"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!--
+ SPDX-License-Identifier: LGPL-2.1+
+
This file is part of systemd.
Copyright 2013 Tom Gundersen
<listitem>
<para>A whitespace-separated list of shell-style globs
matching the persistent path, as exposed by the udev
- property <literal>ID_PATH</literal>.</para>
+ property <literal>ID_PATH</literal>. If the list is
+ prefixed with a "!", the test is inverted; i.e. it is
+ true when <literal>ID_PATH</literal> does not match any
+ item in the list.</para>
</listitem>
</varlistentry>
<varlistentry>
exposed by the udev property <literal>DRIVER</literal>
of its parent device, or if that is not set the driver
as exposed by <literal>ethtool -i</literal> of the
- device itself.</para>
+ device itself. If the list is prefixed with a "!", the
+ test is inverted.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>A whitespace-separated list of shell-style globs
matching the device type, as exposed by the udev property
- <literal>DEVTYPE</literal>.</para>
+ <literal>DEVTYPE</literal>. If the list is prefixed with
+ a "!", the test is inverted.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>A whitespace-separated list of shell-style globs
matching the device name, as exposed by the udev property
- <literal>INTERFACE</literal>.</para>
+ <literal>INTERFACE</literal>. If the list is prefixed
+ with a "!", the test is inverted.</para>
</listitem>
</varlistentry>
<varlistentry>
the network otherwise.</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>Unmanaged=</varname></term>
+ <listitem>
+ <para>A boolean. When <literal>yes</literal>, no attempts are
+ made to bring up or configure matching links, equivalent to
+ when there are no matching network files. Defaults to
+ <literal>no</literal>.</para>
+ <para>This is useful for preventing later matching network
+ files from interfering with certain interfaces that are fully
+ controlled by other applications.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>RequiredForOnline=</varname></term>
+ <listitem>
+ <para>A boolean. When <literal>yes</literal>, the network is deemed
+ required when determining whether the system is online when running
+ <literal>systemd-networkd-wait-online</literal>.
+ When <literal>no</literal>, the network is ignored when checking for
+ online state. Defaults to <literal>yes</literal>.</para>
+ <para>The network will be brought up normally in all cases, but in
+ the event that there is no address being assigned by DHCP or the
+ cable is not plugged in, the link will simply remain offline and be
+ skipped automatically by <literal>systemd-networkd-wait-online</literal>
+ if <literal>RequiredForOnline=true</literal>.</para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
<listitem>
<para>Enables DHCPv4 and/or DHCPv6 client support. Accepts
<literal>yes</literal>, <literal>no</literal>,
- <literal>ipv4</literal>, or <literal>ipv6</literal>.</para>
+ <literal>ipv4</literal>, or <literal>ipv6</literal>. Defaults
+ to <literal>no</literal>.</para>
<para>Note that DHCPv6 will by default be triggered by Router
Advertisement, if that is enabled, regardless of this parameter.
DNS validation support on the link. When set to
<literal>allow-downgrade</literal>, compatibility with
non-DNSSEC capable networks is increased, by automatically
- turning off DNSEC in this case. This option defines a
+ turning off DNSSEC in this case. This option defines a
per-interface setting for
<citerefentry><refentrytitle>resolved.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>'s
global <varname>DNSSEC=</varname> option. Defaults to
<varlistentry>
<term><varname>Domains=</varname></term>
<listitem>
- <para>The domains used for DNS host name resolution on this link. Takes a list of DNS domain names which
- are used as search suffixes for extending single-label host names (host names containing no dots) to become
- fully qualified domain names (FQDNs). If a single-label host name is resolved on this interface, each of
- the specified search domains are appended to it in turn, converting it into a fully qualified domain name,
- until one of them may be successfully resolved.</para>
-
- <para>The specified domains are also used for routing of DNS queries: look-ups for host names ending in the
- domains specified here are preferably routed to the DNS servers configured for this interface. If a domain
- name is prefixed with <literal>~</literal>, the domain name becomes a pure "routing" domain, the DNS server
- is used for the given domain names only and is not used in the described domain search logic. By specifying a
- routing domain of <literal>~.</literal> (the tilde indicating definition of a routing domain, the dot
- referring to the DNS root domain which is the implied suffix of all valid DNS names) it is possible to
