-local addressing is disabled.
733
734           Further settings for the IPv6 RA support may be configured in the
735           [IPv6AcceptRA] section, see below.
736
737           Also see IP Sysctl[7] in the kernel documentation regarding
738           "accept_ra", but note that systemd's setting of 1 (i.e. true)
739           corresponds to kernel's setting of 2.
740
741           Note that kernel's implementation of the IPv6 RA protocol is always
742           disabled, regardless of this setting. If this option is enabled, a
743           userspace implementation of the IPv6 RA protocol is used, and the
744           kernel's own implementation remains disabled, since
745           systemd-networkd needs to know all details supplied in the
746           advertisements, and these are not available from the kernel if the
747           kernel's own implementation is used.
748
749       IPv6DuplicateAddressDetection=
750           Configures the amount of IPv6 Duplicate Address Detection (DAD)
751           probes to send. When unset, the kernel's default will be used.
752
753       IPv6HopLimit=
754           Configures IPv6 Hop Limit. For each router that forwards the
755           packet, the hop limit is decremented by 1. When the hop limit field
756           reaches zero, the packet is discarded. When unset, the kernel's
757           default will be used.
758
759       IPv4AcceptLocal=
760           Takes a boolean. Accept packets with local source addresses. In
761           combination with suitable routing, this can be used to direct
762           packets between two local interfaces over the wire and have them
763           accepted properly. When unset, the kernel's default will be used.
764
765       IPv4RouteLocalnet=
766           Takes a boolean. When true, the kernel does not consider loopback
767           addresses as martian source or destination while routing. This
768           enables the use of 127.0.0.0/8 for local routing purposes. When
769           unset, the kernel's default will be used.
770
771       IPv4ProxyARP=
772           Takes a boolean. Configures proxy ARP for IPv4. Proxy ARP is the
773           technique in which one host, usually a router, answers ARP requests
774           intended for another machine. By "faking" its identity, the router
775           accepts responsibility for routing packets to the "real"
776           destination. See RFC 1027[9]. When unset, the kernel's default will
777           be used.
778
779       IPv6ProxyNDP=
780           Takes a boolean. Configures proxy NDP for IPv6. Proxy NDP (Neighbor
781           Discovery Protocol) is a technique for IPv6 to allow routing of
782           addresses to a different destination when peers expect them to be
783           present on a certain physical link. In this case a router answers
784           Neighbour Advertisement messages intended for another machine by
785           offering its own MAC address as destination. Unlike proxy ARP for
786           IPv4, it is not enabled globally, but will only send Neighbour
787           Advertisement messages for addresses in the IPv6 neighbor proxy
788           table, which can also be shown by ip -6 neighbour show proxy.
789           systemd-networkd will control the per-interface `proxy_ndp` switch
790           for each configured interface depending on this option. When unset,
791           the kernel's default will be used.
792
793       IPv6ProxyNDPAddress=
794           An IPv6 address, for which Neighbour Advertisement messages will be
795           proxied. This option may be specified more than once.
796           systemd-networkd will add the IPv6ProxyNDPAddress= entries to the
797           kernel's IPv6 neighbor proxy table. This setting implies
798           IPv6ProxyNDP=yes but has no effect if IPv6ProxyNDP= has been set to
799           false. When unset, the kernel's default will be used.
800
801       IPv6SendRA=
802           Whether to enable or disable Router Advertisement sending on a
803           link. Takes a boolean value. When enabled, prefixes configured in
804           [IPv6Prefix] sections and routes configured in the
805           [IPv6RoutePrefix] sections are distributed as defined in the
806           [IPv6SendRA] section. If DHCPPrefixDelegation= is enabled, then the
807           delegated prefixes are also distributed. See DCHPPrefixDelegation=
808           setting and the [IPv6SendRA], [IPv6Prefix], [IPv6RoutePrefix], and
809           [DHCPPrefixDelegation] sections for more configuration options.
810
811       DHCPPrefixDelegation=
812           Takes a boolean value. When enabled, requests subnet prefixes on
813           another link via the DHCPv6 protocol or via the 6RD option in the
814           DHCPv4 protocol. An address within each delegated prefix will be
815           assigned, and the prefixes will be announced through IPv6 Router
816           Advertisement if IPv6SendRA= is enabled. This behaviour can be
817           configured in the [DHCPPrefixDelegation] section. Defaults to
818           disabled.
819
820       IPv6MTUBytes=
821           Configures IPv6 maximum transmission unit (MTU). An integer greater
822           than or equal to 1280 bytes. When unset, the kernel's default will
823           be used.
824
825       KeepMaster=
826           Takes a boolean value. When enabled, the current master interface
827           index will not be changed, and BatmanAdvanced=, Bond=, Bridge=, and
828           VRF= settings are ignored. This may be useful when a netdev with a
829           master interface is created by another program, e.g.  systemd-
830           nspawn(1). Defaults to false.
831
832       BatmanAdvanced=, Bond=, Bridge=, VRF=
833           The name of the B.A.T.M.A.N. Advanced, bond, bridge, or VRF
834           interface to add the link to. See systemd.netdev(5).
835
836       IPoIB=, IPVLAN=, IPVTAP=, MACsec=, MACVLAN=, MACVTAP=, Tunnel=, VLAN=,
837       VXLAN=, Xfrm=
838           The name of an IPoIB, IPVLAN, IPVTAP, MACsec, MACVLAN, MACVTAP,
839           tunnel, VLAN, VXLAN, or Xfrm to be created on the link. See
840           systemd.netdev(5). This option may be specified more than once.
841
842       ActiveSlave=
843           Takes a boolean. Specifies the new active slave. The "ActiveSlave="
844           option is only valid for following modes: "active-backup",
845           "balance-alb", and "balance-tlb". Defaults to false.
846
847       PrimarySlave=
848           Takes a boolean. Specifies which slave is the primary device. The
849           specified device will always be the active slave while it is
850           available. Only when the primary is off-line will alternate devices
851           be used. This is useful when one slave is preferred over another,
852           e.g. when one slave has higher throughput than another. The
853           "PrimarySlave=" option is only valid for following modes:
854           "active-backup", "balance-alb", and "balance-tlb". Defaults to
855           false.
856
857       ConfigureWithoutCarrier=
858           Takes a boolean. Allows networkd to configure a specific link even
859           if it has no carrier. Defaults to false. If enabled, and the
860           IgnoreCarrierLoss= setting is not explicitly set, then it is
861           enabled as well.
862
863       IgnoreCarrierLoss=
864           Takes a boolean or a timespan. When true, systemd-networkd retains
865           both the static and dynamic configuration of the interface even if
866           its carrier is lost. When false, systemd-networkd drops both the
867           static and dynamic configuration of the interface. When a timespan
868           is specified, systemd-networkd waits for the specified timespan,
869           and ignores the carrier loss if the link regain its carrier within
870           the timespan. Setting 0 seconds is equivalent to "no", and
871           "infinite" is equivalent to "yes".
872
873           Setting a finite timespan may be useful when e.g. in the following
874           cases:
875
876           •   A wireless interface connecting to a network which has multiple
877               access points with the same SSID.
878
879           •   Enslaving a wireless interface to a bond interface, which may
880               disconnect from the connected access point and causes its
881               carrier to be lost.
882
883           •   The driver of the interface resets when the MTU is changed.
884
885           When Bond= is specified to a wireless interface, defaults to 3
886           seconds. When the DHCPv4 client is enabled and UseMTU= in the
887           [DHCPv4] section enabled, defaults to 5 seconds. Otherwise,
888           defaults to the value specified with ConfigureWithoutCarrier=. When
889           ActivationPolicy= is set to "always-up", this is forced to "yes",
890           and ignored any user specified values.
891
892       KeepConfiguration=
893           Takes a boolean or one of "static", "dhcp-on-stop", "dhcp". When
894           "static", systemd-networkd will not drop static addresses and
895           routes on starting up process. When set to "dhcp-on-stop",
896           systemd-networkd will not drop addresses and routes on stopping the
897           daemon. When "dhcp", the addresses and routes provided by a DHCP
898           server will never be dropped even if the DHCP lease expires. This
899           is contrary to the DHCP specification, but may be the best choice
900           if, e.g., the root filesystem relies on this connection. The
901           setting "dhcp" implies "dhcp-on-stop", and "yes" implies "dhcp" and
902           "static". Defaults to "dhcp-on-stop" when systemd-networkd is
903           running in initrd, "yes" when the root filesystem is a network
904           filesystem, and "no" otherwise.
905

[ADDRESS] SECTION OPTIONS

907       An [Address] section accepts the following keys. Specify several
908       [Address] sections to configure several addresses.
909
910       Address=
911           As in the [Network] section. This setting is mandatory. Each
912           [Address] section can contain one Address= setting.
913
914       Peer=
915           The peer address in a point-to-point connection. Accepts the same
916           format as the Address= setting.
917
918       Broadcast=
919           Takes an IPv4 address or boolean value. The address must be in the
920           format described in inet_pton(3). If set to true, then the IPv4
921           broadcast address will be derived from the Address= setting. If set
922           to false, then the broadcast address will not be set. Defaults to
923           true, except for wireguard interfaces, where it default to false.
924
925       Label=
926           Specifies the label for the IPv4 address. The label must be a 7-bit
927           ASCII string with a length of 1...15 characters. Defaults to unset.
928
929       PreferredLifetime=
930           Allows the default "preferred lifetime" of the address to be
931           overridden. Only three settings are accepted: "forever",
932           "infinity", which is the default and means that the address never
933           expires, and "0", which means that the address is considered
934           immediately "expired" and will not be used, unless explicitly
935           requested. A setting of PreferredLifetime=0 is useful for addresses
936           which are added to be used only by a specific application, which is
937           then configured to use them explicitly.
938
939       Scope=
940           The scope of the address, which can be "global" (valid everywhere
941           on the network, even through a gateway), "link" (only valid on this
942           device, will not traverse a gateway) or "host" (only valid within
943           the device itself, e.g. 127.0.0.1) or an integer in the range
944           0...255. Defaults to "global".
945
946       RouteMetric=
947           The metric of the prefix route, which is pointing to the subnet of
948           the configured IP address, taking the configured prefix length into
949           account. Takes an unsigned integer in the range 0...4294967295.
950           When unset or set to 0, the kernel's default value is used. This
951           setting will be ignored when AddPrefixRoute= is false.
952
953       HomeAddress=
954           Takes a boolean. Designates this address the "home address" as
955           defined in RFC 6275[10]. Supported only on IPv6. Defaults to false.
956
957       DuplicateAddressDetection=
958           Takes one of "ipv4", "ipv6", "both", or "none". When "ipv4",
959           performs IPv4 Address Conflict Detection. See RFC 5227[11]. When
960           "ipv6", performs IPv6 Duplicate Address Detection. See RFC
961           4862[12]. Defaults to "ipv4" for IPv4 link-local addresses, "ipv6"
962           for IPv6 addresses, and "none" otherwise.
963
964       ManageTemporaryAddress=
965           Takes a boolean. If true the kernel manage temporary addresses
966           created from this one as template on behalf of Privacy Extensions
967           RFC 3041[13]. For this to become active, the use_tempaddr sysctl
968           setting has to be set to a value greater than zero. The given
969           address needs to have a prefix length of 64. This flag allows using
970           privacy extensions in a manually configured network, just like if
971           stateless auto-configuration was active. Defaults to false.
972
973       AddPrefixRoute=
974           Takes a boolean. When true, the prefix route for the address is
975           automatically added. Defaults to true.
976
977       AutoJoin=
978           Takes a boolean. Joining multicast group on ethernet level via ip
979           maddr command would not work if we have an Ethernet switch that
980           does IGMP snooping since the switch would not replicate multicast
981           packets on ports that did not have IGMP reports for the multicast
982           addresses. Linux vxlan interfaces created via ip link add vxlan or
983           networkd's netdev kind vxlan have the group option that enables
984           them to do the required join. By extending ip address command with
985           option "autojoin" we can get similar functionality for openvswitch
986           (OVS) vxlan interfaces as well as other tunneling mechanisms that
987           need to receive multicast traffic. Defaults to "no".
988
989       NetLabel=label
990           This setting provides a method for integrating static and dynamic
991           network configuration into Linux NetLabel[14] subsystem rules, used
992           by Linux Security Modules (LSMs)[15] for network access control.
993           The label, with suitable LSM rules, can be used to control
994           connectivity of (for example) a service with peers in the local
995           network. At least with SELinux, only the ingress can be controlled
996           but not egress. The benefit of using this setting is that it may be
997           possible to apply interface independent part of NetLabel
998           configuration at very early stage of system boot sequence, at the
999           time when the network interfaces are not available yet, with
1000           netlabelctl(8), and the per-interface configuration with
1001           systemd-networkd once the interfaces appear later. Currently this
1002           feature is only implemented for SELinux.
1003
1004           The option expects a single NetLabel label. The label must conform
1005           to lexical restrictions of LSM labels. When an interface is
1006           configured with IP addresses, the addresses and subnetwork masks
1007           will be appended to the NetLabel Fallback Peer Labeling[16] rules.
1008           They will be removed when the interface is deconfigured. Failures
1009           to manage the labels will be ignored.
1010
1011           Warning: Once labeling is enabled for network traffic, a lot of LSM
1012           access control points in Linux networking stack go from dormant to
1013           active. Care should be taken to avoid getting into a situation
1014           where for example remote connectivity is broken, when the security
1015           policy hasn't been updated to consider LSM per-packet access
1016           controls and no rules would allow any network traffic. Also note
1017           that additional configuration with netlabelctl(8) is needed.
1018
1019           Example:
1020
1021               [Address]
1022               NetLabel=system_u:object_r:localnet_peer_t:s0
1023
1024           With the example rules applying for interface "eth0", when the
1025           interface is configured with an IPv4 address of 10.0.0.123/8,
1026           systemd-networkd performs the equivalent of netlabelctl operation
1027
1028               netlabelctl unlbl add interface eth0 address:10.0.0.0/8 label:system_u:object_r:localnet_peer_t:s0
1029
1030           and the reverse operation when the IPv4 address is deconfigured.
1031           The configuration can be used with LSM rules; in case of SELinux to
1032           allow a SELinux domain to receive data from objects of SELinux
1033           "peer" class. For example:
1034
1035               type localnet_peer_t;
1036               allow my_server_t localnet_peer_t:peer recv;
1037
1038           The effect of the above configuration and rules (in absence of
1039           other rules as may be the case) is to only allow "my_server_t" (and
1040           nothing else) to receive data from local subnet 10.0.0.0/8 of
1041           interface "eth0".
1042

[NEIGHBOR] SECTION OPTIONS

1044       A [Neighbor] section accepts the following keys. The neighbor section
1045       adds a permanent, static entry to the neighbor table (IPv6) or ARP
1046       table (IPv4) for the given hardware address on the links matched for
1047       the network. Specify several [Neighbor] sections to configure several
1048       static neighbors.
1049
1050       Address=
1051           The IP address of the neighbor.
1052
1053       LinkLayerAddress=
1054           The link layer address (MAC address or IP address) of the neighbor.
1055

[IPV6ADDRESSLABEL] SECTION OPTIONS

1057       An [IPv6AddressLabel] section accepts the following keys. Specify
1058       several [IPv6AddressLabel] sections to configure several address
1059       labels. IPv6 address labels are used for address selection. See RFC
1060       3484[17]. Precedence is managed by userspace, and only the label itself
1061       is stored in the kernel.
1062
1063       Label=
1064           The label for the prefix, an unsigned integer in the range
1065           0...4294967294. 0xffffffff is reserved. This setting is mandatory.
1066
1067       Prefix=
1068           IPv6 prefix is an address with a prefix length, separated by a
1069           slash "/" character. This setting is mandatory.
1070

