<entry>A Level 2 GRE tunnel over IPv4.</entry></row>
<row><entry><varname>erspan</varname></entry>
- <entry>ERSPAN mirrors traffic on one or more source ports and delivers the mirrored traffic to one or more destination ports on another switch.
- The traffic is encapsulated in generic routing encapsulation (GRE) and is therefore routable across a layer 3 network between the source switch
- and the destination switch.</entry></row>
+ <entry>ERSPAN mirrors traffic on one or more source ports and delivers the mirrored traffic to one or more destination ports on another switch. The traffic is encapsulated in generic routing encapsulation (GRE) and is therefore routable across a layer 3 network between the source switch and the destination switch.</entry></row>
<row><entry><varname>ip6gre</varname></entry>
<entry>A Level 3 GRE tunnel over IPv6.</entry></row>
<row><entry><varname>l2tp</varname></entry>
<entry>A Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It does not provide any encryption or confidentiality by itself</entry></row>
+ <row><entry><varname>macsec</varname></entry>
+ <entry>Media Access Control Security (MACsec) is an 802.1AE IEEE industry-standard security technology that provides secure communication for all traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly connected nodes and is capable of identifying and preventing most security threats.</entry></row>
+
<row><entry><varname>vrf</varname></entry>
<entry>A Virtual Routing and Forwarding (<ulink url="https://www.kernel.org/doc/Documentation/networking/vrf.txt">VRF</ulink>) interface to create separate routing and forwarding domains.</entry></row>
<varlistentry>
<term><varname>Host=</varname></term>
<listitem>
- <para>Matches against the hostname or machine ID of the
- host. See <literal>ConditionHost=</literal> in
+ <para>Matches against the hostname or machine ID of the host. See
+ <literal>ConditionHost=</literal> in
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- for details.
+ for details. When prefixed with an exclamation mark (<literal>!</literal>), the result is negated.
+ If an empty string is assigned, then previously assigned value is cleared.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>Virtualization=</varname></term>
<listitem>
- <para>Checks whether the system is executed in a virtualized
- environment and optionally test whether it is a specific
- implementation. See
- <literal>ConditionVirtualization=</literal> in
+ <para>Checks whether the system is executed in a virtualized environment and optionally test
+ whether it is a specific implementation. See <literal>ConditionVirtualization=</literal> in
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- for details.
+ for details. When prefixed with an exclamation mark (<literal>!</literal>), the result is negated.
+ If an empty string is assigned, then previously assigned value is cleared.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>KernelCommandLine=</varname></term>
<listitem>
- <para>Checks whether a specific kernel command line option
- is set (or if prefixed with the exclamation mark unset). See
+ <para>Checks whether a specific kernel command line option is set. See
<literal>ConditionKernelCommandLine=</literal> in
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- for details.
+ for details. When prefixed with an exclamation mark (<literal>!</literal>), the result is negated.
+ If an empty string is assigned, then previously assigned value is cleared.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>KernelVersion=</varname></term>
<listitem>
- <para>Checks whether the kernel version (as reported by <command>uname -r</command>) matches a certain
- expression (or if prefixed with the exclamation mark does not match it). See
- <literal>ConditionKernelVersion=</literal> in
- <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> for details.
+ <para>Checks whether the kernel version (as reported by <command>uname -r</command>) matches a
+ certain expression. See <literal>ConditionKernelVersion=</literal> in
+ <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ for details. When prefixed with an exclamation mark (<literal>!</literal>), the result is negated.
+ If an empty string is assigned, then previously assigned value is cleared.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>Architecture=</varname></term>
<listitem>
- <para>Checks whether the system is running on a specific
- architecture. See <literal>ConditionArchitecture=</literal> in
+ <para>Checks whether the system is running on a specific architecture. See
+ <literal>ConditionArchitecture=</literal> in
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- for details.
+ for details. When prefixed with an exclamation mark (<literal>!</literal>), the result is negated.
+ If an empty string is assigned, then previously assigned value is cleared.