- route all DNS traffic preferably to the DNS server specified for this interface. The route domain logic is
- particularly useful on multi-homed hosts with DNS servers serving particular private DNS zones on each
- interface.</para>
+ <para>A list of domains which should be resolved using the DNS servers on this link. Each item in the list
+ should be a domain name, optionally prefixed with a tilde (<literal>~</literal>). The domains with the
+ prefix are called "routing-only domains". The domains without the prefix are called "search domains" and
+ are first used as search suffixes for extending single-label host names (host names containing no dots) to
+ become fully qualified domain names (FQDNs). If a single-label host name is resolved on this interface,
+ each of the specified search domains are appended to it in turn, converting it into a fully qualified
+ domain name, until one of them may be successfully resolved.</para>
+
+ <para>Both "search" and "routing-only" domains are used for routing of DNS queries: look-ups for host names
+ ending in those domains (hence also single label names, if any "search domains" are listed), are routed to
+ the DNS servers configured for this interface. The domain routing logic is particularly useful on
+ multi-homed hosts with DNS servers serving particular private DNS zones on each interface.</para>
+
+ <para>The "routing-only" domain <literal>~.</literal> (the tilde indicating definition of a routing domain,
+ the dot referring to the DNS root domain which is the implied suffix of all valid DNS names) has special
+ effect. It causes all DNS traffic which does not match another configured domain routing entry to be routed
+ to DNS servers specified for this interface. This setting is useful to prefer a certain set of DNS servers
+ if a link on which they are connected is available.</para>
<para>This setting is read by
- <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
+ <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
+ "Search domains" correspond to the <varname>domain</varname> and <varname>search</varname> entries in
+ <citerefentry project='man-pages'><refentrytitle>resolv.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ Domain name routing has no equivalent in the traditional glibc API, which has no concept of domain
+ name servers limited to a specific link.</para>
</listitem>
</varlistentry>
<varlistentry>
</para></listitem>
</varlistentry>
<varlistentry>
- <term><varname>ProxyARP=</varname></term>
- <listitem><para>A boolean. Configures proxy ARP. Proxy ARP is the technique in which one host,
+ <term><varname>IPv4ProxyARP=</varname></term>
+ <listitem><para>A boolean. Configures proxy ARP for IPv4. Proxy ARP is the technique in which one host,
usually a router, answers ARP requests intended for another machine. By "faking" its identity,
the router accepts responsibility for routing packets to the "real" destination. (see <ulink
url="https://tools.ietf.org/html/rfc1027">RFC 1027</ulink>.
Defaults to unset.
</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>IPv6ProxyNDP=</varname></term>
+ <listitem><para>A boolean. Configures proxy NDP for IPv6. Proxy NDP (Neighbor Discovery
+ Protocol) is a technique for IPv6 to allow routing of addresses to a different
+ destination when peers expect them to be present on a certain physical link.
+ In this case a router answers Neighbour Advertisement messages intended for
+ another machine by offering its own MAC address as destination.
+ Unlike proxy ARP for IPv4, it is not enabled globally, but will only send Neighbour
+ Advertisement messages for addresses in the IPv6 neighbor proxy table,
+ which can also be shown by <command>ip -6 neighbour show proxy</command>.
+ systemd-networkd will control the per-interface `proxy_ndp` switch for each configured
+ interface depending on this option.
+ Defautls to unset.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>IPv6ProxyNDPAddress=</varname></term>
+ <listitem><para>An IPv6 address, for which Neighbour Advertisement messages will be
+ proxied. This option may be specified more than once. systemd-networkd will add the
+ <option>IPv6ProxyNDPAddress=</option> entries to the kernel's IPv6 neighbor proxy table.
+ This option implies <option>IPv6ProxyNDP=true</option> but has no effect if
+ <option>IPv6ProxyNDP</option> has been set to false. Defaults to unset.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>IPv6PrefixDelegation=</varname></term>
+ <listitem><para>Whether to enable or disable Router Advertisement sending on a link.
+ Defaults to <literal>false</literal>. See the <literal>[IPv6PrefixDelegation]</literal>
+ and the <literal>[IPv6Prefix]</literal> sections for configuration options.