[ROUTINGPOLICYRULE] SECTION OPTIONS

1072       An [RoutingPolicyRule] section accepts the following settings. Specify
1073       several [RoutingPolicyRule] sections to configure several rules.
1074
1075       TypeOfService=
1076           Takes a number between 0 and 255 that specifies the type of service
1077           to match.
1078
1079       From=
1080           Specifies the source address prefix to match. Possibly followed by
1081           a slash and the prefix length.
1082
1083       To=
1084           Specifies the destination address prefix to match. Possibly
1085           followed by a slash and the prefix length.
1086
1087       FirewallMark=
1088           Specifies the iptables firewall mark value to match (a number in
1089           the range 1...4294967295). Optionally, the firewall mask (also a
1090           number between 1...4294967295) can be suffixed with a slash ("/"),
1091           e.g., "7/255".
1092
1093       Table=
1094           Specifies the routing table identifier to look up if the rule
1095           selector matches. Takes one of predefined names "default", "main",
1096           and "local", and names defined in RouteTable= in networkd.conf(5),
1097           or a number between 1 and 4294967295. Defaults to "main".
1098
1099       Priority=
1100           Specifies the priority of this rule.  Priority= is an integer in
1101           the range 0...4294967295. Higher number means lower priority, and
1102           rules get processed in order of increasing number. Defaults to
1103           unset, and the kernel will pick a value dynamically.
1104
1105       IncomingInterface=
1106           Specifies incoming device to match. If the interface is loopback,
1107           the rule only matches packets originating from this host.
1108
1109       OutgoingInterface=
1110           Specifies the outgoing device to match. The outgoing interface is
1111           only available for packets originating from local sockets that are
1112           bound to a device.
1113
1114       SourcePort=
1115           Specifies the source IP port or IP port range match in forwarding
1116           information base (FIB) rules. A port range is specified by the
1117           lower and upper port separated by a dash. Defaults to unset.
1118
1119       DestinationPort=
1120           Specifies the destination IP port or IP port range match in
1121           forwarding information base (FIB) rules. A port range is specified
1122           by the lower and upper port separated by a dash. Defaults to unset.
1123
1124       IPProtocol=
1125           Specifies the IP protocol to match in forwarding information base
1126           (FIB) rules. Takes IP protocol name such as "tcp", "udp" or "sctp",
1127           or IP protocol number such as "6" for "tcp" or "17" for "udp".
1128           Defaults to unset.
1129
1130       InvertRule=
1131           A boolean. Specifies whether the rule is to be inverted. Defaults
1132           to false.
1133
1134       Family=
1135           Takes a special value "ipv4", "ipv6", or "both". By default, the
1136           address family is determined by the address specified in To= or
1137           From=. If neither To= nor From= are specified, then defaults to
1138           "ipv4".
1139
1140       User=
1141           Takes a username, a user ID, or a range of user IDs separated by a
1142           dash. Defaults to unset.
1143
1144       SuppressPrefixLength=
1145           Takes a number N in the range 0...128 and rejects routing decisions
1146           that have a prefix length of N or less. Defaults to unset.
1147
1148       SuppressInterfaceGroup=
1149           Takes an integer in the range 0...2147483647 and rejects routing
1150           decisions that have an interface with the same group id. It has the
1151           same meaning as suppress_ifgroup in ip rule. Defaults to unset.
1152
1153       Type=
1154           Specifies Routing Policy Database (RPDB) rule type. Takes one of
1155           "blackhole", "unreachable" or "prohibit".
1156

[NEXTHOP] SECTION OPTIONS

1158       The [NextHop] section is used to manipulate entries in the kernel's
1159       "nexthop" tables. The [NextHop] section accepts the following settings.
1160       Specify several [NextHop] sections to configure several hops.
1161
1162       Id=
1163           The id of the next hop. Takes an integer in the range
1164           1...4294967295. If unspecified, then automatically chosen by
1165           kernel.
1166
1167       Gateway=
1168           As in the [Network] section.
1169
1170       Family=
1171           Takes one of the special values "ipv4" or "ipv6". By default, the
1172           family is determined by the address specified in Gateway=. If
1173           Gateway= is not specified, then defaults to "ipv4".
1174
1175       OnLink=
1176           Takes a boolean. If set to true, the kernel does not have to check
1177           if the gateway is reachable directly by the current machine (i.e.,
1178           attached to the local network), so that we can insert the nexthop
1179           in the kernel table without it being complained about. Defaults to
1180           "no".
1181
1182       Blackhole=
1183           Takes a boolean. If enabled, packets to the corresponding routes
1184           are discarded silently, and Gateway= cannot be specified. Defaults
1185           to "no".
1186
1187       Group=
1188           Takes a whitespace separated list of nexthop IDs. Each ID must be
1189           in the range 1...4294967295. Optionally, each nexthop ID can take a
1190           weight after a colon ("id[:weight]"). The weight must be in the
1191           range 1...255. If the weight is not specified, then it is assumed
1192           that the weight is 1. This setting cannot be specified with
1193           Gateway=, Family=, Blackhole=. This setting can be specified
1194           multiple times. If an empty string is assigned, then the all
1195           previous assignments are cleared. Defaults to unset.
1196

[ROUTE] SECTION OPTIONS

1198       The [Route] section accepts the following settings. Specify several
1199       [Route] sections to configure several routes.
1200
1201       Gateway=
1202           Takes the gateway address or the special values "_dhcp4" and
1203           "_ipv6ra". If "_dhcp4" or "_ipv6ra" is set, then the gateway
1204           address provided by DHCPv4 or IPv6 RA is used.
1205
1206       GatewayOnLink=
1207           Takes a boolean. If set to true, the kernel does not have to check
1208           if the gateway is reachable directly by the current machine (i.e.,
1209           attached to the local network), so that we can insert the route in
1210           the kernel table without it being complained about. Defaults to
1211           "no".
1212
1213       Destination=
1214           The destination prefix of the route. Possibly followed by a slash
1215           and the prefix length. If omitted, a full-length host route is
1216           assumed.
1217
1218       Source=
1219           The source prefix of the route. Possibly followed by a slash and
1220           the prefix length. If omitted, a full-length host route is assumed.
1221
1222       Metric=
1223           The metric of the route. Takes an unsigned integer in the range
1224           0...4294967295. Defaults to unset, and the kernel's default will be
1225           used.
1226
1227       IPv6Preference=
1228           Specifies the route preference as defined in RFC 4191[18] for
1229           Router Discovery messages. Which can be one of "low" the route has
1230           a lowest priority, "medium" the route has a default priority or
1231           "high" the route has a highest priority.
1232
1233       Scope=
1234           The scope of the IPv4 route, which can be "global", "site", "link",
1235           "host", or "nowhere":
1236
1237           •   "global" means the route can reach hosts more than one hop
1238               away.
1239
1240           •   "site" means an interior route in the local autonomous system.
1241
1242           •   "link" means the route can only reach hosts on the local
1243               network (one hop away).
1244
1245           •   "host" means the route will not leave the local machine (used
1246               for internal addresses like 127.0.0.1).
1247
1248           •   "nowhere" means the destination doesn't exist.
1249
1250           For IPv4 route, defaults to "host" if Type= is "local" or "nat",
1251           and "link" if Type= is "broadcast", "multicast", "anycast", or
1252           "unicast". In other cases, defaults to "global". The value is not
1253           used for IPv6.
1254
1255       PreferredSource=
1256           The preferred source address of the route. The address must be in
1257           the format described in inet_pton(3).
1258
1259       Table=
1260           The table identifier for the route. Takes one of predefined names
1261           "default", "main", and "local", and names defined in RouteTable= in
1262           networkd.conf(5), or a number between 1 and 4294967295. The table
1263           can be retrieved using ip route show table num. If unset and Type=
1264           is "local", "broadcast", "anycast", or "nat", then "local" is used.
1265           In other cases, defaults to "main".
1266
1267       Protocol=
1268           The protocol identifier for the route. Takes a number between 0 and
1269           255 or the special values "kernel", "boot", "static", "ra" and
1270           "dhcp". Defaults to "static".
1271
1272       Type=
1273           Specifies the type for the route. Takes one of "unicast", "local",
1274           "broadcast", "anycast", "multicast", "blackhole", "unreachable",
1275           "prohibit", "throw", "nat", and "xresolve". If "unicast", a regular
1276           route is defined, i.e. a route indicating the path to take to a
1277           destination network address. If "blackhole", packets to the defined
1278           route are discarded silently. If "unreachable", packets to the
1279           defined route are discarded and the ICMP message "Host Unreachable"
1280           is generated. If "prohibit", packets to the defined route are
1281           discarded and the ICMP message "Communication Administratively
1282           Prohibited" is generated. If "throw", route lookup in the current
1283           routing table will fail and the route selection process will return
1284           to Routing Policy Database (RPDB). Defaults to "unicast".
1285
1286       InitialCongestionWindow=
1287           The TCP initial congestion window is used during the start of a TCP
1288           connection. During the start of a TCP session, when a client
1289           requests a resource, the server's initial congestion window
1290           determines how many packets will be sent during the initial burst
1291           of data without waiting for acknowledgement. Takes a number between
1292           1 and 1023. Note that 100 is considered an extremely large value
1293           for this option. When unset, the kernel's default (typically 10)
1294           will be used.
1295
1296       InitialAdvertisedReceiveWindow=
1297           The TCP initial advertised receive window is the amount of receive
1298           data (in bytes) that can initially be buffered at one time on a
1299           connection. The sending host can send only that amount of data
1300           before waiting for an acknowledgment and window update from the
1301           receiving host. Takes a number between 1 and 1023. Note that 100 is
1302           considered an extremely large value for this option. When unset,
1303           the kernel's default will be used.
1304
1305       QuickAck=
1306           Takes a boolean. When true, the TCP quick ACK mode for the route is
1307           enabled. When unset, the kernel's default will be used.
1308
1309       FastOpenNoCookie=
1310           Takes a boolean. When true enables TCP fastopen without a cookie on
1311           a per-route basis. When unset, the kernel's default will be used.
1312
1313       TTLPropagate=
1314           Takes a boolean. When true enables TTL propagation at Label
1315           Switched Path (LSP) egress. When unset, the kernel's default will
1316           be used.
1317
1318       MTUBytes=
1319           The maximum transmission unit in bytes to set for the route. The
1320           usual suffixes K, M, G, are supported and are understood to the
1321           base of 1024.
1322
1323       TCPAdvertisedMaximumSegmentSize=
1324           Specifies the Path MSS (in bytes) hints given on TCP layer. The
1325           usual suffixes K, M, G, are supported and are understood to the
1326           base of 1024. An unsigned integer in the range 1...4294967294. When
1327           unset, the kernel's default will be used.
1328
1329       TCPCongestionControlAlgorithm=
1330           Specifies the TCP congestion control algorithm for the route. Takes
1331           a name of the algorithm, e.g.  "bbr", "dctcp", or "vegas". When
1332           unset, the kernel's default will be used.
1333
1334       MultiPathRoute=address[@name] [weight]
1335           Configures multipath route. Multipath routing is the technique of
1336           using multiple alternative paths through a network. Takes gateway
1337           address. Optionally, takes a network interface name or index
1338           separated with "@", and a weight in 1..256 for this multipath route
1339           separated with whitespace. This setting can be specified multiple
1340           times. If an empty string is assigned, then the all previous
1341           assignments are cleared.
1342
1343       NextHop=
1344           Specifies the nexthop id. Takes an unsigned integer in the range
1345           1...4294967295. If set, the corresponding [NextHop] section must be
1346           configured. Defaults to unset.
1347

[DHCPV4] SECTION OPTIONS

1349       The [DHCPv4] section configures the DHCPv4 client, if it is enabled
1350       with the DHCP= setting described above:
1351
1352       SendHostname=
1353           When true (the default), the machine's hostname (or the value
1354           specified with Hostname=, described below) will be sent to the DHCP
1355           server. Note that the hostname must consist only of 7-bit ASCII
1356           lower-case characters and no spaces or dots, and be formatted as a
1357           valid DNS domain name. Otherwise, the hostname is not sent even if
1358           this option is true.
1359
1360       Hostname=
1361           Use this value for the hostname which is sent to the DHCP server,
1362           instead of machine's hostname. Note that the specified hostname
1363           must consist only of 7-bit ASCII lower-case characters and no
1364           spaces or dots, and be formatted as a valid DNS domain name.
1365
1366       MUDURL=
1367           When configured, the specified Manufacturer Usage Description (MUD)
1368           URL will be sent to the DHCPv4 server. Takes a URL of length up to
1369           255 characters. A superficial verification that the string is a
1370           valid URL will be performed. DHCPv4 clients are intended to have at
1371           most one MUD URL associated with them. See RFC 8520[19].
1372
1373           MUD is an embedded software standard defined by the IETF that
1374           allows IoT device makers to advertise device specifications,
1375           including the intended communication patterns for their device when
1376           it connects to the network. The network can then use this to author
1377           a context-specific access policy, so the device functions only
1378           within those parameters.
1379
1380       ClientIdentifier=
1381           The DHCPv4 client identifier to use. Takes one of mac, duid or
1382           duid-only. If set to mac, the MAC address of the link is used. If
1383           set to duid, an RFC4361-compliant Client ID, which is the
1384           combination of IAID and DUID (see below), is used. If set to
1385           duid-only, only DUID is used, this may not be RFC compliant, but
1386           some setups may require to use this. Defaults to duid.
1387
1388       VendorClassIdentifier=
1389           The vendor class identifier used to identify vendor type and
1390           configuration.
1391
1392       UserClass=
1393           A DHCPv4 client can use UserClass option to identify the type or
1394           category of user or applications it represents. The information
1395           contained in this option is a string that represents the user class
1396           of which the client is a member. Each class sets an identifying
1397           string of information to be used by the DHCP service to classify
1398           clients. Takes a whitespace-separated list of strings.
1399
1400       DUIDType=
1401           Override the global DUIDType= setting for this network. See
1402           networkd.conf(5) for a description of possible values.
1403
1404       DUIDRawData=
1405           Override the global DUIDRawData= setting for this network. See
1406           networkd.conf(5) for a description of possible values.
1407
1408       IAID=
1409           The DHCP Identity Association Identifier (IAID) for the interface,
1410           a 32-bit unsigned integer.
1411
1412       Anonymize=
1413           Takes a boolean. When true, the options sent to the DHCP server
1414           will follow the RFC 7844[20] (Anonymity Profiles for DHCP Clients)
1415           to minimize disclosure of identifying information. Defaults to
1416           false.
1417
1418           This option should only be set to true when MACAddressPolicy= is
1419           set to random (see systemd.link(5)).
1420
1421           When true, ClientIdentifier=mac, SendHostname=no, Use6RD=no,
1422           UseCaptivePortal=no, UseMTU=no, UseNTP=no, UseSIP=no, and
1423           UseTimezone=no are implied and these settings in the .network file
1424           are silently ignored. Also, Hostname=, MUDURL=, RequestOptions=,
1425           SendOption=, SendVendorOption=, UserClass=, and
1426           VendorClassIdentifier= are silently ignored.
1427
1428           With this option enabled DHCP requests will mimic those generated
1429           by Microsoft Windows, in order to reduce the ability to fingerprint
1430           and recognize installations. This means DHCP request sizes will
1431           grow and lease data will be more comprehensive than normally,
1432           though most of the requested data is not actually used.
1433
1434       RequestOptions=
1435           Sets request options to be sent to the server in the DHCPv4 request
1436           options list. A whitespace-separated list of integers in the range
1437           1...254. Defaults to unset.
1438
1439       SendOption=
1440           Send an arbitrary raw option in the DHCPv4 request. Takes a DHCP
1441           option number, data type and data separated with a colon
1442           ("option:type:value"). The option number must be an integer in the
1443           range 1...254. The type takes one of "uint8", "uint16", "uint32",
1444           "ipv4address", or "string". Special characters in the data string
1445           may be escaped using C-style escapes[21]. This setting can be
1446           specified multiple times. If an empty string is specified, then all
1447           options specified earlier are cleared. Defaults to unset.
1448
1449       SendVendorOption=
1450           Send an arbitrary vendor option in the DHCPv4 request. Takes a DHCP
1451           option number, data type and data separated with a colon
1452           ("option:type:value"). The option number must be an integer in the
1453           range 1...254. The type takes one of "uint8", "uint16", "uint32",
1454           "ipv4address", or "string". Special characters in the data string
1455           may be escaped using C-style escapes[21]. This setting can be
1456           specified multiple times. If an empty string is specified, then all
1457           options specified earlier are cleared. Defaults to unset.
1458
1459       IPServiceType=
1460           Takes one of the special values "none", "CS6", or "CS4". When
1461           "none" no IP service type is set to the packet sent from the DHCPv4
1462           client. When "CS6" (network control) or "CS4" (realtime), the
1463           corresponding service type will be set. Defaults to "CS6".
1464
1465       SocketPriority=
1466           The Linux socket option SO_PRIORITY applied to the raw IP socket
1467           used for initial DHCPv4 messages. Unset by default. Usual values
1468           range from 0 to 6. More details about SO_PRIORITY socket option in
1469           socket(7). Can be used in conjunction with [VLAN] section
1470           EgressQOSMaps= setting of .netdev file to set the 802.1Q VLAN
1471           ethernet tagged header priority, see systemd.netdev(5).
1472
1473       Label=
1474           Specifies the label for the IPv4 address received from the DHCP
1475           server. The label must be a 7-bit ASCII string with a length of
1476           1...15 characters. Defaults to unset.
1477
1478       UseDNS=
1479           When true (the default), the DNS servers received from the DHCP
1480           server will be used.
1481
1482           This corresponds to the nameserver option in resolv.conf(5).
1483
1484       RoutesToDNS=
1485           When true, the routes to the DNS servers received from the DHCP
1486           server will be configured. When UseDNS= is disabled, this setting
1487           is ignored. Defaults to true.
1488
1489       UseNTP=
1490           When true (the default), the NTP servers received from the DHCP
1491           server will be used by systemd-timesyncd.service.
1492
1493       RoutesToNTP=
1494           When true, the routes to the NTP servers received from the DHCP
1495           server will be configured. When UseNTP= is disabled, this setting
1496           is ignored. Defaults to true.
1497
1498       UseSIP=
1499           When true (the default), the SIP servers received from the DHCP
1500           server will be collected and made available to client programs.
1501
1502       UseMTU=
1503           When true, the interface maximum transmission unit from the DHCP
1504           server will be used on the current link. If MTUBytes= is set, then
1505           this setting is ignored. Defaults to false.
1506
1507           Note, some drivers will reset the interfaces if the MTU is changed.
1508           For such interfaces, please try to use IgnoreCarrierLoss= with a
1509           short timespan, e.g.  "3 seconds".
1510
1511       UseHostname=
1512           When true (the default), the hostname received from the DHCP server
1513           will be set as the transient hostname of the system.
1514
1515       UseDomains=
1516           Takes a boolean, or the special value route. When true, the domain
1517           name received from the DHCP server will be used as DNS search
1518           domain over this link, similarly to the effect of the Domains=
1519           setting. If set to route, the domain name received from the DHCP
1520           server will be used for routing DNS queries only, but not for
1521           searching, similarly to the effect of the Domains= setting when the
1522           argument is prefixed with "~". Defaults to false.
1523
1524           It is recommended to enable this option only on trusted networks,
1525           as setting this affects resolution of all hostnames, in particular
1526           of single-label names. It is generally safer to use the supplied
1527           domain only as routing domain, rather than as search domain, in
1528           order to not have it affect local resolution of single-label names.
1529
1530           When set to true, this setting corresponds to the domain option in
1531           resolv.conf(5).
1532
1533       UseRoutes=
1534           When true (the default), the static routes will be requested from
1535           the DHCP server and added to the routing table with a metric of
1536           1024, and a scope of global, link or host, depending on the route's
1537           destination and gateway. If the destination is on the local host,
1538           e.g., 127.x.x.x, or the same as the link's own address, the scope
1539           will be set to host. Otherwise if the gateway is null (a direct
1540           route), a link scope will be used. For anything else, scope
1541           defaults to global.
1542
1543       RouteMetric=
1544           Set the routing metric for routes specified by the DHCP server
1545           (including the prefix route added for the specified prefix). Takes
1546           an unsigned integer in the range 0...4294967295. Defaults to 1024.
1547
1548       RouteTable=num
1549           The table identifier for DHCP routes. Takes one of predefined names
1550           "default", "main", and "local", and names defined in RouteTable= in
1551           networkd.conf(5), or a number between 1...4294967295.
1552
1553           When used in combination with VRF=, the VRF's routing table is used
1554           when this parameter is not specified.
1555
1556       RouteMTUBytes=
1557           Specifies the MTU for the DHCP routes. Please see the [Route]
1558           section for further details.
1559
1560       QuickAck=
1561           Takes a boolean. When true, the TCP quick ACK mode is enabled for
1562           the routes configured by the acquired DHCPv4 lease. When unset, the
1563           kernel's default will be used.
1564
1565       UseGateway=
1566           When true, the gateway will be requested from the DHCP server and
1567           added to the routing table with a metric of 1024, and a scope of
1568           link. When unset, the value specified with UseRoutes= is used.
1569
1570       UseTimezone=
1571           When true, the timezone received from the DHCP server will be set
1572           as timezone of the local system. Defaults to false.
1573
1574       Use6RD=
1575           When true, subnets of the received IPv6 prefix are assigned to
1576           downstream interfaces which enables DHCPPrefixDelegation=. See also
1577           DHCPPrefixDelegation= in the [Network] section, the
1578           [DHCPPrefixDelegation] section, and RFC 5969[22]. Defaults to
1579           false.
1580
1581       FallbackLeaseLifetimeSec=
1582           Allows one to set DHCPv4 lease lifetime when DHCPv4 server does not
1583           send the lease lifetime. Takes one of "forever" or "infinity". If
1584           specified, the acquired address never expires. Defaults to unset.
1585
1586       RequestBroadcast=
1587           Request the server to use broadcast messages before the IP address
1588           has been configured. This is necessary for devices that cannot
1589           receive RAW packets, or that cannot receive packets at all before
1590           an IP address has been configured. On the other hand, this must not
1591           be enabled on networks where broadcasts are filtered out.
1592
1593       MaxAttempts=
1594           Specifies how many times the DHCPv4 client configuration should be
1595           attempted. Takes a number or "infinity". Defaults to "infinity".
1596           Note that the time between retries is increased exponentially, up
1597           to approximately one per minute, so the network will not be
1598           overloaded even if this number is high. The default is suitable in
1599           most circumstances.
1600
1601       ListenPort=
1602           Set the port from which the DHCP client packets originate.
1603
1604       DenyList=
1605           A whitespace-separated list of IPv4 addresses. Each address can
1606           optionally take a prefix length after "/". DHCP offers from servers
1607           in the list are rejected. Note that if AllowList= is configured
1608           then DenyList= is ignored.
1609
1610       AllowList=
1611           A whitespace-separated list of IPv4 addresses. Each address can
1612           optionally take a prefix length after "/". DHCP offers from servers
1613           in the list are accepted.
1614
1615       SendRelease=
1616           When true, the DHCPv4 client sends a DHCP release packet when it
1617           stops. Defaults to true.
1618
1619       SendDecline=
1620           A boolean. When true, systemd-networkd performs IPv4 Duplicate
1621           Address Detection to the acquired address by the DHCPv4 client. If
1622           duplicate is detected, the DHCPv4 client rejects the address by
1623           sending a DHCPDECLINE packet to the DHCP server, and tries to
1624           obtain an IP address again. See RFC 5227[11]. Defaults to false.
1625
1626       NetLabel=
1627           This applies the NetLabel for the addresses received with DHCP,
1628           like NetLabel= in [Address] section applies it to statically
1629           configured addresses. See NetLabel= in [Address] section for more
1630           details.
1631

