<para>A plain ini-style text file that encodes configuration about a virtual network device, used by
<citerefentry><refentrytitle>systemd-networkd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
- See <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ See <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry>
for a general description of the syntax.</para>
<para>The main Virtual Network Device file must have the extension <filename>.netdev</filename>;
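Review bot: only this one citerefentry to systemd.syntax is visibly moved from manvolnum 5 to 7. Please confirm that every other reference to systemd.syntax in this page (for example under See Also) gets the same update, otherwise the rendered page links to two different sections.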
<title>[Match] Section Options</title>
<para>A virtual network device is only created if the
- <literal>[Match]</literal> section matches the current
+ [Match] section matches the current
environment, or if the section is empty. The following keys are
accepted:</para>
<refsect1>
<title>[NetDev] Section Options</title>
- <para>The <literal>[NetDev]</literal> section accepts the
+ <para>The [NetDev] section accepts the
following keys:</para>
<variablelist class='network-directives'>
<para>The maximum transmission unit in bytes to set for the device. The usual suffixes K, M, G
are supported and are understood to the base of 1024. For <literal>tun</literal> or
<literal>tap</literal> devices, <varname>MTUBytes=</varname> setting is not currently supported in
- <literal>[NetDev]</literal> section. Please specify it in <literal>[Link]</literal> section of
+ [NetDev] section. Please specify it in [Link] section of
corresponding
<citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
files.</para>
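Review bot: with the literal tags dropped, the MTUBytes= text now reads "not currently supported in [NetDev] section. Please specify it in [Link] section of corresponding", with no articles. The MACAddress= entry in this same patch says "in the [NetDev] section". Suggest "in the [NetDev] section" and "in the [Link] section of the corresponding" here, so that the two entries match.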
<term><varname>MACAddress=</varname></term>
<listitem>
<para>The MAC address to use for the device. For <literal>tun</literal> or <literal>tap</literal>
- devices, setting <varname>MACAddress=</varname> in the <literal>[NetDev]</literal> section is not
- supported. Please specify it in <literal>[Link]</literal> section of the corresponding
+ devices, setting <varname>MACAddress=</varname> in the [NetDev] section is not
+ supported. Please specify it in [Link] section of the corresponding
<citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
file. If this option is not set, <literal>vlan</literal> devices inherit the MAC address of the
physical interface. For other kind of netdevs, if this option is not set, then MAC address is
<refsect1>
<title>[Bridge] Section Options</title>
- <para>The <literal>[Bridge]</literal> section only applies for
+ <para>The [Bridge] section only applies for
netdevs of kind <literal>bridge</literal>, and accepts the
following keys:</para>
<refsect1>
<title>[VLAN] Section Options</title>
- <para>The <literal>[VLAN]</literal> section only applies for
+ <para>The [VLAN] section only applies for
netdevs of kind <literal>vlan</literal>, and accepts the
following key:</para>
<refsect1>
<title>[MACVLAN] Section Options</title>
- <para>The <literal>[MACVLAN]</literal> section only applies for
+ <para>The [MACVLAN] section only applies for
netdevs of kind <literal>macvlan</literal>, and accepts the
following key:</para>
<para>The MACVLAN mode to use. The supported options are
<literal>private</literal>,
<literal>vepa</literal>,
- <literal>bridge</literal>, and
- <literal>passthru</literal>.
+ <literal>bridge</literal>,
+ <literal>passthru</literal>, and
+ <literal>source</literal>.
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>SourceMACAddress=</varname></term>
+ <listitem>
+ <para>A whitespace-separated list of remote hardware addresses allowed on the MACVLAN. This
+ option only has an effect in source mode. Use full colon-, hyphen- or dot-delimited
+ hexadecimal. This option may appear more than once, in which case the lists are merged. If
+ the empty string is assigned to this option, the list of hardware addresses defined prior
+ to this is reset. Defaults to unset.</para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>[MACVTAP] Section Options</title>
- <para>The <literal>[MACVTAP]</literal> section applies for
+ <para>The [MACVTAP] section applies for
netdevs of kind <literal>macvtap</literal> and accepts the
- same key as <literal>[MACVLAN]</literal>.</para>
+ same key as [MACVLAN].</para>
</refsect1>
<refsect1>
<title>[IPVLAN] Section Options</title>
- <para>The <literal>[IPVLAN]</literal> section only applies for
+ <para>The [IPVLAN] section only applies for
netdevs of kind <literal>ipvlan</literal>, and accepts the
following key:</para>
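Review bot: with SourceMACAddress= added, the unchanged [MACVLAN] intro "accepts the following key:" and the [MACVTAP] sentence "same key as [MACVLAN]" are out of date; both should say "keys". In the SourceMACAddress= text, "Use full colon-, hyphen- or dot-delimited hexadecimal" would be clearer with one example address per form. Because the option "only has an effect in source mode", please also say whether setting it under another Mode= is silently ignored or logged.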
<refsect1>
<title>[IPVTAP] Section Options</title>
- <para>The <literal>[IPVTAP]</literal> section only applies for
+ <para>The [IPVTAP] section only applies for
netdevs of kind <literal>ipvtap</literal> and accepts the
- same key as <literal>[IPVLAN]</literal>.</para>
+ same key as [IPVLAN].</para>
</refsect1>
<refsect1>
<title>[VXLAN] Section Options</title>
- <para>The <literal>[VXLAN]</literal> section only applies for
+ <para>The [VXLAN] section only applies for
netdevs of kind <literal>vxlan</literal>, and accepts the
following keys:</para>
<refsect1>
<title>[GENEVE] Section Options</title>
- <para>The <literal>[GENEVE]</literal> section only applies for
+ <para>The [GENEVE] section only applies for
netdevs of kind <literal>geneve</literal>, and accepts the
following keys:</para>
<varlistentry>
<term><varname>TTL=</varname></term>
<listitem>
- <para>Accepts the same values as in the <literal>[VXLAN]</literal> section, except that when unset
+ <para>Accepts the same values as in the [VXLAN] section, except that when unset
or set to 0, the kernel's default will be used, meaning that packet TTL will be set from
<filename>/proc/sys/net/ipv4/ip_default_ttl</filename>.</para>
</listitem>
<varlistentry>
<term><varname>IPDoNotFragment=</varname></term>
<listitem>
- <para>Accepts the same key in <literal>[VXLAN]</literal> section.</para>
+ <para>Accepts the same key in [VXLAN] section.</para>
</listitem>
</varlistentry>
</variablelist>
<refsect1>
<title>[L2TP] Section Options</title>
- <para>The <literal>[L2TP]</literal> section only applies for
+ <para>The [L2TP] section only applies for
netdevs of kind <literal>l2tp</literal>, and accepts the
following keys:</para>
<refsect1>
<title>[L2TPSession] Section Options</title>
- <para>The <literal>[L2TPSession]</literal> section only applies for
+ <para>The [L2TPSession] section only applies for
netdevs of kind <literal>l2tp</literal>, and accepts the
following keys:</para>
<variablelist class='network-directives'>
<refsect1>
<title>[MACsec] Section Options</title>
- <para>The <literal>[MACsec]</literal> section only applies for network devices of kind
+ <para>The [MACsec] section only applies for network devices of kind
<literal>macsec</literal>, and accepts the following keys:</para>
<variablelist class='network-directives'>
<refsect1>
<title>[MACsecReceiveChannel] Section Options</title>
- <para>The <literal>[MACsecReceiveChannel]</literal> section only applies for network devices of
+ <para>The [MACsecReceiveChannel] section only applies for network devices of
kind <literal>macsec</literal>, and accepts the following keys:</para>
<variablelist class='network-directives'>
<refsect1>
<title>[MACsecTransmitAssociation] Section Options</title>
- <para>The <literal>[MACsecTransmitAssociation]</literal> section only applies for network devices
+ <para>The [MACsecTransmitAssociation] section only applies for network devices
of kind <literal>macsec</literal>, and accepts the following keys:</para>
<variablelist class='network-directives'>
<varlistentry>
<term><varname>KeyFile=</varname></term>
<listitem>
- <para>Takes a absolute path to a file which contains a 128-bit key encoded in a hexadecimal
- string, which will be used in the transmission channel. When this option is specified,
+ <para>Takes a absolute path to a file which contains a 128-bit key encoded in a hexadecimal string,
+ which will be used in the transmission channel. When this option is specified,
<varname>Key=</varname> is ignored. Note that the file must be readable by the user
<literal>systemd-network</literal>, so it should be, e.g., owned by
- <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode.</para>
+ <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode. If the path
+ refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is made to
+ it and the key read from it.</para>
</listitem>
</varlistentry>
<varlistentry>
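Review bot: the re-wrapped first line of the KeyFile= paragraph still reads "Takes a absolute path"; since the line is being touched anyway, change it to "an absolute path". The added AF_UNIX sentence needs a comma after "in the file system", and it should state that the data read from the socket is the same hexadecimal-encoded 128-bit key that is expected from a regular file.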
<term><varname>UseForEncoding=</varname></term>
<listitem>
<para>Takes a boolean. If enabled, then the security association is used for encoding. Only
- one <literal>[MACsecTransmitAssociation]</literal> section can enable this option. When enabled,
+ one [MACsecTransmitAssociation] section can enable this option. When enabled,
<varname>Activate=yes</varname> is implied. Defaults to unset.</para>
</listitem>
</varlistentry>
<refsect1>
<title>[MACsecReceiveAssociation] Section Options</title>
- <para>The <literal>[MACsecReceiveAssociation]</literal> section only applies for
+ <para>The [MACsecReceiveAssociation] section only applies for
network devices of kind <literal>macsec</literal>, and accepts the
following keys:</para>
<varlistentry>
<term><varname>Port=</varname></term>
<listitem>
- <para>Accepts the same key in <literal>[MACsecReceiveChannel]</literal> section.</para>
+ <para>Accepts the same key in [MACsecReceiveChannel] section.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>MACAddress=</varname></term>
<listitem>
- <para>Accepts the same key in <literal>[MACsecReceiveChannel]</literal> section.</para>
+ <para>Accepts the same key in [MACsecReceiveChannel] section.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>PacketNumber=</varname></term>
<listitem>
- <para>Accepts the same key in <literal>[MACsecTransmitAssociation]</literal> section.</para>
+ <para>Accepts the same key in [MACsecTransmitAssociation] section.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>KeyId=</varname></term>
<listitem>
- <para>Accepts the same key in <literal>[MACsecTransmitAssociation]</literal> section.</para>
+ <para>Accepts the same key in [MACsecTransmitAssociation] section.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>Key=</varname></term>
<listitem>
- <para>Accepts the same key in <literal>[MACsecTransmitAssociation]</literal> section.</para>
+ <para>Accepts the same key in [MACsecTransmitAssociation] section.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>KeyFile=</varname></term>
<listitem>
- <para>Accepts the same key in <literal>[MACsecTransmitAssociation]</literal> section.</para>
+ <para>Accepts the same key in [MACsecTransmitAssociation] section.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>Activate=</varname></term>
<listitem>
- <para>Accepts the same key in <literal>[MACsecTransmitAssociation]</literal> section.</para>
+ <para>Accepts the same key in [MACsecTransmitAssociation] section.</para>
</listitem>
</varlistentry>
</variablelist>
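Review bot: all seven [MACsecReceiveAssociation] entries keep the wording "Accepts the same key in [...] section", which has no article and does not say what the option takes. Since every one of these lines is rewritten here, consider "Accepts the same values as the key of the same name in the [MACsecReceiveChannel] section" (and likewise for [MACsecTransmitAssociation]). For KeyFile=, the reference now also pulls in the new AF_UNIX socket behaviour, which is worth a mention.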
<refsect1>
<title>[Tunnel] Section Options</title>
- <para>The <literal>[Tunnel]</literal> section only applies for
+ <para>The [Tunnel] section only applies for
netdevs of kind
<literal>ipip</literal>,
<literal>sit</literal>,
<varlistentry>
<term><varname>Encapsulation=</varname></term>
<listitem>
- <para>Accepts the same key as in the <literal>[FooOverUDP]</literal> section.</para>
+ <para>Accepts the same key as in the [FooOverUDP] section.</para>
</listitem>
</varlistentry>
<varlistentry>
<refsect1>
<title>[FooOverUDP] Section Options</title>
- <para>The <literal>[FooOverUDP]</literal> section only applies for
+ <para>The [FooOverUDP] section only applies for
netdevs of kind <literal>fou</literal> and accepts the
following keys:</para>
<refsect1>
<title>[Peer] Section Options</title>
- <para>The <literal>[Peer]</literal> section only applies for
+ <para>The [Peer] section only applies for
netdevs of kind <literal>veth</literal> and accepts the
following keys:</para>
<refsect1>
<title>[VXCAN] Section Options</title>
- <para>The <literal>[VXCAN]</literal> section only applies for
+ <para>The [VXCAN] section only applies for
netdevs of kind <literal>vxcan</literal> and accepts the
following key:</para>
<refsect1>
<title>[Tun] Section Options</title>
- <para>The <literal>[Tun]</literal> section only applies for
+ <para>The [Tun] section only applies for
netdevs of kind <literal>tun</literal>, and accepts the following
keys:</para>
<refsect1>
<title>[Tap] Section Options</title>
- <para>The <literal>[Tap]</literal> section only applies for
+ <para>The [Tap] section only applies for
netdevs of kind <literal>tap</literal>, and accepts the same keys
- as the <literal>[Tun]</literal> section.</para>
+ as the [Tun] section.</para>
</refsect1>
<refsect1>
<title>[WireGuard] Section Options</title>
- <para>The <literal>[WireGuard]</literal> section accepts the following
+ <para>The [WireGuard] section accepts the following
keys:</para>
<variablelist class='network-directives'>
<varlistentry>
<term><varname>PrivateKeyFile=</varname></term>
<listitem>
- <para>Takes an absolute path to a file which contains the Base64 encoded private key for the interface.
- When this option is specified, then <varname>PrivateKey=</varname> is ignored.
- Note that the file must be readable by the user <literal>systemd-network</literal>, so it
- should be, e.g., owned by <literal>root:systemd-network</literal> with a
- <literal>0640</literal> file mode.</para>
+ <para>Takes an absolute path to a file which contains the Base64 encoded private key for the
+ interface. When this option is specified, then <varname>PrivateKey=</varname> is ignored. Note
+ that the file must be readable by the user <literal>systemd-network</literal>, so it should be,
+ e.g., owned by <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode. If
+ the path refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is
+ made to it and the key read from it.</para>
</listitem>
</varlistentry>
<varlistentry>
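Review bot: in the PrivateKeyFile= paragraph, the ownership advice (root:systemd-network, mode 0640) is written for a regular file, and the added AF_UNIX sentence does not say what access the socket needs. Please state that the systemd-network user must be able to connect to the socket, and recommend restricting the socket path in the same way, since it hands out the interface's private key. The sentence also needs a comma after "in the file system".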
<refsect1>
<title>[WireGuardPeer] Section Options</title>
- <para>The <literal>[WireGuardPeer]</literal> section accepts the following
+ <para>The [WireGuardPeer] section accepts the following
keys:</para>
<variablelist class='network-directives'>
<term><varname>PresharedKeyFile=</varname></term>
<listitem>
<para>Takes an absolute path to a file which contains the Base64 encoded preshared key for the
- peer. When this option is specified, then <varname>PresharedKey=</varname> is ignored.
- Note that the file must be readable by the user <literal>systemd-network</literal>, so it
- should be, e.g., owned by <literal>root:systemd-network</literal> with a
- <literal>0640</literal> file mode.</para>
+ peer. When this option is specified, then <varname>PresharedKey=</varname> is ignored. Note that
+ the file must be readable by the user <literal>systemd-network</literal>, so it should be, e.g.,
+ owned by <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode. If the
+ path refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is
+ made to it and the key read from it.</para>
</listitem>
</varlistentry>
<varlistentry>
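Review bot: "When this option is specified, then PresharedKey= is ignored" now also covers the socket case, but the added sentence does not say what happens when the connection fails or nothing is read. Please document whether PresharedKey= is then used as a fallback or the peer is set up without a preshared key, and state that the socket is expected to deliver the same Base64 encoding as the file.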
<refsect1>
<title>[Bond] Section Options</title>
- <para>The <literal>[Bond]</literal> section accepts the following
+ <para>The [Bond] section accepts the following
key:</para>
<variablelist class='network-directives'>
<refsect1>
<title>[Xfrm] Section Options</title>
- <para>The <literal>[Xfrm]</literal> section accepts the following
+ <para>The [Xfrm] section accepts the following
keys:</para>
<variablelist class='network-directives'>
<refsect1>
<title>[VRF] Section Options</title>
- <para>The <literal>[VRF]</literal> section only applies for
+ <para>The [VRF] section only applies for
netdevs of kind <literal>vrf</literal> and accepts the
following key:</para>