git.ipfire.org Git - thirdparty/systemd.git/blame - man/systemd.netdev.xml
man: fix assorted issues reported by the manpage-l10n project
eac684ef 1<?xml version='1.0'?> <!--*-nxml-*-->
3a54a157 2<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
12b42c76 3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
db9ecf05 4<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
5
6<refentry id="systemd.netdev" conditional='ENABLE_NETWORKD'>
7
8 <refentryinfo>
9 <title>systemd.network</title>
10 <productname>systemd</productname>
11 </refentryinfo>
12
13 <refmeta>
14 <refentrytitle>systemd.netdev</refentrytitle>
15 <manvolnum>5</manvolnum>
16 </refmeta>
17
18 <refnamediv>
19 <refname>systemd.netdev</refname>
20 <refpurpose>Virtual Network Device configuration</refpurpose>
21 </refnamediv>
22
23 <refsynopsisdiv>
24 <para><filename><replaceable>netdev</replaceable>.netdev</filename></para>
25 </refsynopsisdiv>
26
27 <refsect1>
28 <title>Description</title>
29
d4de2b2a 30 <para>A plain ini-style text file that encodes configuration about a virtual network device, used by
798d3a52 31 <citerefentry><refentrytitle>systemd-networkd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
675fa6ea 32 See <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry>
d4de2b2a 33 for a general description of the syntax.</para>
798d3a52 34
35 <para>The main Virtual Network Device file must have the extension <filename>.netdev</filename>;
36 other extensions are ignored. Virtual network devices are created as soon as networkd is
37 started. If a netdev with the specified name already exists, networkd will use that as-is rather
38 than create its own. Note that the settings of the pre-existing netdev will not be changed by
39 networkd.</para>
40
41 <para>The <filename>.netdev</filename> files are read from the files located in the system
42 network directory <filename>/usr/lib/systemd/network</filename>, the volatile runtime network
43 directory <filename>/run/systemd/network</filename> and the local administration network
44 directory <filename>/etc/systemd/network</filename>. All configuration files are collectively
45 sorted and processed in lexical order, regardless of the directories in which they live.
46 However, files with identical filenames replace each other. Files in <filename>/etc/</filename>
47 have the highest priority, files in <filename>/run/</filename> take precedence over files with
48 the same name in <filename>/usr/lib/</filename>. This can be used to override a system-supplied
49 configuration file with a local file if needed. As a special case, an empty file (file size 0)
50 or symlink with the same name pointing to <filename>/dev/null</filename> disables the
51 configuration file entirely (it is "masked").</para>
52
53 <para>Along with the netdev file <filename>foo.netdev</filename>, a "drop-in" directory
54 <filename>foo.netdev.d/</filename> may exist. All files with the suffix <literal>.conf</literal>
55 from this directory will be merged in alphanumeric order and parsed after the main file itself
56 has been parsed. This is useful to alter or add configuration settings, without having to modify
57 the main configuration file. Each drop-in file must have appropriate section headers.</para>
58
59 <para>In addition to <filename>/etc/systemd/network</filename>, drop-in <literal>.d</literal>
60 directories can be placed in <filename>/usr/lib/systemd/network</filename> or
61 <filename>/run/systemd/network</filename> directories. Drop-in files in
62 <filename>/etc/</filename> take precedence over those in <filename>/run/</filename> which in turn
63 take precedence over those in <filename>/usr/lib/</filename>. Drop-in files under any of these
bac150e9 64 directories take precedence over the main netdev file wherever located. (Of course, since
3b121157 65 <filename>/run/</filename> is temporary and <filename>/usr/lib/</filename> is for vendors, it is
bac150e9 66 unlikely drop-ins should be used in either of those places.)</para>
67 </refsect1>
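The precedence, masking and drop-in rules of the Description section, as an added Python example (not part of systemd or of this man page) that reports which copy of each .netdev file takes effect and which lower-priority copies it shadows. It assumes that a masked file also disables its drop-ins and that same-named drop-ins replace each other by directory priority; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Search directories from lowest to highest priority, as listed in the text.
SEARCH_DIRS = ("usr/lib/systemd/network", "run/systemd/network", "etc/systemd/network")


def is_masked(path):
    """True for an empty file or a symlink that resolves to /dev/null."""
    if os.path.realpath(path) == "/dev/null":
        return True
    return path.is_file() and path.stat().st_size == 0


def effective_netdevs(root):
    """Resolve which .netdev files and drop-ins take effect under `root`."""
    root = Path(root)
    copies = {}   # file name -> every copy found, lowest priority first
    dropins = {}  # file name -> {drop-in name: highest-priority path}
    for rel in SEARCH_DIRS:
        directory = root / rel
        if not directory.is_dir():
            continue
        for entry in directory.iterdir():
            if entry.name.endswith(".netdev") and not entry.is_dir():
                copies.setdefault(entry.name, []).append(entry)
            elif entry.name.endswith(".netdev.d") and entry.is_dir():
                bucket = dropins.setdefault(entry.name[:-2], {})
                for conf in entry.glob("*.conf"):
                    bucket[conf.name] = conf  # a later (higher) directory wins

    report = []
    for name in sorted(copies):  # lexical order, regardless of directory
        *shadowed, winner = copies[name]
        masked = is_masked(winner)
        # Assumption: a masked main file also disables its drop-ins.
        confs = {} if masked else dropins.get(name, {})
        report.append({
            "name": name,
            "main": winner.relative_to(root).as_posix(),
            "masked": masked,
            "shadows": [p.relative_to(root).as_posix() for p in shadowed],
            "dropins": [confs[c].relative_to(root).as_posix() for c in sorted(confs)],
        })
    return report


def build_sample_tree(root):
    """Constructed sample layout, not taken from a real system."""
    root = Path(root)
    usr, run, etc = (root / d for d in SEARCH_DIRS)
    for d in (usr, run, etc, usr / "30-vlan.netdev.d", etc / "30-vlan.netdev.d"):
        d.mkdir(parents=True)
    bridge = "[NetDev]\nName=br0\nKind=bridge\n"
    (usr / "10-br0.netdev").write_text(bridge)
    (etc / "10-br0.netdev").write_text(bridge)       # replaces the vendor copy
    (usr / "20-vpn.netdev").write_text("[NetDev]\nName=wg0\nKind=wireguard\n")
    os.symlink("/dev/null", etc / "20-vpn.netdev")   # masks the vendor copy
    (run / "30-vlan.netdev").write_text("[NetDev]\nName=vlan10\nKind=vlan\n")
    (usr / "30-vlan.netdev.d" / "10-a.conf").write_text("[VLAN]\nId=10\n")
    (etc / "30-vlan.netdev.d" / "10-a.conf").write_text("[VLAN]\nId=20\n")
    (etc / "30-vlan.netdev.d" / "20-b.conf").write_text("[VLAN]\nGVRP=no\n")
    (usr / "40-empty.netdev").write_text("")         # size 0: masked
    (etc / "notes.txt").write_text("ignored: wrong extension\n")


def demo():
    """Build the sample tree in a temporary directory and resolve it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return effective_netdevs(tmp)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Run against `/` instead of the temporary tree, the same function lists every local override of a vendor-supplied netdev, which is a quick way to review what actually configures the virtual devices on a host.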
68
69 <refsect1>
70 <title>Supported netdev kinds</title>
71
72 <para>The following kinds of virtual network devices may be
73 configured in <filename>.netdev</filename> files:</para>
74
75 <table>
76 <title>Supported kinds of virtual network devices</title>
77
78 <tgroup cols='2'>
79 <colspec colname='kind' />
80 <colspec colname='explanation' />
81 <thead><row>
82 <entry>Kind</entry>
83 <entry>Description</entry>
84 </row></thead>
85 <tbody>
86 <row><entry><varname>bond</varname></entry>
de70ff66 87 <entry>A bond device is an aggregation of all its slave devices. See <ulink url="https://www.kernel.org/doc/Documentation/networking/bonding.txt">Linux Ethernet Bonding Driver HOWTO</ulink> for details.</entry></row>
88
89 <row><entry><varname>bridge</varname></entry>
a8eaaee7 90 <entry>A bridge device is a software switch, and each of its slave devices and the bridge itself are ports of the switch.</entry></row>
91
92 <row><entry><varname>dummy</varname></entry>
93 <entry>A dummy device drops all packets sent to it.</entry></row>
94
95 <row><entry><varname>gre</varname></entry>
96 <entry>A Level 3 GRE tunnel over IPv4. See <ulink url="https://tools.ietf.org/html/rfc2784">RFC 2784</ulink> for details.</entry></row>
97
98 <row><entry><varname>gretap</varname></entry>
99 <entry>A Level 2 GRE tunnel over IPv4.</entry></row>
100
2266864b 101 <row><entry><varname>erspan</varname></entry>
d653a359 102 <entry>ERSPAN mirrors traffic on one or more source ports and delivers the mirrored traffic to one or more destination ports on another switch. The traffic is encapsulated in generic routing encapsulation (GRE) and is therefore routable across a layer 3 network between the source switch and the destination switch.</entry></row>
2266864b 103
104 <row><entry><varname>ip6gre</varname></entry>
105 <entry>A Level 3 GRE tunnel over IPv6.</entry></row>
106
107 <row><entry><varname>ip6tnl</varname></entry>
108 <entry>An IPv4 or IPv6 tunnel over IPv6.</entry></row>
109
110 <row><entry><varname>ip6gretap</varname></entry>
037a3ded 111 <entry>A Level 2 GRE tunnel over IPv6.</entry></row>
112
113 <row><entry><varname>ipip</varname></entry>
114 <entry>An IPv4 over IPv4 tunnel.</entry></row>
115
116 <row><entry><varname>ipvlan</varname></entry>
e9dd6984 117 <entry>An IPVLAN device is a stacked device which receives packets from its underlying device based on IP address filtering.</entry></row>
798d3a52 118
69c317a0 119 <row><entry><varname>ipvtap</varname></entry>
e9dd6984 120 <entry>An IPVTAP device is a stacked device which receives packets from its underlying device based on IP address filtering and can be accessed using the tap user space interface.</entry></row>
69c317a0 121
122 <row><entry><varname>macvlan</varname></entry>
123 <entry>A macvlan device is a stacked device which receives packets from its underlying device based on MAC address filtering.</entry></row>
124
125 <row><entry><varname>macvtap</varname></entry>
126 <entry>A macvtap device is a stacked device which receives packets from its underlying device based on MAC address filtering.</entry></row>
127
128 <row><entry><varname>sit</varname></entry>
129 <entry>An IPv6 over IPv4 tunnel.</entry></row>
130
131 <row><entry><varname>tap</varname></entry>
132 <entry>A persistent Level 2 tunnel between a network device and a device node.</entry></row>
133
134 <row><entry><varname>tun</varname></entry>
135 <entry>A persistent Level 3 tunnel between a network device and a device node.</entry></row>
136
137 <row><entry><varname>veth</varname></entry>
a8eaaee7 138 <entry>An Ethernet tunnel between a pair of network devices.</entry></row>
139
140 <row><entry><varname>vlan</varname></entry>
141 <entry>A VLAN is a stacked device which receives packets from its underlying device based on VLAN tagging. See <ulink url="http://www.ieee802.org/1/pages/802.1Q.html">IEEE 802.1Q</ulink> for details.</entry></row>
142
143 <row><entry><varname>vti</varname></entry>
144 <entry>An IPv4 over IPSec tunnel.</entry></row>
145
146 <row><entry><varname>vti6</varname></entry>
147 <entry>An IPv6 over IPSec tunnel.</entry></row>
148
149 <row><entry><varname>vxlan</varname></entry>
150 <entry>A virtual extensible LAN (vxlan), for connecting Cloud computing deployments.</entry></row>
20897a0d 151
152 <row><entry><varname>geneve</varname></entry>
153 <entry>A GEneric NEtwork Virtualization Encapsulation (GENEVE) netdev driver.</entry></row>
154
155 <row><entry><varname>l2tp</varname></entry>
156 <entry>A Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It does not provide any encryption or confidentiality by itself.</entry></row>
157
158 <row><entry><varname>macsec</varname></entry>
159 <entry>Media Access Control Security (MACsec) is an 802.1AE IEEE industry-standard security technology that provides secure communication for all traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly connected nodes and is capable of identifying and preventing most security threats.</entry></row>
160
20897a0d 161 <row><entry><varname>vrf</varname></entry>
162 <entry>A Virtual Routing and Forwarding (<ulink url="https://www.kernel.org/doc/Documentation/networking/vrf.txt">VRF</ulink>) interface to create separate routing and forwarding domains.</entry></row>
163
164 <row><entry><varname>vcan</varname></entry>
ba9fa3bc 165 <entry>The virtual CAN driver (vcan). Similar to the network loopback devices, vcan offers a virtual local CAN interface.</entry></row>
20897a0d 166
167 <row><entry><varname>vxcan</varname></entry>
168 <entry>The virtual CAN tunnel driver (vxcan). Similar to the virtual ethernet driver veth, vxcan implements a local CAN traffic tunnel between two virtual CAN network devices. When creating a vxcan, two vxcan devices are created as a pair. When one end receives the packet it appears on its pair and vice versa. The vxcan can be used for cross namespace communication.
169 </entry></row>
170
171 <row><entry><varname>wireguard</varname></entry>
172 <entry>WireGuard Secure Network Tunnel.</entry></row>
173
174 <row><entry><varname>nlmon</varname></entry>
175 <entry>A Netlink monitor device. Use an nlmon device when you want to monitor system Netlink messages.</entry></row>
176
177 <row><entry><varname>fou</varname></entry>
178 <entry>Foo-over-UDP tunneling.</entry></row>
179
98d20a17 180 <row><entry><varname>xfrm</varname></entry>
181 <entry>A virtual tunnel interface like vti/vti6 but with several advantages.</entry></row>
182
3295a461 183 <row><entry><varname>ifb</varname></entry>
d5630d27 184 <entry>The Intermediate Functional Block (ifb) pseudo network interface acts as a QoS concentrator for multiple different sources of traffic.</entry></row>
3295a461 185
e6980c72 186 <row><entry><varname>bareudp</varname></entry>
d5630d27 187 <entry>Bare UDP tunnels provide a generic L3 encapsulation support for tunnelling different L3 protocols like MPLS, IP etc. inside of a UDP tunnel.</entry></row>
188
189 <row><entry><varname>batadv</varname></entry>
d5630d27 190 <entry><ulink url="https://www.open-mesh.org/projects/open-mesh/wiki">B.A.T.M.A.N. Advanced</ulink> is a routing protocol for multi-hop mobile ad-hoc networks which operates on layer 2.</entry></row>
191 </tbody>
192 </tgroup>
193 </table>
194
195 </refsect1>
196
197 <refsect1>
198 <title>[Match] Section Options</title>
199
200 <para>A virtual network device is only created if the
bdac5608 201 [Match] section matches the current
202 environment, or if the section is empty. The following keys are
203 accepted:</para>
204
205 <variablelist class='network-directives'>
206 <varlistentry>
207 <term><varname>Host=</varname></term>
208 <listitem>
209 <para>Matches against the hostname or machine ID of the host. See
210 <literal>ConditionHost=</literal> in
798d3a52 211 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
212 for details. When prefixed with an exclamation mark (<literal>!</literal>), the result is negated.
213 If an empty string is assigned, then the previously assigned value is cleared.
214 </para>
215 </listitem>
216 </varlistentry>
217 <varlistentry>
218 <term><varname>Virtualization=</varname></term>
219 <listitem>
220 <para>Checks whether the system is executed in a virtualized environment and optionally tests
221 whether it is a specific implementation. See <literal>ConditionVirtualization=</literal> in
798d3a52 222 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
223 for details. When prefixed with an exclamation mark (<literal>!</literal>), the result is negated.
224 If an empty string is assigned, then the previously assigned value is cleared.
225 </para>
226 </listitem>
227 </varlistentry>
228 <varlistentry>
229 <term><varname>KernelCommandLine=</varname></term>
230 <listitem>
d689bbca 231 <para>Checks whether a specific kernel command line option is set. See
232 <literal>ConditionKernelCommandLine=</literal> in
233 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
234 for details. When prefixed with an exclamation mark (<literal>!</literal>), the result is negated.
235 If an empty string is assigned, then the previously assigned value is cleared.
236 </para>
237 </listitem>
238 </varlistentry>
239 <varlistentry>
240 <term><varname>KernelVersion=</varname></term>
241 <listitem>
242 <para>Checks whether the kernel version (as reported by <command>uname -r</command>) matches a
243 certain expression. See <literal>ConditionKernelVersion=</literal> in
244 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
245 for details. When prefixed with an exclamation mark (<literal>!</literal>), the result is negated.
246 If an empty string is assigned, then the previously assigned value is cleared.
247 </para>
248 </listitem>
249 </varlistentry>
250 <varlistentry>
251 <term><varname>Architecture=</varname></term>
252 <listitem>
253 <para>Checks whether the system is running on a specific architecture. See
254 <literal>ConditionArchitecture=</literal> in
798d3a52 255 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
d689bbca 256 for details. When prefixed with an exclamation mark (<literal>!</literal>), the result is negated.
257 If an empty string is assigned, then the previously assigned value is cleared.
258 </para>
259 </listitem>
260 </varlistentry>
261 <varlistentry>
262 <term><varname>Firmware=</varname></term>
263 <listitem>
264 <para>Checks whether the system is running on a machine with the specified firmware. See
265 <literal>ConditionFirmware=</literal> in
266 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
267 for details. When prefixed with an exclamation mark (<literal>!</literal>), the result is negated.
d689bbca 268 If an empty string is assigned, then the previously assigned value is cleared.
269 </para>
270 </listitem>
271 </varlistentry>
272 </variablelist>
273 </refsect1>
274
275 <refsect1>
276 <title>[NetDev] Section Options</title>
277
bdac5608 278 <para>The [NetDev] section accepts the
279 following keys:</para>
280
281 <variablelist class='network-directives'>
282 <varlistentry>
283 <term><varname>Description=</varname></term>
284 <listitem>
285 <para>A free-form description of the netdev.</para>
286 </listitem>
287 </varlistentry>
288 <varlistentry>
289 <term><varname>Name=</varname></term>
290 <listitem>
291 <para>The interface name used when creating the netdev.
e9dd6984 292 This setting is compulsory.</para>
293 </listitem>
294 </varlistentry>
295 <varlistentry>
296 <term><varname>Kind=</varname></term>
297 <listitem>
e9dd6984 298 <para>The netdev kind. This setting is compulsory. See the
299 <literal>Supported netdev kinds</literal> section for the
300 valid keys.</para>
301 </listitem>
302 </varlistentry>
303 <varlistentry>
304 <term><varname>MTUBytes=</varname></term>
305 <listitem>
e9dd6984 306 <para>The maximum transmission unit in bytes to set for the device. The usual suffixes K, M, G
307 are supported and are understood to the base of 1024. For <literal>tun</literal> or
308 <literal>tap</literal> devices, the <varname>MTUBytes=</varname> setting is not currently supported in
bdac5608 309 the [NetDev] section. Please specify it in the [Link] section of the
310 corresponding
311 <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
312 files.</para>
313 </listitem>
314 </varlistentry>
315 <varlistentry>
316 <term><varname>MACAddress=</varname></term>
317 <listitem>
318 <para>The MAC address to use for the device. For <literal>tun</literal> or <literal>tap</literal>
319 devices, setting <varname>MACAddress=</varname> in the [NetDev] section is not
320 supported. Please specify it in the [Link] section of the corresponding
321 <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
322 file. If this option is not set, <literal>vlan</literal> devices inherit the MAC address of the
323 physical interface. For other kinds of netdevs, if this option is not set, then the MAC address is
324 generated based on the interface name and the
325 <citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
326 </para>
327 </listitem>
328 </varlistentry>
329 </variablelist>
330 </refsect1>
331
488d0ba1 332 <refsect1>
333 <title>[Bridge] Section Options</title>
334
bdac5608 335 <para>The [Bridge] section only applies for
336 netdevs of kind <literal>bridge</literal>, and accepts the
337 following keys:</para>
338
339 <variablelist class='network-directives'>
340 <varlistentry>
341 <term><varname>HelloTimeSec=</varname></term>
342 <listitem>
343 <para>HelloTimeSec specifies the number of seconds between two hello packets
344 sent out by the root bridge and the designated bridges. Hello packets are
345 used to communicate information about the topology throughout the entire
346 bridged local area network.</para>
347 </listitem>
348 </varlistentry>
349 <varlistentry>
350 <term><varname>MaxAgeSec=</varname></term>
351 <listitem>
352 <para>MaxAgeSec specifies the number of seconds of maximum message age.
353 If the last seen (received) hello packet is more than this number of
354 seconds old, the bridge in question will start the takeover procedure
355 in an attempt to become the Root Bridge itself.</para>
356 </listitem>
357 </varlistentry>
358 <varlistentry>
359 <term><varname>ForwardDelaySec=</varname></term>
360 <listitem>
361 <para>ForwardDelaySec specifies the number of seconds spent in each
362 of the Listening and Learning states before the Forwarding state is entered.</para>
363 </listitem>
364 </varlistentry>
365 <varlistentry>
366 <term><varname>AgeingTimeSec=</varname></term>
367 <listitem>
368 <para>This specifies the number of seconds a MAC address will be kept in
369 the forwarding database after a packet has been received from this MAC address.</para>
370 </listitem>
371 </varlistentry>
372 <varlistentry>
373 <term><varname>Priority=</varname></term>
374 <listitem>
375 <para>The priority of the bridge. An integer between 0 and 65535. A lower value
376 means higher priority. The bridge having the lowest priority will be elected as root bridge.</para>
377 </listitem>
378 </varlistentry>
379 <varlistentry>
380 <term><varname>GroupForwardMask=</varname></term>
381 <listitem>
382 <para>A 16-bit bitmask represented as an integer which allows forwarding of link
383 local frames with 802.1D reserved addresses (01:80:C2:00:00:0X). A logical AND
384 is performed between the specified bitmask and 2^X, where X is the
385 lower nibble of the last octet of the MAC address. For example, a value of 8
386 would allow forwarding of frames addressed to 01:80:C2:00:00:03 (802.1X PAE).</para>
387 </listitem>
388 </varlistentry>
389 <varlistentry>
390 <term><varname>DefaultPVID=</varname></term>
391 <listitem>
392 <para>This specifies the default port VLAN ID of a newly attached bridge port.
be0d27ee 393 Set this to an integer in the range 1…4094 or <literal>none</literal> to disable the PVID.</para>
394 </listitem>
395 </varlistentry>
396 <varlistentry>
397 <term><varname>MulticastQuerier=</varname></term>
398 <listitem>
399 <para>Takes a boolean. This setting controls the IFLA_BR_MCAST_QUERIER option in the kernel.
400 If enabled, the kernel will send general ICMP queries from a zero source address.
401 This feature should allow faster convergence on startup, but it causes some
402 multicast-aware switches to misbehave and disrupt forwarding of multicast packets.
403 When unset, the kernel's default will be used.
404 </para>
405 </listitem>
406 </varlistentry>
407 <varlistentry>
408 <term><varname>MulticastSnooping=</varname></term>
409 <listitem>
410 <para>Takes a boolean. This setting controls the IFLA_BR_MCAST_SNOOPING option in the kernel.
411 If enabled, IGMP snooping monitors the Internet Group Management Protocol (IGMP) traffic
412 between hosts and multicast routers. When unset, the kernel's default will be used.
413 </para>
414 </listitem>
415 </varlistentry>
416 <varlistentry>
417 <term><varname>VLANFiltering=</varname></term>
418 <listitem>
419 <para>Takes a boolean. This setting controls the IFLA_BR_VLAN_FILTERING option in the kernel.
420 If enabled, the bridge will be started in VLAN-filtering mode. When unset, the kernel's default will be used.
421 </para>
422 </listitem>
423 </varlistentry>
424 <varlistentry>
425 <term><varname>VLANProtocol=</varname></term>
426 <listitem>
427 <para>Allows setting the protocol used for VLAN filtering. Takes
428 <option>802.1q</option> or
429 <option>802.1ad</option>. Defaults to unset, in which case the kernel's default is used.
430 </para>
431 </listitem>
432 </varlistentry>
433 <varlistentry>
434 <term><varname>STP=</varname></term>
435 <listitem>
436 <para>Takes a boolean. This enables the bridge's Spanning Tree Protocol (STP).
437 When unset, the kernel's default will be used.
438 </para>
439 </listitem>
440 </varlistentry>
441 <varlistentry>
e8489008 442 <term><varname>MulticastIGMPVersion=</varname></term>
afa51e2d 443 <listitem>
444 <para>Allows changing bridge's multicast Internet Group Management Protocol (IGMP) version.
445 Takes an integer 2 or 3. When unset, the kernel's default will be used.
446 </para>
447 </listitem>
448 </varlistentry>
449 </variablelist>
450 </refsect1>
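A check of a bridge netdev against the value ranges stated in the [NetDev] and [Bridge] sections, including a decoder that turns GroupForwardMask= into the reserved 802.1D addresses it lets through. This is an added Python example, not code from systemd; the function names and the sample file are constructed, values are assumed to be written in decimal, and apart from 802.1X PAE the protocol names in the table come from the IEEE standards rather than from this page.

```python
import configparser

# Names for a few reserved group addresses 01:80:C2:00:00:0X. Only 03
# (802.1X PAE) is named on the page; the rest are added from IEEE 802.1D/802.1AB.
KNOWN_GROUPS = {0x0: "STP BPDU", 0x2: "slow protocols (LACP)",
                0x3: "802.1X PAE", 0xE: "LLDP"}


def decode_group_forward_mask(mask):
    """Return (address, name) for every X whose bit 2^X is set in the mask."""
    if not 0 <= mask <= 0xFFFF:
        raise ValueError("GroupForwardMask= is a 16-bit bitmask")
    return [(f"01:80:C2:00:00:{x:02X}", KNOWN_GROUPS.get(x, "reserved"))
            for x in range(16) if mask & (1 << x)]


def _int_in(value, lo, hi):
    """Parse a decimal integer; None when malformed or outside lo..hi."""
    try:
        n = int(value, 10)
    except ValueError:
        return None
    return n if lo <= n <= hi else None


def lint_bridge_netdev(text):
    """Return (findings, forwarded_groups) for the text of one .netdev file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case: Name= is not name=
    cp.read_string(text)

    findings = []
    for key in ("Name", "Kind"):
        if not cp.get("NetDev", key, fallback="").strip():
            findings.append(f"[NetDev] {key}= is compulsory")
    if cp.get("NetDev", "Kind", fallback="") != "bridge" or not cp.has_section("Bridge"):
        return findings, []

    br = cp["Bridge"]
    if "Priority" in br and _int_in(br["Priority"], 0, 65535) is None:
        findings.append("Priority= must be an integer between 0 and 65535")
    pvid = br.get("DefaultPVID")
    if pvid is not None and pvid != "none" and _int_in(pvid, 1, 4094) is None:
        findings.append("DefaultPVID= must be in the range 1...4094 or 'none'")
    if "MulticastIGMPVersion" in br and br["MulticastIGMPVersion"] not in ("2", "3"):
        findings.append("MulticastIGMPVersion= takes 2 or 3")
    if "VLANProtocol" in br and br["VLANProtocol"] not in ("802.1q", "802.1ad"):
        findings.append("VLANProtocol= takes 802.1q or 802.1ad")

    forwarded = []
    if "GroupForwardMask" in br:
        mask = _int_in(br["GroupForwardMask"], 0, 0xFFFF)
        if mask is None:
            findings.append("GroupForwardMask= must be a 16-bit integer")
        else:
            forwarded = decode_group_forward_mask(mask)
    return findings, forwarded


# Constructed sample file. 16392 = 2^3 + 2^14.
SAMPLE = """\
[NetDev]
Name=br0
Kind=bridge

[Bridge]
Priority=70000
GroupForwardMask=16392
DefaultPVID=none
MulticastIGMPVersion=4
VLANProtocol=802.1ad
"""

if __name__ == "__main__":
    problems, groups = lint_bridge_netdev(SAMPLE)
    for p in problems:
        print("finding:", p)
    for addr, name in groups:
        print("forwarded:", addr, name)
```

The decoded list is the part worth reviewing by hand: every address in it is link-local control traffic that the bridge will pass between its ports instead of consuming.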
451
452 <refsect1>
453 <title>[VLAN] Section Options</title>
454
bdac5608 455 <para>The [VLAN] section only applies for
456 netdevs of kind <literal>vlan</literal>, and accepts the
457 following key:</para>
458
459 <variablelist class='network-directives'>
460 <varlistentry>
461 <term><varname>Id=</varname></term>
462 <listitem>
be0d27ee 463 <para>The VLAN ID to use. An integer in the range 0…4094.
e9dd6984 464 This setting is compulsory.</para>
465 </listitem>
466 </varlistentry>
2d453f35 467 <varlistentry>
468 <term><varname>Protocol=</varname></term>
469 <listitem>
470 <para>Allows setting the protocol used for the VLAN interface. Takes <literal>802.1q</literal> or
471 <literal>802.1ad</literal>. Defaults to unset, in which case the kernel's default is used.</para>
472 </listitem>
473 </varlistentry>
474 <varlistentry>
475 <term><varname>GVRP=</varname></term>
476 <listitem>
477 <para>Takes a boolean. The Generic VLAN Registration Protocol (GVRP) is a protocol that
478 allows automatic learning of VLANs on a network.
479 When unset, the kernel's default will be used.
480 </para>
481 </listitem>
482 </varlistentry>
483 <varlistentry>
484 <term><varname>MVRP=</varname></term>
485 <listitem>
486 <para>Takes a boolean. Multiple VLAN Registration Protocol (MVRP), formerly known as GARP VLAN
487 Registration Protocol (GVRP), is a standards-based Layer 2 network protocol
488 for automatic configuration of VLAN information on switches. It was defined
489 in the 802.1ak amendment to 802.1Q-2005. When unset, the kernel's default will be used.
490 </para>
491 </listitem>
492 </varlistentry>
493 <varlistentry>
494 <term><varname>LooseBinding=</varname></term>
495 <listitem>
496 <para>Takes a boolean. The VLAN loose binding mode, in which only the operational state is passed
497 from the parent to the associated VLANs, but the VLAN device state is not changed.
498 When unset, the kernel's default will be used.</para>
499 </listitem>
500 </varlistentry>
501 <varlistentry>
502 <term><varname>ReorderHeader=</varname></term>
503 <listitem>
504 <para>Takes a boolean. When enabled, the VLAN reorder header is used and VLAN interfaces behave
505 like physical interfaces. When unset, the kernel's default will be used.</para>
506 </listitem>
507 </varlistentry>
508 <varlistentry>
509 <term><varname>EgressQOSMaps=</varname></term>
510 <listitem>
511 <para>Defines a mapping of Linux internal packet priority (<constant>SO_PRIORITY</constant>) to the VLAN header
512 PCP field for outgoing frames. Takes a whitespace-separated list of unsigned integer pairs in the format
513 <literal>from</literal>-<literal>to</literal>, e.g., <literal>21-7 45-5</literal>, in the range 1–4294967294.
514 Note that <literal>from</literal> must be greater than or equal to <literal>to</literal>. When unset,
515 the kernel's default will be used.
516 </para>
517 </listitem>
518 </varlistentry>
519 <varlistentry>
520 <term><varname>IngressQOSMaps=</varname></term>
521 <listitem>
522 <para>Defines a mapping of Linux internal packet priority (<constant>SO_PRIORITY</constant>) to the VLAN header
523 PCP field for incoming frames. Takes a whitespace-separated list of unsigned integer pairs in the format
524 <literal>from</literal>-<literal>to</literal>, e.g., <literal>21-7 45-5</literal>, in the range 1–4294967294.
525 Note that <literal>from</literal> must be greater than or equal to <literal>to</literal>. When unset,
526 the kernel's default will be used.
527 </para>
528 </listitem>
529 </varlistentry>
488d0ba1 530 </variablelist>
531 </refsect1>
532
533 <refsect1>
534 <title>[MACVLAN] Section Options</title>
535
bdac5608 536 <para>The [MACVLAN] section only applies for
537 netdevs of kind <literal>macvlan</literal>, and accepts the
538 following key:</para>
539
540 <variablelist class='network-directives'>
541 <varlistentry>
542 <term><varname>Mode=</varname></term>
543 <listitem>
544 <para>The MACVLAN mode to use. The supported options are
545 <literal>private</literal>,
546 <literal>vepa</literal>,
547 <literal>bridge</literal>,
548 <literal>passthru</literal>, and
549 <literal>source</literal>.
550 </para>
551 </listitem>
552 </varlistentry>
553 <varlistentry>
554 <term><varname>SourceMACAddress=</varname></term>
555 <listitem>
556 <para>A whitespace-separated list of remote hardware addresses allowed on the MACVLAN. This
48c19082 557 option only has an effect in source mode. Use full colon-, hyphen- or dot-delimited
558 hexadecimal. This option may appear more than once, in which case the lists are merged. If
559 the empty string is assigned to this option, the list of hardware addresses defined prior
560 to this is reset. Defaults to unset.</para>
561 </listitem>
562 </varlistentry>
563 <varlistentry>
564 <term><varname>BroadcastMulticastQueueLength=</varname></term>
565 <listitem>
566 <para>Specifies the length of the receive queue for broadcast/multicast packets. An unsigned
1d3a473b 567 integer in the range 0…4294967294. Defaults to unset.</para>
568 </listitem>
569 </varlistentry>
798d3a52 570 </variablelist>
571 </refsect1>
572
488d0ba1 573 <refsect1>
574 <title>[MACVTAP] Section Options</title>
575
576 <para>The [MACVTAP] section applies for netdevs of kind <literal>macvtap</literal> and accepts the same
577 keys as [MACVLAN].</para>
488d0ba1 578 </refsect1>
0371f2df 579
580 <refsect1>
581 <title>[IPVLAN] Section Options</title>
582
bdac5608 583 <para>The [IPVLAN] section only applies for
584 netdevs of kind <literal>ipvlan</literal>, and accepts the
585 following key:</para>
586
587 <variablelist class='network-directives'>
588 <varlistentry>
589 <term><varname>Mode=</varname></term>
590 <listitem>
591 <para>The IPVLAN mode to use. The supported options are
592 <literal>L2</literal>, <literal>L3</literal> and <literal>L3S</literal>.
593 </para>
594 </listitem>
d384826f 595 </varlistentry>
488d0ba1 596 <varlistentry>
d384826f 597 <term><varname>Flags=</varname></term>
598 <listitem>
599 <para>The IPVLAN flags to use. The supported options are
600 <literal>bridge</literal>, <literal>private</literal> and <literal>vepa</literal>.
601 </para>
602 </listitem>
603 </varlistentry>
604 </variablelist>
605 </refsect1>
606
607 <refsect1>
608 <title>[IPVTAP] Section Options</title>
609
610 <para>The [IPVTAP] section only applies for netdevs of kind <literal>ipvtap</literal> and accepts the
611 same keys as [IPVLAN].</para>
612 </refsect1>
613
614 <refsect1>
615 <title>[VXLAN] Section Options</title>
488d0ba1 616
bdac5608 617 <para>The [VXLAN] section only applies for
618 netdevs of kind <literal>vxlan</literal>, and accepts the
619 following keys:</para>
620
621 <variablelist class='network-directives'>
622 <varlistentry>
6f213e4a 623 <term><varname>VNI=</varname></term>
798d3a52 624 <listitem>
1d3a473b 625 <para>The VXLAN Network Identifier (or VXLAN Segment ID). Takes a number in the range 1…16777215.</para>
626 </listitem>
627 </varlistentry>
628 <varlistentry>
d35e5d37 629 <term><varname>Remote=</varname></term>
798d3a52 630 <listitem>
bf443be9 631 <para>Configures destination IP address.</para>
632 </listitem>
633 </varlistentry>
634 <varlistentry>
635 <term><varname>Local=</varname></term>
636 <listitem>
637 <para>Configures local IP address.</para>
638 </listitem>
639 </varlistentry>
640 <varlistentry>
641 <term><varname>Group=</varname></term>
642 <listitem>
643 <para>Configures VXLAN multicast group IP address. All members of a VXLAN must use the same
644 multicast group address.</para>
83cb24ac 645 </listitem>
d35e5d37 646 </varlistentry>
488d0ba1 647 <varlistentry>
648 <term><varname>TOS=</varname></term>
649 <listitem>
650 <para>The Type Of Service byte value for a vxlan interface.</para>
651 </listitem>
652 </varlistentry>
653 <varlistentry>
654 <term><varname>TTL=</varname></term>
655 <listitem>
f4a8ca32 656 <para>A fixed Time To Live N on Virtual eXtensible Local Area Network packets.
be0d27ee 657 Takes <literal>inherit</literal> or a number in the range 0…255. 0 is a special
658 value meaning inherit the inner protocol's TTL value. <literal>inherit</literal>
659 means that it will inherit the outer protocol's TTL value.</para>
798d3a52
ZJS
660 </listitem>
661 </varlistentry>
662 <varlistentry>
663 <term><varname>MacLearning=</varname></term>
664 <listitem>
9b6ffef3 665 <para>Takes a boolean. When true, enables dynamic MAC learning
798d3a52
ZJS
666 to discover remote MAC addresses.</para>
667 </listitem>
668 </varlistentry>
669 <varlistentry>
670 <term><varname>FDBAgeingSec=</varname></term>
671 <listitem>
672 <para>The lifetime of a Forwarding Database entry learnt by
b938cb90 673 the kernel, in seconds.</para>
798d3a52
ZJS
674 </listitem>
675 </varlistentry>
676 <varlistentry>
3d276dd2
SS
677 <term><varname>MaximumFDBEntries=</varname></term>
678 <listitem>
679 <para>Configures the maximum number of FDB entries.</para>
680 </listitem>
681 </varlistentry>
798d3a52 682 <varlistentry>
7dd6974c 683 <term><varname>ReduceARPProxy=</varname></term>
798d3a52 684 <listitem>
9b6ffef3 685 <para>Takes a boolean. When true, bridge-connected VXLAN tunnel
7dd6974c
SS
686 endpoint answers ARP requests from the local bridge on behalf
687 of remote Distributed Overlay Virtual Ethernet
688 <ulink url="https://en.wikipedia.org/wiki/Distributed_Overlay_Virtual_Ethernet">
689 (DOVE)</ulink> clients. Defaults to false.</para>
798d3a52
ZJS
690 </listitem>
691 </varlistentry>
692 <varlistentry>
693 <term><varname>L2MissNotification=</varname></term>
694 <listitem>
9b6ffef3 695 <para>Takes a boolean. When true, enables netlink LLADDR miss
798d3a52
ZJS
696 notifications.</para>
697 </listitem>
698 </varlistentry>
699 <varlistentry>
700 <term><varname>L3MissNotification=</varname></term>
701 <listitem>
e9dd6984 702 <para>Takes a boolean. When true, enables netlink IP address miss notifications.</para>
798d3a52
ZJS
703 </listitem>
704 </varlistentry>
705 <varlistentry>
706 <term><varname>RouteShortCircuit=</varname></term>
707 <listitem>
9b6ffef3 708 <para>Takes a boolean. When true, route short circuiting is turned
798d3a52
ZJS
709 on.</para>
710 </listitem>
711 </varlistentry>
cffacc74 712 <varlistentry>
53c06862 713 <term><varname>UDPChecksum=</varname></term>
cffacc74 714 <listitem>
9b6ffef3 715 <para>Takes a boolean. When true, transmitting UDP checksums when doing VXLAN/IPv4 is turned on.</para>
cffacc74
SS
716 </listitem>
717 </varlistentry>
718 <varlistentry>
719 <term><varname>UDP6ZeroChecksumTx=</varname></term>
720 <listitem>
9b6ffef3 721 <para>Takes a boolean. When true, sending zero checksums in VXLAN/IPv6 is turned on.</para>
cffacc74
SS
722 </listitem>
723 </varlistentry>
724 <varlistentry>
53c06862 725 <term><varname>UDP6ZeroChecksumRx=</varname></term>
cffacc74 726 <listitem>
9b6ffef3 727 <para>Takes a boolean. When true, receiving zero checksums in VXLAN/IPv6 is turned on.</para>
16441027
SS
728 </listitem>
729 </varlistentry>
730 <varlistentry>
53c06862 731 <term><varname>RemoteChecksumTx=</varname></term>
16441027 732 <listitem>
9b6ffef3 733 <para>Takes a boolean. When true, remote transmit checksum offload of VXLAN is turned on.</para>
16441027
SS
734 </listitem>
735 </varlistentry>
736 <varlistentry>
53c06862 737 <term><varname>RemoteChecksumRx=</varname></term>
16441027 738 <listitem>
9b6ffef3 739 <para>Takes a boolean. When true, remote receive checksum offload in VXLAN is turned on.</para>
cffacc74
SS
740 </listitem>
741 </varlistentry>
488d0ba1
YW
742 <varlistentry>
743 <term><varname>GroupPolicyExtension=</varname></term>
744 <listitem>
745 <para>Takes a boolean. When true, it enables Group Policy VXLAN extension security label mechanism
746 across network peers based on VXLAN. For details about the Group Policy VXLAN, see the
747 <ulink url="https://tools.ietf.org/html/draft-smith-vxlan-group-policy">
748 VXLAN Group Policy </ulink> document. Defaults to false.</para>
749 </listitem>
750 </varlistentry>
751 <varlistentry>
752 <term><varname>GenericProtocolExtension=</varname></term>
753 <listitem>
754 <para>Takes a boolean. When true, Generic Protocol Extension extends the existing VXLAN protocol
755 to provide protocol typing, OAM, and versioning capabilities. For details about the VXLAN GPE
756 Header, see the <ulink url="https://tools.ietf.org/html/draft-ietf-nvo3-vxlan-gpe-07">
757 Generic Protocol Extension for VXLAN </ulink> document. If destination port is not specified and
758 Generic Protocol Extension is set then default port of 4790 is used. Defaults to false.</para>
759 </listitem>
760 </varlistentry>
761 <varlistentry>
762 <term><varname>DestinationPort=</varname></term>
763 <listitem>
e6fd398d
ZJS
764 <para>Configures the default destination UDP port. If the destination port is not specified then
765 Linux kernel default will be used. Set to 4789 to get the IANA assigned value.</para>
488d0ba1
YW
766 </listitem>
767 </varlistentry>
768 <varlistentry>
769 <term><varname>PortRange=</varname></term>
ea0288d1 770 <listitem>
e6fd398d
ZJS
771 <para>Configures the source port range for the VXLAN. The kernel assigns the source UDP port based
772 on the flow to help the receiver to do load balancing. When this option is not set, the normal
773 range of local UDP ports is used.</para>
ea0288d1
SS
774 </listitem>
775 </varlistentry>
488d0ba1
YW
776 <varlistentry>
777 <term><varname>FlowLabel=</varname></term>
d8653945
SS
778 <listitem>
779 <para>Specifies the flow label to use in outgoing packets.
780 The valid range is 0-1048575.
781 </para>
782 </listitem>
488d0ba1 783 </varlistentry>
1189c00a
SS
784 <varlistentry>
785 <term><varname>IPDoNotFragment=</varname></term>
786 <listitem>
11fcfc53 787 <para>Allows setting the IPv4 Do not Fragment (DF) bit in outgoing packets, or to inherit its
1189c00a
SS
788 value from the IPv4 inner header. Takes a boolean value, or <literal>inherit</literal>. Set
789 to <literal>inherit</literal> if the encapsulated protocol is IPv6. When unset, the kernel's
790 default will be used.</para>
791 </listitem>
d8653945 792 </varlistentry>
798d3a52
ZJS
793 </variablelist>
794 </refsect1>
488d0ba1 795
6598e046
SS
796 <refsect1>
797 <title>[GENEVE] Section Options</title>
488d0ba1 798
bdac5608 799 <para>The [GENEVE] section only applies for
6598e046
SS
800 netdevs of kind <literal>geneve</literal>, and accepts the
801 following keys:</para>
802
803 <variablelist class='network-directives'>
804 <varlistentry>
805 <term><varname>Id=</varname></term>
806 <listitem>
e375ceb6
ZJS
807 <para>Specifies the Virtual Network Identifier (VNI) to use, a number between 0 and 16777215. This
808 field is mandatory.</para>
6598e046
SS
809 </listitem>
810 </varlistentry>
811 <varlistentry>
812 <term><varname>Remote=</varname></term>
813 <listitem>
814 <para>Specifies the unicast destination IP address to use in outgoing packets.</para>
815 </listitem>
816 </varlistentry>
817 <varlistentry>
818 <term><varname>TOS=</varname></term>
819 <listitem>
e375ceb6 820 <para>Specifies the TOS value to use in outgoing packets. Takes a number between 1 and 255.</para>
6598e046
SS
821 </listitem>
822 </varlistentry>
823 <varlistentry>
824 <term><varname>TTL=</varname></term>
825 <listitem>
bdac5608 826 <para>Accepts the same values as in the [VXLAN] section, except that when unset
e9dd6984 827 or set to 0, the kernel's default will be used, meaning that packet TTL will be set from
328184d1 828 <filename>/proc/sys/net/ipv4/ip_default_ttl</filename>.</para>
6598e046
SS
829 </listitem>
830 </varlistentry>
831 <varlistentry>
832 <term><varname>UDPChecksum=</varname></term>
833 <listitem>
e9dd6984
ZJS
834 <para>Takes a boolean. When true, specifies that UDP checksum is calculated for transmitted packets
835 over IPv4.</para>
6598e046
SS
836 </listitem>
837 </varlistentry>
838 <varlistentry>
839 <term><varname>UDP6ZeroChecksumTx=</varname></term>
840 <listitem>
9b6ffef3 841 <para>Takes a boolean. When true, skip UDP checksum calculation for transmitted packets over IPv6.</para>
6598e046
SS
842 </listitem>
843 </varlistentry>
844 <varlistentry>
845 <term><varname>UDP6ZeroChecksumRx=</varname></term>
846 <listitem>
9b6ffef3 847 <para>Takes a boolean. When true, allows incoming UDP packets over IPv6 with zero checksum field.</para>
6598e046
SS
848 </listitem>
849 </varlistentry>
488d0ba1
YW
850 <varlistentry>
851 <term><varname>DestinationPort=</varname></term>
852 <listitem>
853 <para>Specifies destination port. Defaults to 6081. If not set or assigned the empty string, the default
854 port of 6081 is used.</para>
855 </listitem>
856 </varlistentry>
857 <varlistentry>
858 <term><varname>FlowLabel=</varname></term>
6598e046
SS
859 <listitem>
860 <para>Specifies the flow label to use in outgoing packets.</para>
861 </listitem>
488d0ba1
YW
862 </varlistentry>
863 <varlistentry>
864 <term><varname>IPDoNotFragment=</varname></term>
aac35019 865 <listitem>
885a4e6c 866 <para>Accepts the same key as in [VXLAN] section.</para>
aac35019 867 </listitem>
488d0ba1 868 </varlistentry>
a9b8450b
SS
869 <varlistentry>
870 <term><varname>Independent=</varname></term>
871 <listitem>
905a03e7
ZJS
872 <para>Takes a boolean. When true, the vxlan interface is created without any underlying network
873 interface. Defaults to false, which means that a .network file that requests this tunnel using
874 <varname>Tunnel=</varname> is required for the tunnel to be created.</para>
a9b8450b
SS
875 </listitem>
876 </varlistentry>
6598e046
SS
877 </variablelist>
878 </refsect1>
488d0ba1 879
e6980c72
SS
880 <refsect1>
881 <title>[BareUDP] Section Options</title>
882
883 <para>The [BareUDP] section only applies for
884 netdevs of kind <literal>bareudp</literal>, and accepts the
885 following keys:</para>
886
887 <variablelist class='network-directives'>
888 <varlistentry>
889 <term><varname>DestinationPort=</varname></term>
890 <listitem>
891 <para>Specifies the destination UDP port (in range 1…65535). This is mandatory.</para>
892 </listitem>
893 </varlistentry>
894
895 <varlistentry>
896 <term><varname>EtherType=</varname></term>
897 <listitem>
898 <para>Specifies the L3 protocol. Takes one of <literal>ipv4</literal>, <literal>ipv6</literal>, <literal>mpls-uc</literal>
899 or <literal>mpls-mc</literal>. This is mandatory.</para>
900 </listitem>
901 </varlistentry>
902 </variablelist>
903 </refsect1>
904
3a56e697
SS
905 <refsect1>
906 <title>[L2TP] Section Options</title>
488d0ba1 907
bdac5608 908 <para>The [L2TP] section only applies for
3a56e697
SS
909 netdevs of kind <literal>l2tp</literal>, and accepts the
910 following keys:</para>
911
912 <variablelist class='network-directives'>
913 <varlistentry>
914 <term><varname>TunnelId=</varname></term>
915 <listitem>
be0d27ee 916 <para>Specifies the tunnel identifier. Takes a number in the range 1…4294967295. The value used
e9dd6984
ZJS
917 must match the <literal>PeerTunnelId=</literal> value being used at the peer. This setting is
918 compulsory.</para>
3a56e697
SS
919 </listitem>
920 </varlistentry>
921 <varlistentry>
922 <term><varname>PeerTunnelId=</varname></term>
923 <listitem>
1d3a473b 924 <para>Specifies the peer tunnel id. Takes a number in the range 1…4294967295. The value used must
885a4e6c
ZJS
925 match the <literal>TunnelId=</literal> value being used at the peer. This setting is compulsory.
926 </para>
3a56e697
SS
927 </listitem>
928 </varlistentry>
929 <varlistentry>
930 <term><varname>Remote=</varname></term>
931 <listitem>
e9dd6984 932 <para>Specifies the IP address of the remote peer. This setting is compulsory.</para>
3a56e697
SS
933 </listitem>
934 </varlistentry>
935 <varlistentry>
936 <term><varname>Local=</varname></term>
937 <listitem>
d053d08a
YW
938 <para>Specifies the IP address of the local interface. Takes an IP address, or the special values
939 <literal>auto</literal>, <literal>static</literal>, or <literal>dynamic</literal>. When an address
940 is set, then the local interface must have the address. If <literal>auto</literal>, then one of the
941 addresses on the local interface is used. Similarly, if <literal>static</literal> or
942 <literal>dynamic</literal> is set, then one of the static or dynamic addresses on the local
943 interface is used. Defaults to <literal>auto</literal>.</para>
3a56e697
SS
944 </listitem>
945 </varlistentry>
946 <varlistentry>
947 <term><varname>EncapsulationType=</varname></term>
948 <listitem>
e9dd6984
ZJS
949 <para>Specifies the encapsulation type of the tunnel. Takes one of <literal>udp</literal> or
950 <literal>ip</literal>.</para>
3a56e697
SS
951 </listitem>
952 </varlistentry>
953 <varlistentry>
954 <term><varname>UDPSourcePort=</varname></term>
955 <listitem>
e9dd6984
ZJS
956 <para>Specifies the UDP source port to be used for the tunnel. When UDP encapsulation is selected
957 it's mandatory. Ignored when IP encapsulation is selected.</para>
3a56e697
SS
958 </listitem>
959 </varlistentry>
960 <varlistentry>
c14faa94 961 <term><varname>UDPDestinationPort=</varname></term>
3a56e697 962 <listitem>
e9dd6984 963 <para>Specifies destination port. When UDP encapsulation is selected it's mandatory. Ignored when IP
3a56e697
SS
964 encapsulation is selected.</para>
965 </listitem>
966 </varlistentry>
967 <varlistentry>
968 <term><varname>UDPChecksum=</varname></term>
969 <listitem>
e9dd6984
ZJS
970 <para>Takes a boolean. When true, specifies that UDP checksum is calculated for transmitted packets
971 over IPv4.</para>
3a56e697
SS
972 </listitem>
973 </varlistentry>
974 <varlistentry>
975 <term><varname>UDP6ZeroChecksumTx=</varname></term>
976 <listitem>
977 <para>Takes a boolean. When true, skip UDP checksum calculation for transmitted packets over IPv6.</para>
978 </listitem>
979 </varlistentry>
980 <varlistentry>
981 <term><varname>UDP6ZeroChecksumRx=</varname></term>
982 <listitem>
983 <para>Takes a boolean. When true, allows incoming UDP packets over IPv6 with zero checksum field.</para>
984 </listitem>
985 </varlistentry>
986 </variablelist>
987 </refsect1>
488d0ba1 988
3a56e697
SS
989 <refsect1>
990 <title>[L2TPSession] Section Options</title>
488d0ba1 991
bdac5608 992 <para>The [L2TPSession] section only applies for
3a56e697
SS
993 netdevs of kind <literal>l2tp</literal>, and accepts the
994 following keys:</para>
995 <variablelist class='network-directives'>
996 <varlistentry>
997 <term><varname>Name=</varname></term>
998 <listitem>
e9dd6984 999 <para>Specifies the name of the session. This setting is compulsory.</para>
3a56e697
SS
1000 </listitem>
1001 </varlistentry>
1002 <varlistentry>
1003 <term><varname>SessionId=</varname></term>
1004 <listitem>
be0d27ee 1005 <para>Specifies the session identifier. Takes a number in the range 1…4294967295. The value used
e9dd6984
ZJS
1006 must match the <literal>SessionId=</literal> value being used at the peer. This setting is
1007 compulsory.</para>
3a56e697
SS
1008 </listitem>
1009 </varlistentry>
1010 <varlistentry>
1011 <term><varname>PeerSessionId=</varname></term>
1012 <listitem>
be0d27ee 1013 <para>Specifies the peer session identifier. Takes a number in the range 1…4294967295.
e9dd6984
ZJS
1014 The value used must match the <literal>PeerSessionId=</literal> value being used at the peer.
1015 This setting is compulsory.</para>
3a56e697
SS
1016 </listitem>
1017 </varlistentry>
1018 <varlistentry>
1019 <term><varname>Layer2SpecificHeader=</varname></term>
1020 <listitem>
1021 <para>Specifies layer2specific header type of the session. One of <literal>none</literal> or <literal>default</literal>. Defaults to <literal>default</literal>.</para>
1022 </listitem>
1023 </varlistentry>
1024 </variablelist>
1025 </refsect1>
488d0ba1 1026
81962db7
SS
1027 <refsect1>
1028 <title>[MACsec] Section Options</title>
488d0ba1 1029
bdac5608 1030 <para>The [MACsec] section only applies for network devices of kind
81962db7
SS
1031 <literal>macsec</literal>, and accepts the following keys:</para>
1032
1033 <variablelist class='network-directives'>
1034 <varlistentry>
1035 <term><varname>Port=</varname></term>
1036 <listitem>
1037 <para>Specifies the port to be used for the MACsec transmit channel. The port is used to make
1038 secure channel identifier (SCI). Takes a value between 1 and 65535. Defaults to unset.
1039 </para>
1040 </listitem>
1041 </varlistentry>
1042 <varlistentry>
1043 <term><varname>Encrypt=</varname></term>
1044 <listitem>
1045 <para>Takes a boolean. When true, enable encryption. Defaults to unset.</para>
1046 </listitem>
1047 </varlistentry>
1048 </variablelist>
1049 </refsect1>
488d0ba1 1050
81962db7
SS
1051 <refsect1>
1052 <title>[MACsecReceiveChannel] Section Options</title>
bdac5608 1053 <para>The [MACsecReceiveChannel] section only applies for network devices of
81962db7
SS
1054 kind <literal>macsec</literal>, and accepts the following keys:</para>
1055
1056 <variablelist class='network-directives'>
1057 <varlistentry>
1058 <term><varname>Port=</varname></term>
1059 <listitem>
1060 <para>Specifies the port to be used for the MACsec receive channel. The port is used to make
1061 secure channel identifier (SCI). Takes a value between 1 and 65535. This option is
1062 compulsory, and is not set by default.</para>
1063 </listitem>
1064 </varlistentry>
1065 <varlistentry>
1066 <term><varname>MACAddress=</varname></term>
1067 <listitem>
1068 <para>Specifies the MAC address to be used for the MACsec receive channel. The MAC address
e9dd6984 1069 is used to make secure channel identifier (SCI). This setting is compulsory, and is not set by
81962db7
SS
1070 default.</para>
1071 </listitem>
1072 </varlistentry>
1073 </variablelist>
1074 </refsect1>
488d0ba1 1075
81962db7
SS
1076 <refsect1>
1077 <title>[MACsecTransmitAssociation] Section Options</title>
488d0ba1 1078
bdac5608 1079 <para>The [MACsecTransmitAssociation] section only applies for network devices
81962db7
SS
1080 of kind <literal>macsec</literal>, and accepts the following keys:</para>
1081
1082 <variablelist class='network-directives'>
1083 <varlistentry>
1084 <term><varname>PacketNumber=</varname></term>
1085 <listitem>
1086 <para>Specifies the packet number to be used for replay protection and the construction of
1087 the initialization vector (along with the secure channel identifier [SCI]). Takes a value
1088 between 1-4,294,967,295. Defaults to unset.
1089 </para>
1090 </listitem>
1091 </varlistentry>
1092 <varlistentry>
1093 <term><varname>KeyId=</varname></term>
1094 <listitem>
1095 <para>Specifies the identification for the key. Takes a number between 0-255. This option
1096 is compulsory, and is not set by default.</para>
1097 </listitem>
1098 </varlistentry>
1099 <varlistentry>
1100 <term><varname>Key=</varname></term>
1101 <listitem>
1102 <para>Specifies the encryption key used in the transmission channel. The same key must be
e9dd6984 1103 configured on the peer’s matching receive channel. This setting is compulsory, and is not set
81962db7
SS
1104 by default. Takes a 128-bit key encoded in a hexadecimal string, for example
1105 <literal>dffafc8d7b9a43d5b9a3dfbbf6a30c16</literal>.</para>
1106 </listitem>
1107 </varlistentry>
eb4705fb
YW
1108 <varlistentry>
1109 <term><varname>KeyFile=</varname></term>
1110 <listitem>
387f6955 1111 <para>Takes an absolute path to a file which contains a 128-bit key encoded in a hexadecimal string,
49f16281 1112 which will be used in the transmission channel. When this option is specified,
eb4705fb
YW
1113 <varname>Key=</varname> is ignored. Note that the file must be readable by the user
1114 <literal>systemd-network</literal>, so it should be, e.g., owned by
49f16281
LP
1115 <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode. If the path
1116 refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is made to
1117 it and the key read from it.</para>
eb4705fb
YW
1118 </listitem>
1119 </varlistentry>
a7b9c52f
YW
1120 <varlistentry>
1121 <term><varname>Activate=</varname></term>
1122 <listitem>
1123 <para>Takes a boolean. If enabled, then the security association is activated. Defaults to
1124 unset.</para>
1125 </listitem>
1126 </varlistentry>
b0e13c31
YW
1127 <varlistentry>
1128 <term><varname>UseForEncoding=</varname></term>
1129 <listitem>
1130 <para>Takes a boolean. If enabled, then the security association is used for encoding. Only
bdac5608 1131 one [MACsecTransmitAssociation] section can enable this option. When enabled,
b0e13c31
YW
1132 <varname>Activate=yes</varname> is implied. Defaults to unset.</para>
1133 </listitem>
1134 </varlistentry>
81962db7
SS
1135 </variablelist>
1136 </refsect1>
488d0ba1 1137
81962db7
SS
1138 <refsect1>
1139 <title>[MACsecReceiveAssociation] Section Options</title>
488d0ba1 1140
bdac5608 1141 <para>The [MACsecReceiveAssociation] section only applies for
81962db7
SS
1142 network devices of kind <literal>macsec</literal>, and accepts the
1143 following keys:</para>
1144
1145 <variablelist class='network-directives'>
1146 <varlistentry>
1147 <term><varname>Port=</varname></term>
1148 <listitem>
885a4e6c 1149 <para>Accepts the same key as in [MACsecReceiveChannel] section.</para>
81962db7
SS
1150 </listitem>
1151 </varlistentry>
1152 <varlistentry>
1153 <term><varname>MACAddress=</varname></term>
1154 <listitem>
885a4e6c 1155 <para>Accepts the same key as in [MACsecReceiveChannel] section.</para>
81962db7
SS
1156 </listitem>
1157 </varlistentry>
1158 <varlistentry>
1159 <term><varname>PacketNumber=</varname></term>
1160 <listitem>
885a4e6c 1161 <para>Accepts the same key as in [MACsecTransmitAssociation] section.</para>
81962db7
SS
1162 </listitem>
1163 </varlistentry>
1164 <varlistentry>
1165 <term><varname>KeyId=</varname></term>
1166 <listitem>
885a4e6c 1167 <para>Accepts the same key as in [MACsecTransmitAssociation] section.</para>
81962db7
SS
1168 </listitem>
1169 </varlistentry>
1170 <varlistentry>
1171 <term><varname>Key=</varname></term>
1172 <listitem>
885a4e6c 1173 <para>Accepts the same key as in [MACsecTransmitAssociation] section.</para>
81962db7
SS
1174 </listitem>
1175 </varlistentry>
eb4705fb
YW
1176 <varlistentry>
1177 <term><varname>KeyFile=</varname></term>
1178 <listitem>
885a4e6c 1179 <para>Accepts the same key as in [MACsecTransmitAssociation] section.</para>
eb4705fb
YW
1180 </listitem>
1181 </varlistentry>
a7b9c52f
YW
1182 <varlistentry>
1183 <term><varname>Activate=</varname></term>
1184 <listitem>
885a4e6c 1185 <para>Accepts the same key as in [MACsecTransmitAssociation] section.</para>
a7b9c52f
YW
1186 </listitem>
1187 </varlistentry>
81962db7
SS
1188 </variablelist>
1189 </refsect1>
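A validation sketch for the MACsec association keys documented above, added here as an example (it is not part of the systemd documentation or code): it checks `KeyId=`, `PacketNumber=`, `Key=` and `KeyFile=` against the stated ranges and formats, and reports a key file that is accessible to others. The function names, the constructed sample configuration, and the rule that any permission bit for "other" is reported are assumptions of this example.

```python
import os
import re
import stat
import tempfile

ASSOC = {"MACsecTransmitAssociation", "MACsecReceiveAssociation"}
HEX_128 = re.compile(r"[0-9a-fA-F]{32}")
TRUE_VALUES = {"1", "yes", "y", "true", "t", "on"}  # systemd boolean spellings

# Constructed sample .netdev; {key_file} is filled in by demo().
SAMPLE = """\
[NetDev]
Name=macsec0
Kind=macsec

[MACsecTransmitAssociation]
KeyId=1
KeyFile={key_file}
Key=dffafc8d7b9a43d5b9a3dfbbf6a30c16
UseForEncoding=yes

[MACsecTransmitAssociation]
KeyId=300
Key=dffafc8d7b9a43d5
UseForEncoding=yes
"""


def parse_sections(text):
    """Return [(section, {key: value})]; repeated sections stay separate."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = value.strip()
    return sections


def in_range(value, low, high):
    """True if value is a plain decimal number within [low, high]."""
    return value.isascii() and value.isdigit() and low <= int(value) <= high


def check_key_file(path):
    """Findings for a KeyFile= target; the key itself is never echoed."""
    if not os.path.isabs(path):
        return ["KeyFile= is not an absolute path"]
    try:
        st = os.stat(path)
        if stat.S_ISSOCK(st.st_mode):
            return []  # AF_UNIX socket: the key is served over a connection
        with open(path, encoding="ascii", errors="replace") as fh:
            content = fh.read().strip()
    except OSError as exc:
        return [f"KeyFile= cannot be read ({exc.strerror})"]
    findings = []
    if st.st_mode & 0o007:  # assumption: any access for "other" is too wide
        mode = stat.S_IMODE(st.st_mode)
        findings.append(f"KeyFile= mode {mode:04o} grants access to others")
    if not HEX_128.fullmatch(content):
        findings.append("KeyFile= content is not a 128-bit hex string")
    return findings


def audit_macsec(text):
    """Check MACsec association sections against the documented constraints."""
    findings, encoders = [], 0
    for index, (name, keys) in enumerate(parse_sections(text), 1):
        if name not in ASSOC:
            continue
        where = f"[{name}] #{index}"
        if not in_range(keys.get("KeyId", ""), 0, 255):
            findings.append(f"{where}: KeyId= missing or outside 0-255")
        if "PacketNumber" in keys and not in_range(keys["PacketNumber"], 1, 4294967295):
            findings.append(f"{where}: PacketNumber= outside 1-4294967295")
        if "KeyFile" in keys:
            if "Key" in keys:
                findings.append(f"{where}: Key= is ignored because KeyFile= is set")
            findings += [f"{where}: {f}" for f in check_key_file(keys["KeyFile"])]
        elif not HEX_128.fullmatch(keys.get("Key", "")):
            findings.append(f"{where}: Key= missing or not a 128-bit hex string")
        if name == "MACsecTransmitAssociation":
            encoders += keys.get("UseForEncoding", "").lower() in TRUE_VALUES
    if encoders > 1:
        findings.append("UseForEncoding= enabled in more than one section")
    return findings


def demo():
    """Audit SAMPLE with a key file that is deliberately left at mode 0644."""
    with tempfile.TemporaryDirectory() as tmp:
        key_file = os.path.join(tmp, "macsec.key")
        with open(key_file, "w") as fh:
            fh.write("dffafc8d7b9a43d5b9a3dfbbf6a30c16\n")  # example value from the page
        os.chmod(key_file, 0o644)
        return audit_macsec(SAMPLE.format(key_file=key_file))
```

The owner and group of the key file (`root:systemd-network` in the text above) are not checked here, because that group only exists on hosts running networkd.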
488d0ba1 1190
798d3a52
ZJS
1191 <refsect1>
1192 <title>[Tunnel] Section Options</title>
1193
bdac5608 1194 <para>The [Tunnel] section only applies for
798d3a52
ZJS
1195 netdevs of kind
1196 <literal>ipip</literal>,
1197 <literal>sit</literal>,
1198 <literal>gre</literal>,
1199 <literal>gretap</literal>,
1200 <literal>ip6gre</literal>,
1201 <literal>ip6gretap</literal>,
5cc0748e 1202 <literal>vti</literal>,
af555aa3
YW
1203 <literal>vti6</literal>,
1204 <literal>ip6tnl</literal>, and
1205 <literal>erspan</literal> and accepts
798d3a52
ZJS
1206 the following keys:</para>
1207
1208 <variablelist class='network-directives'>
1209 <varlistentry>
1210 <term><varname>Local=</varname></term>
1211 <listitem>
8643885f
YW
1212 <para>A static local address for tunneled packets. It must be an address on another interface of
1213 this host, or the special value <literal>any</literal>.</para>
798d3a52
ZJS
1214 </listitem>
1215 </varlistentry>
1216 <varlistentry>
1217 <term><varname>Remote=</varname></term>
1218 <listitem>
8643885f
YW
1219 <para>The remote endpoint of the tunnel. Takes an IP address or the special value
1220 <literal>any</literal>.</para>
798d3a52
ZJS
1221 </listitem>
1222 </varlistentry>
1223 <varlistentry>
1224 <term><varname>TOS=</varname></term>
1225 <listitem>
1226 <para>The Type Of Service byte value for a tunnel interface.
b938cb90 1227 For details about the TOS, see the
798d3a52
ZJS
1228 <ulink url="http://tools.ietf.org/html/rfc1349"> Type of
1229 Service in the Internet Protocol Suite </ulink> document.
1230 </para>
1231 </listitem>
1232 </varlistentry>
1233 <varlistentry>
1234 <term><varname>TTL=</varname></term>
1235 <listitem>
1236 <para>A fixed Time To Live N on tunneled packets. N is a
be0d27ee 1237 number in the range 1…255. 0 is a special value meaning that
798d3a52 1238 packets inherit the TTL value. The default value for IPv4
e9dd6984 1239 tunnels is 0 (inherit). The default value for IPv6 tunnels is
798d3a52
ZJS
1240 64.</para>
1241 </listitem>
1242 </varlistentry>
1243 <varlistentry>
1244 <term><varname>DiscoverPathMTU=</varname></term>
1245 <listitem>
9b6ffef3 1246 <para>Takes a boolean. When true, enables Path MTU Discovery on
798d3a52
ZJS
1247 the tunnel.</para>
1248 </listitem>
1249 </varlistentry>
276de526
SS
1250 <varlistentry>
1251 <term><varname>IPv6FlowLabel=</varname></term>
1252 <listitem>
a8eaaee7 1253 <para>Configures the 20-bit flow label (see <ulink url="https://tools.ietf.org/html/rfc6437">
276de526 1254 RFC 6437</ulink>) field in the IPv6 header (see <ulink url="https://tools.ietf.org/html/rfc2460">
a8eaaee7
JE
1255 RFC 2460</ulink>), which is used by a node to label packets of a flow.
1256 It is only used for IPv6 tunnels.
1257 A flow label of zero is used to indicate packets that have
1258 not been labeled.
be0d27ee 1259 It can be configured to a value in the range 0…0xFFFFF, or be
a8eaaee7 1260 set to <literal>inherit</literal>, in which case the original flowlabel is used.</para>
276de526
SS
1261 </listitem>
1262 </varlistentry>
9b0ca30a 1263 <varlistentry>
a9b70f9d 1264 <term><varname>CopyDSCP=</varname></term>
9b0ca30a 1265 <listitem>
9b6ffef3 1266 <para>Takes a boolean. When true, the Differentiated Service Code
3cf4bcab 1267 Point (DSCP) field will be copied to the inner header from
a9b70f9d 1268 outer header during the decapsulation of an IPv6 tunnel
3cf4bcab
ZJS
1269 packet. DSCP is a field in an IP packet that enables different
1270 levels of service to be assigned to network traffic.
1271 Defaults to <literal>no</literal>.
9b0ca30a
SS
1272 </para>
1273 </listitem>
1274 </varlistentry>
dae398a8
SS
1275 <varlistentry>
1276 <term><varname>EncapsulationLimit=</varname></term>
1277 <listitem>
1278 <para>The Tunnel Encapsulation Limit option specifies how many additional
1279 levels of encapsulation are permitted to be prepended to the packet.
1280 For example, a Tunnel Encapsulation Limit option containing a limit
1281 value of zero means that a packet carrying that option may not enter
1282 another tunnel before exiting the current tunnel.
1283 (see <ulink url="https://tools.ietf.org/html/rfc2473#section-4.1.1"> RFC 2473</ulink>).
b938cb90 1284 The valid range is 0–255 and <literal>none</literal>. Defaults to 4.
dae398a8
SS
1285 </para>
1286 </listitem>
1287 </varlistentry>
1d710029
SS
1288 <varlistentry>
1289 <term><varname>Key=</varname></term>
1290 <listitem>
1291 <para>The <varname>Key=</varname> parameter specifies the same key to use in
1292 both directions (<varname>InputKey=</varname> and <varname>OutputKey=</varname>).
1293 The <varname>Key=</varname> is either a number or an IPv4 address-like dotted quad.
1294 It is used as mark-configured SAD/SPD entry as part of the lookup key (both in data
e9dd6984 1295 and control path) in IP XFRM (framework used to implement IPsec protocol).
1d710029 1296 See <ulink url="http://man7.org/linux/man-pages/man8/ip-xfrm.8.html">
c65c01c4
YW
1297 ip-xfrm — transform configuration</ulink> for details. It is only used for VTI/VTI6,
1298 GRE, GRETAP, and ERSPAN tunnels.</para>
1d710029
SS
1299 </listitem>
1300 </varlistentry>
1301 <varlistentry>
1302 <term><varname>InputKey=</varname></term>
1303 <listitem>
1304 <para>The <varname>InputKey=</varname> parameter specifies the key to use for input.
c65c01c4
YW
1305 The format is the same as <varname>Key=</varname>. It is only used for VTI/VTI6, GRE, GRETAP,
1306 and ERSPAN tunnels.</para>
1d710029
SS
1307 </listitem>
1308 </varlistentry>
1309 <varlistentry>
1310 <term><varname>OutputKey=</varname></term>
1311 <listitem>
1312 <para>The <varname>OutputKey=</varname> parameter specifies the key to use for output.
c65c01c4
YW
1313 The format is the same as <varname>Key=</varname>. It is only used for VTI/VTI6, GRE, GRETAP,
1314 and ERSPAN tunnels.</para>
1d710029
SS
1315 </listitem>
1316 </varlistentry>
798d3a52
ZJS
1317 <varlistentry>
1318 <term><varname>Mode=</varname></term>
1319 <listitem>
a8eaaee7 1320 <para>An <literal>ip6tnl</literal> tunnel can be in one of three
798d3a52
ZJS
1321 modes
1322 <literal>ip6ip6</literal> for IPv6 over IPv6,
1323 <literal>ipip6</literal> for IPv4 over IPv6 or
1324 <literal>any</literal> for either.
1325 </para>
1326 </listitem>
1327 </varlistentry>
4d7fa6de
SS
1328 <varlistentry>
1329 <term><varname>Independent=</varname></term>
1330 <listitem>
905a03e7
ZJS
1331 <para>Takes a boolean. When false (the default), the tunnel is always created over some network
1332 device, and a .network file that requests this tunnel using <varname>Tunnel=</varname> is required
1333 for the tunnel to be created. When true, the tunnel is created independently of any network as
1334 "tunnel@NONE".</para>
4d7fa6de
SS
1335 </listitem>
1336 </varlistentry>
8c9c703c
YW
1337 <varlistentry>
1338 <term><varname>AssignToLoopback=</varname></term>
1339 <listitem>
1340 <para>Takes a boolean. If set to <literal>yes</literal>, the loopback interface <literal>lo</literal>
1341 is used as the underlying device of the tunnel interface. Defaults to <literal>no</literal>.</para>
1342 </listitem>
1343 </varlistentry>
3a4f3e42
SS
1344 <varlistentry>
1345 <term><varname>AllowLocalRemote=</varname></term>
1346 <listitem>
9b6ffef3 1347 <para>Takes a boolean. When true, allows tunnel traffic on <varname>ip6tnl</varname> devices where the remote endpoint is a local host address.
025314d9 1348 When unset, the kernel's default will be used.
3a4f3e42
SS
1349 </para>
1350 </listitem>
1351 </varlistentry>
53cb501a
SS
1352 <varlistentry>
1353 <term><varname>FooOverUDP=</varname></term>
1354 <listitem>
9b6ffef3 1355 <para>Takes a boolean. Specifies whether <varname>FooOverUDP=</varname> tunnel is to be configured.
0b145817
YW
1356 Defaults to false. This takes effect only for IPIP, SIT, GRE, and GRETAP tunnels.
1357 For more detailed information see
53cb501a
SS
1358 <ulink url="https://lwn.net/Articles/614348">Foo over UDP</ulink>.</para>
1359 </listitem>
1360 </varlistentry>
1361 <varlistentry>
1362 <term><varname>FOUDestinationPort=</varname></term>
1363 <listitem>
6f520e74 1364 <para>This setting specifies the UDP destination port for encapsulation.
0b145817 1365 This field is mandatory when <varname>FooOverUDP=yes</varname>, and is not set by default.</para>
53cb501a
SS
1366 </listitem>
1367 </varlistentry>
1368 <varlistentry>
1369 <term><varname>FOUSourcePort=</varname></term>
1370 <listitem>
6f520e74
ZJS
1371 <para>This setting specifies the UDP source port for encapsulation. Defaults to <constant>0</constant>
1372 — that is, the source port for packets is left to the network stack to decide.</para>
53cb501a
SS
1373 </listitem>
1374 </varlistentry>
1375 <varlistentry>
1376 <term><varname>Encapsulation=</varname></term>
1377 <listitem>
bdac5608 1378 <para>Accepts the same key as in the [FooOverUDP] section.</para>
53cb501a
SS
1379 </listitem>
1380 </varlistentry>
d067cab3
DA
1381 <varlistentry>
1382 <term><varname>IPv6RapidDeploymentPrefix=</varname></term>
1383 <listitem>
1384 <para>Reconfigure the tunnel for <ulink url="https://tools.ietf.org/html/rfc5569">IPv6 Rapid
1385 Deployment</ulink>, also known as 6rd. The value is an ISP-specific IPv6 prefix with a non-zero length. Only
1386 applicable to SIT tunnels.</para>
1387 </listitem>
1388 </varlistentry>
918049ad
SS
1389 <varlistentry>
1390 <term><varname>ISATAP=</varname></term>
1391 <listitem>
1392 <para>Takes a boolean. If set, configures the tunnel as Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel.
1393 Only applicable to SIT tunnels. When unset, the kernel's default will be used.</para>
1394 </listitem>
1395 </varlistentry>
2266864b
SS
1396 <varlistentry>
1397 <term><varname>SerializeTunneledPackets=</varname></term>
1398 <listitem>
c65c01c4
YW
1399 <para>Takes a boolean. If set to yes, then packets are serialized. Only applies for GRE,
1400 GRETAP, and ERSPAN tunnels. When unset, the kernel's default will be used.
2266864b
SS
1401 </para>
1402 </listitem>
1403 </varlistentry>
1404 <varlistentry>
1405 <term><varname>ERSPANIndex=</varname></term>
1406 <listitem>
1d3a473b 1407 <para>Specifies the ERSPAN index field for the interface, an integer in the range 1…1048575 associated with
2266864b
SS
1408 the ERSPAN traffic's source port and direction. This field is mandatory.
1409 </para>
1410 </listitem>
1411 </varlistentry>
798d3a52
ZJS
1412 </variablelist>
1413 </refsect1>
53cb501a
SS
1414
1415 <refsect1>
1416 <title>[FooOverUDP] Section Options</title>
1417
bdac5608 1418 <para>The [FooOverUDP] section only applies for
53cb501a
SS
1419 netdevs of kind <literal>fou</literal> and accepts the
1420 following keys:</para>
1421
1422 <variablelist class='network-directives'>
53cb501a
SS
1423 <varlistentry>
1424 <term><varname>Encapsulation=</varname></term>
1425 <listitem>
e9dd6984
ZJS
1426 <para>Specifies the encapsulation mechanism used to store networking packets of various protocols
1427 inside the UDP packets. Supports the following values:
53cb501a 1428
885a4e6c 1429 <literal>FooOverUDP</literal> provides the simplest no-frills model of UDP encapsulation, it simply
e9dd6984
ZJS
1430 encapsulates packets directly in the UDP payload. <literal>GenericUDPEncapsulation</literal> is a
1431 generic and extensible encapsulation, it allows encapsulation of packets for any IP protocol and
1432 optional data as part of the encapsulation. For more detailed information see <ulink
1433 url="https://lwn.net/Articles/615044">Generic UDP Encapsulation</ulink>. Defaults to
1434 <literal>FooOverUDP</literal>.
53cb501a
SS
1435 </para>
1436 </listitem>
1437 </varlistentry>
1438 <varlistentry>
1439 <term><varname>Port=</varname></term>
1440 <listitem>
885a4e6c
ZJS
1441 <para>Specifies the port number where the encapsulated packets will arrive. Those packets will be
1442 removed and manually fed back into the network stack with the encapsulation removed to be sent to
1443 the real destination. This option is mandatory.</para>
53cb501a 1444 </listitem>
488d0ba1 1445 </varlistentry>
8f02c9b0
SS
1446 <varlistentry>
1447 <term><varname>PeerPort=</varname></term>
1448 <listitem>
e9dd6984
ZJS
1449 <para>Specifies the peer port number. Defaults to unset. Note that when peer port is set
1450 <literal>Peer=</literal> address is mandatory.</para>
8f02c9b0 1451 </listitem>
488d0ba1 1452 </varlistentry>
0b145817
YW
1453 <varlistentry>
1454 <term><varname>Protocol=</varname></term>
1455 <listitem>
1456 <para>The <varname>Protocol=</varname> specifies the protocol number of the packets arriving
1457 at the UDP port. When <varname>Encapsulation=FooOverUDP</varname>, this field is mandatory
1458 and is not set by default. Takes an IP protocol name such as <literal>gre</literal> or
1d3a473b 1459 <literal>ipip</literal>, or an integer within the range 1…255. When
0b145817
YW
1460 <varname>Encapsulation=GenericUDPEncapsulation</varname>, this must not be specified.</para>
1461 </listitem>
1462 </varlistentry>
4502a61c
SS
1463 <varlistentry>
1464 <term><varname>Peer=</varname></term>
1465 <listitem>
e9dd6984
ZJS
1466 <para>Configures peer IP address. Note that when peer address is set <literal>PeerPort=</literal>
1467 is mandatory.</para>
4502a61c
SS
1468 </listitem>
1469 </varlistentry>
1470 <varlistentry>
1471 <term><varname>Local=</varname></term>
1472 <listitem>
1473 <para>Configures local IP address.</para>
1474 </listitem>
1475 </varlistentry>
0b145817 1476 </variablelist>
53cb501a 1477 </refsect1>
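The constraints that the [Tunnel] FOU settings and the [FooOverUDP] section place on each other can be checked before a file is deployed. The following is an added example, not part of the systemd sources: `check_fou` and the sample named `CONSTRUCTED_BROKEN` are hypothetical, the two `PAGE_*` samples are copied from the Examples section of this page, and the 1-65535 port range is an assumption based on UDP ports being 16 bits wide.

```python
import configparser

TRUE = {"1", "yes", "true", "on"}
FOU_TUNNEL_KINDS = {"ipip", "sit", "gre", "gretap"}

PAGE_FOU_TUNNEL = """[NetDev]
Name=fou-tun
Kind=fou

[FooOverUDP]
Port=5555
Protocol=4
"""

PAGE_FOU_IPIP = """[NetDev]
Name=ipip-tun
Kind=ipip

[Tunnel]
Independent=yes
Local=10.65.208.212
Remote=10.65.208.211
FooOverUDP=yes
FOUDestinationPort=5555
"""

# Constructed sample: GUE with a Protocol=, no Port=, PeerPort= without Peer=.
CONSTRUCTED_BROKEN = """[NetDev]
Name=fou-gue
Kind=fou

[FooOverUDP]
Encapsulation=GenericUDPEncapsulation
Protocol=4
PeerPort=5556
"""


def load(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep the case of setting names
    cp.read_string(text)
    return cp


def valid_port(value):
    # Assumption: a usable UDP port is an integer in 1-65535.
    return value is not None and value.isdigit() and 1 <= int(value) <= 65535


def check_fou(text):
    """Return a list of problems with the FOU-related settings of one .netdev file."""
    cp = load(text)
    kind = cp.get("NetDev", "Kind", fallback="")
    problems = []

    if cp.has_section("FooOverUDP"):
        fou = cp["FooOverUDP"]
        if kind != "fou":
            problems.append("[FooOverUDP] only applies to netdevs of kind fou")
        encap = fou.get("Encapsulation", "FooOverUDP")
        proto = fou.get("Protocol")
        if encap not in ("FooOverUDP", "GenericUDPEncapsulation"):
            problems.append(f"Encapsulation={encap} is not a supported value")
        if not valid_port(fou.get("Port")):
            problems.append("Port= is mandatory and must be a UDP port number")
        if encap == "FooOverUDP":
            if proto is None:
                problems.append("Protocol= is mandatory with Encapsulation=FooOverUDP")
            elif proto.isdigit() and not 1 <= int(proto) <= 255:
                problems.append("Protocol= must be within 1...255")
            # Protocol names such as gre or ipip are accepted here without lookup.
        elif encap == "GenericUDPEncapsulation" and proto is not None:
            problems.append("Protocol= must not be specified with GenericUDPEncapsulation")
        if ("Peer" in fou) != ("PeerPort" in fou):
            problems.append("Peer= and PeerPort= must be set together")

    if cp.has_section("Tunnel"):
        tunnel = cp["Tunnel"]
        if tunnel.get("FooOverUDP", "no").lower() in TRUE:
            if kind not in FOU_TUNNEL_KINDS:
                problems.append("FooOverUDP= takes effect only for IPIP, SIT, GRE and GRETAP")
            if not valid_port(tunnel.get("FOUDestinationPort")):
                problems.append("FOUDestinationPort= is mandatory when FooOverUDP=yes")
    return problems


if __name__ == "__main__":
    for name in ("PAGE_FOU_TUNNEL", "PAGE_FOU_IPIP", "CONSTRUCTED_BROKEN"):
        print(name, check_fou(globals()[name]))
```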
488d0ba1 1478
798d3a52
ZJS
1479 <refsect1>
1480 <title>[Peer] Section Options</title>
1481
bdac5608 1482 <para>The [Peer] section only applies for
488d0ba1
YW
1483 netdevs of kind <literal>veth</literal> and accepts the
1484 following keys:</para>
1485
1486 <variablelist class='network-directives'>
1487 <varlistentry>
1488 <term><varname>Name=</varname></term>
1489 <listitem>
1490 <para>The interface name used when creating the netdev.
e9dd6984 1491 This setting is compulsory.</para>
488d0ba1
YW
1492 </listitem>
1493 </varlistentry>
1494 <varlistentry>
1495 <term><varname>MACAddress=</varname></term>
1496 <listitem>
1497 <para>The peer MAC address. If not set, it is generated in
1498 the same way as the MAC address of the main
1499 interface.</para>
1500 </listitem>
1501 </varlistentry>
1502 </variablelist>
798d3a52 1503 </refsect1>
488d0ba1 1504
d6df583c 1505 <refsect1>
488d0ba1
YW
1506 <title>[VXCAN] Section Options</title>
1507
bdac5608 1508 <para>The [VXCAN] section only applies for
488d0ba1
YW
1509 netdevs of kind <literal>vxcan</literal> and accepts the
1510 following key:</para>
1511
1512 <variablelist class='network-directives'>
1513 <varlistentry>
1514 <term><varname>Peer=</varname></term>
1515 <listitem>
1516 <para>The peer interface name used when creating the netdev.
e9dd6984 1517 This setting is compulsory.</para>
488d0ba1
YW
1518 </listitem>
1519 </varlistentry>
1520 </variablelist>
d6df583c 1521 </refsect1>
488d0ba1 1522
798d3a52
ZJS
1523 <refsect1>
1524 <title>[Tun] Section Options</title>
1525
bdac5608 1526 <para>The [Tun] section only applies for
798d3a52
ZJS
1527 netdevs of kind <literal>tun</literal>, and accepts the following
1528 keys:</para>
1529
1530 <variablelist class='network-directives'>
798d3a52
ZJS
1531 <varlistentry>
1532 <term><varname>MultiQueue=</varname></term>
9b6ffef3 1533 <listitem><para>Takes a boolean. Configures whether
798d3a52
ZJS
1534 to use multiple file descriptors (queues) to parallelize
1535 packets sending and receiving. Defaults to
1536 <literal>no</literal>.</para>
1537 </listitem>
1538 </varlistentry>
1539 <varlistentry>
1540 <term><varname>PacketInfo=</varname></term>
9b6ffef3 1541 <listitem><para>Takes a boolean. Configures whether
ff9b60f3 1542 packets should be prepended with four extra bytes (two flag
b938cb90 1543 bytes and two protocol bytes). If disabled, it indicates that
798d3a52
ZJS
1544 the packets will be pure IP packets. Defaults to
1545 <literal>no</literal>.</para>
1546 </listitem>
1547 </varlistentry>
43f78da4 1548 <varlistentry>
2aba142e 1549 <term><varname>VNetHeader=</varname></term>
9b6ffef3 1550 <listitem><para>Takes a boolean. Configures
75eed300 1551 IFF_VNET_HDR flag for a tun or tap device. It allows sending
43f78da4
SS
1552 and receiving larger Generic Segmentation Offload (GSO)
1553 packets. This may increase throughput significantly.
1554 Defaults to
1555 <literal>no</literal>.</para>
1556 </listitem>
1557 </varlistentry>
798d3a52
ZJS
1558 <varlistentry>
1559 <term><varname>User=</varname></term>
1560 <listitem><para>User to grant access to the
1561 <filename>/dev/net/tun</filename> device.</para>
1562 </listitem>
1563 </varlistentry>
1564 <varlistentry>
1565 <term><varname>Group=</varname></term>
1566 <listitem><para>Group to grant access to the
1567 <filename>/dev/net/tun</filename> device.</para>
1568 </listitem>
1569 </varlistentry>
798d3a52 1570 </variablelist>
798d3a52
ZJS
1571 </refsect1>
1572
1573 <refsect1>
1574 <title>[Tap] Section Options</title>
1575
bdac5608 1576 <para>The [Tap] section only applies for
798d3a52 1577 netdevs of kind <literal>tap</literal>, and accepts the same keys
bdac5608 1578 as the [Tun] section.</para>
798d3a52
ZJS
1579 </refsect1>
1580
e5719363
JT
1581 <refsect1>
1582 <title>[WireGuard] Section Options</title>
1583
bdac5608 1584 <para>The [WireGuard] section accepts the following
e5719363
JT
1585 keys:</para>
1586
1587 <variablelist class='network-directives'>
1588 <varlistentry>
1589 <term><varname>PrivateKey=</varname></term>
1590 <listitem>
1591 <para>The Base64 encoded private key for the interface. It can be
488d0ba1
YW
1592 generated using the <command>wg genkey</command> command
1593 (see <citerefentry project="wireguard"><refentrytitle>wg</refentrytitle><manvolnum>8</manvolnum></citerefentry>).
1594 This option or <varname>PrivateKeyFile=</varname> is mandatory to use WireGuard.
1595 Note that because this information is secret, you may want to set
1596 the permissions of the .netdev file to be owned by <literal>root:systemd-network</literal>
1597 with a <literal>0640</literal> file mode.</para>
e5719363
JT
1598 </listitem>
1599 </varlistentry>
76df7779
YW
1600 <varlistentry>
1601 <term><varname>PrivateKeyFile=</varname></term>
1602 <listitem>
49f16281
LP
1603 <para>Takes an absolute path to a file which contains the Base64 encoded private key for the
1604 interface. When this option is specified, then <varname>PrivateKey=</varname> is ignored. Note
1605 that the file must be readable by the user <literal>systemd-network</literal>, so it should be,
1606 e.g., owned by <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode. If
1607 the path refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is
1608 made to it and the key read from it.</para>
76df7779
YW
1609 </listitem>
1610 </varlistentry>
e5719363
JT
1611 <varlistentry>
1612 <term><varname>ListenPort=</varname></term>
1613 <listitem>
1614 <para>Sets the UDP port for listening. Takes either a value between 1 and 65535
488d0ba1
YW
1615 or <literal>auto</literal>. If <literal>auto</literal> is specified,
1616 the port is automatically generated based on interface name.
1617 Defaults to <literal>auto</literal>.</para>
e5719363
JT
1618 </listitem>
1619 </varlistentry>
1620 <varlistentry>
1c30b174 1621 <term><varname>FirewallMark=</varname></term>
e5719363 1622 <listitem>
1c30b174 1623 <para>Sets a firewall mark on outgoing WireGuard packets from this interface. Takes a number between 1 and 4294967295.</para>
e5719363
JT
1624 </listitem>
1625 </varlistentry>
1626 </variablelist>
1627 </refsect1>
1628
1629 <refsect1>
1630 <title>[WireGuardPeer] Section Options</title>
1631
bdac5608 1632 <para>The [WireGuardPeer] section accepts the following
e5719363
JT
1633 keys:</para>
1634
1635 <variablelist class='network-directives'>
1636 <varlistentry>
1637 <term><varname>PublicKey=</varname></term>
1638 <listitem>
1639 <para>Sets a Base64 encoded public key calculated by <command>wg pubkey</command>
488d0ba1
YW
1640 (see <citerefentry project="wireguard"><refentrytitle>wg</refentrytitle><manvolnum>8</manvolnum></citerefentry>)
1641 from a private key, and usually transmitted out of band to the
1642 author of the configuration file. This option is mandatory for this
1643 section.</para>
e5719363
JT
1644 </listitem>
1645 </varlistentry>
1646 <varlistentry>
1647 <term><varname>PresharedKey=</varname></term>
1648 <listitem>
1649 <para>Optional preshared key for the interface. It can be generated
488d0ba1
YW
1650 by the <command>wg genpsk</command> command. This option adds an
1651 additional layer of symmetric-key cryptography to be mixed into the
1652 already existing public-key cryptography, for post-quantum
1653 resistance.
1654 Note that because this information is secret, you may want to set
8aa36b1d 1655 the permissions of the .netdev file to be owned by <literal>root:systemd-network</literal>
488d0ba1 1656 with a <literal>0640</literal> file mode.</para>
e5719363
JT
1657 </listitem>
1658 </varlistentry>
a3945c63
YW
1659 <varlistentry>
1660 <term><varname>PresharedKeyFile=</varname></term>
1661 <listitem>
1662 <para>Takes an absolute path to a file which contains the Base64 encoded preshared key for the
49f16281
LP
1663 peer. When this option is specified, then <varname>PresharedKey=</varname> is ignored. Note that
1664 the file must be readable by the user <literal>systemd-network</literal>, so it should be, e.g.,
1665 owned by <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode. If the
1666 path refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is
1667 made to it and the key read from it.</para>
a3945c63
YW
1668 </listitem>
1669 </varlistentry>
e5719363
JT
1670 <varlistentry>
1671 <term><varname>AllowedIPs=</varname></term>
1672 <listitem>
1673 <para>Sets a comma-separated list of IP (v4 or v6) addresses with CIDR masks
488d0ba1 1674 from which this peer is allowed to send incoming traffic and to
c6b90e5c 1675 which outgoing traffic for this peer is directed.</para>
be0d27ee 1676
c6b90e5c
FK
1677 <para>The catch-all 0.0.0.0/0 may be specified for matching all IPv4 addresses,
1678 and ::/0 may be specified for matching all IPv6 addresses.</para>
be0d27ee
ZJS
1679
1680 <para>Note that this only affects <emphasis>routing inside the network interface itself</emphasis>,
1681 i.e. the packets that pass through the tunnel itself. To cause packets to be sent via the tunnel in
1682 the first place, an appropriate route needs to be added as well — either in the
1683 <literal>[Route]</literal> section on the <literal>.network</literal> matching the wireguard
1684 interface, or externally to <filename>systemd-networkd</filename>.</para>
e5719363
JT
1685 </listitem>
1686 </varlistentry>
1687 <varlistentry>
1688 <term><varname>Endpoint=</varname></term>
1689 <listitem>
1690 <para>Sets an endpoint IP address or hostname, followed by a colon, and then
488d0ba1
YW
1691 a port number. This endpoint will be updated automatically once to
1692 the most recent source IP address and port of correctly
1693 authenticated packets from the peer at configuration time.</para>
e5719363
JT
1694 </listitem>
1695 </varlistentry>
1696 <varlistentry>
1697 <term><varname>PersistentKeepalive=</varname></term>
1698 <listitem>
1699 <para>Sets a seconds interval, between 1 and 65535 inclusive, of how often
488d0ba1
YW
1700 to send an authenticated empty packet to the peer for the purpose
1701 of keeping a stateful firewall or NAT mapping valid persistently.
1702 For example, if the interface very rarely sends traffic, but it
1703 might at any time receive traffic from a peer, and it is behind NAT,
1704 the interface might benefit from having a persistent keepalive
1705 interval of 25 seconds. If set to 0 or "off", this option is
1706 disabled. By default or when unspecified, this option is off.
1707 Most users will not need this.</para>
e5719363
JT
1708 </listitem>
1709 </varlistentry>
1710 </variablelist>
1711 </refsect1>
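The file-permission notes on <varname>PrivateKey=</varname>, <varname>PrivateKeyFile=</varname>, <varname>PresharedKey=</varname> and <varname>PresharedKeyFile=</varname> can be turned into an audit of deployed files. The following is an added example, not code from systemd: `audit_netdev` and its helpers are hypothetical names, the key strings are constructed placeholders, and `demo()` switches the ownership check off so that it runs unprivileged in a temporary directory.

```python
import grp
import os
import pwd
import stat
import tempfile

KEY_FILE_SETTINGS = ("PrivateKeyFile", "PresharedKeyFile")
INLINE_SECRET_SETTINGS = ("PrivateKey", "PresharedKey")


def settings(text):
    """Yield (key, value) for each Key=Value line; comments and [Section] headers are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        yield key.strip(), value.strip()


def check_file(path, label, owner):
    """Compare one file with the root:systemd-network / 0640 suggestion from the man page."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return [f"{label}: cannot stat {path} ({exc.strerror})"]
    if stat.S_ISSOCK(st.st_mode):
        return []  # AF_UNIX socket: the key is handed over by a process, not stored here
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & ~0o640:
        findings.append(f"{label}: {path} has mode {mode:04o}, wider than 0640")
    if owner is not None:
        try:
            actual = (pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name)
        except KeyError:
            actual = (str(st.st_uid), str(st.st_gid))
        if actual != tuple(owner):
            findings.append(f"{label}: {path} is owned by {actual[0]}:{actual[1]}, "
                            f"expected {owner[0]}:{owner[1]}")
    return findings


def audit_netdev(path, owner=("root", "systemd-network")):
    """Return findings for the secrets a .netdev file holds inline or points to."""
    with open(path, encoding="utf-8") as fh:
        seen = list(settings(fh.read()))
    keys = {key for key, value in seen if value}
    findings = []
    if keys & set(INLINE_SECRET_SETTINGS):
        # The .netdev file itself contains a secret, so its own mode matters.
        findings += check_file(path, "inline secret", owner)
    if {"PrivateKey", "PrivateKeyFile"} <= keys:
        findings.append("PrivateKey=: ignored because PrivateKeyFile= is set, "
                        f"but the secret is still stored in {path}")
    for key, value in seen:
        if key in KEY_FILE_SETTINGS and value:
            if not os.path.isabs(value):
                findings.append(f"{key}=: {value!r} is not an absolute path")
            else:
                findings += check_file(value, f"{key}=", owner)
    return findings


def demo():
    """Audit constructed sample files twice: world-readable first, then 0640."""
    with tempfile.TemporaryDirectory() as tmp:
        key = os.path.join(tmp, "wg0.key")
        netdev = os.path.join(tmp, "25-wg0.netdev")
        with open(key, "w") as fh:
            fh.write("CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY\n")
        with open(netdev, "w") as fh:
            fh.write("[NetDev]\nName=wg0\nKind=wireguard\n\n"
                     "[WireGuard]\nPrivateKeyFile=" + key + "\n\n"
                     "[WireGuardPeer]\nPublicKey=CONSTRUCTED-PLACEHOLDER\n"
                     "PresharedKey=CONSTRUCTED-PLACEHOLDER\nAllowedIPs=192.0.2.0/24\n")
        os.chmod(key, 0o644)
        os.chmod(netdev, 0o644)
        loose = audit_netdev(netdev, owner=None)
        os.chmod(key, 0o640)
        os.chmod(netdev, 0o640)
        tight = audit_netdev(netdev, owner=None)
    return loose, tight


if __name__ == "__main__":
    for finding in demo()[0]:
        print(finding)
```

On a real host, call `audit_netdev()` with the default `owner` so that files not owned by `root:systemd-network` are reported as well.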
1712
798d3a52
ZJS
1713 <refsect1>
1714 <title>[Bond] Section Options</title>
1715
bdac5608 1716 <para>The [Bond] section accepts the following
798d3a52
ZJS
1717 key:</para>
1718
1719 <variablelist class='network-directives'>
1720 <varlistentry>
1721 <term><varname>Mode=</varname></term>
1722 <listitem>
1723 <para>Specifies one of the bonding policies. The default is
1724 <literal>balance-rr</literal> (round robin). Possible values are
1725 <literal>balance-rr</literal>,
1726 <literal>active-backup</literal>,
1727 <literal>balance-xor</literal>,
1728 <literal>broadcast</literal>,
1729 <literal>802.3ad</literal>,
1730 <literal>balance-tlb</literal>, and
1731 <literal>balance-alb</literal>.
1732 </para>
1733 </listitem>
1734 </varlistentry>
1735
1736 <varlistentry>
1737 <term><varname>TransmitHashPolicy=</varname></term>
1738 <listitem>
1739 <para>Selects the transmit hash policy to use for slave
1740 selection in balance-xor, 802.3ad, and tlb modes. Possible
1741 values are
1742 <literal>layer2</literal>,
1743 <literal>layer3+4</literal>,
1744 <literal>layer2+3</literal>,
4d89618a 1745 <literal>encap2+3</literal>, and
798d3a52
ZJS
1746 <literal>encap3+4</literal>.
1747 </para>
1748 </listitem>
1749 </varlistentry>
1750
1751 <varlistentry>
1752 <term><varname>LACPTransmitRate=</varname></term>
1753 <listitem>
1754 <para>Specifies the rate with which link partner transmits
1755 Link Aggregation Control Protocol Data Unit packets in
1756 802.3ad mode. Possible values are <literal>slow</literal>,
1757 which requests partner to transmit LACPDUs every 30 seconds,
1758 and <literal>fast</literal>, which requests partner to
1759 transmit LACPDUs every second. The default value is
1760 <literal>slow</literal>.</para>
1761 </listitem>
1762 </varlistentry>
1763
1764 <varlistentry>
1765 <term><varname>MIIMonitorSec=</varname></term>
1766 <listitem>
1767 <para>Specifies the frequency that Media Independent
1768 Interface link monitoring will occur. A value of zero
dd2b607b 1769 disables MII link monitoring. This value is rounded down to
798d3a52
ZJS
1770 the nearest millisecond. The default value is 0.</para>
1771 </listitem>
1772 </varlistentry>
1773
1774 <varlistentry>
1775 <term><varname>UpDelaySec=</varname></term>
1776 <listitem>
1777 <para>Specifies the delay before a link is enabled after a
1778 link up status has been detected. This value is rounded down
1779 to a multiple of MIIMonitorSec. The default value is
1780 0.</para>
1781 </listitem>
1782 </varlistentry>
1783
1784 <varlistentry>
1785 <term><varname>DownDelaySec=</varname></term>
1786 <listitem>
1787 <para>Specifies the delay before a link is disabled after a
1788 link down status has been detected. This value is rounded
1789 down to a multiple of MIIMonitorSec. The default value is
1790 0.</para>
1791 </listitem>
1792 </varlistentry>
1793
81bd37a8 1794 <varlistentry>
38422da7 1795 <term><varname>LearnPacketIntervalSec=</varname></term>
81bd37a8
SS
1796 <listitem>
1797 <para>Specifies the number of seconds between instances where the bonding
a8eaaee7
JE
1798 driver sends learning packets to each slave peer switch.
1799 The valid range is 1–0x7fffffff; the default value is 1. This option
1800 has an effect only for the balance-tlb and balance-alb modes.</para>
81bd37a8
SS
1801 </listitem>
1802 </varlistentry>
1803
1804 <varlistentry>
1805 <term><varname>AdSelect=</varname></term>
1806 <listitem>
1807 <para>Specifies the 802.3ad aggregation selection logic to use. Possible values are
1808 <literal>stable</literal>,
a8eaaee7
JE
1809 <literal>bandwidth</literal> and
1810 <literal>count</literal>.
81bd37a8
SS
1811 </para>
1812 </listitem>
1813 </varlistentry>
1814
99f68ef0 1815 <varlistentry>
db688b7e 1816 <term><varname>AdActorSystemPriority=</varname></term>
99f68ef0 1817 <listitem>
1d3a473b 1818 <para>Specifies the 802.3ad actor system priority. Takes a number in the range 1…65535.</para>
99f68ef0
TJ
1819 </listitem>
1820 </varlistentry>
1821
1822 <varlistentry>
1823 <term><varname>AdUserPortKey=</varname></term>
1824 <listitem>
e9dd6984 1825 <para>Specifies the 802.3ad user defined portion of the port key. Takes a number in the range
be0d27ee 1826 0…1023.</para>
99f68ef0
TJ
1827 </listitem>
1828 </varlistentry>
1829
1830 <varlistentry>
1831 <term><varname>AdActorSystem=</varname></term>
1832 <listitem>
7ad41997
ZJS
1833 <para>Specifies the 802.3ad system MAC address. This cannot be a null or multicast address.
1834 </para>
99f68ef0
TJ
1835 </listitem>
1836 </varlistentry>
1837
81bd37a8 1838 <varlistentry>
38422da7 1839 <term><varname>FailOverMACPolicy=</varname></term>
81bd37a8 1840 <listitem>
a8eaaee7
JE
1841 <para>Specifies whether the active-backup mode should set all slaves to
1842 the same MAC address at the time of enslavement or, when enabled, to perform special handling of the
81bd37a8
SS
1843 bond's MAC address in accordance with the selected policy. The default policy is none.
1844 Possible values are
1845 <literal>none</literal>,
a8eaaee7
JE
1846 <literal>active</literal> and
1847 <literal>follow</literal>.
81bd37a8
SS
1848 </para>
1849 </listitem>
1850 </varlistentry>
1851
1852 <varlistentry>
38422da7 1853 <term><varname>ARPValidate=</varname></term>
81bd37a8
SS
1854 <listitem>
1855 <para>Specifies whether or not ARP probes and replies should be
38422da7 1856 validated in any mode that supports ARP monitoring, or whether
81bd37a8
SS
1857 non-ARP traffic should be filtered (disregarded) for link
1858 monitoring purposes. Possible values are
1859 <literal>none</literal>,
1860 <literal>active</literal>,
a8eaaee7
JE
1861 <literal>backup</literal> and
1862 <literal>all</literal>.
81bd37a8
SS
1863 </para>
1864 </listitem>
1865 </varlistentry>
1866
1867 <varlistentry>
38422da7 1868 <term><varname>ARPIntervalSec=</varname></term>
81bd37a8 1869 <listitem>
06c52cc2
ZJS
1870 <para>Specifies the ARP link monitoring frequency. A value of 0 disables ARP monitoring. The
1871 default value is 0, and the default unit is seconds.
81bd37a8
SS
1872 </para>
1873 </listitem>
1874 </varlistentry>
1875
1876 <varlistentry>
38422da7 1877 <term><varname>ARPIPTargets=</varname></term>
81bd37a8
SS
1878 <listitem>
1879 <para>Specifies the IP addresses to use as ARP monitoring peers when
38422da7 1880 ARPIntervalSec is greater than 0. These are the targets of the ARP request
81bd37a8 1881 sent to determine the health of the link to the targets.
a8eaaee7 1882 Specify these values in IPv4 dotted decimal format. At least one IP
81bd37a8
SS
1883 address must be given for ARP monitoring to function. The
1884 maximum number of targets that can be specified is 16. The
1885 default value is no IP addresses.
1886 </para>
1887 </listitem>
1888 </varlistentry>
1889
1890 <varlistentry>
38422da7 1891 <term><varname>ARPAllTargets=</varname></term>
81bd37a8 1892 <listitem>
38422da7 1893 <para>Specifies the quantity of ARPIPTargets that must be reachable
81bd37a8
SS
1894 in order for the ARP monitor to consider a slave as being up.
1895 This option affects only active-backup mode for slaves with
38422da7 1896 ARPValidate enabled. Possible values are
a8eaaee7
JE
1897 <literal>any</literal> and
1898 <literal>all</literal>.
81bd37a8
SS
1899 </para>
1900 </listitem>
1901 </varlistentry>
1902
1903 <varlistentry>
38422da7 1904 <term><varname>PrimaryReselectPolicy=</varname></term>
81bd37a8
SS
1905 <listitem>
1906 <para>Specifies the reselection policy for the primary slave. This
1907 affects how the primary slave is chosen to become the active slave
1908 when failure of the active slave or recovery of the primary slave
1909 occurs. This option is designed to prevent flip-flopping between
1910 the primary slave and other slaves. Possible values are
1911 <literal>always</literal>,
a8eaaee7
JE
1912 <literal>better</literal> and
1913 <literal>failure</literal>.
81bd37a8
SS
1914 </para>
1915 </listitem>
1916 </varlistentry>
1917
1918 <varlistentry>
1919 <term><varname>ResendIGMP=</varname></term>
1920 <listitem>
1921 <para>Specifies the number of IGMP membership reports to be issued after
1922 a failover event. One membership report is issued immediately after
1923 the failover; subsequent packets are sent at 200ms intervals.
b938cb90 1924 The valid range is 0–255. Defaults to 1. A value of 0
81bd37a8
SS
1925 prevents the IGMP membership report from being issued in response
1926 to the failover event.
1927 </para>
1928 </listitem>
1929 </varlistentry>
1930
1931 <varlistentry>
1932 <term><varname>PacketsPerSlave=</varname></term>
1933 <listitem>
b938cb90 1934 <para>Specify the number of packets to transmit through a slave before
488d0ba1
YW
1935 moving to the next one. When set to 0, then a slave is chosen at
1936 random. The valid range is 0–65535. Defaults to 1. This option
1937 only has effect when in balance-rr mode.
81bd37a8
SS
1938 </para>
1939 </listitem>
1940 </varlistentry>
1941
1942 <varlistentry>
38422da7 1943 <term><varname>GratuitousARP=</varname></term>
81bd37a8
SS
1944 <listitem>
1945 <para>Specify the number of peer notifications (gratuitous ARPs and
488d0ba1
YW
1946 unsolicited IPv6 Neighbor Advertisements) to be issued after a
1947 failover event. As soon as the link is up on the new slave,
1948 a peer notification is sent on the bonding device and each
1949 VLAN sub-device. This is repeated at each link monitor interval
1950 (ARPIntervalSec or MIIMonitorSec, whichever is active) if the number is
1951 greater than 1. The valid range is 0–255. The default value is 1.
1952 This option affects only the active-backup mode.
81bd37a8
SS
1953 </para>
1954 </listitem>
1955 </varlistentry>
1956
1957 <varlistentry>
1958 <term><varname>AllSlavesActive=</varname></term>
1959 <listitem>
9b6ffef3 1960 <para>Takes a boolean. Specifies that duplicate frames (received on inactive ports)
a8eaaee7 1961 should be dropped when false, or delivered when true. Normally, bonding will drop
81bd37a8
SS
1962 duplicate frames (received on inactive ports), which is desirable for
1963 most users. However, it is sometimes useful to allow duplicate
1964 frames to be delivered. The default value is false (drop duplicate frames
1965 received on inactive ports).
1966 </para>
1967 </listitem>
1968 </varlistentry>
1969
fde60a42
SS
1970 <varlistentry>
1971 <term><varname>DynamicTransmitLoadBalancing=</varname></term>
1972 <listitem>
1973 <para>Takes a boolean. Specifies if dynamic shuffling of flows is enabled. Applies only
1974 for balance-tlb mode. Defaults to unset.
1975 </para>
1976 </listitem>
1977 </varlistentry>
1978
81bd37a8
SS
1979 <varlistentry>
1980 <term><varname>MinLinks=</varname></term>
1981 <listitem>
1982 <para>Specifies the minimum number of links that must be active before
1983 asserting carrier. The default value is 0.
1984 </para>
1985 </listitem>
1986 </varlistentry>
798d3a52 1987 </variablelist>
81bd37a8
SS
1988
1989 <para>For more detailed information see
1990 <ulink url="https://www.kernel.org/doc/Documentation/networking/bonding.txt">
1991 Linux Ethernet Bonding Driver HOWTO</ulink>.</para>
b8d88b26 1992 </refsect1>
81bd37a8 1993
98d20a17 1994 <refsect1>
1995 <title>[Xfrm] Section Options</title>
1996
bdac5608 1997 <para>The [Xfrm] section accepts the following
98d20a17 1998 keys:</para>
1999
2000 <variablelist class='network-directives'>
2001 <varlistentry>
2002 <term><varname>InterfaceId=</varname></term>
2003 <listitem>
2004 <para>Sets the ID/key of the xfrm interface which needs to be associated with a SA/policy.
2005 Can be decimal or hexadecimal, valid range is 0-0xffffffff, defaults to 0.</para>
2006 </listitem>
2007 </varlistentry>
2008 <varlistentry>
2009 <term><varname>Independent=</varname></term>
2010 <listitem>
905a03e7
ZJS
2011 <para>Takes a boolean. If false (the default), the xfrm interface must have an underlying device
2012 which can be used for hardware offloading.</para>
98d20a17 2013 </listitem>
2014 </varlistentry>
2015 </variablelist>
2016
2017 <para>For more detailed information see
e9dd6984 2018 <ulink url="https://lwn.net/Articles/757391">Virtual XFRM Interfaces</ulink>.</para>
98d20a17 2019 </refsect1>
2020
b8d88b26
FP
2021 <refsect1>
2022 <title>[VRF] Section Options</title>
bdac5608 2023 <para>The [VRF] section only applies for
b8d88b26
FP
2024 netdevs of kind <literal>vrf</literal> and accepts the
2025 following key:</para>
2026
2027 <variablelist class='network-directives'>
2028 <varlistentry>
2029 <term><varname>Table=</varname></term>
2030 <listitem>
e9dd6984 2031 <para>The numeric routing table identifier. This setting is compulsory.</para>
b8d88b26
FP
2032 </listitem>
2033 </varlistentry>
2034 </variablelist>
798d3a52
ZJS
2035 </refsect1>
2036
c0267a59
AW
2037 <refsect1>
2038 <title>[BatmanAdvanced] Section Options</title>
be0d27ee
ZJS
2039
2040 <para>The [BatmanAdvanced] section only applies for netdevs of kind <literal>batadv</literal> and accepts
2041 the following keys:</para>
c0267a59
AW
2042
2043 <variablelist class='network-directives'>
2044 <varlistentry>
2045 <term><varname>GatewayMode=</varname></term>
2046 <listitem>
2047 <para>Takes one of <literal>off</literal>, <literal>server</literal>, or <literal>client</literal>.
2048 A batman-adv node can either run in server mode (sharing its internet
2049 connection with the mesh) or in client mode (searching for the most suitable internet connection
2050 in the mesh) or having the gateway support turned off entirely (which is the default setting).
2051 </para>
2052 </listitem>
2053 </varlistentry>
2054 <varlistentry>
2055 <term><varname>Aggregation=</varname></term>
2056 <listitem>
2057 <para>Takes a boolean value. Enables or disables aggregation of originator messages. Defaults to
2058 true.
2059 </para>
2060 </listitem>
2061 </varlistentry>
2062 <varlistentry>
2063 <term><varname>BridgeLoopAvoidance=</varname></term>
2064 <listitem>
2065 <para>Takes a boolean value. Enables or disables avoidance of loops on bridges. Defaults to true.
2066 </para>
2067 </listitem>
2068 </varlistentry>
2069 <varlistentry>
2070 <term><varname>DistributedArpTable=</varname></term>
2071 <listitem>
2072 <para>Takes a boolean value. Enables or disables the distributed ARP table. Defaults to true.</para>
2073 </listitem>
2074 </varlistentry>
2075 <varlistentry>
2076 <term><varname>Fragmentation=</varname></term>
2077 <listitem>
2078 <para>Takes a boolean value. Enables or disables fragmentation. Defaults to true.</para>
2079 </listitem>
2080 </varlistentry>
2081 <varlistentry>
2082 <term><varname>HopPenalty=</varname></term>
2083 <listitem>
2084 <para>The hop penalty setting allows modifying
ba3dc451 2085 <citerefentry project='mankier'><refentrytitle>batctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
fa027117 2086 preference for multihop routes vs. short routes. This integer value is applied to the
c0267a59
AW
2087 TQ (Transmit Quality) of each forwarded OGM (Originator Message), thereby propagating the
2088 cost of an extra hop (the packet has to be received and retransmitted which costs airtime).
2089 A higher hop penalty will make it more unlikely that other nodes will choose this node as
2090 intermediate hop towards any given destination. The default hop penalty of '15' is a reasonable
2091 value for most setups and probably does not need to be changed. However, mobile nodes could
2092 choose a value of 255 (maximum value) to avoid being chosen as a router by other nodes.
2093 The minimum value is 0.
2094 </para>
2095 </listitem>
2096 </varlistentry>
2097 <varlistentry>
2098 <term><varname>OriginatorIntervalSec=</varname></term>
2099 <listitem>
2100 <para>Specifies the interval (in seconds, unless another time unit is specified) at which
2101 batman-adv floods the network with its protocol information.
2102 See <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>
2103 for more information.</para>
2104 </listitem>
2105 </varlistentry>
2106 <varlistentry>
2107 <term><varname>GatewayBandwidthDown=</varname></term>
2108 <listitem>
2109 <para>If the node is a server, this
2110 parameter is used to inform other nodes in the network about
2111 this node's internet connection download bandwidth in bits per second. Just enter any number
2112 suffixed with K, M, G or T (base 1000) and the batman-adv
2113 module will propagate the entered value in the mesh.</para>
2114 </listitem>
2115 </varlistentry>
2116 <varlistentry>
2117 <term><varname>GatewayBandwidthUp=</varname></term>
2118 <listitem>
2119 <para>If the node is a server, this
2120 parameter is used to inform other nodes in the network about
2121 this node's internet connection upload bandwidth in bits per second. Just enter any number
2122 suffixed with K, M, G or T (base 1000) and the batman-adv
2123 module will propagate the entered value in the mesh.</para>
2124 </listitem>
2125 </varlistentry>
2126 <varlistentry>
2127 <term><varname>RoutingAlgorithm=</varname></term>
2128 <listitem>
2129 <para>This can be either <literal>batman-v</literal> or <literal>batman-iv</literal> and describes which routing_algo
2130 of <citerefentry><refentrytitle>batctl</refentrytitle><manvolnum>8</manvolnum></citerefentry> to use. The algorithm
2131 cannot be changed after interface creation. Defaults to <literal>batman-v</literal>.
2132 </para>
2133 </listitem>
2134 </varlistentry>
2135 </variablelist>
2136 </refsect1>
2137
  <refsect1>
    <title>Examples</title>
    <example>
      <title>/etc/systemd/network/25-bridge.netdev</title>

      <programlisting>[NetDev]
Name=bridge0
Kind=bridge</programlisting>
    </example>

    <example>
      <title>/etc/systemd/network/25-vlan1.netdev</title>

      <programlisting>[Match]
Virtualization=no

[NetDev]
Name=vlan1
Kind=vlan

[VLAN]
Id=1</programlisting>
    </example>
    <example>
      <title>/etc/systemd/network/25-ipip.netdev</title>
      <programlisting>[NetDev]
Name=ipip-tun
Kind=ipip
MTUBytes=1480

[Tunnel]
Local=192.168.223.238
Remote=192.169.224.239
TTL=64</programlisting>
    </example>
    <example>
      <title>/etc/systemd/network/1-fou-tunnel.netdev</title>
      <programlisting>[NetDev]
Name=fou-tun
Kind=fou

[FooOverUDP]
Port=5555
Protocol=4</programlisting>
    </example>
    <example>
      <title>/etc/systemd/network/25-fou-ipip.netdev</title>
      <programlisting>[NetDev]
Name=ipip-tun
Kind=ipip

[Tunnel]
Independent=yes
Local=10.65.208.212
Remote=10.65.208.211
FooOverUDP=yes
FOUDestinationPort=5555</programlisting>
    </example>
    <example>
      <title>/etc/systemd/network/25-tap.netdev</title>
      <programlisting>[NetDev]
Name=tap-test
Kind=tap

[Tap]
MultiQueue=yes
PacketInfo=yes</programlisting>
    </example>

    <example>
      <title>/etc/systemd/network/25-sit.netdev</title>
      <programlisting>[NetDev]
Name=sit-tun
Kind=sit
MTUBytes=1480

[Tunnel]
Local=10.65.223.238
Remote=10.65.223.239</programlisting>
    </example>

    <example>
      <title>/etc/systemd/network/25-6rd.netdev</title>
      <programlisting>[NetDev]
Name=6rd-tun
Kind=sit
MTUBytes=1480

[Tunnel]
Local=10.65.223.238
IPv6RapidDeploymentPrefix=2602::/24</programlisting>
    </example>

    <example>
      <title>/etc/systemd/network/25-gre.netdev</title>
      <programlisting>[NetDev]
Name=gre-tun
Kind=gre
MTUBytes=1480

[Tunnel]
Local=10.65.223.238
Remote=10.65.223.239</programlisting>
    </example>

    <example>
      <title>/etc/systemd/network/25-ip6gre.netdev</title>
      <programlisting>[NetDev]
Name=ip6gre-tun
Kind=ip6gre

[Tunnel]
Key=123</programlisting>
    </example>

    <example>
      <title>/etc/systemd/network/25-vti.netdev</title>

      <programlisting>[NetDev]
Name=vti-tun
Kind=vti
MTUBytes=1480

[Tunnel]
Local=10.65.223.238
Remote=10.65.223.239</programlisting>
    </example>

    <example>
      <title>/etc/systemd/network/25-veth.netdev</title>
      <programlisting>[NetDev]
Name=veth-test
Kind=veth

[Peer]
Name=veth-peer</programlisting>
    </example>

    <example>
      <title>/etc/systemd/network/25-bond.netdev</title>
      <programlisting>[NetDev]
Name=bond1
Kind=bond

[Bond]
Mode=802.3ad
TransmitHashPolicy=layer3+4
MIIMonitorSec=1s
LACPTransmitRate=fast</programlisting>
    </example>

    <example>
      <title>/etc/systemd/network/25-dummy.netdev</title>
      <programlisting>[NetDev]
Name=dummy-test
Kind=dummy
MACAddress=12:34:56:78:9a:bc</programlisting>
    </example>
    <example>
      <title>/etc/systemd/network/25-vrf.netdev</title>
      <para>Create a VRF interface with table 42.</para>
      <programlisting>[NetDev]
Name=vrf-test
Kind=vrf

[VRF]
Table=42</programlisting>
    </example>

    <example>
      <title>/etc/systemd/network/25-macvtap.netdev</title>
      <para>Create a MacVTap device.</para>
      <programlisting>[NetDev]
Name=macvtap-test
Kind=macvtap</programlisting>
    </example>
    <example>
      <title>/etc/systemd/network/25-wireguard.netdev</title>
      <programlisting>[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
PrivateKey=EEGlnEPYJV//kbvvIqxKkQwOiS+UENyPncC4bF46ong=
ListenPort=51820

[WireGuardPeer]
PublicKey=RDf+LSpeEre7YEIKaxg+wbpsNV7du+ktR99uBEtIiCA=
AllowedIPs=fd31:bf08:57cb::/48,192.168.26.0/24
Endpoint=wireguard.example.com:51820</programlisting>
    </example>
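    <para>The WireGuard example above stores <varname>PrivateKey=</varname> inline, which makes the <filename>.netdev</filename> file itself a secret. The following check is an added example, not part of systemd: it flags inline secrets and files accessible to other users, and treats <varname>PrivateKeyFile=</varname> and <varname>PresharedKeyFile=</varname> as the file-based alternatives. The function name, sample text, placeholder keys and key-file path are assumptions made for illustration.</para>

```python
import stat

# Inline secret settings and the file-based setting that can replace each.
INLINE_SECRETS = {
    ("WireGuard", "PrivateKey"): "PrivateKeyFile=",
    ("WireGuardPeer", "PresharedKey"): "PresharedKeyFile=",
}

def audit_netdev(text, mode):
    """Return findings for one .netdev file, given its text and st_mode."""
    findings = []
    section = None
    inline_secret = False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        replacement = INLINE_SECRETS.get((section, key.strip()))
        if sep and value.strip() and replacement:
            inline_secret = True
            findings.append(
                f"line {lineno}: {key.strip()}= is set inline in [{section}]; "
                f"{replacement} keeps the secret out of the .netdev file")
    # The lowest octal digit of the mode holds the permission bits for "other".
    perms = stat.S_IMODE(mode)
    if inline_secret and perms % 8 != 0:
        findings.append(
            f"mode {perms:04o}: file with inline secret is accessible to other users")
    return findings

# Constructed sample input: the key values are placeholders, not real keys.
INLINE = """[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
PrivateKey=CONSTRUCTED-PLACEHOLDER-NOT-A-KEY=
ListenPort=51820

[WireGuardPeer]
PublicKey=CONSTRUCTED-PLACEHOLDER-PUBLIC=
AllowedIPs=192.168.26.0/24
"""
# Same file with the key moved to a (hypothetical) key-file path.
KEYFILE = INLINE.replace("PrivateKey=CONSTRUCTED-PLACEHOLDER-NOT-A-KEY=",
                         "PrivateKeyFile=/path/to/placeholder.key")
```

In practice the text and mode would come from reading each file under the network configuration directories together with its os.stat() result.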

    <example>
      <title>/etc/systemd/network/27-xfrm.netdev</title>
      <programlisting>[NetDev]
Name=xfrm0
Kind=xfrm

[Xfrm]
Independent=yes</programlisting>
    </example>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-networkd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.link</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>