[DHCPV6] SECTION OPTIONS

1633       The [DHCPv6] section configures the DHCPv6 client, if it is enabled
1634       with the DHCP= setting described above, or invoked by the IPv6 Router
1635       Advertisement:
1636
1637       MUDURL=, IAID=, DUIDType=, DUIDRawData=, RequestOptions=
1638           As in the [DHCPv4] section.
1639
1640       SendOption=
1641           As in the [DHCPv4] section, however because DHCPv6 uses 16-bit
1642           fields to store option numbers, the option number is an integer in
1643           the range 1...65536.
1644
1645       SendVendorOption=
1646           Send an arbitrary vendor option in the DHCPv6 request. Takes an
1647           enterprise identifier, DHCP option number, data type, and data
1648           separated with a colon ("enterprise identifier:option:type:value").
1649           Enterprise identifier is an unsigned integer in the range
1650           1...4294967294. The option number must be an integer in the range
1651           1...254. Data type takes one of "uint8", "uint16", "uint32",
1652           "ipv4address", "ipv6address", or "string". Special characters in
1653           the data string may be escaped using C-style escapes[21]. This
1654           setting can be specified multiple times. If an empty string is
1655           specified, then all options specified earlier are cleared. Defaults
1656           to unset.
1657
1658       UserClass=
1659           A DHCPv6 client can use User Class option to identify the type or
1660           category of user or applications it represents. The information
1661           contained in this option is a string that represents the user class
1662           of which the client is a member. Each class sets an identifying
1663           string of information to be used by the DHCP service to classify
1664           clients. Special characters in the data string may be escaped using
1665           C-style escapes[21]. This setting can be specified multiple times.
1666           If an empty string is specified, then all options specified earlier
1667           are cleared. Takes a whitespace-separated list of strings. Note
1668           that currently NUL bytes are not allowed.
1669
1670       VendorClass=
1671           A DHCPv6 client can use VendorClass option to identify the vendor
1672           that manufactured the hardware on which the client is running. The
1673           information contained in the data area of this option is contained
1674           in one or more opaque fields that identify details of the hardware
1675           configuration. Takes a whitespace-separated list of strings.
1676
1677       PrefixDelegationHint=
1678           Takes an IPv6 address with prefix length in the same format as the
1679           Address= in the [Network] section. The DHCPv6 client will include a
1680           prefix hint in the DHCPv6 solicitation sent to the server. The
1681           prefix length must be in the range 1...128. Defaults to unset.
1682
1683       RapidCommit=
1684           Takes a boolean. The DHCPv6 client can obtain configuration
1685           parameters from a DHCPv6 server through a rapid two-message
1686           exchange (solicit and reply). When the rapid commit option is set
1687           by both the DHCPv6 client and the DHCPv6 server, the two-message
1688           exchange is used. Otherwise, the four-message exchange (solicit,
1689           advertise, request, and reply) is used. The two-message exchange
1690           provides faster client configuration. See RFC 3315[23] for details.
1691           Defaults to true, and the two-message exchange will be used if the
1692           server support it.
1693
1694       UseAddress=
1695           When true (the default), the IP addresses provided by the DHCPv6
1696           server will be assigned.
1697
1698       UseDelegatedPrefix=
1699           When true (the default), the client will request the DHCPv6 server
1700           to delegate prefixes. If the server provides prefixes to be
1701           delegated, then subnets of the prefixes are assigned to the
1702           interfaces that have DHCPPrefixDelegation=yes. See also the
1703           DHCPPrefixDelegation= setting in the [Network] section, settings in
1704           the [DHCPPrefixDelegation] section, and RFC 8415[24].
1705
1706       UseDNS=, UseNTP=, UseHostname=, UseDomains=, NetLabel=, SendRelease=
1707           As in the [DHCPv4] section.
1708
1709       WithoutRA=
1710           Allows DHCPv6 client to start without router advertisements's
1711           "managed" or "other configuration" flag. Takes one of "no",
1712           "solicit", or "information-request". If this is not specified,
1713           "solicit" is used when DHCPPrefixDelegation= is enabled and
1714           UplinkInterface=:self is specified in the [DHCPPrefixDelegation]
1715           section. Otherwise, defaults to "no", and the DHCPv6 client will be
1716           started when an RA is received. See also the DHCPv6Client= setting
1717           in the [IPv6AcceptRA] section.
1718

[DHCPPREFIXDELEGATION] SECTION OPTIONS

1720       The [DHCPPrefixDelegation] section configures subnet prefixes of the
1721       delegated prefixes acquired by a DHCPv6 client or by a DHCPv4 client
1722       through the 6RD option on another interface. The settings in this
1723       section are used only when the DHCPPrefixDelegation= setting in the
1724       [Network] section is enabled.
1725
1726       UplinkInterface=
1727           Specifies the name or the index of the uplink interface, or one of
1728           the special values ":self" and ":auto". When ":self", the interface
1729           itself is considered the uplink interface, and WithoutRA=solicit is
1730           implied if the setting is not explicitly specified. When ":auto",
1731           the first link which acquired prefixes to be delegated from the
1732           DHCPv6 or DHCPv4 server is selected. Defaults to ":auto".
1733
1734       SubnetId=
1735           Configure a specific subnet ID on the interface from a (previously)
1736           received prefix delegation. You can either set "auto" (the default)
1737           or a specific subnet ID (as defined in RFC 4291[25], section
1738           2.5.4), in which case the allowed value is hexadecimal, from 0 to
1739           0x7fffffffffffffff inclusive.
1740
1741       Announce=
1742           Takes a boolean. When enabled, and IPv6SendRA= in [Network] section
1743           is enabled, the delegated prefixes are distributed through the IPv6
1744           Router Advertisement. This setting will be ignored when the
1745           DHCPPrefixDelegation= setting is enabled on the upstream interface.
1746           Defaults to yes.
1747
1748       Assign=
1749           Takes a boolean. Specifies whether to add an address from the
1750           delegated prefixes which are received from the WAN interface by the
1751           DHCPv6 Prefix Delegation. When true (on LAN interface), the EUI-64
1752           algorithm will be used by default to form an interface identifier
1753           from the delegated prefixes. See also Token= setting below.
1754           Defaults to yes.
1755
1756       Token=
1757           Specifies an optional address generation mode for assigning an
1758           address in each delegated prefix. This accepts the same syntax as
1759           Token= in the [IPv6AcceptRA] section. If Assign= is set to false,
1760           then this setting will be ignored. Defaults to unset, which means
1761           the EUI-64 algorithm will be used.
1762
1763       ManageTemporaryAddress=
1764           As in the [Address] section, but defaults to true.
1765
1766       RouteMetric=
1767           The metric of the route to the delegated prefix subnet. Takes an
1768           unsigned integer in the range 0...4294967295. When set to 0, the
1769           kernel's default value is used. Defaults to 256.
1770
1771       NetLabel=
1772           This applies the NetLabel for the addresses received with DHCP,
1773           like NetLabel= in [Address] section applies it to statically
1774           configured addresses. See NetLabel= in [Address] section for more
1775           details.
1776

