1SYSTEMD.NETWORK(5) systemd.network SYSTEMD.NETWORK(5)
2
6 systemd.network - Network configuration
7
9 network.network
10
12 A plain ini-style text file that encodes network configuration for
13 matching network interfaces, used by systemd-networkd(8). See
14 systemd.syntax(7) for a general description of the syntax.
15 The main network file must have the extension .network; other
17 extensions are ignored. Networks are applied to links whenever the
18 links appear.
19 The .network files are read from the files located in the system
21 network directories /usr/lib/systemd/network and
22 /usr/local/lib/systemd/network, the volatile runtime network directory
23 /run/systemd/network and the local administration network directory
24 /etc/systemd/network. All configuration files are collectively sorted
25 and processed in alphanumeric order, regardless of the directories in
26 which they live. However, files with identical filenames replace each
27 other. It is recommended that each filename is prefixed with a number
28 (e.g. 10-eth0.network). Otherwise, the default .network files or those
29 generated by systemd-network-generator.service(8) may take precedence
30 over user configured files. Files in /etc/ have the highest priority,
31 files in /run/ take precedence over files with the same name under
32 /usr/. This can be used to override a system-supplied configuration
33 file with a local file if needed. As a special case, an empty file
34 (file size 0) or symlink with the same name pointing to /dev/null
35 disables the configuration file entirely (it is "masked").
36 Along with the network file foo.network, a "drop-in" directory
38 foo.network.d/ may exist. All files with the suffix ".conf" from this
39 directory will be merged in the alphanumeric order and parsed after the
40 main file itself has been parsed. This is useful to alter or add
41 configuration settings, without having to modify the main configuration
42 file. Each drop-in file must have appropriate section headers.
43 In addition to /etc/systemd/network, drop-in ".d" directories can be
45 placed in /usr/lib/systemd/network or /run/systemd/network directories.
46 Drop-in files in /etc/ take precedence over those in /run/ which in
47 turn take precedence over those in /usr/lib/. Drop-in files under any
48 of these directories take precedence over the main network file
49 wherever located.
50
52 The network file contains a [Match] section, which determines if a
53 given network file may be applied to a given interface; and a [Network]
54 section specifying how the interface should be configured. The first
55 (in alphanumeric order) of the network files that matches a given
56 interface is applied, all later files are ignored, even if they match
57 as well.
58 A network file is said to match a network interface if all matches
60 specified by the [Match] section are satisfied. When a network file
61 does not contain valid settings in [Match] section, then the file will
62 match all interfaces and systemd-networkd warns about that. Hint: to
63 avoid the warning and to make it clear that all interfaces shall be
64 matched, add the following:
65 Name=*
67 The following keys are accepted:
69 MACAddress=
71 A whitespace-separated list of hardware addresses. The acceptable
72 formats are:
73 colon-delimited hexadecimal
75 Each field must be one byte. E.g. "12:34:56:78:90:ab" or
76 "AA:BB:CC:DD:EE:FF".
77 hyphen-delimited hexadecimal
79 Each field must be one byte. E.g. "12-34-56-78-90-ab" or
80 "AA-BB-CC-DD-EE-FF".
81 dot-delimited hexadecimal
83 Each field must be two bytes. E.g. "1234.5678.90ab" or
84 "AABB.CCDD.EEFF".
85 IPv4 address format
87 E.g. "127.0.0.1" or "192.168.0.1".
88 IPv6 address format
90 E.g. "2001:0db8:85a3::8a2e:0370:7334" or "::1".
91 The total length of each MAC address must be 4 (for IPv4 tunnel), 6
93 (for Ethernet), 16 (for IPv6 tunnel), or 20 (for InfiniBand). This
94 option may appear more than once, in which case the lists are
95 merged. If the empty string is assigned to this option, the list of
96 hardware addresses defined prior to this is reset. Defaults to
97 unset.
98 PermanentMACAddress=
100 A whitespace-separated list of hardware's permanent addresses.
101 While MACAddress= matches the device's current MAC address, this
102 matches the device's permanent MAC address, which may be different
103 from the current one. Use full colon-, hyphen- or dot-delimited
104 hexadecimal, or IPv4 or IPv6 address format. This option may appear
105 more than once, in which case the lists are merged. If the empty
106 string is assigned to this option, the list of hardware addresses
107 defined prior to this is reset. Defaults to unset.
108 Path=
110 A whitespace-separated list of shell-style globs matching the
111 persistent path, as exposed by the udev property ID_PATH.
112 Driver=
114 A whitespace-separated list of shell-style globs matching the
115 driver currently bound to the device, as exposed by the udev
116 property ID_NET_DRIVER of its parent device, or if that is not set,
117 the driver as exposed by ethtool -i of the device itself. If the
118 list is prefixed with a "!", the test is inverted.
119 Type=
121 A whitespace-separated list of shell-style globs matching the
122 device type, as exposed by networkctl list. If the list is prefixed
123 with a "!", the test is inverted. Some valid values are "ether",
124 "loopback", "wlan", "wwan". Valid types are named either from the
125 udev "DEVTYPE" attribute, or "ARPHRD_" macros in linux/if_arp.h, so
126 this is not comprehensive.
127 Kind=
129 A whitespace-separated list of shell-style globs matching the
130 device kind, as exposed by networkctl status INTERFACE or ip -d
131 link show INTERFACE. If the list is prefixed with a "!", the test
132 is inverted. Some valid values are "bond", "bridge", "gre", "tun",
133 "veth". Valid kinds are given by netlink's "IFLA_INFO_KIND"
134 attribute, so this is not comprehensive.
135 Property=
137 A whitespace-separated list of udev property names with their
138 values after equals sign ("="). If multiple properties are
139 specified, the test results are ANDed. If the list is prefixed with
140 a "!", the test is inverted. If a value contains white spaces, then
141 please quote whole key and value pair. If a value contains
142 quotation, then please escape the quotation with "\".
143 Example: if a .link file has the following:
145 Property=ID_MODEL_ID=9999 "ID_VENDOR_FROM_DATABASE=vendor name" "KEY=with \"quotation\""
147 then, the .link file matches only when an interface has all the
149 above three properties.
150 Name=
152 A whitespace-separated list of shell-style globs matching the
153 device name, as exposed by the udev property "INTERFACE", or
154 device's alternative names. If the list is prefixed with a "!", the
155 test is inverted.
156 WLANInterfaceType=
158 A whitespace-separated list of wireless network type. Supported
159 values are "ad-hoc", "station", "ap", "ap-vlan", "wds", "monitor",
160 "mesh-point", "p2p-client", "p2p-go", "p2p-device", "ocb", and
161 "nan". If the list is prefixed with a "!", the test is inverted.
162 SSID=
164 A whitespace-separated list of shell-style globs matching the SSID
165 of the currently connected wireless LAN. If the list is prefixed
166 with a "!", the test is inverted.
167 BSSID=
169 A whitespace-separated list of hardware address of the currently
170 connected wireless LAN. Use full colon-, hyphen- or dot-delimited
171 hexadecimal. See the example in MACAddress=. This option may appear
172 more than once, in which case the lists are merged. If the empty
173 string is assigned to this option, the list is reset.
174 Host=
176 Matches against the hostname or machine ID of the host. See
177 ConditionHost= in systemd.unit(5) for details. When prefixed with
178 an exclamation mark ("!"), the result is negated. If an empty
179 string is assigned, the previously assigned value is cleared.
180 Virtualization=
182 Checks whether the system is executed in a virtualized environment
183 and optionally test whether it is a specific implementation. See
184 ConditionVirtualization= in systemd.unit(5) for details. When
185 prefixed with an exclamation mark ("!"), the result is negated. If
186 an empty string is assigned, the previously assigned value is
187 cleared.
188 KernelCommandLine=
190 Checks whether a specific kernel command line option is set. See
191 ConditionKernelCommandLine= in systemd.unit(5) for details. When
192 prefixed with an exclamation mark ("!"), the result is negated. If
193 an empty string is assigned, the previously assigned value is
194 cleared.
195 KernelVersion=
197 Checks whether the kernel version (as reported by uname -r) matches
198 a certain expression. See ConditionKernelVersion= in
199 systemd.unit(5) for details. When prefixed with an exclamation mark
200 ("!"), the result is negated. If an empty string is assigned, the
201 previously assigned value is cleared.
202 Credential=
204 Checks whether the specified credential was passed to the
205 systemd-udevd.service service. See System and Service
206 Credentials[1] for details. When prefixed with an exclamation mark
207 ("!"), the result is negated. If an empty string is assigned, the
208 previously assigned value is cleared.
209 Architecture=
211 Checks whether the system is running on a specific architecture.
212 See ConditionArchitecture= in systemd.unit(5) for details. When
213 prefixed with an exclamation mark ("!"), the result is negated. If
214 an empty string is assigned, the previously assigned value is
215 cleared.
216 Firmware=
218 Checks whether the system is running on a machine with the
219 specified firmware. See ConditionFirmware= in systemd.unit(5) for
220 details. When prefixed with an exclamation mark ("!"), the result
221 is negated. If an empty string is assigned, the previously assigned
222 value is cleared.
223
225 The [Link] section accepts the following keys:
226 MACAddress=
228 The hardware address to set for the device.
229 MTUBytes=
231 The maximum transmission unit in bytes to set for the device. The
232 usual suffixes K, M, G, are supported and are understood to the
233 base of 1024.
234 Note that if IPv6 is enabled on the interface, and the MTU is
236 chosen below 1280 (the minimum MTU for IPv6) it will automatically
237 be increased to this value.
238 ARP=
240 Takes a boolean. If set to true, the ARP (low-level Address
241 Resolution Protocol) for this interface is enabled. When unset, the
242 kernel's default will be used.
243 For example, disabling ARP is useful when creating multiple MACVLAN
245 or VLAN virtual interfaces atop a single lower-level physical
246 interface, which will then only serve as a link/"bridge" device
247 aggregating traffic to the same physical link and not participate
248 in the network otherwise. Defaults to unset.
249 Multicast=
251 Takes a boolean. If set to true, the multicast flag on the device
252 is enabled. Defaults to unset.
253 AllMulticast=
255 Takes a boolean. If set to true, the driver retrieves all multicast
256 packets from the network. This happens when multicast routing is
257 enabled. Defaults to unset.
258 Promiscuous=
260 Takes a boolean. If set to true, promiscuous mode of the interface
261 is enabled. Defaults to unset.
262 If this is set to false for the underlying link of a "passthru"
264 mode MACVLAN/MACVTAP, the virtual interface will be created with
265 the "nopromisc" flag set.
266 Unmanaged=
268 Takes a boolean. When "yes", no attempts are made to bring up or
269 configure matching links, equivalent to when there are no matching
270 network files. Defaults to "no".
271 This is useful for preventing later matching network files from
273 interfering with certain interfaces that are fully controlled by
274 other applications.
275 Group=
277 Link groups are similar to port ranges found in managed switches.
278 When network interfaces are added to a numbered group, operations
279 on all the interfaces from that group can be performed at once.
280 Takes an unsigned integer in the range 0...2147483647. Defaults to
281 unset.
282 RequiredForOnline=
284 Takes a boolean or a minimum operational state and an optional
285 maximum operational state. Please see networkctl(1) for possible
286 operational states. When "yes", the network is deemed required when
287 determining whether the system is online (including when running
288 systemd-networkd-wait-online). When "no", the network is ignored
289 when determining the online state. When a minimum operational state
290 and an optional maximum operational state are set, "yes" is
291 implied, and this controls the minimum and maximum operational
292 state required for the network interface to be considered online.
293 Defaults to "yes" when ActivationPolicy= is not set, or set to
295 "up", "always-up", or "bound". Defaults to "no" when
296 ActivationPolicy= is set to "manual" or "down". This is forced to
297 "no" when ActivationPolicy= is set to "always-down".
298 The network will be brought up normally (as configured by
300 ActivationPolicy=), but in the event that there is no address being
301 assigned by DHCP or the cable is not plugged in, the link will
302 simply remain offline and be skipped automatically by
303 systemd-networkd-wait-online if "RequiredForOnline=no".
304 RequiredFamilyForOnline=
306 Takes an address family. When specified, an IP address in the given
307 family is deemed required when determining whether the link is
308 online (including when running systemd-networkd-wait-online). Takes
309 one of "ipv4", "ipv6", "both", or "any". Defaults to "any". Note
310 that this option has no effect if "RequiredForOnline=no", or if
311 "RequiredForOnline=" specifies a minimum operational state below
312 "degraded".
313 ActivationPolicy=
315 Specifies the policy for systemd-networkd managing the link
316 administrative state. Specifically, this controls how
317 systemd-networkd changes the network device's "IFF_UP" flag, which
318 is sometimes controlled by system administrators by running e.g.,
319 ip link set dev eth0 up or ip link set dev eth0 down, and can also
320 be changed with networkctl up eth0 or networkctl down eth0.
321 Takes one of "up", "always-up", "manual", "always-down", "down", or
323 "bound". When "manual", systemd-networkd will not change the link's
324 admin state automatically; the system administrator must bring the
325 interface up or down manually, as desired. When "up" (the default)
326 or "always-up", or "down" or "always-down", systemd-networkd will
327 set the link up or down, respectively, when the interface is
328 (re)configured. When "always-up" or "always-down", systemd-networkd
329 will set the link up or down, respectively, any time
330 systemd-networkd detects a change in the administrative state. When
331 BindCarrier= is also set, this is automatically set to "bound" and
332 any other value is ignored.
333 When the policy is set to "down" or "manual", the default value of
335 RequiredForOnline= is "no". When the policy is set to
336 "always-down", the value of RequiredForOnline= forced to "no".
337 The administrative state is not the same as the carrier state, so
339 using "always-up" does not mean the link will never lose carrier.
340 The link carrier depends on both the administrative state as well
341 as the network device's physical connection. However, to avoid
342 reconfiguration failures, when using "always-up",
343 IgnoreCarrierLoss= is forced to true.
344
346 The [SR-IOV] section accepts the following keys. Specify several
347 [SR-IOV] sections to configure several SR-IOVs. SR-IOV provides the
348 ability to partition a single physical PCI resource into virtual PCI
349 functions which can then be injected into a VM. In the case of network
350 VFs, SR-IOV improves north-south network performance (that is, traffic
351 with endpoints outside the host machine) by allowing traffic to bypass
352 the host machine’s network stack.
353 VirtualFunction=
355 Specifies a Virtual Function (VF), lightweight PCIe function
356 designed solely to move data in and out. Takes an integer in the
357 range 0...2147483646. This option is compulsory.
358 VLANId=
360 Specifies VLAN ID of the virtual function. Takes an integer in the
361 range 1...4095.
362 QualityOfService=
364 Specifies quality of service of the virtual function. Takes an
365 integer in the range 1...4294967294.
366 VLANProtocol=
368 Specifies VLAN protocol of the virtual function. Takes "802.1Q" or
369 "802.1ad".
370 MACSpoofCheck=
372 Takes a boolean. Controls the MAC spoof checking. When unset, the
373 kernel's default will be used.
374 QueryReceiveSideScaling=
376 Takes a boolean. Toggle the ability of querying the receive side
377 scaling (RSS) configuration of the virtual function (VF). The VF
378 RSS information like RSS hash key may be considered sensitive on
379 some devices where this information is shared between VF and the
380 physical function (PF). When unset, the kernel's default will be
381 used.
382 Trust=
384 Takes a boolean. Allows one to set trust mode of the virtual
385 function (VF). When set, VF users can set a specific feature which
386 may impact security and/or performance. When unset, the kernel's
387 default will be used.
388 LinkState=
390 Allows one to set the link state of the virtual function (VF).
391 Takes a boolean or a special value "auto". Setting to "auto" means
392 a reflection of the physical function (PF) link state, "yes" lets
393 the VF to communicate with other VFs on this host even if the PF
394 link state is down, "no" causes the hardware to drop any packets
395 sent by the VF. When unset, the kernel's default will be used.
396 MACAddress=
398 Specifies the MAC address for the virtual function.
399
401 The [Network] section accepts the following keys:
402 Description=
404 A description of the device. This is only used for presentation
405 purposes.
406 DHCP=
408 Enables DHCPv4 and/or DHCPv6 client support. Accepts "yes", "no",
409 "ipv4", or "ipv6". Defaults to "no".
410 Note that DHCPv6 will by default be triggered by Router
412 Advertisements, if reception is enabled, regardless of this
413 parameter. By explicitly enabling DHCPv6 support here, the DHCPv6
414 client will be started in the mode specified by the WithoutRA=
415 setting in the [DHCPv6] section, regardless of the presence of
416 routers on the link, or what flags the routers pass. See
417 IPv6AcceptRA=.
418 Furthermore, note that by default the domain name specified through
420 DHCP is not used for name resolution. See option UseDomains= below.
421 See the [DHCPv4] or [DHCPv6] sections below for further
423 configuration options for the DHCP client support.
424 DHCPServer=
426 Takes a boolean. If set to "yes", DHCPv4 server will be started.
427 Defaults to "no". Further settings for the DHCP server may be set
428 in the [DHCPServer] section described below.
429 LinkLocalAddressing=
431 Enables link-local address autoconfiguration. Accepts yes, no,
432 ipv4, and ipv6. An IPv6 link-local address is configured when yes
433 or ipv6. An IPv4 link-local address is configured when yes or ipv4
434 and when DHCPv4 autoconfiguration has been unsuccessful for some
435 time. (IPv4 link-local address autoconfiguration will usually
436 happen in parallel with repeated attempts to acquire a DHCPv4
437 lease).
438 Defaults to no when KeepMaster= or Bridge= is set or when the
440 specified MACVLAN=/MACVTAP= has Mode=passthru, or ipv6 otherwise.
441 IPv6LinkLocalAddressGenerationMode=
443 Specifies how IPv6 link-local address is generated. Takes one of
444 "eui64", "none", "stable-privacy" and "random". When unset,
445 "stable-privacy" is used if IPv6StableSecretAddress= is specified,
446 and if not, "eui64" is used. Note that if LinkLocalAddressing= is
447 "no" or "ipv4", then IPv6LinkLocalAddressGenerationMode= will be
448 ignored. Also, even if LinkLocalAddressing= is "yes" or "ipv6",
449 setting IPv6LinkLocalAddressGenerationMode=none disables to
450 configure an IPv6 link-local address.
451 IPv6StableSecretAddress=
453 Takes an IPv6 address. The specified address will be used as a
454 stable secret for generating IPv6 link-local address. If this
455 setting is specified, and IPv6LinkLocalAddressGenerationMode= is
456 unset, then IPv6LinkLocalAddressGenerationMode=stable-privacy is
457 implied. If this setting is not specified, and "stable-privacy" is
458 set to IPv6LinkLocalAddressGenerationMode=, then a stable secret
459 address will be generated from the local machine ID and the
460 interface name.
461 IPv4LLStartAddress=
463 Specifies the first IPv4 link-local address to try. Takes an IPv4
464 address for example 169.254.1.2, from the link-local address range:
465 169.254.0.0/16 except for 169.254.0.0/24 and 169.254.255.0/24. This
466 setting may be useful if the device should always have the same
467 address as long as there is no address conflict. When unset, a
468 random address will be automatically selected. Defaults to unset.
469 IPv4LLRoute=
471 Takes a boolean. If set to true, sets up the route needed for
472 non-IPv4LL hosts to communicate with IPv4LL-only hosts. Defaults to
473 false.
