SYSTEMD.NETWORK(5) systemd.network SYSTEMD.NETWORK(5)

systemd.network - Network configuration

network.network

A plain ini-style text file that encodes network configuration for
matching network interfaces, used by systemd-networkd(8). See
systemd.syntax(7) for a general description of the syntax.

The main network file must have the extension .network; other
extensions are ignored. Networks are applied to links whenever the
links appear.

The .network files are read from the files located in the system
network directories /usr/lib/systemd/network and
/usr/local/lib/systemd/network, the volatile runtime network directory
/run/systemd/network and the local administration network directory
/etc/systemd/network. All configuration files are collectively sorted
and processed in alphanumeric order, regardless of the directories in
which they live. However, files with identical filenames replace each
other. It is recommended that each filename is prefixed with a number
(e.g. 10-eth0.network). Otherwise, the default .network files or those
generated by systemd-network-generator.service(8) may take precedence
over user configured files. Files in /etc/ have the highest priority,
files in /run/ take precedence over files with the same name under
/usr/. This can be used to override a system-supplied configuration
file with a local file if needed. As a special case, an empty file
(file size 0) or symlink with the same name pointing to /dev/null
disables the configuration file entirely (it is "masked").

Along with the network file foo.network, a "drop-in" directory
foo.network.d/ may exist. All files with the suffix ".conf" from this
directory will be merged in the alphanumeric order and parsed after the
main file itself has been parsed. This is useful to alter or add
configuration settings, without having to modify the main configuration
file. Each drop-in file must have appropriate section headers.

In addition to /etc/systemd/network, drop-in ".d" directories can be
placed in /usr/lib/systemd/network or /run/systemd/network directories.
Drop-in files in /etc/ take precedence over those in /run/ which in
turn take precedence over those in /usr/lib/. Drop-in files under any
of these directories take precedence over the main network file
wherever located.

The network file contains a [Match] section, which determines if a
given network file may be applied to a given interface; and a [Network]
section specifying how the interface should be configured. The first
(in alphanumeric order) of the network files that matches a given
interface is applied, all later files are ignored, even if they match
as well.
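
The ordering, same-name replacement, masking and first-match rules described
above decide which file actually configures an interface, so a low-numbered
generated file can silently shadow an administrator's file. The following is an
added example, not code from systemd: a simplified Python model that evaluates
only Name= in [Match], ignores drop-ins and /usr/local/lib, and runs against a
constructed directory tree (all file names and contents are made up).

```python
import fnmatch
import os
import tempfile

# Directories in increasing priority for files that share a name (per the page:
# /etc beats /run beats /usr). /usr/local/lib/systemd/network is left out because
# the page does not state its rank relative to /usr/lib.
DIRS = ["usr/lib/systemd/network", "run/systemd/network", "etc/systemd/network"]


def is_masked(path):
    """An empty file, or a symlink pointing to /dev/null, masks that file name."""
    if os.path.islink(path) and os.readlink(path) == "/dev/null":
        return True
    return os.path.getsize(path) == 0


def effective_files(root):
    """Return [(name, path)] sorted by file name after same-name replacement."""
    chosen = {}
    for d in DIRS:  # later (higher priority) directories overwrite earlier ones
        full = os.path.join(root, d)
        if not os.path.isdir(full):
            continue
        for name in os.listdir(full):
            if name.endswith(".network"):  # other extensions are ignored
                chosen[name] = os.path.join(full, name)
    return sorted(chosen.items())


def name_globs(path):
    """Collect Name= globs from [Match]; this model evaluates no other key."""
    section, globs = None, []
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
            elif section == "Match" and "=" in line:
                key, value = (part.strip() for part in line.split("=", 1))
                if key == "Name":
                    globs += value.split()
    return globs


def matches(path, ifname):
    globs = name_globs(path)
    if not globs:  # no [Match] settings in this model: the file matches everything
        return True
    invert = globs[0].startswith("!")  # a leading "!" inverts the whole test
    if invert:
        globs[0] = globs[0][1:]
    hit = any(fnmatch.fnmatchcase(ifname, g) for g in globs if g)
    return hit != invert


def select(root, ifname):
    """First unmasked matching file in name order wins; later ones are ignored."""
    for _name, path in effective_files(root):
        if not is_masked(path) and matches(path, ifname):
            return os.path.relpath(path, root)
    return None


def write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Constructed tree: a generated 05- file shadows the admin's 10-eth0 file."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "usr/lib/systemd/network/80-default.network",
              "[Match]\nName=*\n[Network]\nDHCP=yes\n")
        write(root, "etc/systemd/network/10-eth0.network",
              "[Match]\nName=eth0\n[Network]\nAddress=192.0.2.10/24\n")
        write(root, "run/systemd/network/05-generated.network",
              "[Match]\nName=eth*\n[Network]\nDHCP=yes\n")
        shadowed = select(root, "eth0")
        # Mask the generated file with an empty file of the same name in /etc.
        write(root, "etc/systemd/network/05-generated.network", "")
        fixed = select(root, "eth0")
        other = select(root, "wlan0")
        return shadowed, fixed, other


if __name__ == "__main__":
    print(demo())
```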

A network file is said to match a network interface if all matches
specified by the [Match] section are satisfied. When a network file
does not contain valid settings in [Match] section, then the file will
match all interfaces and systemd-networkd warns about that. Hint: to
avoid the warning and to make it clear that all interfaces shall be
matched, add the following:

    Name=*

The following keys are accepted:

MACAddress=
A whitespace-separated list of hardware addresses. The acceptable
formats are:

colon-delimited hexadecimal
Each field must be one byte. E.g. "12:34:56:78:90:ab" or
"AA:BB:CC:DD:EE:FF".

hyphen-delimited hexadecimal
Each field must be one byte. E.g. "12-34-56-78-90-ab" or
"AA-BB-CC-DD-EE-FF".

dot-delimited hexadecimal
Each field must be two bytes. E.g. "1234.5678.90ab" or
"AABB.CCDD.EEFF".

IPv4 address format
E.g. "127.0.0.1" or "192.168.0.1".

IPv6 address format
E.g. "2001:0db8:85a3::8a2e:0370:7334" or "::1".

The total length of each MAC address must be 4 (for IPv4 tunnel), 6
(for Ethernet), 16 (for IPv6 tunnel), or 20 (for InfiniBand). This
option may appear more than once, in which case the lists are
merged. If the empty string is assigned to this option, the list of
hardware addresses defined prior to this is reset. Defaults to
unset.

PermanentMACAddress=
A whitespace-separated list of hardware's permanent addresses.
While MACAddress= matches the device's current MAC address, this
matches the device's permanent MAC address, which may be different
from the current one. Use full colon-, hyphen- or dot-delimited
hexadecimal, or IPv4 or IPv6 address format. This option may appear
more than once, in which case the lists are merged. If the empty
string is assigned to this option, the list of hardware addresses
defined prior to this is reset. Defaults to unset.

Path=
A whitespace-separated list of shell-style globs matching the
persistent path, as exposed by the udev property ID_PATH.

Driver=
A whitespace-separated list of shell-style globs matching the
driver currently bound to the device, as exposed by the udev
property ID_NET_DRIVER of its parent device, or if that is not set,
the driver as exposed by ethtool -i of the device itself. If the
list is prefixed with a "!", the test is inverted.

Type=
A whitespace-separated list of shell-style globs matching the
device type, as exposed by networkctl list. If the list is prefixed
with a "!", the test is inverted. Some valid values are "ether",
"loopback", "wlan", "wwan". Valid types are named either from the
udev "DEVTYPE" attribute, or "ARPHRD_" macros in linux/if_arp.h, so
this is not comprehensive.

Kind=
A whitespace-separated list of shell-style globs matching the
device kind, as exposed by networkctl status INTERFACE or ip -d
link show INTERFACE. If the list is prefixed with a "!", the test
is inverted. Some valid values are "bond", "bridge", "gre", "tun",
"veth". Valid kinds are given by netlink's "IFLA_INFO_KIND"
attribute, so this is not comprehensive.

Property=
A whitespace-separated list of udev property names with their
values after equals sign ("="). If multiple properties are
specified, the test results are ANDed. If the list is prefixed with
a "!", the test is inverted. If a value contains white spaces, then
please quote whole key and value pair. If a value contains
quotation, then please escape the quotation with "\".

Example: if a .link file has the following:

    Property=ID_MODEL_ID=9999 "ID_VENDOR_FROM_DATABASE=vendor name" "KEY=with \"quotation\""

then, the .link file matches only when an interface has all the
above three properties.

Name=
A whitespace-separated list of shell-style globs matching the
device name, as exposed by the udev property "INTERFACE", or
device's alternative names. If the list is prefixed with a "!", the
test is inverted.

WLANInterfaceType=
A whitespace-separated list of wireless network types. Supported
values are "ad-hoc", "station", "ap", "ap-vlan", "wds", "monitor",
"mesh-point", "p2p-client", "p2p-go", "p2p-device", "ocb", and
"nan". If the list is prefixed with a "!", the test is inverted.

SSID=
A whitespace-separated list of shell-style globs matching the SSID
of the currently connected wireless LAN. If the list is prefixed
with a "!", the test is inverted.

BSSID=
A whitespace-separated list of hardware addresses of the currently
connected wireless LAN. Use full colon-, hyphen- or dot-delimited
hexadecimal. See the example in MACAddress=. This option may appear
more than once, in which case the lists are merged. If the empty
string is assigned to this option, the list is reset.

Host=
Matches against the hostname or machine ID of the host. See
ConditionHost= in systemd.unit(5) for details. When prefixed with
an exclamation mark ("!"), the result is negated. If an empty
string is assigned, the previously assigned value is cleared.

Virtualization=
Checks whether the system is executed in a virtualized environment
and optionally test whether it is a specific implementation. See
ConditionVirtualization= in systemd.unit(5) for details. When
prefixed with an exclamation mark ("!"), the result is negated. If
an empty string is assigned, the previously assigned value is
cleared.

KernelCommandLine=
Checks whether a specific kernel command line option is set. See
ConditionKernelCommandLine= in systemd.unit(5) for details. When
prefixed with an exclamation mark ("!"), the result is negated. If
an empty string is assigned, the previously assigned value is
cleared.

KernelVersion=
Checks whether the kernel version (as reported by uname -r) matches
a certain expression. See ConditionKernelVersion= in
systemd.unit(5) for details. When prefixed with an exclamation mark
("!"), the result is negated. If an empty string is assigned, the
previously assigned value is cleared.

Credential=
Checks whether the specified credential was passed to the
systemd-udevd.service service. See System and Service
Credentials[1] for details. When prefixed with an exclamation mark
("!"), the result is negated. If an empty string is assigned, the
previously assigned value is cleared.

Architecture=
Checks whether the system is running on a specific architecture.
See ConditionArchitecture= in systemd.unit(5) for details. When
prefixed with an exclamation mark ("!"), the result is negated. If
an empty string is assigned, the previously assigned value is
cleared.

Firmware=
Checks whether the system is running on a machine with the
specified firmware. See ConditionFirmware= in systemd.unit(5) for
details. When prefixed with an exclamation mark ("!"), the result
is negated. If an empty string is assigned, the previously assigned
value is cleared.

The [Link] section accepts the following keys:

MACAddress=
The hardware address to set for the device.

MTUBytes=
The maximum transmission unit in bytes to set for the device. The
usual suffixes K, M, G, are supported and are understood to the
base of 1024.

Note that if IPv6 is enabled on the interface, and the MTU is
chosen below 1280 (the minimum MTU for IPv6) it will automatically
be increased to this value.

ARP=
Takes a boolean. If set to true, the ARP (low-level Address
Resolution Protocol) for this interface is enabled. When unset, the
kernel's default will be used.

For example, disabling ARP is useful when creating multiple MACVLAN
or VLAN virtual interfaces atop a single lower-level physical
interface, which will then only serve as a link/"bridge" device
aggregating traffic to the same physical link and not participate
in the network otherwise. Defaults to unset.

Multicast=
Takes a boolean. If set to true, the multicast flag on the device
is enabled. Defaults to unset.

AllMulticast=
Takes a boolean. If set to true, the driver retrieves all multicast
packets from the network. This happens when multicast routing is
enabled. Defaults to unset.

Promiscuous=
Takes a boolean. If set to true, promiscuous mode of the interface
is enabled. Defaults to unset.

If this is set to false for the underlying link of a "passthru"
mode MACVLAN/MACVTAP, the virtual interface will be created with
the "nopromisc" flag set.

Unmanaged=
Takes a boolean. When "yes", no attempts are made to bring up or
configure matching links, equivalent to when there are no matching
network files. Defaults to "no".

This is useful for preventing later matching network files from
interfering with certain interfaces that are fully controlled by
other applications.

Group=
Link groups are similar to port ranges found in managed switches.
When network interfaces are added to a numbered group, operations
on all the interfaces from that group can be performed at once.
Takes an unsigned integer in the range 0...2147483647. Defaults to
unset.

RequiredForOnline=
Takes a boolean or a minimum operational state and an optional
maximum operational state. Please see networkctl(1) for possible
operational states. When "yes", the network is deemed required when
determining whether the system is online (including when running
systemd-networkd-wait-online). When "no", the network is ignored
when determining the online state. When a minimum operational state
and an optional maximum operational state are set, "yes" is
implied, and this controls the minimum and maximum operational
state required for the network interface to be considered online.

Defaults to "yes" when ActivationPolicy= is not set, or set to
"up", "always-up", or "bound". Defaults to "no" when
ActivationPolicy= is set to "manual" or "down". This is forced to
"no" when ActivationPolicy= is set to "always-down".

The network will be brought up normally (as configured by
ActivationPolicy=), but in the event that there is no address being
assigned by DHCP or the cable is not plugged in, the link will
simply remain offline and be skipped automatically by
systemd-networkd-wait-online if "RequiredForOnline=no".

RequiredFamilyForOnline=
Takes an address family. When specified, an IP address in the given
family is deemed required when determining whether the link is
online (including when running systemd-networkd-wait-online). Takes
one of "ipv4", "ipv6", "both", or "any". Defaults to "any". Note
that this option has no effect if "RequiredForOnline=no", or if
"RequiredForOnline=" specifies a minimum operational state below
"degraded".

ActivationPolicy=
Specifies the policy for systemd-networkd managing the link
administrative state. Specifically, this controls how
systemd-networkd changes the network device's "IFF_UP" flag, which
is sometimes controlled by system administrators by running e.g.,
ip link set dev eth0 up or ip link set dev eth0 down, and can also
be changed with networkctl up eth0 or networkctl down eth0.

Takes one of "up", "always-up", "manual", "always-down", "down", or
"bound". When "manual", systemd-networkd will not change the link's
admin state automatically; the system administrator must bring the
interface up or down manually, as desired. When "up" (the default)
or "always-up", or "down" or "always-down", systemd-networkd will
set the link up or down, respectively, when the interface is
(re)configured. When "always-up" or "always-down", systemd-networkd
will set the link up or down, respectively, any time
systemd-networkd detects a change in the administrative state. When
BindCarrier= is also set, this is automatically set to "bound" and
any other value is ignored.

When the policy is set to "down" or "manual", the default value of
RequiredForOnline= is "no". When the policy is set to
"always-down", the value of RequiredForOnline= is forced to "no".

The administrative state is not the same as the carrier state, so
using "always-up" does not mean the link will never lose carrier.
The link carrier depends on both the administrative state as well
as the network device's physical connection. However, to avoid
reconfiguration failures, when using "always-up",
IgnoreCarrierLoss= is forced to true.

The [SR-IOV] section accepts the following keys. Specify several
[SR-IOV] sections to configure several SR-IOVs. SR-IOV provides the
ability to partition a single physical PCI resource into virtual PCI
functions which can then be injected into a VM. In the case of network
VFs, SR-IOV improves north-south network performance (that is, traffic
with endpoints outside the host machine) by allowing traffic to bypass
the host machine’s network stack.

VirtualFunction=
Specifies a Virtual Function (VF), a lightweight PCIe function
designed solely to move data in and out. Takes an integer in the
range 0...2147483646. This option is compulsory.

VLANId=
Specifies VLAN ID of the virtual function. Takes an integer in the
range 1...4095.

QualityOfService=
Specifies quality of service of the virtual function. Takes an
integer in the range 1...4294967294.

VLANProtocol=
Specifies VLAN protocol of the virtual function. Takes "802.1Q" or
"802.1ad".

MACSpoofCheck=
Takes a boolean. Controls the MAC spoof checking. When unset, the
kernel's default will be used.

QueryReceiveSideScaling=
Takes a boolean. Toggle the ability of querying the receive side
scaling (RSS) configuration of the virtual function (VF). The VF
RSS information like RSS hash key may be considered sensitive on
some devices where this information is shared between VF and the
physical function (PF). When unset, the kernel's default will be
used.

Trust=
Takes a boolean. Allows one to set trust mode of the virtual
function (VF). When set, VF users can set a specific feature which
may impact security and/or performance. When unset, the kernel's
default will be used.

LinkState=
Allows one to set the link state of the virtual function (VF).
Takes a boolean or a special value "auto". Setting to "auto" means
a reflection of the physical function (PF) link state, "yes" lets
the VF communicate with other VFs on this host even if the PF
link state is down, "no" causes the hardware to drop any packets
sent by the VF. When unset, the kernel's default will be used.

MACAddress=
Specifies the MAC address for the virtual function.

The [Network] section accepts the following keys:

Description=
A description of the device. This is only used for presentation
purposes.

DHCP=
Enables DHCPv4 and/or DHCPv6 client support. Accepts "yes", "no",
"ipv4", or "ipv6". Defaults to "no".

Note that DHCPv6 will by default be triggered by Router
Advertisements, if reception is enabled, regardless of this
parameter. By explicitly enabling DHCPv6 support here, the DHCPv6
client will be started in the mode specified by the WithoutRA=
setting in the [DHCPv6] section, regardless of the presence of
routers on the link, or what flags the routers pass. See
IPv6AcceptRA=.

Furthermore, note that by default the domain name specified through
DHCP is not used for name resolution. See option UseDomains= below.

See the [DHCPv4] or [DHCPv6] sections below for further
configuration options for the DHCP client support.

DHCPServer=
Takes a boolean. If set to "yes", DHCPv4 server will be started.
Defaults to "no". Further settings for the DHCP server may be set
in the [DHCPServer] section described below.

LinkLocalAddressing=
Enables link-local address autoconfiguration. Accepts yes, no,
ipv4, and ipv6. An IPv6 link-local address is configured when yes
or ipv6. An IPv4 link-local address is configured when yes or ipv4
and when DHCPv4 autoconfiguration has been unsuccessful for some
time. (IPv4 link-local address autoconfiguration will usually
happen in parallel with repeated attempts to acquire a DHCPv4
lease).

Defaults to no when KeepMaster= or Bridge= is set or when the
specified MACVLAN=/MACVTAP= has Mode=passthru, or ipv6 otherwise.

IPv6LinkLocalAddressGenerationMode=
Specifies how IPv6 link-local address is generated. Takes one of
"eui64", "none", "stable-privacy" and "random". When unset,
"stable-privacy" is used if IPv6StableSecretAddress= is specified,
and if not, "eui64" is used. Note that if LinkLocalAddressing= is
"no" or "ipv4", then IPv6LinkLocalAddressGenerationMode= will be
ignored. Also, even if LinkLocalAddressing= is "yes" or "ipv6",
setting IPv6LinkLocalAddressGenerationMode=none disables
configuration of an IPv6 link-local address.

IPv6StableSecretAddress=
Takes an IPv6 address. The specified address will be used as a
stable secret for generating IPv6 link-local address. If this
setting is specified, and IPv6LinkLocalAddressGenerationMode= is
unset, then IPv6LinkLocalAddressGenerationMode=stable-privacy is
implied. If this setting is not specified, and "stable-privacy" is
set to IPv6LinkLocalAddressGenerationMode=, then a stable secret
address will be generated from the local machine ID and the
interface name.

IPv4LLStartAddress=
Specifies the first IPv4 link-local address to try. Takes an IPv4
address for example 169.254.1.2, from the link-local address range:
169.254.0.0/16 except for 169.254.0.0/24 and 169.254.255.0/24. This
setting may be useful if the device should always have the same
address as long as there is no address conflict. When unset, a
random address will be automatically selected. Defaults to unset.

IPv4LLRoute=
Takes a boolean. If set to true, sets up the route needed for
non-IPv4LL hosts to communicate with IPv4LL-only hosts. Defaults to
false.

DefaultRouteOnDevice=
Takes a boolean. If set to true, sets up the IPv4 default route
bound to the interface. Defaults to false. This is useful when
creating routes on point-to-point interfaces. This is equivalent to
e.g. the following,

    ip route add default dev veth99

or,

    [Route]
    Gateway=0.0.0.0

Currently, there is no way to specify e.g., the table for the
route configured by this setting. To configure the default route
with such an additional property, please use the following instead:

    [Route]
    Gateway=0.0.0.0
    Table=1234

If you'd like to create an IPv6 default route bound to the
interface, please use the following:

    [Route]
    Gateway=::
    Table=1234

LLMNR=
Takes a boolean or "resolve". When true, enables Link-Local
Multicast Name Resolution[2] on the link. When set to "resolve",
only resolution is enabled, but not host registration and
announcement. Defaults to true. This setting is read by
systemd-resolved.service(8).

MulticastDNS=
Takes a boolean or "resolve". When true, enables Multicast DNS[3]
support on the link. When set to "resolve", only resolution is
enabled, but not host or service registration and announcement.
Defaults to false. This setting is read by
systemd-resolved.service(8).

DNSOverTLS=
Takes a boolean or "opportunistic". When true, enables
DNS-over-TLS[4] support on the link. When set to "opportunistic",
compatibility with non-DNS-over-TLS servers is increased, by
automatically turning off DNS-over-TLS servers in this case. This
option defines a per-interface setting for resolved.conf(5)'s
global DNSOverTLS= option. Defaults to unset, and the global
setting will be used. This setting is read by
systemd-resolved.service(8).

DNSSEC=
Takes a boolean or "allow-downgrade". When true, enables DNSSEC[5]
DNS validation support on the link. When set to "allow-downgrade",
compatibility with non-DNSSEC capable networks is increased, by
automatically turning off DNSSEC in this case. This option defines
a per-interface setting for resolved.conf(5)'s global DNSSEC=
option. Defaults to unset, and the global setting will be used.
This setting is read by systemd-resolved.service(8).

DNSSECNegativeTrustAnchors=
A space-separated list of DNSSEC negative trust anchor domains. If
specified and DNSSEC is enabled, look-ups done via the interface's
DNS server will be subject to the list of negative trust anchors,
and not require authentication for the specified domains, or
anything below it. Use this to disable DNSSEC authentication for
specific private domains, that cannot be proven valid using the
Internet DNS hierarchy. Defaults to the empty list. This setting is
read by systemd-resolved.service(8).

LLDP=
Controls support for Ethernet LLDP packet reception. LLDP is a
link-layer protocol commonly implemented on professional routers
and bridges which announces which physical port a system is
connected to, as well as other related data. Accepts a boolean or
the special value "routers-only". When true, incoming LLDP packets
are accepted and a database of all LLDP neighbors maintained. If
"routers-only" is set only LLDP data of various types of routers is
collected and LLDP data about other types of devices ignored (such
as stations, telephones and others). If false, LLDP reception is
disabled. Defaults to "routers-only". Use networkctl(1) to query
the collected neighbor data. LLDP is only available on Ethernet
links. See EmitLLDP= below for enabling LLDP packet emission from
the local system.

EmitLLDP=
Controls support for Ethernet LLDP packet emission. Accepts a
boolean parameter or the special values "nearest-bridge",
"non-tpmr-bridge" and "customer-bridge". Defaults to false, which
turns off LLDP packet emission. If not false, a short LLDP packet
with information about the local system is sent out in regular
intervals on the link. The LLDP packet will contain information
about the local hostname, the local machine ID (as stored in
machine-id(5)) and the local interface name, as well as the pretty
hostname of the system (as set in machine-info(5)). LLDP emission
is only available on Ethernet links. Note that this setting passes
data suitable for identification of host to the network and should
thus not be enabled on untrusted networks, where such
identification data should not be made available. Use this option
to permit other systems to identify on which interfaces they are
connected to this system. The three special values control
propagation of the LLDP packets. The "nearest-bridge" setting
permits propagation only to the nearest connected bridge,
"non-tpmr-bridge" permits propagation across Two-Port MAC Relays,
but not any other bridges, and "customer-bridge" permits
propagation until a customer bridge is reached. For details about
these concepts, see IEEE 802.1AB-2016[6]. Note that configuring
this setting to true is equivalent to "nearest-bridge", the
recommended and most restricted level of propagation. See LLDP=
above for an option to enable LLDP reception.

BindCarrier=
A link name or a list of link names. When set, controls the
behavior of the current link. When all links in the list are in an
operational down state, the current link is brought down. When at
least one link has carrier, the current interface is brought up.

This forces ActivationPolicy= to be set to "bound".

Address=
A static IPv4 or IPv6 address and its prefix length, separated by a
"/" character. Specify this key more than once to configure several
addresses. The format of the address must be as described in
inet_pton(3). This is a short-hand for an [Address] section only
containing an Address key (see below). This option may be specified
more than once.

If the specified address is "0.0.0.0" (for IPv4) or "::" (for
IPv6), a new address range of the requested size is automatically
allocated from a system-wide pool of unused ranges. Note that the
prefix length must be equal or larger than 8 for IPv4, and 64 for
IPv6. The allocated range is checked against all current network
interfaces and all known network configuration files to avoid
address range conflicts. The default system-wide pool consists of
192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8 for IPv4, and fd00::/8
for IPv6. This functionality is useful to manage a large number of
dynamically created network interfaces with the same network
configuration and automatic address range assignment.

Gateway=
The gateway address, which must be in the format described in
inet_pton(3). This is a short-hand for a [Route] section only
containing a Gateway= key. This option may be specified more than
once.

DNS=
A DNS server address, which must be in the format described in
inet_pton(3). This option may be specified more than once. Each
address can optionally take a port number separated with ":", a
network interface name or index separated with "%", and a Server
Name Indication (SNI) separated with "#". When an IPv6 address is
specified with a port number, then the address must be in
square brackets. That is, the acceptable full formats are
"111.222.333.444:9953%ifname#example.com" for IPv4 and
"[1111:2222::3333]:9953%ifname#example.com" for IPv6. If an empty
string is assigned, then all previous assignments are cleared.
This setting is read by systemd-resolved.service(8).

Domains=
A whitespace-separated list of domains which should be resolved
using the DNS servers on this link. Each item in the list should be
a domain name, optionally prefixed with a tilde ("~"). The domains
with the prefix are called "routing-only domains". The domains
without the prefix are called "search domains" and are first used
as search suffixes for extending single-label hostnames (hostnames
containing no dots) to become fully qualified domain names (FQDNs).
If a single-label hostname is resolved on this interface, each of
the specified search domains are appended to it in turn, converting
it into a fully qualified domain name, until one of them may be
successfully resolved.

Both "search" and "routing-only" domains are used for routing of
DNS queries: look-ups for hostnames ending in those domains (hence
also single label names, if any "search domains" are listed), are
routed to the DNS servers configured for this interface. The domain
routing logic is particularly useful on multi-homed hosts with DNS
servers serving particular private DNS zones on each interface.

The "routing-only" domain "~." (the tilde indicating definition of
a routing domain, the dot referring to the DNS root domain which is
the implied suffix of all valid DNS names) has special effect. It
causes all DNS traffic which does not match another configured
domain routing entry to be routed to DNS servers specified for this
interface. This setting is useful to prefer a certain set of DNS
servers if a link on which they are connected is available.

This setting is read by systemd-resolved.service(8). "Search
domains" correspond to the domain and search entries in
resolv.conf(5). Domain name routing has no equivalent in the
traditional glibc API, which has no concept of domain name servers
limited to a specific link.

DNSDefaultRoute=
Takes a boolean argument. If true, this link's configured DNS
servers are used for resolving domain names that do not match any
link's configured Domains= setting. If false, this link's
configured DNS servers are never used for such domains, and are
exclusively used for resolving names that match at least one of the
domains configured on this link. If not specified defaults to an
automatic mode: queries not matching any link's configured domains
will be routed to this link if it has no routing-only domains
configured.

NTP=
An NTP server address (either an IP address, or a hostname). This
option may be specified more than once. This setting is read by
systemd-timesyncd.service(8).

684 IPForward=
685 Configures IP packet forwarding for the system. If enabled,
686 incoming packets on any network interface will be forwarded to any
687 other interfaces according to the routing table. Takes a boolean,
688 or the values "ipv4" or "ipv6", which only enable IP packet
689 forwarding for the specified address family. This controls the
690 net.ipv4.ip_forward and net.ipv6.conf.all.forwarding sysctl options
691 of the network interface (see IP Sysctl[7] for details about sysctl
692 options). Defaults to "no".
693
694 Note: this setting controls a global kernel option, and does so one
695 way only: if a network that has this setting enabled is set up the
696 global setting is turned on. However, it is never turned off again,
697 even after all networks with this setting enabled are shut down
698 again.
699
700 To allow IP packet forwarding only between specific network
701 interfaces use a firewall.
702
703 IPMasquerade=
704 Configures IP masquerading for the network interface. If enabled,
705 packets forwarded from the network interface will appear as
706 coming from the local host. Takes one of "ipv4", "ipv6", "both", or
707 "no". Defaults to "no". If enabled, this automatically sets
708 IPForward= to one of "ipv4", "ipv6" or "yes".
709
710 Note: Any positive boolean values such as "yes" or "true" are now
711 deprecated. Please use one of the values above.
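Because IPForward= flips a global kernel switch that is never turned off again, and IPMasquerade= turns it on implicitly, it is worth knowing which .network files can enable forwarding at all. The following audit sketch is an added example, not part of systemd; the file names and contents are constructed, drop-in directories are not read, and treating a deprecated positive boolean for IPMasquerade= as "ipv4" is an assumption not stated on this page.

```python
# Positive boolean spellings accepted in systemd unit-style files.
TRUE = {"1", "yes", "y", "true", "t", "on"}


def network_settings(text):
    """Return the last-assigned key/value pairs of the [Network] section(s)."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Network" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def forward_families(value):
    """Address families enabled by an IPForward= value."""
    v = value.lower()
    if v in ("ipv4", "ipv6"):
        return {v}
    return {"ipv4", "ipv6"} if v in TRUE else set()


def masquerade_families(value):
    """Return (families, deprecated) for an IPMasquerade= value."""
    v = value.lower()
    if v in ("ipv4", "ipv6"):
        return {v}, False
    if v == "both":
        return {"ipv4", "ipv6"}, False
    if v in TRUE:
        # Assumption: a deprecated positive boolean is handled as "ipv4".
        return {"ipv4"}, True
    return set(), False


def audit(files):
    """Map each address family to the files that would enable forwarding."""
    report = {"ipv4": [], "ipv6": [], "warnings": []}
    for name in sorted(files):
        net = network_settings(files[name])
        fwd = forward_families(net.get("IPForward", "no"))
        masq, deprecated = masquerade_families(net.get("IPMasquerade", "no"))
        if deprecated:
            report["warnings"].append(
                f"{name}: IPMasquerade={net['IPMasquerade']} is deprecated; "
                "use ipv4, ipv6, both or no")
        # IPMasquerade= implies IPForward= for the same families.
        for fam in sorted(fwd | masq):
            report[fam].append(name)
    return report


# Constructed sample configuration files.
SAMPLE = {
    "10-wan.network": "[Match]\nName=eth0\n\n[Network]\nDHCP=yes\n",
    "20-lan.network": "[Match]\nName=eth1\n\n[Network]\n"
                      "Address=192.168.10.1/24\nIPMasquerade=ipv4\n",
    "30-lab.network": "[Match]\nName=eth2\n\n[Network]\nIPForward=ipv6\n",
    "40-old.network": "[Match]\nName=eth3\n\n[Network]\nIPMasquerade=yes\n",
}

if __name__ == "__main__":
    result = audit(SAMPLE)
    for fam in ("ipv4", "ipv6"):
        print(f"global {fam} forwarding enabled by: {result[fam] or 'nothing'}")
    for warning in result["warnings"]:
        print("warning:", warning)
```

Any file listed in the report turns forwarding on for all interfaces once its link is set up, so restricting which interfaces may forward to each other still has to be done in the firewall.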
712
713 IPv6PrivacyExtensions=
714 Configures use of stateless temporary addresses that change over
715 time (see RFC 4941[8], Privacy Extensions for Stateless Address
716 Autoconfiguration in IPv6). Takes a boolean or the special values
717 "prefer-public" and "kernel". When true, enables the privacy
718 extensions and prefers temporary addresses over public addresses.
719 When "prefer-public", enables the privacy extensions, but prefers
720 public addresses over temporary addresses. When false, the privacy
721 extensions remain disabled. When "kernel", the kernel's default
722 setting will be left in place. When unspecified, the value
723 specified in the same setting in networkd.conf(5), which defaults
724 to "no", will be used.
725
726 IPv6AcceptRA=
727 Takes a boolean. Controls IPv6 Router Advertisement (RA) reception
728 support for the interface. If true, RAs are accepted; if false, RAs
729 are ignored. When RAs are accepted, they may trigger the start of
730 the DHCPv6 client if the relevant flags are set in the RA data, or
731 if no routers are found on the link. The default is to disable RA
732 reception for bridge devices or when IP forwarding is enabled, and
733 to enable it otherwise. Cannot be enabled on devices aggregated in
734 a bond device or when link-local addressing is disabled.
735
736 Further settings for the IPv6 RA support may be configured in the
737 [IPv6AcceptRA] section, see below.
738
739 Also see IP Sysctl[7] in the kernel documentation regarding
740 "accept_ra", but note that systemd's setting of 1 (i.e. true)
741 corresponds to kernel's setting of 2.
742
743 Note that kernel's implementation of the IPv6 RA protocol is always
744 disabled, regardless of this setting. If this option is enabled, a
745 userspace implementation of the IPv6 RA protocol is used, and the
746 kernel's own implementation remains disabled, since
747 systemd-networkd needs to know all details supplied in the
748 advertisements, and these are not available from the kernel if the
749 kernel's own implementation is used.
750
751 IPv6DuplicateAddressDetection=
752 Configures the number of IPv6 Duplicate Address Detection (DAD)
753 probes to send. When unset, the kernel's default will be used.
754
755 IPv6HopLimit=
756 Configures IPv6 Hop Limit. For each router that forwards the
757 packet, the hop limit is decremented by 1. When the hop limit field
758 reaches zero, the packet is discarded. When unset, the kernel's
759 default will be used.
760
761 IPv4AcceptLocal=
762 Takes a boolean. Accept packets with local source addresses. In
763 combination with suitable routing, this can be used to direct
764 packets between two local interfaces over the wire and have them
765 accepted properly. When unset, the kernel's default will be used.
766
767 IPv4RouteLocalnet=
768 Takes a boolean. When true, the kernel does not consider loopback
769 addresses as martian source or destination while routing. This
770 enables the use of 127.0.0.0/8 for local routing purposes. When
771 unset, the kernel's default will be used.
772
773 IPv4ProxyARP=
774 Takes a boolean. Configures proxy ARP for IPv4. Proxy ARP is the
775 technique in which one host, usually a router, answers ARP requests
776 intended for another machine. By "faking" its identity, the router
777 accepts responsibility for routing packets to the "real"
778 destination. See RFC 1027[9]. When unset, the kernel's default will
779 be used.
780
781 IPv6ProxyNDP=
782 Takes a boolean. Configures proxy NDP for IPv6. Proxy NDP (Neighbor
783 Discovery Protocol) is a technique for IPv6 to allow routing of
784 addresses to a different destination when peers expect them to be
785 present on a certain physical link. In this case a router answers
786 Neighbour Advertisement messages intended for another machine by
787 offering its own MAC address as destination. Unlike proxy ARP for
788 IPv4, it is not enabled globally, but will only send Neighbour
789 Advertisement messages for addresses in the IPv6 neighbor proxy
790 table, which can also be shown by ip -6 neighbour show proxy.
791 systemd-networkd will control the per-interface `proxy_ndp` switch
792 for each configured interface depending on this option. When unset,
793 the kernel's default will be used.
794
795 IPv6ProxyNDPAddress=
796 An IPv6 address, for which Neighbour Advertisement messages will be
797 proxied. This option may be specified more than once.
798 systemd-networkd will add the IPv6ProxyNDPAddress= entries to the
799 kernel's IPv6 neighbor proxy table. This setting implies
800 IPv6ProxyNDP=yes but has no effect if IPv6ProxyNDP= has been set to
801 false. When unset, the kernel's default will be used.
802
803 IPv6SendRA=
804 Whether to enable or disable Router Advertisement sending on a
805 link. Takes a boolean value. When enabled, prefixes configured in
806 [IPv6Prefix] sections and routes configured in the
807 [IPv6RoutePrefix] sections are distributed as defined in the
808 [IPv6SendRA] section. If DHCPPrefixDelegation= is enabled, then the
809 delegated prefixes are also distributed. See DHCPPrefixDelegation=
810 setting and the [IPv6SendRA], [IPv6Prefix], [IPv6RoutePrefix], and
811 [DHCPPrefixDelegation] sections for more configuration options.
812
813 DHCPPrefixDelegation=
814 Takes a boolean value. When enabled, requests subnet prefixes on
815 another link via the DHCPv6 protocol or via the 6RD option in the
816 DHCPv4 protocol. An address within each delegated prefix will be
817 assigned, and the prefixes will be announced through IPv6 Router
818 Advertisement if IPv6SendRA= is enabled. This behaviour can be
819 configured in the [DHCPPrefixDelegation] section. Defaults to
820 disabled.
821
822 IPv6MTUBytes=
823 Configures IPv6 maximum transmission unit (MTU). An integer greater
824 than or equal to 1280 bytes. When unset, the kernel's default will
825 be used.
826
827 KeepMaster=
828 Takes a boolean value. When enabled, the current master interface
829 index will not be changed, and BatmanAdvanced=, Bond=, Bridge=, and
830 VRF= settings are ignored. This may be useful when a netdev with a
831 master interface is created by another program, e.g.
832 systemd-nspawn(1). Defaults to false.
833
834 BatmanAdvanced=, Bond=, Bridge=, VRF=
835 The name of the B.A.T.M.A.N. Advanced, bond, bridge, or VRF
836 interface to add the link to. See systemd.netdev(5).
837
838 IPoIB=, IPVLAN=, IPVTAP=, MACsec=, MACVLAN=, MACVTAP=, Tunnel=, VLAN=,
839 VXLAN=, Xfrm=
840 The name of an IPoIB, IPVLAN, IPVTAP, MACsec, MACVLAN, MACVTAP,
841 tunnel, VLAN, VXLAN, or Xfrm to be created on the link. See
842 systemd.netdev(5). This option may be specified more than once.
843
844 ActiveSlave=
845 Takes a boolean. Specifies the new active slave. The "ActiveSlave="
846 option is only valid for the following modes: "active-backup",
847 "balance-alb", and "balance-tlb". Defaults to false.
848
849 PrimarySlave=
850 Takes a boolean. Specifies which slave is the primary device. The
851 specified device will always be the active slave while it is
852 available. Only when the primary is off-line will alternate devices
853 be used. This is useful when one slave is preferred over another,
854 e.g. when one slave has higher throughput than another. The
855 "PrimarySlave=" option is only valid for the following modes:
856 "active-backup", "balance-alb", and "balance-tlb". Defaults to
857 false.
858
859 ConfigureWithoutCarrier=
860 Takes a boolean. Allows networkd to configure a specific link even
861 if it has no carrier. Defaults to false. If enabled, and the
862 IgnoreCarrierLoss= setting is not explicitly set, then it is
863 enabled as well.
864
865 IgnoreCarrierLoss=
866 Takes a boolean or a timespan. When true, systemd-networkd retains
867 both the static and dynamic configuration of the interface even if
868 its carrier is lost. When false, systemd-networkd drops both the
869 static and dynamic configuration of the interface. When a timespan
870 is specified, systemd-networkd waits for the specified timespan,
871 and ignores the carrier loss if the link regains its carrier within
872 the timespan. Setting 0 seconds is equivalent to "no", and
873 "infinite" is equivalent to "yes".
874
875 Setting a finite timespan may be useful, e.g., in the following
876 cases:
877
878 • A wireless interface connecting to a network which has multiple
879 access points with the same SSID.
880
881 • Enslaving a wireless interface to a bond interface, which may
882 disconnect from the connected access point and cause its
883 carrier to be lost.
884
885 • The driver of the interface resets when the MTU is changed.
886
887 When Bond= is specified to a wireless interface, defaults to 3
888 seconds. When the DHCPv4 client is enabled and UseMTU= in the
889 [DHCPv4] section enabled, defaults to 5 seconds. Otherwise,
890 defaults to the value specified with ConfigureWithoutCarrier=. When
891 ActivationPolicy= is set to "always-up", this is forced to "yes",
892 and any user-specified value is ignored.
893
894 KeepConfiguration=
895 Takes a boolean or one of "static", "dhcp-on-stop", "dhcp". When
896 "static", systemd-networkd will not drop static addresses and
897 routes on starting up process. When set to "dhcp-on-stop",
898 systemd-networkd will not drop addresses and routes on stopping the
899 daemon. When "dhcp", the addresses and routes provided by a DHCP
900 server will never be dropped even if the DHCP lease expires. This
901 is contrary to the DHCP specification, but may be the best choice
902 if, e.g., the root filesystem relies on this connection. The
903 setting "dhcp" implies "dhcp-on-stop", and "yes" implies "dhcp" and
904 "static". Defaults to "dhcp-on-stop" when systemd-networkd is
905 running in initrd, "yes" when the root filesystem is a network
906 filesystem, and "no" otherwise.
907
909 An [Address] section accepts the following keys. Specify several
910 [Address] sections to configure several addresses.
911
912 Address=
913 As in the [Network] section. This setting is mandatory. Each
914 [Address] section can contain one Address= setting.
915
916 Peer=
917 The peer address in a point-to-point connection. Accepts the same
918 format as the Address= setting.
919
920 Broadcast=
921 Takes an IPv4 address or boolean value. The address must be in the
922 format described in inet_pton(3). If set to true, then the IPv4
923 broadcast address will be derived from the Address= setting. If set
924 to false, then the broadcast address will not be set. Defaults to
925 true, except for wireguard interfaces, where it defaults to false.
926
927 Label=
928 Specifies the label for the IPv4 address. The label must be a 7-bit
929 ASCII string with a length of 1...15 characters. Defaults to unset.
930
931 PreferredLifetime=
932 Allows the default "preferred lifetime" of the address to be
933 overridden. Only three settings are accepted: "forever",
934 "infinity", which is the default and means that the address never
935 expires, and "0", which means that the address is considered
936 immediately "expired" and will not be used, unless explicitly
937 requested. A setting of PreferredLifetime=0 is useful for addresses
938 which are added to be used only by a specific application, which is
939 then configured to use them explicitly.
940
941 Scope=
942 The scope of the address, which can be "global" (valid everywhere
943 on the network, even through a gateway), "link" (only valid on this
944 device, will not traverse a gateway) or "host" (only valid within
945 the device itself, e.g. 127.0.0.1) or an integer in the range
946 0...255. Defaults to "global".
947
948 RouteMetric=
949 The metric of the prefix route, which is pointing to the subnet of
950 the configured IP address, taking the configured prefix length into
951 account. Takes an unsigned integer in the range 0...4294967295.
952 When unset or set to 0, the kernel's default value is used. This
953 setting will be ignored when AddPrefixRoute= is false.
954
955 HomeAddress=
956 Takes a boolean. Designates this address the "home address" as
957 defined in RFC 6275[10]. Supported only on IPv6. Defaults to false.
958
959 DuplicateAddressDetection=
960 Takes one of "ipv4", "ipv6", "both", or "none". When "ipv4",
961 performs IPv4 Address Conflict Detection. See RFC 5227[11]. When
962 "ipv6", performs IPv6 Duplicate Address Detection. See RFC
963 4862[12]. Defaults to "ipv4" for IPv4 link-local addresses, "ipv6"
964 for IPv6 addresses, and "none" otherwise.
965
966 ManageTemporaryAddress=
967 Takes a boolean. If true, the kernel manages temporary addresses
968 created from this one as a template on behalf of Privacy Extensions
969 RFC 3041[13]. For this to become active, the use_tempaddr sysctl
970 setting has to be set to a value greater than zero. The given
971 address needs to have a prefix length of 64. This flag allows using
972 privacy extensions in a manually configured network, just like if
973 stateless auto-configuration was active. Defaults to false.
974
975 AddPrefixRoute=
976 Takes a boolean. When true, the prefix route for the address is
977 automatically added. Defaults to true.
978
979 AutoJoin=
980 Takes a boolean. Joining a multicast group on the Ethernet level via
981 the ip maddr command does not work behind an Ethernet switch that
982 does IGMP snooping, since the switch does not replicate multicast
983 packets on ports that did not have IGMP reports for the multicast
984 addresses. Linux vxlan interfaces created via ip link add vxlan or
985 networkd's netdev kind vxlan have the group option that enables
986 them to do the required join. Extending the ip address command with
987 the "autojoin" option provides similar functionality for openvswitch
988 (OVS) vxlan interfaces as well as other tunneling mechanisms that
989 need to receive multicast traffic. Defaults to "no".
990
991 NetLabel=label
992 This setting provides a method for integrating static and dynamic
993 network configuration into Linux NetLabel[14] subsystem rules, used
994 by Linux Security Modules (LSMs)[15] for network access control.
995 The label, with suitable LSM rules, can be used to control
996 connectivity of (for example) a service with peers in the local
997 network. At least with SELinux, only the ingress can be controlled
998 but not egress. The benefit of using this setting is that it may be
999 possible to apply the interface-independent part of the NetLabel
1000 configuration at a very early stage of the system boot sequence, at the
1001 time when the network interfaces are not available yet, with
1002 netlabelctl(8), and the per-interface configuration with
1003 systemd-networkd once the interfaces appear later. Currently this
1004 feature is only implemented for SELinux.
1005
1006 The option expects a single NetLabel label. The label must conform
1007 to lexical restrictions of LSM labels. When an interface is
1008 configured with IP addresses, the addresses and subnetwork masks
1009 will be appended to the NetLabel Fallback Peer Labeling[16] rules.
1010 They will be removed when the interface is deconfigured. Failures
1011 to manage the labels will be ignored.
1012
1013 Warning: Once labeling is enabled for network traffic, a lot of LSM
1014 access control points in the Linux networking stack go from dormant to
1015 active. Care should be taken to avoid getting into a situation
1016 where for example remote connectivity is broken, when the security
1017 policy hasn't been updated to consider LSM per-packet access
1018 controls and no rules would allow any network traffic. Also note
1019 that additional configuration with netlabelctl(8) is needed.
1020
1021 Example:
1022
1023 [Address]
1024 NetLabel=system_u:object_r:localnet_peer_t:s0
1025
1026 With the example rules applying for interface "eth0", when the
1027 interface is configured with an IPv4 address of 10.0.0.123/8,
1028 systemd-networkd performs the equivalent of the netlabelctl operation
1029
1030 netlabelctl unlbl add interface eth0 address:10.0.0.0/8 label:system_u:object_r:localnet_peer_t:s0
1031
1032 and the reverse operation when the IPv4 address is deconfigured.
1033 The configuration can be used with LSM rules; in case of SELinux to
1034 allow a SELinux domain to receive data from objects of SELinux
1035 "peer" class. For example:
1036
1037 type localnet_peer_t;
1038 allow my_server_t localnet_peer_t:peer recv;
1039
1040 The effect of the above configuration and rules (in absence of
1041 other rules as may be the case) is to only allow "my_server_t" (and
1042 nothing else) to receive data from local subnet 10.0.0.0/8 of
1043 interface "eth0".
1044
1046 A [Neighbor] section accepts the following keys. The neighbor section
1047 adds a permanent, static entry to the neighbor table (IPv6) or ARP
1048 table (IPv4) for the given hardware address on the links matched for
1049 the network. Specify several [Neighbor] sections to configure several
1050 static neighbors.
1051
1052 Address=
1053 The IP address of the neighbor.
1054
1055 LinkLayerAddress=
1056 The link layer address (MAC address or IP address) of the neighbor.
1057
1059 An [IPv6AddressLabel] section accepts the following keys. Specify
1060 several [IPv6AddressLabel] sections to configure several address
1061 labels. IPv6 address labels are used for address selection. See RFC
1062 3484[17]. Precedence is managed by userspace, and only the label itself
1063 is stored in the kernel.
1064
1065 Label=
1066 The label for the prefix, an unsigned integer in the range
1067 0...4294967294. 0xffffffff is reserved. This setting is mandatory.
1068
1069 Prefix=
1070 IPv6 prefix is an address with a prefix length, separated by a
1071 slash "/" character. This setting is mandatory.
1072
1074 A [RoutingPolicyRule] section accepts the following settings. Specify
1075 several [RoutingPolicyRule] sections to configure several rules.
1076
1077 TypeOfService=
1078 This specifies the Type of Service (ToS) field of packets to match;
1079 it takes an unsigned integer in the range 0...255. The field can be
1080 used to specify precedence (the first 3 bits) and ToS (the next 3
1081 bits). The field can be also used to specify Differentiated
1082 Services Code Point (DSCP) (the first 6 bits) and Explicit
1083 Congestion Notification (ECN) (the last 2 bits). See Type of
1084 Service[18] and Differentiated services[19] for more details.
1085
1086 From=
1087 Specifies the source address prefix to match. Possibly followed by
1088 a slash and the prefix length.
1089
1090 To=
1091 Specifies the destination address prefix to match. Possibly
1092 followed by a slash and the prefix length.
1093
1094 FirewallMark=
1095 Specifies the iptables firewall mark value to match (a number in
1096 the range 1...4294967295). Optionally, the firewall mask (also a
1097 number between 1...4294967295) can be suffixed with a slash ("/"),
1098 e.g., "7/255".
1099
1100 Table=
1101 Specifies the routing table identifier to look up if the rule
1102 selector matches. Takes one of predefined names "default", "main",
1103 and "local", and names defined in RouteTable= in networkd.conf(5),
1104 or a number between 1 and 4294967295. Defaults to "main".
1105
1106 Priority=
1107 Specifies the priority of this rule. Priority= is an integer in
1108 the range 0...4294967295. Higher number means lower priority, and
1109 rules get processed in order of increasing number. Defaults to
1110 unset, and the kernel will pick a value dynamically.
1111
1112 IncomingInterface=
1113 Specifies incoming device to match. If the interface is loopback,
1114 the rule only matches packets originating from this host.
1115
1116 OutgoingInterface=
1117 Specifies the outgoing device to match. The outgoing interface is
1118 only available for packets originating from local sockets that are
1119 bound to a device.
1120
1121 SourcePort=
1122 Specifies the source IP port or IP port range match in forwarding
1123 information base (FIB) rules. A port range is specified by the
1124 lower and upper port separated by a dash. Defaults to unset.
1125
1126 DestinationPort=
1127 Specifies the destination IP port or IP port range match in
1128 forwarding information base (FIB) rules. A port range is specified
1129 by the lower and upper port separated by a dash. Defaults to unset.
1130
1131 IPProtocol=
1132 Specifies the IP protocol to match in forwarding information base
1133 (FIB) rules. Takes IP protocol name such as "tcp", "udp" or "sctp",
1134 or IP protocol number such as "6" for "tcp" or "17" for "udp".
1135 Defaults to unset.
1136
1137 InvertRule=
1138 A boolean. Specifies whether the rule is to be inverted. Defaults
1139 to false.
1140
1141 Family=
1142 Takes a special value "ipv4", "ipv6", or "both". By default, the
1143 address family is determined by the address specified in To= or
1144 From=. If neither To= nor From= is specified, then defaults to
1145 "ipv4".
1146
1147 User=
1148 Takes a username, a user ID, or a range of user IDs separated by a
1149 dash. Defaults to unset.
1150
1151 SuppressPrefixLength=
1152 Takes a number N in the range 0...128 and rejects routing decisions
1153 that have a prefix length of N or less. Defaults to unset.
1154
1155 SuppressInterfaceGroup=
1156 Takes an integer in the range 0...2147483647 and rejects routing
1157 decisions that have an interface with the same group id. It has the
1158 same meaning as suppress_ifgroup in ip rule. Defaults to unset.
1159
1160 Type=
1161 Specifies Routing Policy Database (RPDB) rule type. Takes one of
1162 "blackhole", "unreachable" or "prohibit".
1163
1165 The [NextHop] section is used to manipulate entries in the kernel's
1166 "nexthop" tables. The [NextHop] section accepts the following settings.
1167 Specify several [NextHop] sections to configure several hops.
1168
1169 Id=
1170 The id of the next hop. Takes an integer in the range
1171 1...4294967295. If unspecified, then automatically chosen by
1172 kernel.
1173
1174 Gateway=
1175 As in the [Network] section.
1176
1177 Family=
1178 Takes one of the special values "ipv4" or "ipv6". By default, the
1179 family is determined by the address specified in Gateway=. If
1180 Gateway= is not specified, then defaults to "ipv4".
1181
1182 OnLink=
1183 Takes a boolean. If set to true, the kernel does not have to check
1184 if the gateway is reachable directly by the current machine (i.e.,
1185 attached to the local network), so that we can insert the nexthop
1186 in the kernel table without it being complained about. Defaults to
1187 "no".
1188
1189 Blackhole=
1190 Takes a boolean. If enabled, packets to the corresponding routes
1191 are discarded silently, and Gateway= cannot be specified. Defaults
1192 to "no".
1193
1194 Group=
1195 Takes a whitespace separated list of nexthop IDs. Each ID must be
1196 in the range 1...4294967295. Optionally, each nexthop ID can take a
1197 weight after a colon ("id[:weight]"). The weight must be in the
1198 range 1...255. If the weight is not specified, then it is assumed
1199 that the weight is 1. This setting cannot be specified with
1200 Gateway=, Family=, Blackhole=. This setting can be specified
1201 multiple times. If an empty string is assigned, then all
1202 previous assignments are cleared. Defaults to unset.
1203
1205 The [Route] section accepts the following settings. Specify several
1206 [Route] sections to configure several routes.
1207
1208 Gateway=
1209 Takes the gateway address or the special values "_dhcp4" and
1210 "_ipv6ra". If "_dhcp4" or "_ipv6ra" is set, then the gateway
1211 address provided by DHCPv4 or IPv6 RA is used.
1212
1213 GatewayOnLink=
1214 Takes a boolean. If set to true, the kernel does not have to check
1215 if the gateway is reachable directly by the current machine (i.e.,
1216 attached to the local network), so that we can insert the route in
1217 the kernel table without it being complained about. Defaults to
1218 "no".
1219
1220 Destination=
1221 The destination prefix of the route. Possibly followed by a slash
1222 and the prefix length. If omitted, a full-length host route is
1223 assumed.
1224
1225 Source=
1226 The source prefix of the route. Possibly followed by a slash and
1227 the prefix length. If omitted, a full-length host route is assumed.
1228
1229 Metric=
1230 The metric of the route. Takes an unsigned integer in the range
1231 0...4294967295. Defaults to unset, and the kernel's default will be
1232 used.
1233
1234 IPv6Preference=
1235 Specifies the route preference as defined in RFC 4191[20] for
1236 Router Discovery messages. Can be one of "low" (the route has the
1237 lowest priority), "medium" (the route has the default priority), or
1238 "high" (the route has the highest priority).
1239
1240 Scope=
1241 The scope of the IPv4 route, which can be "global", "site", "link",
1242 "host", or "nowhere":
1243
1244 • "global" means the route can reach hosts more than one hop
1245 away.
1246
1247 • "site" means an interior route in the local autonomous system.
1248
1249 • "link" means the route can only reach hosts on the local
1250 network (one hop away).
1251
1252 • "host" means the route will not leave the local machine (used
1253 for internal addresses like 127.0.0.1).
1254
1255 • "nowhere" means the destination doesn't exist.
1256
1257 For IPv4 route, defaults to "host" if Type= is "local" or "nat",
1258 and "link" if Type= is "broadcast", "multicast", "anycast", or
1259 "unicast". In other cases, defaults to "global". The value is not
1260 used for IPv6.
1261
1262 PreferredSource=
1263 The preferred source address of the route. The address must be in
1264 the format described in inet_pton(3).
1265
1266 Table=
1267 The table identifier for the route. Takes one of predefined names
1268 "default", "main", and "local", and names defined in RouteTable= in
1269 networkd.conf(5), or a number between 1 and 4294967295. The table
1270 can be retrieved using ip route show table num. If unset and Type=
1271 is "local", "broadcast", "anycast", or "nat", then "local" is used.
1272 In other cases, defaults to "main".
1273
1274 Protocol=
1275 The protocol identifier for the route. Takes a number between 0 and
1276 255 or the special values "kernel", "boot", "static", "ra" and
1277 "dhcp". Defaults to "static".
1278
1279 Type=
1280 Specifies the type for the route. Takes one of "unicast", "local",
1281 "broadcast", "anycast", "multicast", "blackhole", "unreachable",
1282 "prohibit", "throw", "nat", and "xresolve". If "unicast", a regular
1283 route is defined, i.e. a route indicating the path to take to a
1284 destination network address. If "blackhole", packets to the defined
1285 route are discarded silently. If "unreachable", packets to the
1286 defined route are discarded and the ICMP message "Host Unreachable"
1287 is generated. If "prohibit", packets to the defined route are
1288 discarded and the ICMP message "Communication Administratively
1289 Prohibited" is generated. If "throw", route lookup in the current
1290 routing table will fail and the route selection process will return
1291 to Routing Policy Database (RPDB). Defaults to "unicast".
1292
1293 InitialCongestionWindow=
1294 The TCP initial congestion window is used during the start of a TCP
1295 connection. During the start of a TCP session, when a client
1296 requests a resource, the server's initial congestion window
1297 determines how many packets will be sent during the initial burst
1298 of data without waiting for acknowledgement. Takes a number between
1299 1 and 1023. Note that 100 is considered an extremely large value
1300 for this option. When unset, the kernel's default (typically 10)
1301 will be used.
1302
1303 InitialAdvertisedReceiveWindow=
1304 The TCP initial advertised receive window is the amount of receive
1305 data (in bytes) that can initially be buffered at one time on a
1306 connection. The sending host can send only that amount of data
1307 before waiting for an acknowledgment and window update from the
1308 receiving host. Takes a number between 1 and 1023. Note that 100 is
1309 considered an extremely large value for this option. When unset,
1310 the kernel's default will be used.
1311
1312 QuickAck=
1313 Takes a boolean. When true, the TCP quick ACK mode for the route is
1314 enabled. When unset, the kernel's default will be used.
1315
1316 FastOpenNoCookie=
1317 Takes a boolean. When true, enables TCP fastopen without a cookie on
1318 a per-route basis. When unset, the kernel's default will be used.
1319
1320 TTLPropagate=
1321 Takes a boolean. When true, enables TTL propagation at Label
1322 Switched Path (LSP) egress. When unset, the kernel's default will
1323 be used.
1324
1325 MTUBytes=
1326 The maximum transmission unit in bytes to set for the route. The
1327 usual suffixes K, M, G, are supported and are understood to the
1328 base of 1024.
1329
1330 TCPAdvertisedMaximumSegmentSize=
1331 Specifies the Path MSS (in bytes) hints given on TCP layer. The
1332 usual suffixes K, M, G, are supported and are understood to the
1333 base of 1024. An unsigned integer in the range 1...4294967294. When
1334 unset, the kernel's default will be used.
1335
1336 TCPCongestionControlAlgorithm=
1337 Specifies the TCP congestion control algorithm for the route. Takes
1338 a name of the algorithm, e.g. "bbr", "dctcp", or "vegas". When
1339 unset, the kernel's default will be used.
1340
1341 MultiPathRoute=address[@name] [weight]
1342 Configures multipath route. Multipath routing is the technique of
1343 using multiple alternative paths through a network. Takes gateway
1344 address. Optionally, takes a network interface name or index
1345 separated with "@", and a weight in 1..256 for this multipath route
1346 separated with whitespace. This setting can be specified multiple
1347 times. If an empty string is assigned, then all previous
1348 assignments are cleared.
1349
1350 NextHop=
1351 Specifies the nexthop id. Takes an unsigned integer in the range
1352 1...4294967295. If set, the corresponding [NextHop] section must be
1353 configured. Defaults to unset.
1354
1356 The [DHCPv4] section configures the DHCPv4 client, if it is enabled
1357 with the DHCP= setting described above:
1358
1359 SendHostname=
1360 When true (the default), the machine's hostname (or the value
1361 specified with Hostname=, described below) will be sent to the DHCP
1362 server. Note that the hostname must consist only of 7-bit ASCII
1363 lower-case characters and no spaces or dots, and be formatted as a
1364 valid DNS domain name. Otherwise, the hostname is not sent even if
1365 this option is true.
1366
1367 Hostname=
1368 Use this value for the hostname which is sent to the DHCP server,
1369 instead of the machine's hostname. Note that the specified hostname
1370 must consist only of 7-bit ASCII lower-case characters and no
1371 spaces or dots, and be formatted as a valid DNS domain name.
1372
1373 MUDURL=
1374 When configured, the specified Manufacturer Usage Description (MUD)
1375 URL will be sent to the DHCPv4 server. Takes a URL of length up to
1376 255 characters. A superficial verification that the string is a
1377 valid URL will be performed. DHCPv4 clients are intended to have at
1378 most one MUD URL associated with them. See RFC 8520[21].
1379
1380 MUD is an embedded software standard defined by the IETF that
1381 allows IoT device makers to advertise device specifications,
1382 including the intended communication patterns for their device when
1383 it connects to the network. The network can then use this to author
1384 a context-specific access policy, so the device functions only
1385 within those parameters.
1386
1387 ClientIdentifier=
1388 The DHCPv4 client identifier to use. Takes one of mac, duid or
1389 duid-only. If set to mac, the MAC address of the link is used. If
1390 set to duid, an RFC4361-compliant Client ID, which is the
1391 combination of IAID and DUID (see below), is used. If set to
1392 duid-only, only DUID is used; this may not be RFC compliant, but
1393 some setups may require it. Defaults to duid.
1394
1395 VendorClassIdentifier=
1396 The vendor class identifier used to identify vendor type and
1397 configuration.
1398
1399 UserClass=
1400 A DHCPv4 client can use the UserClass option to identify the type or
1401 category of user or applications it represents. The information
1402 contained in this option is a string that represents the user class
1403 of which the client is a member. Each class sets an identifying
1404 string of information to be used by the DHCP service to classify
1405 clients. Takes a whitespace-separated list of strings.
1406
1407 DUIDType=
1408 Override the global DUIDType= setting for this network. See
1409 networkd.conf(5) for a description of possible values.
1410
1411 DUIDRawData=
1412 Override the global DUIDRawData= setting for this network. See
1413 networkd.conf(5) for a description of possible values.
1414
1415 IAID=
1416 The DHCP Identity Association Identifier (IAID) for the interface,
1417 a 32-bit unsigned integer.
1418
1419 Anonymize=
1420 Takes a boolean. When true, the options sent to the DHCP server
1421 will follow the RFC 7844[22] (Anonymity Profiles for DHCP Clients)
1422 to minimize disclosure of identifying information. Defaults to
1423 false.
1424
1425 This option should only be set to true when MACAddressPolicy= is
1426 set to random (see systemd.link(5)).
1427
1428 When true, ClientIdentifier=mac, SendHostname=no, Use6RD=no,
1429 UseCaptivePortal=no, UseMTU=no, UseNTP=no, UseSIP=no, and
1430 UseTimezone=no are implied and these settings in the .network file
1431 are silently ignored. Also, Hostname=, MUDURL=, RequestOptions=,
1432 SendOption=, SendVendorOption=, UserClass=, and
1433 VendorClassIdentifier= are silently ignored.
1434
1435 With this option enabled DHCP requests will mimic those generated
1436 by Microsoft Windows, in order to reduce the ability to fingerprint
1437 and recognize installations. This means DHCP request sizes will
1438 grow and lease data will be more comprehensive than normal,
1439 though most of the requested data is not actually used.
1440
1441 RequestOptions=
1442 Sets request options to be sent to the server in the DHCPv4 request
1443 options list. A whitespace-separated list of integers in the range
1444 1...254. Defaults to unset.
1445
1446 SendOption=
1447 Send an arbitrary raw option in the DHCPv4 request. Takes a DHCP
1448 option number, data type and data separated with a colon
1449 ("option:type:value"). The option number must be an integer in the
1450 range 1...254. The type takes one of "uint8", "uint16", "uint32",
1451 "ipv4address", or "string". Special characters in the data string
1452 may be escaped using C-style escapes[23]. This setting can be
1453 specified multiple times. If an empty string is specified, then all
1454 options specified earlier are cleared. Defaults to unset.
1455
1456 SendVendorOption=
1457 Send an arbitrary vendor option in the DHCPv4 request. Takes a DHCP
1458 option number, data type and data separated with a colon
1459 ("option:type:value"). The option number must be an integer in the
1460 range 1...254. The type takes one of "uint8", "uint16", "uint32",
1461 "ipv4address", or "string". Special characters in the data string
1462 may be escaped using C-style escapes[23]. This setting can be
1463 specified multiple times. If an empty string is specified, then all
1464 options specified earlier are cleared. Defaults to unset.
1465
1466 IPServiceType=
1467 Takes one of the special values "none", "CS6", or "CS4". When
1468 "none" no IP service type is set to the packet sent from the DHCPv4
1469 client. When "CS6" (network control) or "CS4" (realtime), the
1470 corresponding service type will be set. Defaults to "CS6".
1471
1472 SocketPriority=
1473 The Linux socket option SO_PRIORITY applied to the raw IP socket
1474 used for initial DHCPv4 messages. Unset by default. Usual values
1475 range from 0 to 6. More details about SO_PRIORITY socket option in
1476 socket(7). Can be used in conjunction with [VLAN] section
1477 EgressQOSMaps= setting of .netdev file to set the 802.1Q VLAN
1478 ethernet tagged header priority, see systemd.netdev(5).
1479
1480 Label=
1481 Specifies the label for the IPv4 address received from the DHCP
1482 server. The label must be a 7-bit ASCII string with a length of
1483 1...15 characters. Defaults to unset.
1484
1485 UseDNS=
1486 When true (the default), the DNS servers received from the DHCP
1487 server will be used.
1488
1489 This corresponds to the nameserver option in resolv.conf(5).
1490
1491 RoutesToDNS=
1492 When true, the routes to the DNS servers received from the DHCP
1493 server will be configured. When UseDNS= is disabled, this setting
1494 is ignored. Defaults to true.
1495
1496 UseNTP=
1497 When true (the default), the NTP servers received from the DHCP
1498 server will be used by systemd-timesyncd.service.
1499
1500 RoutesToNTP=
1501 When true, the routes to the NTP servers received from the DHCP
1502 server will be configured. When UseNTP= is disabled, this setting
1503 is ignored. Defaults to true.
1504
1505 UseSIP=
1506 When true (the default), the SIP servers received from the DHCP
1507 server will be collected and made available to client programs.
1508
1509 UseCaptivePortal=
1510 When true (the default), the captive portal advertised by the DHCP
1511 server will be recorded and made available to client programs and
1512 displayed in the networkctl status output per-link.
1513
1514 UseMTU=
1515 When true, the interface maximum transmission unit from the DHCP
1516 server will be used on the current link. If MTUBytes= is set, then
1517 this setting is ignored. Defaults to false.
1518
1519 Note, some drivers will reset the interfaces if the MTU is changed.
1520 For such interfaces, please try to use IgnoreCarrierLoss= with a
1521 short timespan, e.g. "3 seconds".
1522
1523 UseHostname=
1524 When true (the default), the hostname received from the DHCP server
1525 will be set as the transient hostname of the system.
1526
1527 UseDomains=
1528 Takes a boolean, or the special value route. When true, the domain
1529 name received from the DHCP server will be used as DNS search
1530 domain over this link, similarly to the effect of the Domains=
1531 setting. If set to route, the domain name received from the DHCP
1532 server will be used for routing DNS queries only, but not for
1533 searching, similarly to the effect of the Domains= setting when the
1534 argument is prefixed with "~". Defaults to false.
1535
1536 It is recommended to enable this option only on trusted networks,
1537 as setting this affects resolution of all hostnames, in particular
1538 of single-label names. It is generally safer to use the supplied
1539 domain only as routing domain, rather than as search domain, in
1540 order to not have it affect local resolution of single-label names.
1541
1542 When set to true, this setting corresponds to the domain option in
1543 resolv.conf(5).
1544
1545 UseRoutes=
1546 When true (the default), the static routes will be requested from
1547 the DHCP server and added to the routing table with a metric of
1548 1024, and a scope of global, link or host, depending on the route's
1549 destination and gateway. If the destination is on the local host,
1550 e.g., 127.x.x.x, or the same as the link's own address, the scope
1551 will be set to host. Otherwise if the gateway is null (a direct
1552 route), a link scope will be used. For anything else, scope
1553 defaults to global.
1554
1555 RouteMetric=
1556 Set the routing metric for routes specified by the DHCP server
1557 (including the prefix route added for the specified prefix). Takes
1558 an unsigned integer in the range 0...4294967295. Defaults to 1024.
1559
1560 RouteTable=num
1561 The table identifier for DHCP routes. Takes one of predefined names
1562 "default", "main", and "local", and names defined in RouteTable= in
1563 networkd.conf(5), or a number between 1...4294967295.
1564
1565 When used in combination with VRF=, the VRF's routing table is used
1566 when this parameter is not specified.
1567
1568 RouteMTUBytes=
1569 Specifies the MTU for the DHCP routes. Please see the [Route]
1570 section for further details.
1571
1572 QuickAck=
1573 Takes a boolean. When true, the TCP quick ACK mode is enabled for
1574 the routes configured by the acquired DHCPv4 lease. When unset, the
1575 kernel's default will be used.
1576
1577 UseGateway=
1578 When true, the gateway will be requested from the DHCP server and
1579 added to the routing table with a metric of 1024, and a scope of
1580 link. When unset, the value specified with UseRoutes= is used.
1581
1582 UseTimezone=
1583 When true, the timezone received from the DHCP server will be set
1584 as timezone of the local system. Defaults to false.
1585
1586 Use6RD=
1587 When true, subnets of the received IPv6 prefix are assigned to
1588 downstream interfaces which enables DHCPPrefixDelegation=. See also
1589 DHCPPrefixDelegation= in the [Network] section, the
1590 [DHCPPrefixDelegation] section, and RFC 5969[24]. Defaults to
1591 false.
1592
1593 FallbackLeaseLifetimeSec=
1594 Allows one to set the DHCPv4 lease lifetime when the DHCPv4 server
1595 does not send the lease lifetime. Takes one of "forever" or "infinity".
1596 If specified, the acquired address never expires. Defaults to unset.
1597
1598 RequestBroadcast=
1599 Request the server to use broadcast messages before the IP address
1600 has been configured. This is necessary for devices that cannot
1601 receive RAW packets, or that cannot receive packets at all before
1602 an IP address has been configured. On the other hand, this must not
1603 be enabled on networks where broadcasts are filtered out.
1604
1605 MaxAttempts=
1606 Specifies how many times the DHCPv4 client configuration should be
1607 attempted. Takes a number or "infinity". Defaults to "infinity".
1608 Note that the time between retries is increased exponentially, up
1609 to approximately one per minute, so the network will not be
1610 overloaded even if this number is high. The default is suitable in
1611 most circumstances.
1612
1613 ListenPort=
1614 Set the port from which the DHCP client packets originate.
1615
1616 DenyList=
1617 A whitespace-separated list of IPv4 addresses. Each address can
1618 optionally take a prefix length after "/". DHCP offers from servers
1619 in the list are rejected. Note that if AllowList= is configured
1620 then DenyList= is ignored.
1621
1622 AllowList=
1623 A whitespace-separated list of IPv4 addresses. Each address can
1624 optionally take a prefix length after "/". DHCP offers from servers
1625 in the list are accepted.
1626
1627 SendRelease=
1628 When true, the DHCPv4 client sends a DHCP release packet when it
1629 stops. Defaults to true.
1630
1631 SendDecline=
1632 A boolean. When true, systemd-networkd performs IPv4 Duplicate
1633 Address Detection on the address acquired by the DHCPv4 client. If
1634 a duplicate is detected, the DHCPv4 client rejects the address by
1635 sending a DHCPDECLINE packet to the DHCP server, and tries to
1636 obtain an IP address again. See RFC 5227[11]. Defaults to false.
1637
1638 NetLabel=
1639 This applies the NetLabel for the addresses received with DHCP,
1640 like NetLabel= in [Address] section applies it to statically
1641 configured addresses. See NetLabel= in [Address] section for more
1642 details.
1643
1645 The [DHCPv6] section configures the DHCPv6 client, if it is enabled
1646 with the DHCP= setting described above, or invoked by the IPv6 Router
1647 Advertisement:
1648
1649 MUDURL=, IAID=, DUIDType=, DUIDRawData=, RequestOptions=
1650 As in the [DHCPv4] section.
1651
1652 SendOption=
1653 As in the [DHCPv4] section, however because DHCPv6 uses 16-bit
1654 fields to store option numbers, the option number is an integer in
1655 the range 1...65536.
1656
1657 SendVendorOption=
1658 Send an arbitrary vendor option in the DHCPv6 request. Takes an
1659 enterprise identifier, DHCP option number, data type, and data
1660 separated with a colon ("enterprise identifier:option:type:value").
1661 Enterprise identifier is an unsigned integer in the range
1662 1...4294967294. The option number must be an integer in the range
1663 1...254. Data type takes one of "uint8", "uint16", "uint32",
1664 "ipv4address", "ipv6address", or "string". Special characters in
1665 the data string may be escaped using C-style escapes[23]. This
1666 setting can be specified multiple times. If an empty string is
1667 specified, then all options specified earlier are cleared. Defaults
1668 to unset.
1669
1670 UserClass=
1671 A DHCPv6 client can use the User Class option to identify the type or
1672 category of user or applications it represents. The information
1673 contained in this option is a string that represents the user class
1674 of which the client is a member. Each class sets an identifying
1675 string of information to be used by the DHCP service to classify
1676 clients. Special characters in the data string may be escaped using
1677 C-style escapes[23]. This setting can be specified multiple times.
1678 If an empty string is specified, then all options specified earlier
1679 are cleared. Takes a whitespace-separated list of strings. Note
1680 that currently NUL bytes are not allowed.
1681
1682 VendorClass=
1683 A DHCPv6 client can use the VendorClass option to identify the vendor
1684 that manufactured the hardware on which the client is running. The
1685 information contained in the data area of this option is contained
1686 in one or more opaque fields that identify details of the hardware
1687 configuration. Takes a whitespace-separated list of strings.
1688
1689 PrefixDelegationHint=
1690 Takes an IPv6 address with prefix length in the same format as the
1691 Address= in the [Network] section. The DHCPv6 client will include a
1692 prefix hint in the DHCPv6 solicitation sent to the server. The
1693 prefix length must be in the range 1...128. Defaults to unset.
1694
1695 RapidCommit=
1696 Takes a boolean. The DHCPv6 client can obtain configuration
1697 parameters from a DHCPv6 server through a rapid two-message
1698 exchange (solicit and reply). When the rapid commit option is set
1699 by both the DHCPv6 client and the DHCPv6 server, the two-message
1700 exchange is used. Otherwise, the four-message exchange (solicit,
1701 advertise, request, and reply) is used. The two-message exchange
1702 provides faster client configuration. See RFC 3315[25] for details.
1703 Defaults to true, and the two-message exchange will be used if the
1704 server supports it.
1705
1706 UseAddress=
1707 When true (the default), the IP addresses provided by the DHCPv6
1708 server will be assigned.
1709
1710 UseCaptivePortal=
1711 When true (the default), the captive portal advertised by the
1712 DHCPv6 server will be recorded and made available to client
1713 programs and displayed in the networkctl status output per-link.
1714
1715 UseDelegatedPrefix=
1716 When true (the default), the client will request the DHCPv6 server
1717 to delegate prefixes. If the server provides prefixes to be
1718 delegated, then subnets of the prefixes are assigned to the
1719 interfaces that have DHCPPrefixDelegation=yes. See also the
1720 DHCPPrefixDelegation= setting in the [Network] section, settings in
1721 the [DHCPPrefixDelegation] section, and RFC 8415[26].
1722
1723 UseDNS=, UseNTP=, UseHostname=, UseDomains=, NetLabel=, SendRelease=
1724 As in the [DHCPv4] section.
1725
1726 WithoutRA=
1727 Allows the DHCPv6 client to start without the router advertisement's
1728 "managed" or "other configuration" flag. Takes one of "no",
1729 "solicit", or "information-request". If this is not specified,
1730 "solicit" is used when DHCPPrefixDelegation= is enabled and
1731 UplinkInterface=:self is specified in the [DHCPPrefixDelegation]
1732 section. Otherwise, defaults to "no", and the DHCPv6 client will be
1733 started when an RA is received. See also the DHCPv6Client= setting
1734 in the [IPv6AcceptRA] section.
1735
1737 The [DHCPPrefixDelegation] section configures subnet prefixes of the
1738 delegated prefixes acquired by a DHCPv6 client or by a DHCPv4 client
1739 through the 6RD option on another interface. The settings in this
1740 section are used only when the DHCPPrefixDelegation= setting in the
1741 [Network] section is enabled.
1742
1743 UplinkInterface=
1744 Specifies the name or the index of the uplink interface, or one of
1745 the special values ":self" and ":auto". When ":self", the interface
1746 itself is considered the uplink interface, and WithoutRA=solicit is
1747 implied if the setting is not explicitly specified. When ":auto",
1748 the first link which acquired prefixes to be delegated from the
1749 DHCPv6 or DHCPv4 server is selected. Defaults to ":auto".
1750
1751 SubnetId=
1752 Configure a specific subnet ID on the interface from a (previously)
1753 received prefix delegation. You can either set "auto" (the default)
1754 or a specific subnet ID (as defined in RFC 4291[27], section
1755 2.5.4), in which case the allowed value is hexadecimal, from 0 to
1756 0x7fffffffffffffff inclusive.
1757
1758 Announce=
1759 Takes a boolean. When enabled, and IPv6SendRA= in [Network] section
1760 is enabled, the delegated prefixes are distributed through the IPv6
1761 Router Advertisement. This setting will be ignored when the
1762 DHCPPrefixDelegation= setting is enabled on the upstream interface.
1763 Defaults to yes.
1764
1765 Assign=
1766 Takes a boolean. Specifies whether to add an address from the
1767 delegated prefixes which are received from the WAN interface by the
1768 DHCPv6 Prefix Delegation. When true (on LAN interface), the EUI-64
1769 algorithm will be used by default to form an interface identifier
1770 from the delegated prefixes. See also Token= setting below.
1771 Defaults to yes.
1772
1773 Token=
1774 Specifies an optional address generation mode for assigning an
1775 address in each delegated prefix. This accepts the same syntax as
1776 Token= in the [IPv6AcceptRA] section. If Assign= is set to false,
1777 then this setting will be ignored. Defaults to unset, which means
1778 the EUI-64 algorithm will be used.
1779
1780 ManageTemporaryAddress=
1781 As in the [Address] section, but defaults to true.
1782
1783 RouteMetric=
1784 The metric of the route to the delegated prefix subnet. Takes an
1785 unsigned integer in the range 0...4294967295. When set to 0, the
1786 kernel's default value is used. Defaults to 256.
1787
1788 NetLabel=
1789 This applies the NetLabel for the addresses received with DHCP,
1790 like NetLabel= in [Address] section applies it to statically
1791 configured addresses. See NetLabel= in [Address] section for more
1792 details.
1793
1795 The [IPv6AcceptRA] section configures the IPv6 Router Advertisement
1796 (RA) client, if it is enabled with the IPv6AcceptRA= setting described
1797 above:
1798
1799 Token=
1800 Specifies an optional address generation mode for the Stateless
1801 Address Autoconfiguration (SLAAC). The following values are
1802 supported:
1803
1804 eui64
1805 The EUI-64 algorithm will be used to generate an address for
1806 that prefix. Only supported by Ethernet or InfiniBand
1807 interfaces.
1808
1809 static:ADDRESS
1810 An IPv6 address must be specified after a colon (":"), and the
1811 lower bits of the supplied address are combined with the upper
1812 bits of a prefix received in a Router Advertisement (RA)
1813 message to form a complete address. Note that if multiple
1814 prefixes are received in an RA message, or in multiple RA
1815 messages, addresses will be formed from each of them using the
1816 supplied address. This mode implements SLAAC but uses a static
1817 interface identifier instead of an identifier generated by
1818 using the EUI-64 algorithm. Because the interface identifier is
1819 static, if Duplicate Address Detection detects that the
1820 computed address is a duplicate (in use by another node on the
1821 link), then this mode will fail to provide an address for that
1822 prefix. If an IPv6 address without mode is specified, then
1823 "static" mode is assumed.
1824
1825 prefixstable[:ADDRESS][,UUID]
1826 The algorithm specified in RFC 7217[28] will be used to
1827 generate interface identifiers. This mode can optionally take
1828 an IPv6 address separated with a colon (":"). If an IPv6
1829 address is specified, then an interface identifier is generated
1830 only when a prefix received in an RA message matches the
1831 supplied address.
1832
1833 This mode can also optionally take a non-null UUID in the
1834 format which sd_id128_from_string() accepts, e.g.
1835 "86b123b969ba4b7eb8b3d8605123525a" or
1836 "86b123b9-69ba-4b7e-b8b3-d8605123525a". If a UUID is specified,
1837 the value is used as the secret key to generate interface
1838 identifiers. If not specified, then an application specific ID
1839 generated with the system's machine-ID will be used as the
1840 secret key. See sd-id128(3), sd_id128_from_string(3), and
1841 sd_id128_get_machine(3).
1842
1843 Note that the "prefixstable" algorithm uses both the interface
1844 name and MAC address as input to the hash to compute the
1845 interface identifier, so if either of those are changed the
1846 resulting interface identifier (and address) will be changed,
1847 even if the prefix received in the RA message has not been
1848 changed.
1849
1850 If no address generation mode is specified (which is the default),
1851 or a received prefix does not match any of the addresses provided
1852 in "prefixstable" mode, then the EUI-64 algorithm will be used for
1853 Ethernet or InfiniBand interfaces, otherwise "prefixstable" will be
1854 used to form an interface identifier for that prefix.
1855
1856 This setting can be specified multiple times. If an empty string is
1857 assigned, then all previous assignments are cleared.
1858
1859 Examples:
1860
1861 Token=eui64
1862 Token=::1a:2b:3c:4d
1863 Token=static:::1a:2b:3c:4d
1864 Token=prefixstable
1865 Token=prefixstable:2002:da8:1::
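
The eui64 and static: modes described above, worked through as an added example (not part of the man page or of systemd's code). The MAC address and the 2001:db8:: prefixes are constructed sample values, and only /64 prefixes are handled. The last function shows why eui64 matters for privacy: the hardware address can be read back out of every address formed that way.

```python
import ipaddress

LOW_64 = 2**64 - 1


def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # invert the universal/local bit
    return int.from_bytes(eui, "big")


def form_address(prefix, interface_id):
    """Upper 64 bits from the RA prefix, lower 64 bits from the identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("this sketch only handles /64 prefixes")
    return ipaddress.IPv6Address(int(net.network_address) | (interface_id & LOW_64))


def slaac_addresses(token, prefixes, mac):
    """One address per received prefix for Token=eui64, static:ADDRESS or a bare ADDRESS."""
    if token == "eui64":
        iid = eui64_interface_id(mac)
    elif token.startswith("prefixstable"):
        # RFC 7217 needs the secret key networkd derives; that is not modelled here.
        raise NotImplementedError("prefixstable is outside this example")
    else:
        # A bare address is treated as "static", as the text above states.
        address = token[len("static:"):] if token.startswith("static:") else token
        iid = int(ipaddress.IPv6Address(address))
    return [form_address(prefix, iid) for prefix in prefixes]


def mac_from_address(address):
    """Return the MAC embedded in an EUI-64 address, or None if the ff:fe marker is absent."""
    iid = (int(ipaddress.IPv6Address(str(address))) & LOW_64).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02  # undo the universal/local bit inversion
    return ":".join(f"{octet:02x}" for octet in mac)


if __name__ == "__main__":
    prefixes = ["2001:db8:1::/64", "2001:db8:2::/64"]  # constructed RA prefixes
    mac = "52:54:00:12:34:56"                          # constructed MAC address
    for token in ("eui64", "::1a:2b:3c:4d", "static:::1a:2b:3c:4d"):
        for address in slaac_addresses(token, prefixes, mac):
            print(f"Token={token:<22} {address}  embedded MAC: {mac_from_address(address)}")
```

Both static spellings yield the same address in each prefix, and only the eui64 addresses give back the MAC.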
1866
1867 UseDNS=
1868 When true (the default), the DNS servers received in the Router
1869 Advertisement will be used.
1870
1871 This corresponds to the nameserver option in resolv.conf(5).
1872
1873 UseDomains=
1874 Takes a boolean, or the special value "route". When true, the
1875 domain name received via IPv6 Router Advertisement (RA) will be
1876 used as DNS search domain over this link, similarly to the effect
1877 of the Domains= setting. If set to "route", the domain name
1878 received via IPv6 RA will be used for routing DNS queries only, but
1879 not for searching, similarly to the effect of the Domains= setting
1880 when the argument is prefixed with "~". Defaults to false.
1881
1882 It is recommended to enable this option only on trusted networks,
1883 as setting this affects resolution of all hostnames, in particular
1884 of single-label names. It is generally safer to use the supplied
1885 domain only as routing domain, rather than as search domain, in
1886 order to not have it affect local resolution of single-label names.
1887
1888 When set to true, this setting corresponds to the domain option in
1889 resolv.conf(5).
1890
1891 RouteTable=num
1892 The table identifier for the routes received in the Router
1893 Advertisement. Takes one of predefined names "default", "main", and
1894 "local", and names defined in RouteTable= in networkd.conf(5), or a
1895 number between 1...4294967295.
1896
1897 When used in combination with VRF=, the VRF's routing table is used
1898 when this parameter is not specified.
1899
1900 RouteMetric=
1901 Set the routing metric for the routes received in the Router
1902 Advertisement. Takes an unsigned integer in the range
1903 0...4294967295, or three unsigned integers separated with ":"; in
1904 that case the first one is used when the router preference is high,
1905 the second is for medium preference, and the last is for low
1906 preference ("high:medium:low"). Defaults to "512:1024:2048".
1907
1908 QuickAck=
1909 Takes a boolean. When true, the TCP quick ACK mode is enabled for
1910 the routes configured by the received RAs. When unset, the kernel's
1911 default will be used.
1912
1913 UseMTU=
1914 Takes a boolean. When true, the MTU received in the Router
1915 Advertisement will be used. Defaults to true.
1916
1917 UseGateway=
1918 When true (the default), the router address will be configured as
1919 the default gateway.
1920
1921 UseRoutePrefix=
1922 When true (the default), the routes corresponding to the route
1923 prefixes received in the Router Advertisement will be configured.
1924
1925 UseCaptivePortal=
1926 When true (the default), the captive portal received in the Router
1927 Advertisement will be recorded and made available to client
1928 programs and displayed in the networkctl status output per-link.
1929
1930 UseAutonomousPrefix=
1931 When true (the default), the autonomous prefix received in the
1932 Router Advertisement will be used and take precedence over any
1933 statically configured ones.
1934
1935 UseOnLinkPrefix=
1936 When true (the default), the onlink prefix received in the Router
1937 Advertisement will be used and take precedence over any statically
1938 configured ones.
1939
1940 RouterDenyList=
1941 A whitespace-separated list of IPv6 router addresses. Each address
1942 can optionally take a prefix length after "/". Any information
1943 advertised by the listed router is ignored.
1944
1945 RouterAllowList=
1946 A whitespace-separated list of IPv6 router addresses. Each address
1947 can optionally take a prefix length after "/". Only information
1948 advertised by the listed router is accepted. Note that if
1949 RouterAllowList= is configured then RouterDenyList= is ignored.
1950
1951 PrefixDenyList=
1952 A whitespace-separated list of IPv6 prefixes. Each prefix can
1953 optionally take its prefix length after "/". IPv6 prefixes supplied
1954 via router advertisements in the list are ignored.
1955
1956 PrefixAllowList=
1957 A whitespace-separated list of IPv6 prefixes. Each prefix can
1958 optionally take its prefix length after "/". IPv6 prefixes supplied
1959 via router advertisements in the list are allowed. Note that if
1960 PrefixAllowList= is configured then PrefixDenyList= is ignored.
1961
1962 RouteDenyList=
1963 A whitespace-separated list of IPv6 route prefixes. Each prefix can
1964 optionally take its prefix length after "/". IPv6 route prefixes
1965 supplied via router advertisements in the list are ignored.
1966
1967 RouteAllowList=
1968 A whitespace-separated list of IPv6 route prefixes. Each prefix can
1969 optionally take its prefix length after "/". IPv6 route prefixes
1970 supplied via router advertisements in the list are allowed. Note
1971 that if RouteAllowList= is configured then RouteDenyList= is
1972 ignored.
1973
1974 DHCPv6Client=
1975 Takes a boolean, or the special value "always". When true, the
1976 DHCPv6 client will be started in "solicit" mode if the RA has the
1977 "managed" flag or "information-request" mode if the RA lacks the
1978 "managed" flag but has the "other configuration" flag. If set to
1979 "always", the DHCPv6 client will be started in "solicit" mode when
1980 an RA is received, even if neither the "managed" nor the "other
1981 configuration" flag is set in the RA. This will be ignored when
1982 WithoutRA= in the [DHCPv6] section is enabled, or
1983 UplinkInterface=:self in the [DHCPPrefixDelegation] section is
1984 specified. Defaults to true.
1985
1986 NetLabel=
1987 This applies the NetLabel for the addresses received with RA, like
1988 NetLabel= in [Address] section applies it to statically configured
1989 addresses. See NetLabel= in [Address] section for more details.
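
Several settings in the [DHCPv4] and [IPv6AcceptRA] sections above are silently ignored when another setting is present, and UseDomains= is recommended only on trusted networks. The following check reports those cases for a .network file. It is an added example, not part of the man page or of systemd; the embedded file is a constructed sample, and the set of accepted boolean spellings is an assumption based on systemd's usual boolean parsing.

```python
"""Report .network settings that the text above says are ignored or risky."""

TRUE_WORDS = {"1", "yes", "y", "true", "t", "on"}  # assumed boolean spellings

# [DHCPv4] keys listed as implied or ignored when Anonymize= is true.
ANONYMIZE_IGNORED = {
    "ClientIdentifier", "SendHostname", "Use6RD", "UseCaptivePortal",
    "UseMTU", "UseNTP", "UseSIP", "UseTimezone", "Hostname", "MUDURL",
    "RequestOptions", "SendOption", "SendVendorOption", "UserClass",
    "VendorClassIdentifier",
}

# (section, allow key, deny key): the deny list is ignored once the allow list is set.
ALLOW_OVERRIDES_DENY = [
    ("DHCPv4", "AllowList", "DenyList"),
    ("IPv6AcceptRA", "RouterAllowList", "RouterDenyList"),
    ("IPv6AcceptRA", "PrefixAllowList", "PrefixDenyList"),
    ("IPv6AcceptRA", "RouteAllowList", "RouteDenyList"),
]

USE_DOMAINS_SECTIONS = ("DHCPv4", "DHCPv6", "IPv6AcceptRA")


def parse_network(text):
    """Return {section: {key: [values]}}. Repeated sections are merged, which
    is adequate for the single-instance sections audited here."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value:
                current.setdefault(key, []).append(value)
            else:
                current[key] = []  # an empty assignment clears earlier values
    return sections


def is_true(values):
    """True when the last assignment of a boolean setting is a true value."""
    return bool(values) and values[-1].lower() in TRUE_WORDS


def audit(text):
    """Return a list of (section, key, message) findings."""
    cfg = parse_network(text)
    findings = []
    dhcp4 = cfg.get("DHCPv4", {})
    if is_true(dhcp4.get("Anonymize")):
        configured = {key for key, values in dhcp4.items() if values}
        for key in sorted(ANONYMIZE_IGNORED & configured):
            findings.append(("DHCPv4", key, "silently ignored because Anonymize= is true"))
    for section, allow, deny in ALLOW_OVERRIDES_DENY:
        keys = cfg.get(section, {})
        if keys.get(allow) and keys.get(deny):
            findings.append((section, deny, f"ignored because {allow}= is configured"))
    for section in USE_DOMAINS_SECTIONS:
        if is_true(cfg.get(section, {}).get("UseDomains")):
            findings.append((section, "UseDomains",
                             "network-supplied search domain; use 'route' on untrusted links"))
    return findings


# Constructed sample file, not taken from the man page.
SAMPLE = """\
[Match]
Name=wlan0

[Network]
DHCP=yes
IPv6AcceptRA=yes

[DHCPv4]
Anonymize=yes
Hostname=build-laptop
SendOption=60:string:lab
UseDomains=true
AllowList=192.0.2.1
DenyList=192.0.2.66

[IPv6AcceptRA]
UseDomains=route
RouterAllowList=fe80::1
RouterDenyList=fe80::bad
"""

if __name__ == "__main__":
    for section, key, message in audit(SAMPLE):
        print(f"[{section}] {key}=: {message}")
```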
1990
1992 The [DHCPServer] section contains settings for the DHCP server, if
1993 enabled via the DHCPServer= option described above:
1994
1995 ServerAddress=
1996 Specifies server address for the DHCP server. Takes an IPv4 address
1997 with prefix length, for example 192.168.0.1/24. This setting may be
1998 useful when the link on which the DHCP server is running has
1999 multiple static addresses. When unset, one of static addresses in
2000 the link will be automatically selected. Defaults to unset.
2001
2002 PoolOffset=, PoolSize=
2003 Configures the pool of addresses to hand out. The pool is a
2004 contiguous sequence of IP addresses in the subnet configured for
2005 the server address, which does not include the subnet nor the
2006 broadcast address. PoolOffset= takes the offset of the pool from
2007 the start of subnet, or zero to use the default value. PoolSize=
2008 takes the number of IP addresses in the pool or zero to use the
2009 default value. By default, the pool starts at the first address
2010 after the subnet address and takes up the rest of the subnet,
2011 excluding the broadcast address. If the pool includes the server
2012 address (the default), this is reserved and not handed out to
2013 clients.
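
The pool arithmetic described for PoolOffset= and PoolSize=, as an added example that is not part of the man page or of systemd's code. It also reports statically addressed hosts that fall inside the pool. The addresses are constructed sample values, and rejecting a pool that does not fit in the subnet is this example's assumption.

```python
import ipaddress


def dhcp_pool(server_address, pool_offset=0, pool_size=0):
    """Return (first, last) address of the pool for the given server address."""
    iface = ipaddress.IPv4Interface(server_address)
    net = iface.network
    # Zero selects the default: start at the first address after the subnet address.
    offset = pool_offset or 1
    # Everything from the offset up to, but excluding, the broadcast address.
    largest = net.num_addresses - offset - 1
    if largest < 1:
        raise ValueError("PoolOffset= leaves no room in the subnet")
    size = pool_size or largest
    if size > largest:
        raise ValueError("PoolSize= does not fit in the subnet")
    first = net.network_address + offset
    return first, first + (size - 1)


def pool_report(server_address, pool_offset=0, pool_size=0, static_hosts=()):
    """Return (leasable address count, static hosts that collide with the pool)."""
    first, last = dhcp_pool(server_address, pool_offset, pool_size)
    server = ipaddress.IPv4Interface(server_address).ip
    count = int(last) - int(first) + 1
    if first <= server <= last:
        count -= 1  # the server address is reserved and never handed out
    collisions = [host for host in map(ipaddress.IPv4Address, static_hosts)
                  if first <= host <= last and host != server]
    return count, collisions


if __name__ == "__main__":
    # Constructed values: a /24 with a printer and a NAS on static addresses.
    static = ["192.168.0.10", "192.168.0.200"]
    for offset, size in ((0, 0), (100, 50)):
        first, last = dhcp_pool("192.168.0.1/24", offset, size)
        count, collisions = pool_report("192.168.0.1/24", offset, size, static)
        print(f"PoolOffset={offset} PoolSize={size}: {first}-{last}, "
              f"{count} leasable, collisions: {[str(c) for c in collisions]}")
```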
2014
2015 DefaultLeaseTimeSec=, MaxLeaseTimeSec=
2016 Control the default and maximum DHCP lease time to pass to clients.
2017 These settings take time values in seconds or another common time
2018 unit, depending on the suffix. The default lease time is used for
2019 clients that did not ask for a specific lease time. If a client
2020 asks for a lease time longer than the maximum lease time, it is
2021 automatically shortened to the specified time. The default lease
2022 time defaults to 1h, the maximum lease time to 12h. Shorter lease
2023 times are beneficial if the configuration data in DHCP leases
2024 changes frequently and clients shall learn the new settings with
2025 shorter latencies. Longer lease times reduce the generated DHCP
2026 network traffic.
2027
2028 UplinkInterface=
2029 Specifies the name or the index of the uplink interface, or one of
2030 the special values ":none" and ":auto". When emitting DNS, NTP, or
2031 SIP servers is enabled but no servers are specified, the servers
2032 configured in the uplink interface will be emitted. When ":auto",
2033 the link which has a default gateway with the highest priority will
2034 be automatically selected. When ":none", no uplink interface will
2035 be selected. Defaults to ":auto".
2036
2037 EmitDNS=, DNS=
2038 EmitDNS= takes a boolean. Configures whether the DHCP leases handed
2039 out to clients shall contain DNS server information. Defaults to
2040 "yes". The DNS servers to pass to clients may be configured with
2041 the DNS= option, which takes a list of IPv4 addresses, or special
2042 value "_server_address" which will be converted to the address used
2043 by the DHCP server.
2044
2045 If the EmitDNS= option is enabled but no servers configured, the
2046 servers are automatically propagated from an "uplink" interface
2047 that has appropriate servers set. The "uplink" interface is
2048 determined by the default route of the system with the highest
2049 priority. Note that this information is acquired at the time the
2050 lease is handed out, and does not take uplink interfaces into
2051 account that acquire DNS server information at a later point. If no
2052 suitable uplink interface is found the DNS server data from
2053 /etc/resolv.conf is used. Also, note that the leases are not
2054 refreshed if the uplink network configuration changes. To ensure
2055 clients regularly acquire the most current uplink DNS server
2056 information, it is thus advisable to shorten the DHCP lease time
2057 via MaxLeaseTimeSec= described above.
2058
2059 This setting can be specified multiple times. If an empty string is
2060 specified, then all DNS servers specified earlier are cleared.
2061
2062 EmitNTP=, NTP=, EmitSIP=, SIP=, EmitPOP3=, POP3=, EmitSMTP=, SMTP=,
2063 EmitLPR=, LPR=
2064 Similar to the EmitDNS= and DNS= settings described above, these
2065 settings configure whether and what server information for the
2066 indicated protocol shall be emitted as part of the DHCP lease. The
2067 same syntax, propagation semantics and defaults apply as for
2068 EmitDNS= and DNS=.
2069
2070 EmitRouter=, Router=
2071 The EmitRouter= setting takes a boolean value, and configures
2072 whether the DHCP lease should contain the router option. The
2073 Router= setting takes an IPv4 address, and configures the router
2074 address to be emitted. When the Router= setting is not specified,
2075 then the server address will be used for the router option. When
2076 the EmitRouter= setting is disabled, the Router= setting will be
2077 ignored. The EmitRouter= setting defaults to true, and the Router=
2078 setting defaults to unset.
2079
2080 EmitTimezone=, Timezone=
2081 Takes a boolean. Configures whether the DHCP leases handed out to
2082 clients shall contain timezone information. Defaults to "yes". The
2083 Timezone= setting takes a timezone string (such as "Europe/Berlin"
2084 or "UTC") to pass to clients. If no explicit timezone is set, the
2085 system timezone of the local host is propagated, as determined by
2086 the /etc/localtime symlink.
2087
2088 BootServerAddress=
2089 Takes an IPv4 address of the boot server used by e.g. PXE boot
2090 systems. When specified, this address is sent in the siaddr field
2091 of the DHCP message header. See RFC 2131[29] for more details.
2092 Defaults to unset.
2093
2094 BootServerName=
2095 Takes a name of the boot server used by e.g. PXE boot systems. When
2096 specified, this name is sent in the DHCP option 66 ("TFTP server
2097 name"). See RFC 2132[30] for more details. Defaults to unset.
2098
2099 Note that typically setting one of BootServerName= or
2100 BootServerAddress= is sufficient, but both can be set too, if
2101 desired.
2102
2103 BootFilename=
2104 Takes a path or URL to a file loaded by e.g. a PXE boot loader.
2105 When specified, this path is sent in the DHCP option 67 ("Bootfile
2106 name"). See RFC 2132[30] for more details. Defaults to unset.
2107
2108 SendOption=
2109 Send a raw option with value via DHCPv4 server. Takes a DHCP option
2110 number, data type and data ("option:type:value"). The option number
2111 is an integer in the range 1...254. The type takes one of "uint8",
2112 "uint16", "uint32", "ipv4address", "ipv6address", or "string".
2113 Special characters in the data string may be escaped using C-style
2114 escapes[23]. This setting can be specified multiple times. If an
2115 empty string is specified, then all options specified earlier are
2116 cleared. Defaults to unset.
2117
2118 SendVendorOption=
2119 Send a vendor option with value via DHCPv4 server. Takes a DHCP
2120 option number, data type and data ("option:type:value"). The option
2121 number is an integer in the range 1...254. The type takes one of
2122 "uint8", "uint16", "uint32", "ipv4address", or "string". Special
2123 characters in the data string may be escaped using C-style
2124 escapes[23]. This setting can be specified multiple times. If an
2125 empty string is specified, then all options specified earlier are
2126 cleared. Defaults to unset.
2127
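The "option:type:value" syntax of SendOption= and SendVendorOption= can be checked before a file is deployed. The following is an added example, not part of systemd or of this manual page: the function names and the sample file are constructed, and integers are accepted in decimal only, which is an assumption of the example.

```python
import ipaddress

# Types this page lists per setting; SendVendorOption= has no "ipv6address".
ALLOWED_TYPES = {
    "SendOption": {"uint8", "uint16", "uint32", "ipv4address", "ipv6address", "string"},
    "SendVendorOption": {"uint8", "uint16", "uint32", "ipv4address", "string"},
}
UINT_MAX = {"uint8": 0xFF, "uint16": 0xFFFF, "uint32": 0xFFFFFFFF}


def _is_decimal(text):
    """True for a non-empty run of ASCII digits (assumed integer syntax)."""
    return text.isascii() and text.isdigit()


def check_send_option(key, value):
    """Return the problems found in one SendOption=/SendVendorOption= value."""
    if value == "":
        return []  # an empty string clears the options specified earlier
    # Split on the first two colons only: the data may itself contain ':'
    # (an IPv6 address, or an arbitrary string).
    parts = value.split(":", 2)
    if len(parts) != 3:
        return ["expected option:type:value"]
    number, dtype, data = parts
    problems = []
    if not (_is_decimal(number) and 1 <= int(number) <= 254):
        problems.append(f"option number {number!r} is outside 1...254")
    if dtype not in ALLOWED_TYPES[key]:
        problems.append(f"type {dtype!r} is not accepted by {key}=")
    elif dtype in UINT_MAX:
        if not (_is_decimal(data) and int(data) <= UINT_MAX[dtype]):
            problems.append(f"{data!r} does not fit {dtype}")
    elif dtype == "ipv4address":
        try:
            ipaddress.IPv4Address(data)
        except ValueError:
            problems.append(f"{data!r} is not an IPv4 address")
    elif dtype == "ipv6address":
        try:
            ipaddress.IPv6Address(data)
        except ValueError:
            problems.append(f"{data!r} is not an IPv6 address")
    return problems


def audit_dhcp_server(text):
    """Return (line_number, key, problem) for each bad raw option in [DHCPServer].

    The file is walked line by line because both settings may be specified
    multiple times and every occurrence has to be checked.
    """
    findings, section = [], None
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if section == "DHCPServer" and sep and key in ALLOWED_TYPES:
            for problem in check_send_option(key, value.strip()):
                findings.append((lineno, key, problem))
    return findings


# Constructed sample file; option numbers and values are illustrative only.
SAMPLE = """\
[Network]
DHCPServer=yes

[DHCPServer]
SendOption=224:string:site=lab:rack=7
SendOption=26:uint16:1400
SendOption=255:uint8:1
SendVendorOption=10:ipv6address:2001:db8::1
SendVendorOption=11:uint8:300
"""

if __name__ == "__main__":
    for lineno, key, problem in audit_dhcp_server(SAMPLE):
        print(f"line {lineno}: {key}=: {problem}")
```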
2128 BindToInterface=
2129 Takes a boolean value. When "yes", DHCP server socket will be bound
2130 to its network interface and all socket communication will be
2131 restricted to this interface. Defaults to "yes", except if
2132 RelayTarget= is used (see below), in which case it defaults to
2133 "no".
2134
2135 RelayTarget=
2136 Takes an IPv4 address, which must be in the format described in
2137 inet_pton(3). Turns this DHCP server into a DHCP relay agent. See
2138 RFC 1542[31]. The address is the address of DHCP server or another
2139 relay agent to forward DHCP messages to and from.
2140
2141 RelayAgentCircuitId=
2142 Specifies value for Agent Circuit ID suboption of Relay Agent
2143 Information option. Takes a string, which must be in the format
2144 "string:value", where "value" should be replaced with the value of
2145 the suboption. Defaults to unset (means no Agent Circuit ID
2146 suboption is generated). Ignored if RelayTarget= is not specified.
2147
2148 RelayAgentRemoteId=
2149 Specifies value for Agent Remote ID suboption of Relay Agent
2150 Information option. Takes a string, which must be in the format
2151 "string:value", where "value" should be replaced with the value of
2152 the suboption. Defaults to unset (means no Agent Remote ID
2153 suboption is generated). Ignored if RelayTarget= is not specified.
2154
2156 The "[DHCPServerStaticLease]" section configures a static DHCP lease to
2157 assign a fixed IPv4 address to a specific device based on its MAC
2158 address. This section can be specified multiple times.
2159
2160 MACAddress=
2161 The hardware address of a device to match. This key is mandatory.
2162
2163 Address=
2164 The IPv4 address that should be assigned to the device that was
2165 matched with MACAddress=. This key is mandatory.
2166
2168 The [IPv6SendRA] section contains settings for sending IPv6 Router
2169 Advertisements and whether to act as a router, if enabled via the
2170 IPv6SendRA= option described above. IPv6 network prefixes or routes are
2171 defined with one or more [IPv6Prefix] or [IPv6RoutePrefix] sections.
2172
2173 Managed=, OtherInformation=
2174 Takes a boolean. Controls whether a DHCPv6 server is used to
2175 acquire IPv6 addresses on the network link when Managed= is set to
2176 "true" or if only additional network information can be obtained
2177 via DHCPv6 for the network link when OtherInformation= is set to
2178 "true". Both settings default to "false", which means that a DHCPv6
2179 server is not being used.
2180
2181 RouterLifetimeSec=
2182 Takes a timespan. Configures the IPv6 router lifetime in seconds.
2183 The value must be 0 seconds, or between 4 seconds and 9000 seconds.
2184 When set to 0, the host is not acting as a router. Defaults to 1800
2185 seconds (30 minutes).
2186
2187 RouterPreference=
2188 Configures IPv6 router preference if RouterLifetimeSec= is
2189 non-zero. Valid values are "high", "medium" and "low", with
2190 "normal" and "default" added as synonyms for "medium" just to make
2191 configuration easier. See RFC 4191[20] for details. Defaults to
2192 "medium".
2193
2194 UplinkInterface=
2195 Specifies the name or the index of the uplink interface, or one of
2196 the special values ":none" and ":auto". When emitting DNS servers
2197 or search domains is enabled but no servers are specified, the
2198 servers configured in the uplink interface will be emitted. When
2199 ":auto", the value specified to the same setting in the
2200 [DHCPPrefixDelegation] section will be used if
2201 DHCPPrefixDelegation= is enabled, otherwise the link which has a
2202 default gateway with the highest priority will be automatically
2203 selected. When ":none", no uplink interface will be selected.
2204 Defaults to ":auto".
2205
2206 EmitDNS=, DNS=
2207 DNS= specifies a list of recursive DNS server IPv6 addresses that
2208 are distributed via Router Advertisement messages when EmitDNS= is
2209 true. DNS= also takes special value "_link_local"; in that case
2210 the IPv6 link-local address is distributed. If DNS= is empty, DNS
2211 servers are read from the [Network] section. If the [Network]
2212 section does not contain any DNS servers either, DNS servers from
2213 the uplink interface specified in UplinkInterface= will be used.
2214 When EmitDNS= is false, no DNS server information is sent in Router
2215 Advertisement messages. EmitDNS= defaults to true.
2216
2217 EmitDomains=, Domains=
2218 A list of DNS search domains distributed via Router Advertisement
2219 messages when EmitDomains= is true. If Domains= is empty, DNS
2220 search domains are read from the [Network] section. If the
2221 [Network] section does not contain any DNS search domains either,
2222 DNS search domains from the uplink interface specified in
2223 UplinkInterface= will be used. When EmitDomains= is false, no DNS
2224 search domain information is sent in Router Advertisement messages.
2225 EmitDomains= defaults to true.
2226
2227 DNSLifetimeSec=
2228 Lifetime in seconds for the DNS server addresses listed in DNS= and
2229 search domains listed in Domains=. Defaults to 3600 seconds (one
2230 hour).
2231
2233 One or more [IPv6Prefix] sections contain the IPv6 prefixes that are
2234 announced via Router Advertisements. See RFC 4861[32] for further
2235 details.
2236
2237 AddressAutoconfiguration=, OnLink=
2238 Takes a boolean to specify whether IPv6 addresses can be
2239 autoconfigured with this prefix and whether the prefix can be used
2240 for onlink determination. Both settings default to "true" in order
2241 to ease configuration.
2242
2243 Prefix=
2244 The IPv6 prefix that is to be distributed to hosts. Similarly to
2245 configuring static IPv6 addresses, the setting is configured as an
2246 IPv6 prefix and its prefix length, separated by a "/" character.
2247 Use multiple [IPv6Prefix] sections to configure multiple IPv6
2248 prefixes since prefix lifetimes, address autoconfiguration and
2249 onlink status may differ from one prefix to another.
2250
2251 PreferredLifetimeSec=, ValidLifetimeSec=
2252 Preferred and valid lifetimes for the prefix measured in seconds.
2253 PreferredLifetimeSec= defaults to 1800 seconds (30 minutes) and
2254 ValidLifetimeSec= defaults to 3600 seconds (one hour).
2255
2256 Assign=
2257 Takes a boolean. When true, adds an address from the prefix.
2258 Defaults to false.
2259
2260 Token=
2261 Specifies an optional address generation mode for assigning an
2262 address in each prefix. This accepts the same syntax as Token= in
2263 the [IPv6AcceptRA] section. If Assign= is set to false, then this
2264 setting will be ignored. Defaults to unset, which means the EUI-64
2265 algorithm will be used.
2266
2267 RouteMetric=
2268 The metric of the prefix route. Takes an unsigned integer in the
2269 range 0...4294967295. When unset or set to 0, the kernel's default
2270 value is used. This setting is ignored when Assign= is false.
2271
2273 One or more [IPv6RoutePrefix] sections contain the IPv6 prefix routes
2274 that are announced via Router Advertisements. See RFC 4191[20] for
2275 further details.
2276
2277 Route=
2278 The IPv6 route that is to be distributed to hosts. Similarly to
2279 configuring static IPv6 routes, the setting is configured as an
2280 IPv6 prefix route and its prefix route length, separated by a "/"
2281 character. Use multiple [IPv6RoutePrefix] sections to configure
2282 multiple IPv6 prefix routes.
2283
2284 LifetimeSec=
2285 Lifetime for the route prefix measured in seconds. LifetimeSec=
2286 defaults to 3600 seconds (one hour).
2287
2289 The [Bridge] section accepts the following keys:
2290
2291 UnicastFlood=
2292 Takes a boolean. Controls whether the bridge should flood traffic
2293 for which an FDB entry is missing and the destination is unknown
2294 through this port. When unset, the kernel's default will be used.
2295
2296 MulticastFlood=
2297 Takes a boolean. Controls whether the bridge should flood traffic
2298 for which an MDB entry is missing and the destination is unknown
2299 through this port. When unset, the kernel's default will be used.
2300
2301 MulticastToUnicast=
2302 Takes a boolean. Multicast to unicast works on top of the multicast
2303 snooping feature of the bridge, which means unicast copies are only
2304 delivered to hosts which are interested in it. When unset, the
2305 kernel's default will be used.
2306
2307 NeighborSuppression=
2308 Takes a boolean. Configures whether ARP and ND neighbor suppression
2309 is enabled for this port. When unset, the kernel's default will be
2310 used.
2311
2312 Learning=
2313 Takes a boolean. Configures whether MAC address learning is enabled
2314 for this port. When unset, the kernel's default will be used.
2315
2316 HairPin=
2317 Takes a boolean. Configures whether traffic may be sent back out of
2318 the port on which it was received. When this flag is false, then
2319 the bridge will not forward traffic back out of the receiving port.
2320 When unset, the kernel's default will be used.
2321
2322 Isolated=
2323 Takes a boolean. Configures whether this port is isolated or not.
2324 Within a bridge, isolated ports can only communicate with
2325 non-isolated ports. When set to true, this port can only
2326 communicate with other ports whose Isolated setting is false. When
2327 set to false, this port can communicate with any other ports. When
2328 unset, the kernel's default will be used.
2329
2330 UseBPDU=
2331 Takes a boolean. Configures whether STP Bridge Protocol Data Units
2332 will be processed by the bridge port. When unset, the kernel's
2333 default will be used.
2334
2335 FastLeave=
2336 Takes a boolean. This flag allows the bridge to immediately stop
2337 multicast traffic on a port that receives an IGMP Leave message. It
2338 is only used with IGMP snooping if enabled on the bridge. When
2339 unset, the kernel's default will be used.
2340
2341 AllowPortToBeRoot=
2342 Takes a boolean. Configures whether a given port is allowed to
2343 become a root port. Only used when STP is enabled on the bridge.
2344 When unset, the kernel's default will be used.
2345
2346 ProxyARP=
2347 Takes a boolean. Configures whether proxy ARP is enabled on this
2348 port. When unset, the kernel's default will be used.
2349
2350 ProxyARPWiFi=
2351 Takes a boolean. Configures whether proxy ARP is enabled on this
2352 port which meets extended requirements by IEEE 802.11 and Hotspot
2353 2.0 specifications. When unset, the kernel's default will be used.
2354
2355 MulticastRouter=
2356 Configures this port for having multicast routers attached. A port
2357 with a multicast router will receive all multicast traffic. Takes
2358 one of "no" to disable multicast routers on this port, "query" to
2359 let the system detect the presence of routers, "permanent" to
2360 permanently enable multicast traffic forwarding on this port, or
2361 "temporary" to enable multicast routers temporarily on this port,
2362 not depending on incoming queries. When unset, the kernel's default
2363 will be used.
2364
2365 Cost=
2366 Sets the "cost" of sending packets of this interface. Each port in
2367 a bridge may have a different speed and the cost is used to decide
2368 which link to use. Faster interfaces should have lower costs. It is
2369 an integer value between 1 and 65535.
2370
2371 Priority=
2372 Sets the "priority" of sending packets on this interface. Each port
2373 in a bridge may have a different priority which is used to decide
2374 which link to use. Lower value means higher priority. It is an
2375 integer value between 0 and 63. Networkd does not set any default,
2376 meaning the kernel default value of 32 is used.
2377
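Most [Bridge] keys fall back to the kernel's default when unset, so a port's effective behaviour is not visible from the file alone. The following added example (not part of systemd or of this manual page) reports which settings of a port file are left to the kernel or differ from an expected profile; the policy shown for a port facing untrusted hosts, the function names and the sample file are assumptions of the example.

```python
import configparser

# Boolean spellings accepted in systemd configuration files.
TRUE = {"1", "yes", "y", "true", "t", "on"}
FALSE = {"0", "no", "n", "false", "f", "off"}

# Hypothetical policy for a port facing untrusted hosts (an assumption of
# this example, not a recommendation made by the manual page).
UNTRUSTED_PORT_POLICY = {
    "Isolated": True,            # may only talk to non-isolated ports
    "UseBPDU": False,            # do not process STP BPDUs from this port
    "AllowPortToBeRoot": False,  # port must never become a root port
    "HairPin": False,            # never forward back out of the receiving port
    "ProxyARP": False,           # no proxy ARP on this port
}


def parse_bool(raw):
    """Return True/False for a boolean spelling, or None if it is not one."""
    value = raw.strip().lower()
    if value in TRUE:
        return True
    if value in FALSE:
        return False
    return None


def audit_bridge_port(text, policy=UNTRUSTED_PORT_POLICY):
    """Return {key: finding} for [Bridge] keys that are unset or off-policy."""
    parser = configparser.ConfigParser(
        strict=False,            # .network files may repeat sections and keys
        interpolation=None,      # '%' has no special meaning here
        allow_no_value=True,
        delimiters=("=",),
    )
    parser.optionxform = str     # keys are case-sensitive; keep them as written
    parser.read_string(text)
    section = parser["Bridge"] if parser.has_section("Bridge") else {}

    findings = {}
    for key, wanted in policy.items():
        raw = section.get(key)
        if raw is None or raw.strip() == "":
            # The manual page: "When unset, the kernel's default will be used."
            findings[key] = "unset: kernel default applies"
            continue
        got = parse_bool(raw)
        if got is None:
            findings[key] = f"not a boolean: {raw!r}"
        elif got != wanted:
            findings[key] = f"is {raw}, policy wants {'yes' if wanted else 'no'}"
    return findings


# Constructed sample port file.
SAMPLE = """\
[Match]
Name=vnet*

[Network]
Bridge=br0

[Bridge]
Isolated=yes
HairPin=true
UseBPDU=no
"""

if __name__ == "__main__":
    for key, finding in audit_bridge_port(SAMPLE).items():
        print(f"{key}= {finding}")
```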
2379 The [BridgeFDB] section manages the forwarding database table of a port
2380 and accepts the following keys. Specify several [BridgeFDB] sections to
2381 configure several static MAC table entries.
2382
2383 MACAddress=
2384 As in the [Network] section. This key is mandatory.
2385
2386 Destination=
2387 Takes an IP address of the destination VXLAN tunnel endpoint.
2388
2389 VLANId=
2390 The VLAN ID for the new static MAC table entry. If omitted, no VLAN
2391 ID information is appended to the new static MAC table entry.
2392
2393 VNI=
2394 The VXLAN Network Identifier (or VXLAN Segment ID) to use to
2395 connect to the remote VXLAN tunnel endpoint. Takes a number in the
2396 range 1...16777215. Defaults to unset.
2397
2398 AssociatedWith=
2399 Specifies what the address is associated with. Takes one of "use",
2400 "self", "master" or "router". "use" means the address is in use.
2401 User space can use this option to indicate to the kernel that the
2402 fdb entry is in use. "self" means the address is associated with
2403 the port driver's fdb, usually hardware. "master" means the address
2404 is associated with the master device's fdb. "router" means the
2405 destination address is associated with a router. Note that it's
2406 valid if the referenced device is a VXLAN type device and has route
2407 shortcircuit enabled. Defaults to "self".
2408
2409 OutgoingInterface=
2410 Specifies the name or index of the outgoing interface for the VXLAN
2411 device driver to reach the remote VXLAN tunnel endpoint. Defaults
2412 to unset.
2413
2415 The [BridgeMDB] section manages the multicast membership entries
2416 forwarding database table of a port and accepts the following keys.
2417 Specify several [BridgeMDB] sections to configure several permanent
2418 multicast membership entries.
2419
2420 MulticastGroupAddress=
2421 Specifies the IPv4 or IPv6 multicast group address to add. This
2422 setting is mandatory.
2423
2424 VLANId=
2425 The VLAN ID for the new entry. Valid ranges are 0 (no VLAN) to
2426 4094. Optional, defaults to 0.
2427
2429 The [LLDP] section manages the Link Layer Discovery Protocol (LLDP) and
2430 accepts the following keys:
2431
2432 MUDURL=
2433 When configured, the specified Manufacturer Usage Descriptions
2434 (MUD) URL will be sent in LLDP packets. The syntax and semantics
2435 are the same as for MUDURL= in the [DHCPv4] section described
2436 above.
2437
2438 The MUD URLs received via LLDP packets are saved and can be read
2439 using the sd_lldp_neighbor_get_mud_url() function.
2440
2442 The [CAN] section manages the Controller Area Network (CAN bus) and
2443 accepts the following keys:
2444
2445 BitRate=
2446 The bitrate of CAN device in bits per second. The usual SI prefixes
2447 (K, M) with the base of 1000 can be used here. Takes a number in
2448 the range 1...4294967295.
2449
2450 SamplePoint=
2451 Optional sample point in percent with one decimal (e.g. "75%",
2452 "87.5%") or permille (e.g. "875‰"). This will be ignored when
2453 BitRate= is unspecified.
2454
2455 TimeQuantaNSec=, PropagationSegment=, PhaseBufferSegment1=,
2456 PhaseBufferSegment2=, SyncJumpWidth=
2457 Specifies the time quanta, propagation segment, phase buffer
2458 segment 1 and 2, and the synchronization jump width, which allow
2459 one to define the CAN bit-timing in a hardware independent format
2460 as proposed by the Bosch CAN 2.0 Specification. TimeQuantaNSec=
2461 takes a timespan in nanoseconds. PropagationSegment=,
2462 PhaseBufferSegment1=, PhaseBufferSegment2=, and SyncJumpWidth= take
2463 the number of time quanta specified in TimeQuantaNSec= and must be an
2464 unsigned integer in the range 0...4294967295. These settings except
2465 for SyncJumpWidth= will be ignored when BitRate= is specified.
2466
2467 DataBitRate=, DataSamplePoint=
2468 The bitrate and sample point for the data phase, if CAN-FD is used.
2469 These settings are analogous to the BitRate= and SamplePoint= keys.
2470
2471 DataTimeQuantaNSec=, DataPropagationSegment=, DataPhaseBufferSegment1=,
2472 DataPhaseBufferSegment2=, DataSyncJumpWidth=
2473 Specifies the time quanta, propagation segment, phase buffer
2474 segment 1 and 2, and the synchronization jump width for the data
2475 phase, if CAN-FD is used. These settings are analogous to the
2476 TimeQuantaNSec= or related settings.
2477
2478 FDMode=
2479 Takes a boolean. When "yes", CAN-FD mode is enabled for the
2480 interface. Note that a bitrate and optional sample point should
2481 also be set for the CAN-FD data phase using the DataBitRate= and
2482 DataSamplePoint= keys, or DataTimeQuantaNSec= and related settings.
2483
2484 FDNonISO=
2485 Takes a boolean. When "yes", non-ISO CAN-FD mode is enabled for the
2486 interface. When unset, the kernel's default will be used.
2487
2488 RestartSec=
2489 Automatic restart delay time. If set to a non-zero value, a restart
2490 of the CAN controller will be triggered automatically in case of a
2491 bus-off condition after the specified delay time. Subsecond delays
2492 can be specified using decimals (e.g. "0.1s") or a "ms" or "us"
2493 postfix. Using "infinity" or "0" will turn the automatic restart
2494 off. By default automatic restart is disabled.
2495
2496 Termination=
2497 Takes a boolean or a termination resistor value in ohm in the range
2498 0...65535. When "yes", the termination resistor is set to 120 ohm.
2499 When "no" or "0" is set, the termination resistor is disabled. When
2500 unset, the kernel's default will be used.
2501
2502 TripleSampling=
2503 Takes a boolean. When "yes", three samples (instead of one) are
2504 used to determine the value of a received bit by majority rule.
2505 When unset, the kernel's default will be used.
2506
2507 BusErrorReporting=
2508 Takes a boolean. When "yes", reporting of CAN bus errors is
2509 activated (those include single bit, frame format, and bit stuffing
2510 errors, unable to send dominant bit, unable to send recessive bit,
2511 bus overload, active error announcement, error occurred on
2512 transmission). When unset, the kernel's default will be used. Note:
2513 in case of a CAN bus with a single CAN device, sending a CAN frame
2514 may result in a huge number of CAN bus errors.
2515
2516 ListenOnly=
2517 Takes a boolean. When "yes", listen-only mode is enabled. When the
2518 interface is in listen-only mode, the interface neither transmits
2519 CAN frames nor sends the ACK bit. Listen-only mode is important to
2520 debug CAN networks without interfering with the communication or
2521 acknowledging the CAN frame. When unset, the kernel's default will be
2522 used.
2523
2524 Loopback=
2525 Takes a boolean. When "yes", loopback mode is enabled. When the
2526 loopback mode is enabled, the interface treats messages transmitted
2527 by itself as received messages. The loopback mode is important to
2528 debug CAN networks. When unset, the kernel's default will be used.
2529
2530 OneShot=
2531 Takes a boolean. When "yes", one-shot mode is enabled. When unset,
2532 the kernel's default will be used.
2533
2534 PresumeAck=
2535 Takes a boolean. When "yes", the interface will ignore missing CAN
2536 ACKs. When unset, the kernel's default will be used.
2537
2538 ClassicDataLengthCode=
2539 Takes a boolean. When "yes", the interface will handle the 4-bit
2540 data length code (DLC). When unset, the kernel's default will be
2541 used.
2542
2544 The [IPoIB] section manages the IP over Infiniband and accepts the
2545 following keys:
2546
2547 Mode=
2548 Takes one of the special values "datagram" or "connected". Defaults
2549 to unset, and the kernel's default is used.
2550
2551 When "datagram", the Infiniband unreliable datagram (UD) transport
2552 is used, and so the interface MTU is equal to the IB L2 MTU minus
2553 the IPoIB encapsulation header (4 bytes). For example, in a typical
2554 IB fabric with a 2K MTU, the IPoIB MTU will be 2048 - 4 = 2044
2555 bytes.
2556
2557 When "connected", the Infiniband reliable connected (RC) transport
2558 is used. Connected mode takes advantage of the connected nature of
2559 the IB transport and allows an MTU up to the maximal IP packet size
2560 of 64K, which reduces the number of IP packets needed for handling
2561 large UDP datagrams, TCP segments, etc., and increases the
2562 performance for large messages.
2563
2564 IgnoreUserspaceMulticastGroup=
2565 Takes a boolean value. When true, the kernel ignores multicast
2566 groups handled by userspace. Defaults to unset, and the kernel's
2567 default is used.
2568
2570 The [QDisc] section manages the traffic control queueing discipline
2571 (qdisc).
2572
2573 Parent=
2574 Specifies the parent Queueing Discipline (qdisc). Takes one of
2575 "clsact" or "ingress". This is mandatory.
2576
2577 Handle=
2578 Configures the major number of unique identifier of the qdisc,
2579 known as the handle. Takes a hexadecimal number in the range
2580 0x1–0xffff. Defaults to unset.
2581
2583 The [NetworkEmulator] section manages the queueing discipline (qdisc)
2584 of the network emulator. It can be used to configure the kernel packet
2585 scheduler and simulate packet delay and loss for UDP or TCP
2586 applications, or limit the bandwidth usage of a particular service to
2587 simulate internet connections.
2588
2589 Parent=
2590 Configures the parent Queueing Discipline (qdisc). Takes one of
2591 "root", "clsact", "ingress" or a class identifier. The class
2592 identifier is specified as the major and minor numbers in
2593 hexadecimal in the range 0x1–0xffff separated with a colon
2594 ("major:minor"). Defaults to "root".
2595
2596 Handle=
2597 Configures the major number of unique identifier of the qdisc,
2598 known as the handle. Takes a hexadecimal number in the range
2599 0x1–0xffff. Defaults to unset.
2600
2601 DelaySec=
2602 Specifies the fixed amount of delay to be added to all packets
2603 going out of the interface. Defaults to unset.
2604
2605 DelayJitterSec=
2606 Specifies the chosen delay to be added to the packets outgoing to
2607 the network interface. Defaults to unset.
2608
2609 PacketLimit=
2610 Specifies the maximum number of packets the qdisc may hold queued
2611 at a time. An unsigned integer in the range 0...4294967294.
2612 Defaults to 1000.
2613
2614 LossRate=
2615 Specifies an independent loss probability to be added to the
2616 packets outgoing from the network interface. Takes a percentage
2617 value, suffixed with "%". Defaults to unset.
2618
2619 DuplicateRate=
2620 Specifies that the chosen percent of packets is duplicated before
2621 queuing them. Takes a percentage value, suffixed with "%". Defaults
2622 to unset.
2623
2625 The [TokenBucketFilter] section manages the queueing discipline (qdisc)
2626 of token bucket filter (tbf).
2627
2628 Parent=
2629 Configures the parent Queueing Discipline (qdisc). Takes one of
2630 "root", "clsact", "ingress" or a class identifier. The class
2631 identifier is specified as the major and minor numbers in
2632 hexadecimal in the range 0x1–0xffff separated with a colon
2633 ("major:minor"). Defaults to "root".
2634
2635 Handle=
2636 Configures the major number of unique identifier of the qdisc,
2637 known as the handle. Takes a hexadecimal number in the range
2638 0x1–0xffff. Defaults to unset.
2639
2640 LatencySec=
2641 Specifies the latency parameter, which specifies the maximum amount
2642 of time a packet can sit in the Token Bucket Filter (TBF). Defaults
2643 to unset.
2644
2645 LimitBytes=
2646 Takes the number of bytes that can be queued waiting for tokens to
2647 become available. When the size is suffixed with K, M, or G, it is
2648 parsed as Kilobytes, Megabytes, or Gigabytes, respectively, to the
2649 base of 1024. Defaults to unset.
2650
2651 BurstBytes=
2652 Specifies the size of the bucket. This is the maximum number of
2653 bytes for which tokens can be available for instantaneous transfer. When
2654 the size is suffixed with K, M, or G, it is parsed as Kilobytes,
2655 Megabytes, or Gigabytes, respectively, to the base of 1024.
2656 Defaults to unset.
2657
2658 Rate=
2659 Specifies the device specific bandwidth. When suffixed with K, M,
2660 or G, the specified bandwidth is parsed as Kilobits, Megabits, or
2661 Gigabits, respectively, to the base of 1000. Defaults to unset.
2662
2663 MPUBytes=
2664 The Minimum Packet Unit (MPU) determines the minimal token usage
2665 (specified in bytes) for a packet. When suffixed with K, M, or G,
2666 the specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
2667 respectively, to the base of 1024. Defaults to zero.
2668
2669 PeakRate=
2670 Takes the maximum depletion rate of the bucket. When suffixed with
2671 K, M, or G, the specified size is parsed as Kilobits, Megabits, or
2672 Gigabits, respectively, to the base of 1000. Defaults to unset.
2673
2674 MTUBytes=
2675 Specifies the size of the peakrate bucket. When suffixed with K, M,
2676 or G, the specified size is parsed as Kilobytes, Megabytes, or
2677 Gigabytes, respectively, to the base of 1024. Defaults to unset.
2678
2680 The [PIE] section manages the queueing discipline (qdisc) of
2681 Proportional Integral controller-Enhanced (PIE).
2682
2683 Parent=
2684 Configures the parent Queueing Discipline (qdisc). Takes one of
2685 "root", "clsact", "ingress" or a class identifier. The class
2686 identifier is specified as the major and minor numbers in
2687 hexadecimal in the range 0x1–0xffff separated with a colon
2688 ("major:minor"). Defaults to "root".
2689
2690 Handle=
2691 Configures the major number of unique identifier of the qdisc,
2692 known as the handle. Takes a hexadecimal number in the range
2693 0x1–0xffff. Defaults to unset.
2694
2695 PacketLimit=
2696 Specifies the hard limit on the queue size in number of packets.
2697 When this limit is reached, incoming packets are dropped. An
2698 unsigned integer in the range 1...4294967294. Defaults to unset and
2699 kernel's default is used.
2700
2702 The "[FlowQueuePIE]" section manages the queueing discipline (qdisc) of
2703 Flow Queue Proportional Integral controller-Enhanced (fq_pie).
2704
2705 Parent=
2706 Configures the parent Queueing Discipline (qdisc). Takes one of
2707 "root", "clsact", "ingress" or a class identifier. The class
2708 identifier is specified as the major and minor numbers in
2709 hexadecimal in the range 0x1–0xffff separated with a colon
2710 ("major:minor"). Defaults to "root".
2711
2712 Handle=
2713 Configures the major number of unique identifier of the qdisc,
2714 known as the handle. Takes a hexadecimal number in the range
2715 0x1–0xffff. Defaults to unset.
2716
2717 PacketLimit=
2718 Specifies the hard limit on the queue size in number of packets.
2719 When this limit is reached, incoming packets are dropped. An
2720 unsigned integer in the range 1...4294967294. Defaults to unset and
2721 kernel's default is used.
2722
2724 The [StochasticFairBlue] section manages the queueing discipline
2725 (qdisc) of stochastic fair blue (sfb).
2726
2727 Parent=
2728 Configures the parent Queueing Discipline (qdisc). Takes one of
2729 "root", "clsact", "ingress" or a class identifier. The class
2730 identifier is specified as the major and minor numbers in
2731 hexadecimal in the range 0x1–0xffff separated with a colon
2732 ("major:minor"). Defaults to "root".
2733
2734 Handle=
2735 Configures the major number of unique identifier of the qdisc,
2736 known as the handle. Takes a hexadecimal number in the range
2737 0x1–0xffff. Defaults to unset.
2738
2739 PacketLimit=
2740 Specifies the hard limit on the queue size in number of packets.
2741 When this limit is reached, incoming packets are dropped. An
2742 unsigned integer in the range 0...4294967294. Defaults to unset and
2743 kernel's default is used.
2744
2746 The [StochasticFairnessQueueing] section manages the queueing
2747 discipline (qdisc) of stochastic fairness queueing (sfq).
2748
2749 Parent=
2750 Configures the parent Queueing Discipline (qdisc). Takes one of
2751 "root", "clsact", "ingress" or a class identifier. The class
2752 identifier is specified as the major and minor numbers in
2753 hexadecimal in the range 0x1–0xffff separated with a colon
2754 ("major:minor"). Defaults to "root".
2755
2756 Handle=
2757 Configures the major number of the unique identifier of the qdisc,
2758 known as the handle. Takes a hexadecimal number in the range
2759 0x1–0xffff. Defaults to unset.
2760
2761 PerturbPeriodSec=
2762 Specifies the interval in seconds for queue algorithm perturbation.
2763 Defaults to unset.
2764
2766 The [BFIFO] section manages the queueing discipline (qdisc) of Byte
2767 limited Packet First In First Out (bfifo).
2768
2769 Parent=
2770 Configures the parent Queueing Discipline (qdisc). Takes one of
2771 "root", "clsact", "ingress" or a class identifier. The class
2772 identifier is specified as the major and minor numbers in
2773 hexadecimal in the range 0x1–0xffff separated with a colon
2774 ("major:minor"). Defaults to "root".
2775
2776 Handle=
2777 Configures the major number of the unique identifier of the qdisc,
2778 known as the handle. Takes a hexadecimal number in the range
2779 0x1–0xffff. Defaults to unset.
2780
2781 LimitBytes=
2782 Specifies the hard limit in bytes on the FIFO buffer size. The size
2783 limit prevents overflow in case the kernel is unable to dequeue
2784 packets as quickly as it receives them. When this limit is reached,
2785 incoming packets are dropped. When suffixed with K, M, or G, the
2786 specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
2787 respectively, to the base of 1024. Defaults to unset and kernel
2788 default is used.
2789
2791 The [PFIFO] section manages the queueing discipline (qdisc) of Packet
2792 First In First Out (pfifo).
2793
2794 Parent=
2795 Configures the parent Queueing Discipline (qdisc). Takes one of
2796 "root", "clsact", "ingress" or a class identifier. The class
2797 identifier is specified as the major and minor numbers in
2798 hexadecimal in the range 0x1–0xffff separated with a colon
2799 ("major:minor"). Defaults to "root".
2800
2801 Handle=
2802 Configures the major number of the unique identifier of the qdisc,
2803 known as the handle. Takes a hexadecimal number in the range
2804 0x1–0xffff. Defaults to unset.
2805
2806 PacketLimit=
2807 Specifies the hard limit on the number of packets in the FIFO
2808 queue. The size limit prevents overflow in case the kernel is
2809 unable to dequeue packets as quickly as it receives them. When this
2810 limit is reached, incoming packets are dropped. An unsigned integer
2811 in the range 0...4294967294. Defaults to unset and kernel's default
2812 is used.
2813
2815 The [PFIFOHeadDrop] section manages the queueing discipline (qdisc) of
2816 Packet First In First Out Head Drop (pfifo_head_drop).
2817
2818 Parent=
2819 Configures the parent Queueing Discipline (qdisc). Takes one of
2820 "root", "clsact", "ingress" or a class identifier. The class
2821 identifier is specified as the major and minor numbers in
2822 hexadecimal in the range 0x1–0xffff separated with a colon
2823 ("major:minor"). Defaults to "root".
2824
2825 Handle=
2826 Configures the major number of the unique identifier of the qdisc,
2827 known as the handle. Takes a hexadecimal number in the range
2828 0x1–0xffff. Defaults to unset.
2829
2830 PacketLimit=
2831 As in [PFIFO] section.
2832
2834 The [PFIFOFast] section manages the queueing discipline (qdisc) of
2835 Packet First In First Out Fast (pfifo_fast).
2836
2837 Parent=
2838 Configures the parent Queueing Discipline (qdisc). Takes one of
2839 "root", "clsact", "ingress" or a class identifier. The class
2840 identifier is specified as the major and minor numbers in
2841 hexadecimal in the range 0x1–0xffff separated with a colon
2842 ("major:minor"). Defaults to "root".
2843
2844 Handle=
2845 Configures the major number of the unique identifier of the qdisc,
2846 known as the handle. Takes a hexadecimal number in the range
2847 0x1–0xffff. Defaults to unset.
2848
2850 The [CAKE] section manages the queueing discipline (qdisc) of Common
2851 Applications Kept Enhanced (CAKE).
2852
2853 Parent=
2854 Configures the parent Queueing Discipline (qdisc). Takes one of
2855 "root", "clsact", "ingress" or a class identifier. The class
2856 identifier is specified as the major and minor numbers in
2857 hexadecimal in the range 0x1–0xffff separated with a colon
2858 ("major:minor"). Defaults to "root".
2859
2860 Handle=
2861 Configures the major number of the unique identifier of the qdisc,
2862 known as the handle. Takes a hexadecimal number in the range
2863 0x1–0xffff. Defaults to unset.
2864
2865 Bandwidth=
2866 Specifies the shaper bandwidth. When suffixed with K, M, or G, the
2867 specified size is parsed as Kilobits, Megabits, or Gigabits,
2868 respectively, to the base of 1000. Defaults to unset and kernel's
2869 default is used.
2870
2871 AutoRateIngress=
2872 Takes a boolean value. Enables automatic capacity estimation based
2873 on traffic arriving at this qdisc. This is most likely to be useful
2874 with cellular links, which tend to change quality randomly. If this
2875 setting is enabled, the Bandwidth= setting is used as an initial
2876 estimate. Defaults to unset, and the kernel's default is used.
2877
2878 OverheadBytes=
2879 Specifies the number of bytes to be added to the size of each packet.
2880 Bytes may be negative. Takes an integer in the range -64...256.
2881 Defaults to unset and kernel's default is used.
2882
2883 MPUBytes=
2884 Rounds each packet (including overhead) up to the specified bytes.
2885 Takes an integer in the range 1...256. Defaults to unset and
2886 kernel's default is used.
2887
2888 CompensationMode=
2889 Takes one of "none", "atm", or "ptm". Specifies the compensation
2890 mode for overhead calculation. When "none", no compensation is
2891 taken into account. When "atm", enables the compensation for ATM
2892 cell framing, which is normally found on ADSL links. When "ptm",
2893 enables the compensation for PTM encoding, which is normally found
2894 on VDSL2 links and uses a 64b/65b encoding scheme. Defaults to
2895 unset and the kernel's default is used.
2896
2897 UseRawPacketSize=
2898 Takes a boolean value. When true, the packet size reported by the
2899 Linux kernel will be used, instead of the underlying IP packet
2900 size. Defaults to unset, and the kernel's default is used.
2901
2902 FlowIsolationMode=
2903 CAKE places packets from different flows into different queues,
2904 then packets from each queue are delivered fairly. This specifies
2905 whether the fairness is based on source address, destination
2906 address, individual flows, or any combination of those. The
2907 available values are:
2908
2909 none
2910 The flow isolation is disabled, and all traffic passes through
2911 a single queue.
2912
2913 src-host
2914 Flows are defined only by source address. Equivalent to the
2915 "srchost" option for tc qdisc command. See also tc-cake(8).
2916
2917 dst-host
2918 Flows are defined only by destination address. Equivalent to
2919 the "dsthost" option for tc qdisc command. See also tc-cake(8).
2920
2921 hosts
2922 Flows are defined by source-destination host pairs. Equivalent
2923 to the same option for tc qdisc command. See also tc-cake(8).
2924
2925 flows
2926 Flows are defined by the entire 5-tuple of source address,
2927 destination address, transport protocol, source port and
2928 destination port. Equivalent to the same option for tc qdisc
2929 command. See also tc-cake(8).
2930
2931 dual-src-host
2932 Flows are defined by the 5-tuple (see "flows" in the above),
2933 and fairness is applied first over source addresses, then over
2934 individual flows. Equivalent to the "dual-srchost" option for
2935 tc qdisc command. See also tc-cake(8).
2936
2937 dual-dst-host
2938 Flows are defined by the 5-tuple (see "flows" in the above),
2939 and fairness is applied first over destination addresses, then
2940 over individual flows. Equivalent to the "dual-dsthost" option
2941 for tc qdisc command. See also tc-cake(8).
2942
2943 triple
2944 Flows are defined by the 5-tuple (see "flows"), and fairness is
2945 applied over source and destination addresses, and also over
2946 individual flows. Equivalent to the "triple-isolate" option for
2947 tc qdisc command. See also tc-cake(8).
2948
2949 Defaults to unset and the kernel's default is used.
2950
2951 NAT=
2952 Takes a boolean value. When true, CAKE performs a NAT lookup before
2953 applying flow-isolation rules, to determine the true addresses and
2954 port numbers of the packet, to improve fairness between hosts
2955 inside the NAT. This has no practical effect when
2956 FlowIsolationMode= is "none" or "flows", or if NAT is performed on
2957 a different host. Defaults to unset, and the kernel's default is
2958 used.
2959
2960 PriorityQueueingPreset=
2961 CAKE divides traffic into "tins", and each tin has its own
2962 independent set of flow-isolation queues, bandwidth threshold, and
2963 priority. This specifies the preset of tin profiles. The available
2964 values are:
2965
2966 besteffort
2967 Disables priority queueing by placing all traffic in one tin.
2968
2969 precedence
2970 Enables priority queueing based on the legacy interpretation of
2971 TOS "Precedence" field. Use of this preset on the modern
2972 Internet is firmly discouraged.
2973
2974 diffserv8
2975 Enables priority queueing based on the Differentiated Service
2976 ("DiffServ") field with eight tins: Background Traffic, High
2977 Throughput, Best Effort, Video Streaming, Low Latency
2978 Transactions, Interactive Shell, Minimum Latency, and Network
2979 Control.
2980
2981 diffserv4
2982 Enables priority queueing based on the Differentiated Service
2983 ("DiffServ") field with four tins: Background Traffic, Best
2984 Effort, Streaming Media, and Latency Sensitive.
2985
2986 diffserv3
2987 Enables priority queueing based on the Differentiated Service
2988 ("DiffServ") field with three tins: Background Traffic, Best
2989 Effort, and Latency Sensitive.
2990
2991 Defaults to unset, and the kernel's default is used.
2992
2993 FirewallMark=
2994 Takes an integer in the range 1...4294967295. When specified,
2995 firewall-mark-based overriding of CAKE's tin selection is enabled.
2996 Defaults to unset, and the kernel's default is used.
2997
2998 Wash=
2999 Takes a boolean value. When true, CAKE clears the DSCP fields,
3000 except for ECN bits, of any packet passing through CAKE. Defaults
3001 to unset, and the kernel's default is used.
3002
3003 SplitGSO=
3004 Takes a boolean value. When true, CAKE will split General
3005 Segmentation Offload (GSO) super-packets into their on-the-wire
3006 components and dequeue them individually. Defaults to unset, and
3007 the kernel's default is used.
3008
3009 RTTSec=
3010 Specifies the RTT for the filter. Takes a timespan. Typical values
3011 are e.g. 100us for extremely high-performance 10GigE+ networks like
3012 datacentre, 1ms for non-WiFi LAN connections, 100ms for typical
3013 internet connections. Defaults to unset, and the kernel's default
3014 will be used.
3015
3016 AckFilter=
3017 Takes a boolean value, or special value "aggressive". If enabled,
3018 ACKs in each flow are queued and redundant ACKs to the upstream are
3019 dropped. If yes, the filter will always keep at least two redundant
3020 ACKs in the queue, while in "aggressive" mode, it will filter down
3021 to a single ACK. This may improve download throughput on links with
3022 very asymmetrical rate limits. Defaults to unset, and the kernel's
3023 default will be used.
3024
3026 The [ControlledDelay] section manages the queueing discipline (qdisc)
3027 of controlled delay (CoDel).
3028
3029 Parent=
3030 Configures the parent Queueing Discipline (qdisc). Takes one of
3031 "root", "clsact", "ingress" or a class identifier. The class
3032 identifier is specified as the major and minor numbers in
3033 hexadecimal in the range 0x1–0xffff separated with a colon
3034 ("major:minor"). Defaults to "root".
3035
3036 Handle=
3037 Configures the major number of the unique identifier of the qdisc,
3038 known as the handle. Takes a hexadecimal number in the range
3039 0x1–0xffff. Defaults to unset.
3040
3041 PacketLimit=
3042 Specifies the hard limit on the queue size in number of packets.
3043 When this limit is reached, incoming packets are dropped. An
3044 unsigned integer in the range 0...4294967294. Defaults to unset and
3045 kernel's default is used.
3046
3047 TargetSec=
3048 Takes a timespan. Specifies the acceptable minimum
3049 standing/persistent queue delay. Defaults to unset and kernel's
3050 default is used.
3051
3052 IntervalSec=
3053 Takes a timespan. This is used to ensure that the measured minimum
3054 delay does not become too stale. Defaults to unset and kernel's
3055 default is used.
3056
3057 ECN=
3058 Takes a boolean. This can be used to mark packets instead of
3059 dropping them. Defaults to unset and kernel's default is used.
3060
3061 CEThresholdSec=
3062 Takes a timespan. This sets a threshold above which all packets are
3063 marked with ECN Congestion Experienced (CE). Defaults to unset and
3064 kernel's default is used.
3065
3067 The [DeficitRoundRobinScheduler] section manages the queueing
3068 discipline (qdisc) of Deficit Round Robin Scheduler (DRR).
3069
3070 Parent=
3071 Configures the parent Queueing Discipline (qdisc). Takes one of
3072 "root", "clsact", "ingress" or a class identifier. The class
3073 identifier is specified as the major and minor numbers in
3074 hexadecimal in the range 0x1–0xffff separated with a colon
3075 ("major:minor"). Defaults to "root".
3076
3077 Handle=
3078 Configures the major number of the unique identifier of the qdisc,
3079 known as the handle. Takes a hexadecimal number in the range
3080 0x1–0xffff. Defaults to unset.
3081
3083 The [DeficitRoundRobinSchedulerClass] section manages the traffic
3084 control class of Deficit Round Robin Scheduler (DRR).
3085
3086 Parent=
3087 Configures the parent Queueing Discipline (qdisc). Takes either
3088 "root" or a qdisc identifier. The qdisc identifier is specified as
3089 the major and minor numbers in hexadecimal in the range 0x1–0xffff
3090 separated with a colon ("major:minor"). Defaults to "root".
3091
3092 ClassId=
3093 Configures the unique identifier of the class. It is specified as
3094 the major and minor numbers in hexadecimal in the range 0x1–0xffff
3095 separated with a colon ("major:minor"). Defaults to unset.
3096
3097 QuantumBytes=
3098 Specifies the amount of bytes a flow is allowed to dequeue before
3099 the scheduler moves to the next class. When suffixed with K, M, or
3100 G, the specified size is parsed as Kilobytes, Megabytes, or
3101 Gigabytes, respectively, to the base of 1024. Defaults to the MTU
3102 of the interface.
3103
3105 The [EnhancedTransmissionSelection] section manages the queueing
3106 discipline (qdisc) of Enhanced Transmission Selection (ETS).
3107
3108 Parent=
3109 Configures the parent Queueing Discipline (qdisc). Takes one of
3110 "root", "clsact", "ingress" or a class identifier. The class
3111 identifier is specified as the major and minor numbers in
3112 hexadecimal in the range 0x1–0xffff separated with a colon
3113 ("major:minor"). Defaults to "root".
3114
3115 Handle=
3116 Configures the major number of the unique identifier of the qdisc,
3117 known as the handle. Takes a hexadecimal number in the range
3118 0x1–0xffff. Defaults to unset.
3119
3120 Bands=
3121 Specifies the number of bands. An unsigned integer in the range
3122 1...16. This value has to be at least large enough to cover the
3123 strict bands specified through the StrictBands= and
3124 bandwidth-sharing bands specified in QuantumBytes=.
3125
3126 StrictBands=
3127 Specifies the number of bands that should be created in strict
3128 mode. An unsigned integer in the range 1...16.
3129
3130 QuantumBytes=
3131 Specifies the white-space separated list of quantum used in
3132 band-sharing bands. When suffixed with K, M, or G, the specified
3133 size is parsed as Kilobytes, Megabytes, or Gigabytes, respectively,
3134 to the base of 1024. This setting can be specified multiple times.
3135 If an empty string is assigned, then all previous assignments
3136 are cleared.
3137
3138 PriorityMap=
3139 The priority map maps the priority of a packet to a band. The
3140 argument is a whitespace separated list of numbers. The first
3141 number indicates which band the packets with priority 0 should be
3142 put to, the second is for priority 1, and so on. There can be up to
3143 16 numbers in the list. If there are fewer, the default band that
3144 traffic with one of the unmentioned priorities goes to is the last
3145 one. Each band number must be in the range 0...255. This setting
3146 can be specified multiple times. If an empty string is assigned,
3147 then all previous assignments are cleared.
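
The Bands=, StrictBands=, QuantumBytes= and PriorityMap= rules above interact, so a reviewer usually wants them resolved together. The following is an added example, not part of the original manual or of systemd: resolve_ets(), parse_bytes() and the sample settings are constructed for illustration, sizes are limited to whole numbers, and band numbers are assumed to be zero-based as in tc-ets(8).

```python
SIZE_SUFFIX = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}  # base 1024, per this page


def parse_bytes(token):
    """Parse a byte count with an optional K/M/G suffix (whole numbers only here)."""
    factor = SIZE_SUFFIX.get(token[-1:], 1)
    digits = token[:-1] if factor != 1 else token
    if not digits.isdigit():
        raise ValueError(f"bad size {token!r}")
    return int(digits) * factor


def resolve_ets(settings):
    """settings: (key, value) pairs, in file order, from one
    [EnhancedTransmissionSelection] section."""
    bands = strict = None
    quanta, prio_map, problems = [], [], []
    for key, value in settings:
        try:
            if key == "Bands":
                bands = int(value)
            elif key == "StrictBands":
                strict = int(value)
            elif key == "QuantumBytes":
                # Repeated assignments accumulate; an empty value clears them.
                if value == "":
                    quanta = []
                else:
                    quanta = quanta + [parse_bytes(t) for t in value.split()]
            elif key == "PriorityMap":
                if value == "":
                    prio_map = []
                else:
                    prio_map = prio_map + [int(t) for t in value.split()]
        except ValueError as exc:
            problems.append(f"{key}={value}: {exc}")

    for name, number in (("Bands", bands), ("StrictBands", strict)):
        if number is not None and not 1 <= number <= 16:
            problems.append(f"{name}={number} is outside 1...16")

    # Bands= must cover the strict bands plus one band per listed quantum.
    needed = (strict or 0) + len(quanta)
    if bands is not None and bands < needed:
        problems.append(f"Bands={bands} cannot cover {needed} configured bands")

    if len(prio_map) > 16:
        problems.append(f"PriorityMap has {len(prio_map)} entries, at most 16 allowed")
    for band in prio_map:
        if not 0 <= band <= 255:
            problems.append(f"PriorityMap band {band} is outside 0...255")

    # Unmentioned priorities go to the last band (assumed index: Bands - 1).
    full_map = None
    if bands is not None and len(prio_map) <= 16:
        full_map = prio_map + [bands - 1] * (16 - len(prio_map))

    return {"bands": bands, "strict": strict, "quanta": quanta,
            "priority_to_band": full_map, "problems": problems}


# Constructed sample settings, not taken from a real host.
GOOD = [("Bands", "4"), ("StrictBands", "2"), ("QuantumBytes", "3000 2K"),
        ("PriorityMap", "0 1 2"), ("PriorityMap", "3 3")]
BAD = [("Bands", "3"), ("StrictBands", "2"), ("QuantumBytes", "1500"),
       ("QuantumBytes", ""), ("QuantumBytes", "1K 1K"), ("PriorityMap", "0 300")]

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD)):
        print(label, resolve_ets(sample))
```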
3148
3150 The [GenericRandomEarlyDetection] section manages the queueing
3151 discipline (qdisc) of Generic Random Early Detection (GRED).
3152
3153 Parent=
3154 Configures the parent Queueing Discipline (qdisc). Takes one of
3155 "root", "clsact", "ingress" or a class identifier. The class
3156 identifier is specified as the major and minor numbers in
3157 hexadecimal in the range 0x1–0xffff separated with a colon
3158 ("major:minor"). Defaults to "root".
3159
3160 Handle=
3161 Configures the major number of the unique identifier of the qdisc,
3162 known as the handle. Takes a hexadecimal number in the range
3163 0x1–0xffff. Defaults to unset.
3164
3165 VirtualQueues=
3166 Specifies the number of virtual queues. Takes an integer in the
3167 range 1...16. Defaults to unset and kernel's default is used.
3168
3169 DefaultVirtualQueue=
3170 Specifies the number of the default virtual queue. This must be less
3171 than VirtualQueues=. Defaults to unset and kernel's default is used.
3172
3173 GenericRIO=
3174 Takes a boolean. It turns on the RIO-like buffering scheme.
3175 Defaults to unset and kernel's default is used.
3176
3178 The [FairQueueingControlledDelay] section manages the queueing
3179 discipline (qdisc) of fair queuing controlled delay (FQ-CoDel).
3180
3181 Parent=
3182 Configures the parent Queueing Discipline (qdisc). Takes one of
3183 "root", "clsact", "ingress" or a class identifier. The class
3184 identifier is specified as the major and minor numbers in
3185 hexadecimal in the range 0x1–0xffff separated with a colon
3186 ("major:minor"). Defaults to "root".
3187
3188 Handle=
3189 Configures the major number of the unique identifier of the qdisc,
3190 known as the handle. Takes a hexadecimal number in the range
3191 0x1–0xffff. Defaults to unset.
3192
3193 PacketLimit=
3194 Specifies the hard limit on the real queue size. When this limit is
3195 reached, incoming packets are dropped. Defaults to unset and
3196 kernel's default is used.
3197
3198 MemoryLimitBytes=
3199 Specifies the limit on the total number of bytes that can be queued
3200 in this FQ-CoDel instance. When suffixed with K, M, or G, the
3201 specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
3202 respectively, to the base of 1024. Defaults to unset and kernel's
3203 default is used.
3204
3205 Flows=
3206 Specifies the number of flows into which the incoming packets are
3207 classified. Defaults to unset and kernel's default is used.
3208
3209 TargetSec=
3210 Takes a timespan. Specifies the acceptable minimum
3211 standing/persistent queue delay. Defaults to unset and kernel's
3212 default is used.
3213
3214 IntervalSec=
3215 Takes a timespan. This is used to ensure that the measured minimum
3216 delay does not become too stale. Defaults to unset and kernel's
3217 default is used.
3218
3219 QuantumBytes=
3220 Specifies the number of bytes used as the "deficit" in the fair
3221 queuing algorithm timespan. When suffixed with K, M, or G, the
3222 specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
3223 respectively, to the base of 1024. Defaults to unset and kernel's
3224 default is used.
3225
3226 ECN=
3227 Takes a boolean. This can be used to mark packets instead of
3228 dropping them. Defaults to unset and kernel's default is used.
3229
3230 CEThresholdSec=
3231 Takes a timespan. This sets a threshold above which all packets are
3232 marked with ECN Congestion Experienced (CE). Defaults to unset and
3233 kernel's default is used.
3234
3236 The [FairQueueing] section manages the queueing discipline (qdisc) of
3237 fair queue traffic policing (FQ).
3238
3239 Parent=
3240 Configures the parent Queueing Discipline (qdisc). Takes one of
3241 "root", "clsact", "ingress" or a class identifier. The class
3242 identifier is specified as the major and minor numbers in
3243 hexadecimal in the range 0x1–0xffff separated with a colon
3244 ("major:minor"). Defaults to "root".
3245
3246 Handle=
3247 Configures the major number of the unique identifier of the qdisc,
3248 known as the handle. Takes a hexadecimal number in the range
3249 0x1–0xffff. Defaults to unset.
3250
3251 PacketLimit=
3252 Specifies the hard limit on the real queue size. When this limit is
3253 reached, incoming packets are dropped. Defaults to unset and
3254 kernel's default is used.
3255
3256 FlowLimit=
3257 Specifies the hard limit on the maximum number of packets queued
3258 per flow. Defaults to unset and kernel's default is used.
3259
3260 QuantumBytes=
3261 Specifies the credit per dequeue RR round, i.e. the amount of bytes
3262 a flow is allowed to dequeue at once. When suffixed with K, M, or
3263 G, the specified size is parsed as Kilobytes, Megabytes, or
3264 Gigabytes, respectively, to the base of 1024. Defaults to unset and
3265 kernel's default is used.
3266
3267 InitialQuantumBytes=
3268 Specifies the initial sending rate credit, i.e. the amount of bytes
3269 a new flow is allowed to dequeue initially. When suffixed with K,
3270 M, or G, the specified size is parsed as Kilobytes, Megabytes, or
3271 Gigabytes, respectively, to the base of 1024. Defaults to unset and
3272 kernel's default is used.
3273
3274 MaximumRate=
3275 Specifies the maximum sending rate of a flow. When suffixed with K,
3276 M, or G, the specified size is parsed as Kilobits, Megabits, or
3277 Gigabits, respectively, to the base of 1000. Defaults to unset and
3278 kernel's default is used.
3279
3280 Buckets=
3281 Specifies the size of the hash table used for flow lookups.
3282 Defaults to unset and kernel's default is used.
3283
3284 OrphanMask=
3285 Takes an unsigned integer. For packets not owned by a socket, fq is
3286 able to mask a part of hash and reduce number of buckets associated
3287 with the traffic. Defaults to unset and kernel's default is used.
3288
3289 Pacing=
3290 Takes a boolean, and enables or disables flow pacing. Defaults to
3291 unset and kernel's default is used.
3292
3293 CEThresholdSec=
3294 Takes a timespan. This sets a threshold above which all packets are
3295 marked with ECN Congestion Experienced (CE). Defaults to unset and
3296 kernel's default is used.
3297
3299 The [TrivialLinkEqualizer] section manages the queueing discipline
3300 (qdisc) of trivial link equalizer (teql).
3301
3302 Parent=
3303 Configures the parent Queueing Discipline (qdisc). Takes one of
3304 "root", "clsact", "ingress" or a class identifier. The class
3305 identifier is specified as the major and minor numbers in
3306 hexadecimal in the range 0x1–0xffff separated with a colon
3307 ("major:minor"). Defaults to "root".
3308
3309 Handle=
3310 Configures the major number of the unique identifier of the qdisc,
3311 known as the handle. Takes a hexadecimal number in the range
3312 0x1–0xffff. Defaults to unset.
3313
3314 Id=
3315 Specifies the interface ID "N" of teql. Defaults to "0". Note that
3316 when teql is used, currently, the module sch_teql with
3317 max_equalizers=N+1 option must be loaded before systemd-networkd is
3318 started.
3319
3321 The [HierarchyTokenBucket] section manages the queueing discipline
3322 (qdisc) of hierarchy token bucket (htb).
3323
3324 Parent=
3325 Configures the parent Queueing Discipline (qdisc). Takes one of
3326 "root", "clsact", "ingress" or a class identifier. The class
3327 identifier is specified as the major and minor numbers in
3328 hexadecimal in the range 0x1–0xffff separated with a colon
3329 ("major:minor"). Defaults to "root".
3330
3331 Handle=
3332 Configures the major number of the unique identifier of the qdisc,
3333 known as the handle. Takes a hexadecimal number in the range
3334 0x1–0xffff. Defaults to unset.
3335
3336 DefaultClass=
3337 Takes the minor id in hexadecimal of the default class.
3338 Unclassified traffic gets sent to the class. Defaults to unset.
3339
3340 RateToQuantum=
3341 Takes an unsigned integer. The DRR quantums are calculated by
3342 dividing the value configured in Rate= by RateToQuantum=.
3343
3345 The [HierarchyTokenBucketClass] section manages the traffic control
3346 class of hierarchy token bucket (htb).
3347
3348 Parent=
3349 Configures the parent Queueing Discipline (qdisc). Takes either
3350 "root" or a qdisc identifier. The qdisc identifier is specified as
3351 the major and minor numbers in hexadecimal in the range 0x1–0xffff
3352 separated with a colon ("major:minor"). Defaults to "root".
3353
3354 ClassId=
3355 Configures the unique identifier of the class. It is specified as
3356 the major and minor numbers in hexadecimal in the range 0x1–0xffff
3357 separated with a colon ("major:minor"). Defaults to unset.
3358
3359 Priority=
3360 Specifies the priority of the class. In the round-robin process,
3361 classes with the lowest priority field are tried for packets first.
3362
3363 QuantumBytes=
3364 Specifies how many bytes to serve from leaf at once. When suffixed
3365 with K, M, or G, the specified size is parsed as Kilobytes,
3366 Megabytes, or Gigabytes, respectively, to the base of 1024.
3367
3368 MTUBytes=
3369 Specifies the maximum packet size we create. When suffixed with K,
3370 M, or G, the specified size is parsed as Kilobytes, Megabytes, or
3371 Gigabytes, respectively, to the base of 1024.
3372
3373 OverheadBytes=
3374 Takes an unsigned integer which specifies per-packet size overhead
3375 used in rate computations. When suffixed with K, M, or G, the
3376 specified size is parsed as Kilobytes, Megabytes, or Gigabytes,
3377 respectively, to the base of 1024.
3378
3379 Rate=
3380 Specifies the maximum rate this class and all its children are
3381 guaranteed. When suffixed with K, M, or G, the specified size is
3382 parsed as Kilobits, Megabits, or Gigabits, respectively, to the
3383 base of 1000. This setting is mandatory.
3384
3385 CeilRate=
3386 Specifies the maximum rate at which a class can send, if its parent
3387 has bandwidth to spare. When suffixed with K, M, or G, the
3388 specified size is parsed as Kilobits, Megabits, or Gigabits,
3389 respectively, to the base of 1000. When unset, the value specified
3390 with Rate= is used.
3391
3392 BufferBytes=
3393 Specifies the maximum bytes burst which can be accumulated during
3394 idle period. When suffixed with K, M, or G, the specified size is
3395 parsed as Kilobytes, Megabytes, or Gigabytes, respectively, to the
3396 base of 1024.
3397
3398 CeilBufferBytes=
3399 Specifies the maximum bytes burst for ceil which can be accumulated
3400 during idle period. When suffixed with K, M, or G, the specified
3401 size is parsed as Kilobytes, Megabytes, or Gigabytes, respectively,
3402 to the base of 1024.
3403
3405 The [HeavyHitterFilter] section manages the queueing discipline (qdisc)
3406 of Heavy Hitter Filter (hhf).
3407
3408 Parent=
3409 Configures the parent Queueing Discipline (qdisc). Takes one of
3410 "root", "clsact", "ingress" or a class identifier. The class
3411 identifier is specified as the major and minor numbers in
3412 hexadecimal in the range 0x1–0xffff separated with a colon
3413 ("major:minor"). Defaults to "root".
3414
3415 Handle=
3416 Configures the major number of the unique identifier of the qdisc,
3417 known as the handle. Takes a hexadecimal number in the range
3418 0x1–0xffff. Defaults to unset.
3419
3420 PacketLimit=
3421 Specifies the hard limit on the queue size in number of packets.
3422 When this limit is reached, incoming packets are dropped. An
3423 unsigned integer in the range 0...4294967294. Defaults to unset and
3424 kernel's default is used.
3425
3427 The [QuickFairQueueing] section manages the queueing discipline (qdisc)
3428 of Quick Fair Queueing (QFQ).
3429
3430 Parent=
3431 Configures the parent Queueing Discipline (qdisc). Takes one of
3432 "root", "clsact", "ingress" or a class identifier. The class
3433 identifier is specified as the major and minor numbers in
3434 hexadecimal in the range 0x1–0xffff separated with a colon
3435 ("major:minor"). Defaults to "root".
3436
3437 Handle=
3438 Configures the major number of the unique identifier of the qdisc,
3439 known as the handle. Takes a hexadecimal number in the range
3440 0x1–0xffff. Defaults to unset.
3441
3443 The [QuickFairQueueingClass] section manages the traffic control class
3444 of Quick Fair Queueing (qfq).
3445
3446 Parent=
3447 Configures the parent Queueing Discipline (qdisc). Takes either
3448 "root" or a qdisc identifier. The qdisc identifier is specified as
3449 the major and minor numbers in hexadecimal in the range 0x1–0xffff
3450 separated with a colon ("major:minor"). Defaults to "root".
3451
3452 ClassId=
3453 Configures the unique identifier of the class. It is specified as
3454 the major and minor numbers in hexadecimal in the range 0x1–0xffff
3455 separated with a colon ("major:minor"). Defaults to unset.
3456
3457 Weight=
3458 Specifies the weight of the class. Takes an integer in the range
3459 1...1023. Defaults to unset in which case the kernel default is
3460 used.
3461
3462 MaxPacketBytes=
3463 Specifies the maximum packet size in bytes for the class. When
3464 suffixed with K, M, or G, the specified size is parsed as
3465 Kilobytes, Megabytes, or Gigabytes, respectively, to the base of
3466 1024. When unset, the kernel default is used.
3467
3469 The [BridgeVLAN] section manages the VLAN ID configuration of a bridge
3470 port and accepts the following keys. Specify several [BridgeVLAN]
3471 sections to configure several VLAN entries. The VLANFiltering= option
3472 has to be enabled, see the [Bridge] section in systemd.netdev(5).
3473
3474 VLAN=
3475 The VLAN ID allowed on the port. This can be either a single ID or
3476 a range M-N. Takes an integer in the range 1...4094.
3477
3478 EgressUntagged=
3479 The VLAN ID specified here will be used to untag frames on egress.
3480 Configuring EgressUntagged= implies the use of VLAN= above and
3481 will enable the VLAN ID for ingress as well. This can be either a
3482 single ID or a range M-N.
3483
3484 PVID=
3485 The Port VLAN ID specified here is assigned to all untagged frames
3486 at ingress. PVID= can be used only once. Configuring PVID=
3487 implies the use of VLAN= above and will enable the VLAN ID for
3488 ingress as well.
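
Because EgressUntagged= and PVID= each also enable their ID as if it were listed in VLAN=, the VLANs a bridge port actually carries can be wider than the VLAN= lines suggest. The following is an added example, not part of the original manual or of systemd: it resolves all [BridgeVLAN] sections of one file into the effective VLAN set and compares it with an expected list. The function names, the sample file and the expected-VLAN policy are constructed, and the checks follow only the rules stated on this page.

```python
import re

VLAN_MIN, VLAN_MAX = 1, 4094  # range this page gives for VLAN=


def parse_sections(text):
    """Return [(section, [(key, value), ...]), ...]; repeated sections stay separate."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], []))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1].append((key.strip(), value.strip()))
    return sections


def parse_vids(value):
    """Turn 'N' or 'M-N' into a set of VLAN IDs, enforcing 1...4094."""
    match = re.fullmatch(r"(\d+)(?:-(\d+))?", value)
    if not match:
        raise ValueError(f"{value!r} is not a VLAN ID or M-N range")
    low = int(match.group(1))
    high = int(match.group(2)) if match.group(2) else low
    if not VLAN_MIN <= low <= high <= VLAN_MAX:
        raise ValueError(f"{value!r} is outside {VLAN_MIN}...{VLAN_MAX}")
    return set(range(low, high + 1))


def audit_bridge_vlans(text, expected):
    """Resolve every [BridgeVLAN] section of one .network file against a policy set."""
    allowed, untagged, pvid, problems = set(), set(), None, []
    for section, items in parse_sections(text):
        if section != "BridgeVLAN":
            continue
        for key, value in items:
            try:
                if key == "VLAN":
                    allowed |= parse_vids(value)
                elif key == "EgressUntagged":
                    vids = parse_vids(value)
                    untagged |= vids
                    allowed |= vids      # implies VLAN= for the same IDs
                elif key == "PVID":
                    vids = parse_vids(value)
                    if len(vids) != 1:
                        raise ValueError("PVID= takes a single ID")
                    if pvid is not None:
                        raise ValueError("PVID= can be used only once")
                    (pvid,) = vids
                    allowed.add(pvid)    # implies VLAN= for this ID
            except ValueError as exc:
                problems.append(f"{key}={value}: {exc}")
    return {
        "allowed": allowed,
        "untagged": untagged,
        "pvid": pvid,
        "unexpected": allowed - set(expected),  # carried but not in policy
        "problems": problems,
    }


# Constructed sample file contents, not taken from a real host.
SAMPLE = """\
[Match]
Name=enp3s0

[Network]
Bridge=br0

[BridgeVLAN]
VLAN=100-102

[BridgeVLAN]
EgressUntagged=42
PVID=42

[BridgeVLAN]
VLAN=4095
"""

if __name__ == "__main__":
    report = audit_bridge_vlans(SAMPLE, expected={42, 100, 101})
    for field, value in report.items():
        print(f"{field}: {value}")
```

Anything in "unexpected" is a VLAN the port will accept or emit that the policy does not list; anything in "problems" is a value that violates a constraint stated above.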
3489
3491 Example 1. Static network configuration
3492
3493 # /etc/systemd/network/50-static.network
3494 [Match]
3495 Name=enp2s0
3496
3497 [Network]
3498 Address=192.168.0.15/24
3499 Gateway=192.168.0.1
3500
3501 This brings interface "enp2s0" up with a static address. The specified
3502 gateway will be used for a default route.
3503
3504 Example 2. DHCP on ethernet links
3505
3506 # /etc/systemd/network/80-dhcp.network
3507 [Match]
3508 Name=en*
3509
3510 [Network]
3511 DHCP=yes
3512
3513 This will enable DHCPv4 and DHCPv6 on all interfaces with names
3514 starting with "en" (i.e. ethernet interfaces).
3515
Example 3. IPv6 Prefix Delegation (DHCPv6 PD)

# /etc/systemd/network/55-dhcpv6-pd-upstream.network
[Match]
Name=enp1s0

[Network]
DHCP=ipv6

# The below setting is optional, to also assign an address in the delegated prefix
# to the upstream interface. If not necessary, then comment out the line below and
# the [DHCPPrefixDelegation] section.
DHCPPrefixDelegation=yes

# If the upstream network provides Router Advertisement with Managed bit set,
# then comment out the line below and WithoutRA= setting in the [DHCPv6] section.
IPv6AcceptRA=no

[DHCPv6]
WithoutRA=solicit

[DHCPPrefixDelegation]
UplinkInterface=:self
SubnetId=0
Announce=no

# /etc/systemd/network/55-dhcpv6-pd-downstream.network
[Match]
Name=enp2s0

[Network]
DHCPPrefixDelegation=yes
IPv6SendRA=yes

# It is expected that the host is acting as a router. So, usually it is not
# necessary to receive Router Advertisement from other hosts in the downstream network.
IPv6AcceptRA=no

[DHCPPrefixDelegation]
UplinkInterface=enp1s0
SubnetId=1
Announce=yes

This will enable DHCPv6-PD on the interface enp1s0 as an upstream
interface where the DHCPv6 client is running and enp2s0 as a downstream
interface where the prefix is delegated to. The delegated prefixes are
distributed by IPv6 Router Advertisement on the downstream network.

Example 4. IPv6 Prefix Delegation (DHCPv4 6RD)

# /etc/systemd/network/55-dhcpv4-6rd-upstream.network
[Match]
Name=enp1s0

[Network]
DHCP=ipv4

# When DHCPv4-6RD is used, the upstream network does not support IPv6.
# Hence, it is not necessary to wait for Router Advertisement, which is enabled by default.
IPv6AcceptRA=no

[DHCPv4]
Use6RD=yes

# /etc/systemd/network/55-dhcpv4-6rd-downstream.network
[Match]
Name=enp2s0

[Network]
DHCPPrefixDelegation=yes
IPv6SendRA=yes

# It is expected that the host is acting as a router. So, usually it is not
# necessary to receive Router Advertisement from other hosts in the downstream network.
IPv6AcceptRA=no

[DHCPPrefixDelegation]
UplinkInterface=enp1s0
SubnetId=1
Announce=yes

This will enable DHCPv4-6RD on the interface enp1s0 as an upstream
interface where the DHCPv4 client is running and enp2s0 as a downstream
interface where the prefix is delegated to. The delegated prefixes are
distributed by IPv6 Router Advertisement on the downstream network.

Example 5. A bridge with two enslaved links

# /etc/systemd/network/25-bridge-static.netdev
[NetDev]
Name=bridge0
Kind=bridge

# /etc/systemd/network/25-bridge-static.network
[Match]
Name=bridge0

[Network]
Address=192.168.0.15/24
Gateway=192.168.0.1
DNS=192.168.0.1

# /etc/systemd/network/25-bridge-slave-interface-1.network
[Match]
Name=enp2s0

[Network]
Bridge=bridge0

# /etc/systemd/network/25-bridge-slave-interface-2.network
[Match]
Name=wlp3s0

[Network]
Bridge=bridge0

This creates a bridge and attaches devices "enp2s0" and "wlp3s0" to it.
The bridge will have the specified static address and network assigned,
and a default route via the specified gateway will be added. The
specified DNS server will be added to the global list of DNS resolvers.

Example 6. Bridge port with VLAN forwarding

# /etc/systemd/network/25-bridge-slave-interface-1.network
[Match]
Name=enp2s0

[Network]
Bridge=bridge0

[BridgeVLAN]
VLAN=1-32
PVID=42
EgressUntagged=42

[BridgeVLAN]
VLAN=100-200

[BridgeVLAN]
EgressUntagged=300-400

This overrides the configuration specified in the previous example for
the interface "enp2s0", and enables VLAN on that bridge port. VLAN IDs
1-32, 42, 100-400 will be allowed. Packets tagged with VLAN IDs 42,
300-400 will be untagged when they leave on this interface. Untagged
packets which arrive on this interface will be assigned VLAN ID 42.

Example 7. Various tunnels

# /etc/systemd/network/25-tunnels.network
[Match]
Name=ens1

[Network]
Tunnel=ipip-tun
Tunnel=sit-tun
Tunnel=gre-tun
Tunnel=vti-tun

# /etc/systemd/network/25-tunnel-ipip.netdev
[NetDev]
Name=ipip-tun
Kind=ipip

# /etc/systemd/network/25-tunnel-sit.netdev
[NetDev]
Name=sit-tun
Kind=sit

# /etc/systemd/network/25-tunnel-gre.netdev
[NetDev]
Name=gre-tun
Kind=gre

# /etc/systemd/network/25-tunnel-vti.netdev
[NetDev]
Name=vti-tun
Kind=vti

This will bring interface "ens1" up and create an IPIP tunnel, a SIT
tunnel, a GRE tunnel, and a VTI tunnel using it.

Example 8. A bond device

# /etc/systemd/network/30-bond1.network
[Match]
Name=bond1

[Network]
DHCP=ipv6

# /etc/systemd/network/30-bond1.netdev
[NetDev]
Name=bond1
Kind=bond

# /etc/systemd/network/30-bond1-dev1.network
[Match]
MACAddress=52:54:00:e9:64:41

[Network]
Bond=bond1

# /etc/systemd/network/30-bond1-dev2.network
[Match]
MACAddress=52:54:00:e9:64:42

[Network]
Bond=bond1

This will create a bond device "bond1" and enslave the two devices with
MAC addresses 52:54:00:e9:64:41 and 52:54:00:e9:64:42 to it. IPv6 DHCP
will be used to acquire an address.

Example 9. Virtual Routing and Forwarding (VRF)

Add the "bond1" interface to the VRF master interface "vrf1". This will
redirect routes generated on this interface to be within the routing
table defined during VRF creation. For kernels before 4.8, traffic won't
be redirected towards the VRF's routing table unless specific ip-rules
are added.

# /etc/systemd/network/25-vrf.network
[Match]
Name=bond1

[Network]
VRF=vrf1

Example 10. MacVTap

This brings up a network interface "macvtap-test" and attaches it to
"enp0s25".

# /usr/lib/systemd/network/25-macvtap.network
[Match]
Name=enp0s25

[Network]
MACVTAP=macvtap-test

Example 11. An Xfrm interface with a physical underlying device

# /etc/systemd/network/27-xfrm.netdev
[NetDev]
Name=xfrm0
Kind=xfrm

[Xfrm]
InterfaceId=7

# /etc/systemd/network/27-eth0.network
[Match]
Name=eth0

[Network]
Xfrm=xfrm0

This creates an "xfrm0" interface and binds it to the "eth0" device.
This allows hardware-based IPsec offloading to the "eth0" NIC. If
offloading is not needed, xfrm interfaces can be assigned to the "lo"
device.

systemd(1), systemd-networkd.service(8), systemd.link(5),
systemd.netdev(5), systemd-network-generator.service(8),
systemd-resolved.service(8)

1. System and Service Credentials
    https://systemd.io/CREDENTIALS

2. Link-Local Multicast Name Resolution
    https://tools.ietf.org/html/rfc4795

3. Multicast DNS
    https://tools.ietf.org/html/rfc6762

4. DNS-over-TLS
    https://tools.ietf.org/html/rfc7858

5. DNSSEC
    https://tools.ietf.org/html/rfc4033

6. IEEE 802.1AB-2016
    https://standards.ieee.org/findstds/standard/802.1AB-2016.html

7. IP Sysctl
    https://docs.kernel.org/networking/ip-sysctl.html

8. RFC 4941
    https://tools.ietf.org/html/rfc4941

9. RFC 1027
    https://tools.ietf.org/html/rfc1027

10. RFC 6275
    https://tools.ietf.org/html/rfc6275

11. RFC 5227
    https://tools.ietf.org/html/rfc5227

12. RFC 4862
    https://tools.ietf.org/html/rfc4862

13. RFC 3041
    https://tools.ietf.org/html/rfc3041

14. NetLabel
    https://docs.kernel.org/netlabel/index.html

15. Linux Security Modules (LSMs)
    https://en.wikipedia.org/wiki/Linux_Security_Modules

16. NetLabel Fallback Peer Labeling
    https://github.com/SELinuxProject/selinux-notebook/blob/main/src/network_support.md

17. RFC 3484
    https://tools.ietf.org/html/rfc3484

18. Type of Service
    https://en.wikipedia.org/wiki/Type_of_service

19. Differentiated services
    https://en.wikipedia.org/wiki/Differentiated_services

20. RFC 4191
    https://tools.ietf.org/html/rfc4191

21. RFC 8520
    https://tools.ietf.org/html/rfc8520

22. RFC 7844
    https://tools.ietf.org/html/rfc7844

23. C-style escapes
    https://en.wikipedia.org/wiki/Escape_sequences_in_C#Table_of_escape_sequences

24. RFC 5969
    https://tools.ietf.org/html/rfc5969

25. RFC 3315
    https://tools.ietf.org/html/rfc3315#section-17.2.1

26. RFC 8415
    https://www.rfc-editor.org/rfc/rfc8415.html#section-6.3

27. RFC 4291
    https://tools.ietf.org/html/rfc4291#section-2.5.4

28. RFC 7217
    https://tools.ietf.org/html/rfc7217

29. RFC 2131
    https://www.rfc-editor.org/rfc/rfc2131.html

30. RFC 2132
    https://www.rfc-editor.org/rfc/rfc2132.html

31. RFC 1542
    https://tools.ietf.org/html/rfc1542

32. RFC 4861
    https://tools.ietf.org/html/rfc4861

systemd 254 SYSTEMD.NETWORK(5)