[IPV6ACCEPTRA] SECTION OPTIONS

1778       The [IPv6AcceptRA] section configures the IPv6 Router Advertisement
1779       (RA) client, if it is enabled with the IPv6AcceptRA= setting described
1780       above:
1781
1782       Token=
1783           Specifies an optional address generation mode for the Stateless
1784           Address Autoconfiguration (SLAAC). The following values are
1785           supported:
1786
1787           eui64
1788               The EUI-64 algorithm will be used to generate an address for
1789               that prefix. Only supported by Ethernet or InfiniBand
1790               interfaces.
1791
1792           static:ADDRESS
1793               An IPv6 address must be specified after a colon (":"), and the
1794               lower bits of the supplied address are combined with the upper
1795               bits of a prefix received in a Router Advertisement (RA)
1796               message to form a complete address. Note that if multiple
1797               prefixes are received in an RA message, or in multiple RA
1798               messages, addresses will be formed from each of them using the
1799               supplied address. This mode implements SLAAC but uses a static
1800               interface identifier instead of an identifier generated by
1801               using the EUI-64 algorithm. Because the interface identifier is
1802               static, if Duplicate Address Detection detects that the
1803               computed address is a duplicate (in use by another node on the
1804               link), then this mode will fail to provide an address for that
1805               prefix. If an IPv6 address without mode is specified, then
1806               "static" mode is assumed.
1807
1808           prefixstable[:ADDRESS][,UUID]
1809               The algorithm specified in RFC 7217[26] will be used to
1810               generate interface identifiers. This mode can optionally take
1811               an IPv6 address separated with a colon (":"). If an IPv6
1812               address is specified, then an interface identifier is generated
1813               only when a prefix received in an RA message matches the
1814               supplied address.
1815
1816               This mode can also optionally take a non-null UUID in the
1817               format which sd_id128_from_string() accepts, e.g.
1818               "86b123b969ba4b7eb8b3d8605123525a" or
1819               "86b123b9-69ba-4b7e-b8b3-d8605123525a". If a UUID is specified,
1820               the value is used as the secret key to generate interface
1821               identifiers. If not specified, then an application specific ID
1822               generated with the system's machine-ID will be used as the
1823               secret key. See sd-id128(3), sd_id128_from_string(3), and
1824               sd_id128_get_machine(3).
1825
1826               Note that the "prefixstable" algorithm uses both the interface
1827               name and MAC address as input to the hash to compute the
1828               interface identifier, so if either of those are changed the
1829               resulting interface identifier (and address) will be changed,
1830               even if the prefix received in the RA message has not been
1831               changed.
1832
1833           If no address generation mode is specified (which is the default),
1834           or a received prefix does not match any of the addresses provided
1835           in "prefixstable" mode, then the EUI-64 algorithm will be used for
1836           Ethernet or InfiniBand interfaces, otherwise "prefixstable" will be
1837           used to form an interface identifier for that prefix.
1838
1839           This setting can be specified multiple times. If an empty string is
1840           assigned, then the all previous assignments are cleared.
1841
1842           Examples:
1843
1844               Token=eui64
1845               Token=::1a:2b:3c:4d
1846               Token=static:::1a:2b:3c:4d
1847               Token=prefixstable
1848               Token=prefixstable:2002:da8:1::
1849
1850       UseDNS=
1851           When true (the default), the DNS servers received in the Router
1852           Advertisement will be used.
1853
1854           This corresponds to the nameserver option in resolv.conf(5).
1855
1856       UseDomains=
1857           Takes a boolean, or the special value "route". When true, the
1858           domain name received via IPv6 Router Advertisement (RA) will be
1859           used as DNS search domain over this link, similarly to the effect
1860           of the Domains= setting. If set to "route", the domain name
1861           received via IPv6 RA will be used for routing DNS queries only, but
1862           not for searching, similarly to the effect of the Domains= setting
1863           when the argument is prefixed with "~". Defaults to false.
1864
1865           It is recommended to enable this option only on trusted networks,
1866           as setting this affects resolution of all hostnames, in particular
1867           of single-label names. It is generally safer to use the supplied
1868           domain only as routing domain, rather than as search domain, in
1869           order to not have it affect local resolution of single-label names.
1870
1871           When set to true, this setting corresponds to the domain option in
1872           resolv.conf(5).
1873
1874       RouteTable=num
1875           The table identifier for the routes received in the Router
1876           Advertisement. Takes one of predefined names "default", "main", and
1877           "local", and names defined in RouteTable= in networkd.conf(5), or a
1878           number between 1...4294967295.
1879
1880           When used in combination with VRF=, the VRF's routing table is used
1881           when this parameter is not specified.
1882
1883       RouteMetric=
1884           Set the routing metric for the routes received in the Router
1885           Advertisement. Takes an unsigned integer in the range
1886           0...4294967295, or three unsigned integer separated with ":", in
1887           that case the first one is used when the router preference is high,
1888           the second is for medium preference, and the last is for low
1889           preference ("high:medium:low"). Defaults to "512:1024:2048".
1890
1891       QuickAck=
1892           Takes a boolean. When true, the TCP quick ACK mode is enabled for
1893           the routes configured by the received RAs. When unset, the kernel's
1894           default will be used.
1895
1896       UseMTU=
1897           Takes a boolean. When true, the MTU received in the Router
1898           Advertisement will be used. Defaults to true.
1899
1900       UseGateway=
1901           When true (the default), the router address will be configured as
1902           the default gateway.
1903
1904       UseRoutePrefix=
1905           When true (the default), the routes corresponding to the route
1906           prefixes received in the Router Advertisement will be configured.
1907
1908       UseAutonomousPrefix=
1909           When true (the default), the autonomous prefix received in the
1910           Router Advertisement will be used and take precedence over any
1911           statically configured ones.
1912
1913       UseOnLinkPrefix=
1914           When true (the default), the onlink prefix received in the Router
1915           Advertisement will be used and takes precedence over any statically
1916           configured ones.
1917
1918       RouterDenyList=
1919           A whitespace-separated list of IPv6 router addresses. Each address
1920           can optionally take a prefix length after "/". Any information
1921           advertised by the listed router is ignored.
1922
1923       RouterAllowList=
1924           A whitespace-separated list of IPv6 router addresses. Each address
1925           can optionally take a prefix length after "/". Only information
1926           advertised by the listed router is accepted. Note that if
1927           RouterAllowList= is configured then RouterDenyList= is ignored.
1928
1929       PrefixDenyList=
1930           A whitespace-separated list of IPv6 prefixes. Each prefix can
1931           optionally take its prefix length after "/". IPv6 prefixes supplied
1932           via router advertisements in the list are ignored.
1933
1934       PrefixAllowList=
1935           A whitespace-separated list of IPv6 prefixes. Each prefix can
1936           optionally take its prefix length after "/". IPv6 prefixes supplied
1937           via router advertisements in the list are allowed. Note that if
1938           PrefixAllowList= is configured then PrefixDenyList= is ignored.
1939
1940       RouteDenyList=
1941           A whitespace-separated list of IPv6 route prefixes. Each prefix can
1942           optionally take its prefix length after "/". IPv6 route prefixes
1943           supplied via router advertisements in the list are ignored.
1944
1945       RouteAllowList=
1946           A whitespace-separated list of IPv6 route prefixes. Each prefix can
1947           optionally take its prefix length after "/". IPv6 route prefixes
1948           supplied via router advertisements in the list are allowed. Note
1949           that if RouteAllowList= is configured then RouteDenyList= is
1950           ignored.
1951
1952       DHCPv6Client=
1953           Takes a boolean, or the special value "always". When true, the
1954           DHCPv6 client will be started in "solicit" mode if the RA has the
1955           "managed" flag or "information-request" mode if the RA lacks the
1956           "managed" flag but has the "other configuration" flag. If set to
1957           "always", the DHCPv6 client will be started in "solicit" mode when
1958           an RA is received, even if neither the "managed" nor the "other
1959           configuration" flag is set in the RA. This will be ignored when
1960           WithoutRA= in the [DHCPv6] section is enabled, or
1961           UplinkInterface=:self in the [DHCPPrefixDelegation] section is
1962           specified. Defaults to true.
1963
1964       NetLabel=
1965           This applies the NetLabel for the addresses received with RA, like
1966           NetLabel= in [Address] section applies it to statically configured
1967           addresses. See NetLabel= in [Address] section for more details.
1968

[DHCPSERVER] SECTION OPTIONS

1970       The [DHCPServer] section contains settings for the DHCP server, if
1971       enabled via the DHCPServer= option described above:
1972
1973       ServerAddress=
1974           Specifies server address for the DHCP server. Takes an IPv4 address
1975           with prefix length, for example 192.168.0.1/24. This setting may be
1976           useful when the link on which the DHCP server is running has
1977           multiple static addresses. When unset, one of static addresses in
1978           the link will be automatically selected. Defaults to unset.
1979
1980       PoolOffset=, PoolSize=
1981           Configures the pool of addresses to hand out. The pool is a
1982           contiguous sequence of IP addresses in the subnet configured for
1983           the server address, which does not include the subnet nor the
1984           broadcast address.  PoolOffset= takes the offset of the pool from
1985           the start of subnet, or zero to use the default value.  PoolSize=
1986           takes the number of IP addresses in the pool or zero to use the
1987           default value. By default, the pool starts at the first address
1988           after the subnet address and takes up the rest of the subnet,
1989           excluding the broadcast address. If the pool includes the server
1990           address (the default), this is reserved and not handed out to
1991           clients.
1992
1993       DefaultLeaseTimeSec=, MaxLeaseTimeSec=
1994           Control the default and maximum DHCP lease time to pass to clients.
1995           These settings take time values in seconds or another common time
1996           unit, depending on the suffix. The default lease time is used for
1997           clients that did not ask for a specific lease time. If a client
1998           asks for a lease time longer than the maximum lease time, it is
1999           automatically shortened to the specified time. The default lease
2000           time defaults to 1h, the maximum lease time to 12h. Shorter lease
2001           times are beneficial if the configuration data in DHCP leases
2002           changes frequently and clients shall learn the new settings with
2003           shorter latencies. Longer lease times reduce the generated DHCP
2004           network traffic.
2005
2006       UplinkInterface=
2007           Specifies the name or the index of the uplink interface, or one of
2008           the special values ":none" and ":auto". When emitting DNS, NTP, or
2009           SIP servers is enabled but no servers are specified, the servers
2010           configured in the uplink interface will be emitted. When ":auto",
2011           the link which has a default gateway with the highest priority will
2012           be automatically selected. When ":none", no uplink interface will
2013           be selected. Defaults to ":auto".
2014
2015       EmitDNS=, DNS=
2016           EmitDNS= takes a boolean. Configures whether the DHCP leases handed
2017           out to clients shall contain DNS server information. Defaults to
2018           "yes". The DNS servers to pass to clients may be configured with
2019           the DNS= option, which takes a list of IPv4 addresses, or special
2020           value "_server_address" which will be converted to the address used
2021           by the DHCP server.
2022
2023           If the EmitDNS= option is enabled but no servers configured, the
2024           servers are automatically propagated from an "uplink" interface
2025           that has appropriate servers set. The "uplink" interface is
2026           determined by the default route of the system with the highest
2027           priority. Note that this information is acquired at the time the
2028           lease is handed out, and does not take uplink interfaces into
2029           account that acquire DNS server information at a later point. If no
2030           suitable uplink interface is found the DNS server data from
2031           /etc/resolv.conf is used. Also, note that the leases are not
2032           refreshed if the uplink network configuration changes. To ensure
2033           clients regularly acquire the most current uplink DNS server
2034           information, it is thus advisable to shorten the DHCP lease time
2035           via MaxLeaseTimeSec= described above.
2036
2037           This setting can be specified multiple times. If an empty string is
2038           specified, then all DNS servers specified earlier are cleared.
2039
2040       EmitNTP=, NTP=, EmitSIP=, SIP=, EmitPOP3=, POP3=, EmitSMTP=, SMTP=,
2041       EmitLPR=, LPR=
2042           Similar to the EmitDNS= and DNS= settings described above, these
2043           settings configure whether and what server information for the
2044           indicate protocol shall be emitted as part of the DHCP lease. The
2045           same syntax, propagation semantics and defaults apply as for
2046           EmitDNS= and DNS=.
2047
2048       EmitRouter=, Router=
2049           The EmitRouter= setting takes a boolean value, and configures
2050           whether the DHCP lease should contain the router option. The
2051           Router= setting takes an IPv4 address, and configures the router
2052           address to be emitted. When the Router= setting is not specified,
2053           then the server address will be used for the router option. When
2054           the EmitRouter= setting is disabled, the Router= setting will be
2055           ignored. The EmitRouter= setting defaults to true, and the Router=
2056           setting defaults to unset.
2057
2058       EmitTimezone=, Timezone=
2059           Takes a boolean. Configures whether the DHCP leases handed out to
2060           clients shall contain timezone information. Defaults to "yes". The
2061           Timezone= setting takes a timezone string (such as "Europe/Berlin"
2062           or "UTC") to pass to clients. If no explicit timezone is set, the
2063           system timezone of the local host is propagated, as determined by
2064           the /etc/localtime symlink.
2065
2066       BootServerAddress=
2067           Takes an IPv4 address of the boot server used by e.g. PXE boot
2068           systems. When specified, this address is sent in the siaddr field
2069           of the DHCP message header. See RFC 2131[27] for more details.
2070           Defaults to unset.
2071
2072       BootServerName=
2073           Takes a name of the boot server used by e.g. PXE boot systems. When
2074           specified, this name is sent in the DHCP option 66 ("TFTP server
2075           name"). See RFC 2132[28] for more details. Defaults to unset.
2076
2077           Note that typically setting one of BootServerName= or
2078           BootServerAddress= is sufficient, but both can be set too, if
2079           desired.
2080
2081       BootFilename=
2082           Takes a path or URL to a file loaded by e.g. a PXE boot loader.
2083           When specified, this path is sent in the DHCP option 67 ("Bootfile
2084           name"). See RFC 2132[28] for more details. Defaults to unset.
2085
2086       SendOption=
2087           Send a raw option with value via DHCPv4 server. Takes a DHCP option
2088           number, data type and data ("option:type:value"). The option number
2089           is an integer in the range 1...254. The type takes one of "uint8",
2090           "uint16", "uint32", "ipv4address", "ipv6address", or "string".
2091           Special characters in the data string may be escaped using C-style
2092           escapes[21]. This setting can be specified multiple times. If an
2093           empty string is specified, then all options specified earlier are
2094           cleared. Defaults to unset.
2095
2096       SendVendorOption=
2097           Send a vendor option with value via DHCPv4 server. Takes a DHCP
2098           option number, data type and data ("option:type:value"). The option
2099           number is an integer in the range 1...254. The type takes one of
2100           "uint8", "uint16", "uint32", "ipv4address", or "string". Special
2101           characters in the data string may be escaped using C-style
2102           escapes[21]. This setting can be specified multiple times. If an
2103           empty string is specified, then all options specified earlier are
2104           cleared. Defaults to unset.
2105
2106       BindToInterface=
2107           Takes a boolean value. When "yes", DHCP server socket will be bound
2108           to its network interface and all socket communication will be
2109           restricted to this interface. Defaults to "yes", except if
2110           RelayTarget= is used (see below), in which case it defaults to
2111           "no".
2112
2113       RelayTarget=
2114           Takes an IPv4 address, which must be in the format described in
2115           inet_pton(3). Turns this DHCP server into a DHCP relay agent. See
2116           RFC 1542[29]. The address is the address of DHCP server or another
2117           relay agent to forward DHCP messages to and from.
2118
2119       RelayAgentCircuitId=
2120           Specifies value for Agent Circuit ID suboption of Relay Agent
2121           Information option. Takes a string, which must be in the format
2122           "string:value", where "value" should be replaced with the value of
2123           the suboption. Defaults to unset (means no Agent Circuit ID
2124           suboption is generated). Ignored if RelayTarget= is not specified.
2125
2126       RelayAgentRemoteId=
2127           Specifies value for Agent Remote ID suboption of Relay Agent
2128           Information option. Takes a string, which must be in the format
2129           "string:value", where "value" should be replaced with the value of
2130           the suboption. Defaults to unset (means no Agent Remote ID
2131           suboption is generated). Ignored if RelayTarget= is not specified.
2132

[DHCPSERVERSTATICLEASE] SECTION OPTIONS

2134       The "[DHCPServerStaticLease]" section configures a static DHCP lease to
2135       assign a fixed IPv4 address to a specific device based on its MAC
2136       address. This section can be specified multiple times.
2137
2138       MACAddress=
2139           The hardware address of a device to match. This key is mandatory.
2140
2141       Address=
2142           The IPv4 address that should be assigned to the device that was
2143           matched with MACAddress=. This key is mandatory.
2144

[IPV6SENDRA] SECTION OPTIONS

2146       The [IPv6SendRA] section contains settings for sending IPv6 Router
2147       Advertisements and whether to act as a router, if enabled via the
2148       IPv6SendRA= option described above. IPv6 network prefixes or routes are
2149       defined with one or more [IPv6Prefix] or [IPv6RoutePrefix] sections.
2150
2151       Managed=, OtherInformation=
2152           Takes a boolean. Controls whether a DHCPv6 server is used to
2153           acquire IPv6 addresses on the network link when Managed= is set to
2154           "true" or if only additional network information can be obtained
2155           via DHCPv6 for the network link when OtherInformation= is set to
2156           "true". Both settings default to "false", which means that a DHCPv6
2157           server is not being used.
2158
2159       RouterLifetimeSec=
2160           Takes a timespan. Configures the IPv6 router lifetime in seconds.
2161           The value must be 0 seconds, or between 4 seconds and 9000 seconds.
2162           When set to 0, the host is not acting as a router. Defaults to 1800
2163           seconds (30 minutes).
2164
2165       RouterPreference=
2166           Configures IPv6 router preference if RouterLifetimeSec= is
2167           non-zero. Valid values are "high", "medium" and "low", with
2168           "normal" and "default" added as synonyms for "medium" just to make
2169           configuration easier. See RFC 4191[18] for details. Defaults to
2170           "medium".
2171
2172       UplinkInterface=
2173           Specifies the name or the index of the uplink interface, or one of
2174           the special values ":none" and ":auto". When emitting DNS servers
2175           or search domains is enabled but no servers are specified, the
2176           servers configured in the uplink interface will be emitted. When
2177           ":auto", the value specified to the same setting in the
2178           [DHCPPrefixDelegation] section will be used if
2179           DHCPPrefixDelegation= is enabled, otherwise the link which has a
2180           default gateway with the highest priority will be automatically
2181           selected. When ":none", no uplink interface will be selected.
2182           Defaults to ":auto".
2183
2184       EmitDNS=, DNS=
2185           DNS= specifies a list of recursive DNS server IPv6 addresses that
2186           are distributed via Router Advertisement messages when EmitDNS= is
2187           true.  DNS= also takes special value "_link_local"; in that case
2188           the IPv6 link-local address is distributed. If DNS= is empty, DNS
2189           servers are read from the [Network] section. If the [Network]
2190           section does not contain any DNS servers either, DNS servers from
2191           the uplink interface specified in UplinkInterface= will be used.
2192           When EmitDNS= is false, no DNS server information is sent in Router
2193           Advertisement messages.  EmitDNS= defaults to true.
2194
2195       EmitDomains=, Domains=
2196           A list of DNS search domains distributed via Router Advertisement
2197           messages when EmitDomains= is true. If Domains= is empty, DNS
2198           search domains are read from the [Network] section. If the
2199           [Network] section does not contain any DNS search domains either,
2200           DNS search domains from the uplink interface specified in
2201           UplinkInterface= will be used. When EmitDomains= is false, no DNS
2202           search domain information is sent in Router Advertisement messages.
2203           EmitDomains= defaults to true.
2204
2205       DNSLifetimeSec=
2206           Lifetime in seconds for the DNS server addresses listed in DNS= and
2207           search domains listed in Domains=. Defaults to 3600 seconds (one
2208           hour).
2209