474 DefaultRouteOnDevice=
476 Takes a boolean. If set to true, sets up the IPv4 default route
477 bound to the interface. Defaults to false. This is useful when
478 creating routes on point-to-point interfaces. This is equivalent to
479 e.g. the following,
480 ip route add default dev veth99
482 or,
484 [Route]
486 Gateway=0.0.0.0
487 Currently, there are no way to specify e.g., the table for the
489 route configured by this setting. To configure the default route
490 with such an additional property, please use the following instead:
491 [Route]
493 Gateway=0.0.0.0
494 Table=1234
495 If you'd like to create an IPv6 default route bound to the
497 interface, please use the following:
498 [Route]
500 Gateway=::
501 Table=1234
502 LLMNR=
504 Takes a boolean or "resolve". When true, enables Link-Local
505 Multicast Name Resolution[2] on the link. When set to "resolve",
506 only resolution is enabled, but not host registration and
507 announcement. Defaults to true. This setting is read by systemd-
508 resolved.service(8).
509 MulticastDNS=
511 Takes a boolean or "resolve". When true, enables Multicast DNS[3]
512 support on the link. When set to "resolve", only resolution is
513 enabled, but not host or service registration and announcement.
514 Defaults to false. This setting is read by systemd-
515 resolved.service(8).
516 DNSOverTLS=
518 Takes a boolean or "opportunistic". When true, enables
519 DNS-over-TLS[4] support on the link. When set to "opportunistic",
520 compatibility with non-DNS-over-TLS servers is increased, by
521 automatically turning off DNS-over-TLS servers in this case. This
522 option defines a per-interface setting for resolved.conf(5)'s
523 global DNSOverTLS= option. Defaults to unset, and the global
524 setting will be used. This setting is read by systemd-
525 resolved.service(8).
526 DNSSEC=
528 Takes a boolean or "allow-downgrade". When true, enables DNSSEC[5]
529 DNS validation support on the link. When set to "allow-downgrade",
530 compatibility with non-DNSSEC capable networks is increased, by
531 automatically turning off DNSSEC in this case. This option defines
532 a per-interface setting for resolved.conf(5)'s global DNSSEC=
533 option. Defaults to unset, and the global setting will be used.
534 This setting is read by systemd-resolved.service(8).
535 DNSSECNegativeTrustAnchors=
537 A space-separated list of DNSSEC negative trust anchor domains. If
538 specified and DNSSEC is enabled, look-ups done via the interface's
539 DNS server will be subject to the list of negative trust anchors,
540 and not require authentication for the specified domains, or
541 anything below it. Use this to disable DNSSEC authentication for
542 specific private domains, that cannot be proven valid using the
543 Internet DNS hierarchy. Defaults to the empty list. This setting is
544 read by systemd-resolved.service(8).
545 LLDP=
547 Controls support for Ethernet LLDP packet reception. LLDP is a
548 link-layer protocol commonly implemented on professional routers
549 and bridges which announces which physical port a system is
550 connected to, as well as other related data. Accepts a boolean or
551 the special value "routers-only". When true, incoming LLDP packets
552 are accepted and a database of all LLDP neighbors maintained. If
553 "routers-only" is set only LLDP data of various types of routers is
554 collected and LLDP data about other types of devices ignored (such
555 as stations, telephones and others). If false, LLDP reception is
556 disabled. Defaults to "routers-only". Use networkctl(1) to query
557 the collected neighbor data. LLDP is only available on Ethernet
558 links. See EmitLLDP= below for enabling LLDP packet emission from
559 the local system.
560 EmitLLDP=
562 Controls support for Ethernet LLDP packet emission. Accepts a
563 boolean parameter or the special values "nearest-bridge",
564 "non-tpmr-bridge" and "customer-bridge". Defaults to false, which
565 turns off LLDP packet emission. If not false, a short LLDP packet
566 with information about the local system is sent out in regular
567 intervals on the link. The LLDP packet will contain information
568 about the local hostname, the local machine ID (as stored in
569 machine-id(5)) and the local interface name, as well as the pretty
570 hostname of the system (as set in machine-info(5)). LLDP emission
571 is only available on Ethernet links. Note that this setting passes
572 data suitable for identification of host to the network and should
573 thus not be enabled on untrusted networks, where such
574 identification data should not be made available. Use this option
575 to permit other systems to identify on which interfaces they are
576 connected to this system. The three special values control
577 propagation of the LLDP packets. The "nearest-bridge" setting
578 permits propagation only to the nearest connected bridge,
579 "non-tpmr-bridge" permits propagation across Two-Port MAC Relays,
580 but not any other bridges, and "customer-bridge" permits
581 propagation until a customer bridge is reached. For details about
582 these concepts, see IEEE 802.1AB-2016[6]. Note that configuring
583 this setting to true is equivalent to "nearest-bridge", the
584 recommended and most restricted level of propagation. See LLDP=
585 above for an option to enable LLDP reception.
586 BindCarrier=
588 A link name or a list of link names. When set, controls the
589 behavior of the current link. When all links in the list are in an
590 operational down state, the current link is brought down. When at
591 least one link has carrier, the current interface is brought up.
592 This forces ActivationPolicy= to be set to "bound".
594 Address=
596 A static IPv4 or IPv6 address and its prefix length, separated by a
597 "/" character. Specify this key more than once to configure several
598 addresses. The format of the address must be as described in
599 inet_pton(3). This is a short-hand for an [Address] section only
600 containing an Address key (see below). This option may be specified
601 more than once.
602 If the specified address is "0.0.0.0" (for IPv4) or "::" (for
604 IPv6), a new address range of the requested size is automatically
605 allocated from a system-wide pool of unused ranges. Note that the
606 prefix length must be equal or larger than 8 for IPv4, and 64 for
607 IPv6. The allocated range is checked against all current network
608 interfaces and all known network configuration files to avoid
609 address range conflicts. The default system-wide pool consists of
610 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8 for IPv4, and fd00::/8
611 for IPv6. This functionality is useful to manage a large number of
612 dynamically created network interfaces with the same network
613 configuration and automatic address range assignment.
614 Gateway=
616 The gateway address, which must be in the format described in
617 inet_pton(3). This is a short-hand for a [Route] section only
618 containing a Gateway= key. This option may be specified more than
619 once.
620 DNS=
622 A DNS server address, which must be in the format described in
623 inet_pton(3). This option may be specified more than once. Each
624 address can optionally take a port number separated with ":", a
625 network interface name or index separated with "%", and a Server
626 Name Indication (SNI) separated with "#". When IPv6 address is
627 specified with a port number, then the address must be in the
628 square brackets. That is, the acceptable full formats are
629 "111.222.333.444:9953%ifname#example.com" for IPv4 and
630 "[1111:2222::3333]:9953%ifname#example.com" for IPv6. If an empty
631 string is assigned, then the all previous assignments are cleared.
632 This setting is read by systemd-resolved.service(8).
633 Domains=
635 A whitespace-separated list of domains which should be resolved
636 using the DNS servers on this link. Each item in the list should be
637 a domain name, optionally prefixed with a tilde ("~"). The domains
638 with the prefix are called "routing-only domains". The domains
639 without the prefix are called "search domains" and are first used
640 as search suffixes for extending single-label hostnames (hostnames
641 containing no dots) to become fully qualified domain names (FQDNs).
642 If a single-label hostname is resolved on this interface, each of
643 the specified search domains are appended to it in turn, converting
644 it into a fully qualified domain name, until one of them may be
645 successfully resolved.
646 Both "search" and "routing-only" domains are used for routing of
648 DNS queries: look-ups for hostnames ending in those domains (hence
649 also single label names, if any "search domains" are listed), are
650 routed to the DNS servers configured for this interface. The domain
651 routing logic is particularly useful on multi-homed hosts with DNS
652 servers serving particular private DNS zones on each interface.
653 The "routing-only" domain "~." (the tilde indicating definition of
655 a routing domain, the dot referring to the DNS root domain which is
656 the implied suffix of all valid DNS names) has special effect. It
657 causes all DNS traffic which does not match another configured
658 domain routing entry to be routed to DNS servers specified for this
659 interface. This setting is useful to prefer a certain set of DNS
660 servers if a link on which they are connected is available.
661 This setting is read by systemd-resolved.service(8). "Search
663 domains" correspond to the domain and search entries in
664 resolv.conf(5). Domain name routing has no equivalent in the
665 traditional glibc API, which has no concept of domain name servers
666 limited to a specific link.
667 DNSDefaultRoute=
669 Takes a boolean argument. If true, this link's configured DNS
670 servers are used for resolving domain names that do not match any
671 link's configured Domains= setting. If false, this link's
672 configured DNS servers are never used for such domains, and are
673 exclusively used for resolving names that match at least one of the
674 domains configured on this link. If not specified defaults to an
675 automatic mode: queries not matching any link's configured domains
676 will be routed to this link if it has no routing-only domains
677 configured.
678 NTP=
680 An NTP server address (either an IP address, or a hostname). This
681 option may be specified more than once. This setting is read by
682 systemd-timesyncd.service(8).
683 IPForward=
685 Configures IP packet forwarding for the system. If enabled,
686 incoming packets on any network interface will be forwarded to any
687 other interfaces according to the routing table. Takes a boolean,
688 or the values "ipv4" or "ipv6", which only enable IP packet
689 forwarding for the specified address family. This controls the
690 net.ipv4.ip_forward and net.ipv6.conf.all.forwarding sysctl options
691 of the network interface (see IP Sysctl[7] for details about sysctl
692 options). Defaults to "no".
693 Note: this setting controls a global kernel option, and does so one
695 way only: if a network that has this setting enabled is set up the
696 global setting is turned on. However, it is never turned off again,
697 even after all networks with this setting enabled are shut down
698 again.
699 To allow IP packet forwarding only between specific network
701 interfaces use a firewall.
702 IPMasquerade=
704 Configures IP masquerading for the network interface. If enabled,
705 packets forwarded from the network interface will be appear as
706 coming from the local host. Takes one of "ipv4", "ipv6", "both", or
707 "no". Defaults to "no". If enabled, this automatically sets
708 IPForward= to one of "ipv4", "ipv6" or "yes".
709 Note. Any positive boolean values such as "yes" or "true" are now
711 deprecated. Please use one of the values in the above.
712 IPv6PrivacyExtensions=
714 Configures use of stateless temporary addresses that change over
715 time (see RFC 4941[8], Privacy Extensions for Stateless Address
716 Autoconfiguration in IPv6). Takes a boolean or the special values
717 "prefer-public" and "kernel". When true, enables the privacy
718 extensions and prefers temporary addresses over public addresses.
719 When "prefer-public", enables the privacy extensions, but prefers
720 public addresses over temporary addresses. When false, the privacy
721 extensions remain disabled. When "kernel", the kernel's default
722 setting will be left in place. Defaults to "no".
723 IPv6AcceptRA=
725 Takes a boolean. Controls IPv6 Router Advertisement (RA) reception
726 support for the interface. If true, RAs are accepted; if false, RAs
727 are ignored. When RAs are accepted, they may trigger the start of
728 the DHCPv6 client if the relevant flags are set in the RA data, or
729 if no routers are found on the link. The default is to disable RA
730 reception for bridge devices or when IP forwarding is enabled, and
731 to enable it otherwise. Cannot be enabled on devices aggregated in
732 a bond device or when link-local addressing is disabled.
733 Further settings for the IPv6 RA support may be configured in the
735 [IPv6AcceptRA] section, see below.
736 Also see IP Sysctl[7] in the kernel documentation regarding
738 "accept_ra", but note that systemd's setting of 1 (i.e. true)
739 corresponds to kernel's setting of 2.
740 Note that kernel's implementation of the IPv6 RA protocol is always
742 disabled, regardless of this setting. If this option is enabled, a
743 userspace implementation of the IPv6 RA protocol is used, and the
744 kernel's own implementation remains disabled, since
745 systemd-networkd needs to know all details supplied in the
746 advertisements, and these are not available from the kernel if the
747 kernel's own implementation is used.
748 IPv6DuplicateAddressDetection=
750 Configures the amount of IPv6 Duplicate Address Detection (DAD)
751 probes to send. When unset, the kernel's default will be used.
752 IPv6HopLimit=
754 Configures IPv6 Hop Limit. For each router that forwards the
755 packet, the hop limit is decremented by 1. When the hop limit field
756 reaches zero, the packet is discarded. When unset, the kernel's
757 default will be used.
758 IPv4AcceptLocal=
760 Takes a boolean. Accept packets with local source addresses. In
761 combination with suitable routing, this can be used to direct
762 packets between two local interfaces over the wire and have them
763 accepted properly. When unset, the kernel's default will be used.
764 IPv4RouteLocalnet=
766 Takes a boolean. When true, the kernel does not consider loopback
767 addresses as martian source or destination while routing. This
768 enables the use of 127.0.0.0/8 for local routing purposes. When
769 unset, the kernel's default will be used.
770 IPv4ProxyARP=
772 Takes a boolean. Configures proxy ARP for IPv4. Proxy ARP is the
773 technique in which one host, usually a router, answers ARP requests
774 intended for another machine. By "faking" its identity, the router
775 accepts responsibility for routing packets to the "real"
776 destination. See RFC 1027[9]. When unset, the kernel's default will
777 be used.
778 IPv6ProxyNDP=
780 Takes a boolean. Configures proxy NDP for IPv6. Proxy NDP (Neighbor
781 Discovery Protocol) is a technique for IPv6 to allow routing of
782 addresses to a different destination when peers expect them to be
783 present on a certain physical link. In this case a router answers
784 Neighbour Advertisement messages intended for another machine by
785 offering its own MAC address as destination. Unlike proxy ARP for
786 IPv4, it is not enabled globally, but will only send Neighbour
787 Advertisement messages for addresses in the IPv6 neighbor proxy
788 table, which can also be shown by ip -6 neighbour show proxy.
789 systemd-networkd will control the per-interface `proxy_ndp` switch
790 for each configured interface depending on this option. When unset,
791 the kernel's default will be used.
792 IPv6ProxyNDPAddress=
794 An IPv6 address, for which Neighbour Advertisement messages will be
795 proxied. This option may be specified more than once.
796 systemd-networkd will add the IPv6ProxyNDPAddress= entries to the
797 kernel's IPv6 neighbor proxy table. This setting implies
798 IPv6ProxyNDP=yes but has no effect if IPv6ProxyNDP= has been set to
799 false. When unset, the kernel's default will be used.
800 IPv6SendRA=
802 Whether to enable or disable Router Advertisement sending on a
803 link. Takes a boolean value. When enabled, prefixes configured in
804 [IPv6Prefix] sections and routes configured in the
805 [IPv6RoutePrefix] sections are distributed as defined in the
806 [IPv6SendRA] section. If DHCPPrefixDelegation= is enabled, then the
807 delegated prefixes are also distributed. See DCHPPrefixDelegation=
808 setting and the [IPv6SendRA], [IPv6Prefix], [IPv6RoutePrefix], and
809 [DHCPPrefixDelegation] sections for more configuration options.
810 DHCPPrefixDelegation=
812 Takes a boolean value. When enabled, requests subnet prefixes on
813 another link via the DHCPv6 protocol or via the 6RD option in the
814 DHCPv4 protocol. An address within each delegated prefix will be
815 assigned, and the prefixes will be announced through IPv6 Router
816 Advertisement if IPv6SendRA= is enabled. This behaviour can be
817 configured in the [DHCPPrefixDelegation] section. Defaults to
818 disabled.
819 IPv6MTUBytes=
821 Configures IPv6 maximum transmission unit (MTU). An integer greater
822 than or equal to 1280 bytes. When unset, the kernel's default will
823 be used.
824 KeepMaster=
826 Takes a boolean value. When enabled, the current master interface
827 index will not be changed, and BatmanAdvanced=, Bond=, Bridge=, and
828 VRF= settings are ignored. This may be useful when a netdev with a
829 master interface is created by another program, e.g. systemd-
830 nspawn(1). Defaults to false.
831 BatmanAdvanced=, Bond=, Bridge=, VRF=
833 The name of the B.A.T.M.A.N. Advanced, bond, bridge, or VRF
834 interface to add the link to. See systemd.netdev(5).
835 IPoIB=, IPVLAN=, IPVTAP=, MACsec=, MACVLAN=, MACVTAP=, Tunnel=, VLAN=,
837 VXLAN=, Xfrm=
838 The name of an IPoIB, IPVLAN, IPVTAP, MACsec, MACVLAN, MACVTAP,
839 tunnel, VLAN, VXLAN, or Xfrm to be created on the link. See
840 systemd.netdev(5). This option may be specified more than once.
841 ActiveSlave=
843 Takes a boolean. Specifies the new active slave. The "ActiveSlave="
844 option is only valid for following modes: "active-backup",
845 "balance-alb", and "balance-tlb". Defaults to false.
846 PrimarySlave=
848 Takes a boolean. Specifies which slave is the primary device. The
849 specified device will always be the active slave while it is
850 available. Only when the primary is off-line will alternate devices
851 be used. This is useful when one slave is preferred over another,
852 e.g. when one slave has higher throughput than another. The
853 "PrimarySlave=" option is only valid for following modes:
854 "active-backup", "balance-alb", and "balance-tlb". Defaults to
855 false.
856 ConfigureWithoutCarrier=
858 Takes a boolean. Allows networkd to configure a specific link even
859 if it has no carrier. Defaults to false. If enabled, and the
860 IgnoreCarrierLoss= setting is not explicitly set, then it is
861 enabled as well.
862 IgnoreCarrierLoss=
864 Takes a boolean or a timespan. When true, systemd-networkd retains
865 both the static and dynamic configuration of the interface even if
866 its carrier is lost. When false, systemd-networkd drops both the
867 static and dynamic configuration of the interface. When a timespan
868 is specified, systemd-networkd waits for the specified timespan,
869 and ignores the carrier loss if the link regain its carrier within
870 the timespan. Setting 0 seconds is equivalent to "no", and
871 "infinite" is equivalent to "yes".
872 Setting a finite timespan may be useful when e.g. in the following
874 cases:
875 • A wireless interface connecting to a network which has multiple
877 access points with the same SSID.
878 • Enslaving a wireless interface to a bond interface, which may
880 disconnect from the connected access point and causes its
881 carrier to be lost.
882 • The driver of the interface resets when the MTU is changed.
884 When Bond= is specified to a wireless interface, defaults to 3
886 seconds. When the DHCPv4 client is enabled and UseMTU= in the
887 [DHCPv4] section enabled, defaults to 5 seconds. Otherwise,
888 defaults to the value specified with ConfigureWithoutCarrier=. When
889 ActivationPolicy= is set to "always-up", this is forced to "yes",
890 and ignored any user specified values.
891 KeepConfiguration=
893 Takes a boolean or one of "static", "dhcp-on-stop", "dhcp". When
894 "static", systemd-networkd will not drop static addresses and
895 routes on starting up process. When set to "dhcp-on-stop",
896 systemd-networkd will not drop addresses and routes on stopping the
897 daemon. When "dhcp", the addresses and routes provided by a DHCP
898 server will never be dropped even if the DHCP lease expires. This
899 is contrary to the DHCP specification, but may be the best choice
900 if, e.g., the root filesystem relies on this connection. The
901 setting "dhcp" implies "dhcp-on-stop", and "yes" implies "dhcp" and
902 "static". Defaults to "dhcp-on-stop" when systemd-networkd is
903 running in initrd, "yes" when the root filesystem is a network
904 filesystem, and "no" otherwise.
905
907 An [Address] section accepts the following keys. Specify several
908 [Address] sections to configure several addresses.
909 Address=
911 As in the [Network] section. This setting is mandatory. Each
912 [Address] section can contain one Address= setting.
913 Peer=
915 The peer address in a point-to-point connection. Accepts the same
916 format as the Address= setting.
917 Broadcast=
919 Takes an IPv4 address or boolean value. The address must be in the
920 format described in inet_pton(3). If set to true, then the IPv4
921 broadcast address will be derived from the Address= setting. If set
922 to false, then the broadcast address will not be set. Defaults to
923 true, except for wireguard interfaces, where it default to false.
