name in <filename>/usr/lib</filename>. This can be used to
override a system-supplied configuration file with a local file if
needed. As a special case, an empty file (file size 0) or symlink
- with the same name pointing to <filename>/dev/null</filename>,
- disable the configuration file entirely (it is "masked").</para>
+ with the same name pointing to <filename>/dev/null</filename>
+ disables the configuration file entirely (it is "masked").</para>
</refsect1>
<refsect1>
<entry>A bond device is an aggregation of all its slave devices. See <ulink url="https://www.kernel.org/doc/Documentation/networking/bonding.txt">Linux Ethernet Bonding Driver HOWTO</ulink> for details.Local configuration</entry></row>
<row><entry><varname>bridge</varname></entry>
- <entry>A bridge device is a software switch, each of its slave devices and the bridge itself are ports of the switch.</entry></row>
+ <entry>A bridge device is a software switch, and each of its slave devices and the bridge itself are ports of the switch.</entry></row>
<row><entry><varname>dummy</varname></entry>
<entry>A dummy device drops all packets sent to it.</entry></row>
<entry>An IPv4 or IPv6 tunnel over IPv6</entry></row>
<row><entry><varname>ip6gretap</varname></entry>
- <entry>An Level 2 GRE tunnel over IPv6.</entry></row>
+ <entry>A Level 2 GRE tunnel over IPv6.</entry></row>
<row><entry><varname>ipip</varname></entry>
<entry>An IPv4 over IPv4 tunnel.</entry></row>
<entry>A persistent Level 3 tunnel between a network device and a device node.</entry></row>
<row><entry><varname>veth</varname></entry>
- <entry>An ethernet tunnel between a pair of network devices.</entry></row>
+ <entry>An Ethernet tunnel between a pair of network devices.</entry></row>
<row><entry><varname>vlan</varname></entry>
<entry>A VLAN is a stacked device which receives packets from its underlying device based on VLAN tagging. See <ulink url="http://www.ieee802.org/1/pages/802.1Q.html">IEEE 802.1Q</ulink> for details.</entry></row>
<row><entry><varname>vxlan</varname></entry>
<entry>A virtual extensible LAN (vxlan), for connecting Cloud computing deployments.</entry></row>
+
+ <row><entry><varname>vrf</varname></entry>
+ <entry>A Virtual Routing and Forwarding (<ulink url="https://www.kernel.org/doc/Documentation/networking/vrf.txt">VRF</ulink>) interface to create separate routing and forwarding domains.</entry></row>
+
</tbody>
</tgroup>
</table>
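Review bot: The new vrf row is wrapped in two added lines that contain only whitespace, one before the row and one before the closing tbody; none of the other rows in this table are separated that way. Drop both whitespace-only lines so the row sits directly after the vxlan entry like its neighbours.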
<para>The <literal>[Bridge]</literal> section only applies for
netdevs of kind <literal>bridge</literal>, and accepts the
- following key:</para>
+ following keys:</para>
<variablelist class='network-directives'>
<varlistentry>
<term><varname>HelloTimeSec=</varname></term>
<listitem>
- <para>HelloTimeSec specifies the number of seconds a hello packet is
+ <para>HelloTimeSec specifies the number of seconds between two hello packets
sent out by the root bridge and the designated bridges. Hello packets are
used to communicate information about the topology throughout the entire
bridged local area network.</para>
of the Listening and Learning states before the Forwarding state is entered.</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>MulticastQuerier=</varname></term>
+ <listitem>
+ <para>A boolean. This setting controls the IFLA_BR_MCAST_QUERIER option in the kernel.
+ If enabled, the kernel will send general ICMP queries from a zero source address.
+ This feature should allow faster convergence on startup, but it causes some
+ multicast-aware switches to misbehave and disrupt forwarding of multicast packets.
+ When unset, the kernel's default setting applies.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>MulticastSnooping=</varname></term>
+ <listitem>
+ <para>A boolean. This setting controls the IFLA_BR_MCAST_SNOOPING option in the kernel.
+ If enabled, IGMP snooping monitors the Internet Group Management Protocol (IGMP) traffic
+ between hosts and multicast routers. When unset, the kernel's default setting applies.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>VLANFiltering=</varname></term>
+ <listitem>
+ <para>A boolean. This setting controls the IFLA_BR_VLAN_FILTERING option in the kernel.
+ If enabled, the bridge will be started in VLAN-filtering mode. When unset, the kernel's
+ default setting applies.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
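Review bot: In the added MulticastQuerier= paragraph, "the kernel will send general ICMP queries" looks like a typo for IGMP; the MulticastSnooping= entry right below it talks about IGMP traffic, and multicast group queries are an IGMP function. Please confirm and change to "general IGMP queries". The MulticastSnooping= text also says only what snooping monitors, not what the bridge does with the result; one more clause on the effect would help the reader decide whether to enable it.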
<para>The <literal>[MACVTAP]</literal> section applies for
netdevs of kind <literal>macvtap</literal> and accepts the
- same key as <literal>[MACVLAN].</literal> </para>
+ same key as <literal>[MACVLAN]</literal>.</para>
</refsect1>
<term><varname>TTL=</varname></term>
<listitem>
<para>A fixed Time To Live N on Virtual eXtensible Local
- Area Network packets. N is a number in the range 1-255. 0
+ Area Network packets. N is a number in the range 1–255. 0
is a special value meaning that packets inherit the TTL
value.</para>
</listitem>
<term><varname>FDBAgeingSec=</varname></term>
<listitem>
<para>The lifetime of Forwarding Database entry learnt by
- the kernel in seconds.</para>
+ the kernel, in seconds.</para>
</listitem>
</varlistentry>
<varlistentry>
<varlistentry>
<term><varname>ARPProxy=</varname></term>
<listitem>
- <para>A boolean. When true, enables ARP proxy.</para>
+ <para>A boolean. When true, enables ARP proxying.</para>
</listitem>
</varlistentry>
<varlistentry>
<varlistentry>
<term><varname>L3MissNotification=</varname></term>
<listitem>
- <para>A boolean. When true, enables netlink IP ADDR miss
+ <para>A boolean. When true, enables netlink IP address miss
notifications.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>RouteShortCircuit=</varname></term>
<listitem>
- <para>A boolean. When true route short circuit is turned
+ <para>A boolean. When true, route short circuiting is turned
on.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>UDPCheckSum=</varname></term>
<listitem>
- <para>A boolean. When true transmitting UDP checksums when doing VXLAN/IPv4 is turned on.</para>
+ <para>A boolean. When true, transmitting UDP checksums when doing VXLAN/IPv4 is turned on.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>UDP6ZeroChecksumTx=</varname></term>
<listitem>
- <para>A boolean. When true sending zero checksums in VXLAN/IPv6 is turned on.</para>
+ <para>A boolean. When true, sending zero checksums in VXLAN/IPv6 is turned on.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>UDP6ZeroCheckSumRx=</varname></term>
<listitem>
- <para>A boolean. When true receiving zero checksums in VXLAN/IPv6 is turned on.</para>
+ <para>A boolean. When true, receiving zero checksums in VXLAN/IPv6 is turned on.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>GroupPolicyExtension=</varname></term>
<listitem>
- <para>A boolean. When true it enables Group Policy VXLAN extension security label mechanism
- across network peers based on VXLAN. For details about the Group Policy VXLAN see the
+ <para>A boolean. When true, it enables Group Policy VXLAN extension security label mechanism
+ across network peers based on VXLAN. For details about the Group Policy VXLAN, see the
<ulink url="https://tools.ietf.org/html/draft-smith-vxlan-group-policy">
VXLAN Group Policy </ulink> document. Defaults to false.</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>DestinationPort=</varname></term>
+ <listitem>
+ <para>Configures the default destination UDP port on a per-device basis.
+ If destination port is not specified then Linux kernel default will be used.
+ Set destination port 4789 to get the IANA assigned value,
+ and destination port 0 to get default values.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>PortRange=</varname></term>
+ <listitem>
+ <para>Configures VXLAN port range. VXLAN bases source
+ UDP port based on flow to help the receiver to be able
+ to load balance based on outer header flow. It
+ restricts the port range to the normal UDP local
+ ports, and allows overriding via configuration.</para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
<refsect1>
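Review bot: The added PortRange= entry never says how the range is written (separator, order of low and high port), so a user cannot fill the setting in from this text alone; add the syntax and a sample value. In DestinationPort=, "If destination port is not specified then Linux kernel default will be used" and "destination port 0 to get default values" say the same thing twice in different words; merge them into one sentence and say explicitly that 4789 is not what the kernel picks by default. While these lines are being touched, the context also shows UDP6ZeroChecksumTx= next to UDP6ZeroCheckSumRx= with different capitalisation of "Checksum"; please check the documented names against what the parser accepts.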
<term><varname>TOS=</varname></term>
<listitem>
<para>The Type Of Service byte value for a tunnel interface.
- For details about the TOS see the
+ For details about the TOS, see the
<ulink url="http://tools.ietf.org/html/rfc1349"> Type of
Service in the Internet Protocol Suite </ulink> document.
</para>
<term><varname>TTL=</varname></term>
<listitem>
<para>A fixed Time To Live N on tunneled packets. N is a
- number in the range 1-255. 0 is a special value meaning that
+ number in the range 1–255. 0 is a special value meaning that
packets inherit the TTL value. The default value for IPv4
- tunnels is: inherit. The default value for IPv6 tunnels is:
+ tunnels is: inherit. The default value for IPv6 tunnels is
64.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>IPv6FlowLabel=</varname></term>
<listitem>
- <para>Configures The 20-bit Flow Label (see <ulink url="https://tools.ietf.org/html/rfc6437">
+ <para>Configures the 20-bit flow label (see <ulink url="https://tools.ietf.org/html/rfc6437">
RFC 6437</ulink>) field in the IPv6 header (see <ulink url="https://tools.ietf.org/html/rfc2460">
- RFC 2460</ulink>), is used by a node to label packets of a flow.
- It's only used for IPv6 Tunnels.
- A Flow Label of zero is used to indicate packets that have
- not been labeled. Takes following values.
- When <literal>inherit</literal> it uses the original flowlabel,
- or can be configured to any value between 0 to 0xFFFFF.</para>
+ RFC 2460</ulink>), which is used by a node to label packets of a flow.
+ It is only used for IPv6 tunnels.
+ A flow label of zero is used to indicate packets that have
+ not been labeled.
+ It can be configured to a value in the range 0–0xFFFFF, or be
+ set to <literal>inherit</literal>, in which case the original flowlabel is used.</para>
</listitem>
</varlistentry>
<varlistentry>
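Review bot: The TTL= change removes the colon in "The default value for IPv6 tunnels is 64" but keeps it in the sentence before, "tunnels is: inherit", so the two parallel sentences now differ. Either drop both colons or mark up inherit as a literal. In IPv6FlowLabel=, the rewritten text uses "flow label" three times and then "the original flowlabel"; use one spelling throughout.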
value of zero means that a packet carrying that option may not enter
another tunnel before exiting the current tunnel.
(see <ulink url="https://tools.ietf.org/html/rfc2473#section-4.1.1"> RFC 2473</ulink>).
- The valid range is 0-255 and <literal>none</literal>. Defaults to 4.
+ The valid range is 0–255 and <literal>none</literal>. Defaults to 4.
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>Key=</varname></term>
+ <listitem>
+ <para>The <varname>Key=</varname> parameter specifies the same key to use in
+ both directions (<varname>InputKey=</varname> and <varname>OutputKey=</varname>).
+ The <varname>Key=</varname> is either a number or an IPv4 address-like dotted quad.
+ It is used as mark-configured SAD/SPD entry as part of the lookup key (both in data
+ and control path) in ip xfrm (framework used to implement IPsec protocol).
+ See <ulink url="http://man7.org/linux/man-pages/man8/ip-xfrm.8.html">
+ ip-xfrm — transform configuration</ulink> for details. It is only used for VTI/VTI6
+ tunnels.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>InputKey=</varname></term>
+ <listitem>
+ <para>The <varname>InputKey=</varname> parameter specifies the key to use for input.
+ The format is same as <varname>Key=</varname>. It is only used for VTI/VTI6 tunnels.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>OutputKey=</varname></term>
+ <listitem>
+ <para>The <varname>OutputKey=</varname> parameter specifies the key to use for output.
+ The format is same as <varname>Key=</varname>. It is only used for VTI/VTI6 tunnels.</para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><varname>Mode=</varname></term>
<listitem>
- <para>An <literal>ip6tnl</literal> tunnels can have three
+ <para>An <literal>ip6tnl</literal> tunnel can be in one of three
modes
<literal>ip6ip6</literal> for IPv6 over IPv6,
<literal>ipip6</literal> for IPv4 over IPv6 or
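Review bot: In the added Key= entry, "It is used as mark-configured SAD/SPD entry as part of the lookup key" does not parse, so the reader cannot tell what the key is matched against; reword it into a plain statement of how the key takes part in the SAD/SPD lookup. The entry should also say what happens when Key= is set together with InputKey= or OutputKey=, since Key= is described as setting both. In InputKey= and OutputKey=, "The format is same as" needs "the same as".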
<para>The <literal>[Peer]</literal> section only applies for
netdevs of kind <literal>veth</literal> and accepts the
- following key:</para>
+ following keys:</para>
<variablelist class='network-directives'>
<varlistentry>
<varlistentry>
<term><varname>MACAddress=</varname></term>
<listitem>
- <para>The peer MACAddress, if not set it is generated in
+ <para>The peer MACAddress, if not set, it is generated in
the same way as the MAC address of the main
interface.</para>
</listitem>
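Review bot: Adding the comma in "The peer MACAddress, if not set, it is generated in" leaves a comma splice rather than fixing the sentence. Split it instead: "The peer MACAddress. If not set, it is generated in the same way as the MAC address of the main interface."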
<term><varname>PacketInfo=</varname></term>
<listitem><para>Takes a boolean argument. Configures whether
packets should be prepended with four extra bytes (two flag
- bytes and two protocol bytes). If disabled it indicates that
+ bytes and two protocol bytes). If disabled, it indicates that
the packets will be pure IP packets. Defaults to
<literal>no</literal>.</para>
</listitem>
<literal>layer2</literal>,
<literal>layer3+4</literal>,
<literal>layer2+3</literal>,
- <literal>encap2+3</literal>,
- <literal>802.3ad</literal>, and
+ <literal>encap2+3</literal>, and
<literal>encap3+4</literal>.
</para>
</listitem>
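Review bot: This hunk does more than move the "and": it removes the 802.3ad literal from the list of accepted values. That is a change to the documented values inside a patch that otherwise only fixes grammar, so it should be called out in the commit message with the reason, or split into its own commit.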
<term><varname>LearnPacketIntervalSec=</varname></term>
<listitem>
<para>Specifies the number of seconds between instances where the bonding
- driver sends learning packets to each slaves peer switch.
- The valid range is 1 - 0x7fffffff; the default value is 1. This Option
- has effect only in balance-tlb and balance-alb modes.</para>
+ driver sends learning packets to each slave peer switch.
+ The valid range is 1–0x7fffffff; the default value is 1. This option
+ has an effect only for the balance-tlb and balance-alb modes.</para>
</listitem>
</varlistentry>
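Review bot: "each slaves peer switch" was missing an apostrophe, and changing it to "each slave peer switch" drops the possessive and changes the meaning. It should read "each slave's peer switch".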
<listitem>
<para>Specifies the 802.3ad aggregation selection logic to use. Possible values are
<literal>stable</literal>,
- <literal>bandwidth</literal>,
- <literal>count</literal>
+ <literal>bandwidth</literal> and
+ <literal>count</literal>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>FailOverMACPolicy=</varname></term>
<listitem>
- <para>Specifies whether active-backup mode should set all slaves to
- the same MAC address at enslavement or, when enabled, perform special handling of the
+ <para>Specifies whether the active-backup mode should set all slaves to
+ the same MAC address at the time of enslavement or, when enabled, to perform special handling of the
bond's MAC address in accordance with the selected policy. The default policy is none.
Possible values are
<literal>none</literal>,
- <literal>active</literal>,
- <literal>follow</literal>
+ <literal>active</literal> and
+ <literal>follow</literal>.
</para>
</listitem>
</varlistentry>
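Review bot: In FailOverMACPolicy=, the added "to" in "or, when enabled, to perform special handling" breaks the parallel with "should set all slaves"; both verbs hang off "should", so keep "perform". The sentence also still says "when enabled" although the setting takes none, active or follow rather than a boolean; "when set to active or follow" would match the value list below it.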
monitoring purposes. Possible values are
<literal>none</literal>,
<literal>active</literal>,
- <literal>backup</literal>,
- <literal>all</literal>
+ <literal>backup</literal> and
+ <literal>all</literal>.
</para>
</listitem>
</varlistentry>
<para>Specifies the IP addresses to use as ARP monitoring peers when
ARPIntervalSec is greater than 0. These are the targets of the ARP request
sent to determine the health of the link to the targets.
- Specify these values in ipv4 dotted decimal format. At least one IP
+ Specify these values in IPv4 dotted decimal format. At least one IP
address must be given for ARP monitoring to function. The
maximum number of targets that can be specified is 16. The
default value is no IP addresses.
in order for the ARP monitor to consider a slave as being up.
This option affects only active-backup mode for slaves with
ARPValidate enabled. Possible values are
- <literal>any</literal>,
- <literal>all</literal>
+ <literal>any</literal> and
+ <literal>all</literal>.
</para>
</listitem>
</varlistentry>
occurs. This option is designed to prevent flip-flopping between
the primary slave and other slaves. Possible values are
<literal>always</literal>,
- <literal>better</literal>,
- <literal>failure</literal>
+ <literal>better</literal> and
+ <literal>failure</literal>.
</para>
</listitem>
</varlistentry>
<para>Specifies the number of IGMP membership reports to be issued after
a failover event. One membership report is issued immediately after
the failover, subsequent packets are sent in each 200ms interval.
- The valid range is (0 - 255). Defaults to 1. A value of 0
+ The valid range is 0–255. Defaults to 1. A value of 0
prevents the IGMP membership report from being issued in response
to the failover event.
</para>
<varlistentry>
<term><varname>PacketsPerSlave=</varname></term>
<listitem>
- <para> Specify the number of packets to transmit through a slave before
- moving to the next one. When set to 0 then a slave is chosen at
- random. The valid range is (0 - 65535). Defaults to 1. This option
- has effect only in balance-rr mode.
+ <para>Specify the number of packets to transmit through a slave before
+ moving to the next one. When set to 0, then a slave is chosen at
+ random. The valid range is 0–65535. Defaults to 1. This option
+ only has effect when in balance-rr mode.
</para>
</listitem>
</varlistentry>
<listitem>
<para>Specify the number of peer notifications (gratuitous ARPs and
unsolicited IPv6 Neighbor Advertisements) to be issued after a
- failover event. As soon as the link is up on the new slave
+ failover event. As soon as the link is up on the new slave,
a peer notification is sent on the bonding device and each
VLAN sub-device. This is repeated at each link monitor interval
(ARPIntervalSec or MIIMonitorSec, whichever is active) if the number is
- greater than 1. The valid range is (0 - 255). Default value is 1.
+ greater than 1. The valid range is 0–255. The default value is 1.
These options affect only the active-backup mode.
</para>
</listitem>
<varlistentry>
<term><varname>AllSlavesActive=</varname></term>
<listitem>
- <para> A boolean. Specifies that duplicate frames (received on inactive ports)
- should be dropped false or delivered true. Normally, bonding will drop
+ <para>A boolean. Specifies that duplicate frames (received on inactive ports)
+ should be dropped when false, or delivered when true. Normally, bonding will drop
duplicate frames (received on inactive ports), which is desirable for
most users. But there are some times it is nice to allow duplicate
frames to be delivered. The default value is false (drop duplicate frames
Kind=dummy
MACAddress=12:34:56:78:9a:bc</programlisting>
</example>
+ <example>
+ <title>/etc/systemd/network/25-vrf.netdev</title>
+ <para>Create a VRF interface with table 42.</para>
+ <programlisting>[NetDev]
+Name=vrf-test
+Kind=vrf
+[VRF]
+TableId=42</programlisting>
+ </example>
</refsect1>
<refsect1>
<title>See Also</title>
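Review bot: The new example uses a [VRF] section with TableId=, but none of the hunks shown here add a [VRF] section description to the page, so the example refers to a setting the reader cannot look up. Add a short section documenting TableId= alongside the example. Also put an empty line between Kind=vrf and [VRF] in the programlisting so the two sections are visually separate.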