+ </para></listitem>
+ </varlistentry>
<varlistentry>
<term><varname>Bridge=</varname></term>
<listitem>
- <para>The name of the bridge to add the link to.</para>
+ <para>The name of the bridge to add the link to. See
+ <citerefentry><refentrytitle>systemd.netdev</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ </para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>Bond=</varname></term>
<listitem>
- <para>The name of the bond to add the link to.</para>
+ <para>The name of the bond to add the link to. See
+ <citerefentry><refentrytitle>systemd.netdev</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ </para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>VRF=</varname></term>
<listitem>
- <para>The name of the VRF to add the link to.</para>
+ <para>The name of the VRF to add the link to. See
+ <citerefentry><refentrytitle>systemd.netdev</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ </para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>VLAN=</varname></term>
<listitem>
- <para>The name of a VLAN to create on the link. This
- option may be specified more than once.</para>
+ <para>The name of a VLAN to create on the link. See
+ <citerefentry><refentrytitle>systemd.netdev</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ This option may be specified more than once.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>MACVLAN=</varname></term>
<listitem>
- <para>The name of a MACVLAN to create on the link. This
- option may be specified more than once.</para>
+ <para>The name of a MACVLAN to create on the link. See
+ <citerefentry><refentrytitle>systemd.netdev</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ This option may be specified more than once.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>VXLAN=</varname></term>
<listitem>
- <para>The name of a VXLAN to create on the link. This
- option may be specified more than once.</para>
+ <para>The name of a VXLAN to create on the link. See
+ <citerefentry><refentrytitle>systemd.netdev</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ This option may be specified more than once.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>Tunnel=</varname></term>
<listitem>
- <para>The name of a Tunnel to create on the link. This
- option may be specified more than once.</para>
+ <para>The name of a Tunnel to create on the link. See
+ <citerefentry><refentrytitle>systemd.netdev</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ This option may be specified more than once.</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>ActiveSlave=</varname></term>
+ <listitem>
+ <para>A boolean. Specifies the new active slave. The <literal>ActiveSlave=</literal>
+ option is only valid for following modes:
+ <literal>active-backup</literal>,
+ <literal>balance-alb</literal> and
+ <literal>balance-tlb</literal>. Defaults to false.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>PrimarySlave=</varname></term>
+ <listitem>
+ <para>A boolean. Specifies which slave is the primary device. The specified
+ device will always be the active slave while it is available. Only when the
+ primary is off-line will alternate devices be used. This is useful when
+ one slave is preferred over another, e.g. when one slave has higher throughput
+ than another. The <literal>PrimarySlave=</literal> option is only valid for
+ following modes:
+ <literal>active-backup</literal>,
+ <literal>balance-alb</literal> and
+ <literal>balance-tlb</literal>. Defaults to false.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>ConfigureWithoutCarrier=</varname></term>
+ <listitem>
+ <para>A boolean. Allows networkd to configure a specific link even if it has no carrier.
+ Defaults to false.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
which is then configured to use them explicitly.</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>Scope=</varname></term>
+ <listitem>
+ <para>The scope of the address, which can be <literal>global</literal>,
+ <literal>link</literal> or <literal>host</literal> or an unsigned integer ranges 0 to 255.
+ Defaults to <literal>global</literal>.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>HomeAddress=</varname></term>
+ <listitem>
+ <para>Takes a boolean argument. Designates this address the "home address" as defined in
+ <ulink url="https://tools.ietf.org/html/rfc6275">RFC 6275</ulink>.
+ Supported only on IPv6. Defaults to false.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>DuplicateAddressDetection=</varname></term>
+ <listitem>
+ <para>Takes a boolean argument. Do not perform Duplicate Address Detection
+ <ulink url="https://tools.ietf.org/html/rfc4862">RFC 4862</ulink> when adding this address.
+ Supported only on IPv6. Defaults to false.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>ManageTemporaryAddress=</varname></term>
+ <listitem>
+ <para>Takes a boolean argument. If true the kernel manage temporary addresses created
+ from this one as template on behalf of Privacy Extensions
+ <ulink url="https://tools.ietf.org/html/rfc3041">RFC 3041</ulink>. For this to become
+ active, the use_tempaddr sysctl setting has to be set to a value greater than zero.