</para>
</listitem>
</varlistentry>
</varlistentry>
</variablelist>
</refsect1>
+ <refsect1>
+ <title>[MACsec] Section Options</title>
+ <para>The <literal>[MACsec]</literal> section only applies for network devices of kind
+ <literal>macsec</literal>, and accepts the following keys:</para>
+
+ <variablelist class='network-directives'>
+ <varlistentry>
+ <term><varname>Port=</varname></term>
+ <listitem>
+ <para>Specifies the port to be used for the MACsec transmit channel. The port is used to make
+ secure channel identifier (SCI). Takes a value between 1 and 65535. Defaults to unset.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>Encrypt=</varname></term>
+ <listitem>
+ <para>Takes a boolean. When true, enable encryption. Defaults to unset.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+ <refsect1>
+ <title>[MACsecReceiveChannel] Section Options</title>
+ <para>The <literal>[MACsecReceiveChannel]</literal> section only applies for network devices of
+ kind <literal>macsec</literal>, and accepts the following keys:</para>
+
+ <variablelist class='network-directives'>
+ <varlistentry>
+ <term><varname>Port=</varname></term>
+ <listitem>
+ <para>Specifies the port to be used for the MACsec receive channel. The port is used to make
+ secure channel identifier (SCI). Takes a value between 1 and 65535. This option is
+ compulsory, and is not set by default.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>MACAddress=</varname></term>
+ <listitem>
+ <para>Specifies the MAC address to be used for the MACsec receive channel. The MAC address
+ used to make secure channel identifier (SCI). This option is compulsory, and is not set by
+ default.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+ <refsect1>
+ <title>[MACsecTransmitAssociation] Section Options</title>
+ <para>The <literal>[MACsecTransmitAssociation]</literal> section only applies for network devices
+ of kind <literal>macsec</literal>, and accepts the following keys:</para>
+
+ <variablelist class='network-directives'>
+ <varlistentry>
+ <term><varname>PacketNumber=</varname></term>
+ <listitem>
+ <para>Specifies the packet number to be used for replay protection and the construction of
+ the initialization vector (along with the secure channel identifier [SCI]). Takes a value
+ between 1-4,294,967,295. Defaults to unset.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>KeyId=</varname></term>
+ <listitem>
+ <para>Specifies the identification for the key. Takes a number between 0-255. This option
+ is compulsory, and is not set by default.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>Key=</varname></term>
+ <listitem>
+ <para>Specifies the encryption key used in the transmission channel. The same key must be
+ configured on the peer’s matching receive channel. This option is compulsory, and is not set
+ by default. Takes a 128-bit key encoded in a hexadecimal string, for example
+ <literal>dffafc8d7b9a43d5b9a3dfbbf6a30c16</literal>.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>KeyFile=</varname></term>
+ <listitem>
+ <para>Takes a absolute path to a file which contains a 128-bit key encoded in a hexadecimal
+ string, which will be used in the transmission channel. When this option is specified,
+ <varname>Key=</varname> is ignored. Note that the file must be readable by the user
+ <literal>systemd-network</literal>, so it should be, e.g., owned by
+ <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>Activate=</varname></term>
+ <listitem>
+ <para>Takes a boolean. If enabled, then the security association is activated. Defaults to
+ unset.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>UseForEncoding=</varname></term>
+ <listitem>
+ <para>Takes a boolean. If enabled, then the security association is used for encoding. Only
+ one <literal>[MACsecTransmitAssociation]</literal> section can enable this option. When enabled,
+ <varname>Activate=yes</varname> is implied. Defaults to unset.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+ <refsect1>
+ <title>[MACsecReceiveAssociation] Section Options</title>
+ <para>The <literal>[MACsecReceiveAssociation]</literal> section only applies for
+ network devices of kind <literal>macsec</literal>, and accepts the
+ following keys:</para>
+
+ <variablelist class='network-directives'>
+ <varlistentry>
+ <term><varname>Port=</varname></term>
+ <listitem>
+ <para>Accepts the same key in <literal>[MACsecReceiveChannel]</literal> section.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>MACAddress=</varname></term>
+ <listitem>
+ <para>Accepts the same key in <literal>[MACsecReceiveChannel]</literal> section.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>PacketNumber=</varname></term>
+ <listitem>
+ <para>Accepts the same key in <literal>[MACsecTransmitAssociation]</literal> section.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>KeyId=</varname></term>
+ <listitem>
+ <para>Accepts the same key in <literal>[MACsecTransmitAssociation]</literal> section.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>Key=</varname></term>
+ <listitem>
+ <para>Accepts the same key in <literal>[MACsecTransmitAssociation]</literal> section.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>KeyFile=</varname></term>
+ <listitem>
+ <para>Accepts the same key in <literal>[MACsecTransmitAssociation]</literal> section.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>Activate=</varname></term>
+ <listitem>
+ <para>Accepts the same key in <literal>[MACsecTransmitAssociation]</literal> section.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
<refsect1>
<title>[Tunnel] Section Options</title>
<varlistentry>
<term><varname>Local=</varname></term>
<listitem>
- <para>A static local address for tunneled packets. It must
- be an address on another interface of this host.</para>
+ <para>A static local address for tunneled packets. It must be an address on another interface of
+ this host, or the special value <literal>any</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>Remote=</varname></term>
<listitem>
- <para>The remote endpoint of the tunnel.</para>
+ <para>The remote endpoint of the tunnel. Takes an IP address or the special value
+ <literal>any</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
It is used as mark-configured SAD/SPD entry as part of the lookup key (both in data
and control path) in ip xfrm (framework used to implement IPsec protocol).
See <ulink url="http://man7.org/linux/man-pages/man8/ip-xfrm.8.html">
- ip-xfrm — transform configuration</ulink> for details. It is only used for VTI/VTI6
- tunnels.</para>
+ ip-xfrm — transform configuration</ulink> for details. It is only used for VTI/VTI6,
+ GRE, GRETAP, and ERSPAN tunnels.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>InputKey=</varname></term>
<listitem>
<para>The <varname>InputKey=</varname> parameter specifies the key to use for input.