[IPV6PREFIX] SECTION OPTIONS

2211       One or more [IPv6Prefix] sections contain the IPv6 prefixes that are
2212       announced via Router Advertisements. See RFC 4861[30] for further
2213       details.
2214
2215       AddressAutoconfiguration=, OnLink=
2216           Takes a boolean to specify whether IPv6 addresses can be
2217           autoconfigured with this prefix and whether the prefix can be used
2218           for onlink determination. Both settings default to "true" in order
2219           to ease configuration.
2220
2221       Prefix=
2222           The IPv6 prefix that is to be distributed to hosts. Similarly to
2223           configuring static IPv6 addresses, the setting is configured as an
2224           IPv6 prefix and its prefix length, separated by a "/" character.
2225           Use multiple [IPv6Prefix] sections to configure multiple IPv6
2226           prefixes since prefix lifetimes, address autoconfiguration and
2227           onlink status may differ from one prefix to another.
2228
2229       PreferredLifetimeSec=, ValidLifetimeSec=
2230           Preferred and valid lifetimes for the prefix measured in seconds.
2231           PreferredLifetimeSec= defaults to 1800 seconds (30 minutes) and
2232           ValidLifetimeSec= defaults to 3600 seconds (one hour).
2233
2234       Assign=
2235           Takes a boolean. When true, adds an address from the prefix.
2236           Default to false.
2237
2238       Token=
2239           Specifies an optional address generation mode for assigning an
2240           address in each prefix. This accepts the same syntax as Token= in
2241           the [IPv6AcceptRA] section. If Assign= is set to false, then this
2242           setting will be ignored. Defaults to unset, which means the EUI-64
2243           algorithm will be used.
2244
2245       RouteMetric=
2246           The metric of the prefix route. Takes an unsigned integer in the
2247           range 0...4294967295. When unset or set to 0, the kernel's default
2248           value is used. This setting is ignored when Assign= is false.
2249

[IPV6ROUTEPREFIX] SECTION OPTIONS

2251       One or more [IPv6RoutePrefix] sections contain the IPv6 prefix routes
2252       that are announced via Router Advertisements. See RFC 4191[18] for
2253       further details.
2254
2255       Route=
2256           The IPv6 route that is to be distributed to hosts. Similarly to
2257           configuring static IPv6 routes, the setting is configured as an
2258           IPv6 prefix routes and its prefix route length, separated by a "/"
2259           character. Use multiple [IPv6RoutePrefix] sections to configure
2260           multiple IPv6 prefix routes.
2261
2262       LifetimeSec=
2263           Lifetime for the route prefix measured in seconds.  LifetimeSec=
2264           defaults to 3600 seconds (one hour).
2265

[BRIDGE] SECTION OPTIONS

2267       The [Bridge] section accepts the following keys:
2268
2269       UnicastFlood=
2270           Takes a boolean. Controls whether the bridge should flood traffic
2271           for which an FDB entry is missing and the destination is unknown
2272           through this port. When unset, the kernel's default will be used.
2273
2274       MulticastFlood=
2275           Takes a boolean. Controls whether the bridge should flood traffic
2276           for which an MDB entry is missing and the destination is unknown
2277           through this port. When unset, the kernel's default will be used.
2278
2279       MulticastToUnicast=
2280           Takes a boolean. Multicast to unicast works on top of the multicast
2281           snooping feature of the bridge. Which means unicast copies are only
2282           delivered to hosts which are interested in it. When unset, the
2283           kernel's default will be used.
2284
2285       NeighborSuppression=
2286           Takes a boolean. Configures whether ARP and ND neighbor suppression
2287           is enabled for this port. When unset, the kernel's default will be
2288           used.
2289
2290       Learning=
2291           Takes a boolean. Configures whether MAC address learning is enabled
2292           for this port. When unset, the kernel's default will be used.
2293
2294       HairPin=
2295           Takes a boolean. Configures whether traffic may be sent back out of
2296           the port on which it was received. When this flag is false, then
2297           the bridge will not forward traffic back out of the receiving port.
2298           When unset, the kernel's default will be used.
2299
2300       Isolated=
2301           Takes a boolean. Configures whether this port is isolated or not.
2302           Within a bridge, isolated ports can only communicate with
2303           non-isolated ports. When set to true, this port can only
2304           communicate with other ports whose Isolated setting is false. When
2305           set to false, this port can communicate with any other ports. When
2306           unset, the kernel's default will be used.
2307
2308       UseBPDU=
2309           Takes a boolean. Configures whether STP Bridge Protocol Data Units
2310           will be processed by the bridge port. When unset, the kernel's
2311           default will be used.
2312
2313       FastLeave=
2314           Takes a boolean. This flag allows the bridge to immediately stop
2315           multicast traffic on a port that receives an IGMP Leave message. It
2316           is only used with IGMP snooping if enabled on the bridge. When
2317           unset, the kernel's default will be used.
2318
2319       AllowPortToBeRoot=
2320           Takes a boolean. Configures whether a given port is allowed to
2321           become a root port. Only used when STP is enabled on the bridge.
2322           When unset, the kernel's default will be used.
2323
2324       ProxyARP=
2325           Takes a boolean. Configures whether proxy ARP to be enabled on this
2326           port. When unset, the kernel's default will be used.
2327
2328       ProxyARPWiFi=
2329           Takes a boolean. Configures whether proxy ARP to be enabled on this
2330           port which meets extended requirements by IEEE 802.11 and Hotspot
2331           2.0 specifications. When unset, the kernel's default will be used.
2332
2333       MulticastRouter=
2334           Configures this port for having multicast routers attached. A port
2335           with a multicast router will receive all multicast traffic. Takes
2336           one of "no" to disable multicast routers on this port, "query" to
2337           let the system detect the presence of routers, "permanent" to
2338           permanently enable multicast traffic forwarding on this port, or
2339           "temporary" to enable multicast routers temporarily on this port,
2340           not depending on incoming queries. When unset, the kernel's default
2341           will be used.
2342
2343       Cost=
2344           Sets the "cost" of sending packets of this interface. Each port in
2345           a bridge may have a different speed and the cost is used to decide
2346           which link to use. Faster interfaces should have lower costs. It is
2347           an integer value between 1 and 65535.
2348
2349       Priority=
2350           Sets the "priority" of sending packets on this interface. Each port
2351           in a bridge may have a different priority which is used to decide
2352           which link to use. Lower value means higher priority. It is an
2353           integer value between 0 to 63. Networkd does not set any default,
2354           meaning the kernel default value of 32 is used.
2355

[BRIDGEFDB] SECTION OPTIONS

2357       The [BridgeFDB] section manages the forwarding database table of a port
2358       and accepts the following keys. Specify several [BridgeFDB] sections to
2359       configure several static MAC table entries.
2360
2361       MACAddress=
2362           As in the [Network] section. This key is mandatory.
2363
2364       Destination=
2365           Takes an IP address of the destination VXLAN tunnel endpoint.
2366
2367       VLANId=
2368           The VLAN ID for the new static MAC table entry. If omitted, no VLAN
2369           ID information is appended to the new static MAC table entry.
2370
2371       VNI=
2372           The VXLAN Network Identifier (or VXLAN Segment ID) to use to
2373           connect to the remote VXLAN tunnel endpoint. Takes a number in the
2374           range 1...16777215. Defaults to unset.
2375
2376       AssociatedWith=
2377           Specifies where the address is associated with. Takes one of "use",
2378           "self", "master" or "router".  "use" means the address is in use.
2379           User space can use this option to indicate to the kernel that the
2380           fdb entry is in use.  "self" means the address is associated with
2381           the port drivers fdb. Usually hardware.  "master" means the address
2382           is associated with master devices fdb.  "router" means the
2383           destination address is associated with a router. Note that it's
2384           valid if the referenced device is a VXLAN type device and has route
2385           shortcircuit enabled. Defaults to "self".
2386
2387       OutgoingInterface=
2388           Specifies the name or index of the outgoing interface for the VXLAN
2389           device driver to reach the remote VXLAN tunnel endpoint. Defaults
2390           to unset.
2391

[BRIDGEMDB] SECTION OPTIONS

2393       The [BridgeMDB] section manages the multicast membership entries
2394       forwarding database table of a port and accepts the following keys.
2395       Specify several [BridgeMDB] sections to configure several permanent
2396       multicast membership entries.
2397
2398       MulticastGroupAddress=
2399           Specifies the IPv4 or IPv6 multicast group address to add. This
2400           setting is mandatory.
2401
2402       VLANId=
2403           The VLAN ID for the new entry. Valid ranges are 0 (no VLAN) to
2404           4094. Optional, defaults to 0.
2405

[LLDP] SECTION OPTIONS

2407       The [LLDP] section manages the Link Layer Discovery Protocol (LLDP) and
2408       accepts the following keys:
2409
2410       MUDURL=
2411           When configured, the specified Manufacturer Usage Descriptions
2412           (MUD) URL will be sent in LLDP packets. The syntax and semantics
2413           are the same as for MUDURL= in the [DHCPv4] section described
2414           above.
2415
2416           The MUD URLs received via LLDP packets are saved and can be read
2417           using the sd_lldp_neighbor_get_mud_url() function.
2418

[CAN] SECTION OPTIONS

2420       The [CAN] section manages the Controller Area Network (CAN bus) and
2421       accepts the following keys:
2422
2423       BitRate=
2424           The bitrate of CAN device in bits per second. The usual SI prefixes
2425           (K, M) with the base of 1000 can be used here. Takes a number in
2426           the range 1...4294967295.
2427
2428       SamplePoint=
2429           Optional sample point in percent with one decimal (e.g.  "75%",
2430           "87.5%") or permille (e.g.  "875‰"). This will be ignored when
2431           BitRate= is unspecified.
2432
2433       TimeQuantaNSec=, PropagationSegment=, PhaseBufferSegment1=,
2434       PhaseBufferSegment2=, SyncJumpWidth=
2435           Specifies the time quanta, propagation segment, phase buffer
2436           segment 1 and 2, and the synchronization jump width, which allow
2437           one to define the CAN bit-timing in a hardware independent format
2438           as proposed by the Bosch CAN 2.0 Specification.  TimeQuantaNSec=
2439           takes a timespan in nanoseconds.  PropagationSegment=,
2440           PhaseBufferSegment1=, PhaseBufferSegment2=, and SyncJumpWidth= take
2441           number of time quantum specified in TimeQuantaNSec= and must be an
2442           unsigned integer in the range 0...4294967295. These settings except
2443           for SyncJumpWidth= will be ignored when BitRate= is specified.
2444
2445       DataBitRate=, DataSamplePoint=
2446           The bitrate and sample point for the data phase, if CAN-FD is used.
2447           These settings are analogous to the BitRate= and SamplePoint= keys.
2448
2449       DataTimeQuantaNSec=, DataPropagationSegment=, DataPhaseBufferSegment1=,
2450       DataPhaseBufferSegment2=, DataSyncJumpWidth=
2451           Specifies the time quanta, propagation segment, phase buffer
2452           segment 1 and 2, and the synchronization jump width for the data
2453           phase, if CAN-FD is used. These settings are analogous to the
2454           TimeQuantaNSec= or related settings.
2455
2456       FDMode=
2457           Takes a boolean. When "yes", CAN-FD mode is enabled for the
2458           interface. Note, that a bitrate and optional sample point should
2459           also be set for the CAN-FD data phase using the DataBitRate= and
2460           DataSamplePoint= keys, or DataTimeQuanta= and related settings.
2461
2462       FDNonISO=
2463           Takes a boolean. When "yes", non-ISO CAN-FD mode is enabled for the
2464           interface. When unset, the kernel's default will be used.
2465
2466       RestartSec=
2467           Automatic restart delay time. If set to a non-zero value, a restart
2468           of the CAN controller will be triggered automatically in case of a
2469           bus-off condition after the specified delay time. Subsecond delays
2470           can be specified using decimals (e.g.  "0.1s") or a "ms" or "us"
2471           postfix. Using "infinity" or "0" will turn the automatic restart
2472           off. By default automatic restart is disabled.
2473
2474       Termination=
2475           Takes a boolean or a termination resistor value in ohm in the range
2476           0...65535. When "yes", the termination resistor is set to 120 ohm.
2477           When "no" or "0" is set, the termination resistor is disabled. When
2478           unset, the kernel's default will be used.
2479
2480       TripleSampling=
2481           Takes a boolean. When "yes", three samples (instead of one) are
2482           used to determine the value of a received bit by majority rule.
2483           When unset, the kernel's default will be used.
2484
2485       BusErrorReporting=
2486           Takes a boolean. When "yes", reporting of CAN bus errors is
2487           activated (those include single bit, frame format, and bit stuffing
2488           errors, unable to send dominant bit, unable to send recessive bit,
2489           bus overload, active error announcement, error occurred on
2490           transmission). When unset, the kernel's default will be used. Note:
2491           in case of a CAN bus with a single CAN device, sending a CAN frame
2492           may result in a huge number of CAN bus errors.
2493
2494       ListenOnly=
2495           Takes a boolean. When "yes", listen-only mode is enabled. When the
2496           interface is in listen-only mode, the interface neither transmit
2497           CAN frames nor send ACK bit. Listen-only mode is important to debug
2498           CAN networks without interfering with the communication or
2499           acknowledge the CAN frame. When unset, the kernel's default will be
2500           used.
2501
2502       Loopback=
2503           Takes a boolean. When "yes", loopback mode is enabled. When the
2504           loopback mode is enabled, the interface treats messages transmitted
2505           by itself as received messages. The loopback mode is important to
2506           debug CAN networks. When unset, the kernel's default will be used.
2507
2508       OneShot=
2509           Takes a boolean. When "yes", one-shot mode is enabled. When unset,
2510           the kernel's default will be used.
2511
2512       PresumeAck=
2513           Takes a boolean. When "yes", the interface will ignore missing CAN
2514           ACKs. When unset, the kernel's default will be used.
2515
2516       ClassicDataLengthCode=
2517           Takes a boolean. When "yes", the interface will handle the 4bit
2518           data length code (DLC). When unset, the kernel's default will be
2519           used.
2520

[IPOIB] SECTION OPTIONS

2522       The [IPoIB] section manages the IP over Infiniband and accepts the
2523       following keys:
2524
2525       Mode=
2526           Takes one of the special values "datagram" or "connected". Defaults
2527           to unset, and the kernel's default is used.
2528
2529           When "datagram", the Infiniband unreliable datagram (UD) transport
2530           is used, and so the interface MTU is equal to the IB L2 MTU minus
2531           the IPoIB encapsulation header (4 bytes). For example, in a typical
2532           IB fabric with a 2K MTU, the IPoIB MTU will be 2048 - 4 = 2044
2533           bytes.
2534
2535           When "connected", the Infiniband reliable connected (RC) transport
2536           is used. Connected mode takes advantage of the connected nature of
2537           the IB transport and allows an MTU up to the maximal IP packet size
2538           of 64K, which reduces the number of IP packets needed for handling
2539           large UDP datagrams, TCP segments, etc and increases the
2540           performance for large messages.
2541
2542       IgnoreUserspaceMulticastGroup=
2543           Takes an boolean value. When true, the kernel ignores multicast
2544           groups handled by userspace. Defaults to unset, and the kernel's
2545           default is used.
2546

[QDISC] SECTION OPTIONS

2548       The [QDisc] section manages the traffic control queueing discipline
2549       (qdisc).
2550
2551       Parent=
2552           Specifies the parent Queueing Discipline (qdisc). Takes one of
2553           "clsact" or "ingress". This is mandatory.
2554
2555       Handle=
2556           Configures the major number of unique identifier of the qdisc,
2557           known as the handle. Takes a hexadecimal number in the range
2558           0x1–0xffff. Defaults to unset.
2559

[NETWORKEMULATOR] SECTION OPTIONS

2561       The [NetworkEmulator] section manages the queueing discipline (qdisc)
2562       of the network emulator. It can be used to configure the kernel packet
2563       scheduler and simulate packet delay and loss for UDP or TCP
2564       applications, or limit the bandwidth usage of a particular service to
2565       simulate internet connections.
2566
2567       Parent=
2568           Configures the parent Queueing Discipline (qdisc). Takes one of
2569           "root", "clsact", "ingress" or a class identifier. The class
2570           identifier is specified as the major and minor numbers in
2571           hexadecimal in the range 0x1–0xffff separated with a colon
2572           ("major:minor"). Defaults to "root".
2573
2574       Handle=
2575           Configures the major number of unique identifier of the qdisc,
2576           known as the handle. Takes a hexadecimal number in the range
2577           0x1–0xffff. Defaults to unset.
2578
2579       DelaySec=
2580           Specifies the fixed amount of delay to be added to all packets
2581           going out of the interface. Defaults to unset.
2582
2583       DelayJitterSec=
2584           Specifies the chosen delay to be added to the packets outgoing to
2585           the network interface. Defaults to unset.
2586
2587       PacketLimit=
2588           Specifies the maximum number of packets the qdisc may hold queued
2589           at a time. An unsigned integer in the range 0...4294967294.
2590           Defaults to 1000.
2591
2592       LossRate=
2593           Specifies an independent loss probability to be added to the
2594           packets outgoing from the network interface. Takes a percentage
2595           value, suffixed with "%". Defaults to unset.
2596
2597       DuplicateRate=
2598           Specifies that the chosen percent of packets is duplicated before
2599           queuing them. Takes a percentage value, suffixed with "%". Defaults
2600           to unset.
2601

