SYSTEMD.NETWORK(5)              systemd.network              SYSTEMD.NETWORK(5)

NAME
    systemd.network - Network configuration

SYNOPSIS
    network.network

DESCRIPTION
    A plain ini-style text file that encodes network configuration for
    matching network interfaces, used by systemd-networkd(8). See
    systemd.syntax(7) for a general description of the syntax.

    The main network file must have the extension .network; other
    extensions are ignored. Networks are applied to links whenever the
    links appear.

    The .network files are read from the files located in the system
    network directories /usr/lib/systemd/network and
    /usr/local/lib/systemd/network, the volatile runtime network directory
    /run/systemd/network and the local administration network directory
    /etc/systemd/network. All configuration files are collectively sorted
    and processed in alphanumeric order, regardless of the directories in
    which they live. However, files with identical filenames replace each
    other. It is recommended that each filename is prefixed with a number
    (e.g. 10-eth0.network). Otherwise, the default .network files or those
    generated by systemd-network-generator.service(8) may take precedence
    over user configured files. Files in /etc/ have the highest priority,
    files in /run/ take precedence over files with the same name under
    /usr/. This can be used to override a system-supplied configuration
    file with a local file if needed. As a special case, an empty file
    (file size 0) or symlink with the same name pointing to /dev/null
    disables the configuration file entirely (it is "masked").

    Along with the network file foo.network, a "drop-in" directory
    foo.network.d/ may exist. All files with the suffix ".conf" from this
    directory will be merged in the alphanumeric order and parsed after the
    main file itself has been parsed. This is useful to alter or add
    configuration settings, without having to modify the main configuration
    file. Each drop-in file must have appropriate section headers.

    In addition to /etc/systemd/network, drop-in ".d" directories can be
    placed in /usr/lib/systemd/network or /run/systemd/network directories.
    Drop-in files in /etc/ take precedence over those in /run/ which in
    turn take precedence over those in /usr/lib/. Drop-in files under any
    of these directories take precedence over the main network file
    wherever located.
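
The lookup rules above can be checked mechanically when auditing a host. The following Python sketch is an added example, not part of systemd: for a given root it reports, per filename, which file wins, which copies it shadows, whether it is masked, and which drop-ins apply. Ranking /usr/local/lib above /usr/lib and treating masked drop-ins like masked main files are assumptions, and `effective_config` and `runtime_overrides` are hypothetical names.

```python
import os
from pathlib import Path

# Search directories, lowest to highest priority. The page states
# /etc > /run > /usr; ranking /usr/local/lib above /usr/lib is an assumption.
SEARCH_DIRS = (
    "usr/lib/systemd/network",
    "usr/local/lib/systemd/network",
    "run/systemd/network",
    "etc/systemd/network",
)


def is_masked(path):
    """An empty file or a symlink to /dev/null disables the configuration."""
    if path.is_symlink() and os.readlink(path) == "/dev/null":
        return True
    return path.is_file() and path.stat().st_size == 0


def candidates(root, subdir, suffix):
    """Map filename -> [paths], lowest priority first; the last entry wins."""
    found = {}
    for d in SEARCH_DIRS:
        base = root / d / subdir
        if base.is_dir():
            for p in base.iterdir():
                if p.name.endswith(suffix) and not p.is_dir():
                    found.setdefault(p.name, []).append(p)
    return found


def effective_config(root="/"):
    """Return one record per .network filename, in processing order."""
    root = Path(root)

    def rel(p):
        return str(p.relative_to(root))

    records = []
    mains = candidates(root, "", ".network")
    for name in sorted(mains):                 # sorted by filename only
        *shadowed, winner = mains[name]        # same name: highest dir wins
        masked = is_masked(winner)
        # Drop-ins are looked up in every directory, wherever the main file is.
        dropins = {} if masked else candidates(root, name + ".d", ".conf")
        records.append({
            "name": name,
            "main": rel(winner),
            "masked": masked,
            "shadowed": [rel(p) for p in shadowed],
            "dropins": [rel(dropins[n][-1]) for n in sorted(dropins)
                        if not is_masked(dropins[n][-1])],
        })
    return records


def runtime_overrides(records):
    """Names whose winning file or a drop-in comes from volatile /run."""
    return [r["name"] for r in records
            if any(p.startswith("run/") for p in [r["main"], *r["dropins"]])]


if __name__ == "__main__":
    for rec in effective_config("/"):
        state = "MASKED" if rec["masked"] else "active"
        print(f'{rec["name"]}: {rec["main"]} ({state})')
        for p in rec["shadowed"]:
            print(f"    shadows  {p}")
        for p in rec["dropins"]:
            print(f"    drop-in  {p}")
```

Entries returned by `runtime_overrides` are worth a second look during review, because files under /run do not survive a reboot and are easy to miss in a configuration-management diff.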

[MATCH] SECTION OPTIONS
    The network file contains a [Match] section, which determines if a
    given network file may be applied to a given interface; and a [Network]
    section specifying how the interface should be configured. The first
    (in alphanumeric order) of the network files that matches a given
    interface is applied, all later files are ignored, even if they match
    as well.

    A network file is said to match a network interface if all matches
    specified by the [Match] section are satisfied. When a network file
    does not contain valid settings in [Match] section, then the file will
    match all interfaces and systemd-networkd warns about that. Hint: to
    avoid the warning and to make it clear that all interfaces shall be
    matched, add the following:

        Name=*

    The following keys are accepted:

    MACAddress=
        A whitespace-separated list of hardware addresses. The acceptable
        formats are:

        colon-delimited hexadecimal
            Each field must be one byte. E.g. "12:34:56:78:90:ab" or
            "AA:BB:CC:DD:EE:FF".

        hyphen-delimited hexadecimal
            Each field must be one byte. E.g. "12-34-56-78-90-ab" or
            "AA-BB-CC-DD-EE-FF".

        dot-delimited hexadecimal
            Each field must be two bytes. E.g. "1234.5678.90ab" or
            "AABB.CCDD.EEFF".

        IPv4 address format
            E.g. "127.0.0.1" or "192.168.0.1".

        IPv6 address format
            E.g. "2001:0db8:85a3::8a2e:0370:7334" or "::1".

        The total length of each MAC address must be 4 (for IPv4 tunnel), 6
        (for Ethernet), 16 (for IPv6 tunnel), or 20 (for InfiniBand). This
        option may appear more than once, in which case the lists are
        merged. If the empty string is assigned to this option, the list of
        hardware addresses defined prior to this is reset. Defaults to
        unset.

    PermanentMACAddress=
        A whitespace-separated list of hardware's permanent addresses.
        While MACAddress= matches the device's current MAC address, this
        matches the device's permanent MAC address, which may be different
        from the current one. Use full colon-, hyphen- or dot-delimited
        hexadecimal, or IPv4 or IPv6 address format. This option may appear
        more than once, in which case the lists are merged. If the empty
        string is assigned to this option, the list of hardware addresses
        defined prior to this is reset. Defaults to unset.

    Path=
        A whitespace-separated list of shell-style globs matching the
        persistent path, as exposed by the udev property ID_PATH.

    Driver=
        A whitespace-separated list of shell-style globs matching the
        driver currently bound to the device, as exposed by the udev
        property ID_NET_DRIVER of its parent device, or if that is not set,
        the driver as exposed by ethtool -i of the device itself. If the
        list is prefixed with a "!", the test is inverted.

    Type=
        A whitespace-separated list of shell-style globs matching the
        device type, as exposed by networkctl list. If the list is prefixed
        with a "!", the test is inverted. Some valid values are "ether",
        "loopback", "wlan", "wwan". Valid types are named either from the
        udev "DEVTYPE" attribute, or "ARPHRD_" macros in linux/if_arp.h, so
        this is not comprehensive.

    Kind=
        A whitespace-separated list of shell-style globs matching the
        device kind, as exposed by networkctl status INTERFACE or ip -d
        link show INTERFACE. If the list is prefixed with a "!", the test
        is inverted. Some valid values are "bond", "bridge", "gre", "tun",
        "veth". Valid kinds are given by netlink's "IFLA_INFO_KIND"
        attribute, so this is not comprehensive.

    Property=
        A whitespace-separated list of udev property names with their
        values after equals sign ("="). If multiple properties are
        specified, the test results are ANDed. If the list is prefixed with
        a "!", the test is inverted. If a value contains white spaces, then
        please quote whole key and value pair. If a value contains
        quotation, then please escape the quotation with "\".

        Example: if a .link file has the following:

            Property=ID_MODEL_ID=9999 "ID_VENDOR_FROM_DATABASE=vendor name" "KEY=with \"quotation\""

        then, the .link file matches only when an interface has all the
        above three properties.

    Name=
        A whitespace-separated list of shell-style globs matching the
        device name, as exposed by the udev property "INTERFACE", or
        device's alternative names. If the list is prefixed with a "!", the
        test is inverted.

    WLANInterfaceType=
        A whitespace-separated list of wireless network types. Supported
        values are "ad-hoc", "station", "ap", "ap-vlan", "wds", "monitor",
        "mesh-point", "p2p-client", "p2p-go", "p2p-device", "ocb", and
        "nan". If the list is prefixed with a "!", the test is inverted.

    SSID=
        A whitespace-separated list of shell-style globs matching the SSID
        of the currently connected wireless LAN. If the list is prefixed
        with a "!", the test is inverted.

    BSSID=
        A whitespace-separated list of hardware addresses of the currently
        connected wireless LAN. Use full colon-, hyphen- or dot-delimited
        hexadecimal. See the example in MACAddress=. This option may appear
        more than once, in which case the lists are merged. If the empty
        string is assigned to this option, the list is reset.

    Host=
        Matches against the hostname or machine ID of the host. See
        ConditionHost= in systemd.unit(5) for details. When prefixed with
        an exclamation mark ("!"), the result is negated. If an empty
        string is assigned, the previously assigned value is cleared.

    Virtualization=
        Checks whether the system is executed in a virtualized environment
        and optionally tests whether it is a specific implementation. See
        ConditionVirtualization= in systemd.unit(5) for details. When
        prefixed with an exclamation mark ("!"), the result is negated. If
        an empty string is assigned, the previously assigned value is
        cleared.

    KernelCommandLine=
        Checks whether a specific kernel command line option is set. See
        ConditionKernelCommandLine= in systemd.unit(5) for details. When
        prefixed with an exclamation mark ("!"), the result is negated. If
        an empty string is assigned, the previously assigned value is
        cleared.

    KernelVersion=
        Checks whether the kernel version (as reported by uname -r) matches
        a certain expression. See ConditionKernelVersion= in
        systemd.unit(5) for details. When prefixed with an exclamation mark
        ("!"), the result is negated. If an empty string is assigned, the
        previously assigned value is cleared.

    Credential=
        Checks whether the specified credential was passed to the
        systemd-udevd.service service. See System and Service
        Credentials[1] for details. When prefixed with an exclamation mark
        ("!"), the result is negated. If an empty string is assigned, the
        previously assigned value is cleared.

    Architecture=
        Checks whether the system is running on a specific architecture.
        See ConditionArchitecture= in systemd.unit(5) for details. When
        prefixed with an exclamation mark ("!"), the result is negated. If
        an empty string is assigned, the previously assigned value is
        cleared.

    Firmware=
        Checks whether the system is running on a machine with the
        specified firmware. See ConditionFirmware= in systemd.unit(5) for
        details. When prefixed with an exclamation mark ("!"), the result
        is negated. If an empty string is assigned, the previously assigned
        value is cleared.

[LINK] SECTION OPTIONS
    The [Link] section accepts the following keys:

    MACAddress=
        The hardware address to set for the device.

    MTUBytes=
        The maximum transmission unit in bytes to set for the device. The
        usual suffixes K, M, G, are supported and are understood to the
        base of 1024.

        Note that if IPv6 is enabled on the interface, and the MTU is
        chosen below 1280 (the minimum MTU for IPv6) it will automatically
        be increased to this value.

    ARP=
        Takes a boolean. If set to true, the ARP (low-level Address
        Resolution Protocol) for this interface is enabled. When unset, the
        kernel's default will be used.

        For example, disabling ARP is useful when creating multiple MACVLAN
        or VLAN virtual interfaces atop a single lower-level physical
        interface, which will then only serve as a link/"bridge" device
        aggregating traffic to the same physical link and not participate
        in the network otherwise. Defaults to unset.

    Multicast=
        Takes a boolean. If set to true, the multicast flag on the device
        is enabled. Defaults to unset.

    AllMulticast=
        Takes a boolean. If set to true, the driver retrieves all multicast
        packets from the network. This happens when multicast routing is
        enabled. Defaults to unset.

    Promiscuous=
        Takes a boolean. If set to true, promiscuous mode of the interface
        is enabled. Defaults to unset.

        If this is set to false for the underlying link of a "passthru"
        mode MACVLAN/MACVTAP, the virtual interface will be created with
        the "nopromisc" flag set.

    Unmanaged=
        Takes a boolean. When "yes", no attempts are made to bring up or
        configure matching links, equivalent to when there are no matching
        network files. Defaults to "no".

        This is useful for preventing later matching network files from
        interfering with certain interfaces that are fully controlled by
        other applications.

    Group=
        Link groups are similar to port ranges found in managed switches.
        When network interfaces are added to a numbered group, operations
        on all the interfaces from that group can be performed at once.
        Takes an unsigned integer in the range 0...2147483647. Defaults to
        unset.

    RequiredForOnline=
        Takes a boolean or a minimum operational state and an optional
        maximum operational state. Please see networkctl(1) for possible
        operational states. When "yes", the network is deemed required when
        determining whether the system is online (including when running
        systemd-networkd-wait-online). When "no", the network is ignored
        when determining the online state. When a minimum operational state
        and an optional maximum operational state are set, "yes" is
        implied, and this controls the minimum and maximum operational
        state required for the network interface to be considered online.

        Defaults to "yes" when ActivationPolicy= is not set, or set to
        "up", "always-up", or "bound". Defaults to "no" when
        ActivationPolicy= is set to "manual" or "down". This is forced to
        "no" when ActivationPolicy= is set to "always-down".

        The network will be brought up normally (as configured by
        ActivationPolicy=), but in the event that there is no address being
        assigned by DHCP or the cable is not plugged in, the link will
        simply remain offline and be skipped automatically by
        systemd-networkd-wait-online if "RequiredForOnline=no".

    RequiredFamilyForOnline=
        Takes an address family. When specified, an IP address in the given
        family is deemed required when determining whether the link is
        online (including when running systemd-networkd-wait-online). Takes
        one of "ipv4", "ipv6", "both", or "any". Defaults to "any". Note
        that this option has no effect if "RequiredForOnline=no", or if
        "RequiredForOnline=" specifies a minimum operational state below
        "degraded".

    ActivationPolicy=
        Specifies the policy for systemd-networkd managing the link
        administrative state. Specifically, this controls how
        systemd-networkd changes the network device's "IFF_UP" flag, which
        is sometimes controlled by system administrators by running e.g.,
        ip link set dev eth0 up or ip link set dev eth0 down, and can also
        be changed with networkctl up eth0 or networkctl down eth0.

        Takes one of "up", "always-up", "manual", "always-down", "down", or
        "bound". When "manual", systemd-networkd will not change the link's
        admin state automatically; the system administrator must bring the
        interface up or down manually, as desired. When "up" (the default)
        or "always-up", or "down" or "always-down", systemd-networkd will
        set the link up or down, respectively, when the interface is
        (re)configured. When "always-up" or "always-down", systemd-networkd
        will set the link up or down, respectively, any time
        systemd-networkd detects a change in the administrative state. When
        BindCarrier= is also set, this is automatically set to "bound" and
        any other value is ignored.

        When the policy is set to "down" or "manual", the default value of
        RequiredForOnline= is "no". When the policy is set to
        "always-down", the value of RequiredForOnline= is forced to "no".

        The administrative state is not the same as the carrier state, so
        using "always-up" does not mean the link will never lose carrier.
        The link carrier depends on both the administrative state as well
        as the network device's physical connection. However, to avoid
        reconfiguration failures, when using "always-up",
        IgnoreCarrierLoss= is forced to true.

[SR-IOV] SECTION OPTIONS
    The [SR-IOV] section accepts the following keys. Specify several
    [SR-IOV] sections to configure several SR-IOVs. SR-IOV provides the
    ability to partition a single physical PCI resource into virtual PCI
    functions which can then be injected into a VM. In the case of network
    VFs, SR-IOV improves north-south network performance (that is, traffic
    with endpoints outside the host machine) by allowing traffic to bypass
    the host machine's network stack.

    VirtualFunction=
        Specifies a Virtual Function (VF), a lightweight PCIe function
        designed solely to move data in and out. Takes an integer in the
        range 0...2147483646. This option is compulsory.

    VLANId=
        Specifies VLAN ID of the virtual function. Takes an integer in the
        range 1...4095.

    QualityOfService=
        Specifies quality of service of the virtual function. Takes an
        integer in the range 1...4294967294.

    VLANProtocol=
        Specifies VLAN protocol of the virtual function. Takes "802.1Q" or
        "802.1ad".

    MACSpoofCheck=
        Takes a boolean. Controls the MAC spoof checking. When unset, the
        kernel's default will be used.

    QueryReceiveSideScaling=
        Takes a boolean. Toggle the ability of querying the receive side
        scaling (RSS) configuration of the virtual function (VF). The VF
        RSS information like RSS hash key may be considered sensitive on
        some devices where this information is shared between VF and the
        physical function (PF). When unset, the kernel's default will be
        used.

    Trust=
        Takes a boolean. Allows one to set trust mode of the virtual
        function (VF). When set, VF users can set a specific feature which
        may impact security and/or performance. When unset, the kernel's
        default will be used.

    LinkState=
        Allows one to set the link state of the virtual function (VF).
        Takes a boolean or a special value "auto". Setting to "auto" means
        a reflection of the physical function (PF) link state, "yes" lets
        the VF communicate with other VFs on this host even if the PF
        link state is down, "no" causes the hardware to drop any packets
        sent by the VF. When unset, the kernel's default will be used.

    MACAddress=
        Specifies the MAC address for the virtual function.

[NETWORK] SECTION OPTIONS
    The [Network] section accepts the following keys:

    Description=
        A description of the device. This is only used for presentation
        purposes.

    DHCP=
        Enables DHCPv4 and/or DHCPv6 client support. Accepts "yes", "no",
        "ipv4", or "ipv6". Defaults to "no".

        Note that DHCPv6 will by default be triggered by Router
        Advertisements, if reception is enabled, regardless of this
        parameter. By explicitly enabling DHCPv6 support here, the DHCPv6
        client will be started in the mode specified by the WithoutRA=
        setting in the [DHCPv6] section, regardless of the presence of
        routers on the link, or what flags the routers pass. See
        IPv6AcceptRA=.

        Furthermore, note that by default the domain name specified through
        DHCP is not used for name resolution. See option UseDomains= below.

        See the [DHCPv4] or [DHCPv6] sections below for further
        configuration options for the DHCP client support.

    DHCPServer=
        Takes a boolean. If set to "yes", DHCPv4 server will be started.
        Defaults to "no". Further settings for the DHCP server may be set
        in the [DHCPServer] section described below.

    LinkLocalAddressing=
        Enables link-local address autoconfiguration. Accepts yes, no,
        ipv4, and ipv6. An IPv6 link-local address is configured when yes
        or ipv6. An IPv4 link-local address is configured when yes or ipv4
        and when DHCPv4 autoconfiguration has been unsuccessful for some
        time. (IPv4 link-local address autoconfiguration will usually
        happen in parallel with repeated attempts to acquire a DHCPv4
        lease).

        Defaults to no when KeepMaster= or Bridge= is set or when the
        specified MACVLAN=/MACVTAP= has Mode=passthru, or ipv6 otherwise.

    IPv6LinkLocalAddressGenerationMode=
        Specifies how the IPv6 link-local address is generated. Takes one
        of "eui64", "none", "stable-privacy" and "random". When unset,
        "stable-privacy" is used if IPv6StableSecretAddress= is specified,
        and if not, "eui64" is used. Note that if LinkLocalAddressing= is
        "no" or "ipv4", then IPv6LinkLocalAddressGenerationMode= will be
        ignored. Also, even if LinkLocalAddressing= is "yes" or "ipv6",
        setting IPv6LinkLocalAddressGenerationMode=none disables
        configuration of an IPv6 link-local address.

    IPv6StableSecretAddress=
        Takes an IPv6 address. The specified address will be used as a
        stable secret for generating IPv6 link-local address. If this
        setting is specified, and IPv6LinkLocalAddressGenerationMode= is
        unset, then IPv6LinkLocalAddressGenerationMode=stable-privacy is
        implied. If this setting is not specified, and
        IPv6LinkLocalAddressGenerationMode= is set to "stable-privacy",
        then a stable secret address will be generated from the local
        machine ID and the interface name.

    IPv4LLStartAddress=
        Specifies the first IPv4 link-local address to try. Takes an IPv4
        address for example 169.254.1.2, from the link-local address range:
        169.254.0.0/16 except for 169.254.0.0/24 and 169.254.255.0/24. This
        setting may be useful if the device should always have the same
        address as long as there is no address conflict. When unset, a
        random address will be automatically selected. Defaults to unset.

    IPv4LLRoute=
        Takes a boolean. If set to true, sets up the route needed for
        non-IPv4LL hosts to communicate with IPv4LL-only hosts. Defaults to
        false.

    DefaultRouteOnDevice=
        Takes a boolean. If set to true, sets up the IPv4 default route
        bound to the interface. Defaults to false. This is useful when
        creating routes on point-to-point interfaces. This is equivalent to
        e.g. the following,

            ip route add default dev veth99

        or,

            [Route]
            Gateway=0.0.0.0

        Currently, there is no way to specify e.g., the table for the
        route configured by this setting. To configure the default route
        with such an additional property, please use the following instead:

            [Route]
            Gateway=0.0.0.0
            Table=1234

        If you'd like to create an IPv6 default route bound to the
        interface, please use the following:

            [Route]
            Gateway=::
            Table=1234

    LLMNR=
        Takes a boolean or "resolve". When true, enables Link-Local
        Multicast Name Resolution[2] on the link. When set to "resolve",
        only resolution is enabled, but not host registration and
        announcement. Defaults to true. This setting is read by
        systemd-resolved.service(8).

    MulticastDNS=
        Takes a boolean or "resolve". When true, enables Multicast DNS[3]
        support on the link. When set to "resolve", only resolution is
        enabled, but not host or service registration and announcement.
        Defaults to false. This setting is read by
        systemd-resolved.service(8).

    DNSOverTLS=
        Takes a boolean or "opportunistic". When true, enables
        DNS-over-TLS[4] support on the link. When set to "opportunistic",
        compatibility with non-DNS-over-TLS servers is increased, by
        automatically turning off DNS-over-TLS servers in this case. This
        option defines a per-interface setting for resolved.conf(5)'s
        global DNSOverTLS= option. Defaults to unset, and the global
        setting will be used. This setting is read by
        systemd-resolved.service(8).

    DNSSEC=
        Takes a boolean or "allow-downgrade". When true, enables DNSSEC[5]
        DNS validation support on the link. When set to "allow-downgrade",
        compatibility with non-DNSSEC capable networks is increased, by
        automatically turning off DNSSEC in this case. This option defines
        a per-interface setting for resolved.conf(5)'s global DNSSEC=
        option. Defaults to unset, and the global setting will be used.
        This setting is read by systemd-resolved.service(8).

    DNSSECNegativeTrustAnchors=
        A space-separated list of DNSSEC negative trust anchor domains. If
        specified and DNSSEC is enabled, look-ups done via the interface's
        DNS server will be subject to the list of negative trust anchors,
        and not require authentication for the specified domains, or
        anything below it. Use this to disable DNSSEC authentication for
        specific private domains, that cannot be proven valid using the
        Internet DNS hierarchy. Defaults to the empty list. This setting is
        read by systemd-resolved.service(8).

    LLDP=
        Controls support for Ethernet LLDP packet reception. LLDP is a
        link-layer protocol commonly implemented on professional routers
        and bridges which announces which physical port a system is
        connected to, as well as other related data. Accepts a boolean or
        the special value "routers-only". When true, incoming LLDP packets
        are accepted and a database of all LLDP neighbors maintained. If
        "routers-only" is set only LLDP data of various types of routers is
        collected and LLDP data about other types of devices ignored (such
        as stations, telephones and others). If false, LLDP reception is
        disabled. Defaults to "routers-only". Use networkctl(1) to query
        the collected neighbor data. LLDP is only available on Ethernet
        links. See EmitLLDP= below for enabling LLDP packet emission from
        the local system.

    EmitLLDP=
        Controls support for Ethernet LLDP packet emission. Accepts a
        boolean parameter or the special values "nearest-bridge",
        "non-tpmr-bridge" and "customer-bridge". Defaults to false, which
        turns off LLDP packet emission. If not false, a short LLDP packet
        with information about the local system is sent out in regular
        intervals on the link. The LLDP packet will contain information
        about the local hostname, the local machine ID (as stored in
        machine-id(5)) and the local interface name, as well as the pretty
        hostname of the system (as set in machine-info(5)). LLDP emission
        is only available on Ethernet links. Note that this setting passes
        data suitable for identification of host to the network and should
        thus not be enabled on untrusted networks, where such
        identification data should not be made available. Use this option
        to permit other systems to identify on which interfaces they are
        connected to this system. The three special values control
        propagation of the LLDP packets. The "nearest-bridge" setting
        permits propagation only to the nearest connected bridge,
        "non-tpmr-bridge" permits propagation across Two-Port MAC Relays,
        but not any other bridges, and "customer-bridge" permits
        propagation until a customer bridge is reached. For details about
        these concepts, see IEEE 802.1AB-2016[6]. Note that configuring
        this setting to true is equivalent to "nearest-bridge", the
        recommended and most restricted level of propagation. See LLDP=
        above for an option to enable LLDP reception.

    BindCarrier=
        A link name or a list of link names. When set, controls the
        behavior of the current link. When all links in the list are in an
        operational down state, the current link is brought down. When at
        least one link has carrier, the current interface is brought up.

        This forces ActivationPolicy= to be set to "bound".

    Address=
        A static IPv4 or IPv6 address and its prefix length, separated by a
        "/" character. Specify this key more than once to configure several
        addresses. The format of the address must be as described in
        inet_pton(3). This is a short-hand for an [Address] section only
        containing an Address key (see below). This option may be specified
        more than once.

        If the specified address is "0.0.0.0" (for IPv4) or "::" (for
        IPv6), a new address range of the requested size is automatically
        allocated from a system-wide pool of unused ranges. Note that the
        prefix length must be equal or larger than 8 for IPv4, and 64 for
        IPv6. The allocated range is checked against all current network
        interfaces and all known network configuration files to avoid
        address range conflicts. The default system-wide pool consists of
        192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8 for IPv4, and fd00::/8
        for IPv6. This functionality is useful to manage a large number of
        dynamically created network interfaces with the same network
        configuration and automatic address range assignment.

    Gateway=
        The gateway address, which must be in the format described in
        inet_pton(3). This is a short-hand for a [Route] section only
        containing a Gateway= key. This option may be specified more than
        once.

    DNS=
        A DNS server address, which must be in the format described in
        inet_pton(3). This option may be specified more than once. Each
        address can optionally take a port number separated with ":", a
        network interface name or index separated with "%", and a Server
        Name Indication (SNI) separated with "#". When an IPv6 address is
        specified with a port number, then the address must be in
        square brackets. That is, the acceptable full formats are
        "111.222.333.444:9953%ifname#example.com" for IPv4 and
        "[1111:2222::3333]:9953%ifname#example.com" for IPv6. If an empty
        string is assigned, then all previous assignments are cleared.
        This setting is read by systemd-resolved.service(8).

    Domains=
        A whitespace-separated list of domains which should be resolved
        using the DNS servers on this link. Each item in the list should be
        a domain name, optionally prefixed with a tilde ("~"). The domains
        with the prefix are called "routing-only domains". The domains
        without the prefix are called "search domains" and are first used
        as search suffixes for extending single-label hostnames (hostnames
        containing no dots) to become fully qualified domain names (FQDNs).
        If a single-label hostname is resolved on this interface, each of
        the specified search domains are appended to it in turn, converting
        it into a fully qualified domain name, until one of them may be
        successfully resolved.

        Both "search" and "routing-only" domains are used for routing of
        DNS queries: look-ups for hostnames ending in those domains (hence
        also single label names, if any "search domains" are listed), are
        routed to the DNS servers configured for this interface. The domain
        routing logic is particularly useful on multi-homed hosts with DNS
        servers serving particular private DNS zones on each interface.

        The "routing-only" domain "~." (the tilde indicating definition of
        a routing domain, the dot referring to the DNS root domain which is
        the implied suffix of all valid DNS names) has special effect. It
        causes all DNS traffic which does not match another configured
        domain routing entry to be routed to DNS servers specified for this
        interface. This setting is useful to prefer a certain set of DNS
        servers if a link on which they are connected is available.

        This setting is read by systemd-resolved.service(8). "Search
        domains" correspond to the domain and search entries in
        resolv.conf(5). Domain name routing has no equivalent in the
        traditional glibc API, which has no concept of domain name servers
        limited to a specific link.

    DNSDefaultRoute=
        Takes a boolean argument. If true, this link's configured DNS
        servers are used for resolving domain names that do not match any
        link's configured Domains= setting. If false, this link's
        configured DNS servers are never used for such domains, and are
        exclusively used for resolving names that match at least one of the
        domains configured on this link. If not specified defaults to an
        automatic mode: queries not matching any link's configured domains
        will be routed to this link if it has no routing-only domains
        configured.
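
The routing rules of Domains= and DNSDefaultRoute= decide which link's DNS servers see a given query, which matters on a host with both a VPN and an untrusted uplink. The following Python model is an added example, not code from systemd-resolved: it predicts the link or links a multi-label name is routed to. Preferring the most specific matching domain generalizes the "~." rule above and is an assumption, single-label names and search-suffix expansion are not modelled, and the link dictionaries and the names `route` and `off_link_queries` are hypothetical.

```python
def _labels(name):
    """Split a DNS name into lower-case labels; the root is the empty list."""
    name = name.strip().rstrip(".").lower()
    return name.split(".") if name else []


def _match_len(query, domain):
    """Label count of `domain` if `query` equals or ends in it, else -1."""
    q, d = _labels(query), _labels(domain.lstrip("~"))
    if len(d) > len(q):
        return -1
    # Compare whole labels, so "notcorp.example" does not match "corp.example".
    return len(d) if q[len(q) - len(d):] == d else -1


def route(query, links):
    """Return the sorted names of the links whose DNS servers get `query`."""
    scores = {}
    for link in links:
        best = max((_match_len(query, d) for d in link.get("Domains", [])),
                   default=-1)
        if best >= 0:
            scores[link["name"]] = best
    if scores:
        # Search and routing-only domains both route; "~." scores 0, so it
        # only wins when no other configured domain matches.
        top = max(scores.values())
        return sorted(n for n, s in scores.items() if s == top)
    chosen = []
    for link in links:
        default_route = link.get("DNSDefaultRoute")   # True, False or None
        routing_only = any(d.startswith("~") for d in link.get("Domains", []))
        # Unset means automatic: used only without routing-only domains.
        if default_route is True or (default_route is None and not routing_only):
            chosen.append(link["name"])
    return sorted(chosen)


def off_link_queries(names, links, trusted):
    """Map each name that reaches a link outside `trusted` to its links."""
    report = {}
    for name in names:
        targets = route(name, links)
        if any(t not in trusted for t in targets):
            report[name] = targets
    return report


# Constructed sample: split-DNS VPN next to a Wi-Fi uplink.
SPLIT = [
    {"name": "wlan0", "Domains": []},
    {"name": "vpn0", "Domains": ["~corp.example"]},
]
# Constructed sample: the VPN takes everything except one local zone.
FULL = [
    {"name": "wlan0", "Domains": ["~home.arpa"]},
    {"name": "vpn0", "Domains": ["~."]},
]

if __name__ == "__main__":
    for label, links in (("split", SPLIT), ("full", FULL)):
        for name in ("git.corp.example", "www.example.org", "printer.home.arpa"):
            print(label, name, "->", route(name, links))
```

With the split configuration, every name outside corp.example is resolved through wlan0; `off_link_queries` lists exactly those names for a given set of trusted links.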
678
679 NTP=
680 An NTP server address (either an IP address, or a hostname). This
681 option may be specified more than once. This setting is read by
682 systemd-timesyncd.service(8).
683
684 IPForward=
685 Configures IP packet forwarding for the system. If enabled,
686 incoming packets on any network interface will be forwarded to any
687 other interfaces according to the routing table. Takes a boolean,
688 or the values "ipv4" or "ipv6", which only enable IP packet
689 forwarding for the specified address family. This controls the
690 net.ipv4.ip_forward and net.ipv6.conf.all.forwarding sysctl options
691 of the network interface (see IP Sysctl[7] for details about sysctl
692 options). Defaults to "no".
693
694 Note: this setting controls a global kernel option, and does so one
695 way only: if a network that has this setting enabled is set up the
696 global setting is turned on. However, it is never turned off again,
697 even after all networks with this setting enabled are shut down
698 again.
699
700 To allow IP packet forwarding only between specific network
701 interfaces use a firewall.
702
703 IPMasquerade=
704 Configures IP masquerading for the network interface. If enabled,
705 packets forwarded from the network interface will appear as
706 coming from the local host. Takes one of "ipv4", "ipv6", "both", or
707 "no". Defaults to "no". If enabled, this automatically sets
708 IPForward= to one of "ipv4", "ipv6" or "yes".
709
710 Note: positive boolean values such as "yes" or "true" are now
711 deprecated. Please use one of the values listed above.
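An added example, not part of the original manual page: because IPForward= switches on a global sysctl that is never switched off again, and IPMasquerade= implies it, this Python audit reports which .network files enable forwarding and the host-wide result. The file names and contents are constructed; the mapping of IPMasquerade= values to address families, including the deprecated boolean form being treated as "ipv4", is an assumption.

```python
# Added example: audit .network contents for settings that switch on the
# global IP forwarding sysctls. The sample files below are constructed.
TRUE = {"1", "yes", "y", "true", "t", "on"}  # systemd boolean spellings


def network_settings(text):
    """Return {key: last assigned value} from the [Network] sections."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Network" and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def forwarded_families(text):
    """Address families this file turns forwarding on for, plus the reasons."""
    s = network_settings(text)
    families, reasons = set(), []

    fwd = s.get("IPForward", "no").lower()
    if fwd in TRUE:
        families |= {"ipv4", "ipv6"}
    elif fwd in ("ipv4", "ipv6"):
        families.add(fwd)
    if families:
        reasons.append("IPForward=" + s["IPForward"])

    masq = s.get("IPMasquerade", "no").lower()
    implied = set()
    if masq == "both":
        implied = {"ipv4", "ipv6"}
    elif masq in ("ipv4", "ipv6"):
        implied = {masq}
    elif masq in TRUE:
        # Deprecated boolean form; assumed here to behave like "ipv4".
        implied = {"ipv4"}
        reasons.append("deprecated boolean IPMasquerade=" + s["IPMasquerade"])
    if implied:
        families |= implied
        reasons.append("IPMasquerade=%s implies IPForward" % s["IPMasquerade"])
    return families, reasons


def audit(files):
    """files: {filename: text}. Forwarding is global and never switched off
    again, so the host-wide result is the union over every file."""
    host_wide, findings = set(), []
    for name in sorted(files):
        families, reasons = forwarded_families(files[name])
        if families:
            host_wide |= families
            findings.append((name, sorted(families), reasons))
    return sorted(host_wide), findings


# Constructed sample files, keyed by file name.
SAMPLE = {
    "10-lan.network": """
        [Match]
        Name=lan0
        [Network]
        Address=192.0.2.1/24
        IPForward=ipv4
    """,
    "20-guest.network": """
        [Match]
        Name=guest0
        [Network]
        IPMasquerade=ipv6
    """,
    "30-uplink.network": """
        [Match]
        Name=wan0
        [Network]
        DHCP=yes
        # IPForward=yes   (commented out, so not counted)
    """,
    "40-legacy.network": """
        [Match]
        Name=old0
        [Network]
        IPMasquerade=yes
    """,
}

if __name__ == "__main__":
    host_wide, findings = audit(SAMPLE)
    print("forwarding enabled host-wide for:", host_wide or "nothing")
    for name, families, reasons in findings:
        print(f"  {name}: {families} ({'; '.join(reasons)})")
```

Any file in the findings list is enough to leave forwarding on for every interface, so each one needs matching firewall rules.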
712
713 IPv6PrivacyExtensions=
714 Configures use of stateless temporary addresses that change over
715 time (see RFC 4941[8], Privacy Extensions for Stateless Address
716 Autoconfiguration in IPv6). Takes a boolean or the special values
717 "prefer-public" and "kernel". When true, enables the privacy
718 extensions and prefers temporary addresses over public addresses.
719 When "prefer-public", enables the privacy extensions, but prefers
720 public addresses over temporary addresses. When false, the privacy
721 extensions remain disabled. When "kernel", the kernel's default
722 setting will be left in place. Defaults to "no".
723
724 IPv6AcceptRA=
725 Takes a boolean. Controls IPv6 Router Advertisement (RA) reception
726 support for the interface. If true, RAs are accepted; if false, RAs
727 are ignored. When RAs are accepted, they may trigger the start of
728 the DHCPv6 client if the relevant flags are set in the RA data, or
729 if no routers are found on the link. The default is to disable RA
730 reception for bridge devices or when IP forwarding is enabled, and
731 to enable it otherwise. Cannot be enabled on devices aggregated in
732 a bond device or when link-local addressing is disabled.
733
734 Further settings for the IPv6 RA support may be configured in the
735 [IPv6AcceptRA] section, see below.
736
737 Also see IP Sysctl[7] in the kernel documentation regarding
738 "accept_ra", but note that systemd's setting of 1 (i.e. true)
739 corresponds to kernel's setting of 2.
740
741 Note that kernel's implementation of the IPv6 RA protocol is always
742 disabled, regardless of this setting. If this option is enabled, a
743 userspace implementation of the IPv6 RA protocol is used, and the
744 kernel's own implementation remains disabled, since
745 systemd-networkd needs to know all details supplied in the
746 advertisements, and these are not available from the kernel if the
747 kernel's own implementation is used.
748
749 IPv6DuplicateAddressDetection=
750 Configures the number of IPv6 Duplicate Address Detection (DAD)
751 probes to send. When unset, the kernel's default will be used.
752
753 IPv6HopLimit=
754 Configures IPv6 Hop Limit. For each router that forwards the
755 packet, the hop limit is decremented by 1. When the hop limit field
756 reaches zero, the packet is discarded. When unset, the kernel's
757 default will be used.
758
759 IPv4AcceptLocal=
760 Takes a boolean. Accept packets with local source addresses. In
761 combination with suitable routing, this can be used to direct
762 packets between two local interfaces over the wire and have them
763 accepted properly. When unset, the kernel's default will be used.
764
765 IPv4RouteLocalnet=
766 Takes a boolean. When true, the kernel does not consider loopback
767 addresses as martian source or destination while routing. This
768 enables the use of 127.0.0.0/8 for local routing purposes. When
769 unset, the kernel's default will be used.
770
771 IPv4ProxyARP=
772 Takes a boolean. Configures proxy ARP for IPv4. Proxy ARP is the
773 technique in which one host, usually a router, answers ARP requests
774 intended for another machine. By "faking" its identity, the router
775 accepts responsibility for routing packets to the "real"
776 destination. See RFC 1027[9]. When unset, the kernel's default will
777 be used.
778
779 IPv6ProxyNDP=
780 Takes a boolean. Configures proxy NDP for IPv6. Proxy NDP (Neighbor
781 Discovery Protocol) is a technique for IPv6 to allow routing of
782 addresses to a different destination when peers expect them to be
783 present on a certain physical link. In this case a router answers
784 Neighbour Advertisement messages intended for another machine by
785 offering its own MAC address as destination. Unlike proxy ARP for
786 IPv4, it is not enabled globally, but will only send Neighbour
787 Advertisement messages for addresses in the IPv6 neighbor proxy
788 table, which can also be shown by ip -6 neighbour show proxy.
789 systemd-networkd will control the per-interface `proxy_ndp` switch
790 for each configured interface depending on this option. When unset,
791 the kernel's default will be used.
792
793 IPv6ProxyNDPAddress=
794 An IPv6 address, for which Neighbour Advertisement messages will be
795 proxied. This option may be specified more than once.
796 systemd-networkd will add the IPv6ProxyNDPAddress= entries to the
797 kernel's IPv6 neighbor proxy table. This setting implies
798 IPv6ProxyNDP=yes but has no effect if IPv6ProxyNDP= has been set to
799 false. When unset, the kernel's default will be used.
800
801 IPv6SendRA=
802 Whether to enable or disable Router Advertisement sending on a
803 link. Takes a boolean value. When enabled, prefixes configured in
804 [IPv6Prefix] sections and routes configured in the
805 [IPv6RoutePrefix] sections are distributed as defined in the
806 [IPv6SendRA] section. If DHCPPrefixDelegation= is enabled, then the
807 delegated prefixes are also distributed. See DHCPPrefixDelegation=
808 setting and the [IPv6SendRA], [IPv6Prefix], [IPv6RoutePrefix], and
809 [DHCPPrefixDelegation] sections for more configuration options.
810
811 DHCPPrefixDelegation=
812 Takes a boolean value. When enabled, requests subnet prefixes on
813 another link via the DHCPv6 protocol or via the 6RD option in the
814 DHCPv4 protocol. An address within each delegated prefix will be
815 assigned, and the prefixes will be announced through IPv6 Router
816 Advertisement if IPv6SendRA= is enabled. This behaviour can be
817 configured in the [DHCPPrefixDelegation] section. Defaults to
818 disabled.
819
820 IPv6MTUBytes=
821 Configures IPv6 maximum transmission unit (MTU). An integer greater
822 than or equal to 1280 bytes. When unset, the kernel's default will
823 be used.
824
825 KeepMaster=
826 Takes a boolean value. When enabled, the current master interface
827 index will not be changed, and BatmanAdvanced=, Bond=, Bridge=, and
828 VRF= settings are ignored. This may be useful when a netdev with a
829 master interface is created by another program, e.g. systemd-
830 nspawn(1). Defaults to false.
831
832 BatmanAdvanced=, Bond=, Bridge=, VRF=
833 The name of the B.A.T.M.A.N. Advanced, bond, bridge, or VRF
834 interface to add the link to. See systemd.netdev(5).
835
836 IPoIB=, IPVLAN=, IPVTAP=, MACsec=, MACVLAN=, MACVTAP=, Tunnel=, VLAN=,
837 VXLAN=, Xfrm=
838 The name of an IPoIB, IPVLAN, IPVTAP, MACsec, MACVLAN, MACVTAP,
839 tunnel, VLAN, VXLAN, or Xfrm to be created on the link. See
840 systemd.netdev(5). This option may be specified more than once.
841
842 ActiveSlave=
843 Takes a boolean. Specifies the new active slave. The "ActiveSlave="
844 option is only valid for following modes: "active-backup",
845 "balance-alb", and "balance-tlb". Defaults to false.
846
847 PrimarySlave=
848 Takes a boolean. Specifies which slave is the primary device. The
849 specified device will always be the active slave while it is
850 available. Only when the primary is off-line will alternate devices
851 be used. This is useful when one slave is preferred over another,
852 e.g. when one slave has higher throughput than another. The
853 "PrimarySlave=" option is only valid for following modes:
854 "active-backup", "balance-alb", and "balance-tlb". Defaults to
855 false.
856
857 ConfigureWithoutCarrier=
858 Takes a boolean. Allows networkd to configure a specific link even
859 if it has no carrier. Defaults to false. If enabled, and the
860 IgnoreCarrierLoss= setting is not explicitly set, then it is
861 enabled as well.
862
863 IgnoreCarrierLoss=
864 Takes a boolean or a timespan. When true, systemd-networkd retains
865 both the static and dynamic configuration of the interface even if
866 its carrier is lost. When false, systemd-networkd drops both the
867 static and dynamic configuration of the interface. When a timespan
868 is specified, systemd-networkd waits for the specified timespan,
869 and ignores the carrier loss if the link regains its carrier within
870 the timespan. Setting 0 seconds is equivalent to "no", and
871 "infinite" is equivalent to "yes".
872
873 Setting a finite timespan may be useful, e.g., in the following
874 cases:
875
876 • A wireless interface connecting to a network which has multiple
877 access points with the same SSID.
878
879 • Enslaving a wireless interface to a bond interface, which may
880 disconnect from the connected access point and cause its
881 carrier to be lost.
882
883 • The driver of the interface resets when the MTU is changed.
884
885 When Bond= is specified to a wireless interface, defaults to 3
886 seconds. When the DHCPv4 client is enabled and UseMTU= in the
887 [DHCPv4] section enabled, defaults to 5 seconds. Otherwise,
888 defaults to the value specified with ConfigureWithoutCarrier=. When
889 ActivationPolicy= is set to "always-up", this is forced to "yes",
890 and any user-specified value is ignored.
891
892 KeepConfiguration=
893 Takes a boolean or one of "static", "dhcp-on-stop", "dhcp". When
894 "static", systemd-networkd will not drop static addresses and
895 routes on starting up process. When set to "dhcp-on-stop",
896 systemd-networkd will not drop addresses and routes on stopping the
897 daemon. When "dhcp", the addresses and routes provided by a DHCP
898 server will never be dropped even if the DHCP lease expires. This
899 is contrary to the DHCP specification, but may be the best choice
900 if, e.g., the root filesystem relies on this connection. The
901 setting "dhcp" implies "dhcp-on-stop", and "yes" implies "dhcp" and
902 "static". Defaults to "dhcp-on-stop" when systemd-networkd is
903 running in initrd, "yes" when the root filesystem is a network
904 filesystem, and "no" otherwise.
905
907 An [Address] section accepts the following keys. Specify several
908 [Address] sections to configure several addresses.
909
910 Address=
911 As in the [Network] section. This setting is mandatory. Each
912 [Address] section can contain one Address= setting.
913
914 Peer=
915 The peer address in a point-to-point connection. Accepts the same
916 format as the Address= setting.
917
918 Broadcast=
919 Takes an IPv4 address or boolean value. The address must be in the
920 format described in inet_pton(3). If set to true, then the IPv4
921 broadcast address will be derived from the Address= setting. If set
922 to false, then the broadcast address will not be set. Defaults to
923 true, except for wireguard interfaces, where it defaults to false.
924
925 Label=
926 Specifies the label for the IPv4 address. The label must be a 7-bit
927 ASCII string with a length of 1...15 characters. Defaults to unset.
928
929 PreferredLifetime=
930 Allows the default "preferred lifetime" of the address to be
931 overridden. Only three settings are accepted: "forever",
932 "infinity", which is the default and means that the address never
933 expires, and "0", which means that the address is considered
934 immediately "expired" and will not be used, unless explicitly
935 requested. A setting of PreferredLifetime=0 is useful for addresses
936 which are added to be used only by a specific application, which is
937 then configured to use them explicitly.
938
939 Scope=
940 The scope of the address, which can be "global" (valid everywhere
941 on the network, even through a gateway), "link" (only valid on this
942 device, will not traverse a gateway) or "host" (only valid within
943 the device itself, e.g. 127.0.0.1) or an integer in the range
944 0...255. Defaults to "global".
945
946 RouteMetric=
947 The metric of the prefix route, which is pointing to the subnet of
948 the configured IP address, taking the configured prefix length into
949 account. Takes an unsigned integer in the range 0...4294967295.
950 When unset or set to 0, the kernel's default value is used. This
951 setting will be ignored when AddPrefixRoute= is false.
952
953 HomeAddress=
954 Takes a boolean. Designates this address the "home address" as
955 defined in RFC 6275[10]. Supported only on IPv6. Defaults to false.
956
957 DuplicateAddressDetection=
958 Takes one of "ipv4", "ipv6", "both", or "none". When "ipv4",
959 performs IPv4 Address Conflict Detection. See RFC 5227[11]. When
960 "ipv6", performs IPv6 Duplicate Address Detection. See RFC
961 4862[12]. Defaults to "ipv4" for IPv4 link-local addresses, "ipv6"
962 for IPv6 addresses, and "none" otherwise.
963
964 ManageTemporaryAddress=
965 Takes a boolean. If true, the kernel manages temporary addresses
966 created from this one as template on behalf of Privacy Extensions
967 RFC 3041[13]. For this to become active, the use_tempaddr sysctl
968 setting has to be set to a value greater than zero. The given
969 address needs to have a prefix length of 64. This flag allows using
970 privacy extensions in a manually configured network, just like if
971 stateless auto-configuration was active. Defaults to false.
972
973 AddPrefixRoute=
974 Takes a boolean. When true, the prefix route for the address is
975 automatically added. Defaults to true.
976
977 AutoJoin=
978 Takes a boolean. Joining multicast group on ethernet level via ip
979 maddr command would not work if we have an Ethernet switch that
980 does IGMP snooping since the switch would not replicate multicast
981 packets on ports that did not have IGMP reports for the multicast
982 addresses. Linux vxlan interfaces created via ip link add vxlan or
983 networkd's netdev kind vxlan have the group option that enables
984 them to do the required join. By extending ip address command with
985 option "autojoin" we can get similar functionality for openvswitch
986 (OVS) vxlan interfaces as well as other tunneling mechanisms that
987 need to receive multicast traffic. Defaults to "no".
988
989 NetLabel=label
990 This setting provides a method for integrating static and dynamic
991 network configuration into Linux NetLabel[14] subsystem rules, used
992 by Linux Security Modules (LSMs)[15] for network access control.
993 The label, with suitable LSM rules, can be used to control
994 connectivity of (for example) a service with peers in the local
995 network. At least with SELinux, only the ingress can be controlled
996 but not egress. The benefit of using this setting is that it may be
997 possible to apply the interface-independent part of the NetLabel
998 configuration at a very early stage of the system boot sequence, at
999 the time when the network interfaces are not available yet, with
1000 netlabelctl(8), and the per-interface configuration with
1001 systemd-networkd once the interfaces appear later. Currently this
1002 feature is only implemented for SELinux.
1003
1004 The option expects a single NetLabel label. The label must conform
1005 to lexical restrictions of LSM labels. When an interface is
1006 configured with IP addresses, the addresses and subnetwork masks
1007 will be appended to the NetLabel Fallback Peer Labeling[16] rules.
1008 They will be removed when the interface is deconfigured. Failures
1009 to manage the labels will be ignored.
1010
1011 Warning: Once labeling is enabled for network traffic, a lot of LSM
1012 access control points in Linux networking stack go from dormant to
1013 active. Care should be taken to avoid getting into a situation
1014 where for example remote connectivity is broken, when the security
1015 policy hasn't been updated to consider LSM per-packet access
1016 controls and no rules would allow any network traffic. Also note
1017 that additional configuration with netlabelctl(8) is needed.
1018
1019 Example:
1020
1021 [Address]
1022 NetLabel=system_u:object_r:localnet_peer_t:s0
1023
1024 With the example rules applying for interface "eth0", when the
1025 interface is configured with an IPv4 address of 10.0.0.123/8,
1026 systemd-networkd performs the equivalent of the netlabelctl operation
1027
1028 netlabelctl unlbl add interface eth0 address:10.0.0.0/8 label:system_u:object_r:localnet_peer_t:s0
1029
1030 and the reverse operation when the IPv4 address is deconfigured.
1031 The configuration can be used with LSM rules; in case of SELinux to
1032 allow a SELinux domain to receive data from objects of SELinux
1033 "peer" class. For example:
1034
1035 type localnet_peer_t;
1036 allow my_server_t localnet_peer_t:peer recv;
1037
1038 The effect of the above configuration and rules (in absence of
1039 other rules as may be the case) is to only allow "my_server_t" (and
1040 nothing else) to receive data from local subnet 10.0.0.0/8 of
1041 interface "eth0".
1042
1044 A [Neighbor] section accepts the following keys. The neighbor section
1045 adds a permanent, static entry to the neighbor table (IPv6) or ARP
1046 table (IPv4) for the given hardware address on the links matched for
1047 the network. Specify several [Neighbor] sections to configure several
1048 static neighbors.
1049
1050 Address=
1051 The IP address of the neighbor.
1052
1053 LinkLayerAddress=
1054 The link layer address (MAC address or IP address) of the neighbor.
1055
1057 An [IPv6AddressLabel] section accepts the following keys. Specify
1058 several [IPv6AddressLabel] sections to configure several address
1059 labels. IPv6 address labels are used for address selection. See RFC
1060 3484[17]. Precedence is managed by userspace, and only the label itself
1061 is stored in the kernel.
1062
1063 Label=
1064 The label for the prefix, an unsigned integer in the range
1065 0...4294967294. 0xffffffff is reserved. This setting is mandatory.
1066
1067 Prefix=
1068 IPv6 prefix is an address with a prefix length, separated by a
1069 slash "/" character. This setting is mandatory.
1070
1072 A [RoutingPolicyRule] section accepts the following settings. Specify
1073 several [RoutingPolicyRule] sections to configure several rules.
1074
1075 TypeOfService=
1076 Takes a number between 0 and 255 that specifies the type of service
1077 to match.
1078
1079 From=
1080 Specifies the source address prefix to match. Possibly followed by
1081 a slash and the prefix length.
1082
1083 To=
1084 Specifies the destination address prefix to match. Possibly
1085 followed by a slash and the prefix length.
1086
1087 FirewallMark=
1088 Specifies the iptables firewall mark value to match (a number in
1089 the range 1...4294967295). Optionally, the firewall mask (also a
1090 number between 1...4294967295) can be suffixed with a slash ("/"),
1091 e.g., "7/255".
1092
1093 Table=
1094 Specifies the routing table identifier to look up if the rule
1095 selector matches. Takes one of predefined names "default", "main",
1096 and "local", and names defined in RouteTable= in networkd.conf(5),
1097 or a number between 1 and 4294967295. Defaults to "main".
1098
1099 Priority=
1100 Specifies the priority of this rule. Priority= is an integer in
1101 the range 0...4294967295. Higher number means lower priority, and
1102 rules get processed in order of increasing number. Defaults to
1103 unset, and the kernel will pick a value dynamically.
1104
1105 IncomingInterface=
1106 Specifies incoming device to match. If the interface is loopback,
1107 the rule only matches packets originating from this host.
1108
1109 OutgoingInterface=
1110 Specifies the outgoing device to match. The outgoing interface is
1111 only available for packets originating from local sockets that are
1112 bound to a device.
1113
1114 SourcePort=
1115 Specifies the source IP port or IP port range match in forwarding
1116 information base (FIB) rules. A port range is specified by the
1117 lower and upper port separated by a dash. Defaults to unset.
1118
1119 DestinationPort=
1120 Specifies the destination IP port or IP port range match in
1121 forwarding information base (FIB) rules. A port range is specified
1122 by the lower and upper port separated by a dash. Defaults to unset.
1123
1124 IPProtocol=
1125 Specifies the IP protocol to match in forwarding information base
1126 (FIB) rules. Takes IP protocol name such as "tcp", "udp" or "sctp",
1127 or IP protocol number such as "6" for "tcp" or "17" for "udp".
1128 Defaults to unset.
1129
1130 InvertRule=
1131 A boolean. Specifies whether the rule is to be inverted. Defaults
1132 to false.
1133
1134 Family=
1135 Takes a special value "ipv4", "ipv6", or "both". By default, the
1136 address family is determined by the address specified in To= or
1137 From=. If neither To= nor From= are specified, then defaults to
1138 "ipv4".
1139
1140 User=
1141 Takes a username, a user ID, or a range of user IDs separated by a
1142 dash. Defaults to unset.
1143
1144 SuppressPrefixLength=
1145 Takes a number N in the range 0...128 and rejects routing decisions
1146 that have a prefix length of N or less. Defaults to unset.
1147
1148 SuppressInterfaceGroup=
1149 Takes an integer in the range 0...2147483647 and rejects routing
1150 decisions that have an interface with the same group id. It has the
1151 same meaning as suppress_ifgroup in ip rule. Defaults to unset.
1152
1153 Type=
1154 Specifies Routing Policy Database (RPDB) rule type. Takes one of
1155 "blackhole", "unreachable" or "prohibit".
1156
1158 The [NextHop] section is used to manipulate entries in the kernel's
1159 "nexthop" tables. The [NextHop] section accepts the following settings.
1160 Specify several [NextHop] sections to configure several hops.
1161
1162 Id=
1163 The id of the next hop. Takes an integer in the range
1164 1...4294967295. If unspecified, then automatically chosen by
1165 kernel.
1166
1167 Gateway=
1168 As in the [Network] section.
1169
1170 Family=
1171 Takes one of the special values "ipv4" or "ipv6". By default, the
1172 family is determined by the address specified in Gateway=. If
1173 Gateway= is not specified, then defaults to "ipv4".
1174
1175 OnLink=
1176 Takes a boolean. If set to true, the kernel does not have to check
1177 if the gateway is reachable directly by the current machine (i.e.,
1178 attached to the local network), so that we can insert the nexthop
1179 in the kernel table without it being complained about. Defaults to
1180 "no".
1181
1182 Blackhole=
1183 Takes a boolean. If enabled, packets to the corresponding routes
1184 are discarded silently, and Gateway= cannot be specified. Defaults
1185 to "no".
1186
1187 Group=
1188 Takes a whitespace separated list of nexthop IDs. Each ID must be
1189 in the range 1...4294967295. Optionally, each nexthop ID can take a
1190 weight after a colon ("id[:weight]"). The weight must be in the
1191 range 1...255. If the weight is not specified, then it is assumed
1192 that the weight is 1. This setting cannot be specified with
1193 Gateway=, Family=, Blackhole=. This setting can be specified
1194 multiple times. If an empty string is assigned, then all
1195 previous assignments are cleared. Defaults to unset.
1196
1198 The [Route] section accepts the following settings. Specify several
1199 [Route] sections to configure several routes.
1200
1201 Gateway=
1202 Takes the gateway address or the special values "_dhcp4" and
1203 "_ipv6ra". If "_dhcp4" or "_ipv6ra" is set, then the gateway
1204 address provided by DHCPv4 or IPv6 RA is used.
1205
1206 GatewayOnLink=
1207 Takes a boolean. If set to true, the kernel does not have to check
1208 if the gateway is reachable directly by the current machine (i.e.,
1209 attached to the local network), so that we can insert the route in
1210 the kernel table without it being complained about. Defaults to
1211 "no".
1212
1213 Destination=
1214 The destination prefix of the route. Possibly followed by a slash
1215 and the prefix length. If omitted, a full-length host route is
1216 assumed.
1217
1218 Source=
1219 The source prefix of the route. Possibly followed by a slash and
1220 the prefix length. If omitted, a full-length host route is assumed.
1221
1222 Metric=
1223 The metric of the route. Takes an unsigned integer in the range
1224 0...4294967295. Defaults to unset, and the kernel's default will be
1225 used.
1226
1227 IPv6Preference=
1228 Specifies the route preference as defined in RFC 4191[18] for
1229 Router Discovery messages. Takes one of "low" (the route has the
1230 lowest priority), "medium" (the route has the default priority), or
1231 "high" (the route has the highest priority).
1232
1233 Scope=
1234 The scope of the IPv4 route, which can be "global", "site", "link",
1235 "host", or "nowhere":
1236
1237 • "global" means the route can reach hosts more than one hop
1238 away.
1239
1240 • "site" means an interior route in the local autonomous system.
1241
1242 • "link" means the route can only reach hosts on the local
1243 network (one hop away).
1244
1245 • "host" means the route will not leave the local machine (used
1246 for internal addresses like 127.0.0.1).
1247
1248 • "nowhere" means the destination doesn't exist.
1249
1250 For IPv4 route, defaults to "host" if Type= is "local" or "nat",
1251 and "link" if Type= is "broadcast", "multicast", "anycast", or
1252 "unicast". In other cases, defaults to "global". The value is not
1253 used for IPv6.
1254
1255 PreferredSource=
1256 The preferred source address of the route. The address must be in
1257 the format described in inet_pton(3).
1258
1259 Table=
1260 The table identifier for the route. Takes one of predefined names
1261 "default", "main", and "local", and names defined in RouteTable= in
1262 networkd.conf(5), or a number between 1 and 4294967295. The table
1263 can be retrieved using ip route show table num. If unset and Type=
1264 is "local", "broadcast", "anycast", or "nat", then "local" is used.
1265 In other cases, defaults to "main".
1266
1267 Protocol=
1268 The protocol identifier for the route. Takes a number between 0 and
1269 255 or the special values "kernel", "boot", "static", "ra" and
1270 "dhcp". Defaults to "static".
1271
1272 Type=
1273 Specifies the type for the route. Takes one of "unicast", "local",
1274 "broadcast", "anycast", "multicast", "blackhole", "unreachable",
1275 "prohibit", "throw", "nat", and "xresolve". If "unicast", a regular
1276 route is defined, i.e. a route indicating the path to take to a
1277 destination network address. If "blackhole", packets to the defined
1278 route are discarded silently. If "unreachable", packets to the
1279 defined route are discarded and the ICMP message "Host Unreachable"
1280 is generated. If "prohibit", packets to the defined route are
1281 discarded and the ICMP message "Communication Administratively
1282 Prohibited" is generated. If "throw", route lookup in the current
1283 routing table will fail and the route selection process will return
1284 to Routing Policy Database (RPDB). Defaults to "unicast".
1285
1286 InitialCongestionWindow=
1287 The TCP initial congestion window is used during the start of a TCP
1288 connection. During the start of a TCP session, when a client
1289 requests a resource, the server's initial congestion window
1290 determines how many packets will be sent during the initial burst
1291 of data without waiting for acknowledgement. Takes a number between
1292 1 and 1023. Note that 100 is considered an extremely large value
1293 for this option. When unset, the kernel's default (typically 10)
1294 will be used.
1295
1296 InitialAdvertisedReceiveWindow=
1297 The TCP initial advertised receive window is the amount of receive
1298 data (in bytes) that can initially be buffered at one time on a
1299 connection. The sending host can send only that amount of data
1300 before waiting for an acknowledgment and window update from the
1301 receiving host. Takes a number between 1 and 1023. Note that 100 is
1302 considered an extremely large value for this option. When unset,
1303 the kernel's default will be used.
1304
1305 QuickAck=
1306 Takes a boolean. When true, the TCP quick ACK mode for the route is
1307 enabled. When unset, the kernel's default will be used.
1308
1309 FastOpenNoCookie=
1310 Takes a boolean. When true enables TCP fastopen without a cookie on
1311 a per-route basis. When unset, the kernel's default will be used.
1312
1313 TTLPropagate=
1314 Takes a boolean. When true enables TTL propagation at Label
1315 Switched Path (LSP) egress. When unset, the kernel's default will
1316 be used.
1317
1318 MTUBytes=
1319 The maximum transmission unit in bytes to set for the route. The
1320 usual suffixes K, M, G, are supported and are understood to the
1321 base of 1024.
1322
1323 TCPAdvertisedMaximumSegmentSize=
1324 Specifies the Path MSS (in bytes) hints given on TCP layer. The
1325 usual suffixes K, M, G, are supported and are understood to the
1326 base of 1024. An unsigned integer in the range 1...4294967294. When
1327 unset, the kernel's default will be used.
1328
1329 TCPCongestionControlAlgorithm=
1330 Specifies the TCP congestion control algorithm for the route. Takes
1331 a name of the algorithm, e.g. "bbr", "dctcp", or "vegas". When
1332 unset, the kernel's default will be used.
1333
1334 MultiPathRoute=address[@name] [weight]
1335 Configures multipath route. Multipath routing is the technique of
1336 using multiple alternative paths through a network. Takes gateway
1337 address. Optionally, takes a network interface name or index
1338 separated with "@", and a weight in 1..256 for this multipath route
1339 separated with whitespace. This setting can be specified multiple
1340 times. If an empty string is assigned, then all previous
1341 assignments are cleared.
1342
1343 NextHop=
1344 Specifies the nexthop id. Takes an unsigned integer in the range
1345 1...4294967295. If set, the corresponding [NextHop] section must be
1346 configured. Defaults to unset.
1347
The [DHCPv4] section configures the DHCPv4 client, if it is enabled
with the DHCP= setting described above:

SendHostname=
When true (the default), the machine's hostname (or the value
specified with Hostname=, described below) will be sent to the DHCP
server. Note that the hostname must consist only of 7-bit ASCII
lower-case characters and no spaces or dots, and be formatted as a
valid DNS domain name. Otherwise, the hostname is not sent even if
this option is true.

Hostname=
Use this value for the hostname which is sent to the DHCP server,
instead of the machine's hostname. Note that the specified hostname
must consist only of 7-bit ASCII lower-case characters and no
spaces or dots, and be formatted as a valid DNS domain name.

MUDURL=
When configured, the specified Manufacturer Usage Description (MUD)
URL will be sent to the DHCPv4 server. Takes a URL of length up to
255 characters. A superficial verification that the string is a
valid URL will be performed. DHCPv4 clients are intended to have at
most one MUD URL associated with them. See RFC 8520[19].

MUD is an embedded software standard defined by the IETF that
allows IoT device makers to advertise device specifications,
including the intended communication patterns for their device when
it connects to the network. The network can then use this to author
a context-specific access policy, so the device functions only
within those parameters.

ClientIdentifier=
The DHCPv4 client identifier to use. Takes one of mac, duid or
duid-only. If set to mac, the MAC address of the link is used. If
set to duid, an RFC4361-compliant Client ID, which is the
combination of IAID and DUID (see below), is used. If set to
duid-only, only the DUID is used; this may not be RFC compliant, but
some setups may require it. Defaults to duid.

VendorClassIdentifier=
The vendor class identifier used to identify vendor type and
configuration.

UserClass=
A DHCPv4 client can use the UserClass option to identify the type or
category of user or applications it represents. The information
contained in this option is a string that represents the user class
of which the client is a member. Each class sets an identifying
string of information to be used by the DHCP service to classify
clients. Takes a whitespace-separated list of strings.

DUIDType=
Override the global DUIDType= setting for this network. See
networkd.conf(5) for a description of possible values.

DUIDRawData=
Override the global DUIDRawData= setting for this network. See
networkd.conf(5) for a description of possible values.

IAID=
The DHCP Identity Association Identifier (IAID) for the interface,
a 32-bit unsigned integer.

Anonymize=
Takes a boolean. When true, the options sent to the DHCP server
will follow RFC 7844[20] (Anonymity Profiles for DHCP Clients)
to minimize disclosure of identifying information. Defaults to
false.

This option should only be set to true when MACAddressPolicy= is
set to random (see systemd.link(5)).

When true, ClientIdentifier=mac, SendHostname=no, Use6RD=no,
UseCaptivePortal=no, UseMTU=no, UseNTP=no, UseSIP=no, and
UseTimezone=no are implied and these settings in the .network file
are silently ignored. Also, Hostname=, MUDURL=, RequestOptions=,
SendOption=, SendVendorOption=, UserClass=, and
VendorClassIdentifier= are silently ignored.

With this option enabled, DHCP requests will mimic those generated
by Microsoft Windows, in order to reduce the ability to fingerprint
and recognize installations. This means DHCP request sizes will
grow and lease data will be more comprehensive than normal,
though most of the requested data is not actually used.

RequestOptions=
Sets request options to be sent to the server in the DHCPv4 request
options list. A whitespace-separated list of integers in the range
1...254. Defaults to unset.

SendOption=
Send an arbitrary raw option in the DHCPv4 request. Takes a DHCP
option number, data type and data separated with a colon
("option:type:value"). The option number must be an integer in the
range 1...254. The type takes one of "uint8", "uint16", "uint32",
"ipv4address", or "string". Special characters in the data string
may be escaped using C-style escapes[21]. This setting can be
specified multiple times. If an empty string is specified, then all
options specified earlier are cleared. Defaults to unset.

SendVendorOption=
Send an arbitrary vendor option in the DHCPv4 request. Takes a DHCP
option number, data type and data separated with a colon
("option:type:value"). The option number must be an integer in the
range 1...254. The type takes one of "uint8", "uint16", "uint32",
"ipv4address", or "string". Special characters in the data string
may be escaped using C-style escapes[21]. This setting can be
specified multiple times. If an empty string is specified, then all
options specified earlier are cleared. Defaults to unset.

IPServiceType=
Takes one of the special values "none", "CS6", or "CS4". When
"none", no IP service type is set on the packet sent from the DHCPv4
client. When "CS6" (network control) or "CS4" (realtime), the
corresponding service type will be set. Defaults to "CS6".

SocketPriority=
The Linux socket option SO_PRIORITY applied to the raw IP socket
used for initial DHCPv4 messages. Unset by default. Usual values
range from 0 to 6. See socket(7) for more details about the
SO_PRIORITY socket option. Can be used in conjunction with the
EgressQOSMaps= setting in the [VLAN] section of a .netdev file to
set the 802.1Q VLAN ethernet tagged header priority, see
systemd.netdev(5).

Label=
Specifies the label for the IPv4 address received from the DHCP
server. The label must be a 7-bit ASCII string with a length of
1...15 characters. Defaults to unset.

UseDNS=
When true (the default), the DNS servers received from the DHCP
server will be used.

This corresponds to the nameserver option in resolv.conf(5).

RoutesToDNS=
When true, the routes to the DNS servers received from the DHCP
server will be configured. When UseDNS= is disabled, this setting
is ignored. Defaults to true.

UseNTP=
When true (the default), the NTP servers received from the DHCP
server will be used by systemd-timesyncd.service.

RoutesToNTP=
When true, the routes to the NTP servers received from the DHCP
server will be configured. When UseNTP= is disabled, this setting
is ignored. Defaults to true.

UseSIP=
When true (the default), the SIP servers received from the DHCP
server will be collected and made available to client programs.

UseMTU=
When true, the interface maximum transmission unit from the DHCP
server will be used on the current link. If MTUBytes= is set, then
this setting is ignored. Defaults to false.

Note, some drivers will reset the interfaces if the MTU is changed.
For such interfaces, please try to use IgnoreCarrierLoss= with a
short timespan, e.g. "3 seconds".

UseHostname=
When true (the default), the hostname received from the DHCP server
will be set as the transient hostname of the system.

UseDomains=
Takes a boolean, or the special value route. When true, the domain
name received from the DHCP server will be used as DNS search
domain over this link, similarly to the effect of the Domains=
setting. If set to route, the domain name received from the DHCP
server will be used for routing DNS queries only, but not for
searching, similarly to the effect of the Domains= setting when the
argument is prefixed with "~". Defaults to false.

It is recommended to enable this option only on trusted networks,
as setting this affects resolution of all hostnames, in particular
of single-label names. It is generally safer to use the supplied
domain only as routing domain, rather than as search domain, in
order to not have it affect local resolution of single-label names.

When set to true, this setting corresponds to the domain option in
resolv.conf(5).

UseRoutes=
When true (the default), the static routes will be requested from
the DHCP server and added to the routing table with a metric of
1024, and a scope of global, link or host, depending on the route's
destination and gateway. If the destination is on the local host,
e.g., 127.x.x.x, or the same as the link's own address, the scope
will be set to host. Otherwise if the gateway is null (a direct
route), a link scope will be used. For anything else, scope
defaults to global.

RouteMetric=
Set the routing metric for routes specified by the DHCP server
(including the prefix route added for the specified prefix). Takes
an unsigned integer in the range 0...4294967295. Defaults to 1024.

RouteTable=num
The table identifier for DHCP routes. Takes one of predefined names
"default", "main", and "local", and names defined in RouteTable= in
networkd.conf(5), or a number between 1...4294967295.

When used in combination with VRF=, the VRF's routing table is used
when this parameter is not specified.

RouteMTUBytes=
Specifies the MTU for the DHCP routes. Please see the [Route]
section for further details.

QuickAck=
Takes a boolean. When true, the TCP quick ACK mode is enabled for
the routes configured by the acquired DHCPv4 lease. When unset, the
kernel's default will be used.

UseGateway=
When true, the gateway will be requested from the DHCP server and
added to the routing table with a metric of 1024, and a scope of
link. When unset, the value specified with UseRoutes= is used.

UseTimezone=
When true, the timezone received from the DHCP server will be set
as the timezone of the local system. Defaults to false.

Use6RD=
When true, subnets of the received IPv6 prefix are assigned to
downstream interfaces which enables DHCPPrefixDelegation=. See also
DHCPPrefixDelegation= in the [Network] section, the
[DHCPPrefixDelegation] section, and RFC 5969[22]. Defaults to
false.

FallbackLeaseLifetimeSec=
Allows one to set the DHCPv4 lease lifetime when the DHCPv4 server
does not send the lease lifetime. Takes one of "forever" or
"infinity". If specified, the acquired address never expires.
Defaults to unset.

RequestBroadcast=
Request the server to use broadcast messages before the IP address
has been configured. This is necessary for devices that cannot
receive RAW packets, or that cannot receive packets at all before
an IP address has been configured. On the other hand, this must not
be enabled on networks where broadcasts are filtered out.

MaxAttempts=
Specifies how many times the DHCPv4 client configuration should be
attempted. Takes a number or "infinity". Defaults to "infinity".
Note that the time between retries is increased exponentially, up
to approximately one per minute, so the network will not be
overloaded even if this number is high. The default is suitable in
most circumstances.

ListenPort=
Set the port from which the DHCP client packets originate.

DenyList=
A whitespace-separated list of IPv4 addresses. Each address can
optionally take a prefix length after "/". DHCP offers from servers
in the list are rejected. Note that if AllowList= is configured
then DenyList= is ignored.

AllowList=
A whitespace-separated list of IPv4 addresses. Each address can
optionally take a prefix length after "/". DHCP offers from servers
in the list are accepted.

SendRelease=
When true, the DHCPv4 client sends a DHCP release packet when it
stops. Defaults to true.

SendDecline=
A boolean. When true, systemd-networkd performs IPv4 Duplicate
Address Detection on the address acquired by the DHCPv4 client. If
a duplicate is detected, the DHCPv4 client rejects the address by
sending a DHCPDECLINE packet to the DHCP server, and tries to
obtain an IP address again. See RFC 5227[11]. Defaults to false.

NetLabel=
This applies the NetLabel for the addresses received with DHCP,
like NetLabel= in the [Address] section applies it to statically
configured addresses. See NetLabel= in the [Address] section for
more details.

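Several [DHCPv4] settings above interact silently: Anonymize= overrides a list of other keys, UseDomains=yes turns a server-supplied domain into a search domain, and AllowList= makes DenyList= a no-op. The following audit is an added example, not systemd code; the function names, finding labels, sample file and the mac_address_policy argument (the MACAddressPolicy= value from the matching .link file) are assumptions, and rejecting offers from servers outside a configured AllowList= is assumed by analogy with RouterAllowList=.

```python
import configparser
import ipaddress

TRUE_VALUES = {"1", "yes", "y", "true", "t", "on"}  # systemd boolean spellings

# Keys the Anonymize= entry lists as implied or silently ignored when it is true.
ANONYMIZE_OVERRIDES = (
    "ClientIdentifier", "SendHostname", "Use6RD", "UseCaptivePortal", "UseMTU",
    "UseNTP", "UseSIP", "UseTimezone", "Hostname", "MUDURL", "RequestOptions",
    "SendOption", "SendVendorOption", "UserClass", "VendorClassIdentifier",
)

# Constructed sample .network file for an interface used on untrusted networks.
SAMPLE = """\
[Match]
Name=wlan0

[Network]
DHCP=ipv4

[DHCPv4]
Anonymize=yes
Hostname=build-laptop
SendOption=200:string:asset-7
UseDomains=yes
AllowList=192.0.2.1
DenyList=192.0.2.0/24
"""


def load_dhcpv4(text):
    """Return the [DHCPv4] keys as a dict (simplification: last assignment wins)."""
    parser = configparser.ConfigParser(
        strict=False, interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep the case of setting names
    parser.read_string(text)
    return dict(parser["DHCPv4"]) if parser.has_section("DHCPv4") else {}


def is_true(value):
    return value is not None and value.strip().lower() in TRUE_VALUES


def networks(value):
    """Parse an AllowList=/DenyList= value: addresses with optional /prefix."""
    return [ipaddress.IPv4Network(item, strict=False)
            for item in (value or "").split()]


def offer_accepted(server_ip, cfg):
    """Decide whether an offer from server_ip passes the configured lists."""
    addr = ipaddress.IPv4Address(server_ip)
    allow = networks(cfg.get("AllowList"))
    if allow:  # DenyList= is ignored once AllowList= is configured
        return any(addr in net for net in allow)
    return not any(addr in net for net in networks(cfg.get("DenyList")))


def audit(text, mac_address_policy=None):
    """Return findings for settings that do not do what the file suggests."""
    cfg = load_dhcpv4(text)
    findings = []
    if is_true(cfg.get("Anonymize")):
        if mac_address_policy != "random":
            # The page: set Anonymize= only with MACAddressPolicy=random.
            findings.append("anonymize-without-random-mac")
        findings += [f"ignored-under-anonymize:{key}"
                     for key in ANONYMIZE_OVERRIDES if key in cfg]
    if is_true(cfg.get("UseDomains")):
        # Search domains affect single-label lookups; "route" is the safer form.
        findings.append("usedomains-as-search-domain")
    if networks(cfg.get("AllowList")) and networks(cfg.get("DenyList")):
        findings.append("denylist-ignored-by-allowlist")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, mac_address_policy="persistent"):
        print(finding)
```
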
The [DHCPv6] section configures the DHCPv6 client, if it is enabled
with the DHCP= setting described above, or invoked by the IPv6 Router
Advertisement:

MUDURL=, IAID=, DUIDType=, DUIDRawData=, RequestOptions=
As in the [DHCPv4] section.

SendOption=
As in the [DHCPv4] section, however because DHCPv6 uses 16-bit
fields to store option numbers, the option number is an integer in
the range 1...65536.

SendVendorOption=
Send an arbitrary vendor option in the DHCPv6 request. Takes an
enterprise identifier, DHCP option number, data type, and data
separated with a colon ("enterprise identifier:option:type:value").
Enterprise identifier is an unsigned integer in the range
1...4294967294. The option number must be an integer in the range
1...254. Data type takes one of "uint8", "uint16", "uint32",
"ipv4address", "ipv6address", or "string". Special characters in
the data string may be escaped using C-style escapes[21]. This
setting can be specified multiple times. If an empty string is
specified, then all options specified earlier are cleared. Defaults
to unset.

UserClass=
A DHCPv6 client can use the User Class option to identify the type or
category of user or applications it represents. The information
contained in this option is a string that represents the user class
of which the client is a member. Each class sets an identifying
string of information to be used by the DHCP service to classify
clients. Special characters in the data string may be escaped using
C-style escapes[21]. This setting can be specified multiple times.
If an empty string is specified, then all options specified earlier
are cleared. Takes a whitespace-separated list of strings. Note
that currently NUL bytes are not allowed.

VendorClass=
A DHCPv6 client can use the VendorClass option to identify the vendor
that manufactured the hardware on which the client is running. The
information contained in the data area of this option is contained
in one or more opaque fields that identify details of the hardware
configuration. Takes a whitespace-separated list of strings.

PrefixDelegationHint=
Takes an IPv6 address with prefix length in the same format as the
Address= in the [Network] section. The DHCPv6 client will include a
prefix hint in the DHCPv6 solicitation sent to the server. The
prefix length must be in the range 1...128. Defaults to unset.

RapidCommit=
Takes a boolean. The DHCPv6 client can obtain configuration
parameters from a DHCPv6 server through a rapid two-message
exchange (solicit and reply). When the rapid commit option is set
by both the DHCPv6 client and the DHCPv6 server, the two-message
exchange is used. Otherwise, the four-message exchange (solicit,
advertise, request, and reply) is used. The two-message exchange
provides faster client configuration. See RFC 3315[23] for details.
Defaults to true, and the two-message exchange will be used if the
server supports it.

UseAddress=
When true (the default), the IP addresses provided by the DHCPv6
server will be assigned.

UseDelegatedPrefix=
When true (the default), the client will request the DHCPv6 server
to delegate prefixes. If the server provides prefixes to be
delegated, then subnets of the prefixes are assigned to the
interfaces that have DHCPPrefixDelegation=yes. See also the
DHCPPrefixDelegation= setting in the [Network] section, settings in
the [DHCPPrefixDelegation] section, and RFC 8415[24].

UseDNS=, UseNTP=, UseHostname=, UseDomains=, NetLabel=, SendRelease=
As in the [DHCPv4] section.

WithoutRA=
Allows the DHCPv6 client to start without the router advertisement's
"managed" or "other configuration" flag. Takes one of "no",
"solicit", or "information-request". If this is not specified,
"solicit" is used when DHCPPrefixDelegation= is enabled and
UplinkInterface=:self is specified in the [DHCPPrefixDelegation]
section. Otherwise, defaults to "no", and the DHCPv6 client will be
started when an RA is received. See also the DHCPv6Client= setting
in the [IPv6AcceptRA] section.

The [DHCPPrefixDelegation] section configures subnet prefixes of the
delegated prefixes acquired by a DHCPv6 client or by a DHCPv4 client
through the 6RD option on another interface. The settings in this
section are used only when the DHCPPrefixDelegation= setting in the
[Network] section is enabled.

UplinkInterface=
Specifies the name or the index of the uplink interface, or one of
the special values ":self" and ":auto". When ":self", the interface
itself is considered the uplink interface, and WithoutRA=solicit is
implied if the setting is not explicitly specified. When ":auto",
the first link which acquired prefixes to be delegated from the
DHCPv6 or DHCPv4 server is selected. Defaults to ":auto".

SubnetId=
Configure a specific subnet ID on the interface from a (previously)
received prefix delegation. You can either set "auto" (the default)
or a specific subnet ID (as defined in RFC 4291[25], section
2.5.4), in which case the allowed value is hexadecimal, from 0 to
0x7fffffffffffffff inclusive.

Announce=
Takes a boolean. When enabled, and IPv6SendRA= in the [Network]
section is enabled, the delegated prefixes are distributed through
the IPv6 Router Advertisement. This setting will be ignored when the
DHCPPrefixDelegation= setting is enabled on the upstream interface.
Defaults to yes.

Assign=
Takes a boolean. Specifies whether to add an address from the
delegated prefixes which are received from the WAN interface by the
DHCPv6 Prefix Delegation. When true (on LAN interface), the EUI-64
algorithm will be used by default to form an interface identifier
from the delegated prefixes. See also the Token= setting below.
Defaults to yes.

Token=
Specifies an optional address generation mode for assigning an
address in each delegated prefix. This accepts the same syntax as
Token= in the [IPv6AcceptRA] section. If Assign= is set to false,
then this setting will be ignored. Defaults to unset, which means
the EUI-64 algorithm will be used.

ManageTemporaryAddress=
As in the [Address] section, but defaults to true.

RouteMetric=
The metric of the route to the delegated prefix subnet. Takes an
unsigned integer in the range 0...4294967295. When set to 0, the
kernel's default value is used. Defaults to 256.

NetLabel=
This applies the NetLabel for the addresses received with DHCP,
like NetLabel= in the [Address] section applies it to statically
configured addresses. See NetLabel= in the [Address] section for
more details.

The [IPv6AcceptRA] section configures the IPv6 Router Advertisement
(RA) client, if it is enabled with the IPv6AcceptRA= setting described
above:

Token=
Specifies an optional address generation mode for the Stateless
Address Autoconfiguration (SLAAC). The following values are
supported:

eui64
The EUI-64 algorithm will be used to generate an address for
that prefix. Only supported by Ethernet or InfiniBand
interfaces.

static:ADDRESS
An IPv6 address must be specified after a colon (":"), and the
lower bits of the supplied address are combined with the upper
bits of a prefix received in a Router Advertisement (RA)
message to form a complete address. Note that if multiple
prefixes are received in an RA message, or in multiple RA
messages, addresses will be formed from each of them using the
supplied address. This mode implements SLAAC but uses a static
interface identifier instead of an identifier generated by
using the EUI-64 algorithm. Because the interface identifier is
static, if Duplicate Address Detection detects that the
computed address is a duplicate (in use by another node on the
link), then this mode will fail to provide an address for that
prefix. If an IPv6 address without mode is specified, then
"static" mode is assumed.

prefixstable[:ADDRESS][,UUID]
The algorithm specified in RFC 7217[26] will be used to
generate interface identifiers. This mode can optionally take
an IPv6 address separated with a colon (":"). If an IPv6
address is specified, then an interface identifier is generated
only when a prefix received in an RA message matches the
supplied address.

This mode can also optionally take a non-null UUID in the
format which sd_id128_from_string() accepts, e.g.
"86b123b969ba4b7eb8b3d8605123525a" or
"86b123b9-69ba-4b7e-b8b3-d8605123525a". If a UUID is specified,
the value is used as the secret key to generate interface
identifiers. If not specified, then an application specific ID
generated with the system's machine-ID will be used as the
secret key. See sd-id128(3), sd_id128_from_string(3), and
sd_id128_get_machine(3).

Note that the "prefixstable" algorithm uses both the interface
name and MAC address as input to the hash to compute the
interface identifier, so if either of those is changed the
resulting interface identifier (and address) will be changed,
even if the prefix received in the RA message has not been
changed.

If no address generation mode is specified (which is the default),
or a received prefix does not match any of the addresses provided
in "prefixstable" mode, then the EUI-64 algorithm will be used for
Ethernet or InfiniBand interfaces, otherwise "prefixstable" will be
used to form an interface identifier for that prefix.

This setting can be specified multiple times. If an empty string is
assigned, then all previous assignments are cleared.

Examples:

Token=eui64
Token=::1a:2b:3c:4d
Token=static:::1a:2b:3c:4d
Token=prefixstable
Token=prefixstable:2002:da8:1::

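The three Token= modes differ in what the resulting address reveals: eui64 embeds the MAC address, static uses fixed low bits, and prefixstable derives them from a keyed hash. The sketch below is an added example, not networkd code; the function names and sample values are constructed, and stable_iid() uses SHA-256 as a stand-in for the RFC 7217 pseudo-random function, so its output will not match the addresses networkd generates.

```python
import hashlib
import ipaddress


def eui64_iid(mac):
    """Modified EUI-64 interface identifier built from a 48-bit MAC address."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe in the middle.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def slaac_address(prefix, iid):
    """Combine the upper bits of an RA prefix with the lower bits of an identifier."""
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(
        int(net.network_address) | (iid & int(net.hostmask)))


def static_token_address(prefix, token):
    """Token=static:ADDRESS: the lower bits of ADDRESS are reused for each prefix."""
    return slaac_address(prefix, int(ipaddress.IPv6Address(token)))


def stable_iid(prefix, ifname, mac, secret, dad_counter=0):
    """RFC 7217-style identifier: hash of prefix, interface name, MAC and a secret.

    Illustration only: SHA-256 over length-prefixed fields, not networkd's hash.
    """
    net = ipaddress.IPv6Network(prefix)
    digest = hashlib.sha256()
    fields = (net.network_address.packed, ifname.encode(),
              bytes.fromhex(mac.replace(":", "")), bytes([dad_counter]), secret)
    for field in fields:
        digest.update(len(field).to_bytes(2, "big") + field)
    return int.from_bytes(digest.digest()[:8], "big")


def mac_from_eui64(address):
    """Recover the MAC an EUI-64 address discloses, or None if it is not EUI-64."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{octet:02x}" for octet in mac)


if __name__ == "__main__":
    prefix, mac = "2001:db8:1:2::/64", "00:11:22:33:44:55"  # constructed values
    secret = bytes.fromhex("86b123b969ba4b7eb8b3d8605123525a")
    eui = slaac_address(prefix, eui64_iid(mac))
    print("eui64       ", eui, "-> discloses", mac_from_eui64(eui))
    print("static      ", static_token_address(prefix, "::1a:2b:3c:4d"))
    for ifname in ("eth0", "lan0"):  # renaming the link changes the address
        print("prefixstable", ifname,
              slaac_address(prefix, stable_iid(prefix, ifname, mac, secret)))
```
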
UseDNS=
When true (the default), the DNS servers received in the Router
Advertisement will be used.

This corresponds to the nameserver option in resolv.conf(5).

UseDomains=
Takes a boolean, or the special value "route". When true, the
domain name received via IPv6 Router Advertisement (RA) will be
used as DNS search domain over this link, similarly to the effect
of the Domains= setting. If set to "route", the domain name
received via IPv6 RA will be used for routing DNS queries only, but
not for searching, similarly to the effect of the Domains= setting
when the argument is prefixed with "~". Defaults to false.

It is recommended to enable this option only on trusted networks,
as setting this affects resolution of all hostnames, in particular
of single-label names. It is generally safer to use the supplied
domain only as routing domain, rather than as search domain, in
order to not have it affect local resolution of single-label names.

When set to true, this setting corresponds to the domain option in
resolv.conf(5).

RouteTable=num
The table identifier for the routes received in the Router
Advertisement. Takes one of predefined names "default", "main", and
"local", and names defined in RouteTable= in networkd.conf(5), or a
number between 1...4294967295.

When used in combination with VRF=, the VRF's routing table is used
when this parameter is not specified.

RouteMetric=
Set the routing metric for the routes received in the Router
Advertisement. Takes an unsigned integer in the range
0...4294967295, or three unsigned integers separated with ":"; in
that case the first one is used when the router preference is high,
the second is for medium preference, and the last is for low
preference ("high:medium:low"). Defaults to "512:1024:2048".

QuickAck=
Takes a boolean. When true, the TCP quick ACK mode is enabled for
the routes configured by the received RAs. When unset, the kernel's
default will be used.

UseMTU=
Takes a boolean. When true, the MTU received in the Router
Advertisement will be used. Defaults to true.

UseGateway=
When true (the default), the router address will be configured as
the default gateway.

UseRoutePrefix=
When true (the default), the routes corresponding to the route
prefixes received in the Router Advertisement will be configured.

UseAutonomousPrefix=
When true (the default), the autonomous prefix received in the
Router Advertisement will be used and take precedence over any
statically configured ones.

UseOnLinkPrefix=
When true (the default), the onlink prefix received in the Router
Advertisement will be used and take precedence over any statically
configured ones.

RouterDenyList=
A whitespace-separated list of IPv6 router addresses. Each address
can optionally take a prefix length after "/". Any information
advertised by the listed router is ignored.

RouterAllowList=
A whitespace-separated list of IPv6 router addresses. Each address
can optionally take a prefix length after "/". Only information
advertised by the listed router is accepted. Note that if
RouterAllowList= is configured then RouterDenyList= is ignored.

PrefixDenyList=
A whitespace-separated list of IPv6 prefixes. Each prefix can
optionally take its prefix length after "/". IPv6 prefixes supplied
via router advertisements in the list are ignored.

PrefixAllowList=
A whitespace-separated list of IPv6 prefixes. Each prefix can
optionally take its prefix length after "/". IPv6 prefixes supplied
via router advertisements in the list are allowed. Note that if
PrefixAllowList= is configured then PrefixDenyList= is ignored.

RouteDenyList=
A whitespace-separated list of IPv6 route prefixes. Each prefix can
optionally take its prefix length after "/". IPv6 route prefixes
supplied via router advertisements in the list are ignored.

RouteAllowList=
A whitespace-separated list of IPv6 route prefixes. Each prefix can
optionally take its prefix length after "/". IPv6 route prefixes
supplied via router advertisements in the list are allowed. Note
that if RouteAllowList= is configured then RouteDenyList= is
ignored.

DHCPv6Client=
Takes a boolean, or the special value "always". When true, the
DHCPv6 client will be started in "solicit" mode if the RA has the
"managed" flag or "information-request" mode if the RA lacks the
"managed" flag but has the "other configuration" flag. If set to
"always", the DHCPv6 client will be started in "solicit" mode when
an RA is received, even if neither the "managed" nor the "other
configuration" flag is set in the RA. This will be ignored when
WithoutRA= in the [DHCPv6] section is enabled, or
UplinkInterface=:self in the [DHCPPrefixDelegation] section is
specified. Defaults to true.

NetLabel=
This applies the NetLabel for the addresses received with RA, like
NetLabel= in the [Address] section applies it to statically
configured addresses. See NetLabel= in the [Address] section for
more details.

The [DHCPServer] section contains settings for the DHCP server, if
enabled via the DHCPServer= option described above:

ServerAddress=
Specifies server address for the DHCP server. Takes an IPv4 address
with prefix length, for example 192.168.0.1/24. This setting may be
useful when the link on which the DHCP server is running has
multiple static addresses. When unset, one of the static addresses
on the link will be automatically selected. Defaults to unset.

PoolOffset=, PoolSize=
Configures the pool of addresses to hand out. The pool is a
contiguous sequence of IP addresses in the subnet configured for
the server address, which does not include the subnet nor the
broadcast address. PoolOffset= takes the offset of the pool from
the start of subnet, or zero to use the default value. PoolSize=
takes the number of IP addresses in the pool or zero to use the
default value. By default, the pool starts at the first address
after the subnet address and takes up the rest of the subnet,
excluding the broadcast address. If the pool includes the server
address (the default), this is reserved and not handed out to
clients.

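With the default pool, every address in the subnet except the server's own can be leased, including addresses that are statically assigned to other hosts. The calculation below is an added example, not networkd code; the function names and the sample addresses are constructed, and it assumes that PoolSize=0 with a non-zero PoolOffset= means "the rest of the subnet from that offset" and that a pool reaching the broadcast address is a configuration error.

```python
import ipaddress


def dhcp_pool(server_address, pool_offset=0, pool_size=0):
    """Return (first, last, leasable) for ServerAddress=, PoolOffset=, PoolSize=."""
    iface = ipaddress.IPv4Interface(server_address)
    net = iface.network
    last_usable = net.num_addresses - 2   # offset of the address before broadcast
    if last_usable < 1:
        raise ValueError(f"{net} has no room for a pool")
    offset = pool_offset or 1             # zero: start right after the subnet address
    if offset > last_usable:
        raise ValueError("PoolOffset= lies outside the usable range")
    size = pool_size or (last_usable - offset + 1)   # zero: rest of the subnet
    if offset + size - 1 > last_usable:
        raise ValueError("pool would reach the broadcast address")
    base = int(net.network_address)
    first = ipaddress.IPv4Address(base + offset)
    last = ipaddress.IPv4Address(base + offset + size - 1)
    # The server address is reserved when it falls inside the pool.
    leasable = size - (1 if first <= iface.ip <= last else 0)
    return first, last, leasable


def static_hosts_in_pool(server_address, static_hosts, pool_offset=0, pool_size=0):
    """List statically addressed hosts that the pool could hand out to a client."""
    first, last, _ = dhcp_pool(server_address, pool_offset, pool_size)
    server_ip = ipaddress.IPv4Interface(server_address).ip
    hits = []
    for host in static_hosts:
        addr = ipaddress.IPv4Address(host)
        if first <= addr <= last and addr != server_ip:
            hits.append(host)
    return hits


if __name__ == "__main__":
    statics = ["192.168.0.10", "192.168.0.120"]       # constructed inventory
    print(dhcp_pool("192.168.0.1/24"))                # default pool
    print(static_hosts_in_pool("192.168.0.1/24", statics))
    print(dhcp_pool("192.168.0.1/24", 150, 50))       # pool kept clear of statics
    print(static_hosts_in_pool("192.168.0.1/24", statics, 150, 50))
```
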
DefaultLeaseTimeSec=, MaxLeaseTimeSec=
Control the default and maximum DHCP lease time to pass to clients.
These settings take time values in seconds or another common time
unit, depending on the suffix. The default lease time is used for
clients that did not ask for a specific lease time. If a client
asks for a lease time longer than the maximum lease time, it is
automatically shortened to the specified time. The default lease
time defaults to 1h, the maximum lease time to 12h. Shorter lease
times are beneficial if the configuration data in DHCP leases
changes frequently and clients shall learn the new settings with
shorter latencies. Longer lease times reduce the generated DHCP
network traffic.

UplinkInterface=
Specifies the name or the index of the uplink interface, or one of
the special values ":none" and ":auto". When emitting DNS, NTP, or
SIP servers is enabled but no servers are specified, the servers
configured in the uplink interface will be emitted. When ":auto",
the link which has a default gateway with the highest priority will
be automatically selected. When ":none", no uplink interface will
be selected. Defaults to ":auto".

EmitDNS=, DNS=
EmitDNS= takes a boolean. Configures whether the DHCP leases handed
out to clients shall contain DNS server information. Defaults to
"yes". The DNS servers to pass to clients may be configured with
the DNS= option, which takes a list of IPv4 addresses, or the special
value "_server_address" which will be converted to the address used
by the DHCP server.

If the EmitDNS= option is enabled but no servers are configured, the
servers are automatically propagated from an "uplink" interface
that has appropriate servers set. The "uplink" interface is
determined by the default route of the system with the highest
priority. Note that this information is acquired at the time the
lease is handed out, and does not take uplink interfaces into
account that acquire DNS server information at a later point. If no
suitable uplink interface is found the DNS server data from
/etc/resolv.conf is used. Also, note that the leases are not
refreshed if the uplink network configuration changes. To ensure
clients regularly acquire the most current uplink DNS server
information, it is thus advisable to shorten the DHCP lease time
via MaxLeaseTimeSec= described above.

This setting can be specified multiple times. If an empty string is
specified, then all DNS servers specified earlier are cleared.

2040 EmitNTP=, NTP=, EmitSIP=, SIP=, EmitPOP3=, POP3=, EmitSMTP=, SMTP=,
2041 EmitLPR=, LPR=
2042 Similar to the EmitDNS= and DNS= settings described above, these
2043 settings configure whether and what server information for the
2044 indicated protocol shall be emitted as part of the DHCP lease. The
2045 same syntax, propagation semantics and defaults apply as for
2046 EmitDNS= and DNS=.
2047
2048 EmitRouter=, Router=
2049 The EmitRouter= setting takes a boolean value, and configures
2050 whether the DHCP lease should contain the router option. The
2051 Router= setting takes an IPv4 address, and configures the router
2052 address to be emitted. When the Router= setting is not specified,
2053 then the server address will be used for the router option. When
2054 the EmitRouter= setting is disabled, the Router= setting will be
2055 ignored. The EmitRouter= setting defaults to true, and the Router=
2056 setting defaults to unset.
2057
2058 EmitTimezone=, Timezone=
2059 Takes a boolean. Configures whether the DHCP leases handed out to
2060 clients shall contain timezone information. Defaults to "yes". The
2061 Timezone= setting takes a timezone string (such as "Europe/Berlin"
2062 or "UTC") to pass to clients. If no explicit timezone is set, the
2063 system timezone of the local host is propagated, as determined by
2064 the /etc/localtime symlink.
2065
2066 BootServerAddress=
2067 Takes an IPv4 address of the boot server used by e.g. PXE boot
2068 systems. When specified, this address is sent in the siaddr field
2069 of the DHCP message header. See RFC 2131[27] for more details.
2070 Defaults to unset.
2071
2072 BootServerName=
2073 Takes a name of the boot server used by e.g. PXE boot systems. When
2074 specified, this name is sent in the DHCP option 66 ("TFTP server
2075 name"). See RFC 2132[28] for more details. Defaults to unset.
2076
2077 Note that typically setting one of BootServerName= or
2078 BootServerAddress= is sufficient, but both can be set too, if
2079 desired.
2080
2081 BootFilename=
2082 Takes a path or URL to a file loaded by e.g. a PXE boot loader.
2083 When specified, this path is sent in the DHCP option 67 ("Bootfile
2084 name"). See RFC 2132[28] for more details. Defaults to unset.
2085
2086 SendOption=
2087 Send a raw option with value via DHCPv4 server. Takes a DHCP option
2088 number, data type and data ("option:type:value"). The option number
2089 is an integer in the range 1...254. The type takes one of "uint8",
2090 "uint16", "uint32", "ipv4address", "ipv6address", or "string".
2091 Special characters in the data string may be escaped using C-style
2092 escapes[21]. This setting can be specified multiple times. If an
2093 empty string is specified, then all options specified earlier are
2094 cleared. Defaults to unset.
2095
2096 SendVendorOption=
2097 Send a vendor option with value via DHCPv4 server. Takes a DHCP
2098 option number, data type and data ("option:type:value"). The option
2099 number is an integer in the range 1...254. The type takes one of
2100 "uint8", "uint16", "uint32", "ipv4address", or "string". Special
2101 characters in the data string may be escaped using C-style
2102 escapes[21]. This setting can be specified multiple times. If an
2103 empty string is specified, then all options specified earlier are
2104 cleared. Defaults to unset.
2105
2106 BindToInterface=
2107 Takes a boolean value. When "yes", DHCP server socket will be bound
2108 to its network interface and all socket communication will be
2109 restricted to this interface. Defaults to "yes", except if
2110 RelayTarget= is used (see below), in which case it defaults to
2111 "no".
2112
2113 RelayTarget=
2114 Takes an IPv4 address, which must be in the format described in
2115 inet_pton(3). Turns this DHCP server into a DHCP relay agent. See
2116 RFC 1542[29]. The address is the address of DHCP server or another
2117 relay agent to forward DHCP messages to and from.
2118
2119 RelayAgentCircuitId=
2120 Specifies value for Agent Circuit ID suboption of Relay Agent
2121 Information option. Takes a string, which must be in the format
2122 "string:value", where "value" should be replaced with the value of
2123 the suboption. Defaults to unset (means no Agent Circuit ID
2124 suboption is generated). Ignored if RelayTarget= is not specified.
2125
2126 RelayAgentRemoteId=
2127 Specifies value for Agent Remote ID suboption of Relay Agent
2128 Information option. Takes a string, which must be in the format
2129 "string:value", where "value" should be replaced with the value of
2130 the suboption. Defaults to unset (means no Agent Remote ID
2131 suboption is generated). Ignored if RelayTarget= is not specified.
2132
2134 The "[DHCPServerStaticLease]" section configures a static DHCP lease to
2135 assign a fixed IPv4 address to a specific device based on its MAC
2136 address. This section can be specified multiple times.
2137
2138 MACAddress=
2139 The hardware address of a device to match. This key is mandatory.
2140
2141 Address=
2142 The IPv4 address that should be assigned to the device that was
2143 matched with MACAddress=. This key is mandatory.
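
A complete .network file for a LAN-facing DHCP server that pins every emitted server instead of relying on propagation from the uplink interface or /etc/resolv.conf. This is an added example, not part of the original manual page; the interface name lan0, the 192.0.2.0/24 addresses, the MAC address and the presence of a resolver and NTP service on 192.0.2.1 are assumptions.

```ini
# /etc/systemd/network/20-lan0.network
# Constructed example: lan0, 192.0.2.0/24 and the MAC address are placeholders.
[Match]
Name=lan0

[Network]
Address=192.0.2.1/24
DHCPServer=yes

[DHCPServer]
# Keep the server socket bound to lan0 (the default when RelayTarget= is unset).
BindToInterface=yes

# Pin the resolver handed to clients. With EmitDNS=yes and no DNS= line, the
# servers would be copied from the uplink interface, or from /etc/resolv.conf,
# at the moment each lease is handed out.
# Assumption: a resolver listens on the server address.
EmitDNS=yes
DNS=_server_address

# The same propagation rule applies to NTP, so list the server explicitly.
EmitNTP=yes
NTP=192.0.2.1

# Server types that are not offered on this segment are switched off
# rather than left to be inherited from the uplink.
EmitSIP=no
EmitPOP3=no
EmitSMTP=no
EmitLPR=no

# Router= is left unset, so the server address is sent in the router option.
EmitRouter=yes

# Send an explicit timezone instead of propagating the host's /etc/localtime.
EmitTimezone=yes
Timezone=UTC

# Leases are not refreshed when the configuration changes, so keep them short.
MaxLeaseTimeSec=1h

[DHCPServerStaticLease]
# Fixed address for one known device, matched by its hardware address.
MACAddress=00:00:5e:00:53:10
Address=192.0.2.10
```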
2144
2146 The [IPv6SendRA] section contains settings for sending IPv6 Router
2147 Advertisements and whether to act as a router, if enabled via the
2148 IPv6SendRA= option described above. IPv6 network prefixes or routes are
2149 defined with one or more [IPv6Prefix] or [IPv6RoutePrefix] sections.
2150
2151 Managed=, OtherInformation=
2152 Takes a boolean. Controls whether a DHCPv6 server is used to
2153 acquire IPv6 addresses on the network link when Managed= is set to
2154 "true" or if only additional network information can be obtained
2155 via DHCPv6 for the network link when OtherInformation= is set to
2156 "true". Both settings default to "false", which means that a DHCPv6
2157 server is not being used.
2158
2159 RouterLifetimeSec=
2160 Takes a timespan. Configures the IPv6 router lifetime in seconds.
2161 The value must be 0 seconds, or between 4 seconds and 9000 seconds.
2162 When set to 0, the host is not acting as a router. Defaults to 1800
2163 seconds (30 minutes).
2164
2165 RouterPreference=
2166 Configures IPv6 router preference if RouterLifetimeSec= is
2167 non-zero. Valid values are "high", "medium" and "low", with
2168 "normal" and "default" added as synonyms for "medium" just to make
2169 configuration easier. See RFC 4191[18] for details. Defaults to
2170 "medium".
2171
2172 UplinkInterface=
2173 Specifies the name or the index of the uplink interface, or one of
2174 the special values ":none" and ":auto". When emitting DNS servers
2175 or search domains is enabled but no servers are specified, the
2176 servers configured in the uplink interface will be emitted. When
2177 ":auto", the value specified to the same setting in the
2178 [DHCPPrefixDelegation] section will be used if
2179 DHCPPrefixDelegation= is enabled, otherwise the link which has a
2180 default gateway with the highest priority will be automatically
2181 selected. When ":none", no uplink interface will be selected.
2182 Defaults to ":auto".
2183
2184 EmitDNS=, DNS=
2185 DNS= specifies a list of recursive DNS server IPv6 addresses that
2186 are distributed via Router Advertisement messages when EmitDNS= is
2187 true. DNS= also takes special value "_link_local"; in that case
2188 the IPv6 link-local address is distributed. If DNS= is empty, DNS
2189 servers are read from the [Network] section. If the [Network]
2190 section does not contain any DNS servers either, DNS servers from
2191 the uplink interface specified in UplinkInterface= will be used.
2192 When EmitDNS= is false, no DNS server information is sent in Router
2193 Advertisement messages. EmitDNS= defaults to true.
2194
2195 EmitDomains=, Domains=
2196 A list of DNS search domains distributed via Router Advertisement
2197 messages when EmitDomains= is true. If Domains= is empty, DNS
2198 search domains are read from the [Network] section. If the
2199 [Network] section does not contain any DNS search domains either,
2200 DNS search domains from the uplink interface specified in
2201 UplinkInterface= will be used. When EmitDomains= is false, no DNS
2202 search domain information is sent in Router Advertisement messages.
2203 EmitDomains= defaults to true.
2204
2205 DNSLifetimeSec=
2206 Lifetime in seconds for the DNS server addresses listed in DNS= and
2207 search domains listed in Domains=. Defaults to 3600 seconds (one
2208 hour).
2209
2211 One or more [IPv6Prefix] sections contain the IPv6 prefixes that are
2212 announced via Router Advertisements. See RFC 4861[30] for further
2213 details.
2214
2215 AddressAutoconfiguration=, OnLink=
2216 Takes a boolean to specify whether IPv6 addresses can be
2217 autoconfigured with this prefix and whether the prefix can be used
2218 for onlink determination. Both settings default to "true" in order
2219 to ease configuration.
2220
2221 Prefix=
2222 The IPv6 prefix that is to be distributed to hosts. Similarly to
2223 configuring static IPv6 addresses, the setting is configured as an
2224 IPv6 prefix and its prefix length, separated by a "/" character.
2225 Use multiple [IPv6Prefix] sections to configure multiple IPv6
2226 prefixes since prefix lifetimes, address autoconfiguration and
2227 onlink status may differ from one prefix to another.
2228
2229 PreferredLifetimeSec=, ValidLifetimeSec=
2230 Preferred and valid lifetimes for the prefix measured in seconds.
2231 PreferredLifetimeSec= defaults to 1800 seconds (30 minutes) and
2232 ValidLifetimeSec= defaults to 3600 seconds (one hour).
2233
2234 Assign=
2235 Takes a boolean. When true, adds an address from the prefix.
2236 Defaults to false.
2237
2238 Token=
2239 Specifies an optional address generation mode for assigning an
2240 address in each prefix. This accepts the same syntax as Token= in
2241 the [IPv6AcceptRA] section. If Assign= is set to false, then this
2242 setting will be ignored. Defaults to unset, which means the EUI-64
2243 algorithm will be used.
2244
2245 RouteMetric=
2246 The metric of the prefix route. Takes an unsigned integer in the
2247 range 0...4294967295. When unset or set to 0, the kernel's default
2248 value is used. This setting is ignored when Assign= is false.
2249
2251 One or more [IPv6RoutePrefix] sections contain the IPv6 prefix routes
2252 that are announced via Router Advertisements. See RFC 4191[18] for
2253 further details.
2254
2255 Route=
2256 The IPv6 route that is to be distributed to hosts. Similarly to
2257 configuring static IPv6 routes, the setting is configured as an
2258 IPv6 prefix route and its prefix route length, separated by a "/"
2259 character. Use multiple [IPv6RoutePrefix] sections to configure
2260 multiple IPv6 prefix routes.
2261
2262 LifetimeSec=
2263 Lifetime for the route prefix measured in seconds. LifetimeSec=
2264 defaults to 3600 seconds (one hour).
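
A Router Advertisement configuration that announces one prefix for SLAAC and states its DNS behaviour explicitly, so nothing is inherited from the [Network] section or an uplink. This is an added example, not part of the original manual page; the interface name lan0, the 2001:db8:0:1::/64 documentation prefix and a resolver reachable on the router's link-local address are assumptions.

```ini
# /etc/systemd/network/20-lan0.network
# Constructed example: lan0 and 2001:db8:0:1::/64 are placeholders.
[Match]
Name=lan0

[Network]
Address=2001:db8:0:1::1/64
IPv6SendRA=yes

[IPv6SendRA]
# SLAAC only: clients are not pointed at a DHCPv6 server.
Managed=no
OtherInformation=no

# Advertise this host as a default router with the default lifetime and
# preference; RouterLifetimeSec=0 would announce the prefix without acting
# as a router.
RouterLifetimeSec=1800
RouterPreference=medium

# Never fall back to DNS servers or search domains of an uplink interface.
UplinkInterface=:none

# Announce the router's own link-local address as the recursive resolver.
# Assumption: a resolver listens on that address.
EmitDNS=yes
DNS=_link_local
DNSLifetimeSec=3600

# No search domains are sent in Router Advertisements.
EmitDomains=no

[IPv6Prefix]
Prefix=2001:db8:0:1::/64
AddressAutoconfiguration=yes
OnLink=yes
PreferredLifetimeSec=1800
ValidLifetimeSec=3600
```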
2265
2267 The [Bridge] section accepts the following keys:
2268
2269 UnicastFlood=
2270 Takes a boolean. Controls whether the bridge should flood traffic
2271 for which an FDB entry is missing and the destination is unknown
2272 through this port. When unset, the kernel's default will be used.
2273
2274 MulticastFlood=
2275 Takes a boolean. Controls whether the bridge should flood traffic
2276 for which an MDB entry is missing and the destination is unknown
2277 through this port. When unset, the kernel's default will be used.
2278
2279 MulticastToUnicast=
2280 Takes a boolean. Multicast to unicast works on top of the multicast
2281 snooping feature of the bridge, which means unicast copies are only
2282 delivered to hosts which are interested in them. When unset, the
2283 kernel's default will be used.
2284
2285 NeighborSuppression=
2286 Takes a boolean. Configures whether ARP and ND neighbor suppression
2287 is enabled for this port. When unset, the kernel's default will be
2288 used.
2289
2290 Learning=
2291 Takes a boolean. Configures whether MAC address learning is enabled
2292 for this port. When unset, the kernel's default will be used.
2293
2294 HairPin=
2295 Takes a boolean. Configures whether traffic may be sent back out of
2296 the port on which it was received. When this flag is false, then
2297 the bridge will not forward traffic back out of the receiving port.
2298 When unset, the kernel's default will be used.
2299
2300 Isolated=
2301 Takes a boolean. Configures whether this port is isolated or not.
2302 Within a bridge, isolated ports can only communicate with
2303 non-isolated ports. When set to true, this port can only
2304 communicate with other ports whose Isolated setting is false. When
2305 set to false, this port can communicate with any other ports. When
2306 unset, the kernel's default will be used.
2307
2308 UseBPDU=
2309 Takes a boolean. Configures whether STP Bridge Protocol Data Units
2310 will be processed by the bridge port. When unset, the kernel's
2311 default will be used.
2312
2313 FastLeave=
2314 Takes a boolean. This flag allows the bridge to immediately stop
2315 multicast traffic on a port that receives an IGMP Leave message. It
2316 is only used with IGMP snooping if enabled on the bridge. When
2317 unset, the kernel's default will be used.
2318
2319 AllowPortToBeRoot=
2320 Takes a boolean. Configures whether a given port is allowed to
2321 become a root port. Only used when STP is enabled on the bridge.
2322 When unset, the kernel's default will be used.
2323
2324 ProxyARP=
2325 Takes a boolean. Configures whether proxy ARP is to be enabled on this
2326 port. When unset, the kernel's default will be used.
2327
2328 ProxyARPWiFi=
2329 Takes a boolean. Configures whether proxy ARP is to be enabled on this
2330 port which meets extended requirements by IEEE 802.11 and Hotspot
2331 2.0 specifications. When unset, the kernel's default will be used.
2332
2333 MulticastRouter=
2334 Configures this port for having multicast routers attached. A port
2335 with a multicast router will receive all multicast traffic. Takes
2336 one of "no" to disable multicast routers on this port, "query" to
2337 let the system detect the presence of routers, "permanent" to
2338 permanently enable multicast traffic forwarding on this port, or
2339 "temporary" to enable multicast routers temporarily on this port,
2340 not depending on incoming queries. When unset, the kernel's default
2341 will be used.
2342
2343 Cost=
2344 Sets the "cost" of sending packets of this interface. Each port in
2345 a bridge may have a different speed and the cost is used to decide
2346 which link to use. Faster interfaces should have lower costs. It is
2347 an integer value between 1 and 65535.
2348
2349 Priority=
2350 Sets the "priority" of sending packets on this interface. Each port
2351 in a bridge may have a different priority which is used to decide
2352 which link to use. Lower value means higher priority. It is an
2353 integer value between 0 and 63. Networkd does not set any default,
2354 meaning the kernel default value of 32 is used.
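
A bridge port configuration for a port that faces devices outside the administrator's control, with the relevant [Bridge] keys set explicitly instead of left at the kernel's default. This is an added example, not part of the original manual page; the port name port0 and the bridge name br0 are assumptions.

```ini
# /etc/systemd/network/30-port0.network
# Constructed example: port0 and br0 are placeholders.
[Match]
Name=port0

[Network]
Bridge=br0

[Bridge]
# An isolated port can only communicate with non-isolated ports (for
# example the uplink port), never with other isolated ports.
Isolated=yes

# Do not process STP BPDUs arriving from the attached device ...
UseBPDU=no
# ... and never let this port become a root port.
AllowPortToBeRoot=no

# Do not send traffic back out of the port on which it was received.
HairPin=no

# No proxy ARP on this port.
ProxyARP=no
ProxyARPWiFi=no

# Let the system detect multicast routers instead of permanently treating
# this port as having one attached, which would deliver all multicast
# traffic to it.
MulticastRouter=query
```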
2355
2357 The [BridgeFDB] section manages the forwarding database table of a port
2358 and accepts the following keys. Specify several [BridgeFDB] sections to
2359 configure several static MAC table entries.
2360
2361 MACAddress=
2362 As in the [Network] section. This key is mandatory.
2363
2364 Destination=
2365 Takes an IP address of the destination VXLAN tunnel endpoint.
2366
2367 VLANId=
2368 The VLAN ID for the new static MAC table entry. If omitted, no VLAN
2369 ID information is appended to the new static MAC table entry.
2370
2371 VNI=
2372 The VXLAN Network Identifier (or VXLAN Segment ID) to use to
2373 connect to the remote VXLAN tunnel endpoint. Takes a number in the
2374 range 1...16777215. Defaults to unset.
2375
2376 AssociatedWith=
2377 Specifies what the address is associated with. Takes one of "use",
2378 "self", "master" or "router". "use" means the address is in use.
2379 User space can use this option to indicate to the kernel that the
2380 fdb entry is in use. "self" means the address is associated with
2381 the port driver's fdb, usually hardware. "master" means the address
2382 is associated with the master device's fdb. "router" means the
2383 destination address is associated with a router. Note that it's
2384 valid if the referenced device is a VXLAN type device and has route
2385 shortcircuit enabled. Defaults to "self".
2386
2387 OutgoingInterface=
2388 Specifies the name or index of the outgoing interface for the VXLAN
2389 device driver to reach the remote VXLAN tunnel endpoint. Defaults
2390 to unset.
2391
2393 The [BridgeMDB] section manages the multicast membership entries
2394 forwarding database table of a port and accepts the following keys.
2395 Specify several [BridgeMDB] sections to configure several permanent
2396 multicast membership entries.
2397
2398 MulticastGroupAddress=
2399 Specifies the IPv4 or IPv6 multicast group address to add. This
2400 setting is mandatory.
2401
2402 VLANId=
2403 The VLAN ID for the new entry. Valid ranges are 0 (no VLAN) to
2404 4094. Optional, defaults to 0.
2405
2407 The [LLDP] section manages the Link Layer Discovery Protocol (LLDP) and
2408 accepts the following keys:
2409
2410 MUDURL=
2411 When configured, the specified Manufacturer Usage Descriptions
2412 (MUD) URL will be sent in LLDP packets. The syntax and semantics
2413 are the same as for MUDURL= in the [DHCPv4] section described
2414 above.
2415
2416 The MUD URLs received via LLDP packets are saved and can be read
2417 using the sd_lldp_neighbor_get_mud_url() function.
2418
2420 The [CAN] section manages the Controller Area Network (CAN bus) and
2421 accepts the following keys:
2422
2423 BitRate=
2424 The bitrate of CAN device in bits per second. The usual SI prefixes
2425 (K, M) with the base of 1000 can be used here. Takes a number in
2426 the range 1...4294967295.
2427
2428 SamplePoint=
2429 Optional sample point in percent with one decimal (e.g. "75%",
2430 "87.5%") or permille (e.g. "875‰"). This will be ignored when
2431 BitRate= is unspecified.
2432
2433 TimeQuantaNSec=, PropagationSegment=, PhaseBufferSegment1=,
2434 PhaseBufferSegment2=, SyncJumpWidth=
2435 Specifies the time quanta, propagation segment, phase buffer
2436 segment 1 and 2, and the synchronization jump width, which allow
2437 one to define the CAN bit-timing in a hardware independent format
2438 as proposed by the Bosch CAN 2.0 Specification. TimeQuantaNSec=
2439 takes a timespan in nanoseconds. PropagationSegment=,
2440 PhaseBufferSegment1=, PhaseBufferSegment2=, and SyncJumpWidth= take
2441 a number of time quanta as specified in TimeQuantaNSec= and must be an
2442 unsigned integer in the range 0...4294967295. These settings except
2443 for SyncJumpWidth= will be ignored when BitRate= is specified.
2444
2445 DataBitRate=, DataSamplePoint=
2446 The bitrate and sample point for the data phase, if CAN-FD is used.
2447 These settings are analogous to the BitRate= and SamplePoint= keys.
2448
2449 DataTimeQuantaNSec=, DataPropagationSegment=, DataPhaseBufferSegment1=,
2450 DataPhaseBufferSegment2=, DataSyncJumpWidth=
2451 Specifies the time quanta, propagation segment, phase buffer
2452 segment 1 and 2, and the synchronization jump width for the data
2453 phase, if CAN-FD is used. These settings are analogous to the
2454 TimeQuantaNSec= or related settings.
2455
2456 FDMode=
2457 Takes a boolean. When "yes", CAN-FD mode is enabled for the
2458 interface. Note that a bitrate and optional sample point should
2459 also be set for the CAN-FD data phase using the DataBitRate= and
2460 DataSamplePoint= keys, or DataTimeQuantaNSec= and related settings.
2461
2462 FDNonISO=
2463 Takes a boolean. When "yes", non-ISO CAN-FD mode is enabled for the
2464 interface. When unset, the kernel's default will be used.
2465
2466 RestartSec=
2467 Automatic restart delay time. If set to a non-zero value, a restart
2468 of the CAN controller will be triggered automatically in case of a
2469 bus-off condition after the specified delay time. Subsecond delays
2470 can be specified using decimals (e.g. "0.1s") or a "ms" or "us"
2471 postfix. Using "infinity" or "0" will turn the automatic restart
2472 off. By default automatic restart is disabled.
2473
2474 Termination=
2475 Takes a boolean or a termination resistor value in ohm in the range
2476 0...65535. When "yes", the termination resistor is set to 120 ohm.
2477 When "no" or "0" is set, the termination resistor is disabled. When
2478 unset, the kernel's default will be used.
2479
2480 TripleSampling=
2481 Takes a boolean. When "yes", three samples (instead of one) are
2482 used to determine the value of a received bit by majority rule.
2483 When unset, the kernel's default will be used.
2484
2485 BusErrorReporting=
2486 Takes a boolean. When "yes", reporting of CAN bus errors is
2487 activated (those include single bit, frame format, and bit stuffing
2488 errors, unable to send dominant bit, unable to send recessive bit,
2489 bus overload, active error announcement, error occurred on
2490 transmission). When unset, the kernel's default will be used. Note:
2491 in case of a CAN bus with a single CAN device, sending a CAN frame
2492 may result in a huge number of CAN bus errors.
2493
2494 ListenOnly=
2495 Takes a boolean. When "yes", listen-only mode is enabled. When the
2496 interface is in listen-only mode, the interface neither transmits
2497 CAN frames nor sends the ACK bit. Listen-only mode is important to
2498 debug CAN networks without interfering with the communication or
2499 acknowledging the CAN frame. When unset, the kernel's default will be
2500 used.
2501
2502 Loopback=
2503 Takes a boolean. When "yes", loopback mode is enabled. When the
2504 loopback mode is enabled, the interface treats messages transmitted
2505 by itself as received messages. The loopback mode is important to
2506 debug CAN networks. When unset, the kernel's default will be used.
2507
2508 OneShot=
2509 Takes a boolean. When "yes", one-shot mode is enabled. When unset,
2510 the kernel's default will be used.
2511
2512 PresumeAck=
2513 Takes a boolean. When "yes", the interface will ignore missing CAN
2514 ACKs. When unset, the kernel's default will be used.
2515
2516 ClassicDataLengthCode=
2517 Takes a boolean. When "yes", the interface will handle the 4-bit
2518 data length code (DLC). When unset, the kernel's default will be
2519 used.
2520
2522 The [IPoIB] section manages the IP over Infiniband and accepts the
2523 following keys:
2524
2525 Mode=
2526 Takes one of the special values "datagram" or "connected". Defaults
2527 to unset, and the kernel's default is used.
2528
2529 When "datagram", the Infiniband unreliable datagram (UD) transport
2530 is used, and so the interface MTU is equal to the IB L2 MTU minus
2531 the IPoIB encapsulation header (4 bytes). For example, in a typical
2532 IB fabric with a 2K MTU, the IPoIB MTU will be 2048 - 4 = 2044
2533 bytes.
2534
2535 When "connected", the Infiniband reliable connected (RC) transport
2536 is used. Connected mode takes advantage of the connected nature of
2537 the IB transport and allows an MTU up to the maximal IP packet size
2538 of 64K, which reduces the number of IP packets needed for handling
2539 large UDP datagrams, TCP segments, etc., and increases the
2540 performance for large messages.
2541
2542 IgnoreUserspaceMulticastGroup=
2543 Takes a boolean value. When true, the kernel ignores multicast
2544 groups handled by userspace. Defaults to unset, and the kernel's
2545 default is used.
2546
2548 The [QDisc] section manages the traffic control queueing discipline
2549 (qdisc).
2550
2551 Parent=
2552 Specifies the parent Queueing Discipline (qdisc). Takes one of
2553 "clsact" or "ingress". This is mandatory.
2554
2555 Handle=
2556 Configures the major number of unique identifier of the qdisc,
2557 known as the handle. Takes a hexadecimal number in the range
2558 0x1–0xffff. Defaults to unset.
2559
2561 The [NetworkEmulator] section manages the queueing discipline (qdisc)
2562 of the network emulator. It can be used to configure the kernel packet
2563 scheduler and simulate packet delay and loss for UDP or TCP
2564 applications, or limit the bandwidth usage of a particular service to
2565 simulate internet connections.
2566
2567 Parent=
2568 Configures the parent Queueing Discipline (qdisc). Takes one of
2569 "root", "clsact", "ingress" or a class identifier. The class
2570 identifier is specified as the major and minor numbers in
2571 hexadecimal in the range 0x1–0xffff separated with a colon
2572 ("major:minor"). Defaults to "root".
2573
2574 Handle=
2575 Configures the major number of unique identifier of the qdisc,
2576 known as the handle. Takes a hexadecimal number in the range
2577 0x1–0xffff. Defaults to unset.
2578
2579 DelaySec=
2580 Specifies the fixed amount of delay to be added to all packets
2581 going out of the interface. Defaults to unset.
2582
2583 DelayJitterSec=
2584 Specifies the chosen delay to be added to the packets outgoing to
2585 the network interface. Defaults to unset.
2586
2587 PacketLimit=
2588 Specifies the maximum number of packets the qdisc may hold queued
2589 at a time. An unsigned integer in the range 0...4294967294.
2590 Defaults to 1000.
2591
2592 LossRate=
2593 Specifies an independent loss probability to be added to the
2594 packets outgoing from the network interface. Takes a percentage
2595 value, suffixed with "%". Defaults to unset.
2596
2597 DuplicateRate=
2598 Specifies that the chosen percent of packets is duplicated before
2599 queuing them. Takes a percentage value, suffixed with "%". Defaults
2600 to unset.
2601
2603 The [TokenBucketFilter] section manages the queueing discipline (qdisc)
2604 of token bucket filter (tbf).
2605
2606 Parent=
2607 Configures the parent Queueing Discipline (qdisc). Takes one of
2608 "root", "clsact", "ingress" or a class identifier. The class
2609 identifier is specified as the major and minor numbers in
2610 hexadecimal in the range 0x1–0xffff separated with a colon
2611 ("major:minor"). Defaults to "root".
2612
2613 Handle=
2614 Configures the major number of unique identifier of the qdisc,
2615 known as the handle. Takes a hexadecimal number in the range
2616 0x1–0xffff. Defaults to unset.
2617
2618 LatencySec=
2619 Specifies the latency parameter, which specifies the maximum amount
2620 of time a packet can sit in the Token Bucket Filter (TBF). Defaults
2621 to unset.
2622
2623 LimitBytes=
2624 Takes the number of bytes that can be queued waiting for tokens to
2625 become available. When the size is suffixed with K, M, or G, it is
2626 parsed as Kilobytes, Megabytes, or Gigabytes, respectively, to the
2627 base of 1024. Defaults to unset.
2628
2629 BurstBytes=
2630 Specifies the size of the bucket. This is the maximum number of
2631 bytes for which tokens can be available instantaneously. When
2632 the size is suffixed with K, M, or G, it is parsed as Kilobytes,
2633 Megabytes, or Gigabytes, respectively, to the base of 1024.
2634 Defaults to unset.
2635
2636 Rate=
2637 Specifies the device specific bandwidth. When suffixed with K, M,
2638 or G, the specified bandwidth is parsed as Kilobits, Megabits, or
2639 Gigabits, respectively, to the base of 1000. Defaults to unset.
2640
2641 MPUBytes=
2642 The Minimum Packet Unit (MPU) determines the minimal token usage
2643 (specified in bytes) for a packet. When suffixed with K, M, or G,
2644 the specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
2645 respectively, to the base of 1024. Defaults to zero.
2646
2647 PeakRate=
2648 Takes the maximum depletion rate of the bucket. When suffixed with
2649 K, M, or G, the specified size is parsed as Kilobits, Megabits, or
2650 Gigabits, respectively, to the base of 1000. Defaults to unset.
2651
2652 MTUBytes=
2653 Specifies the size of the peakrate bucket. When suffixed with K, M,
2654 or G, the specified size is parsed as Kilobytes, Megabytes, or
2655 Gigabytes, respectively, to the base of 1024. Defaults to unset.
2656
2658 The [PIE] section manages the queueing discipline (qdisc) of
2659 Proportional Integral controller-Enhanced (PIE).
2660
2661 Parent=
2662 Configures the parent Queueing Discipline (qdisc). Takes one of
2663 "root", "clsact", "ingress" or a class identifier. The class
2664 identifier is specified as the major and minor numbers in
2665 hexadecimal in the range 0x1–0xffff separated with a colon
2666 ("major:minor"). Defaults to "root".
2667
2668 Handle=
2669 Configures the major number of unique identifier of the qdisc,
2670 known as the handle. Takes a hexadecimal number in the range
2671 0x1–0xffff. Defaults to unset.
2672
2673 PacketLimit=
2674 Specifies the hard limit on the queue size in number of packets.
2675 When this limit is reached, incoming packets are dropped. An
2676 unsigned integer in the range 1...4294967294. Defaults to unset and
2677 kernel's default is used.
2678
2680 The "[FlowQueuePIE]" section manages the queueing discipline (qdisc) of
2681 Flow Queue Proportional Integral controller-Enhanced (fq_pie).
2682
2683 Parent=
2684 Configures the parent Queueing Discipline (qdisc). Takes one of
2685 "root", "clsact", "ingress" or a class identifier. The class
2686 identifier is specified as the major and minor numbers in
2687 hexadecimal in the range 0x1–0xffff separated with a colon
2688 ("major:minor"). Defaults to "root".
2689
2690 Handle=
2691 Configures the major number of unique identifier of the qdisc,
2692 known as the handle. Takes a hexadecimal number in the range
2693 0x1–0xffff. Defaults to unset.
2694
2695 PacketLimit=
2696 Specifies the hard limit on the queue size in number of packets.
2697 When this limit is reached, incoming packets are dropped. An
2698 unsigned integer in the range 1...4294967294. Defaults to unset and
2699 kernel's default is used.
2700
2702 The [StochasticFairBlue] section manages the queueing discipline
2703 (qdisc) of stochastic fair blue (sfb).
2704
2705 Parent=
2706 Configures the parent Queueing Discipline (qdisc). Takes one of
2707 "root", "clsact", "ingress" or a class identifier. The class
2708 identifier is specified as the major and minor numbers in
2709 hexadecimal in the range 0x1–0xffff separated with a colon
2710 ("major:minor"). Defaults to "root".
2711
2712 Handle=
2713 Configures the major number of unique identifier of the qdisc,
2714 known as the handle. Takes a hexadecimal number in the range
2715 0x1–0xffff. Defaults to unset.
2716
2717 PacketLimit=
2718 Specifies the hard limit on the queue size in number of packets.
2719 When this limit is reached, incoming packets are dropped. An
2720 unsigned integer in the range 0...4294967294. Defaults to unset and
2721 kernel's default is used.
2722
2724 The [StochasticFairnessQueueing] section manages the queueing
2725 discipline (qdisc) of stochastic fairness queueing (sfq).
2726
2727 Parent=
2728 Configures the parent Queueing Discipline (qdisc). Takes one of
2729 "root", "clsact", "ingress" or a class identifier. The class
2730 identifier is specified as the major and minor numbers in
2731 hexadecimal in the range 0x1–0xffff separated with a colon
2732 ("major:minor"). Defaults to "root".
2733
2734 Handle=
2735 Configures the major number of unique identifier of the qdisc,
2736 known as the handle. Takes a hexadecimal number in the range
2737 0x1–0xffff. Defaults to unset.
2738
2739 PerturbPeriodSec=
2740 Specifies the interval in seconds for queue algorithm perturbation.
2741 Defaults to unset.
2742
2744 The [BFIFO] section manages the queueing discipline (qdisc) of Byte
2745 limited Packet First In First Out (bfifo).
2746
2747 Parent=
2748 Configures the parent Queueing Discipline (qdisc). Takes one of
2749 "root", "clsact", "ingress" or a class identifier. The class
2750 identifier is specified as the major and minor numbers in
2751 hexadecimal in the range 0x1–0xffff separated with a colon
2752 ("major:minor"). Defaults to "root".
2753
2754 Handle=
2755 Configures the major number of unique identifier of the qdisc,
2756 known as the handle. Takes a hexadecimal number in the range
2757 0x1–0xffff. Defaults to unset.
2758
2759 LimitBytes=
2760 Specifies the hard limit in bytes on the FIFO buffer size. The size
2761 limit prevents overflow in case the kernel is unable to dequeue
2762 packets as quickly as it receives them. When this limit is reached,
2763 incoming packets are dropped. When suffixed with K, M, or G, the
2764 specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
2765 respectively, to the base of 1024. Defaults to unset and kernel
2766 default is used.
2767
2769 The [PFIFO] section manages the queueing discipline (qdisc) of Packet
2770 First In First Out (pfifo).
2771
2772 Parent=
2773 Configures the parent Queueing Discipline (qdisc). Takes one of
2774 "root", "clsact", "ingress" or a class identifier. The class
2775 identifier is specified as the major and minor numbers in
2776 hexadecimal in the range 0x1–0xffff separated with a colon
2777 ("major:minor"). Defaults to "root".
2778
2779 Handle=
2780 Configures the major number of unique identifier of the qdisc,
2781 known as the handle. Takes a hexadecimal number in the range
2782 0x1–0xffff. Defaults to unset.
2783
2784 PacketLimit=
2785 Specifies the hard limit on the number of packets in the FIFO
2786 queue. The size limit prevents overflow in case the kernel is
2787 unable to dequeue packets as quickly as it receives them. When this
2788 limit is reached, incoming packets are dropped. An unsigned integer
2789 in the range 0...4294967294. Defaults to unset and kernel's default
2790 is used.
2791
2793 The [PFIFOHeadDrop] section manages the queueing discipline (qdisc) of
2794 Packet First In First Out Head Drop (pfifo_head_drop).
2795
2796 Parent=
2797 Configures the parent Queueing Discipline (qdisc). Takes one of
2798 "root", "clsact", "ingress" or a class identifier. The class
2799 identifier is specified as the major and minor numbers in
2800 hexadecimal in the range 0x1–0xffff separated with a colon
2801 ("major:minor"). Defaults to "root".
2802
2803 Handle=
2804 Configures the major number of unique identifier of the qdisc,
2805 known as the handle. Takes a hexadecimal number in the range
2806 0x1–0xffff. Defaults to unset.
2807
2808 PacketLimit=
2809 As in [PFIFO] section.
2810
2812 The [PFIFOFast] section manages the queueing discipline (qdisc) of
2813 Packet First In First Out Fast (pfifo_fast).
2814
2815 Parent=
2816 Configures the parent Queueing Discipline (qdisc). Takes one of
2817 "root", "clsact", "ingress" or a class identifier. The class
2818 identifier is specified as the major and minor numbers in
2819 hexadecimal in the range 0x1–0xffff separated with a colon
2820 ("major:minor"). Defaults to "root".
2821
2822 Handle=
2823 Configures the major number of unique identifier of the qdisc,
2824 known as the handle. Takes a hexadecimal number in the range
2825 0x1–0xffff. Defaults to unset.
2826
2828 The [CAKE] section manages the queueing discipline (qdisc) of Common
2829 Applications Kept Enhanced (CAKE).
2830
2831 Parent=
2832 Configures the parent Queueing Discipline (qdisc). Takes one of
2833 "root", "clsact", "ingress" or a class identifier. The class
2834 identifier is specified as the major and minor numbers in
2835 hexadecimal in the range 0x1–0xffff separated with a colon
2836 ("major:minor"). Defaults to "root".
2837
2838 Handle=
2839 Configures the major number of unique identifier of the qdisc,
2840 known as the handle. Takes a hexadecimal number in the range
2841 0x1–0xffff. Defaults to unset.
2842
2843 Bandwidth=
2844 Specifies the shaper bandwidth. When suffixed with K, M, or G, the
2845 specified size is parsed as Kilobits, Megabits, or Gigabits,
2846 respectively, to the base of 1000. Defaults to unset and kernel's
2847 default is used.
2848
2849 AutoRateIngress=
2850 Takes a boolean value. Enables automatic capacity estimation based
2851 on traffic arriving at this qdisc. This is most likely to be useful
2852 with cellular links, which tend to change quality randomly. If this
2853 setting is enabled, the Bandwidth= setting is used as an initial
2854 estimate. Defaults to unset, and the kernel's default is used.
2855
2856 OverheadBytes=
2857 Specifies the number of bytes to be added to the size of each packet.
2858 Bytes may be negative. Takes an integer in the range -64...256.
2859 Defaults to unset and kernel's default is used.
2860
2861 MPUBytes=
2862 Rounds each packet (including overhead) up to the specified bytes.
2863 Takes an integer in the range 1...256. Defaults to unset and
2864 kernel's default is used.
2865
2866 CompensationMode=
2867 Takes one of "none", "atm", or "ptm". Specifies the compensation
2868 mode for overhead calculation. When "none", no compensation is
2869 taken into account. When "atm", enables the compensation for ATM
2870 cell framing, which is normally found on ADSL links. When "ptm",
2871 enables the compensation for PTM encoding, which is normally found
2872 on VDSL2 links and uses a 64b/65b encoding scheme. Defaults to
2873 unset and the kernel's default is used.
2874
2875 UseRawPacketSize=
2876 Takes a boolean value. When true, the packet size reported by the
2877 Linux kernel will be used, instead of the underlying IP packet
2878 size. Defaults to unset, and the kernel's default is used.
2879
2880 FlowIsolationMode=
2881 CAKE places packets from different flows into different queues,
2882 then packets from each queue are delivered fairly. This specifies
2883 whether the fairness is based on source address, destination
2884 address, individual flows, or any combination of those. The
2885 available values are:
2886
2887 none
2888 The flow isolation is disabled, and all traffic passes through
2889 a single queue.
2890
2891 src-host
2892 Flows are defined only by source address. Equivalent to the
2893 "srchost" option for tc qdisc command. See also tc-cake(8).
2894
2895 dst-host
2896 Flows are defined only by destination address. Equivalent to
2897 the "dsthost" option for tc qdisc command. See also tc-cake(8).
2898
2899 hosts
2900 Flows are defined by source-destination host pairs. Equivalent
2901 to the same option for tc qdisc command. See also tc-cake(8).
2902
2903 flows
2904 Flows are defined by the entire 5-tuple of source address,
2905 destination address, transport protocol, source port and
2906 destination port. Equivalent to the same option for tc qdisc
2907 command. See also tc-cake(8).
2908
2909 dual-src-host
2910 Flows are defined by the 5-tuple (see "flows" in the above),
2911 and fairness is applied first over source addresses, then over
2912 individual flows. Equivalent to the "dual-srchost" option for
2913 tc qdisc command. See also tc-cake(8).
2914
2915 dual-dst-host
2916 Flows are defined by the 5-tuple (see "flows" in the above),
2917 and fairness is applied first over destination addresses, then
2918 over individual flows. Equivalent to the "dual-dsthost" option
2919 for tc qdisc command. See also tc-cake(8).
2920
2921 triple
2922 Flows are defined by the 5-tuple (see "flows"), and fairness is
2923 applied over source and destination addresses, and also over
2924 individual flows. Equivalent to the "triple-isolate" option for
2925 tc qdisc command. See also tc-cake(8).
2926
2927 Defaults to unset and the kernel's default is used.
2928
2929 NAT=
2930 Takes a boolean value. When true, CAKE performs a NAT lookup before
2931 applying flow-isolation rules, to determine the true addresses and
2932 port numbers of the packet, to improve fairness between hosts
2933 inside the NAT. This has no practical effect when
2934 FlowIsolationMode= is "none" or "flows", or if NAT is performed on
2935 a different host. Defaults to unset, and the kernel's default is
2936 used.
2937
2938 PriorityQueueingPreset=
2939 CAKE divides traffic into "tins", and each tin has its own
2940 independent set of flow-isolation queues, bandwidth threshold, and
2941 priority. This specifies the preset of tin profiles. The available
2942 values are:
2943
2944 besteffort
2945 Disables priority queueing by placing all traffic in one tin.
2946
2947 precedence
2948 Enables priority queueing based on the legacy interpretation of
2949 TOS "Precedence" field. Use of this preset on the modern
2950 Internet is firmly discouraged.
2951
2952 diffserv8
2953 Enables priority queueing based on the Differentiated Service
2954 ("DiffServ") field with eight tins: Background Traffic, High
2955 Throughput, Best Effort, Video Streaming, Low Latency
2956 Transactions, Interactive Shell, Minimum Latency, and Network
2957 Control.
2958
2959 diffserv4
2960 Enables priority queueing based on the Differentiated Service
2961 ("DiffServ") field with four tins: Background Traffic, Best
2962 Effort, Streaming Media, and Latency Sensitive.
2963
2964 diffserv3
2965 Enables priority queueing based on the Differentiated Service
2966 ("DiffServ") field with three tins: Background Traffic, Best
2967 Effort, and Latency Sensitive.
2968
2969 Defaults to unset, and the kernel's default is used.
2970
2971 FirewallMark=
2972 Takes an integer in the range 1...4294967295. When specified,
2973 firewall-mark-based overriding of CAKE's tin selection is enabled.
2974 Defaults to unset, and the kernel's default is used.
2975
2976 Wash=
2977 Takes a boolean value. When true, CAKE clears the DSCP fields,
2978 except for ECN bits, of any packet passing through CAKE. Defaults
2979 to unset, and the kernel's default is used.
2980
2981 SplitGSO=
2982 Takes a boolean value. When true, CAKE will split General
2983 Segmentation Offload (GSO) super-packets into their on-the-wire
2984 components and dequeue them individually. Defaults to unset, and
2985 the kernel's default is used.
2986
2987 RTTSec=
2988 Specifies the RTT for the filter. Takes a timespan. Typical values
2989 are e.g. 100us for extremely high-performance 10GigE+ networks like
2990 datacentre, 1ms for non-WiFi LAN connections, 100ms for typical
2991 internet connections. Defaults to unset, and the kernel's default
2992 will be used.
2993
2994 AckFilter=
2995 Takes a boolean value, or special value "aggressive". If enabled,
2996 ACKs in each flow are queued and redundant ACKs to the upstream are
2997 dropped. If yes, the filter will always keep at least two redundant
2998 ACKs in the queue, while in "aggressive" mode, it will filter down
2999 to a single ACK. This may improve download throughput on links with
3000 very asymmetrical rate limits. Defaults to unset, and the kernel's
3001 default will be used.
3002
3004 The [ControlledDelay] section manages the queueing discipline (qdisc)
3005 of controlled delay (CoDel).
3006
3007 Parent=
3008 Configures the parent Queueing Discipline (qdisc). Takes one of
3009 "root", "clsact", "ingress" or a class identifier. The class
3010 identifier is specified as the major and minor numbers in
3011 hexadecimal in the range 0x1–0xffff separated with a colon
3012 ("major:minor"). Defaults to "root".
3013
3014 Handle=
3015 Configures the major number of unique identifier of the qdisc,
3016 known as the handle. Takes a hexadecimal number in the range
3017 0x1–0xffff. Defaults to unset.
3018
3019 PacketLimit=
3020 Specifies the hard limit on the queue size in number of packets.
3021 When this limit is reached, incoming packets are dropped. An
3022 unsigned integer in the range 0...4294967294. Defaults to unset and
3023 kernel's default is used.
3024
3025 TargetSec=
3026 Takes a timespan. Specifies the acceptable minimum
3027 standing/persistent queue delay. Defaults to unset and kernel's
3028 default is used.
3029
3030 IntervalSec=
3031 Takes a timespan. This is used to ensure that the measured minimum
3032 delay does not become too stale. Defaults to unset and kernel's
3033 default is used.
3034
3035 ECN=
3036 Takes a boolean. This can be used to mark packets instead of
3037 dropping them. Defaults to unset and kernel's default is used.
3038
3039 CEThresholdSec=
3040 Takes a timespan. This sets a threshold above which all packets are
3041 marked with ECN Congestion Experienced (CE). Defaults to unset and
3042 kernel's default is used.
3043
3045 The [DeficitRoundRobinScheduler] section manages the queueing
3046 discipline (qdisc) of Deficit Round Robin Scheduler (DRR).
3047
3048 Parent=
3049 Configures the parent Queueing Discipline (qdisc). Takes one of
3050 "root", "clsact", "ingress" or a class identifier. The class
3051 identifier is specified as the major and minor numbers in
3052 hexadecimal in the range 0x1–0xffff separated with a colon
3053 ("major:minor"). Defaults to "root".
3054
3055 Handle=
3056 Configures the major number of unique identifier of the qdisc,
3057 known as the handle. Takes a hexadecimal number in the range
3058 0x1–0xffff. Defaults to unset.
3059
3061 The [DeficitRoundRobinSchedulerClass] section manages the traffic
3062 control class of Deficit Round Robin Scheduler (DRR).
3063
3064 Parent=
3065 Configures the parent Queueing Discipline (qdisc). Takes one of
3066 "root", or a qdisc identifier. The qdisc identifier is specified as
3067 the major and minor numbers in hexadecimal in the range 0x1–0xffff
3068 separated with a colon ("major:minor"). Defaults to "root".
3069
3070 ClassId=
3071 Configures the unique identifier of the class. It is specified as
3072 the major and minor numbers in hexadecimal in the range 0x1–0xffff
3073 separated with a colon ("major:minor"). Defaults to unset.
3074
3075 QuantumBytes=
3076 Specifies the amount of bytes a flow is allowed to dequeue before
3077 the scheduler moves to the next class. When suffixed with K, M, or
3078 G, the specified size is parsed as Kilobytes, Megabytes, or
3079 Gigabytes, respectively, to the base of 1024. Defaults to the MTU
3080 of the interface.
3081
3083 The [EnhancedTransmissionSelection] section manages the queueing
3084 discipline (qdisc) of Enhanced Transmission Selection (ETS).
3085
3086 Parent=
3087 Configures the parent Queueing Discipline (qdisc). Takes one of
3088 "root", "clsact", "ingress" or a class identifier. The class
3089 identifier is specified as the major and minor numbers in
3090 hexadecimal in the range 0x1–0xffff separated with a colon
3091 ("major:minor"). Defaults to "root".
3092
3093 Handle=
3094 Configures the major number of unique identifier of the qdisc,
3095 known as the handle. Takes a hexadecimal number in the range
3096 0x1–0xffff. Defaults to unset.
3097
3098 Bands=
3099 Specifies the number of bands. An unsigned integer in the range
3100 1...16. This value has to be at least large enough to cover the
3101 strict bands specified through the StrictBands= and
3102 bandwidth-sharing bands specified in QuantumBytes=.
3103
3104 StrictBands=
3105 Specifies the number of bands that should be created in strict
3106 mode. An unsigned integer in the range 1...16.
3107
3108 QuantumBytes=
3109 Specifies a whitespace-separated list of quanta used in
3110 band-sharing bands. When suffixed with K, M, or G, the specified
3111 size is parsed as Kilobytes, Megabytes, or Gigabytes, respectively,
3112 to the base of 1024. This setting can be specified multiple times.
3113 If an empty string is assigned, then all previous assignments
3114 are cleared.
3115
3116 PriorityMap=
3117 The priority map maps the priority of a packet to a band. The
3118 argument is a whitespace separated list of numbers. The first
3119 number indicates which band the packets with priority 0 should be
3120 put to, the second is for priority 1, and so on. There can be up to
3121 16 numbers in the list. If there are fewer, the default band that
3122 traffic with one of the unmentioned priorities goes to is the last
3123 one. Each band number must be in the range 0...255. This setting
3124 can be specified multiple times. If an empty string is assigned,
3125 then all previous assignments are cleared.
3126
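The band-count and priority-map rules of the [EnhancedTransmissionSelection] section can be checked before a file is deployed. The following is an added example, not code from systemd: the names parse_size and resolve_ets are hypothetical, and it assumes Bands= is set explicitly and that sizes are whole numbers.

```python
# Added example: resolves the keys of one [EnhancedTransmissionSelection]
# section into the effective priority-to-band table described above.
SUFFIX = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}  # base 1024, as for QuantumBytes=

# Constructed sample section body; not taken from the manual.
SAMPLE_OK = """\
Bands=5
StrictBands=2
QuantumBytes=1500 3K
QuantumBytes=
QuantumBytes=4500 3K 1500
PriorityMap=0 1 1
PriorityMap=2 3
"""


def parse_size(token):
    """Parse a byte count with an optional K, M or G suffix (integers only)."""
    mult = SUFFIX.get(token[-1:])
    digits = token[:-1] if mult else token
    if not digits.isdigit():
        raise ValueError(f"not a size: {token!r}")
    return int(digits) * (mult or 1)


def resolve_ets(section_body):
    """Return the quanta, the 16-entry priority-to-band table and any errors."""
    bands = strict = None
    quanta, priomap, errors = [], [], []
    for raw in section_body.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, tokens = key.strip(), value.split()
        if key == "Bands":
            bands = int(value)
        elif key == "StrictBands":
            strict = int(value)
        elif key == "QuantumBytes":
            # Repeated assignments accumulate; an empty value clears the list.
            quanta = quanta + [parse_size(t) for t in tokens] if tokens else []
        elif key == "PriorityMap":
            priomap = priomap + [int(t) for t in tokens] if tokens else []

    if bands is None:  # assumption of this example: Bands= must be present
        errors.append("Bands= is not set")
        return {"quanta": quanta, "priority_to_band": None, "errors": errors}
    if not 1 <= bands <= 16:
        errors.append(f"Bands={bands} is outside 1...16")
    if strict is not None and not 1 <= strict <= 16:
        errors.append(f"StrictBands={strict} is outside 1...16")
    needed = (strict or 0) + len(quanta)
    if bands < needed:
        errors.append(f"Bands={bands} does not cover {needed} strict and sharing bands")
    if len(priomap) > 16:
        errors.append(f"PriorityMap= has {len(priomap)} entries, at most 16 allowed")
    errors += [f"PriorityMap= band {b} is outside 0...255"
               for b in priomap if not 0 <= b <= 255]

    # Priorities that are not mentioned go to the last band.
    table = priomap[:16] + [bands - 1] * (16 - len(priomap[:16]))
    return {"quanta": quanta, "priority_to_band": table, "errors": errors}


if __name__ == "__main__":
    result = resolve_ets(SAMPLE_OK)
    for prio, band in enumerate(result["priority_to_band"]):
        print(f"priority {prio:2d} -> band {band}")
    print("errors:", result["errors"])
```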
3128 The [GenericRandomEarlyDetection] section manages the queueing
3129 discipline (qdisc) of Generic Random Early Detection (GRED).
3130
3131 Parent=
3132 Configures the parent Queueing Discipline (qdisc). Takes one of
3133 "root", "clsact", "ingress" or a class identifier. The class
3134 identifier is specified as the major and minor numbers in
3135 hexadecimal in the range 0x1–0xffff separated with a colon
3136 ("major:minor"). Defaults to "root".
3137
3138 Handle=
3139 Configures the major number of unique identifier of the qdisc,
3140 known as the handle. Takes a hexadecimal number in the range
3141 0x1–0xffff. Defaults to unset.
3142
3143 VirtualQueues=
3144 Specifies the number of virtual queues. Takes an integer in the
3145 range 1...16. Defaults to unset and kernel's default is used.
3146
3147 DefaultVirtualQueue=
3148 Specifies the number of the default virtual queue. This must be less
3149 than VirtualQueues=. Defaults to unset and kernel's default is used.
3150
3151 GenericRIO=
3152 Takes a boolean. It turns on the RIO-like buffering scheme.
3153 Defaults to unset and kernel's default is used.
3154
3156 The [FairQueueingControlledDelay] section manages the queueing
3157 discipline (qdisc) of fair queuing controlled delay (FQ-CoDel).
3158
3159 Parent=
3160 Configures the parent Queueing Discipline (qdisc). Takes one of
3161 "root", "clsact", "ingress" or a class identifier. The class
3162 identifier is specified as the major and minor numbers in
3163 hexadecimal in the range 0x1–0xffff separated with a colon
3164 ("major:minor"). Defaults to "root".
3165
3166 Handle=
3167 Configures the major number of unique identifier of the qdisc,
3168 known as the handle. Takes a hexadecimal number in the range
3169 0x1–0xffff. Defaults to unset.
3170
3171 PacketLimit=
3172 Specifies the hard limit on the real queue size. When this limit is
3173 reached, incoming packets are dropped. Defaults to unset and
3174 kernel's default is used.
3175
3176 MemoryLimitBytes=
3177 Specifies the limit on the total number of bytes that can be queued
3178 in this FQ-CoDel instance. When suffixed with K, M, or G, the
3179 specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
3180 respectively, to the base of 1024. Defaults to unset and kernel's
3181 default is used.
3182
3183 Flows=
3184 Specifies the number of flows into which the incoming packets are
3185 classified. Defaults to unset and kernel's default is used.
3186
3187 TargetSec=
3188 Takes a timespan. Specifies the acceptable minimum
3189 standing/persistent queue delay. Defaults to unset and kernel's
3190 default is used.
3191
3192 IntervalSec=
3193 Takes a timespan. This is used to ensure that the measured minimum
3194 delay does not become too stale. Defaults to unset and kernel's
3195 default is used.
3196
3197 QuantumBytes=
3198 Specifies the number of bytes used as the "deficit" in the fair
3199 queuing algorithm timespan. When suffixed with K, M, or G, the
3200 specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
3201 respectively, to the base of 1024. Defaults to unset and kernel's
3202 default is used.
3203
3204 ECN=
3205 Takes a boolean. This can be used to mark packets instead of
3206 dropping them. Defaults to unset and kernel's default is used.
3207
3208 CEThresholdSec=
3209 Takes a timespan. This sets a threshold above which all packets are
3210 marked with ECN Congestion Experienced (CE). Defaults to unset and
3211 kernel's default is used.
3212
3214 The [FairQueueing] section manages the queueing discipline (qdisc) of
3215 fair queue traffic policing (FQ).
3216
3217 Parent=
3218 Configures the parent Queueing Discipline (qdisc). Takes one of
3219 "root", "clsact", "ingress" or a class identifier. The class
3220 identifier is specified as the major and minor numbers in
3221 hexadecimal in the range 0x1–0xffff separated with a colon
3222 ("major:minor"). Defaults to "root".
3223
3224 Handle=
3225 Configures the major number of unique identifier of the qdisc,
3226 known as the handle. Takes a hexadecimal number in the range
3227 0x1–0xffff. Defaults to unset.
3228
3229 PacketLimit=
3230 Specifies the hard limit on the real queue size. When this limit is
3231 reached, incoming packets are dropped. Defaults to unset and
3232 kernel's default is used.
3233
3234 FlowLimit=
3235 Specifies the hard limit on the maximum number of packets queued
3236 per flow. Defaults to unset and kernel's default is used.
3237
3238 QuantumBytes=
3239 Specifies the credit per dequeue RR round, i.e. the amount of bytes
3240 a flow is allowed to dequeue at once. When suffixed with K, M, or
3241 G, the specified size is parsed as Kilobytes, Megabytes, or
3242 Gigabytes, respectively, to the base of 1024. Defaults to unset and
3243 kernel's default is used.
3244
3245 InitialQuantumBytes=
3246 Specifies the initial sending rate credit, i.e. the amount of bytes
3247 a new flow is allowed to dequeue initially. When suffixed with K,
3248 M, or G, the specified size is parsed as Kilobytes, Megabytes, or
3249 Gigabytes, respectively, to the base of 1024. Defaults to unset and
3250 kernel's default is used.
3251
3252 MaximumRate=
3253 Specifies the maximum sending rate of a flow. When suffixed with K,
3254 M, or G, the specified size is parsed as Kilobits, Megabits, or
3255 Gigabits, respectively, to the base of 1000. Defaults to unset and
3256 kernel's default is used.
3257
3258 Buckets=
3259 Specifies the size of the hash table used for flow lookups.
3260 Defaults to unset and kernel's default is used.
3261
3262 OrphanMask=
3263 Takes an unsigned integer. For packets not owned by a socket, fq is
3264 able to mask a part of hash and reduce number of buckets associated
3265 with the traffic. Defaults to unset and kernel's default is used.
3266
3267 Pacing=
3268 Takes a boolean, and enables or disables flow pacing. Defaults to
3269 unset and kernel's default is used.
3270
3271 CEThresholdSec=
3272 Takes a timespan. This sets a threshold above which all packets are
3273 marked with ECN Congestion Experienced (CE). Defaults to unset and
3274 kernel's default is used.
3275
3277 The [TrivialLinkEqualizer] section manages the queueing discipline
3278 (qdisc) of trivial link equalizer (teql).
3279
3280 Parent=
3281 Configures the parent Queueing Discipline (qdisc). Takes one of
3282 "root", "clsact", "ingress" or a class identifier. The class
3283 identifier is specified as the major and minor numbers in
3284 hexadecimal in the range 0x1–0xffff separated with a colon
3285 ("major:minor"). Defaults to "root".
3286
3287 Handle=
3288 Configures the major number of unique identifier of the qdisc,
3289 known as the handle. Takes a hexadecimal number in the range
3290 0x1–0xffff. Defaults to unset.
3291
3292 Id=
3293 Specifies the interface ID "N" of teql. Defaults to "0". Note that
3294 when teql is used, currently, the module sch_teql with
3295 max_equalizers=N+1 option must be loaded before systemd-networkd is
3296 started.
3297
3299 The [HierarchyTokenBucket] section manages the queueing discipline
3300 (qdisc) of hierarchy token bucket (htb).
3301
3302 Parent=
3303 Configures the parent Queueing Discipline (qdisc). Takes one of
3304 "root", "clsact", "ingress" or a class identifier. The class
3305 identifier is specified as the major and minor numbers in
3306 hexadecimal in the range 0x1–0xffff separated with a colon
3307 ("major:minor"). Defaults to "root".
3308
3309 Handle=
3310 Configures the major number of unique identifier of the qdisc,
3311 known as the handle. Takes a hexadecimal number in the range
3312 0x1–0xffff. Defaults to unset.
3313
3314 DefaultClass=
3315 Takes the minor id in hexadecimal of the default class.
3316 Unclassified traffic gets sent to the class. Defaults to unset.
3317
3318 RateToQuantum=
3319 Takes an unsigned integer. The DRR quantums are calculated by
3320 dividing the value configured in Rate= by RateToQuantum=.
3321
3323 The [HierarchyTokenBucketClass] section manages the traffic control
3324 class of hierarchy token bucket (htb).
3325
3326 Parent=
3327 Configures the parent Queueing Discipline (qdisc). Takes one of
3328 "root", or a qdisc identifier. The qdisc identifier is specified as
3329 the major and minor numbers in hexadecimal in the range 0x1–0xffff
3330 separated with a colon ("major:minor"). Defaults to "root".
3331
3332 ClassId=
3333 Configures the unique identifier of the class. It is specified as
3334 the major and minor numbers in hexadecimal in the range 0x1–0xffff
3335 separated with a colon ("major:minor"). Defaults to unset.
3336
3337 Priority=
3338 Specifies the priority of the class. In the round-robin process,
3339 classes with the lowest priority field are tried for packets first.
3340
3341 QuantumBytes=
3342 Specifies how many bytes to serve from leaf at once. When suffixed
3343 with K, M, or G, the specified size is parsed as Kilobytes,
3344 Megabytes, or Gigabytes, respectively, to the base of 1024.
3345
3346 MTUBytes=
3347 Specifies the maximum packet size we create. When suffixed with K,
3348 M, or G, the specified size is parsed as Kilobytes, Megabytes, or
3349 Gigabytes, respectively, to the base of 1024.
3350
3351 OverheadBytes=
3352 Takes an unsigned integer which specifies per-packet size overhead
3353 used in rate computations. When suffixed with K, M, or G, the
3354 specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
3355 respectively, to the base of 1024.
3356
3357 Rate=
3358 Specifies the maximum rate this class and all its children are
3359 guaranteed. When suffixed with K, M, or G, the specified size is
3360 parsed as Kilobits, Megabits, or Gigabits, respectively, to the
3361 base of 1000. This setting is mandatory.
3362
3363 CeilRate=
3364 Specifies the maximum rate at which a class can send, if its parent
3365 has bandwidth to spare. When suffixed with K, M, or G, the
3366 specified size is parsed as Kilobits, Megabits, or Gigabits,
3367 respectively, to the base of 1000. When unset, the value specified
3368 with Rate= is used.
3369
3370 BufferBytes=
3371 Specifies the maximum bytes burst which can be accumulated during
3372 idle period. When suffixed with K, M, or G, the specified size is
3373 parsed as Kilobytes, Megabytes, or Gigabytes, respectively, to the
3374 base of 1024.
3375
3376 CeilBufferBytes=
3377 Specifies the maximum bytes burst for ceil which can be accumulated
3378 during idle period. When suffixed with K, M, or G, the specified
3379 size is parsed as Kilobytes, Megabytes, or Gigabytes, respectively,
3380 to the base of 1024.
3381
3383 The [HeavyHitterFilter] section manages the queueing discipline (qdisc)
3384 of Heavy Hitter Filter (hhf).
3385
3386 Parent=
3387 Configures the parent Queueing Discipline (qdisc). Takes one of
3388 "root", "clsact", "ingress" or a class identifier. The class
3389 identifier is specified as the major and minor numbers in
3390 hexadecimal in the range 0x1–0xffff separated with a colon
3391 ("major:minor"). Defaults to "root".
3392
3393 Handle=
3394 Configures the major number of unique identifier of the qdisc,
3395 known as the handle. Takes a hexadecimal number in the range
3396 0x1–0xffff. Defaults to unset.
3397
3398 PacketLimit=
3399 Specifies the hard limit on the queue size in number of packets.
3400 When this limit is reached, incoming packets are dropped. An
3401 unsigned integer in the range 0...4294967294. Defaults to unset and
3402 kernel's default is used.
3403
3405 The [QuickFairQueueing] section manages the queueing discipline (qdisc)
3406 of Quick Fair Queueing (QFQ).
3407
3408 Parent=
3409 Configures the parent Queueing Discipline (qdisc). Takes one of
3410 "root", "clsact", "ingress" or a class identifier. The class
3411 identifier is specified as the major and minor numbers in
3412 hexadecimal in the range 0x1–0xffff separated with a colon
3413 ("major:minor"). Defaults to "root".
3414
3415 Handle=
3416 Configures the major number of unique identifier of the qdisc,
3417 known as the handle. Takes a hexadecimal number in the range
3418 0x1–0xffff. Defaults to unset.
3419
3421 The [QuickFairQueueingClass] section manages the traffic control class
3422 of Quick Fair Queueing (qfq).
3423
3424 Parent=
3425 Configures the parent Queueing Discipline (qdisc). Takes one of
3426 "root", or a qdisc identifier. The qdisc identifier is specified as
3427 the major and minor numbers in hexadecimal in the range 0x1–0xffff
3428 separated with a colon ("major:minor"). Defaults to "root".
3429
3430 ClassId=
3431 Configures the unique identifier of the class. It is specified as
3432 the major and minor numbers in hexadecimal in the range 0x1–0xffff
3433 separated with a colon ("major:minor"). Defaults to unset.
3434
3435 Weight=
3436 Specifies the weight of the class. Takes an integer in the range
3437 1...1023. Defaults to unset in which case the kernel default is
3438 used.
3439
3440 MaxPacketBytes=
3441 Specifies the maximum packet size in bytes for the class. When
3442 suffixed with K, M, or G, the specified size is parsed as
3443 Kilobytes, Megabytes, or Gigabytes, respectively, to the base of
3444 1024. When unset, the kernel default is used.
3445
3447 The [BridgeVLAN] section manages the VLAN ID configuration of a bridge
3448 port and accepts the following keys. Specify several [BridgeVLAN]
3449 sections to configure several VLAN entries. The VLANFiltering= option
3450 has to be enabled, see the [Bridge] section in systemd.netdev(5).
3451
3452 VLAN=
3453 The VLAN ID allowed on the port. This can be either a single ID or
3454 a range M-N. Takes an integer in the range 1...4094.
3455
3456 EgressUntagged=
3457 The VLAN ID specified here will be used to untag frames on egress.
3458 Configuring EgressUntagged= implies the use of VLAN= above and
3459 will enable the VLAN ID for ingress as well. This can be either a
3460 single ID or a range M-N.
3461
3462 PVID=
3463 The Port VLAN ID specified here is assigned to all untagged frames
3464 at ingress. PVID= can be used only once. Configuring PVID=
3465 implies the use of VLAN= above and will enable the VLAN ID for
3466 ingress as well.
3467
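Because EgressUntagged= and PVID= implicitly enable VLAN IDs, the effective VLAN membership of a port is easy to misjudge when reviewing segmentation. The following is an added example, not code from systemd, that computes that membership from the [BridgeVLAN] sections of one .network file and reports violations of the rules above. The function names, the permitted allow-list parameter and the rejection of a range in PVID= are assumptions of this example.

```python
# Added example: audits the [BridgeVLAN] sections of a single .network file.
import re

VLAN_MIN, VLAN_MAX = 1, 4094  # range given for VLAN= on this page

# Constructed sample for one bridge port; not taken from the manual.
SAMPLE = """\
[Match]
Name=enp2s0

[Network]
Bridge=bridge0

[BridgeVLAN]
VLAN=100-102

[BridgeVLAN]
VLAN=200
EgressUntagged=200
PVID=200

[BridgeVLAN]
EgressUntagged=300
PVID=300

[BridgeVLAN]
VLAN=4095
"""


def parse_sections(text):
    """Return [(section, [(key, value), ...])], keeping repeated sections apart."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            sections.append((header.group(1), []))
        elif "=" in line and sections:
            key, _, value = line.partition("=")
            sections[-1][1].append((key.strip(), value.strip()))
    return sections


def parse_vlan_spec(spec):
    """Expand a single ID or an M-N range into a set of VLAN IDs."""
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", spec)
    if not m:
        raise ValueError(f"{spec!r} is not a VLAN ID or an M-N range")
    low = int(m.group(1))
    high = int(m.group(2) or low)
    if not VLAN_MIN <= low <= high <= VLAN_MAX:
        raise ValueError(f"{spec!r} is outside {VLAN_MIN}...{VLAN_MAX}")
    return set(range(low, high + 1))


def audit_bridge_vlans(text, permitted=None):
    """Compute allowed/untagged/PVID for the port and collect findings.

    permitted is an optional allow-list of VLAN IDs (a local policy input,
    hypothetical here); any enabled VLAN outside it is reported.
    """
    allowed, untagged, pvid, findings = set(), set(), None, []
    for name, items in parse_sections(text):
        if name != "BridgeVLAN":
            continue
        for key, value in items:
            try:
                ids = parse_vlan_spec(value)
            except ValueError as err:
                findings.append(f"{key}=: {err}")
                continue
            if key == "VLAN":
                allowed |= ids
            elif key == "EgressUntagged":
                untagged |= ids
                allowed |= ids  # implies VLAN= for the same IDs
            elif key == "PVID":
                if pvid is not None:
                    findings.append(f"PVID= used more than once ({pvid}, then {value})")
                elif len(ids) != 1:  # assumption: a PVID is a single ID
                    findings.append(f"PVID={value} is a range, expected one ID")
                else:
                    pvid = min(ids)
                    allowed |= ids  # implies VLAN= for the same ID
    if permitted is not None:
        excess = sorted(allowed - set(permitted))
        if excess:
            findings.append(f"port carries VLANs outside the permitted set: {excess}")
    return {"allowed": allowed, "untagged": untagged, "pvid": pvid, "findings": findings}


if __name__ == "__main__":
    report = audit_bridge_vlans(SAMPLE, permitted={100, 101, 102, 200})
    print("allowed :", sorted(report["allowed"]))
    print("untagged:", sorted(report["untagged"]))
    print("pvid    :", report["pvid"])
    for finding in report["findings"]:
        print("finding :", finding)
```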
3469 Example 1. Static network configuration
3470
3471 # /etc/systemd/network/50-static.network
3472 [Match]
3473 Name=enp2s0
3474
3475 [Network]
3476 Address=192.168.0.15/24
3477 Gateway=192.168.0.1
3478
3479 This brings interface "enp2s0" up with a static address. The specified
3480 gateway will be used for a default route.
3481
3482 Example 2. DHCP on ethernet links
3483
3484 # /etc/systemd/network/80-dhcp.network
3485 [Match]
3486 Name=en*
3487
3488 [Network]
3489 DHCP=yes
3490
3491 This will enable DHCPv4 and DHCPv6 on all interfaces with names
3492 starting with "en" (i.e. ethernet interfaces).
3493
3494 Example 3. IPv6 Prefix Delegation (DHCPv6 PD)
3495
3496 # /etc/systemd/network/55-dhcpv6-pd-upstream.network
3497 [Match]
3498 Name=enp1s0
3499
3500 [Network]
3501 DHCP=ipv6
3502
3503 # The below setting is optional, to also assign an address in the delegated prefix
3504 # to the upstream interface. If not necessary, then comment out the line below and
3505 # the [DHCPPrefixDelegation] section.
3506 DHCPPrefixDelegation=yes
3507
3508 # If the upstream network provides Router Advertisement with Managed bit set,
3509 # then comment out the line below and WithoutRA= setting in the [DHCPv6] section.
3510 IPv6AcceptRA=no
3511
3512 [DHCPv6]
3513 WithoutRA=solicit
3514
3515 [DHCPPrefixDelegation]
3516 UplinkInterface=:self
3517 SubnetId=0
3518 Announce=no
3519
3520 # /etc/systemd/network/55-dhcpv6-pd-downstream.network
3521 [Match]
3522 Name=enp2s0
3523
3524 [Network]
3525 DHCPPrefixDelegation=yes
3526 IPv6SendRA=yes
3527
3528 # It is expected that the host is acting as a router. So, usually it is not
3529 # necessary to receive Router Advertisement from other hosts in the downstream network.
3530 IPv6AcceptRA=no
3531
3532 [DHCPPrefixDelegation]
3533 UplinkInterface=enp1s0
3534 SubnetId=1
3535 Announce=yes
3536
3537 This will enable DHCPv6-PD on the interface enp1s0 as an upstream
3538 interface where the DHCPv6 client is running and enp2s0 as a downstream
3539 interface where the prefix is delegated to. The delegated prefixes are
3540 distributed by IPv6 Router Advertisement on the downstream network.

Example 4. IPv6 Prefix Delegation (DHCPv4 6RD)

    # /etc/systemd/network/55-dhcpv4-6rd-upstream.network
    [Match]
    Name=enp1s0

    [Network]
    DHCP=ipv4

    # When DHCPv4-6RD is used, the upstream network does not support IPv6.
    # Hence, it is not necessary to wait for Router Advertisement, which is enabled by default.
    IPv6AcceptRA=no

    [DHCPv4]
    Use6RD=yes

    # /etc/systemd/network/55-dhcpv4-6rd-downstream.network
    [Match]
    Name=enp2s0

    [Network]
    DHCPPrefixDelegation=yes
    IPv6SendRA=yes

    # It is expected that the host is acting as a router. So, usually it is not
    # necessary to receive Router Advertisement from other hosts in the downstream network.
    IPv6AcceptRA=no

    [DHCPPrefixDelegation]
    UplinkInterface=enp1s0
    SubnetId=1
    Announce=yes

This will enable DHCPv4-6RD on the interface enp1s0 as an upstream
interface where the DHCPv4 client is running and enp2s0 as a downstream
interface where the prefix is delegated to. The delegated prefixes are
distributed by IPv6 Router Advertisement on the downstream network.
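
How the SubnetId= values in Examples 3 and 4 select a subnet, as an added example that is not part of the manual page or of systemd. It assumes SubnetId= is read as a hexadecimal number and that each link receives a /64; the delegated prefix 2001:db8:0:ab00::/56 and the names subnet_for and plan are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the [DHCPPrefixDelegation] sections of Example 3,
# keyed by the interface each file matches.
PD_SECTIONS = {
    "enp1s0": "[DHCPPrefixDelegation]\nUplinkInterface=:self\nSubnetId=0\nAnnounce=no\n",
    "enp2s0": "[DHCPPrefixDelegation]\nUplinkInterface=enp1s0\nSubnetId=1\nAnnounce=yes\n",
}

def subnet_for(delegated, subnet_id, length=64):
    """Return subnet number `subnet_id` (hex string) of the delegated prefix."""
    prefix = ipaddress.IPv6Network(delegated)
    if length < prefix.prefixlen:
        raise ValueError(f"{prefix} is longer than /{length}")
    index = int(subnet_id, 16)
    # Only 2^(length - prefixlen) subnets exist inside the delegation.
    if index >= 1 << (length - prefix.prefixlen):
        raise ValueError(f"SubnetId={subnet_id} does not fit in {prefix}")
    base = int(prefix.network_address) + (index << (128 - length))
    return ipaddress.IPv6Network((base, length))

def plan(delegated, sections):
    """Map interface -> assigned subnet; refuse two links sharing a SubnetId."""
    owner, result = {}, {}
    for iface, text in sections.items():
        m = re.search(r"^[ \t]*SubnetId[ \t]*=[ \t]*(\S+)", text, re.M)
        if m is None or m.group(1) == "auto":
            continue  # automatic allocation is not modelled here
        net = subnet_for(delegated, m.group(1))
        if net in owner:
            raise ValueError(f"{iface} and {owner[net]} both get {net}")
        owner[net] = iface
        result[iface] = str(net)
    return result

if __name__ == "__main__":
    for iface, net in plan("2001:db8:0:ab00::/56", PD_SECTIONS).items():
        print(iface, net)
```

Under this model a delegation of exactly /64 leaves room for SubnetId=0 only, so the downstream SubnetId=1 of the examples raises ValueError in that case.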

Example 5. A bridge with two enslaved links

    # /etc/systemd/network/25-bridge-static.netdev
    [NetDev]
    Name=bridge0
    Kind=bridge

    # /etc/systemd/network/25-bridge-static.network
    [Match]
    Name=bridge0

    [Network]
    Address=192.168.0.15/24
    Gateway=192.168.0.1
    DNS=192.168.0.1

    # /etc/systemd/network/25-bridge-slave-interface-1.network
    [Match]
    Name=enp2s0

    [Network]
    Bridge=bridge0

    # /etc/systemd/network/25-bridge-slave-interface-2.network
    [Match]
    Name=wlp3s0

    [Network]
    Bridge=bridge0

This creates a bridge and attaches devices "enp2s0" and "wlp3s0" to it.
The bridge will have the specified static address and network assigned,
and a default route via the specified gateway will be added. The
specified DNS server will be added to the global list of DNS resolvers.

Example 6. Bridge port with VLAN forwarding

    # /etc/systemd/network/25-bridge-slave-interface-1.network
    [Match]
    Name=enp2s0

    [Network]
    Bridge=bridge0

    [BridgeVLAN]
    VLAN=1-32
    PVID=42
    EgressUntagged=42

    [BridgeVLAN]
    VLAN=100-200

    [BridgeVLAN]
    EgressUntagged=300-400

This overrides the configuration specified in the previous example for
the interface "enp2s0", and enables VLAN on that bridge port. VLAN IDs
1-32, 42, 100-400 will be allowed. Packets tagged with VLAN IDs 42,
300-400 will be untagged when they leave on this interface. Untagged
packets which arrive on this interface will be assigned VLAN ID 42.

Example 7. Various tunnels

    # /etc/systemd/network/25-tunnels.network
    [Match]
    Name=ens1

    [Network]
    Tunnel=ipip-tun
    Tunnel=sit-tun
    Tunnel=gre-tun
    Tunnel=vti-tun

    # /etc/systemd/network/25-tunnel-ipip.netdev
    [NetDev]
    Name=ipip-tun
    Kind=ipip

    # /etc/systemd/network/25-tunnel-sit.netdev
    [NetDev]
    Name=sit-tun
    Kind=sit

    # /etc/systemd/network/25-tunnel-gre.netdev
    [NetDev]
    Name=gre-tun
    Kind=gre

    # /etc/systemd/network/25-tunnel-vti.netdev
    [NetDev]
    Name=vti-tun
    Kind=vti

This will bring interface "ens1" up and create an IPIP tunnel, a SIT
tunnel, a GRE tunnel, and a VTI tunnel using it.

Example 8. A bond device

    # /etc/systemd/network/30-bond1.network
    [Match]
    Name=bond1

    [Network]
    DHCP=ipv6

    # /etc/systemd/network/30-bond1.netdev
    [NetDev]
    Name=bond1
    Kind=bond

    # /etc/systemd/network/30-bond1-dev1.network
    [Match]
    MACAddress=52:54:00:e9:64:41

    [Network]
    Bond=bond1

    # /etc/systemd/network/30-bond1-dev2.network
    [Match]
    MACAddress=52:54:00:e9:64:42

    [Network]
    Bond=bond1

This will create a bond device "bond1" and enslave the two devices with
MAC addresses 52:54:00:e9:64:41 and 52:54:00:e9:64:42 to it. IPv6 DHCP
will be used to acquire an address.

Example 9. Virtual Routing and Forwarding (VRF)

Add the "bond1" interface to the VRF master interface "vrf1". This will
redirect routes generated on this interface to be within the routing
table defined during VRF creation. For kernels before 4.8, traffic won't
be redirected towards the VRF's routing table unless specific ip-rules
are added.

    # /etc/systemd/network/25-vrf.network
    [Match]
    Name=bond1

    [Network]
    VRF=vrf1

Example 10. MacVTap

This brings up a network interface "macvtap-test" and attaches it to
"enp0s25".

    # /usr/lib/systemd/network/25-macvtap.network
    [Match]
    Name=enp0s25

    [Network]
    MACVTAP=macvtap-test

Example 11. An Xfrm interface with physical underlying device

    # /etc/systemd/network/27-xfrm.netdev
    [NetDev]
    Name=xfrm0
    Kind=xfrm

    [Xfrm]
    InterfaceId=7

    # /etc/systemd/network/27-eth0.network
    [Match]
    Name=eth0

    [Network]
    Xfrm=xfrm0

This creates an "xfrm0" interface and binds it to the "eth0" device.
This allows hardware-based IPsec offloading to the "eth0" NIC. If
offloading is not needed, xfrm interfaces can be assigned to the "lo"
device.
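
A review aid for the multi-file examples above, added here and not part of the manual page or of systemd: it checks that every Bridge=, Bond=, VRF=, Tunnel=, MACVTAP= and Xfrm= reference in a set of .network files has a .netdev with that Name=, and, for all keys except Tunnel=, that the Kind= agrees. The sample input is constructed from Examples 7 and 9; the function names and the key-to-kind table are assumptions of this example.

```python
import re

# Constructed sample: the files of Examples 7 and 9, keyed by file name.
FILES = {
    "25-tunnels.network": "[Match]\nName=ens1\n\n[Network]\n"
                          "Tunnel=ipip-tun\nTunnel=sit-tun\nTunnel=gre-tun\nTunnel=vti-tun\n",
    "25-tunnel-ipip.netdev": "[NetDev]\nName=ipip-tun\nKind=ipip\n",
    "25-tunnel-sit.netdev": "[NetDev]\nName=sit-tun\nKind=sit\n",
    "25-tunnel-gre.netdev": "[NetDev]\nName=gre-tun\nKind=gre\n",
    "25-tunnel-vti.netdev": "[NetDev]\nName=vti-tun\nKind=vti\n",
    "25-vrf.network": "[Match]\nName=bond1\n\n[Network]\nVRF=vrf1\n",
}

# [Network] keys that name another device; limited to the settings used in
# the examples on this page.
REF_RE = re.compile(
    r"^[ \t]*(Bridge|Bond|VRF|Tunnel|MACVTAP|Xfrm)[ \t]*=[ \t]*(\S+)", re.M)
# Keys whose target must have one specific Kind= (Tunnel= allows several).
FIXED_KIND = {"Bridge": "bridge", "Bond": "bond", "VRF": "vrf",
              "MACVTAP": "macvtap", "Xfrm": "xfrm"}

def _value(key, text):
    m = re.search(rf"^[ \t]*{key}[ \t]*=[ \t]*(\S+)", text, re.M)
    return m.group(1) if m else None

def netdev_kinds(files):
    """Map each netdev Name= to its Kind=, from the .netdev files only."""
    return {_value("Name", t): _value("Kind", t)
            for f, t in files.items()
            if f.endswith(".netdev") and _value("Name", t)}

def unresolved(files):
    """List (file, key, name, reason) for references that do not resolve."""
    kinds, problems = netdev_kinds(files), []
    for fname in sorted(files):
        if not fname.endswith(".network"):
            continue
        # findall keeps every occurrence, so repeated Tunnel= lines all count.
        for key, name in REF_RE.findall(files[fname]):
            if name not in kinds:
                problems.append((fname, key, name, "no .netdev in this set"))
            elif key in FIXED_KIND and kinds[name] != FIXED_KIND[key]:
                problems.append((fname, key, name, f"Kind={kinds[name]}"))
    return problems

if __name__ == "__main__":
    for finding in unresolved(FILES):
        print(*finding)
```

For the sample the only finding is VRF=vrf1: Example 9 shows no .netdev for "vrf1", so that device has to be defined in a file outside the example.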

SEE ALSO
systemd(1), systemd-networkd.service(8), systemd.link(5),
systemd.netdev(5), systemd-network-generator.service(8),
systemd-resolved.service(8)

systemd 253                                            SYSTEMD.NETWORK(5)