- The format is same as <varname>Key=</varname>. It is only used for VTI/VTI6 tunnels.</para>
+ The format is same as <varname>Key=</varname>. It is only used for VTI/VTI6, GRE, GRETAP,
+ and ERSPAN tunnels.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>OutputKey=</varname></term>
<listitem>
<para>The <varname>OutputKey=</varname> parameter specifies the key to use for output.
- The format is same as <varname>Key=</varname>. It is only used for VTI/VTI6 tunnels.</para>
+ The format is same as <varname>Key=</varname>. It is only used for VTI/VTI6, GRE, GRETAP,
+ and ERSPAN tunnels.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>FooOverUDP=</varname></term>
<listitem>
<para>Takes a boolean. Specifies whether <varname>FooOverUDP=</varname> tunnel is to be configured.
- Defaults to false. For more detail information see
+ Defaults to false. This takes effects only for IPIP, SIT, GRE, and GRETAP tunnels.
+ For more detail information see
<ulink url="https://lwn.net/Articles/614348">Foo over UDP</ulink></para>
</listitem>
</varlistentry>
<term><varname>FOUDestinationPort=</varname></term>
<listitem>
<para>This setting specifies the UDP destination port for encapsulation.
- This field is mandatory and is not set by default.</para>
+ This field is mandatory when <varname>FooOverUDP=yes</varname>, and is not set by default.</para>
</listitem>
</varlistentry>
<varlistentry>
<varlistentry>
<term><varname>Encapsulation=</varname></term>
<listitem>
- <para>Accepts the same key as <literal>[FooOverUDP]</literal></para>
+ <para>Accepts the same key as in the <literal>[FooOverUDP]</literal> section.</para>
</listitem>
</varlistentry>
<varlistentry>
<varlistentry>
<term><varname>SerializeTunneledPackets=</varname></term>
<listitem>
- <para>Takes a boolean. If set to yes, then packets are serialized. Only applies for ERSPAN tunnel.
- When unset, the kernel's default will be used.
+ <para>Takes a boolean. If set to yes, then packets are serialized. Only applies for GRE,
+ GRETAP, and ERSPAN tunnels. When unset, the kernel's default will be used.
</para>
</listitem>
</varlistentry>
following keys:</para>
<variablelist class='network-directives'>
- <varlistentry>
- <term><varname>Protocol=</varname></term>
- <listitem>
- <para>The <varname>Protocol=</varname> specifies the protocol number of the
- packets arriving at the UDP port. This field is mandatory and is not set by default. Valid range is 1-255.</para>
- </listitem>
- </varlistentry>
<varlistentry>
<term><varname>Encapsulation=</varname></term>
<listitem>
for delivery to the real destination. This option is mandatory.</para>
</listitem>
</varlistentry>
- </variablelist>
+ <varlistentry>
+ <term><varname>Protocol=</varname></term>
+ <listitem>
+ <para>The <varname>Protocol=</varname> specifies the protocol number of the packets arriving
+ at the UDP port. When <varname>Encapsulation=FooOverUDP</varname>, this field is mandatory
+ and is not set by default. Takes an IP protocol name such as <literal>gre</literal> or
+ <literal>ipip</literal>, or an integer within the range 1-255. When
+ <varname>Encapsulation=GenericUDPEncapsulation</varname>, this must not be specified.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
</refsect1>
<refsect1>
<title>[Peer] Section Options</title>
<varlistentry>
<term><varname>PrivateKeyFile=</varname></term>
<listitem>
- <para>Takes a absolute path to a file which contains the Base64 encoded private key for the interface.
- If both <varname>PrivateKey=</varname> and <varname>PrivateKeyFile=</varname> are specified, and if
- the file specified in <varname>PrivateKeyFile=</varname> contains valid wireguard key, then
- the key provided by <varname>PrivateKey=</varname> is ignored.
+ <para>Takes an absolute path to a file which contains the Base64 encoded private key for the interface.
+ When this option is specified, then <varname>PrivateKey=</varname> is ignored.
Note that the file must be readable by the user <literal>systemd-network</literal>, so it
should be, e.g., owned by <literal>root:systemd-network</literal> with a
<literal>0640</literal> file mode.</para>
with a <literal>0640</literal> file mode.</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>PresharedKeyFile=</varname></term>
+ <listitem>
+ <para>Takes an absolute path to a file which contains the Base64 encoded preshared key for the
+ peer. When this option is specified, then <varname>PresharedKey=</varname> is ignored.
+ Note that the file must be readable by the user <literal>systemd-network</literal>, so it
+ should be, e.g., owned by <literal>root:systemd-network</literal> with a
+ <literal>0640</literal> file mode.</para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><varname>AllowedIPs=</varname></term>
<listitem>
projects / thirdparty / systemd.git / blobdiff