924 Label=
926 Specifies the label for the IPv4 address. The label must be a 7-bit
927 ASCII string with a length of 1...15 characters. Defaults to unset.
928 PreferredLifetime=
930 Allows the default "preferred lifetime" of the address to be
931 overridden. Only three settings are accepted: "forever",
932 "infinity", which is the default and means that the address never
933 expires, and "0", which means that the address is considered
934 immediately "expired" and will not be used, unless explicitly
935 requested. A setting of PreferredLifetime=0 is useful for addresses
936 which are added to be used only by a specific application, which is
937 then configured to use them explicitly.
938 Scope=
940 The scope of the address, which can be "global" (valid everywhere
941 on the network, even through a gateway), "link" (only valid on this
942 device, will not traverse a gateway) or "host" (only valid within
943 the device itself, e.g. 127.0.0.1) or an integer in the range
944 0...255. Defaults to "global".
945 RouteMetric=
947 The metric of the prefix route, which is pointing to the subnet of
948 the configured IP address, taking the configured prefix length into
949 account. Takes an unsigned integer in the range 0...4294967295.
950 When unset or set to 0, the kernel's default value is used. This
951 setting will be ignored when AddPrefixRoute= is false.
952 HomeAddress=
954 Takes a boolean. Designates this address the "home address" as
955 defined in RFC 6275[10]. Supported only on IPv6. Defaults to false.
956 DuplicateAddressDetection=
958 Takes one of "ipv4", "ipv6", "both", or "none". When "ipv4",
959 performs IPv4 Address Conflict Detection. See RFC 5227[11]. When
960 "ipv6", performs IPv6 Duplicate Address Detection. See RFC
961 4862[12]. Defaults to "ipv4" for IPv4 link-local addresses, "ipv6"
962 for IPv6 addresses, and "none" otherwise.
963 ManageTemporaryAddress=
965 Takes a boolean. If true the kernel manage temporary addresses
966 created from this one as template on behalf of Privacy Extensions
967 RFC 3041[13]. For this to become active, the use_tempaddr sysctl
968 setting has to be set to a value greater than zero. The given
969 address needs to have a prefix length of 64. This flag allows using
970 privacy extensions in a manually configured network, just like if
971 stateless auto-configuration was active. Defaults to false.
972 AddPrefixRoute=
974 Takes a boolean. When true, the prefix route for the address is
975 automatically added. Defaults to true.
976 AutoJoin=
978 Takes a boolean. Joining multicast group on ethernet level via ip
979 maddr command would not work if we have an Ethernet switch that
980 does IGMP snooping since the switch would not replicate multicast
981 packets on ports that did not have IGMP reports for the multicast
982 addresses. Linux vxlan interfaces created via ip link add vxlan or
983 networkd's netdev kind vxlan have the group option that enables
984 them to do the required join. By extending ip address command with
985 option "autojoin" we can get similar functionality for openvswitch
986 (OVS) vxlan interfaces as well as other tunneling mechanisms that
987 need to receive multicast traffic. Defaults to "no".
988 NetLabel=label
990 This setting provides a method for integrating static and dynamic
991 network configuration into Linux NetLabel[14] subsystem rules, used
992 by Linux Security Modules (LSMs)[15] for network access control.
993 The label, with suitable LSM rules, can be used to control
994 connectivity of (for example) a service with peers in the local
995 network. At least with SELinux, only the ingress can be controlled
996 but not egress. The benefit of using this setting is that it may be
997 possible to apply interface independent part of NetLabel
998 configuration at very early stage of system boot sequence, at the
999 time when the network interfaces are not available yet, with
1000 netlabelctl(8), and the per-interface configuration with
1001 systemd-networkd once the interfaces appear later. Currently this
1002 feature is only implemented for SELinux.
1003 The option expects a single NetLabel label. The label must conform
1005 to lexical restrictions of LSM labels. When an interface is
1006 configured with IP addresses, the addresses and subnetwork masks
1007 will be appended to the NetLabel Fallback Peer Labeling[16] rules.
1008 They will be removed when the interface is deconfigured. Failures
1009 to manage the labels will be ignored.
1010 Warning: Once labeling is enabled for network traffic, a lot of LSM
1012 access control points in Linux networking stack go from dormant to
1013 active. Care should be taken to avoid getting into a situation
1014 where for example remote connectivity is broken, when the security
1015 policy hasn't been updated to consider LSM per-packet access
1016 controls and no rules would allow any network traffic. Also note
1017 that additional configuration with netlabelctl(8) is needed.
1018 Example:
1020 [Address]
1022 NetLabel=system_u:object_r:localnet_peer_t:s0
1023 With the example rules applying for interface "eth0", when the
1025 interface is configured with an IPv4 address of 10.0.0.123/8,
1026 systemd-networkd performs the equivalent of netlabelctl operation
1027 netlabelctl unlbl add interface eth0 address:10.0.0.0/8 label:system_u:object_r:localnet_peer_t:s0
1029 and the reverse operation when the IPv4 address is deconfigured.
1031 The configuration can be used with LSM rules; in case of SELinux to
1032 allow a SELinux domain to receive data from objects of SELinux
1033 "peer" class. For example:
1034 type localnet_peer_t;
1036 allow my_server_t localnet_peer_t:peer recv;
1037 The effect of the above configuration and rules (in absence of
1039 other rules as may be the case) is to only allow "my_server_t" (and
1040 nothing else) to receive data from local subnet 10.0.0.0/8 of
1041 interface "eth0".
1042
1044 A [Neighbor] section accepts the following keys. The neighbor section
1045 adds a permanent, static entry to the neighbor table (IPv6) or ARP
1046 table (IPv4) for the given hardware address on the links matched for
1047 the network. Specify several [Neighbor] sections to configure several
1048 static neighbors.
1049 Address=
1051 The IP address of the neighbor.
1052 LinkLayerAddress=
1054 The link layer address (MAC address or IP address) of the neighbor.
1055
1057 An [IPv6AddressLabel] section accepts the following keys. Specify
1058 several [IPv6AddressLabel] sections to configure several address
1059 labels. IPv6 address labels are used for address selection. See RFC
1060 3484[17]. Precedence is managed by userspace, and only the label itself
1061 is stored in the kernel.
1062 Label=
1064 The label for the prefix, an unsigned integer in the range
1065 0...4294967294. 0xffffffff is reserved. This setting is mandatory.
1066 Prefix=
1068 IPv6 prefix is an address with a prefix length, separated by a
1069 slash "/" character. This setting is mandatory.
1070
1072 An [RoutingPolicyRule] section accepts the following settings. Specify
1073 several [RoutingPolicyRule] sections to configure several rules.
1074 TypeOfService=
1076 Takes a number between 0 and 255 that specifies the type of service
1077 to match.
1078 From=
1080 Specifies the source address prefix to match. Possibly followed by
1081 a slash and the prefix length.
1082 To=
1084 Specifies the destination address prefix to match. Possibly
1085 followed by a slash and the prefix length.
1086 FirewallMark=
1088 Specifies the iptables firewall mark value to match (a number in
1089 the range 1...4294967295). Optionally, the firewall mask (also a
1090 number between 1...4294967295) can be suffixed with a slash ("/"),
1091 e.g., "7/255".
1092 Table=
1094 Specifies the routing table identifier to look up if the rule
1095 selector matches. Takes one of predefined names "default", "main",
1096 and "local", and names defined in RouteTable= in networkd.conf(5),
1097 or a number between 1 and 4294967295. Defaults to "main".
1098 Priority=
1100 Specifies the priority of this rule. Priority= is an integer in
1101 the range 0...4294967295. Higher number means lower priority, and
1102 rules get processed in order of increasing number. Defaults to
1103 unset, and the kernel will pick a value dynamically.
1104 IncomingInterface=
1106 Specifies incoming device to match. If the interface is loopback,
1107 the rule only matches packets originating from this host.
1108 OutgoingInterface=
1110 Specifies the outgoing device to match. The outgoing interface is
1111 only available for packets originating from local sockets that are
1112 bound to a device.
1113 SourcePort=
1115 Specifies the source IP port or IP port range match in forwarding
1116 information base (FIB) rules. A port range is specified by the
1117 lower and upper port separated by a dash. Defaults to unset.
1118 DestinationPort=
1120 Specifies the destination IP port or IP port range match in
1121 forwarding information base (FIB) rules. A port range is specified
1122 by the lower and upper port separated by a dash. Defaults to unset.
1123 IPProtocol=
1125 Specifies the IP protocol to match in forwarding information base
1126 (FIB) rules. Takes IP protocol name such as "tcp", "udp" or "sctp",
1127 or IP protocol number such as "6" for "tcp" or "17" for "udp".
1128 Defaults to unset.
1129 InvertRule=
1131 A boolean. Specifies whether the rule is to be inverted. Defaults
1132 to false.
1133 Family=
1135 Takes a special value "ipv4", "ipv6", or "both". By default, the
1136 address family is determined by the address specified in To= or
1137 From=. If neither To= nor From= are specified, then defaults to
1138 "ipv4".
1139 User=
1141 Takes a username, a user ID, or a range of user IDs separated by a
1142 dash. Defaults to unset.
1143 SuppressPrefixLength=
1145 Takes a number N in the range 0...128 and rejects routing decisions
1146 that have a prefix length of N or less. Defaults to unset.
1147 SuppressInterfaceGroup=
1149 Takes an integer in the range 0...2147483647 and rejects routing
1150 decisions that have an interface with the same group id. It has the
1151 same meaning as suppress_ifgroup in ip rule. Defaults to unset.
1152 Type=
1154 Specifies Routing Policy Database (RPDB) rule type. Takes one of
1155 "blackhole", "unreachable" or "prohibit".
1156
1158 The [NextHop] section is used to manipulate entries in the kernel's
1159 "nexthop" tables. The [NextHop] section accepts the following settings.
1160 Specify several [NextHop] sections to configure several hops.
1161 Id=
1163 The id of the next hop. Takes an integer in the range
1164 1...4294967295. If unspecified, then automatically chosen by
1165 kernel.
1166 Gateway=
1168 As in the [Network] section.
1169 Family=
1171 Takes one of the special values "ipv4" or "ipv6". By default, the
1172 family is determined by the address specified in Gateway=. If
1173 Gateway= is not specified, then defaults to "ipv4".
1174 OnLink=
1176 Takes a boolean. If set to true, the kernel does not have to check
1177 if the gateway is reachable directly by the current machine (i.e.,
1178 attached to the local network), so that we can insert the nexthop
1179 in the kernel table without it being complained about. Defaults to
1180 "no".
1181 Blackhole=
1183 Takes a boolean. If enabled, packets to the corresponding routes
1184 are discarded silently, and Gateway= cannot be specified. Defaults
1185 to "no".
1186 Group=
1188 Takes a whitespace separated list of nexthop IDs. Each ID must be
1189 in the range 1...4294967295. Optionally, each nexthop ID can take a
1190 weight after a colon ("id[:weight]"). The weight must be in the
1191 range 1...255. If the weight is not specified, then it is assumed
1192 that the weight is 1. This setting cannot be specified with
1193 Gateway=, Family=, Blackhole=. This setting can be specified
1194 multiple times. If an empty string is assigned, then the all
1195 previous assignments are cleared. Defaults to unset.
1196
1198 The [Route] section accepts the following settings. Specify several
1199 [Route] sections to configure several routes.
1200 Gateway=
1202 Takes the gateway address or the special values "_dhcp4" and
1203 "_ipv6ra". If "_dhcp4" or "_ipv6ra" is set, then the gateway
1204 address provided by DHCPv4 or IPv6 RA is used.
1205 GatewayOnLink=
1207 Takes a boolean. If set to true, the kernel does not have to check
1208 if the gateway is reachable directly by the current machine (i.e.,
1209 attached to the local network), so that we can insert the route in
1210 the kernel table without it being complained about. Defaults to
1211 "no".
1212 Destination=
1214 The destination prefix of the route. Possibly followed by a slash
1215 and the prefix length. If omitted, a full-length host route is
1216 assumed.
1217 Source=
1219 The source prefix of the route. Possibly followed by a slash and
1220 the prefix length. If omitted, a full-length host route is assumed.
1221 Metric=
1223 The metric of the route. Takes an unsigned integer in the range
1224 0...4294967295. Defaults to unset, and the kernel's default will be
1225 used.
1226 IPv6Preference=
1228 Specifies the route preference as defined in RFC 4191[18] for
1229 Router Discovery messages. Which can be one of "low" the route has
1230 a lowest priority, "medium" the route has a default priority or
1231 "high" the route has a highest priority.
1232 Scope=
1234 The scope of the IPv4 route, which can be "global", "site", "link",
1235 "host", or "nowhere":
1236 • "global" means the route can reach hosts more than one hop
1238 away.
1239 • "site" means an interior route in the local autonomous system.
1241 • "link" means the route can only reach hosts on the local
1243 network (one hop away).
1244 • "host" means the route will not leave the local machine (used
1246 for internal addresses like 127.0.0.1).
1247 • "nowhere" means the destination doesn't exist.
1249 For IPv4 route, defaults to "host" if Type= is "local" or "nat",
1251 and "link" if Type= is "broadcast", "multicast", "anycast", or
1252 "unicast". In other cases, defaults to "global". The value is not
1253 used for IPv6.
1254 PreferredSource=
1256 The preferred source address of the route. The address must be in
1257 the format described in inet_pton(3).
1258 Table=
1260 The table identifier for the route. Takes one of predefined names
1261 "default", "main", and "local", and names defined in RouteTable= in
1262 networkd.conf(5), or a number between 1 and 4294967295. The table
1263 can be retrieved using ip route show table num. If unset and Type=
1264 is "local", "broadcast", "anycast", or "nat", then "local" is used.
1265 In other cases, defaults to "main".
1266 Protocol=
1268 The protocol identifier for the route. Takes a number between 0 and
1269 255 or the special values "kernel", "boot", "static", "ra" and
1270 "dhcp". Defaults to "static".
1271 Type=
1273 Specifies the type for the route. Takes one of "unicast", "local",
1274 "broadcast", "anycast", "multicast", "blackhole", "unreachable",
1275 "prohibit", "throw", "nat", and "xresolve". If "unicast", a regular
1276 route is defined, i.e. a route indicating the path to take to a
1277 destination network address. If "blackhole", packets to the defined
1278 route are discarded silently. If "unreachable", packets to the
1279 defined route are discarded and the ICMP message "Host Unreachable"
1280 is generated. If "prohibit", packets to the defined route are
1281 discarded and the ICMP message "Communication Administratively
1282 Prohibited" is generated. If "throw", route lookup in the current
1283 routing table will fail and the route selection process will return
1284 to Routing Policy Database (RPDB). Defaults to "unicast".
1285 InitialCongestionWindow=
1287 The TCP initial congestion window is used during the start of a TCP
1288 connection. During the start of a TCP session, when a client
1289 requests a resource, the server's initial congestion window
1290 determines how many packets will be sent during the initial burst
1291 of data without waiting for acknowledgement. Takes a number between
1292 1 and 1023. Note that 100 is considered an extremely large value
1293 for this option. When unset, the kernel's default (typically 10)
1294 will be used.
1295 InitialAdvertisedReceiveWindow=
1297 The TCP initial advertised receive window is the amount of receive
1298 data (in bytes) that can initially be buffered at one time on a
1299 connection. The sending host can send only that amount of data
1300 before waiting for an acknowledgment and window update from the
1301 receiving host. Takes a number between 1 and 1023. Note that 100 is
1302 considered an extremely large value for this option. When unset,
1303 the kernel's default will be used.
1304 QuickAck=
1306 Takes a boolean. When true, the TCP quick ACK mode for the route is
1307 enabled. When unset, the kernel's default will be used.
1308 FastOpenNoCookie=
1310 Takes a boolean. When true enables TCP fastopen without a cookie on
1311 a per-route basis. When unset, the kernel's default will be used.
1312 TTLPropagate=
1314 Takes a boolean. When true enables TTL propagation at Label
1315 Switched Path (LSP) egress. When unset, the kernel's default will
1316 be used.
1317 MTUBytes=
1319 The maximum transmission unit in bytes to set for the route. The
1320 usual suffixes K, M, G, are supported and are understood to the
1321 base of 1024.
1322 TCPAdvertisedMaximumSegmentSize=
1324 Specifies the Path MSS (in bytes) hints given on TCP layer. The
1325 usual suffixes K, M, G, are supported and are understood to the
1326 base of 1024. An unsigned integer in the range 1...4294967294. When
1327 unset, the kernel's default will be used.
1328 TCPCongestionControlAlgorithm=
1330 Specifies the TCP congestion control algorithm for the route. Takes
1331 a name of the algorithm, e.g. "bbr", "dctcp", or "vegas". When
1332 unset, the kernel's default will be used.
1333 MultiPathRoute=address[@name] [weight]
1335 Configures multipath route. Multipath routing is the technique of
1336 using multiple alternative paths through a network. Takes gateway
1337 address. Optionally, takes a network interface name or index
1338 separated with "@", and a weight in 1..256 for this multipath route
1339 separated with whitespace. This setting can be specified multiple
1340 times. If an empty string is assigned, then the all previous
1341 assignments are cleared.
1342 NextHop=
1344 Specifies the nexthop id. Takes an unsigned integer in the range
1345 1...4294967295. If set, the corresponding [NextHop] section must be
1346 configured. Defaults to unset.
1347
1349 The [DHCPv4] section configures the DHCPv4 client, if it is enabled
1350 with the DHCP= setting described above:
1351 SendHostname=
1353 When true (the default), the machine's hostname (or the value
1354 specified with Hostname=, described below) will be sent to the DHCP
1355 server. Note that the hostname must consist only of 7-bit ASCII
1356 lower-case characters and no spaces or dots, and be formatted as a
1357 valid DNS domain name. Otherwise, the hostname is not sent even if
1358 this option is true.
1359 Hostname=
1361 Use this value for the hostname which is sent to the DHCP server,
1362 instead of machine's hostname. Note that the specified hostname
1363 must consist only of 7-bit ASCII lower-case characters and no
1364 spaces or dots, and be formatted as a valid DNS domain name.
1365 MUDURL=
1367 When configured, the specified Manufacturer Usage Description (MUD)
1368 URL will be sent to the DHCPv4 server. Takes a URL of length up to
1369 255 characters. A superficial verification that the string is a
1370 valid URL will be performed. DHCPv4 clients are intended to have at
1371 most one MUD URL associated with them. See RFC 8520[19].
1372 MUD is an embedded software standard defined by the IETF that
1374 allows IoT device makers to advertise device specifications,
1375 including the intended communication patterns for their device when
1376 it connects to the network. The network can then use this to author
1377 a context-specific access policy, so the device functions only
1378 within those parameters.
1379 ClientIdentifier=
1381 The DHCPv4 client identifier to use. Takes one of mac, duid or
1382 duid-only. If set to mac, the MAC address of the link is used. If
1383 set to duid, an RFC4361-compliant Client ID, which is the
1384 combination of IAID and DUID (see below), is used. If set to
1385 duid-only, only DUID is used, this may not be RFC compliant, but
1386 some setups may require to use this. Defaults to duid.
1387 VendorClassIdentifier=
1389 The vendor class identifier used to identify vendor type and
1390 configuration.
1391 UserClass=
1393 A DHCPv4 client can use UserClass option to identify the type or
1394 category of user or applications it represents. The information
1395 contained in this option is a string that represents the user class
1396 of which the client is a member. Each class sets an identifying
1397 string of information to be used by the DHCP service to classify
1398 clients. Takes a whitespace-separated list of strings.
1399 DUIDType=
1401 Override the global DUIDType= setting for this network. See
1402 networkd.conf(5) for a description of possible values.
1403 DUIDRawData=
1405 Override the global DUIDRawData= setting for this network. See
1406 networkd.conf(5) for a description of possible values.
1407 IAID=
1409 The DHCP Identity Association Identifier (IAID) for the interface,
1410 a 32-bit unsigned integer.