+ The given address needs to have a prefix length of 64. This flag allows to use privacy
+ extensions in a manually configured network, just like if stateless auto-configuration
+ was active. Defaults to false. </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>PrefixRoute=</varname></term>
+ <listitem>
+ <para>Takes a boolean argument. When adding or modifying an IPv6 address, the userspace
+ application needs a way to suppress adding a prefix route. This is for example relevant
+ together with IFA_F_MANAGERTEMPADDR, where userspace creates autoconf generated addresses,
+ but depending on on-link, no route for the prefix should be added. Defaults to false.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>AutoJoin=</varname></term>
+ <listitem>
+ <para>Takes a boolean argument. Joining multicast group on ethernet level via
+ <command>ip maddr</command> command would not work if we have an Ethernet switch that does
+ IGMP snooping since the switch would not replicate multicast packets on ports that did not
+ have IGMP reports for the multicast addresses. Linux vxlan interfaces created via
+ <command>ip link add vxlan</command> or networkd's netdev kind vxlan have the group option
+ that enables then to do the required join. By extending ip address command with option
+ <literal>autojoin</literal> we can get similar functionality for openvswitch (OVS) vxlan
+ interfaces as well as other tunneling mechanisms that need to receive multicast traffic.
+ Defaults to <literal>no</literal>.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>[IPv6AddressLabel] Section Options</title>
+
+ <para>An <literal>[IPv6AddressLabel]</literal> section accepts the
+ following keys. Specify several <literal>[IPv6AddressLabel]</literal>
+ sections to configure several address labels. IPv6 address labels are
+ used for address selection. See <ulink url="https://tools.ietf.org/html/rfc3484">RFC 3484</ulink>.
+ Precedence is managed by userspace, and only the label itself is stored in the kernel</para>
+
+ <variablelist class='network-directives'>
+ <varlistentry>
+ <term><varname>Label=</varname></term>
+ <listitem>
+ <para> The label for the prefix (an unsigned integer) ranges 0 to 4294967294.
+ 0xffffffff is reserved. This key is mandatory.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>Prefix=</varname></term>
+ <listitem>
+ <para>IPv6 prefix is an address with a prefix length, separated by a slash <literal>/</literal> character.
+ This key is mandatory. </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>[RoutingPolicyRule] Section Options</title>
+
+ <para>An <literal>[RoutingPolicyRule]</literal> section accepts the
+ following keys. Specify several <literal>[RoutingPolicyRule]</literal>
+ sections to configure several rules.</para>
+
+ <variablelist class='network-directives'>
+ <varlistentry>
+ <term><varname>TypeOfService=</varname></term>
+ <listitem>
+ <para>Specifies the type of service to match a number between 0 to 255.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>From=</varname></term>
+ <listitem>
+ <para>Specifies the source address prefix to match. Possibly followed by a slash and the prefix length.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>To=</varname></term>
+ <listitem>
+ <para>Specifies the destination address prefix to match. Possibly followed by a slash and the prefix length.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>FirewallMark=</varname></term>
+ <listitem>
+ <para>Specifies the iptables firewall mark value to match (a number between 1 and 4294967295).</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>Table=</varname></term>
+ <listitem>
+ <para>Specifies the routing table identifier to lookup if the rule
+ selector matches. The table identifier for a route (a number between 1 and 4294967295).</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>Priority=</varname></term>
+ <listitem>
+ <para>Specifies the priority of this rule. <varname>Priority=</varname> is an unsigned
+ integer. Higher number means lower priority, and rules get processed in order of increasing number.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>IncomingInterface=</varname></term>
+ <listitem>
+ <para>Specifies incoming device to match. If the interface is loopback, the rule only matches packets originating from this host.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>OutgoingInterface=</varname></term>
+ <listitem>
+ <para>Specifies the outgoing device to match. The outgoing interface is only available for packets originating from local sockets that are bound to a device.</para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
<para>As in the <literal>[Network]</literal> section.</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>GatewayOnlink=</varname></term>
+ <listitem>
+ <para>The <literal>GatewayOnlink</literal> option tells the kernel that it does not have
+ to check if the gateway is reachable directly by the current machine (i.e., the kernel does
+ not need to check if the gateway is attached to the local network), so that we can insert the
+ route in the kernel table without it being complained about. A boolean, defaults to <literal>no</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><varname>Destination=</varname></term>
<listitem>
<para>The metric of the route (an unsigned integer).</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>IPv6Preference=</varname></term>
+ <listitem>
+ <para>Specifies the route preference as defined in <ulink
+ url="https://tools.ietf.org/html/rfc4191">RFC4191</ulink> for Router Discovery messages.