[TOKENBUCKETFILTER] SECTION OPTIONS

2603       The [TokenBucketFilter] section manages the queueing discipline (qdisc)
2604       of token bucket filter (tbf).
2605
2606       Parent=
2607           Configures the parent Queueing Discipline (qdisc). Takes one of
2608           "root", "clsact", "ingress" or a class identifier. The class
2609           identifier is specified as the major and minor numbers in
2610           hexadecimal in the range 0x1–0xffff separated with a colon
2611           ("major:minor"). Defaults to "root".
2612
2613       Handle=
2614           Configures the major number of unique identifier of the qdisc,
2615           known as the handle. Takes a hexadecimal number in the range
2616           0x1–0xffff. Defaults to unset.
2617
2618       LatencySec=
2619           Specifies the latency parameter, which specifies the maximum amount
2620           of time a packet can sit in the Token Bucket Filter (TBF). Defaults
2621           to unset.
2622
2623       LimitBytes=
2624           Takes the number of bytes that can be queued waiting for tokens to
2625           become available. When the size is suffixed with K, M, or G, it is
2626           parsed as Kilobytes, Megabytes, or Gigabytes, respectively, to the
2627           base of 1024. Defaults to unset.
2628
2629       BurstBytes=
2630           Specifies the size of the bucket. This is the maximum amount of
2631           bytes that tokens can be available for instantaneous transfer. When
2632           the size is suffixed with K, M, or G, it is parsed as Kilobytes,
2633           Megabytes, or Gigabytes, respectively, to the base of 1024.
2634           Defaults to unset.
2635
2636       Rate=
2637           Specifies the device specific bandwidth. When suffixed with K, M,
2638           or G, the specified bandwidth is parsed as Kilobits, Megabits, or
2639           Gigabits, respectively, to the base of 1000. Defaults to unset.
2640
2641       MPUBytes=
2642           The Minimum Packet Unit (MPU) determines the minimal token usage
2643           (specified in bytes) for a packet. When suffixed with K, M, or G,
2644           the specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
2645           respectively, to the base of 1024. Defaults to zero.
2646
2647       PeakRate=
2648           Takes the maximum depletion rate of the bucket. When suffixed with
2649           K, M, or G, the specified size is parsed as Kilobits, Megabits, or
2650           Gigabits, respectively, to the base of 1000. Defaults to unset.
2651
2652       MTUBytes=
2653           Specifies the size of the peakrate bucket. When suffixed with K, M,
2654           or G, the specified size is parsed as Kilobytes, Megabytes, or
2655           Gigabytes, respectively, to the base of 1024. Defaults to unset.
2656

[PIE] SECTION OPTIONS

2658       The [PIE] section manages the queueing discipline (qdisc) of
2659       Proportional Integral controller-Enhanced (PIE).
2660
2661       Parent=
2662           Configures the parent Queueing Discipline (qdisc). Takes one of
2663           "root", "clsact", "ingress" or a class identifier. The class
2664           identifier is specified as the major and minor numbers in
2665           hexadecimal in the range 0x1–0xffff separated with a colon
2666           ("major:minor"). Defaults to "root".
2667
2668       Handle=
2669           Configures the major number of unique identifier of the qdisc,
2670           known as the handle. Takes a hexadecimal number in the range
2671           0x1–0xffff. Defaults to unset.
2672
2673       PacketLimit=
2674           Specifies the hard limit on the queue size in number of packets.
2675           When this limit is reached, incoming packets are dropped. An
2676           unsigned integer in the range 1...4294967294. Defaults to unset and
2677           kernel's default is used.
2678

[FLOWQUEUEPIE] SECTION OPTIONS

2680       The "[FlowQueuePIE]" section manages the queueing discipline (qdisc) of
2681       Flow Queue Proportional Integral controller-Enhanced (fq_pie).
2682
2683       Parent=
2684           Configures the parent Queueing Discipline (qdisc). Takes one of
2685           "root", "clsact", "ingress" or a class identifier. The class
2686           identifier is specified as the major and minor numbers in
2687           hexadecimal in the range 0x1–0xffff separated with a colon
2688           ("major:minor"). Defaults to "root".
2689
2690       Handle=
2691           Configures the major number of unique identifier of the qdisc,
2692           known as the handle. Takes a hexadecimal number in the range
2693           0x1–0xffff. Defaults to unset.
2694
2695       PacketLimit=
2696           Specifies the hard limit on the queue size in number of packets.
2697           When this limit is reached, incoming packets are dropped. An
2698           unsigned integer ranges 1 to 4294967294. Defaults to unset and
2699           kernel's default is used.
2700

[STOCHASTICFAIRBLUE] SECTION OPTIONS

2702       The [StochasticFairBlue] section manages the queueing discipline
2703       (qdisc) of stochastic fair blue (sfb).
2704
2705       Parent=
2706           Configures the parent Queueing Discipline (qdisc). Takes one of
2707           "root", "clsact", "ingress" or a class identifier. The class
2708           identifier is specified as the major and minor numbers in
2709           hexadecimal in the range 0x1–0xffff separated with a colon
2710           ("major:minor"). Defaults to "root".
2711
2712       Handle=
2713           Configures the major number of unique identifier of the qdisc,
2714           known as the handle. Takes a hexadecimal number in the range
2715           0x1–0xffff. Defaults to unset.
2716
2717       PacketLimit=
2718           Specifies the hard limit on the queue size in number of packets.
2719           When this limit is reached, incoming packets are dropped. An
2720           unsigned integer in the range 0...4294967294. Defaults to unset and
2721           kernel's default is used.
2722

[STOCHASTICFAIRNESSQUEUEING] SECTION OPTIONS

2724       The [StochasticFairnessQueueing] section manages the queueing
2725       discipline (qdisc) of stochastic fairness queueing (sfq).
2726
2727       Parent=
2728           Configures the parent Queueing Discipline (qdisc). Takes one of
2729           "root", "clsact", "ingress" or a class identifier. The class
2730           identifier is specified as the major and minor numbers in
2731           hexadecimal in the range 0x1–0xffff separated with a colon
2732           ("major:minor"). Defaults to "root".
2733
2734       Handle=
2735           Configures the major number of unique identifier of the qdisc,
2736           known as the handle. Takes a hexadecimal number in the range
2737           0x1–0xffff. Defaults to unset.
2738
2739       PerturbPeriodSec=
2740           Specifies the interval in seconds for queue algorithm perturbation.
2741           Defaults to unset.
2742

[BFIFO] SECTION OPTIONS

2744       The [BFIFO] section manages the queueing discipline (qdisc) of Byte
2745       limited Packet First In First Out (bfifo).
2746
2747       Parent=
2748           Configures the parent Queueing Discipline (qdisc). Takes one of
2749           "root", "clsact", "ingress" or a class identifier. The class
2750           identifier is specified as the major and minor numbers in
2751           hexadecimal in the range 0x1–0xffff separated with a colon
2752           ("major:minor"). Defaults to "root".
2753
2754       Handle=
2755           Configures the major number of unique identifier of the qdisc,
2756           known as the handle. Takes a hexadecimal number in the range
2757           0x1–0xffff. Defaults to unset.
2758
2759       LimitBytes=
2760           Specifies the hard limit in bytes on the FIFO buffer size. The size
2761           limit prevents overflow in case the kernel is unable to dequeue
2762           packets as quickly as it receives them. When this limit is reached,
2763           incoming packets are dropped. When suffixed with K, M, or G, the
2764           specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
2765           respectively, to the base of 1024. Defaults to unset and kernel
2766           default is used.
2767

[PFIFO] SECTION OPTIONS

2769       The [PFIFO] section manages the queueing discipline (qdisc) of Packet
2770       First In First Out (pfifo).
2771
2772       Parent=
2773           Configures the parent Queueing Discipline (qdisc). Takes one of
2774           "root", "clsact", "ingress" or a class identifier. The class
2775           identifier is specified as the major and minor numbers in
2776           hexadecimal in the range 0x1–0xffff separated with a colon
2777           ("major:minor"). Defaults to "root".
2778
2779       Handle=
2780           Configures the major number of unique identifier of the qdisc,
2781           known as the handle. Takes a hexadecimal number in the range
2782           0x1–0xffff. Defaults to unset.
2783
2784       PacketLimit=
2785           Specifies the hard limit on the number of packets in the FIFO
2786           queue. The size limit prevents overflow in case the kernel is
2787           unable to dequeue packets as quickly as it receives them. When this
2788           limit is reached, incoming packets are dropped. An unsigned integer
2789           in the range 0...4294967294. Defaults to unset and kernel's default
2790           is used.
2791

[PFIFOHEADDROP] SECTION OPTIONS

2793       The [PFIFOHeadDrop] section manages the queueing discipline (qdisc) of
2794       Packet First In First Out Head Drop (pfifo_head_drop).
2795
2796       Parent=
2797           Configures the parent Queueing Discipline (qdisc). Takes one of
2798           "root", "clsact", "ingress" or a class identifier. The class
2799           identifier is specified as the major and minor numbers in
2800           hexadecimal in the range 0x1–0xffff separated with a colon
2801           ("major:minor"). Defaults to "root".
2802
2803       Handle=
2804           Configures the major number of unique identifier of the qdisc,
2805           known as the handle. Takes a hexadecimal number in the range
2806           0x1–0xffff. Defaults to unset.
2807
2808       PacketLimit=
2809           As in [PFIFO] section.
2810

[PFIFOFAST] SECTION OPTIONS

2812       The [PFIFOFast] section manages the queueing discipline (qdisc) of
2813       Packet First In First Out Fast (pfifo_fast).
2814
2815       Parent=
2816           Configures the parent Queueing Discipline (qdisc). Takes one of
2817           "root", "clsact", "ingress" or a class identifier. The class
2818           identifier is specified as the major and minor numbers in
2819           hexadecimal in the range 0x1–0xffff separated with a colon
2820           ("major:minor"). Defaults to "root".
2821
2822       Handle=
2823           Configures the major number of unique identifier of the qdisc,
2824           known as the handle. Takes a hexadecimal number in the range
2825           0x1–0xffff. Defaults to unset.
2826

[CAKE] SECTION OPTIONS

2828       The [CAKE] section manages the queueing discipline (qdisc) of Common
2829       Applications Kept Enhanced (CAKE).
2830
2831       Parent=
2832           Configures the parent Queueing Discipline (qdisc). Takes one of
2833           "root", "clsact", "ingress" or a class identifier. The class
2834           identifier is specified as the major and minor numbers in
2835           hexadecimal in the range 0x1–0xffff separated with a colon
2836           ("major:minor"). Defaults to "root".
2837
2838       Handle=
2839           Configures the major number of unique identifier of the qdisc,
2840           known as the handle. Takes a hexadecimal number in the range
2841           0x1–0xffff. Defaults to unset.
2842
2843       Bandwidth=
2844           Specifies the shaper bandwidth. When suffixed with K, M, or G, the
2845           specified size is parsed as Kilobits, Megabits, or Gigabits,
2846           respectively, to the base of 1000. Defaults to unset and kernel's
2847           default is used.
2848
2849       AutoRateIngress=
2850           Takes a boolean value. Enables automatic capacity estimation based
2851           on traffic arriving at this qdisc. This is most likely to be useful
2852           with cellular links, which tend to change quality randomly. If this
2853           setting is enabled, the Bandwidth= setting is used as an initial
2854           estimate. Defaults to unset, and the kernel's default is used.
2855
2856       OverheadBytes=
2857           Specifies that bytes to be addeded to the size of each packet.
2858           Bytes may be negative. Takes an integer in the range -64...256.
2859           Defaults to unset and kernel's default is used.
2860
2861       MPUBytes=
2862           Rounds each packet (including overhead) up to the specified bytes.
2863           Takes an integer in the range 1...256. Defaults to unset and
2864           kernel's default is used.
2865
2866       CompensationMode=
2867           Takes one of "none", "atm", or "ptm". Specifies the compensation
2868           mode for overhead calculation. When "none", no compensation is
2869           taken into account. When "atm", enables the compensation for ATM
2870           cell framing, which is normally found on ADSL links. When "ptm",
2871           enables the compensation for PTM encoding, which is normally found
2872           on VDSL2 links and uses a 64b/65b encoding scheme. Defaults to
2873           unset and the kernel's default is used.
2874
2875       UseRawPacketSize=
2876           Takes a boolean value. When true, the packet size reported by the
2877           Linux kernel will be used, instead of the underlying IP packet
2878           size. Defaults to unset, and the kernel's default is used.
2879
2880       FlowIsolationMode=
2881           CAKE places packets from different flows into different queues,
2882           then packets from each queue are delivered fairly. This specifies
2883           whether the fairness is based on source address, destination
2884           address, individual flows, or any combination of those. The
2885           available values are:
2886
2887           none
2888               The flow isolation is disabled, and all traffic passes through
2889               a single queue.
2890
2891           src-host
2892               Flows are defined only by source address. Equivalent to the
2893               "srchost" option for tc qdisc command. See also tc-cake(8).
2894
2895           dst-host
2896               Flows are defined only by destination address. Equivalent to
2897               the "dsthost" option for tc qdisc command. See also tc-cake(8).
2898
2899           hosts
2900               Flows are defined by source-destination host pairs. Equivalent
2901               to the same option for tc qdisc command. See also tc-cake(8).
2902
2903           flows
2904               Flows are defined by the entire 5-tuple of source address,
2905               destination address, transport protocol, source port and
2906               destination port. Equivalent to the same option for tc qdisc
2907               command. See also tc-cake(8).
2908
2909           dual-src-host
2910               Flows are defined by the 5-tuple (see "flows" in the above),
2911               and fairness is applied first over source addresses, then over
2912               individual flows. Equivalent to the "dual-srchost" option for
2913               tc qdisc command. See also tc-cake(8).
2914
2915           dual-dst-host
2916               Flows are defined by the 5-tuple (see "flows" in the above),
2917               and fairness is applied first over destination addresses, then
2918               over individual flows. Equivalent to the "dual-dsthost" option
2919               for tc qdisc command. See also tc-cake(8).
2920
2921           triple
2922               Flows are defined by the 5-tuple (see "flows"), and fairness is
2923               applied over source and destination addresses, and also over
2924               individual flows. Equivalent to the "triple-isolate" option for
2925               tc qdisc command. See also tc-cake(8).
2926
2927           Defaults to unset and the kernel's default is used.
2928
2929       NAT=
2930           Takes a boolean value. When true, CAKE performs a NAT lookup before
2931           applying flow-isolation rules, to determine the true addresses and
2932           port numbers of the packet, to improve fairness between hosts
2933           inside the NAT. This has no practical effect when
2934           FlowIsolationMode= is "none" or "flows", or if NAT is performed on
2935           a different host. Defaults to unset, and the kernel's default is
2936           used.
2937
2938       PriorityQueueingPreset=
2939           CAKE divides traffic into "tins", and each tin has its own
2940           independent set of flow-isolation queues, bandwidth threshold, and
2941           priority. This specifies the preset of tin profiles. The available
2942           values are:
2943
2944           besteffort
2945               Disables priority queueing by placing all traffic in one tin.
2946
2947           precedence
2948               Enables priority queueing based on the legacy interpretation of
2949               TOS "Precedence" field. Use of this preset on the modern
2950               Internet is firmly discouraged.
2951
2952           diffserv8
2953               Enables priority queueing based on the Differentiated Service
2954               ("DiffServ") field with eight tins: Background Traffic, High
2955               Throughput, Best Effort, Video Streaming, Low Latency
2956               Transactions, Interactive Shell, Minimum Latency, and Network
2957               Control.
2958
2959           diffserv4
2960               Enables priority queueing based on the Differentiated Service
2961               ("DiffServ") field with four tins: Background Traffic, Best
2962               Effort, Streaming Media, and Latency Sensitive.
2963
2964           diffserv3
2965               Enables priority queueing based on the Differentiated Service
2966               ("DiffServ") field with three tins: Background Traffic, Best
2967               Effort, and Latency Sensitive.
2968
2969           Defaults to unset, and the kernel's default is used.
2970
2971       FirewallMark=
2972           Takes an integer in the range 1...4294967295. When specified,
2973           firewall-mark-based overriding of CAKE's tin selection is enabled.
2974           Defaults to unset, and the kernel's default is used.
2975
2976       Wash=
2977           Takes a boolean value. When true, CAKE clears the DSCP fields,
2978           except for ECN bits, of any packet passing through CAKE. Defaults
2979           to unset, and the kernel's default is used.
2980
2981       SplitGSO=
2982           Takes a boolean value. When true, CAKE will split General
2983           Segmentation Offload (GSO) super-packets into their on-the-wire
2984           components and dequeue them individually. Defaults to unset, and
2985           the kernel's default is used.
2986
2987       RTTSec=
2988           Specifies the RTT for the filter. Takes a timespan. Typical values
2989           are e.g. 100us for extremely high-performance 10GigE+ networks like
2990           datacentre, 1ms for non-WiFi LAN connections, 100ms for typical
2991           internet connections. Defaults to unset, and the kernel's default
2992           will be used.
2993
2994       AckFilter=
2995           Takes a boolean value, or special value "aggressive". If enabled,
2996           ACKs in each flow are queued and redundant ACKs to the upstream are
2997           dropped. If yes, the filter will always keep at least two redundant
2998           ACKs in the queue, while in "aggressive" mode, it will filter down
2999           to a single ACK. This may improve download throughput on links with
3000           very asymmetrical rate limits. Defaults to unset, and the kernel's
3001           default will be used.
3002