1411 Anonymize=
1413 Takes a boolean. When true, the options sent to the DHCP server
1414 will follow the RFC 7844[20] (Anonymity Profiles for DHCP Clients)
1415 to minimize disclosure of identifying information. Defaults to
1416 false.
1417 This option should only be set to true when MACAddressPolicy= is
1419 set to random (see systemd.link(5)).
1420 When true, ClientIdentifier=mac, SendHostname=no, Use6RD=no,
1422 UseCaptivePortal=no, UseMTU=no, UseNTP=no, UseSIP=no, and
1423 UseTimezone=no are implied and these settings in the .network file
1424 are silently ignored. Also, Hostname=, MUDURL=, RequestOptions=,
1425 SendOption=, SendVendorOption=, UserClass=, and
1426 VendorClassIdentifier= are silently ignored.
1427 With this option enabled DHCP requests will mimic those generated
1429 by Microsoft Windows, in order to reduce the ability to fingerprint
1430 and recognize installations. This means DHCP request sizes will
1431 grow and lease data will be more comprehensive than normally,
1432 though most of the requested data is not actually used.
1433 RequestOptions=
1435 Sets request options to be sent to the server in the DHCPv4 request
1436 options list. A whitespace-separated list of integers in the range
1437 1...254. Defaults to unset.
1438 SendOption=
1440 Send an arbitrary raw option in the DHCPv4 request. Takes a DHCP
1441 option number, data type and data separated with a colon
1442 ("option:type:value"). The option number must be an integer in the
1443 range 1...254. The type takes one of "uint8", "uint16", "uint32",
1444 "ipv4address", or "string". Special characters in the data string
1445 may be escaped using C-style escapes[21]. This setting can be
1446 specified multiple times. If an empty string is specified, then all
1447 options specified earlier are cleared. Defaults to unset.
1448 SendVendorOption=
1450 Send an arbitrary vendor option in the DHCPv4 request. Takes a DHCP
1451 option number, data type and data separated with a colon
1452 ("option:type:value"). The option number must be an integer in the
1453 range 1...254. The type takes one of "uint8", "uint16", "uint32",
1454 "ipv4address", or "string". Special characters in the data string
1455 may be escaped using C-style escapes[21]. This setting can be
1456 specified multiple times. If an empty string is specified, then all
1457 options specified earlier are cleared. Defaults to unset.
1458 IPServiceType=
1460 Takes one of the special values "none", "CS6", or "CS4". When
1461 "none" no IP service type is set to the packet sent from the DHCPv4
1462 client. When "CS6" (network control) or "CS4" (realtime), the
1463 corresponding service type will be set. Defaults to "CS6".
1464 SocketPriority=
1466 The Linux socket option SO_PRIORITY applied to the raw IP socket
1467 used for initial DHCPv4 messages. Unset by default. Usual values
1468 range from 0 to 6. More details about SO_PRIORITY socket option in
1469 socket(7). Can be used in conjunction with [VLAN] section
1470 EgressQOSMaps= setting of .netdev file to set the 802.1Q VLAN
1471 ethernet tagged header priority, see systemd.netdev(5).
1472 Label=
1474 Specifies the label for the IPv4 address received from the DHCP
1475 server. The label must be a 7-bit ASCII string with a length of
1476 1...15 characters. Defaults to unset.
1477 UseDNS=
1479 When true (the default), the DNS servers received from the DHCP
1480 server will be used.
1481 This corresponds to the nameserver option in resolv.conf(5).
1483 RoutesToDNS=
1485 When true, the routes to the DNS servers received from the DHCP
1486 server will be configured. When UseDNS= is disabled, this setting
1487 is ignored. Defaults to true.
1488 UseNTP=
1490 When true (the default), the NTP servers received from the DHCP
1491 server will be used by systemd-timesyncd.service.
1492 RoutesToNTP=
1494 When true, the routes to the NTP servers received from the DHCP
1495 server will be configured. When UseNTP= is disabled, this setting
1496 is ignored. Defaults to true.
1497 UseSIP=
1499 When true (the default), the SIP servers received from the DHCP
1500 server will be collected and made available to client programs.
1501 UseMTU=
1503 When true, the interface maximum transmission unit from the DHCP
1504 server will be used on the current link. If MTUBytes= is set, then
1505 this setting is ignored. Defaults to false.
1506 Note, some drivers will reset the interfaces if the MTU is changed.
1508 For such interfaces, please try to use IgnoreCarrierLoss= with a
1509 short timespan, e.g. "3 seconds".
1510 UseHostname=
1512 When true (the default), the hostname received from the DHCP server
1513 will be set as the transient hostname of the system.
1514 UseDomains=
1516 Takes a boolean, or the special value route. When true, the domain
1517 name received from the DHCP server will be used as DNS search
1518 domain over this link, similarly to the effect of the Domains=
1519 setting. If set to route, the domain name received from the DHCP
1520 server will be used for routing DNS queries only, but not for
1521 searching, similarly to the effect of the Domains= setting when the
1522 argument is prefixed with "~". Defaults to false.
1523 It is recommended to enable this option only on trusted networks,
1525 as setting this affects resolution of all hostnames, in particular
1526 of single-label names. It is generally safer to use the supplied
1527 domain only as routing domain, rather than as search domain, in
1528 order to not have it affect local resolution of single-label names.
1529 When set to true, this setting corresponds to the domain option in
1531 resolv.conf(5).
1532 UseRoutes=
1534 When true (the default), the static routes will be requested from
1535 the DHCP server and added to the routing table with a metric of
1536 1024, and a scope of global, link or host, depending on the route's
1537 destination and gateway. If the destination is on the local host,
1538 e.g., 127.x.x.x, or the same as the link's own address, the scope
1539 will be set to host. Otherwise if the gateway is null (a direct
1540 route), a link scope will be used. For anything else, scope
1541 defaults to global.
1542 RouteMetric=
1544 Set the routing metric for routes specified by the DHCP server
1545 (including the prefix route added for the specified prefix). Takes
1546 an unsigned integer in the range 0...4294967295. Defaults to 1024.
1547 RouteTable=num
1549 The table identifier for DHCP routes. Takes one of predefined names
1550 "default", "main", and "local", and names defined in RouteTable= in
1551 networkd.conf(5), or a number between 1...4294967295.
1552 When used in combination with VRF=, the VRF's routing table is used
1554 when this parameter is not specified.
1555 RouteMTUBytes=
1557 Specifies the MTU for the DHCP routes. Please see the [Route]
1558 section for further details.
1559 QuickAck=
1561 Takes a boolean. When true, the TCP quick ACK mode is enabled for
1562 the routes configured by the acquired DHCPv4 lease. When unset, the
1563 kernel's default will be used.
1564 UseGateway=
1566 When true, the gateway will be requested from the DHCP server and
1567 added to the routing table with a metric of 1024, and a scope of
1568 link. When unset, the value specified with UseRoutes= is used.
1569 UseTimezone=
1571 When true, the timezone received from the DHCP server will be set
1572 as timezone of the local system. Defaults to false.
1573 Use6RD=
1575 When true, subnets of the received IPv6 prefix are assigned to
1576 downstream interfaces which enables DHCPPrefixDelegation=. See also
1577 DHCPPrefixDelegation= in the [Network] section, the
1578 [DHCPPrefixDelegation] section, and RFC 5969[22]. Defaults to
1579 false.
1580 FallbackLeaseLifetimeSec=
1582 Allows one to set DHCPv4 lease lifetime when DHCPv4 server does not
1583 send the lease lifetime. Takes one of "forever" or "infinity". If
1584 specified, the acquired address never expires. Defaults to unset.
1585 RequestBroadcast=
1587 Request the server to use broadcast messages before the IP address
1588 has been configured. This is necessary for devices that cannot
1589 receive RAW packets, or that cannot receive packets at all before
1590 an IP address has been configured. On the other hand, this must not
1591 be enabled on networks where broadcasts are filtered out.
1592 MaxAttempts=
1594 Specifies how many times the DHCPv4 client configuration should be
1595 attempted. Takes a number or "infinity". Defaults to "infinity".
1596 Note that the time between retries is increased exponentially, up
1597 to approximately one per minute, so the network will not be
1598 overloaded even if this number is high. The default is suitable in
1599 most circumstances.
1600 ListenPort=
1602 Set the port from which the DHCP client packets originate.
1603 DenyList=
1605 A whitespace-separated list of IPv4 addresses. Each address can
1606 optionally take a prefix length after "/". DHCP offers from servers
1607 in the list are rejected. Note that if AllowList= is configured
1608 then DenyList= is ignored.
1609 AllowList=
1611 A whitespace-separated list of IPv4 addresses. Each address can
1612 optionally take a prefix length after "/". DHCP offers from servers
1613 in the list are accepted.
1614 SendRelease=
1616 When true, the DHCPv4 client sends a DHCP release packet when it
1617 stops. Defaults to true.
1618 SendDecline=
1620 A boolean. When true, systemd-networkd performs IPv4 Duplicate
1621 Address Detection to the acquired address by the DHCPv4 client. If
1622 duplicate is detected, the DHCPv4 client rejects the address by
1623 sending a DHCPDECLINE packet to the DHCP server, and tries to
1624 obtain an IP address again. See RFC 5227[11]. Defaults to false.
1625 NetLabel=
1627 This applies the NetLabel for the addresses received with DHCP,
1628 like NetLabel= in [Address] section applies it to statically
1629 configured addresses. See NetLabel= in [Address] section for more
1630 details.
1631
1633 The [DHCPv6] section configures the DHCPv6 client, if it is enabled
1634 with the DHCP= setting described above, or invoked by the IPv6 Router
1635 Advertisement:
1636 MUDURL=, IAID=, DUIDType=, DUIDRawData=, RequestOptions=
1638 As in the [DHCPv4] section.
1639 SendOption=
1641 As in the [DHCPv4] section, however because DHCPv6 uses 16-bit
1642 fields to store option numbers, the option number is an integer in
1643 the range 1...65536.
1644 SendVendorOption=
1646 Send an arbitrary vendor option in the DHCPv6 request. Takes an
1647 enterprise identifier, DHCP option number, data type, and data
1648 separated with a colon ("enterprise identifier:option:type:value").
1649 Enterprise identifier is an unsigned integer in the range
1650 1...4294967294. The option number must be an integer in the range
1651 1...254. Data type takes one of "uint8", "uint16", "uint32",
1652 "ipv4address", "ipv6address", or "string". Special characters in
1653 the data string may be escaped using C-style escapes[21]. This
1654 setting can be specified multiple times. If an empty string is
1655 specified, then all options specified earlier are cleared. Defaults
1656 to unset.
1657 UserClass=
1659 A DHCPv6 client can use User Class option to identify the type or
1660 category of user or applications it represents. The information
1661 contained in this option is a string that represents the user class
1662 of which the client is a member. Each class sets an identifying
1663 string of information to be used by the DHCP service to classify
1664 clients. Special characters in the data string may be escaped using
1665 C-style escapes[21]. This setting can be specified multiple times.
1666 If an empty string is specified, then all options specified earlier
1667 are cleared. Takes a whitespace-separated list of strings. Note
1668 that currently NUL bytes are not allowed.
1669 VendorClass=
1671 A DHCPv6 client can use VendorClass option to identify the vendor
1672 that manufactured the hardware on which the client is running. The
1673 information contained in the data area of this option is contained
1674 in one or more opaque fields that identify details of the hardware
1675 configuration. Takes a whitespace-separated list of strings.
1676 PrefixDelegationHint=
1678 Takes an IPv6 address with prefix length in the same format as the
1679 Address= in the [Network] section. The DHCPv6 client will include a
1680 prefix hint in the DHCPv6 solicitation sent to the server. The
1681 prefix length must be in the range 1...128. Defaults to unset.
1682 RapidCommit=
1684 Takes a boolean. The DHCPv6 client can obtain configuration
1685 parameters from a DHCPv6 server through a rapid two-message
1686 exchange (solicit and reply). When the rapid commit option is set
1687 by both the DHCPv6 client and the DHCPv6 server, the two-message
1688 exchange is used. Otherwise, the four-message exchange (solicit,
1689 advertise, request, and reply) is used. The two-message exchange
1690 provides faster client configuration. See RFC 3315[23] for details.
1691 Defaults to true, and the two-message exchange will be used if the
1692 server support it.
1693 UseAddress=
1695 When true (the default), the IP addresses provided by the DHCPv6
1696 server will be assigned.
1697 UseDelegatedPrefix=
1699 When true (the default), the client will request the DHCPv6 server
1700 to delegate prefixes. If the server provides prefixes to be
1701 delegated, then subnets of the prefixes are assigned to the
1702 interfaces that have DHCPPrefixDelegation=yes. See also the
1703 DHCPPrefixDelegation= setting in the [Network] section, settings in
1704 the [DHCPPrefixDelegation] section, and RFC 8415[24].
1705 UseDNS=, UseNTP=, UseHostname=, UseDomains=, NetLabel=, SendRelease=
1707 As in the [DHCPv4] section.
1708 WithoutRA=
1710 Allows DHCPv6 client to start without router advertisements's
1711 "managed" or "other configuration" flag. Takes one of "no",
1712 "solicit", or "information-request". If this is not specified,
1713 "solicit" is used when DHCPPrefixDelegation= is enabled and
1714 UplinkInterface=:self is specified in the [DHCPPrefixDelegation]
1715 section. Otherwise, defaults to "no", and the DHCPv6 client will be
1716 started when an RA is received. See also the DHCPv6Client= setting
1717 in the [IPv6AcceptRA] section.
1718
1720 The [DHCPPrefixDelegation] section configures subnet prefixes of the
1721 delegated prefixes acquired by a DHCPv6 client or by a DHCPv4 client
1722 through the 6RD option on another interface. The settings in this
1723 section are used only when the DHCPPrefixDelegation= setting in the
1724 [Network] section is enabled.
1725 UplinkInterface=
1727 Specifies the name or the index of the uplink interface, or one of
1728 the special values ":self" and ":auto". When ":self", the interface
1729 itself is considered the uplink interface, and WithoutRA=solicit is
1730 implied if the setting is not explicitly specified. When ":auto",
1731 the first link which acquired prefixes to be delegated from the
1732 DHCPv6 or DHCPv4 server is selected. Defaults to ":auto".
1733 SubnetId=
1735 Configure a specific subnet ID on the interface from a (previously)
1736 received prefix delegation. You can either set "auto" (the default)
1737 or a specific subnet ID (as defined in RFC 4291[25], section
1738 2.5.4), in which case the allowed value is hexadecimal, from 0 to
1739 0x7fffffffffffffff inclusive.
1740 Announce=
1742 Takes a boolean. When enabled, and IPv6SendRA= in [Network] section
1743 is enabled, the delegated prefixes are distributed through the IPv6
1744 Router Advertisement. This setting will be ignored when the
1745 DHCPPrefixDelegation= setting is enabled on the upstream interface.
1746 Defaults to yes.
1747 Assign=
1749 Takes a boolean. Specifies whether to add an address from the
1750 delegated prefixes which are received from the WAN interface by the
1751 DHCPv6 Prefix Delegation. When true (on LAN interface), the EUI-64
1752 algorithm will be used by default to form an interface identifier
1753 from the delegated prefixes. See also Token= setting below.
1754 Defaults to yes.
1755 Token=
1757 Specifies an optional address generation mode for assigning an
1758 address in each delegated prefix. This accepts the same syntax as
1759 Token= in the [IPv6AcceptRA] section. If Assign= is set to false,
1760 then this setting will be ignored. Defaults to unset, which means
1761 the EUI-64 algorithm will be used.
1762 ManageTemporaryAddress=
1764 As in the [Address] section, but defaults to true.
1765 RouteMetric=
1767 The metric of the route to the delegated prefix subnet. Takes an
1768 unsigned integer in the range 0...4294967295. When set to 0, the
1769 kernel's default value is used. Defaults to 256.
1770 NetLabel=
1772 This applies the NetLabel for the addresses received with DHCP,
1773 like NetLabel= in [Address] section applies it to statically
1774 configured addresses. See NetLabel= in [Address] section for more
1775 details.
1776
1778 The [IPv6AcceptRA] section configures the IPv6 Router Advertisement
1779 (RA) client, if it is enabled with the IPv6AcceptRA= setting described
1780 above:
1781 Token=
1783 Specifies an optional address generation mode for the Stateless
1784 Address Autoconfiguration (SLAAC). The following values are
1785 supported:
1786 eui64
1788 The EUI-64 algorithm will be used to generate an address for
1789 that prefix. Only supported by Ethernet or InfiniBand
1790 interfaces.
1791 static:ADDRESS
1793 An IPv6 address must be specified after a colon (":"), and the
1794 lower bits of the supplied address are combined with the upper
1795 bits of a prefix received in a Router Advertisement (RA)
1796 message to form a complete address. Note that if multiple
1797 prefixes are received in an RA message, or in multiple RA
1798 messages, addresses will be formed from each of them using the
1799 supplied address. This mode implements SLAAC but uses a static
1800 interface identifier instead of an identifier generated by
1801 using the EUI-64 algorithm. Because the interface identifier is
1802 static, if Duplicate Address Detection detects that the
1803 computed address is a duplicate (in use by another node on the
1804 link), then this mode will fail to provide an address for that
1805 prefix. If an IPv6 address without mode is specified, then
1806 "static" mode is assumed.
1807 prefixstable[:ADDRESS][,UUID]
1809 The algorithm specified in RFC 7217[26] will be used to
1810 generate interface identifiers. This mode can optionally take
1811 an IPv6 address separated with a colon (":"). If an IPv6
1812 address is specified, then an interface identifier is generated
1813 only when a prefix received in an RA message matches the
1814 supplied address.
1815 This mode can also optionally take a non-null UUID in the
1817 format which sd_id128_from_string() accepts, e.g.
1818 "86b123b969ba4b7eb8b3d8605123525a" or
1819 "86b123b9-69ba-4b7e-b8b3-d8605123525a". If a UUID is specified,
1820 the value is used as the secret key to generate interface
1821 identifiers. If not specified, then an application specific ID
1822 generated with the system's machine-ID will be used as the
1823 secret key. See sd-id128(3), sd_id128_from_string(3), and
1824 sd_id128_get_machine(3).
1825 Note that the "prefixstable" algorithm uses both the interface
1827 name and MAC address as input to the hash to compute the
1828 interface identifier, so if either of those are changed the
1829 resulting interface identifier (and address) will be changed,
1830 even if the prefix received in the RA message has not been
1831 changed.
1832 If no address generation mode is specified (which is the default),
1834 or a received prefix does not match any of the addresses provided
1835 in "prefixstable" mode, then the EUI-64 algorithm will be used for
1836 Ethernet or InfiniBand interfaces, otherwise "prefixstable" will be
1837 used to form an interface identifier for that prefix.
1838 This setting can be specified multiple times. If an empty string is
1840 assigned, then the all previous assignments are cleared.
1841 Examples:
1843 Token=eui64
1845 Token=::1a:2b:3c:4d
1846 Token=static:::1a:2b:3c:4d
1847 Token=prefixstable
1848 Token=prefixstable:2002:da8:1::
1849 UseDNS=
1851 When true (the default), the DNS servers received in the Router
1852 Advertisement will be used.
1853 This corresponds to the nameserver option in resolv.conf(5).
1855 UseDomains=
1857 Takes a boolean, or the special value "route". When true, the
1858 domain name received via IPv6 Router Advertisement (RA) will be
1859 used as DNS search domain over this link, similarly to the effect
1860 of the Domains= setting. If set to "route", the domain name
1861 received via IPv6 RA will be used for routing DNS queries only, but
1862 not for searching, similarly to the effect of the Domains= setting
1863 when the argument is prefixed with "~". Defaults to false.
1864 It is recommended to enable this option only on trusted networks,
1866 as setting this affects resolution of all hostnames, in particular
1867 of single-label names. It is generally safer to use the supplied
1868 domain only as routing domain, rather than as search domain, in
1869 order to not have it affect local resolution of single-label names.