+ Which can be one of <literal>low</literal> the route has a lowest priority,
+ <literal>medium</literal> the route has a default priority or
+ <literal>high</literal> the route has a highest priority.</para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><varname>Scope=</varname></term>
<listitem>
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>Protocol=</varname></term>
+ <listitem>
+ <para>The Protocol identifier for the route. Takes a number between 0 and 255 or the special values
+ <literal>kernel</literal>, <literal>boot</literal> and <literal>static</literal>. Defaults to
+ <literal>static</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>Type=</varname></term>
+ <listitem>
+ <para>The Type identifier for special route types, which can be
+ <literal>unicast</literal> route to a destination network address which describes the path to the destination,
+ <literal>blackhole</literal> packets are discarded silently,
+ <literal>unreachable</literal> packets are discarded and the ICMP message host unreachable is generated,
+ <literal>prohibit</literal> packets are discarded and the ICMP message communication administratively
+ prohibited is generated. Defaults to <literal>unicast</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</refsect1>
Defaults to false.</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>Anonymize=</varname></term>
+ <listitem>
+ <para>Takes a boolean argument. When true, the options sent to the DHCP server will
+ follow the <ulink url="https://tools.ietf.org/html/rfc7844">RFC 7844</ulink>
+ (Anonymity Profiles for DHCP Clients) to minimize disclosure of identifying information.
+ Defaults to false.</para>
+
+ <para>This option should only be set to true when
+ <varname>MACAddressPolicy=</varname> is set to <literal>random</literal>
+ (see <citerefentry
+ project='man-pages'><refentrytitle>systemd.link</refentrytitle><manvolnum>5</manvolnum></citerefentry>).</para>
+
+ <para>Note that this configuration will overwrite others.
+ In concrete, the following variables will be ignored:
+ <varname>SendHostname=</varname>, <varname>ClientIdentifier=</varname>,
+ <varname>UseRoutes=</varname>, <varname>SendHostname=</varname>,
+ <varname>UseMTU=</varname>, <varname>VendorClassIdentifier=</varname>,
+ <varname>UseTimezone=</varname>.</para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><varname>SendHostname=</varname></term>
<listitem>
<varlistentry>
<term><varname>UseRoutes=</varname></term>
<listitem>
- <para>When true (the default), the static routes will be
- requested from the DHCP server and added to the routing
- table with a metric of 1024.</para>
+ <para>When true (the default), the static routes will be requested from the DHCP server and added to the
+ routing table with a metric of 1024, and a scope of "global", "link" or "host", depending on the route's
+ destination and gateway. If the destination is on the local host, e.g., 127.x.x.x, or the same as the
+ link's own address, the scope will be set to "host". Otherwise if the gateway is null (a direct route), a
+ "link" scope will be used. For anything else, scope defaults to "global".</para>
</listitem>
</varlistentry>
<para>The table identifier for DHCP routes (a number between 1 and 4294967295, or 0 to unset).
The table can be retrieved using <command>ip route show table <replaceable>num</replaceable></command>.