[CONTROLLEDDELAY] SECTION OPTIONS

3004       The [ControlledDelay] section manages the queueing discipline (qdisc)
3005       of controlled delay (CoDel).
3006
3007       Parent=
3008           Configures the parent Queueing Discipline (qdisc). Takes one of
3009           "root", "clsact", "ingress" or a class identifier. The class
3010           identifier is specified as the major and minor numbers in
3011           hexadecimal in the range 0x1–0xffff separated with a colon
3012           ("major:minor"). Defaults to "root".
3013
3014       Handle=
3015           Configures the major number of unique identifier of the qdisc,
3016           known as the handle. Takes a hexadecimal number in the range
3017           0x1–0xffff. Defaults to unset.
3018
3019       PacketLimit=
3020           Specifies the hard limit on the queue size in number of packets.
3021           When this limit is reached, incoming packets are dropped. An
3022           unsigned integer in the range 0...4294967294. Defaults to unset and
3023           kernel's default is used.
3024
3025       TargetSec=
3026           Takes a timespan. Specifies the acceptable minimum
3027           standing/persistent queue delay. Defaults to unset and kernel's
3028           default is used.
3029
3030       IntervalSec=
3031           Takes a timespan. This is used to ensure that the measured minimum
3032           delay does not become too stale. Defaults to unset and kernel's
3033           default is used.
3034
3035       ECN=
3036           Takes a boolean. This can be used to mark packets instead of
3037           dropping them. Defaults to unset and kernel's default is used.
3038
3039       CEThresholdSec=
3040           Takes a timespan. This sets a threshold above which all packets are
3041           marked with ECN Congestion Experienced (CE). Defaults to unset and
3042           kernel's default is used.
3043

[DEFICITROUNDROBINSCHEDULER] SECTION OPTIONS

3045       The [DeficitRoundRobinScheduler] section manages the queueing
3046       discipline (qdisc) of Deficit Round Robin Scheduler (DRR).
3047
3048       Parent=
3049           Configures the parent Queueing Discipline (qdisc). Takes one of
3050           "root", "clsact", "ingress" or a class identifier. The class
3051           identifier is specified as the major and minor numbers in
3052           hexadecimal in the range 0x1–0xffff separated with a colon
3053           ("major:minor"). Defaults to "root".
3054
3055       Handle=
3056           Configures the major number of unique identifier of the qdisc,
3057           known as the handle. Takes a hexadecimal number in the range
3058           0x1–0xffff. Defaults to unset.
3059

[DEFICITROUNDROBINSCHEDULERCLASS] SECTION OPTIONS

3061       The [DeficitRoundRobinSchedulerClass] section manages the traffic
3062       control class of Deficit Round Robin Scheduler (DRR).
3063
3064       Parent=
3065           Configures the parent Queueing Discipline (qdisc). Takes one of
3066           "root", or a qdisc identifier. The qdisc identifier is specified as
3067           the major and minor numbers in hexadecimal in the range 0x1–0xffff
3068           separated with a colon ("major:minor"). Defaults to "root".
3069
3070       ClassId=
3071           Configures the unique identifier of the class. It is specified as
3072           the major and minor numbers in hexadecimal in the range 0x1–0xffff
3073           separated with a colon ("major:minor"). Defaults to unset.
3074
3075       QuantumBytes=
3076           Specifies the amount of bytes a flow is allowed to dequeue before
3077           the scheduler moves to the next class. When suffixed with K, M, or
3078           G, the specified size is parsed as Kilobytes, Megabytes, or
3079           Gigabytes, respectively, to the base of 1024. Defaults to the MTU
3080           of the interface.
3081

[ENHANCEDTRANSMISSIONSELECTION] SECTION OPTIONS

3083       The [EnhancedTransmissionSelection] section manages the queueing
3084       discipline (qdisc) of Enhanced Transmission Selection (ETS).
3085
3086       Parent=
3087           Configures the parent Queueing Discipline (qdisc). Takes one of
3088           "root", "clsact", "ingress" or a class identifier. The class
3089           identifier is specified as the major and minor numbers in
3090           hexadecimal in the range 0x1–0xffff separated with a colon
3091           ("major:minor"). Defaults to "root".
3092
3093       Handle=
3094           Configures the major number of unique identifier of the qdisc,
3095           known as the handle. Takes a hexadecimal number in the range
3096           0x1–0xffff. Defaults to unset.
3097
3098       Bands=
3099           Specifies the number of bands. An unsigned integer in the range
3100           1...16. This value has to be at least large enough to cover the
3101           strict bands specified through the StrictBands= and
3102           bandwidth-sharing bands specified in QuantumBytes=.
3103
3104       StrictBands=
3105           Specifies the number of bands that should be created in strict
3106           mode. An unsigned integer in the range 1...16.
3107
3108       QuantumBytes=
3109           Specifies the white-space separated list of quantum used in
3110           band-sharing bands. When suffixed with K, M, or G, the specified
3111           size is parsed as Kilobytes, Megabytes, or Gigabytes, respectively,
3112           to the base of 1024. This setting can be specified multiple times.
3113           If an empty string is assigned, then the all previous assignments
3114           are cleared.
3115
3116       PriorityMap=
3117           The priority map maps the priority of a packet to a band. The
3118           argument is a whitespace separated list of numbers. The first
3119           number indicates which band the packets with priority 0 should be
3120           put to, the second is for priority 1, and so on. There can be up to
3121           16 numbers in the list. If there are fewer, the default band that
3122           traffic with one of the unmentioned priorities goes to is the last
3123           one. Each band number must be in the range 0...255. This setting
3124           can be specified multiple times. If an empty string is assigned,
3125           then the all previous assignments are cleared.
3126

[GENERICRANDOMEARLYDETECTION] SECTION OPTIONS

3128       The [GenericRandomEarlyDetection] section manages the queueing
3129       discipline (qdisc) of Generic Random Early Detection (GRED).
3130
3131       Parent=
3132           Configures the parent Queueing Discipline (qdisc). Takes one of
3133           "root", "clsact", "ingress" or a class identifier. The class
3134           identifier is specified as the major and minor numbers in
3135           hexadecimal in the range 0x1–0xffff separated with a colon
3136           ("major:minor"). Defaults to "root".
3137
3138       Handle=
3139           Configures the major number of unique identifier of the qdisc,
3140           known as the handle. Takes a hexadecimal number in the range
3141           0x1–0xffff. Defaults to unset.
3142
3143       VirtualQueues=
3144           Specifies the number of virtual queues. Takes an integer in the
3145           range 1...16. Defaults to unset and kernel's default is used.
3146
3147       DefaultVirtualQueue=
3148           Specifies the number of default virtual queue. This must be less
3149           than VirtualQueue=. Defaults to unset and kernel's default is used.
3150
3151       GenericRIO=
3152           Takes a boolean. It turns on the RIO-like buffering scheme.
3153           Defaults to unset and kernel's default is used.
3154

[FAIRQUEUEINGCONTROLLEDDELAY] SECTION OPTIONS

3156       The [FairQueueingControlledDelay] section manages the queueing
3157       discipline (qdisc) of fair queuing controlled delay (FQ-CoDel).
3158
3159       Parent=
3160           Configures the parent Queueing Discipline (qdisc). Takes one of
3161           "root", "clsact", "ingress" or a class identifier. The class
3162           identifier is specified as the major and minor numbers in
3163           hexadecimal in the range 0x1–0xffff separated with a colon
3164           ("major:minor"). Defaults to "root".
3165
3166       Handle=
3167           Configures the major number of unique identifier of the qdisc,
3168           known as the handle. Takes a hexadecimal number in the range
3169           0x1–0xffff. Defaults to unset.
3170
3171       PacketLimit=
3172           Specifies the hard limit on the real queue size. When this limit is
3173           reached, incoming packets are dropped. Defaults to unset and
3174           kernel's default is used.
3175
3176       MemoryLimitBytes=
3177           Specifies the limit on the total number of bytes that can be queued
3178           in this FQ-CoDel instance. When suffixed with K, M, or G, the
3179           specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
3180           respectively, to the base of 1024. Defaults to unset and kernel's
3181           default is used.
3182
3183       Flows=
3184           Specifies the number of flows into which the incoming packets are
3185           classified. Defaults to unset and kernel's default is used.
3186
3187       TargetSec=
3188           Takes a timespan. Specifies the acceptable minimum
3189           standing/persistent queue delay. Defaults to unset and kernel's
3190           default is used.
3191
3192       IntervalSec=
3193           Takes a timespan. This is used to ensure that the measured minimum
3194           delay does not become too stale. Defaults to unset and kernel's
3195           default is used.
3196
3197       QuantumBytes=
3198           Specifies the number of bytes used as the "deficit" in the fair
3199           queuing algorithm timespan. When suffixed with K, M, or G, the
3200           specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
3201           respectively, to the base of 1024. Defaults to unset and kernel's
3202           default is used.
3203
3204       ECN=
3205           Takes a boolean. This can be used to mark packets instead of
3206           dropping them. Defaults to unset and kernel's default is used.
3207
3208       CEThresholdSec=
3209           Takes a timespan. This sets a threshold above which all packets are
3210           marked with ECN Congestion Experienced (CE). Defaults to unset and
3211           kernel's default is used.
3212

[FAIRQUEUEING] SECTION OPTIONS

3214       The [FairQueueing] section manages the queueing discipline (qdisc) of
3215       fair queue traffic policing (FQ).
3216
3217       Parent=
3218           Configures the parent Queueing Discipline (qdisc). Takes one of
3219           "root", "clsact", "ingress" or a class identifier. The class
3220           identifier is specified as the major and minor numbers in
3221           hexadecimal in the range 0x1–0xffff separated with a colon
3222           ("major:minor"). Defaults to "root".
3223
3224       Handle=
3225           Configures the major number of unique identifier of the qdisc,
3226           known as the handle. Takes a hexadecimal number in the range
3227           0x1–0xffff. Defaults to unset.
3228
3229       PacketLimit=
3230           Specifies the hard limit on the real queue size. When this limit is
3231           reached, incoming packets are dropped. Defaults to unset and
3232           kernel's default is used.
3233
3234       FlowLimit=
3235           Specifies the hard limit on the maximum number of packets queued
3236           per flow. Defaults to unset and kernel's default is used.
3237
3238       QuantumBytes=
3239           Specifies the credit per dequeue RR round, i.e. the amount of bytes
3240           a flow is allowed to dequeue at once. When suffixed with K, M, or
3241           G, the specified size is parsed as Kilobytes, Megabytes, or
3242           Gigabytes, respectively, to the base of 1024. Defaults to unset and
3243           kernel's default is used.
3244
3245       InitialQuantumBytes=
3246           Specifies the initial sending rate credit, i.e. the amount of bytes
3247           a new flow is allowed to dequeue initially. When suffixed with K,
3248           M, or G, the specified size is parsed as Kilobytes, Megabytes, or
3249           Gigabytes, respectively, to the base of 1024. Defaults to unset and
3250           kernel's default is used.
3251
3252       MaximumRate=
3253           Specifies the maximum sending rate of a flow. When suffixed with K,
3254           M, or G, the specified size is parsed as Kilobits, Megabits, or
3255           Gigabits, respectively, to the base of 1000. Defaults to unset and
3256           kernel's default is used.
3257
3258       Buckets=
3259           Specifies the size of the hash table used for flow lookups.
3260           Defaults to unset and kernel's default is used.
3261
3262       OrphanMask=
3263           Takes an unsigned integer. For packets not owned by a socket, fq is
3264           able to mask a part of hash and reduce number of buckets associated
3265           with the traffic. Defaults to unset and kernel's default is used.
3266
3267       Pacing=
3268           Takes a boolean, and enables or disables flow pacing. Defaults to
3269           unset and kernel's default is used.
3270
3271       CEThresholdSec=
3272           Takes a timespan. This sets a threshold above which all packets are
3273           marked with ECN Congestion Experienced (CE). Defaults to unset and
3274           kernel's default is used.
3275

[TRIVIALLINKEQUALIZER] SECTION OPTIONS

3277       The [TrivialLinkEqualizer] section manages the queueing discipline
3278       (qdisc) of trivial link equalizer (teql).
3279
3280       Parent=
3281           Configures the parent Queueing Discipline (qdisc). Takes one of
3282           "root", "clsact", "ingress" or a class identifier. The class
3283           identifier is specified as the major and minor numbers in
3284           hexadecimal in the range 0x1–0xffff separated with a colon
3285           ("major:minor"). Defaults to "root".
3286
3287       Handle=
3288           Configures the major number of unique identifier of the qdisc,
3289           known as the handle. Takes a hexadecimal number in the range
3290           0x1–0xffff. Defaults to unset.
3291
3292       Id=
3293           Specifies the interface ID "N" of teql. Defaults to "0". Note that
3294           when teql is used, currently, the module sch_teql with
3295           max_equalizers=N+1 option must be loaded before systemd-networkd is
3296           started.
3297

[HIERARCHYTOKENBUCKET] SECTION OPTIONS

3299       The [HierarchyTokenBucket] section manages the queueing discipline
3300       (qdisc) of hierarchy token bucket (htb).
3301
3302       Parent=
3303           Configures the parent Queueing Discipline (qdisc). Takes one of
3304           "root", "clsact", "ingress" or a class identifier. The class
3305           identifier is specified as the major and minor numbers in
3306           hexadecimal in the range 0x1–0xffff separated with a colon
3307           ("major:minor"). Defaults to "root".
3308
3309       Handle=
3310           Configures the major number of unique identifier of the qdisc,
3311           known as the handle. Takes a hexadecimal number in the range
3312           0x1–0xffff. Defaults to unset.
3313
3314       DefaultClass=
3315           Takes the minor id in hexadecimal of the default class.
3316           Unclassified traffic gets sent to the class. Defaults to unset.
3317
3318       RateToQuantum=
3319           Takes an unsigned integer. The DRR quantums are calculated by
3320           dividing the value configured in Rate= by RateToQuantum=.
3321

[HIERARCHYTOKENBUCKETCLASS] SECTION OPTIONS

3323       The [HierarchyTokenBucketClass] section manages the traffic control
3324       class of hierarchy token bucket (htb).
3325
3326       Parent=
3327           Configures the parent Queueing Discipline (qdisc). Takes one of
3328           "root", or a qdisc identifier. The qdisc identifier is specified as
3329           the major and minor numbers in hexadecimal in the range 0x1–0xffff
3330           separated with a colon ("major:minor"). Defaults to "root".
3331
3332       ClassId=
3333           Configures the unique identifier of the class. It is specified as
3334           the major and minor numbers in hexadecimal in the range 0x1–0xffff
3335           separated with a colon ("major:minor"). Defaults to unset.
3336
3337       Priority=
3338           Specifies the priority of the class. In the round-robin process,
3339           classes with the lowest priority field are tried for packets first.
3340
3341       QuantumBytes=
3342           Specifies how many bytes to serve from leaf at once. When suffixed
3343           with K, M, or G, the specified size is parsed as Kilobytes,
3344           Megabytes, or Gigabytes, respectively, to the base of 1024.
3345
3346       MTUBytes=
3347           Specifies the maximum packet size we create. When suffixed with K,
3348           M, or G, the specified size is parsed as Kilobytes, Megabytes, or
3349           Gigabytes, respectively, to the base of 1024.
3350
3351       OverheadBytes=
3352           Takes an unsigned integer which specifies per-packet size overhead
3353           used in rate computations. When suffixed with K, M, or G, the
3354           specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
3355           respectively, to the base of 1024.
3356
3357       Rate=
3358           Specifies the maximum rate this class and all its children are
3359           guaranteed. When suffixed with K, M, or G, the specified size is
3360           parsed as Kilobits, Megabits, or Gigabits, respectively, to the
3361           base of 1000. This setting is mandatory.
3362
3363       CeilRate=
3364           Specifies the maximum rate at which a class can send, if its parent
3365           has bandwidth to spare. When suffixed with K, M, or G, the
3366           specified size is parsed as Kilobits, Megabits, or Gigabits,
3367           respectively, to the base of 1000. When unset, the value specified
3368           with Rate= is used.
3369
3370       BufferBytes=
3371           Specifies the maximum bytes burst which can be accumulated during
3372           idle period. When suffixed with K, M, or G, the specified size is
3373           parsed as Kilobytes, Megabytes, or Gigabytes, respectively, to the
3374           base of 1024.
3375
3376       CeilBufferBytes=
3377           Specifies the maximum bytes burst for ceil which can be accumulated
3378           during idle period. When suffixed with K, M, or G, the specified
3379           size is parsed as Kilobytes, Megabytes, or Gigabytes, respectively,
3380           to the base of 1024.
3381