1870 When set to true, this setting corresponds to the domain option in
1872 resolv.conf(5).
1873 RouteTable=num
1875 The table identifier for the routes received in the Router
1876 Advertisement. Takes one of predefined names "default", "main", and
1877 "local", and names defined in RouteTable= in networkd.conf(5), or a
1878 number between 1...4294967295.
1879 When used in combination with VRF=, the VRF's routing table is used
1881 when this parameter is not specified.
1882 RouteMetric=
1884 Set the routing metric for the routes received in the Router
1885 Advertisement. Takes an unsigned integer in the range
1886 0...4294967295, or three unsigned integer separated with ":", in
1887 that case the first one is used when the router preference is high,
1888 the second is for medium preference, and the last is for low
1889 preference ("high:medium:low"). Defaults to "512:1024:2048".
1890 QuickAck=
1892 Takes a boolean. When true, the TCP quick ACK mode is enabled for
1893 the routes configured by the received RAs. When unset, the kernel's
1894 default will be used.
1895 UseMTU=
1897 Takes a boolean. When true, the MTU received in the Router
1898 Advertisement will be used. Defaults to true.
1899 UseGateway=
1901 When true (the default), the router address will be configured as
1902 the default gateway.
1903 UseRoutePrefix=
1905 When true (the default), the routes corresponding to the route
1906 prefixes received in the Router Advertisement will be configured.
1907 UseAutonomousPrefix=
1909 When true (the default), the autonomous prefix received in the
1910 Router Advertisement will be used and take precedence over any
1911 statically configured ones.
1912 UseOnLinkPrefix=
1914 When true (the default), the onlink prefix received in the Router
1915 Advertisement will be used and takes precedence over any statically
1916 configured ones.
1917 RouterDenyList=
1919 A whitespace-separated list of IPv6 router addresses. Each address
1920 can optionally take a prefix length after "/". Any information
1921 advertised by the listed router is ignored.
1922 RouterAllowList=
1924 A whitespace-separated list of IPv6 router addresses. Each address
1925 can optionally take a prefix length after "/". Only information
1926 advertised by the listed router is accepted. Note that if
1927 RouterAllowList= is configured then RouterDenyList= is ignored.
1928 PrefixDenyList=
1930 A whitespace-separated list of IPv6 prefixes. Each prefix can
1931 optionally take its prefix length after "/". IPv6 prefixes supplied
1932 via router advertisements in the list are ignored.
1933 PrefixAllowList=
1935 A whitespace-separated list of IPv6 prefixes. Each prefix can
1936 optionally take its prefix length after "/". IPv6 prefixes supplied
1937 via router advertisements in the list are allowed. Note that if
1938 PrefixAllowList= is configured then PrefixDenyList= is ignored.
1939 RouteDenyList=
1941 A whitespace-separated list of IPv6 route prefixes. Each prefix can
1942 optionally take its prefix length after "/". IPv6 route prefixes
1943 supplied via router advertisements in the list are ignored.
1944 RouteAllowList=
1946 A whitespace-separated list of IPv6 route prefixes. Each prefix can
1947 optionally take its prefix length after "/". IPv6 route prefixes
1948 supplied via router advertisements in the list are allowed. Note
1949 that if RouteAllowList= is configured then RouteDenyList= is
1950 ignored.
1951 DHCPv6Client=
1953 Takes a boolean, or the special value "always". When true, the
1954 DHCPv6 client will be started in "solicit" mode if the RA has the
1955 "managed" flag or "information-request" mode if the RA lacks the
1956 "managed" flag but has the "other configuration" flag. If set to
1957 "always", the DHCPv6 client will be started in "solicit" mode when
1958 an RA is received, even if neither the "managed" nor the "other
1959 configuration" flag is set in the RA. This will be ignored when
1960 WithoutRA= in the [DHCPv6] section is enabled, or
1961 UplinkInterface=:self in the [DHCPPrefixDelegation] section is
1962 specified. Defaults to true.
1963 NetLabel=
1965 This applies the NetLabel for the addresses received with RA, like
1966 NetLabel= in [Address] section applies it to statically configured
1967 addresses. See NetLabel= in [Address] section for more details.
1968
1970 The [DHCPServer] section contains settings for the DHCP server, if
1971 enabled via the DHCPServer= option described above:
1972 ServerAddress=
1974 Specifies server address for the DHCP server. Takes an IPv4 address
1975 with prefix length, for example 192.168.0.1/24. This setting may be
1976 useful when the link on which the DHCP server is running has
1977 multiple static addresses. When unset, one of static addresses in
1978 the link will be automatically selected. Defaults to unset.
1979 PoolOffset=, PoolSize=
1981 Configures the pool of addresses to hand out. The pool is a
1982 contiguous sequence of IP addresses in the subnet configured for
1983 the server address, which does not include the subnet nor the
1984 broadcast address. PoolOffset= takes the offset of the pool from
1985 the start of subnet, or zero to use the default value. PoolSize=
1986 takes the number of IP addresses in the pool or zero to use the
1987 default value. By default, the pool starts at the first address
1988 after the subnet address and takes up the rest of the subnet,
1989 excluding the broadcast address. If the pool includes the server
1990 address (the default), this is reserved and not handed out to
1991 clients.
1992 DefaultLeaseTimeSec=, MaxLeaseTimeSec=
1994 Control the default and maximum DHCP lease time to pass to clients.
1995 These settings take time values in seconds or another common time
1996 unit, depending on the suffix. The default lease time is used for
1997 clients that did not ask for a specific lease time. If a client
1998 asks for a lease time longer than the maximum lease time, it is
1999 automatically shortened to the specified time. The default lease
2000 time defaults to 1h, the maximum lease time to 12h. Shorter lease
2001 times are beneficial if the configuration data in DHCP leases
2002 changes frequently and clients shall learn the new settings with
2003 shorter latencies. Longer lease times reduce the generated DHCP
2004 network traffic.
2005 UplinkInterface=
2007 Specifies the name or the index of the uplink interface, or one of
2008 the special values ":none" and ":auto". When emitting DNS, NTP, or
2009 SIP servers is enabled but no servers are specified, the servers
2010 configured in the uplink interface will be emitted. When ":auto",
2011 the link which has a default gateway with the highest priority will
2012 be automatically selected. When ":none", no uplink interface will
2013 be selected. Defaults to ":auto".
2014 EmitDNS=, DNS=
2016 EmitDNS= takes a boolean. Configures whether the DHCP leases handed
2017 out to clients shall contain DNS server information. Defaults to
2018 "yes". The DNS servers to pass to clients may be configured with
2019 the DNS= option, which takes a list of IPv4 addresses, or special
2020 value "_server_address" which will be converted to the address used
2021 by the DHCP server.
2022 If the EmitDNS= option is enabled but no servers configured, the
2024 servers are automatically propagated from an "uplink" interface
2025 that has appropriate servers set. The "uplink" interface is
2026 determined by the default route of the system with the highest
2027 priority. Note that this information is acquired at the time the
2028 lease is handed out, and does not take uplink interfaces into
2029 account that acquire DNS server information at a later point. If no
2030 suitable uplink interface is found the DNS server data from
2031 /etc/resolv.conf is used. Also, note that the leases are not
2032 refreshed if the uplink network configuration changes. To ensure
2033 clients regularly acquire the most current uplink DNS server
2034 information, it is thus advisable to shorten the DHCP lease time
2035 via MaxLeaseTimeSec= described above.
2036 This setting can be specified multiple times. If an empty string is
2038 specified, then all DNS servers specified earlier are cleared.
2039 EmitNTP=, NTP=, EmitSIP=, SIP=, EmitPOP3=, POP3=, EmitSMTP=, SMTP=,
2041 EmitLPR=, LPR=
2042 Similar to the EmitDNS= and DNS= settings described above, these
2043 settings configure whether and what server information for the
2044 indicate protocol shall be emitted as part of the DHCP lease. The
2045 same syntax, propagation semantics and defaults apply as for
2046 EmitDNS= and DNS=.
2047 EmitRouter=, Router=
2049 The EmitRouter= setting takes a boolean value, and configures
2050 whether the DHCP lease should contain the router option. The
2051 Router= setting takes an IPv4 address, and configures the router
2052 address to be emitted. When the Router= setting is not specified,
2053 then the server address will be used for the router option. When
2054 the EmitRouter= setting is disabled, the Router= setting will be
2055 ignored. The EmitRouter= setting defaults to true, and the Router=
2056 setting defaults to unset.
2057 EmitTimezone=, Timezone=
2059 Takes a boolean. Configures whether the DHCP leases handed out to
2060 clients shall contain timezone information. Defaults to "yes". The
2061 Timezone= setting takes a timezone string (such as "Europe/Berlin"
2062 or "UTC") to pass to clients. If no explicit timezone is set, the
2063 system timezone of the local host is propagated, as determined by
2064 the /etc/localtime symlink.
2065 BootServerAddress=
2067 Takes an IPv4 address of the boot server used by e.g. PXE boot
2068 systems. When specified, this address is sent in the siaddr field
2069 of the DHCP message header. See RFC 2131[27] for more details.
2070 Defaults to unset.
2071 BootServerName=
2073 Takes a name of the boot server used by e.g. PXE boot systems. When
2074 specified, this name is sent in the DHCP option 66 ("TFTP server
2075 name"). See RFC 2132[28] for more details. Defaults to unset.
2076 Note that typically setting one of BootServerName= or
2078 BootServerAddress= is sufficient, but both can be set too, if
2079 desired.
2080 BootFilename=
2082 Takes a path or URL to a file loaded by e.g. a PXE boot loader.
2083 When specified, this path is sent in the DHCP option 67 ("Bootfile
2084 name"). See RFC 2132[28] for more details. Defaults to unset.
2085 SendOption=
2087 Send a raw option with value via DHCPv4 server. Takes a DHCP option
2088 number, data type and data ("option:type:value"). The option number
2089 is an integer in the range 1...254. The type takes one of "uint8",
2090 "uint16", "uint32", "ipv4address", "ipv6address", or "string".
2091 Special characters in the data string may be escaped using C-style
2092 escapes[21]. This setting can be specified multiple times. If an
2093 empty string is specified, then all options specified earlier are
2094 cleared. Defaults to unset.
2095 SendVendorOption=
2097 Send a vendor option with value via DHCPv4 server. Takes a DHCP
2098 option number, data type and data ("option:type:value"). The option
2099 number is an integer in the range 1...254. The type takes one of
2100 "uint8", "uint16", "uint32", "ipv4address", or "string". Special
2101 characters in the data string may be escaped using C-style
2102 escapes[21]. This setting can be specified multiple times. If an
2103 empty string is specified, then all options specified earlier are
2104 cleared. Defaults to unset.
2105 BindToInterface=
2107 Takes a boolean value. When "yes", DHCP server socket will be bound
2108 to its network interface and all socket communication will be
2109 restricted to this interface. Defaults to "yes", except if
2110 RelayTarget= is used (see below), in which case it defaults to
2111 "no".
2112 RelayTarget=
2114 Takes an IPv4 address, which must be in the format described in
2115 inet_pton(3). Turns this DHCP server into a DHCP relay agent. See
2116 RFC 1542[29]. The address is the address of DHCP server or another
2117 relay agent to forward DHCP messages to and from.
2118 RelayAgentCircuitId=
2120 Specifies value for Agent Circuit ID suboption of Relay Agent
2121 Information option. Takes a string, which must be in the format
2122 "string:value", where "value" should be replaced with the value of
2123 the suboption. Defaults to unset (means no Agent Circuit ID
2124 suboption is generated). Ignored if RelayTarget= is not specified.
2125 RelayAgentRemoteId=
2127 Specifies value for Agent Remote ID suboption of Relay Agent
2128 Information option. Takes a string, which must be in the format
2129 "string:value", where "value" should be replaced with the value of
2130 the suboption. Defaults to unset (means no Agent Remote ID
2131 suboption is generated). Ignored if RelayTarget= is not specified.
2132
2134 The "[DHCPServerStaticLease]" section configures a static DHCP lease to
2135 assign a fixed IPv4 address to a specific device based on its MAC
2136 address. This section can be specified multiple times.
2137 MACAddress=
2139 The hardware address of a device to match. This key is mandatory.
2140 Address=
2142 The IPv4 address that should be assigned to the device that was
2143 matched with MACAddress=. This key is mandatory.
2144
2146 The [IPv6SendRA] section contains settings for sending IPv6 Router
2147 Advertisements and whether to act as a router, if enabled via the
2148 IPv6SendRA= option described above. IPv6 network prefixes or routes are
2149 defined with one or more [IPv6Prefix] or [IPv6RoutePrefix] sections.
2150 Managed=, OtherInformation=
2152 Takes a boolean. Controls whether a DHCPv6 server is used to
2153 acquire IPv6 addresses on the network link when Managed= is set to
2154 "true" or if only additional network information can be obtained
2155 via DHCPv6 for the network link when OtherInformation= is set to
2156 "true". Both settings default to "false", which means that a DHCPv6
2157 server is not being used.
2158 RouterLifetimeSec=
2160 Takes a timespan. Configures the IPv6 router lifetime in seconds.
2161 The value must be 0 seconds, or between 4 seconds and 9000 seconds.
2162 When set to 0, the host is not acting as a router. Defaults to 1800
2163 seconds (30 minutes).
2164 RouterPreference=
2166 Configures IPv6 router preference if RouterLifetimeSec= is
2167 non-zero. Valid values are "high", "medium" and "low", with
2168 "normal" and "default" added as synonyms for "medium" just to make
2169 configuration easier. See RFC 4191[18] for details. Defaults to
2170 "medium".
2171 UplinkInterface=
2173 Specifies the name or the index of the uplink interface, or one of
2174 the special values ":none" and ":auto". When emitting DNS servers
2175 or search domains is enabled but no servers are specified, the
2176 servers configured in the uplink interface will be emitted. When
2177 ":auto", the value specified to the same setting in the
2178 [DHCPPrefixDelegation] section will be used if
2179 DHCPPrefixDelegation= is enabled, otherwise the link which has a
2180 default gateway with the highest priority will be automatically
2181 selected. When ":none", no uplink interface will be selected.
2182 Defaults to ":auto".
2183 EmitDNS=, DNS=
2185 DNS= specifies a list of recursive DNS server IPv6 addresses that
2186 are distributed via Router Advertisement messages when EmitDNS= is
2187 true. DNS= also takes special value "_link_local"; in that case
2188 the IPv6 link-local address is distributed. If DNS= is empty, DNS
2189 servers are read from the [Network] section. If the [Network]
2190 section does not contain any DNS servers either, DNS servers from
2191 the uplink interface specified in UplinkInterface= will be used.
2192 When EmitDNS= is false, no DNS server information is sent in Router
2193 Advertisement messages. EmitDNS= defaults to true.
2194 EmitDomains=, Domains=
2196 A list of DNS search domains distributed via Router Advertisement
2197 messages when EmitDomains= is true. If Domains= is empty, DNS
2198 search domains are read from the [Network] section. If the
2199 [Network] section does not contain any DNS search domains either,
2200 DNS search domains from the uplink interface specified in
2201 UplinkInterface= will be used. When EmitDomains= is false, no DNS
2202 search domain information is sent in Router Advertisement messages.
2203 EmitDomains= defaults to true.
2204 DNSLifetimeSec=
2206 Lifetime in seconds for the DNS server addresses listed in DNS= and
2207 search domains listed in Domains=. Defaults to 3600 seconds (one
2208 hour).
2209
2211 One or more [IPv6Prefix] sections contain the IPv6 prefixes that are
2212 announced via Router Advertisements. See RFC 4861[30] for further
2213 details.
2214 AddressAutoconfiguration=, OnLink=
2216 Takes a boolean to specify whether IPv6 addresses can be
2217 autoconfigured with this prefix and whether the prefix can be used
2218 for onlink determination. Both settings default to "true" in order
2219 to ease configuration.
2220 Prefix=
2222 The IPv6 prefix that is to be distributed to hosts. Similarly to
2223 configuring static IPv6 addresses, the setting is configured as an
2224 IPv6 prefix and its prefix length, separated by a "/" character.
2225 Use multiple [IPv6Prefix] sections to configure multiple IPv6
2226 prefixes since prefix lifetimes, address autoconfiguration and
2227 onlink status may differ from one prefix to another.
2228 PreferredLifetimeSec=, ValidLifetimeSec=
2230 Preferred and valid lifetimes for the prefix measured in seconds.
2231 PreferredLifetimeSec= defaults to 1800 seconds (30 minutes) and
2232 ValidLifetimeSec= defaults to 3600 seconds (one hour).
2233 Assign=
2235 Takes a boolean. When true, adds an address from the prefix.
2236 Default to false.
2237 Token=
2239 Specifies an optional address generation mode for assigning an
2240 address in each prefix. This accepts the same syntax as Token= in
2241 the [IPv6AcceptRA] section. If Assign= is set to false, then this
2242 setting will be ignored. Defaults to unset, which means the EUI-64
2243 algorithm will be used.
2244 RouteMetric=
2246 The metric of the prefix route. Takes an unsigned integer in the
2247 range 0...4294967295. When unset or set to 0, the kernel's default
2248 value is used. This setting is ignored when Assign= is false.
2249
2251 One or more [IPv6RoutePrefix] sections contain the IPv6 prefix routes
2252 that are announced via Router Advertisements. See RFC 4191[18] for
2253 further details.
2254 Route=
2256 The IPv6 route that is to be distributed to hosts. Similarly to
2257 configuring static IPv6 routes, the setting is configured as an
2258 IPv6 prefix routes and its prefix route length, separated by a "/"
2259 character. Use multiple [IPv6RoutePrefix] sections to configure
2260 multiple IPv6 prefix routes.
2261 LifetimeSec=
2263 Lifetime for the route prefix measured in seconds. LifetimeSec=
2264 defaults to 3600 seconds (one hour).
2265
2267 The [Bridge] section accepts the following keys:
2268 UnicastFlood=
2270 Takes a boolean. Controls whether the bridge should flood traffic
2271 for which an FDB entry is missing and the destination is unknown
2272 through this port. When unset, the kernel's default will be used.
2273 MulticastFlood=
2275 Takes a boolean. Controls whether the bridge should flood traffic
2276 for which an MDB entry is missing and the destination is unknown
2277 through this port. When unset, the kernel's default will be used.
2278 MulticastToUnicast=
2280 Takes a boolean. Multicast to unicast works on top of the multicast
2281 snooping feature of the bridge. Which means unicast copies are only
2282 delivered to hosts which are interested in it. When unset, the
2283 kernel's default will be used.
2284 NeighborSuppression=
2286 Takes a boolean. Configures whether ARP and ND neighbor suppression
2287 is enabled for this port. When unset, the kernel's default will be
2288 used.
2289 Learning=
2291 Takes a boolean. Configures whether MAC address learning is enabled
2292 for this port. When unset, the kernel's default will be used.
2293 HairPin=
2295 Takes a boolean. Configures whether traffic may be sent back out of
2296 the port on which it was received. When this flag is false, then
2297 the bridge will not forward traffic back out of the receiving port.
2298 When unset, the kernel's default will be used.
2299 Isolated=
2301 Takes a boolean. Configures whether this port is isolated or not.
2302 Within a bridge, isolated ports can only communicate with
2303 non-isolated ports. When set to true, this port can only
2304 communicate with other ports whose Isolated setting is false. When
2305 set to false, this port can communicate with any other ports. When
2306 unset, the kernel's default will be used.
2307 UseBPDU=
2309 Takes a boolean. Configures whether STP Bridge Protocol Data Units
2310 will be processed by the bridge port. When unset, the kernel's
2311 default will be used.
2312 FastLeave=
2314 Takes a boolean. This flag allows the bridge to immediately stop
2315 multicast traffic on a port that receives an IGMP Leave message. It
2316 is only used with IGMP snooping if enabled on the bridge. When
2317 unset, the kernel's default will be used.