</para>
+ <para>When used in combination with <varname>VRF=</varname> the
+ VRF's routing table is used unless this parameter is specified.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>ListenPort=</varname></term>
+ <listitem>
+ <para>Allow setting custom port for the DHCP client to listen on.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
+ <title>[IPv6PrefixDelegation] Section Options</title>
+ <para>The <literal>[IPv6PrefixDelegation]</literal> section contains
+ settings for sending IPv6 Router Advertisements and whether to act as
+ a router, if enabled via the <varname>IPv6PrefixDelegation=</varname>
+ option described above. IPv6 network prefixes are defined with one or
+ more <literal>[IPv6Prefix]</literal> sections.</para>
+
+ <variablelist class='network-directives'>
+
+ <varlistentry>
+ <term><varname>Managed=</varname></term>
+ <term><varname>OtherInformation=</varname></term>
+
+ <listitem><para>Controls whether a DHCPv6 server is used to acquire IPv6
+ addresses on the network link when <varname>Managed=</varname> boolean
+ is set to <literal>true</literal> or if only additional network
+ information can be obtained via DHCPv6 for the network link when
+ <varname>OtherInformation=</varname> boolean is set to
+ <literal>true</literal>. Both settings default to
+ <literal>false</literal>, which means that a DHCPv6 server is not being
+ used.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>RouterLifetimeSec=</varname></term>
+
+ <listitem><para>Configures the IPv6 router lifetime in seconds. If set,
+ this host also announces itself in Router Advertisements as an IPv6
+ router for the network link. Defaults to unset, which means the host is
+ not acting as a router.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>RouterPreference=</varname></term>
+
+ <listitem><para>Configures IPv6 router preference if
+ <varname>RouterLifetimeSec=</varname> is non-zero. Valid values are
+ <literal>high</literal>, <literal>medium</literal> and
+ <literal>low</literal>, with <literal>normal</literal> and
+ <literal>default</literal> added as synonyms for
+ <literal>medium</literal> just to make configuration easier. See
+ <ulink url="https://tools.ietf.org/html/rfc4191">RFC 4191</ulink>
+ for details. Defaults to <literal>medium</literal>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>EmitDNS=</varname></term>
+ <term><varname>DNS=</varname></term>
+
+ <listitem><para><varname>DNS=</varname> specifies a list of recursive
+ DNS server IPv6 addresses that distributed via Router Advertisement
+ messages when <varname>EmitDNS=</varname> is true. If <varname>DNS=
+ </varname> is empty, DNS servers are read from the
+ <literal>[Network]</literal> section. If the
+ <literal>[Network]</literal> section does not contain any DNS servers
+ either, DNS servers from the uplink with the highest priority default
+ route are used. When <varname>EmitDNS=</varname> is false, no DNS server
+ information is sent in Router Advertisement messages.
+ <varname>EmitDNS=</varname> defaults to true.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>EmitDomains=</varname></term>
+ <term><varname>Domains=</varname></term>
+
+ <listitem><para>A list of DNS search domains distributed via Router
+ Advertisement messages when <varname>EmitDomains=</varname> is true. If
+ <varname>Domains=</varname> is empty, DNS search domains are read from the
+ <literal>[Network]</literal> section. If the <literal>[Network]</literal>
+ section does not contain any DNS search domains either, DNS search
+ domains from the uplink with the highest priority default route are
+ used. When <varname>EmitDomains=</varname> is false, no DNS search domain
+ information is sent in Router Advertisement messages.
+ <varname>EmitDomains=</varname> defaults to true.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>DNSLifetimeSec=</varname></term>
+
+ <listitem><para>Lifetime in seconds for the DNS server addresses listed
+ in <varname>DNS=</varname> and search domains listed in
+ <varname>Domains=</varname>.</para></listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>[IPv6Prefix] Section Options</title>
+ <para>One or more <literal>[IPv6Prefix]</literal> sections contain the IPv6
+ prefixes that are announced via Router Advertisements. See
+ <ulink url="https://tools.ietf.org/html/rfc4861">RFC 4861</ulink>
+ for further details.</para>
+
+ <variablelist class='network-directives'>
+
+ <varlistentry>
+ <term><varname>AddressAutoconfiguration=</varname></term>
+ <term><varname>OnLink=</varname></term>
+
+ <listitem><para>Boolean values to specify whether IPv6 addresses can be
+ autoconfigured with this prefix and whether the prefix can be used for
+ onlink determination. Both settings default to <literal>true</literal>
+ in order to ease configuration.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>Prefix=</varname></term>
+
+ <listitem><para>The IPv6 prefix that is to be distributed to hosts.
+ Similarly to configuring static IPv6 addresses, the setting is
+ configured as an IPv6 prefix and its prefix length, separated by a
+ <literal>/</literal> character. Use multiple
+ <literal>[IPv6Prefix]</literal> sections to configure multiple IPv6
+ prefixes since prefix lifetimes, address autoconfiguration and onlink
+ status may differ from one prefix to another.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>PreferredLifetimeSec=</varname></term>
+ <term><varname>ValidLifetimeSec=</varname></term>
+
+ <listitem><para>Preferred and valid lifetimes for the prefix measured in
+ seconds. <varname>PreferredLifetimeSec=</varname> defaults to 604800
+ seconds (one week) and <varname>ValidLifetimeSec=</varname> defaults
+ to 2592000 seconds (30 days).</para></listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
<title>[Bridge] Section Options</title>
<para>The <literal>[Bridge]</literal> section accepts the
following keys.</para>
<para>Sets the "cost" of sending packets of this interface.