[HEAVYHITTERFILTER] SECTION OPTIONS

3383       The [HeavyHitterFilter] section manages the queueing discipline (qdisc)
3384       of Heavy Hitter Filter (hhf).
3385
3386       Parent=
3387           Configures the parent Queueing Discipline (qdisc). Takes one of
3388           "root", "clsact", "ingress" or a class identifier. The class
3389           identifier is specified as the major and minor numbers in
3390           hexadecimal in the range 0x1–0xffff separated with a colon
3391           ("major:minor"). Defaults to "root".
3392
3393       Handle=
3394           Configures the major number of unique identifier of the qdisc,
3395           known as the handle. Takes a hexadecimal number in the range
3396           0x1–0xffff. Defaults to unset.
3397
3398       PacketLimit=
3399           Specifies the hard limit on the queue size in number of packets.
3400           When this limit is reached, incoming packets are dropped. An
3401           unsigned integer in the range 0...4294967294. Defaults to unset and
3402           kernel's default is used.
3403

[QUICKFAIRQUEUEING] SECTION OPTIONS

3405       The [QuickFairQueueing] section manages the queueing discipline (qdisc)
3406       of Quick Fair Queueing (QFQ).
3407
3408       Parent=
3409           Configures the parent Queueing Discipline (qdisc). Takes one of
3410           "root", "clsact", "ingress" or a class identifier. The class
3411           identifier is specified as the major and minor numbers in
3412           hexadecimal in the range 0x1–0xffff separated with a colon
3413           ("major:minor"). Defaults to "root".
3414
3415       Handle=
3416           Configures the major number of unique identifier of the qdisc,
3417           known as the handle. Takes a hexadecimal number in the range
3418           0x1–0xffff. Defaults to unset.
3419

[QUICKFAIRQUEUEINGCLASS] SECTION OPTIONS

3421       The [QuickFairQueueingClass] section manages the traffic control class
3422       of Quick Fair Queueing (qfq).
3423
3424       Parent=
3425           Configures the parent Queueing Discipline (qdisc). Takes one of
3426           "root", or a qdisc identifier. The qdisc identifier is specified as
3427           the major and minor numbers in hexadecimal in the range 0x1–0xffff
3428           separated with a colon ("major:minor"). Defaults to "root".
3429
3430       ClassId=
3431           Configures the unique identifier of the class. It is specified as
3432           the major and minor numbers in hexadecimal in the range 0x1–0xffff
3433           separated with a colon ("major:minor"). Defaults to unset.
3434
3435       Weight=
3436           Specifies the weight of the class. Takes an integer in the range
3437           1...1023. Defaults to unset in which case the kernel default is
3438           used.
3439
3440       MaxPacketBytes=
3441           Specifies the maximum packet size in bytes for the class. When
3442           suffixed with K, M, or G, the specified size is parsed as
3443           Kilobytes, Megabytes, or Gigabytes, respectively, to the base of
3444           1024. When unset, the kernel default is used.
3445

[BRIDGEVLAN] SECTION OPTIONS

3447       The [BridgeVLAN] section manages the VLAN ID configuration of a bridge
3448       port and accepts the following keys. Specify several [BridgeVLAN]
3449       sections to configure several VLAN entries. The VLANFiltering= option
3450       has to be enabled, see the [Bridge] section in systemd.netdev(5).
3451
3452       VLAN=
3453           The VLAN ID allowed on the port. This can be either a single ID or
3454           a range M-N. Takes an integer in the range 1...4094.
3455
3456       EgressUntagged=
3457           The VLAN ID specified here will be used to untag frames on egress.
3458           Configuring EgressUntagged= implicates the use of VLAN= above and
3459           will enable the VLAN ID for ingress as well. This can be either a
3460           single ID or a range M-N.
3461
3462       PVID=
3463           The Port VLAN ID specified here is assigned to all untagged frames
3464           at ingress.  PVID= can be used only once. Configuring PVID=
3465           implicates the use of VLAN= above and will enable the VLAN ID for
3466           ingress as well.
3467

EXAMPLES

3469       Example 1. Static network configuration
3470
3471           # /etc/systemd/network/50-static.network
3472           [Match]
3473           Name=enp2s0
3474
3475           [Network]
3476           Address=192.168.0.15/24
3477           Gateway=192.168.0.1
3478
3479       This brings interface "enp2s0" up with a static address. The specified
3480       gateway will be used for a default route.
3481
3482       Example 2. DHCP on ethernet links
3483
3484           # /etc/systemd/network/80-dhcp.network
3485           [Match]
3486           Name=en*
3487
3488           [Network]
3489           DHCP=yes
3490
3491       This will enable DHCPv4 and DHCPv6 on all interfaces with names
3492       starting with "en" (i.e. ethernet interfaces).
3493
3494       Example 3. IPv6 Prefix Delegation (DHCPv6 PD)
3495
3496           # /etc/systemd/network/55-dhcpv6-pd-upstream.network
3497           [Match]
3498           Name=enp1s0
3499
3500           [Network]
3501           DHCP=ipv6
3502
3503           # The below setting is optional, to also assign an address in the delegated prefix
3504           # to the upstream interface. If not necessary, then comment out the line below and
3505           # the [DHCPPrefixDelegation] section.
3506           DHCPPrefixDelegation=yes
3507
3508           # If the upstream network provides Router Advertisement with Managed bit set,
3509           # then comment out the line below and WithoutRA= setting in the [DHCPv6] section.
3510           IPv6AcceptRA=no
3511
3512           [DHCPv6]
3513           WithoutRA=solicit
3514
3515           [DHCPPrefixDelegation]
3516           UplinkInterface=:self
3517           SubnetId=0
3518           Announce=no
3519
3520           # /etc/systemd/network/55-dhcpv6-pd-downstream.network
3521           [Match]
3522           Name=enp2s0
3523
3524           [Network]
3525           DHCPPrefixDelegation=yes
3526           IPv6SendRA=yes
3527
3528           # It is expected that the host is acting as a router. So, usually it is not
3529           # necessary to receive Router Advertisement from other hosts in the downstream network.
3530           IPv6AcceptRA=no
3531
3532           [DHCPPrefixDelegation]
3533           UplinkInterface=enp1s0
3534           SubnetId=1
3535           Announce=yes
3536
3537       This will enable DHCPv6-PD on the interface enp1s0 as an upstream
3538       interface where the DHCPv6 client is running and enp2s0 as a downstream
3539       interface where the prefix is delegated to. The delegated prefixes are
3540       distributed by IPv6 Router Advertisement on the downstream network.
3541
3542       Example 4. IPv6 Prefix Delegation (DHCPv4 6RD)
3543
3544           # /etc/systemd/network/55-dhcpv4-6rd-upstream.network
3545           [Match]
3546           Name=enp1s0
3547
3548           [Network]
3549           DHCP=ipv4
3550
3551           # When DHCPv4-6RD is used, the upstream network does not support IPv6.
3552           # Hence, it is not necessary to wait for Router Advertisement, which is enabled by default.
3553           IPv6AcceptRA=no
3554
3555           [DHCPv4]
3556           Use6RD=yes
3557
3558           # /etc/systemd/network/55-dhcpv4-6rd-downstream.network
3559           [Match]
3560           Name=enp2s0
3561
3562           [Network]
3563           DHCPPrefixDelegation=yes
3564           IPv6SendRA=yes
3565
3566           # It is expected that the host is acting as a router. So, usually it is not
3567           # necessary to receive Router Advertisement from other hosts in the downstream network.
3568           IPv6AcceptRA=no
3569
3570           [DHCPPrefixDelegation]
3571           UplinkInterface=enp1s0
3572           SubnetId=1
3573           Announce=yes
3574
3575       This will enable DHCPv4-6RD on the interface enp1s0 as an upstream
3576       interface where the DHCPv4 client is running and enp2s0 as a downstream
3577       interface where the prefix is delegated to. The delegated prefixes are
3578       distributed by IPv6 Router Advertisement on the downstream network.
3579
3580       Example 5. A bridge with two enslaved links
3581
3582           # /etc/systemd/network/25-bridge-static.netdev
3583           [NetDev]
3584           Name=bridge0
3585           Kind=bridge
3586
3587           # /etc/systemd/network/25-bridge-static.network
3588           [Match]
3589           Name=bridge0
3590
3591           [Network]
3592           Address=192.168.0.15/24
3593           Gateway=192.168.0.1
3594           DNS=192.168.0.1
3595
3596           # /etc/systemd/network/25-bridge-slave-interface-1.network
3597           [Match]
3598           Name=enp2s0
3599
3600           [Network]
3601           Bridge=bridge0
3602
3603           # /etc/systemd/network/25-bridge-slave-interface-2.network
3604           [Match]
3605           Name=wlp3s0
3606
3607           [Network]
3608           Bridge=bridge0
3609
3610       This creates a bridge and attaches devices "enp2s0" and "wlp3s0" to it.
3611       The bridge will have the specified static address and network assigned,
3612       and a default route via the specified gateway will be added. The
3613       specified DNS server will be added to the global list of DNS resolvers.
3614
3615       Example 6. Bridge port with VLAN forwarding
3616
3617           # /etc/systemd/network/25-bridge-slave-interface-1.network
3618           [Match]
3619           Name=enp2s0
3620
3621           [Network]
3622           Bridge=bridge0
3623
3624           [BridgeVLAN]
3625           VLAN=1-32
3626           PVID=42
3627           EgressUntagged=42
3628
3629           [BridgeVLAN]
3630           VLAN=100-200
3631
3632           [BridgeVLAN]
3633           EgressUntagged=300-400
3634
3635       This overrides the configuration specified in the previous example for
3636       the interface "enp2s0", and enables VLAN on that bridge port. VLAN IDs
3637       1-32, 42, 100-400 will be allowed. Packets tagged with VLAN IDs 42,
3638       300-400 will be untagged when they leave on this interface. Untagged
3639       packets which arrive on this interface will be assigned VLAN ID 42.
3640
3641       Example 7. Various tunnels
3642
3643           /etc/systemd/network/25-tunnels.network
3644           [Match]
3645           Name=ens1
3646
3647           [Network]
3648           Tunnel=ipip-tun
3649           Tunnel=sit-tun
3650           Tunnel=gre-tun
3651           Tunnel=vti-tun
3652
3653
3654           /etc/systemd/network/25-tunnel-ipip.netdev
3655           [NetDev]
3656           Name=ipip-tun
3657           Kind=ipip
3658
3659
3660           /etc/systemd/network/25-tunnel-sit.netdev
3661           [NetDev]
3662           Name=sit-tun
3663           Kind=sit
3664
3665
3666           /etc/systemd/network/25-tunnel-gre.netdev
3667           [NetDev]
3668           Name=gre-tun
3669           Kind=gre
3670
3671
3672           /etc/systemd/network/25-tunnel-vti.netdev
3673           [NetDev]
3674           Name=vti-tun
3675           Kind=vti
3676
3677
3678       This will bring interface "ens1" up and create an IPIP tunnel, a SIT
3679       tunnel, a GRE tunnel, and a VTI tunnel using it.
3680
3681       Example 8. A bond device
3682
3683           # /etc/systemd/network/30-bond1.network
3684           [Match]
3685           Name=bond1
3686
3687           [Network]
3688           DHCP=ipv6
3689
3690           # /etc/systemd/network/30-bond1.netdev
3691           [NetDev]
3692           Name=bond1
3693           Kind=bond
3694
3695           # /etc/systemd/network/30-bond1-dev1.network
3696           [Match]
3697           MACAddress=52:54:00:e9:64:41
3698
3699           [Network]
3700           Bond=bond1
3701
3702           # /etc/systemd/network/30-bond1-dev2.network
3703           [Match]
3704           MACAddress=52:54:00:e9:64:42
3705
3706           [Network]
3707           Bond=bond1
3708
3709       This will create a bond device "bond1" and enslave the two devices with
3710       MAC addresses 52:54:00:e9:64:41 and 52:54:00:e9:64:42 to it. IPv6 DHCP
3711       will be used to acquire an address.
3712
3713       Example 9. Virtual Routing and Forwarding (VRF)
3714
3715       Add the "bond1" interface to the VRF master interface "vrf1". This will
3716       redirect routes generated on this interface to be within the routing
3717       table defined during VRF creation. For kernels before 4.8 traffic won't
3718       be redirected towards the VRFs routing table unless specific ip-rules
3719       are added.
3720
3721           # /etc/systemd/network/25-vrf.network
3722           [Match]
3723           Name=bond1
3724
3725           [Network]
3726           VRF=vrf1
3727
3728       Example 10. MacVTap
3729
3730       This brings up a network interface "macvtap-test" and attaches it to
3731       "enp0s25".
3732
3733           # /usr/lib/systemd/network/25-macvtap.network
3734           [Match]
3735           Name=enp0s25
3736
3737           [Network]
3738           MACVTAP=macvtap-test
3739
3740       Example 11. A Xfrm interface with physical underlying device.
3741
3742           # /etc/systemd/network/27-xfrm.netdev
3743           [NetDev]
3744           Name=xfrm0
3745           Kind=xfrm
3746
3747           [Xfrm]
3748           InterfaceId=7
3749
3750           # /etc/systemd/network/27-eth0.network
3751           [Match]
3752           Name=eth0
3753
3754           [Network]
3755           Xfrm=xfrm0
3756
3757       This creates a "xfrm0" interface and binds it to the "eth0" device.
3758       This allows hardware based ipsec offloading to the "eth0" nic. If
3759       offloading is not needed, xfrm interfaces can be assigned to the "lo"
3760       device.
3761

SEE ALSO

3763       systemd(1), systemd-networkd.service(8), systemd.link(5),
3764       systemd.netdev(5), systemd-network-generator.service(8), systemd-
3765       resolved.service(8)
3766

NOTES

3768        1. System and Service Credentials
3769           https://systemd.io/CREDENTIALS
3770
3771        2. Link-Local Multicast Name Resolution
3772           https://tools.ietf.org/html/rfc4795
3773
3774        3. Multicast DNS
3775           https://tools.ietf.org/html/rfc6762
3776
3777        4. DNS-over-TLS
3778           https://tools.ietf.org/html/rfc7858
3779
3780        5. DNSSEC
3781           https://tools.ietf.org/html/rfc4033
3782
3783        6. IEEE 802.1AB-2016
3784           https://standards.ieee.org/findstds/standard/802.1AB-2016.html
3785
3786        7. IP Sysctl
3787           https://docs.kernel.org/networking/ip-sysctl.html
3788
3789        8. RFC 4941
3790           https://tools.ietf.org/html/rfc4941
3791
3792        9. RFC 1027
3793           https://tools.ietf.org/html/rfc1027
3794
3795       10. RFC 6275
3796           https://tools.ietf.org/html/rfc6275
3797
3798       11. RFC 5227
3799           https://tools.ietf.org/html/rfc5227
3800
3801       12. RFC 4862
3802           https://tools.ietf.org/html/rfc4862
3803
3804       13. RFC 3041
3805           https://tools.ietf.org/html/rfc3041
3806
3807       14. NetLabel
3808           https://docs.kernel.org/netlabel/index.html
3809
3810       15. Linux Security Modules (LSMs)
3811           https://en.wikipedia.org/wiki/Linux_Security_Modules
3812
3813       16. NetLabel Fallback Peer Labeling
3814           https://github.com/SELinuxProject/selinux-notebook/blob/main/src/network_support.md
3815
3816       17. RFC 3484
3817           https://tools.ietf.org/html/rfc3484
3818
3819       18. RFC 4191
3820           https://tools.ietf.org/html/rfc4191
3821
3822       19. RFC 8520
3823           https://tools.ietf.org/html/rfc8520
3824
3825       20. RFC 7844
3826           https://tools.ietf.org/html/rfc7844
3827
3828       21. C-style escapes
3829           https://en.wikipedia.org/wiki/Escape_sequences_in_C#Table_of_escape_sequences
3830
3831       22. RFC 5969
3832           https://tools.ietf.org/html/rfc5969
3833
3834       23. RFC 3315
3835           https://tools.ietf.org/html/rfc3315#section-17.2.1
3836
3837       24. RFC 8415
3838           https://www.rfc-editor.org/rfc/rfc8415.html#section-6.3
3839
3840       25. RFC 4291
3841           https://tools.ietf.org/html/rfc4291#section-2.5.4
3842
3843       26. RFC 7217
3844           https://tools.ietf.org/html/rfc7217
3845
3846       27. RFC 2131
3847           https://www.rfc-editor.org/rfc/rfc2131.html
3848
3849       28. RFC 2132
3850           https://www.rfc-editor.org/rfc/rfc2132.html
3851
3852       29. RFC 1542
3853           https://tools.ietf.org/html/rfc1542
3854
3855       30. RFC 4861
3856           https://tools.ietf.org/html/rfc4861
3857
3858
3859
3860systemd 253                                                 SYSTEMD.NETWORK(5)
Impressum