2318 AllowPortToBeRoot=
2320 Takes a boolean. Configures whether a given port is allowed to
2321 become a root port. Only used when STP is enabled on the bridge.
2322 When unset, the kernel's default will be used.
2323 ProxyARP=
2325 Takes a boolean. Configures whether proxy ARP to be enabled on this
2326 port. When unset, the kernel's default will be used.
2327 ProxyARPWiFi=
2329 Takes a boolean. Configures whether proxy ARP to be enabled on this
2330 port which meets extended requirements by IEEE 802.11 and Hotspot
2331 2.0 specifications. When unset, the kernel's default will be used.
2332 MulticastRouter=
2334 Configures this port for having multicast routers attached. A port
2335 with a multicast router will receive all multicast traffic. Takes
2336 one of "no" to disable multicast routers on this port, "query" to
2337 let the system detect the presence of routers, "permanent" to
2338 permanently enable multicast traffic forwarding on this port, or
2339 "temporary" to enable multicast routers temporarily on this port,
2340 not depending on incoming queries. When unset, the kernel's default
2341 will be used.
2342 Cost=
2344 Sets the "cost" of sending packets of this interface. Each port in
2345 a bridge may have a different speed and the cost is used to decide
2346 which link to use. Faster interfaces should have lower costs. It is
2347 an integer value between 1 and 65535.
2348 Priority=
2350 Sets the "priority" of sending packets on this interface. Each port
2351 in a bridge may have a different priority which is used to decide
2352 which link to use. Lower value means higher priority. It is an
2353 integer value between 0 to 63. Networkd does not set any default,
2354 meaning the kernel default value of 32 is used.
2355
2357 The [BridgeFDB] section manages the forwarding database table of a port
2358 and accepts the following keys. Specify several [BridgeFDB] sections to
2359 configure several static MAC table entries.
2360 MACAddress=
2362 As in the [Network] section. This key is mandatory.
2363 Destination=
2365 Takes an IP address of the destination VXLAN tunnel endpoint.
2366 VLANId=
2368 The VLAN ID for the new static MAC table entry. If omitted, no VLAN
2369 ID information is appended to the new static MAC table entry.
2370 VNI=
2372 The VXLAN Network Identifier (or VXLAN Segment ID) to use to
2373 connect to the remote VXLAN tunnel endpoint. Takes a number in the
2374 range 1...16777215. Defaults to unset.
2375 AssociatedWith=
2377 Specifies where the address is associated with. Takes one of "use",
2378 "self", "master" or "router". "use" means the address is in use.
2379 User space can use this option to indicate to the kernel that the
2380 fdb entry is in use. "self" means the address is associated with
2381 the port drivers fdb. Usually hardware. "master" means the address
2382 is associated with master devices fdb. "router" means the
2383 destination address is associated with a router. Note that it's
2384 valid if the referenced device is a VXLAN type device and has route
2385 shortcircuit enabled. Defaults to "self".
2386 OutgoingInterface=
2388 Specifies the name or index of the outgoing interface for the VXLAN
2389 device driver to reach the remote VXLAN tunnel endpoint. Defaults
2390 to unset.
2391
2393 The [BridgeMDB] section manages the multicast membership entries
2394 forwarding database table of a port and accepts the following keys.
2395 Specify several [BridgeMDB] sections to configure several permanent
2396 multicast membership entries.
2397 MulticastGroupAddress=
2399 Specifies the IPv4 or IPv6 multicast group address to add. This
2400 setting is mandatory.
2401 VLANId=
2403 The VLAN ID for the new entry. Valid ranges are 0 (no VLAN) to
2404 4094. Optional, defaults to 0.
2405
2407 The [LLDP] section manages the Link Layer Discovery Protocol (LLDP) and
2408 accepts the following keys:
2409 MUDURL=
2411 When configured, the specified Manufacturer Usage Descriptions
2412 (MUD) URL will be sent in LLDP packets. The syntax and semantics
2413 are the same as for MUDURL= in the [DHCPv4] section described
2414 above.
2415 The MUD URLs received via LLDP packets are saved and can be read
2417 using the sd_lldp_neighbor_get_mud_url() function.
2418
2420 The [CAN] section manages the Controller Area Network (CAN bus) and
2421 accepts the following keys:
2422 BitRate=
2424 The bitrate of CAN device in bits per second. The usual SI prefixes
2425 (K, M) with the base of 1000 can be used here. Takes a number in
2426 the range 1...4294967295.
2427 SamplePoint=
2429 Optional sample point in percent with one decimal (e.g. "75%",
2430 "87.5%") or permille (e.g. "875‰"). This will be ignored when
2431 BitRate= is unspecified.
2432 TimeQuantaNSec=, PropagationSegment=, PhaseBufferSegment1=,
2434 PhaseBufferSegment2=, SyncJumpWidth=
2435 Specifies the time quanta, propagation segment, phase buffer
2436 segment 1 and 2, and the synchronization jump width, which allow
2437 one to define the CAN bit-timing in a hardware independent format
2438 as proposed by the Bosch CAN 2.0 Specification. TimeQuantaNSec=
2439 takes a timespan in nanoseconds. PropagationSegment=,
2440 PhaseBufferSegment1=, PhaseBufferSegment2=, and SyncJumpWidth= take
2441 number of time quantum specified in TimeQuantaNSec= and must be an
2442 unsigned integer in the range 0...4294967295. These settings except
2443 for SyncJumpWidth= will be ignored when BitRate= is specified.
2444 DataBitRate=, DataSamplePoint=
2446 The bitrate and sample point for the data phase, if CAN-FD is used.
2447 These settings are analogous to the BitRate= and SamplePoint= keys.
2448 DataTimeQuantaNSec=, DataPropagationSegment=, DataPhaseBufferSegment1=,
2450 DataPhaseBufferSegment2=, DataSyncJumpWidth=
2451 Specifies the time quanta, propagation segment, phase buffer
2452 segment 1 and 2, and the synchronization jump width for the data
2453 phase, if CAN-FD is used. These settings are analogous to the
2454 TimeQuantaNSec= or related settings.
2455 FDMode=
2457 Takes a boolean. When "yes", CAN-FD mode is enabled for the
2458 interface. Note, that a bitrate and optional sample point should
2459 also be set for the CAN-FD data phase using the DataBitRate= and
2460 DataSamplePoint= keys, or DataTimeQuanta= and related settings.
2461 FDNonISO=
2463 Takes a boolean. When "yes", non-ISO CAN-FD mode is enabled for the
2464 interface. When unset, the kernel's default will be used.
2465 RestartSec=
2467 Automatic restart delay time. If set to a non-zero value, a restart
2468 of the CAN controller will be triggered automatically in case of a
2469 bus-off condition after the specified delay time. Subsecond delays
2470 can be specified using decimals (e.g. "0.1s") or a "ms" or "us"
2471 postfix. Using "infinity" or "0" will turn the automatic restart
2472 off. By default automatic restart is disabled.
2473 Termination=
2475 Takes a boolean or a termination resistor value in ohm in the range
2476 0...65535. When "yes", the termination resistor is set to 120 ohm.
2477 When "no" or "0" is set, the termination resistor is disabled. When
2478 unset, the kernel's default will be used.
2479 TripleSampling=
2481 Takes a boolean. When "yes", three samples (instead of one) are
2482 used to determine the value of a received bit by majority rule.
2483 When unset, the kernel's default will be used.
2484 BusErrorReporting=
2486 Takes a boolean. When "yes", reporting of CAN bus errors is
2487 activated (those include single bit, frame format, and bit stuffing
2488 errors, unable to send dominant bit, unable to send recessive bit,
2489 bus overload, active error announcement, error occurred on
2490 transmission). When unset, the kernel's default will be used. Note:
2491 in case of a CAN bus with a single CAN device, sending a CAN frame
2492 may result in a huge number of CAN bus errors.
2493 ListenOnly=
2495 Takes a boolean. When "yes", listen-only mode is enabled. When the
2496 interface is in listen-only mode, the interface neither transmit
2497 CAN frames nor send ACK bit. Listen-only mode is important to debug
2498 CAN networks without interfering with the communication or
2499 acknowledge the CAN frame. When unset, the kernel's default will be
2500 used.
2501 Loopback=
2503 Takes a boolean. When "yes", loopback mode is enabled. When the
2504 loopback mode is enabled, the interface treats messages transmitted
2505 by itself as received messages. The loopback mode is important to
2506 debug CAN networks. When unset, the kernel's default will be used.
2507 OneShot=
2509 Takes a boolean. When "yes", one-shot mode is enabled. When unset,
2510 the kernel's default will be used.
2511 PresumeAck=
2513 Takes a boolean. When "yes", the interface will ignore missing CAN
2514 ACKs. When unset, the kernel's default will be used.
2515 ClassicDataLengthCode=
2517 Takes a boolean. When "yes", the interface will handle the 4bit
2518 data length code (DLC). When unset, the kernel's default will be
2519 used.
2520
2522 The [IPoIB] section manages the IP over Infiniband and accepts the
2523 following keys:
2524 Mode=
2526 Takes one of the special values "datagram" or "connected". Defaults
2527 to unset, and the kernel's default is used.
2528 When "datagram", the Infiniband unreliable datagram (UD) transport
2530 is used, and so the interface MTU is equal to the IB L2 MTU minus
2531 the IPoIB encapsulation header (4 bytes). For example, in a typical
2532 IB fabric with a 2K MTU, the IPoIB MTU will be 2048 - 4 = 2044
2533 bytes.
2534 When "connected", the Infiniband reliable connected (RC) transport
2536 is used. Connected mode takes advantage of the connected nature of
2537 the IB transport and allows an MTU up to the maximal IP packet size
2538 of 64K, which reduces the number of IP packets needed for handling
2539 large UDP datagrams, TCP segments, etc and increases the
2540 performance for large messages.
2541 IgnoreUserspaceMulticastGroup=
2543 Takes an boolean value. When true, the kernel ignores multicast
2544 groups handled by userspace. Defaults to unset, and the kernel's
2545 default is used.
2546
2548 The [QDisc] section manages the traffic control queueing discipline
2549 (qdisc).
2550 Parent=
2552 Specifies the parent Queueing Discipline (qdisc). Takes one of
2553 "clsact" or "ingress". This is mandatory.
2554 Handle=
2556 Configures the major number of unique identifier of the qdisc,
2557 known as the handle. Takes a hexadecimal number in the range
2558 0x1–0xffff. Defaults to unset.
2559
2561 The [NetworkEmulator] section manages the queueing discipline (qdisc)
2562 of the network emulator. It can be used to configure the kernel packet
2563 scheduler and simulate packet delay and loss for UDP or TCP
2564 applications, or limit the bandwidth usage of a particular service to
2565 simulate internet connections.
2566 Parent=
2568 Configures the parent Queueing Discipline (qdisc). Takes one of
2569 "root", "clsact", "ingress" or a class identifier. The class
2570 identifier is specified as the major and minor numbers in
2571 hexadecimal in the range 0x1–0xffff separated with a colon
2572 ("major:minor"). Defaults to "root".
2573 Handle=
2575 Configures the major number of unique identifier of the qdisc,
2576 known as the handle. Takes a hexadecimal number in the range
2577 0x1–0xffff. Defaults to unset.
2578 DelaySec=
2580 Specifies the fixed amount of delay to be added to all packets
2581 going out of the interface. Defaults to unset.
2582 DelayJitterSec=
2584 Specifies the chosen delay to be added to the packets outgoing to
2585 the network interface. Defaults to unset.
2586 PacketLimit=
2588 Specifies the maximum number of packets the qdisc may hold queued
2589 at a time. An unsigned integer in the range 0...4294967294.
2590 Defaults to 1000.
2591 LossRate=
2593 Specifies an independent loss probability to be added to the
2594 packets outgoing from the network interface. Takes a percentage
2595 value, suffixed with "%". Defaults to unset.
2596 DuplicateRate=
2598 Specifies that the chosen percent of packets is duplicated before
2599 queuing them. Takes a percentage value, suffixed with "%". Defaults
2600 to unset.
2601
2603 The [TokenBucketFilter] section manages the queueing discipline (qdisc)
2604 of token bucket filter (tbf).
2605 Parent=
2607 Configures the parent Queueing Discipline (qdisc). Takes one of
2608 "root", "clsact", "ingress" or a class identifier. The class
2609 identifier is specified as the major and minor numbers in
2610 hexadecimal in the range 0x1–0xffff separated with a colon
2611 ("major:minor"). Defaults to "root".
2612 Handle=
2614 Configures the major number of unique identifier of the qdisc,
2615 known as the handle. Takes a hexadecimal number in the range
2616 0x1–0xffff. Defaults to unset.
2617 LatencySec=
2619 Specifies the latency parameter, which specifies the maximum amount
2620 of time a packet can sit in the Token Bucket Filter (TBF). Defaults
2621 to unset.
2622 LimitBytes=
2624 Takes the number of bytes that can be queued waiting for tokens to
2625 become available. When the size is suffixed with K, M, or G, it is
2626 parsed as Kilobytes, Megabytes, or Gigabytes, respectively, to the
2627 base of 1024. Defaults to unset.
2628 BurstBytes=
2630 Specifies the size of the bucket. This is the maximum amount of
2631 bytes that tokens can be available for instantaneous transfer. When
2632 the size is suffixed with K, M, or G, it is parsed as Kilobytes,
2633 Megabytes, or Gigabytes, respectively, to the base of 1024.
2634 Defaults to unset.
2635 Rate=
2637 Specifies the device specific bandwidth. When suffixed with K, M,
2638 or G, the specified bandwidth is parsed as Kilobits, Megabits, or
2639 Gigabits, respectively, to the base of 1000. Defaults to unset.
2640 MPUBytes=
2642 The Minimum Packet Unit (MPU) determines the minimal token usage
2643 (specified in bytes) for a packet. When suffixed with K, M, or G,
2644 the specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
2645 respectively, to the base of 1024. Defaults to zero.
2646 PeakRate=
2648 Takes the maximum depletion rate of the bucket. When suffixed with
2649 K, M, or G, the specified size is parsed as Kilobits, Megabits, or
2650 Gigabits, respectively, to the base of 1000. Defaults to unset.
2651 MTUBytes=
2653 Specifies the size of the peakrate bucket. When suffixed with K, M,
2654 or G, the specified size is parsed as Kilobytes, Megabytes, or
2655 Gigabytes, respectively, to the base of 1024. Defaults to unset.
2656
2658 The [PIE] section manages the queueing discipline (qdisc) of
2659 Proportional Integral controller-Enhanced (PIE).
2660 Parent=
2662 Configures the parent Queueing Discipline (qdisc). Takes one of
2663 "root", "clsact", "ingress" or a class identifier. The class
2664 identifier is specified as the major and minor numbers in
2665 hexadecimal in the range 0x1–0xffff separated with a colon
2666 ("major:minor"). Defaults to "root".
2667 Handle=
2669 Configures the major number of unique identifier of the qdisc,
2670 known as the handle. Takes a hexadecimal number in the range
2671 0x1–0xffff. Defaults to unset.
2672 PacketLimit=
2674 Specifies the hard limit on the queue size in number of packets.
2675 When this limit is reached, incoming packets are dropped. An
2676 unsigned integer in the range 1...4294967294. Defaults to unset and
2677 kernel's default is used.
2678
2680 The "[FlowQueuePIE]" section manages the queueing discipline (qdisc) of
2681 Flow Queue Proportional Integral controller-Enhanced (fq_pie).
2682 Parent=
2684 Configures the parent Queueing Discipline (qdisc). Takes one of
2685 "root", "clsact", "ingress" or a class identifier. The class
2686 identifier is specified as the major and minor numbers in
2687 hexadecimal in the range 0x1–0xffff separated with a colon
2688 ("major:minor"). Defaults to "root".
2689 Handle=
2691 Configures the major number of unique identifier of the qdisc,
2692 known as the handle. Takes a hexadecimal number in the range
2693 0x1–0xffff. Defaults to unset.
2694 PacketLimit=
2696 Specifies the hard limit on the queue size in number of packets.
2697 When this limit is reached, incoming packets are dropped. An
2698 unsigned integer ranges 1 to 4294967294. Defaults to unset and
2699 kernel's default is used.
2700
2702 The [StochasticFairBlue] section manages the queueing discipline
2703 (qdisc) of stochastic fair blue (sfb).
2704 Parent=
2706 Configures the parent Queueing Discipline (qdisc). Takes one of
2707 "root", "clsact", "ingress" or a class identifier. The class
2708 identifier is specified as the major and minor numbers in
2709 hexadecimal in the range 0x1–0xffff separated with a colon
2710 ("major:minor"). Defaults to "root".
2711 Handle=
2713 Configures the major number of unique identifier of the qdisc,
2714 known as the handle. Takes a hexadecimal number in the range
2715 0x1–0xffff. Defaults to unset.
2716 PacketLimit=
2718 Specifies the hard limit on the queue size in number of packets.
2719 When this limit is reached, incoming packets are dropped. An
2720 unsigned integer in the range 0...4294967294. Defaults to unset and
2721 kernel's default is used.
2722
2724 The [StochasticFairnessQueueing] section manages the queueing
2725 discipline (qdisc) of stochastic fairness queueing (sfq).
2726 Parent=
2728 Configures the parent Queueing Discipline (qdisc). Takes one of
2729 "root", "clsact", "ingress" or a class identifier. The class
2730 identifier is specified as the major and minor numbers in
2731 hexadecimal in the range 0x1–0xffff separated with a colon
2732 ("major:minor"). Defaults to "root".
2733 Handle=
2735 Configures the major number of unique identifier of the qdisc,
2736 known as the handle. Takes a hexadecimal number in the range
2737 0x1–0xffff. Defaults to unset.
2738 PerturbPeriodSec=
2740 Specifies the interval in seconds for queue algorithm perturbation.
2741 Defaults to unset.
2742
2744 The [BFIFO] section manages the queueing discipline (qdisc) of Byte
2745 limited Packet First In First Out (bfifo).
2746 Parent=
2748 Configures the parent Queueing Discipline (qdisc). Takes one of
2749 "root", "clsact", "ingress" or a class identifier. The class
2750 identifier is specified as the major and minor numbers in
2751 hexadecimal in the range 0x1–0xffff separated with a colon
2752 ("major:minor"). Defaults to "root".
2753 Handle=
2755 Configures the major number of unique identifier of the qdisc,
2756 known as the handle. Takes a hexadecimal number in the range
2757 0x1–0xffff. Defaults to unset.
2758 LimitBytes=
2760 Specifies the hard limit in bytes on the FIFO buffer size. The size
2761 limit prevents overflow in case the kernel is unable to dequeue
2762 packets as quickly as it receives them. When this limit is reached,
2763 incoming packets are dropped. When suffixed with K, M, or G, the
2764 specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
2765 respectively, to the base of 1024. Defaults to unset and kernel
2766 default is used.
2767
2769 The [PFIFO] section manages the queueing discipline (qdisc) of Packet
2770 First In First Out (pfifo).
2771 Parent=
2773 Configures the parent Queueing Discipline (qdisc). Takes one of
2774 "root", "clsact", "ingress" or a class identifier. The class
2775 identifier is specified as the major and minor numbers in
2776 hexadecimal in the range 0x1–0xffff separated with a colon
2777 ("major:minor"). Defaults to "root".
2778 Handle=
2780 Configures the major number of unique identifier of the qdisc,
2781 known as the handle. Takes a hexadecimal number in the range
2782 0x1–0xffff. Defaults to unset.
2783 PacketLimit=
2785 Specifies the hard limit on the number of packets in the FIFO
2786 queue. The size limit prevents overflow in case the kernel is
2787 unable to dequeue packets as quickly as it receives them. When this
2788 limit is reached, incoming packets are dropped. An unsigned integer
2789 in the range 0...4294967294. Defaults to unset and kernel's default
2790 is used.