Each port in a bridge may have a different speed and the cost
is used to decide which link to use. Faster interfaces
- should have lower costs.</para>
+ should have lower costs. It is an integer value between 1 and
+ 65535.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>Priority=</varname></term>
+ <listitem>
+ <para>Sets the "priority" of sending packets on this interface.
+ Each port in a bridge may have a different priority which is used
+ to decide which link to use. Lower value means higher priority.
+ It is an integer value between 0 to 63. Networkd does not set any
+ default, meaning the kernel default value of 32 is used.</para>
</listitem>
</varlistentry>
</variablelist>
<term><varname>VLANId=</varname></term>
<listitem>
<para>The VLAN ID for the new static MAC table entry. If
- omitted, no VLAN ID info is appended to the new static MAC
+ omitted, no VLAN ID information is appended to the new static MAC
table entry.</para>
</listitem>
</varlistentry>
</refsect1>
<refsect1>
- <title>Example</title>
+ <title>Examples</title>
<example>
- <title>/etc/systemd/network/50-static.network</title>
+ <title>Static network configuration</title>
- <programlisting>[Match]
+ <programlisting># /etc/systemd/network/50-static.network
+[Match]
Name=enp2s0
[Network]
Address=192.168.0.15/24
Gateway=192.168.0.1</programlisting>
+
+ <para>This brings interface <literal>enp2s0</literal> up with a static address. The
+ specified gateway will be used for a default route.</para>
</example>
<example>
- <title>/etc/systemd/network/80-dhcp.network</title>
+ <title>DHCP on ethernet links</title>
- <programlisting>[Match]
+ <programlisting># /etc/systemd/network/80-dhcp.network
+[Match]
Name=en*
[Network]
DHCP=yes</programlisting>
+
+ <para>This will enable DHCPv4 and DHCPv6 on all interfaces with names starting with
+ <literal>en</literal> (i.e. ethernet interfaces).</para>
</example>
<example>
- <title>/etc/systemd/network/25-bridge-static.network</title>
+ <title>A bridge with two enslaved links</title>
- <programlisting>[Match]
+ <programlisting># /etc/systemd/network/25-bridge-static.network
+[Match]
Name=bridge0
[Network]
Address=192.168.0.15/24
Gateway=192.168.0.1
DNS=192.168.0.1</programlisting>
- </example>
- <example>
- <title>/etc/systemd/network/25-bridge-slave-interface.network</title>
-
- <programlisting>[Match]
+ <programlisting># /etc/systemd/network/25-bridge-slave-interface-1.network
+[Match]
Name=enp2s0
[Network]
Bridge=bridge0</programlisting>
+
+ <programlisting># /etc/systemd/network/25-bridge-slave-interface-2.network
+[Match]
+Name=wlp3s0
+
+[Network]
+Bridge=bridge0</programlisting>
+
+ <para>This creates a bridge and attaches devices <literal>enp2s0</literal> and
+ <literal>wlp3s0</literal> to it. The bridge will have the specified static address
+ and network assigned, and a default route via the specified gateway will be
+ added. The specified DNS server will be added to the global list of DNS resolvers.
