<row><entry><varname>l2tp</varname></entry>
<entry>A Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It does not provide any encryption or confidentiality by itself</entry></row>
+ <row><entry><varname>macsec</varname></entry>
+ <entry>Media Access Control Security (MACsec) is an 802.1AE IEEE industry-standard security technology that provides secure communication for all traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly connected nodes and is capable of identifying and preventing most security threats.</entry></row>
+
<row><entry><varname>vrf</varname></entry>
<entry>A Virtual Routing and Forwarding (<ulink url="https://www.kernel.org/doc/Documentation/networking/vrf.txt">VRF</ulink>) interface to create separate routing and forwarding domains.</entry></row>
</varlistentry>
</variablelist>
</refsect1>
+ <refsect1>
+ <title>[MACsec] Section Options</title>
+ <para>The <literal>[MACsec]</literal> section only applies for network devices of kind
+ <literal>macsec</literal>, and accepts the following keys:</para>
+
+ <variablelist class='network-directives'>
+ <varlistentry>
+ <term><varname>Port=</varname></term>
+ <listitem>
+ <para>Specifies the port to be used for the MACsec transmit channel. The port is used to make
+ secure channel identifier (SCI). Takes a value between 1 and 65535. Defaults to unset.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>Encrypt=</varname></term>
+ <listitem>
+ <para>Takes a boolean. When true, enable encryption. Defaults to unset.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+ <refsect1>
+ <title>[MACsecReceiveChannel] Section Options</title>
+ <para>The <literal>[MACsecReceiveChannel]</literal> section only applies for network devices of
+ kind <literal>macsec</literal>, and accepts the following keys:</para>
+
+ <variablelist class='network-directives'>
+ <varlistentry>
+ <term><varname>Port=</varname></term>
+ <listitem>
+ <para>Specifies the port to be used for the MACsec receive channel. The port is used to make
+ secure channel identifier (SCI). Takes a value between 1 and 65535. This option is
+ compulsory, and is not set by default.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>MACAddress=</varname></term>
+ <listitem>
+ <para>Specifies the MAC address to be used for the MACsec receive channel. The MAC address
+ used to make secure channel identifier (SCI). This option is compulsory, and is not set by
+ default.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+ <refsect1>
+ <title>[MACsecTransmitAssociation] Section Options</title>
+ <para>The <literal>[MACsecTransmitAssociation]</literal> section only applies for network devices
+ of kind <literal>macsec</literal>, and accepts the following keys:</para>
+
+ <variablelist class='network-directives'>
+ <varlistentry>
+ <term><varname>PacketNumber=</varname></term>
+ <listitem>
+ <para>Specifies the packet number to be used for replay protection and the construction of
+ the initialization vector (along with the secure channel identifier [SCI]). Takes a value
+ between 1-4,294,967,295. Defaults to unset.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>KeyId=</varname></term>
+ <listitem>
+ <para>Specifies the identification for the key. Takes a number between 0-255. This option
+ is compulsory, and is not set by default.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>Key=</varname></term>
+ <listitem>
+ <para>Specifies the encryption key used in the transmission channel. The same key must be
+ configured on the peer’s matching receive channel. This option is compulsory, and is not set
+ by default. Takes a 128-bit key encoded in a hexadecimal string, for example
+ <literal>dffafc8d7b9a43d5b9a3dfbbf6a30c16</literal>.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>KeyFile=</varname></term>
+ <listitem>
+ <para>Takes a absolute path to a file which contains a 128-bit key encoded in a hexadecimal
+ string, which will be used in the transmission channel. When this option is specified,
+ <varname>Key=</varname> is ignored. Note that the file must be readable by the user
+ <literal>systemd-network</literal>, so it should be, e.g., owned by
+ <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+ <refsect1>
+ <title>[MACsecReceiveAssociation] Section Options</title>
+ <para>The <literal>[MACsecReceiveAssociation]</literal> section only applies for
+ network devices of kind <literal>macsec</literal>, and accepts the
+ following keys:</para>
+
+ <variablelist class='network-directives'>
+ <varlistentry>
+ <term><varname>Port=</varname></term>
+ <listitem>
+ <para>Accepts the same key in <literal>[MACsecReceiveChannel]</literal> section.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>MACAddress=</varname></term>
+ <listitem>
+ <para>Accepts the same key in <literal>[MACsecReceiveChannel]</literal> section.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>PacketNumber=</varname></term>
+ <listitem>
+ <para>Accepts the same key in <literal>[MACsecTransmitAssociation]</literal> section.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>KeyId=</varname></term>
+ <listitem>
+ <para>Accepts the same key in <literal>[MACsecTransmitAssociation]</literal> section.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>Key=</varname></term>
+ <listitem>
+ <para>Accepts the same key in <literal>[MACsecTransmitAssociation]</literal> section.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>KeyFile=</varname></term>
+ <listitem>
+ <para>Accepts the same key in <literal>[MACsecTransmitAssociation]</literal> section.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
<refsect1>
<title>[Tunnel] Section Options</title>
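Review bot: the new [MACsecTransmitAssociation] Key= entry puts the raw 128-bit key inline in the .netdev file but, unlike the KeyFile= entry right below it, says nothing about who can read that file; add a sentence recommending KeyFile= for the secret (with the same "owned by <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode" guidance) so a world-readable .netdev file does not leak the MACsec key. Several wordings in the same region need fixing as well: "The port is used to make secure channel identifier (SCI)" (both Port= entries) and "The MAC address used to make secure channel identifier (SCI)" are missing an article and a verb ("is used to make the secure channel identifier"); "Takes a absolute path" should be "Takes an absolute path"; the ranges "between 1-4,294,967,295" and "between 0-255" should be written as "between 1 and 4294967295" and "between 0 and 255", matching the Port= entries; and the [MACsecReceiveAssociation] entries read "Accepts the same key in <literal>[...]</literal> section" where the form this same patch settles on for Encapsulation= is "Accepts the same key as in the <literal>[...]</literal> section". Finally, Encrypt= "Defaults to unset." leaves the reader guessing which behaviour unset selects; state it explicitly, since MACsec without encryption still authenticates frames but does not hide their contents, and that distinction matters to anyone enabling this section.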
<term><varname>FooOverUDP=</varname></term>
<listitem>
<para>Takes a boolean. Specifies whether <varname>FooOverUDP=</varname> tunnel is to be configured.
- Defaults to false. For more detail information see
+ Defaults to false. This takes effects only for IPIP, SIT, GRE, and GRETAP tunnels.
+ For more detail information see
<ulink url="https://lwn.net/Articles/614348">Foo over UDP</ulink></para>
</listitem>
</varlistentry>
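Review bot: "This takes effects only for IPIP, SIT, GRE, and GRETAP tunnels." should read "This takes effect only for IPIP, SIT, GRE, and GRETAP tunnels."; since the paragraph is being touched anyway, the following "For more detail information see" should become "For more detailed information, see", and the sentence needs a terminating period before the closing <literal>&lt;/para&gt;</literal>.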
<term><varname>FOUDestinationPort=</varname></term>
<listitem>
<para>This setting specifies the UDP destination port for encapsulation.
- This field is mandatory and is not set by default.</para>
+ This field is mandatory when <varname>FooOverUDP=yes</varname>, and is not set by default.</para>
</listitem>
</varlistentry>
<varlistentry>
<varlistentry>
<term><varname>Encapsulation=</varname></term>
<listitem>
- <para>Accepts the same key as <literal>[FooOverUDP]</literal></para>
+ <para>Accepts the same key as in the <literal>[FooOverUDP]</literal> section.</para>
</listitem>
</varlistentry>
<varlistentry>
following keys:</para>
<variablelist class='network-directives'>
- <varlistentry>
- <term><varname>Protocol=</varname></term>
- <listitem>
- <para>The <varname>Protocol=</varname> specifies the protocol number of the
- packets arriving at the UDP port. This field is mandatory and is not set by default. Valid range is 1-255.</para>
- </listitem>
- </varlistentry>
<varlistentry>
<term><varname>Encapsulation=</varname></term>
<listitem>
for delivery to the real destination. This option is mandatory.</para>
</listitem>
</varlistentry>
- </variablelist>
+ <varlistentry>
+ <term><varname>Protocol=</varname></term>
+ <listitem>
+ <para>The <varname>Protocol=</varname> specifies the protocol number of the packets arriving
+ at the UDP port. When <varname>Encapsulation=FooOverUDP</varname>, this field is mandatory
+ and is not set by default. Takes an IP protocol name such as <literal>gre</literal> or
+ <literal>ipip</literal>, or an integer within the range 1-255. When
+ <varname>Encapsulation=GenericUDPEncapsulation</varname>, this must not be specified.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
</refsect1>
<refsect1>
<title>[Peer] Section Options</title>
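Review bot: the relocated Protocol= entry says "When <varname>Encapsulation=GenericUDPEncapsulation</varname>, this must not be specified." but not what happens when it is specified anyway; say whether the [FooOverUDP] section is rejected or the value is silently ignored, because a silently ignored protocol number would hide a misconfiguration from the administrator. Two smaller points: "The <varname>Protocol=</varname> specifies the protocol number" can simply be "Specifies the protocol number", matching the other entries, and "Takes an IP protocol name such as <literal>gre</literal> or <literal>ipip</literal>" should state where the accepted names come from (only those two, or any name the protocol database resolves), so users know which spellings are valid.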
<varlistentry>
<term><varname>PrivateKeyFile=</varname></term>
<listitem>
- <para>Takes a absolute path to a file which contains the Base64 encoded private key for the interface.
- If both <varname>PrivateKey=</varname> and <varname>PrivateKeyFile=</varname> are specified, and if
- the file specified in <varname>PrivateKeyFile=</varname> contains valid wireguard key, then
- the key provided by <varname>PrivateKey=</varname> is ignored.
+ <para>Takes an absolute path to a file which contains the Base64 encoded private key for the interface.
+ When this option is specified, then <varname>PrivateKey=</varname> is ignored.
Note that the file must be readable by the user <literal>systemd-network</literal>, so it
should be, e.g., owned by <literal>root:systemd-network</literal> with a
<literal>0640</literal> file mode.</para>
with a <literal>0640</literal> file mode.</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>PresharedKeyFile=</varname></term>
+ <listitem>
+ <para>Takes an absolute path to a file which contains the Base64 encoded preshared key for the
+ peer. When this option is specified, then <varname>PresharedKey=</varname> is ignored.
+ Note that the file must be readable by the user <literal>systemd-network</literal>, so it
+ should be, e.g., owned by <literal>root:systemd-network</literal> with a
+ <literal>0640</literal> file mode.</para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><varname>AllowedIPs=</varname></term>
<listitem>
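Review bot: the rewritten PrivateKeyFile= paragraph changes behaviour, not just wording: the removed text made PrivateKey= a fallback whenever the file did not contain a valid wireguard key, while the new "When this option is specified, then <varname>PrivateKey=</varname> is ignored." removes that fallback. That is the safer semantics (a missing or malformed key file should fail loudly rather than silently fall back to the inline key), but please confirm the code actually does that and mention the change explicitly. Drop the superfluous "then" in that sentence and in the matching PresharedKeyFile= sentence ("When this option is specified, <varname>PrivateKey=</varname> is ignored."). The stray line "with a <literal>0640</literal> file mode.</para>" that follows the already closed paragraph looks like a leftover duplicate; it would render as loose text and leave an unmatched closing para, so check whether it exists in the file or is an artifact of the diff.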