2791
2793 The [PFIFOHeadDrop] section manages the queueing discipline (qdisc) of
2794 Packet First In First Out Head Drop (pfifo_head_drop).
2795 Parent=
2797 Configures the parent Queueing Discipline (qdisc). Takes one of
2798 "root", "clsact", "ingress" or a class identifier. The class
2799 identifier is specified as the major and minor numbers in
2800 hexadecimal in the range 0x1–0xffff separated with a colon
2801 ("major:minor"). Defaults to "root".
2802 Handle=
2804 Configures the major number of unique identifier of the qdisc,
2805 known as the handle. Takes a hexadecimal number in the range
2806 0x1–0xffff. Defaults to unset.
2807 PacketLimit=
2809 As in [PFIFO] section.
2810
2812 The [PFIFOFast] section manages the queueing discipline (qdisc) of
2813 Packet First In First Out Fast (pfifo_fast).
2814 Parent=
2816 Configures the parent Queueing Discipline (qdisc). Takes one of
2817 "root", "clsact", "ingress" or a class identifier. The class
2818 identifier is specified as the major and minor numbers in
2819 hexadecimal in the range 0x1–0xffff separated with a colon
2820 ("major:minor"). Defaults to "root".
2821 Handle=
2823 Configures the major number of unique identifier of the qdisc,
2824 known as the handle. Takes a hexadecimal number in the range
2825 0x1–0xffff. Defaults to unset.
2826
2828 The [CAKE] section manages the queueing discipline (qdisc) of Common
2829 Applications Kept Enhanced (CAKE).
2830 Parent=
2832 Configures the parent Queueing Discipline (qdisc). Takes one of
2833 "root", "clsact", "ingress" or a class identifier. The class
2834 identifier is specified as the major and minor numbers in
2835 hexadecimal in the range 0x1–0xffff separated with a colon
2836 ("major:minor"). Defaults to "root".
2837 Handle=
2839 Configures the major number of unique identifier of the qdisc,
2840 known as the handle. Takes a hexadecimal number in the range
2841 0x1–0xffff. Defaults to unset.
2842 Bandwidth=
2844 Specifies the shaper bandwidth. When suffixed with K, M, or G, the
2845 specified size is parsed as Kilobits, Megabits, or Gigabits,
2846 respectively, to the base of 1000. Defaults to unset and kernel's
2847 default is used.
2848 AutoRateIngress=
2850 Takes a boolean value. Enables automatic capacity estimation based
2851 on traffic arriving at this qdisc. This is most likely to be useful
2852 with cellular links, which tend to change quality randomly. If this
2853 setting is enabled, the Bandwidth= setting is used as an initial
2854 estimate. Defaults to unset, and the kernel's default is used.
2855 OverheadBytes=
2857 Specifies that bytes to be addeded to the size of each packet.
2858 Bytes may be negative. Takes an integer in the range -64...256.
2859 Defaults to unset and kernel's default is used.
2860 MPUBytes=
2862 Rounds each packet (including overhead) up to the specified bytes.
2863 Takes an integer in the range 1...256. Defaults to unset and
2864 kernel's default is used.
2865 CompensationMode=
2867 Takes one of "none", "atm", or "ptm". Specifies the compensation
2868 mode for overhead calculation. When "none", no compensation is
2869 taken into account. When "atm", enables the compensation for ATM
2870 cell framing, which is normally found on ADSL links. When "ptm",
2871 enables the compensation for PTM encoding, which is normally found
2872 on VDSL2 links and uses a 64b/65b encoding scheme. Defaults to
2873 unset and the kernel's default is used.
2874 UseRawPacketSize=
2876 Takes a boolean value. When true, the packet size reported by the
2877 Linux kernel will be used, instead of the underlying IP packet
2878 size. Defaults to unset, and the kernel's default is used.
2879 FlowIsolationMode=
2881 CAKE places packets from different flows into different queues,
2882 then packets from each queue are delivered fairly. This specifies
2883 whether the fairness is based on source address, destination
2884 address, individual flows, or any combination of those. The
2885 available values are:
2886 none
2888 The flow isolation is disabled, and all traffic passes through
2889 a single queue.
2890 src-host
2892 Flows are defined only by source address. Equivalent to the
2893 "srchost" option for tc qdisc command. See also tc-cake(8).
2894 dst-host
2896 Flows are defined only by destination address. Equivalent to
2897 the "dsthost" option for tc qdisc command. See also tc-cake(8).
2898 hosts
2900 Flows are defined by source-destination host pairs. Equivalent
2901 to the same option for tc qdisc command. See also tc-cake(8).
2902 flows
2904 Flows are defined by the entire 5-tuple of source address,
2905 destination address, transport protocol, source port and
2906 destination port. Equivalent to the same option for tc qdisc
2907 command. See also tc-cake(8).
2908 dual-src-host
2910 Flows are defined by the 5-tuple (see "flows" in the above),
2911 and fairness is applied first over source addresses, then over
2912 individual flows. Equivalent to the "dual-srchost" option for
2913 tc qdisc command. See also tc-cake(8).
2914 dual-dst-host
2916 Flows are defined by the 5-tuple (see "flows" in the above),
2917 and fairness is applied first over destination addresses, then
2918 over individual flows. Equivalent to the "dual-dsthost" option
2919 for tc qdisc command. See also tc-cake(8).
2920 triple
2922 Flows are defined by the 5-tuple (see "flows"), and fairness is
2923 applied over source and destination addresses, and also over
2924 individual flows. Equivalent to the "triple-isolate" option for
2925 tc qdisc command. See also tc-cake(8).
2926 Defaults to unset and the kernel's default is used.
2928 NAT=
2930 Takes a boolean value. When true, CAKE performs a NAT lookup before
2931 applying flow-isolation rules, to determine the true addresses and
2932 port numbers of the packet, to improve fairness between hosts
2933 inside the NAT. This has no practical effect when
2934 FlowIsolationMode= is "none" or "flows", or if NAT is performed on
2935 a different host. Defaults to unset, and the kernel's default is
2936 used.
2937 PriorityQueueingPreset=
2939 CAKE divides traffic into "tins", and each tin has its own
2940 independent set of flow-isolation queues, bandwidth threshold, and
2941 priority. This specifies the preset of tin profiles. The available
2942 values are:
2943 besteffort
2945 Disables priority queueing by placing all traffic in one tin.
2946 precedence
2948 Enables priority queueing based on the legacy interpretation of
2949 TOS "Precedence" field. Use of this preset on the modern
2950 Internet is firmly discouraged.
2951 diffserv8
2953 Enables priority queueing based on the Differentiated Service
2954 ("DiffServ") field with eight tins: Background Traffic, High
2955 Throughput, Best Effort, Video Streaming, Low Latency
2956 Transactions, Interactive Shell, Minimum Latency, and Network
2957 Control.
2958 diffserv4
2960 Enables priority queueing based on the Differentiated Service
2961 ("DiffServ") field with four tins: Background Traffic, Best
2962 Effort, Streaming Media, and Latency Sensitive.
2963 diffserv3
2965 Enables priority queueing based on the Differentiated Service
2966 ("DiffServ") field with three tins: Background Traffic, Best
2967 Effort, and Latency Sensitive.
2968 Defaults to unset, and the kernel's default is used.
2970 FirewallMark=
2972 Takes an integer in the range 1...4294967295. When specified,
2973 firewall-mark-based overriding of CAKE's tin selection is enabled.
2974 Defaults to unset, and the kernel's default is used.
2975 Wash=
2977 Takes a boolean value. When true, CAKE clears the DSCP fields,
2978 except for ECN bits, of any packet passing through CAKE. Defaults
2979 to unset, and the kernel's default is used.
2980 SplitGSO=
2982 Takes a boolean value. When true, CAKE will split General
2983 Segmentation Offload (GSO) super-packets into their on-the-wire
2984 components and dequeue them individually. Defaults to unset, and
2985 the kernel's default is used.
2986 RTTSec=
2988 Specifies the RTT for the filter. Takes a timespan. Typical values
2989 are e.g. 100us for extremely high-performance 10GigE+ networks like
2990 datacentre, 1ms for non-WiFi LAN connections, 100ms for typical
2991 internet connections. Defaults to unset, and the kernel's default
2992 will be used.
2993 AckFilter=
2995 Takes a boolean value, or special value "aggressive". If enabled,
2996 ACKs in each flow are queued and redundant ACKs to the upstream are
2997 dropped. If yes, the filter will always keep at least two redundant
2998 ACKs in the queue, while in "aggressive" mode, it will filter down
2999 to a single ACK. This may improve download throughput on links with
3000 very asymmetrical rate limits. Defaults to unset, and the kernel's
3001 default will be used.
3002
3004 The [ControlledDelay] section manages the queueing discipline (qdisc)
3005 of controlled delay (CoDel).
3006 Parent=
3008 Configures the parent Queueing Discipline (qdisc). Takes one of
3009 "root", "clsact", "ingress" or a class identifier. The class
3010 identifier is specified as the major and minor numbers in
3011 hexadecimal in the range 0x1–0xffff separated with a colon
3012 ("major:minor"). Defaults to "root".
3013 Handle=
3015 Configures the major number of unique identifier of the qdisc,
3016 known as the handle. Takes a hexadecimal number in the range
3017 0x1–0xffff. Defaults to unset.
3018 PacketLimit=
3020 Specifies the hard limit on the queue size in number of packets.
3021 When this limit is reached, incoming packets are dropped. An
3022 unsigned integer in the range 0...4294967294. Defaults to unset and
3023 kernel's default is used.
3024 TargetSec=
3026 Takes a timespan. Specifies the acceptable minimum
3027 standing/persistent queue delay. Defaults to unset and kernel's
3028 default is used.
3029 IntervalSec=
3031 Takes a timespan. This is used to ensure that the measured minimum
3032 delay does not become too stale. Defaults to unset and kernel's
3033 default is used.
3034 ECN=
3036 Takes a boolean. This can be used to mark packets instead of
3037 dropping them. Defaults to unset and kernel's default is used.
3038 CEThresholdSec=
3040 Takes a timespan. This sets a threshold above which all packets are
3041 marked with ECN Congestion Experienced (CE). Defaults to unset and
3042 kernel's default is used.
3043
3045 The [DeficitRoundRobinScheduler] section manages the queueing
3046 discipline (qdisc) of Deficit Round Robin Scheduler (DRR).
3047 Parent=
3049 Configures the parent Queueing Discipline (qdisc). Takes one of
3050 "root", "clsact", "ingress" or a class identifier. The class
3051 identifier is specified as the major and minor numbers in
3052 hexadecimal in the range 0x1–0xffff separated with a colon
3053 ("major:minor"). Defaults to "root".
3054 Handle=
3056 Configures the major number of unique identifier of the qdisc,
3057 known as the handle. Takes a hexadecimal number in the range
3058 0x1–0xffff. Defaults to unset.
3059
3061 The [DeficitRoundRobinSchedulerClass] section manages the traffic
3062 control class of Deficit Round Robin Scheduler (DRR).
3063 Parent=
3065 Configures the parent Queueing Discipline (qdisc). Takes one of
3066 "root", or a qdisc identifier. The qdisc identifier is specified as
3067 the major and minor numbers in hexadecimal in the range 0x1–0xffff
3068 separated with a colon ("major:minor"). Defaults to "root".
3069 ClassId=
3071 Configures the unique identifier of the class. It is specified as
3072 the major and minor numbers in hexadecimal in the range 0x1–0xffff
3073 separated with a colon ("major:minor"). Defaults to unset.
3074 QuantumBytes=
3076 Specifies the amount of bytes a flow is allowed to dequeue before
3077 the scheduler moves to the next class. When suffixed with K, M, or
3078 G, the specified size is parsed as Kilobytes, Megabytes, or
3079 Gigabytes, respectively, to the base of 1024. Defaults to the MTU
3080 of the interface.
3081
3083 The [EnhancedTransmissionSelection] section manages the queueing
3084 discipline (qdisc) of Enhanced Transmission Selection (ETS).
3085 Parent=
3087 Configures the parent Queueing Discipline (qdisc). Takes one of
3088 "root", "clsact", "ingress" or a class identifier. The class
3089 identifier is specified as the major and minor numbers in
3090 hexadecimal in the range 0x1–0xffff separated with a colon
3091 ("major:minor"). Defaults to "root".
3092 Handle=
3094 Configures the major number of unique identifier of the qdisc,
3095 known as the handle. Takes a hexadecimal number in the range
3096 0x1–0xffff. Defaults to unset.
3097 Bands=
3099 Specifies the number of bands. An unsigned integer in the range
3100 1...16. This value has to be at least large enough to cover the
3101 strict bands specified through the StrictBands= and
3102 bandwidth-sharing bands specified in QuantumBytes=.
3103 StrictBands=
3105 Specifies the number of bands that should be created in strict
3106 mode. An unsigned integer in the range 1...16.
3107 QuantumBytes=
3109 Specifies the white-space separated list of quantum used in
3110 band-sharing bands. When suffixed with K, M, or G, the specified
3111 size is parsed as Kilobytes, Megabytes, or Gigabytes, respectively,
3112 to the base of 1024. This setting can be specified multiple times.
3113 If an empty string is assigned, then the all previous assignments
3114 are cleared.
3115 PriorityMap=
3117 The priority map maps the priority of a packet to a band. The
3118 argument is a whitespace separated list of numbers. The first
3119 number indicates which band the packets with priority 0 should be
3120 put to, the second is for priority 1, and so on. There can be up to
3121 16 numbers in the list. If there are fewer, the default band that
3122 traffic with one of the unmentioned priorities goes to is the last
3123 one. Each band number must be in the range 0...255. This setting
3124 can be specified multiple times. If an empty string is assigned,
3125 then the all previous assignments are cleared.
3126
3128 The [GenericRandomEarlyDetection] section manages the queueing
3129 discipline (qdisc) of Generic Random Early Detection (GRED).
3130 Parent=
3132 Configures the parent Queueing Discipline (qdisc). Takes one of
3133 "root", "clsact", "ingress" or a class identifier. The class
3134 identifier is specified as the major and minor numbers in
3135 hexadecimal in the range 0x1–0xffff separated with a colon
3136 ("major:minor"). Defaults to "root".
3137 Handle=
3139 Configures the major number of unique identifier of the qdisc,
3140 known as the handle. Takes a hexadecimal number in the range
3141 0x1–0xffff. Defaults to unset.
3142 VirtualQueues=
3144 Specifies the number of virtual queues. Takes an integer in the
3145 range 1...16. Defaults to unset and kernel's default is used.
3146 DefaultVirtualQueue=
3148 Specifies the number of default virtual queue. This must be less
3149 than VirtualQueue=. Defaults to unset and kernel's default is used.
3150 GenericRIO=
3152 Takes a boolean. It turns on the RIO-like buffering scheme.
3153 Defaults to unset and kernel's default is used.
3154
3156 The [FairQueueingControlledDelay] section manages the queueing
3157 discipline (qdisc) of fair queuing controlled delay (FQ-CoDel).
3158 Parent=
3160 Configures the parent Queueing Discipline (qdisc). Takes one of
3161 "root", "clsact", "ingress" or a class identifier. The class
3162 identifier is specified as the major and minor numbers in
3163 hexadecimal in the range 0x1–0xffff separated with a colon
3164 ("major:minor"). Defaults to "root".
3165 Handle=
3167 Configures the major number of unique identifier of the qdisc,
3168 known as the handle. Takes a hexadecimal number in the range
3169 0x1–0xffff. Defaults to unset.
3170 PacketLimit=
3172 Specifies the hard limit on the real queue size. When this limit is
3173 reached, incoming packets are dropped. Defaults to unset and
3174 kernel's default is used.
3175 MemoryLimitBytes=
3177 Specifies the limit on the total number of bytes that can be queued
3178 in this FQ-CoDel instance. When suffixed with K, M, or G, the
3179 specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
3180 respectively, to the base of 1024. Defaults to unset and kernel's
3181 default is used.
3182 Flows=
3184 Specifies the number of flows into which the incoming packets are
3185 classified. Defaults to unset and kernel's default is used.
3186 TargetSec=
3188 Takes a timespan. Specifies the acceptable minimum
3189 standing/persistent queue delay. Defaults to unset and kernel's
3190 default is used.
3191 IntervalSec=
3193 Takes a timespan. This is used to ensure that the measured minimum
3194 delay does not become too stale. Defaults to unset and kernel's
3195 default is used.
3196 QuantumBytes=
3198 Specifies the number of bytes used as the "deficit" in the fair
3199 queuing algorithm timespan. When suffixed with K, M, or G, the
3200 specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
3201 respectively, to the base of 1024. Defaults to unset and kernel's
3202 default is used.
3203 ECN=
3205 Takes a boolean. This can be used to mark packets instead of
3206 dropping them. Defaults to unset and kernel's default is used.
3207 CEThresholdSec=
3209 Takes a timespan. This sets a threshold above which all packets are
3210 marked with ECN Congestion Experienced (CE). Defaults to unset and
3211 kernel's default is used.
3212
3214 The [FairQueueing] section manages the queueing discipline (qdisc) of
3215 fair queue traffic policing (FQ).
3216 Parent=
3218 Configures the parent Queueing Discipline (qdisc). Takes one of
3219 "root", "clsact", "ingress" or a class identifier. The class
3220 identifier is specified as the major and minor numbers in
3221 hexadecimal in the range 0x1–0xffff separated with a colon
3222 ("major:minor"). Defaults to "root".
3223 Handle=
3225 Configures the major number of unique identifier of the qdisc,
3226 known as the handle. Takes a hexadecimal number in the range
3227 0x1–0xffff. Defaults to unset.
3228 PacketLimit=
3230 Specifies the hard limit on the real queue size. When this limit is
3231 reached, incoming packets are dropped. Defaults to unset and
3232 kernel's default is used.
3233 FlowLimit=
3235 Specifies the hard limit on the maximum number of packets queued
3236 per flow. Defaults to unset and kernel's default is used.
3237 QuantumBytes=
3239 Specifies the credit per dequeue RR round, i.e. the amount of bytes
3240 a flow is allowed to dequeue at once. When suffixed with K, M, or
3241 G, the specified size is parsed as Kilobytes, Megabytes, or
3242 Gigabytes, respectively, to the base of 1024. Defaults to unset and
3243 kernel's default is used.
3244 InitialQuantumBytes=
3246 Specifies the initial sending rate credit, i.e. the amount of bytes
3247 a new flow is allowed to dequeue initially. When suffixed with K,
3248 M, or G, the specified size is parsed as Kilobytes, Megabytes, or
3249 Gigabytes, respectively, to the base of 1024. Defaults to unset and
3250 kernel's default is used.
3251 MaximumRate=
3253 Specifies the maximum sending rate of a flow. When suffixed with K,
3254 M, or G, the specified size is parsed as Kilobits, Megabits, or
3255 Gigabits, respectively, to the base of 1000. Defaults to unset and
3256 kernel's default is used.
3257 Buckets=
3259 Specifies the size of the hash table used for flow lookups.
3260 Defaults to unset and kernel's default is used.
3261 OrphanMask=
3263 Takes an unsigned integer. For packets not owned by a socket, fq is
3264 able to mask a part of hash and reduce number of buckets associated
3265 with the traffic. Defaults to unset and kernel's default is used.
3266 Pacing=
3268 Takes a boolean, and enables or disables flow pacing. Defaults to
3269 unset and kernel's default is used.
3270 CEThresholdSec=
3272 Takes a timespan. This sets a threshold above which all packets are
3273 marked with ECN Congestion Experienced (CE). Defaults to unset and
3274 kernel's default is used.
3275
3277 The [TrivialLinkEqualizer] section manages the queueing discipline
3278 (qdisc) of trivial link equalizer (teql).