+ </para>
</example>
+
<example>
- <title>/etc/systemd/network/25-bridge-slave-interface-vlan.network</title>
+ <title></title>
- <programlisting>[Match]
+ <programlisting>
+# /etc/systemd/network/20-bridge-slave-interface-vlan.network
+[Match]
Name=enp2s0
[Network]
[BridgeVLAN]
EgressUntagged=300-400</programlisting>
+
+ <para>This overrides the configuration specified in the previous example for the
+ interface <literal>enp2s0</literal>, and enables VLAN on that bridge port. VLAN IDs
+ 1-32, 42, 100-400 will be allowed. Packets tagged with VLAN IDs 42, 300-400 will be
+ untagged when they leave on this interface. Untagged packets which arrive on this
+ interface will be assigned VLAN ID 42.</para>
</example>
+
<example>
- <title>/etc/systemd/network/25-ipip.network</title>
+ <title>Various tunnels</title>
- <programlisting>[Match]
-Name=em1
+ <programlisting>/etc/systemd/network/25-tunnels.network
+[Match]
+Name=ens1
[Network]
-Tunnel=ipip-tun</programlisting>
+Tunnel=ipip-tun
+Tunnel=sit-tun
+Tunnel=gre-tun
+Tunnel=vti-tun
+ </programlisting>
+
+ <programlisting>/etc/systemd/network/25-tunnel-ipip.netdev
+[NetDev]
+Name=ipip-tun
+Kind=ipip
+ </programlisting>
+
+ <programlisting>/etc/systemd/network/25-tunnel-sit.netdev
+[NetDev]
+Name=sit-tun
+Kind=sit
+ </programlisting>
+
+ <programlisting>/etc/systemd/network/25-tunnel-gre.netdev
+[NetDev]
+Name=gre-tun
+Kind=gre
+ </programlisting>
+
+ <programlisting>/etc/systemd/network/25-tunnel-vti.netdev
+[NetDev]
+Name=vti-tun
+Kind=vti
+ </programlisting>
+
+ <para>This will bring interface <literal>ens1</literal> up and create an IPIP tunnel,
+ a SIT tunnel, a GRE tunnel, and a VTI tunnel using it.</para>
</example>
<example>
- <title>/etc/systemd/network/25-sit.network</title>
+ <title>A bond device</title>
- <programlisting>[Match]
-Name=em1
+ <programlisting># /etc/systemd/network/30-bond1.network
+[Match]
+Name=bond1
[Network]
-Tunnel=sit-tun</programlisting>
- </example>
+DHCP=ipv6
+</programlisting>
- <example>
- <title>/etc/systemd/network/25-gre.network</title>
+ <programlisting># /etc/systemd/network/30-bond1.netdev
+[NetDev]
+Name=bond1
+Kind=bond
+</programlisting>
- <programlisting>[Match]
-Name=em1
+ <programlisting># /etc/systemd/network/30-bond1-dev1.network
+[Match]
+MACAddress=52:54:00:e9:64:41
[Network]
-Tunnel=gre-tun</programlisting>
- </example>
-
- <example>
- <title>/etc/systemd/network/25-vti.network</title>
+Bond=bond1
+</programlisting>
- <programlisting>[Match]
-Name=em1
+ <programlisting># /etc/systemd/network/30-bond1-dev2.network
+[Match]
+MACAddress=52:54:00:e9:64:42
[Network]
-Tunnel=vti-tun</programlisting>
+Bond=bond1
+</programlisting>
+
+ <para>This will create a bond device <literal>bond1</literal> and enslave the two
+ devices with MAC addresses 52:54:00:e9:64:41 and 52:54:00:e9:64:42 to it. IPv6 DHCP
+ will be used to acquire an address.</para>
</example>
<example>
- <title>/etc/systemd/network/25-bond.network</title>
-
- <programlisting>[Match]
+ <title>Virtual Routing and Forwarding (VRF)</title>
+ <para>Add the <literal>bond1</literal> interface to the VRF master interface
+ <literal>vrf1</literal>. This will redirect routes generated on this interface to be
+ within the routing table defined during VRF creation. For kernels before 4.8 traffic
+ won't be redirected towards the VRFs routing table unless specific ip-rules are added.
+ </para>
+ <programlisting># /etc/systemd/network/25-vrf.network
+[Match]
Name=bond1
[Network]
-DHCP=yes
+VRF=vrf1
</programlisting>
</example>
<example>
- <title>/etc/systemd/network/25-vrf.network</title>
- <para>Add the bond1 interface to the VRF master interface vrf-test. This will redirect routes generated on this interface to be within the routing table defined during VRF creation. Traffic won't be redirected towards the VRFs routing table unless specific ip-rules are added.</para>
- <programlisting>[Match]
-Name=bond1
+ <title>MacVTap</title>
+ <para>This brings up a network interface <literal>macvtap-test</literal>
+ and attaches it to <literal>enp0s25</literal>.</para>
+ <programlisting># /usr/lib/systemd/network/25-macvtap.network
+[Match]
+Name=enp0s25
[Network]
-VRF=vrf-test
+MACVTAP=macvtap-test
</programlisting>
</example>
-
</refsect1>
<refsect1>