3279 Parent=
3281 Configures the parent Queueing Discipline (qdisc). Takes one of
3282 "root", "clsact", "ingress" or a class identifier. The class
3283 identifier is specified as the major and minor numbers in
3284 hexadecimal in the range 0x1–0xffff separated with a colon
3285 ("major:minor"). Defaults to "root".
3286 Handle=
3288 Configures the major number of unique identifier of the qdisc,
3289 known as the handle. Takes a hexadecimal number in the range
3290 0x1–0xffff. Defaults to unset.
3291 Id=
3293 Specifies the interface ID "N" of teql. Defaults to "0". Note that
3294 when teql is used, currently, the module sch_teql with
3295 max_equalizers=N+1 option must be loaded before systemd-networkd is
3296 started.
3297
3299 The [HierarchyTokenBucket] section manages the queueing discipline
3300 (qdisc) of hierarchy token bucket (htb).
3301 Parent=
3303 Configures the parent Queueing Discipline (qdisc). Takes one of
3304 "root", "clsact", "ingress" or a class identifier. The class
3305 identifier is specified as the major and minor numbers in
3306 hexadecimal in the range 0x1–0xffff separated with a colon
3307 ("major:minor"). Defaults to "root".
3308 Handle=
3310 Configures the major number of unique identifier of the qdisc,
3311 known as the handle. Takes a hexadecimal number in the range
3312 0x1–0xffff. Defaults to unset.
3313 DefaultClass=
3315 Takes the minor id in hexadecimal of the default class.
3316 Unclassified traffic gets sent to the class. Defaults to unset.
3317 RateToQuantum=
3319 Takes an unsigned integer. The DRR quantums are calculated by
3320 dividing the value configured in Rate= by RateToQuantum=.
3321
3323 The [HierarchyTokenBucketClass] section manages the traffic control
3324 class of hierarchy token bucket (htb).
3325 Parent=
3327 Configures the parent Queueing Discipline (qdisc). Takes one of
3328 "root", or a qdisc identifier. The qdisc identifier is specified as
3329 the major and minor numbers in hexadecimal in the range 0x1–0xffff
3330 separated with a colon ("major:minor"). Defaults to "root".
3331 ClassId=
3333 Configures the unique identifier of the class. It is specified as
3334 the major and minor numbers in hexadecimal in the range 0x1–0xffff
3335 separated with a colon ("major:minor"). Defaults to unset.
3336 Priority=
3338 Specifies the priority of the class. In the round-robin process,
3339 classes with the lowest priority field are tried for packets first.
3340 QuantumBytes=
3342 Specifies how many bytes to serve from leaf at once. When suffixed
3343 with K, M, or G, the specified size is parsed as Kilobytes,
3344 Megabytes, or Gigabytes, respectively, to the base of 1024.
3345 MTUBytes=
3347 Specifies the maximum packet size we create. When suffixed with K,
3348 M, or G, the specified size is parsed as Kilobytes, Megabytes, or
3349 Gigabytes, respectively, to the base of 1024.
3350 OverheadBytes=
3352 Takes an unsigned integer which specifies per-packet size overhead
3353 used in rate computations. When suffixed with K, M, or G, the
3354 specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
3355 respectively, to the base of 1024.
3356 Rate=
3358 Specifies the maximum rate this class and all its children are
3359 guaranteed. When suffixed with K, M, or G, the specified size is
3360 parsed as Kilobits, Megabits, or Gigabits, respectively, to the
3361 base of 1000. This setting is mandatory.
3362 CeilRate=
3364 Specifies the maximum rate at which a class can send, if its parent
3365 has bandwidth to spare. When suffixed with K, M, or G, the
3366 specified size is parsed as Kilobits, Megabits, or Gigabits,
3367 respectively, to the base of 1000. When unset, the value specified
3368 with Rate= is used.
3369 BufferBytes=
3371 Specifies the maximum bytes burst which can be accumulated during
3372 idle period. When suffixed with K, M, or G, the specified size is
3373 parsed as Kilobytes, Megabytes, or Gigabytes, respectively, to the
3374 base of 1024.
3375 CeilBufferBytes=
3377 Specifies the maximum bytes burst for ceil which can be accumulated
3378 during idle period. When suffixed with K, M, or G, the specified
3379 size is parsed as Kilobytes, Megabytes, or Gigabytes, respectively,
3380 to the base of 1024.
3381
3383 The [HeavyHitterFilter] section manages the queueing discipline (qdisc)
3384 of Heavy Hitter Filter (hhf).
3385 Parent=
3387 Configures the parent Queueing Discipline (qdisc). Takes one of
3388 "root", "clsact", "ingress" or a class identifier. The class
3389 identifier is specified as the major and minor numbers in
3390 hexadecimal in the range 0x1–0xffff separated with a colon
3391 ("major:minor"). Defaults to "root".
3392 Handle=
3394 Configures the major number of unique identifier of the qdisc,
3395 known as the handle. Takes a hexadecimal number in the range
3396 0x1–0xffff. Defaults to unset.
3397 PacketLimit=
3399 Specifies the hard limit on the queue size in number of packets.
3400 When this limit is reached, incoming packets are dropped. An
3401 unsigned integer in the range 0...4294967294. Defaults to unset and
3402 kernel's default is used.
3403
3405 The [QuickFairQueueing] section manages the queueing discipline (qdisc)
3406 of Quick Fair Queueing (QFQ).
3407 Parent=
3409 Configures the parent Queueing Discipline (qdisc). Takes one of
3410 "root", "clsact", "ingress" or a class identifier. The class
3411 identifier is specified as the major and minor numbers in
3412 hexadecimal in the range 0x1–0xffff separated with a colon
3413 ("major:minor"). Defaults to "root".
3414 Handle=
3416 Configures the major number of unique identifier of the qdisc,
3417 known as the handle. Takes a hexadecimal number in the range
3418 0x1–0xffff. Defaults to unset.
3419
3421 The [QuickFairQueueingClass] section manages the traffic control class
3422 of Quick Fair Queueing (qfq).
3423 Parent=
3425 Configures the parent Queueing Discipline (qdisc). Takes one of
3426 "root", or a qdisc identifier. The qdisc identifier is specified as
3427 the major and minor numbers in hexadecimal in the range 0x1–0xffff
3428 separated with a colon ("major:minor"). Defaults to "root".
3429 ClassId=
3431 Configures the unique identifier of the class. It is specified as
3432 the major and minor numbers in hexadecimal in the range 0x1–0xffff
3433 separated with a colon ("major:minor"). Defaults to unset.
3434 Weight=
3436 Specifies the weight of the class. Takes an integer in the range
3437 1...1023. Defaults to unset in which case the kernel default is
3438 used.
3439 MaxPacketBytes=
3441 Specifies the maximum packet size in bytes for the class. When
3442 suffixed with K, M, or G, the specified size is parsed as
3443 Kilobytes, Megabytes, or Gigabytes, respectively, to the base of
3444 1024. When unset, the kernel default is used.
3445
3447 The [BridgeVLAN] section manages the VLAN ID configuration of a bridge
3448 port and accepts the following keys. Specify several [BridgeVLAN]
3449 sections to configure several VLAN entries. The VLANFiltering= option
3450 has to be enabled, see the [Bridge] section in systemd.netdev(5).
3451 VLAN=
3453 The VLAN ID allowed on the port. This can be either a single ID or
3454 a range M-N. Takes an integer in the range 1...4094.
3455 EgressUntagged=
3457 The VLAN ID specified here will be used to untag frames on egress.
3458 Configuring EgressUntagged= implicates the use of VLAN= above and
3459 will enable the VLAN ID for ingress as well. This can be either a
3460 single ID or a range M-N.
3461 PVID=
3463 The Port VLAN ID specified here is assigned to all untagged frames
3464 at ingress. PVID= can be used only once. Configuring PVID=
3465 implicates the use of VLAN= above and will enable the VLAN ID for
3466 ingress as well.
3467
3469 Example 1. Static network configuration
3470 # /etc/systemd/network/50-static.network
3472 [Match]
3473 Name=enp2s0
3474 [Network]
3476 Address=192.168.0.15/24
3477 Gateway=192.168.0.1
3478 This brings interface "enp2s0" up with a static address. The specified
3480 gateway will be used for a default route.
3481 Example 2. DHCP on ethernet links
3483 # /etc/systemd/network/80-dhcp.network
3485 [Match]
3486 Name=en*
3487 [Network]
3489 DHCP=yes
3490 This will enable DHCPv4 and DHCPv6 on all interfaces with names
3492 starting with "en" (i.e. ethernet interfaces).
3493 Example 3. IPv6 Prefix Delegation (DHCPv6 PD)
3495 # /etc/systemd/network/55-dhcpv6-pd-upstream.network
3497 [Match]
3498 Name=enp1s0
3499 [Network]
3501 DHCP=ipv6
3502 # The below setting is optional, to also assign an address in the delegated prefix
3504 # to the upstream interface. If not necessary, then comment out the line below and
3505 # the [DHCPPrefixDelegation] section.
3506 DHCPPrefixDelegation=yes
3507 # If the upstream network provides Router Advertisement with Managed bit set,
3509 # then comment out the line below and WithoutRA= setting in the [DHCPv6] section.
3510 IPv6AcceptRA=no
3511 [DHCPv6]
3513 WithoutRA=solicit
3514 [DHCPPrefixDelegation]
3516 UplinkInterface=:self
3517 SubnetId=0
3518 Announce=no
3519 # /etc/systemd/network/55-dhcpv6-pd-downstream.network
3521 [Match]
3522 Name=enp2s0
3523 [Network]
3525 DHCPPrefixDelegation=yes
3526 IPv6SendRA=yes
3527 # It is expected that the host is acting as a router. So, usually it is not
3529 # necessary to receive Router Advertisement from other hosts in the downstream network.
3530 IPv6AcceptRA=no
3531 [DHCPPrefixDelegation]
3533 UplinkInterface=enp1s0
3534 SubnetId=1
3535 Announce=yes
3536 This will enable DHCPv6-PD on the interface enp1s0 as an upstream
3538 interface where the DHCPv6 client is running and enp2s0 as a downstream
3539 interface where the prefix is delegated to. The delegated prefixes are
3540 distributed by IPv6 Router Advertisement on the downstream network.
3541 Example 4. IPv6 Prefix Delegation (DHCPv4 6RD)
3543 # /etc/systemd/network/55-dhcpv4-6rd-upstream.network
3545 [Match]
3546 Name=enp1s0
3547 [Network]
3549 DHCP=ipv4
3550 # When DHCPv4-6RD is used, the upstream network does not support IPv6.
3552 # Hence, it is not necessary to wait for Router Advertisement, which is enabled by default.
3553 IPv6AcceptRA=no
3554 [DHCPv4]
3556 Use6RD=yes
3557 # /etc/systemd/network/55-dhcpv4-6rd-downstream.network
3559 [Match]
3560 Name=enp2s0
3561 [Network]
3563 DHCPPrefixDelegation=yes
3564 IPv6SendRA=yes
3565 # It is expected that the host is acting as a router. So, usually it is not
3567 # necessary to receive Router Advertisement from other hosts in the downstream network.
3568 IPv6AcceptRA=no
3569 [DHCPPrefixDelegation]
3571 UplinkInterface=enp1s0
3572 SubnetId=1
3573 Announce=yes
3574 This will enable DHCPv4-6RD on the interface enp1s0 as an upstream
3576 interface where the DHCPv4 client is running and enp2s0 as a downstream
3577 interface where the prefix is delegated to. The delegated prefixes are
3578 distributed by IPv6 Router Advertisement on the downstream network.
3579 Example 5. A bridge with two enslaved links
3581 # /etc/systemd/network/25-bridge-static.netdev
3583 [NetDev]
3584 Name=bridge0
3585 Kind=bridge
3586 # /etc/systemd/network/25-bridge-static.network
3588 [Match]
3589 Name=bridge0
3590 [Network]
3592 Address=192.168.0.15/24
3593 Gateway=192.168.0.1
3594 DNS=192.168.0.1
3595 # /etc/systemd/network/25-bridge-slave-interface-1.network
3597 [Match]
3598 Name=enp2s0
3599 [Network]
3601 Bridge=bridge0
3602 # /etc/systemd/network/25-bridge-slave-interface-2.network
3604 [Match]
3605 Name=wlp3s0
3606 [Network]
3608 Bridge=bridge0
3609 This creates a bridge and attaches devices "enp2s0" and "wlp3s0" to it.
3611 The bridge will have the specified static address and network assigned,
3612 and a default route via the specified gateway will be added. The
3613 specified DNS server will be added to the global list of DNS resolvers.
3614 Example 6. Bridge port with VLAN forwarding
3616 # /etc/systemd/network/25-bridge-slave-interface-1.network
3618 [Match]
3619 Name=enp2s0
3620 [Network]
3622 Bridge=bridge0
3623 [BridgeVLAN]
3625 VLAN=1-32
3626 PVID=42
3627 EgressUntagged=42
3628 [BridgeVLAN]
3630 VLAN=100-200
3631 [BridgeVLAN]
3633 EgressUntagged=300-400
3634 This overrides the configuration specified in the previous example for
3636 the interface "enp2s0", and enables VLAN on that bridge port. VLAN IDs
3637 1-32, 42, 100-400 will be allowed. Packets tagged with VLAN IDs 42,
3638 300-400 will be untagged when they leave on this interface. Untagged
3639 packets which arrive on this interface will be assigned VLAN ID 42.
3640 Example 7. Various tunnels
3642 /etc/systemd/network/25-tunnels.network
3644 [Match]
3645 Name=ens1
3646 [Network]
3648 Tunnel=ipip-tun
3649 Tunnel=sit-tun
3650 Tunnel=gre-tun
3651 Tunnel=vti-tun
3652 /etc/systemd/network/25-tunnel-ipip.netdev
3655 [NetDev]
3656 Name=ipip-tun
3657 Kind=ipip
3658 /etc/systemd/network/25-tunnel-sit.netdev
3661 [NetDev]
3662 Name=sit-tun
3663 Kind=sit
3664 /etc/systemd/network/25-tunnel-gre.netdev
3667 [NetDev]
3668 Name=gre-tun
3669 Kind=gre
3670 /etc/systemd/network/25-tunnel-vti.netdev
3673 [NetDev]
3674 Name=vti-tun
3675 Kind=vti
3676 This will bring interface "ens1" up and create an IPIP tunnel, a SIT
3679 tunnel, a GRE tunnel, and a VTI tunnel using it.
3680 Example 8. A bond device
3682 # /etc/systemd/network/30-bond1.network
3684 [Match]
3685 Name=bond1
3686 [Network]
3688 DHCP=ipv6
3689 # /etc/systemd/network/30-bond1.netdev
3691 [NetDev]
3692 Name=bond1
3693 Kind=bond
3694 # /etc/systemd/network/30-bond1-dev1.network
3696 [Match]
3697 MACAddress=52:54:00:e9:64:41
3698 [Network]
3700 Bond=bond1
3701 # /etc/systemd/network/30-bond1-dev2.network
3703 [Match]
3704 MACAddress=52:54:00:e9:64:42
3705 [Network]
3707 Bond=bond1
3708 This will create a bond device "bond1" and enslave the two devices with
3710 MAC addresses 52:54:00:e9:64:41 and 52:54:00:e9:64:42 to it. IPv6 DHCP
3711 will be used to acquire an address.
3712 Example 9. Virtual Routing and Forwarding (VRF)
3714 Add the "bond1" interface to the VRF master interface "vrf1". This will
3716 redirect routes generated on this interface to be within the routing
3717 table defined during VRF creation. For kernels before 4.8 traffic won't
3718 be redirected towards the VRFs routing table unless specific ip-rules
3719 are added.
3720 # /etc/systemd/network/25-vrf.network
3722 [Match]
3723 Name=bond1
3724 [Network]
3726 VRF=vrf1
3727 Example 10. MacVTap
3729 This brings up a network interface "macvtap-test" and attaches it to
3731 "enp0s25".
3732 # /usr/lib/systemd/network/25-macvtap.network
3734 [Match]
3735 Name=enp0s25
3736 [Network]
3738 MACVTAP=macvtap-test
3739 Example 11. A Xfrm interface with physical underlying device.
3741 # /etc/systemd/network/27-xfrm.netdev
3743 [NetDev]
3744 Name=xfrm0
3745 Kind=xfrm
3746 [Xfrm]
3748 InterfaceId=7
3749 # /etc/systemd/network/27-eth0.network
3751 [Match]
3752 Name=eth0
3753 [Network]
3755 Xfrm=xfrm0
3756 This creates a "xfrm0" interface and binds it to the "eth0" device.
3758 This allows hardware based ipsec offloading to the "eth0" nic. If
3759 offloading is not needed, xfrm interfaces can be assigned to the "lo"
3760 device.
3761
3763 systemd(1), systemd-networkd.service(8), systemd.link(5),
3764 systemd.netdev(5), systemd-network-generator.service(8), systemd-
3765 resolved.service(8)
3766
3768 1. System and Service Credentials
3769 https://systemd.io/CREDENTIALS
3770 2. Link-Local Multicast Name Resolution
3772 https://tools.ietf.org/html/rfc4795
3773 3. Multicast DNS
3775 https://tools.ietf.org/html/rfc6762
3776 4. DNS-over-TLS
3778 https://tools.ietf.org/html/rfc7858
3779 5. DNSSEC
3781 https://tools.ietf.org/html/rfc4033
3782 6. IEEE 802.1AB-2016
3784 https://standards.ieee.org/findstds/standard/802.1AB-2016.html
3785 7. IP Sysctl
3787 https://docs.kernel.org/networking/ip-sysctl.html
3788 8. RFC 4941
3790 https://tools.ietf.org/html/rfc4941
3791 9. RFC 1027
3793 https://tools.ietf.org/html/rfc1027
3794 10. RFC 6275
3796 https://tools.ietf.org/html/rfc6275
3797 11. RFC 5227
3799 https://tools.ietf.org/html/rfc5227
3800 12. RFC 4862
3802 https://tools.ietf.org/html/rfc4862
3803 13. RFC 3041
3805 https://tools.ietf.org/html/rfc3041
3806 14. NetLabel
3808 https://docs.kernel.org/netlabel/index.html
3809 15. Linux Security Modules (LSMs)
3811 https://en.wikipedia.org/wiki/Linux_Security_Modules
3812 16. NetLabel Fallback Peer Labeling
3814 https://github.com/SELinuxProject/selinux-notebook/blob/main/src/network_support.md
3815 17. RFC 3484
3817 https://tools.ietf.org/html/rfc3484
3818 18. RFC 4191
3820 https://tools.ietf.org/html/rfc4191
3821 19. RFC 8520
3823 https://tools.ietf.org/html/rfc8520
3824 20. RFC 7844
3826 https://tools.ietf.org/html/rfc7844
3827 21. C-style escapes
3829 https://en.wikipedia.org/wiki/Escape_sequences_in_C#Table_of_escape_sequences
3830 22. RFC 5969
3832 https://tools.ietf.org/html/rfc5969
3833 23. RFC 3315
3835 https://tools.ietf.org/html/rfc3315#section-17.2.1
3836 24. RFC 8415
3838 https://www.rfc-editor.org/rfc/rfc8415.html#section-6.3
3839 25. RFC 4291
3841 https://tools.ietf.org/html/rfc4291#section-2.5.4
3842 26. RFC 7217
3844 https://tools.ietf.org/html/rfc7217
3845 27. RFC 2131
3847 https://www.rfc-editor.org/rfc/rfc2131.html
3848 28. RFC 2132
3850 https://www.rfc-editor.org/rfc/rfc2132.html
3851 29. RFC 1542
3853 https://tools.ietf.org/html/rfc1542
3854 30. RFC 4861
3856 https://tools.ietf.org/html/rfc4861
3857systemd 253 SYSTEMD.NETWORK(5)