<refsect1>
<title>Description</title>
- <para>A plain ini-style text file that encodes network configuration for matching network interfaces,
- used by
+ <para>A plain ini-style text file that encodes network configuration for matching network
+ interfaces, used by
<citerefentry><refentrytitle>systemd-networkd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
See <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry>
for a general description of the syntax.</para>
directories <filename>/usr/lib/systemd/network</filename> and
<filename>/usr/local/lib/systemd/network</filename>, the volatile runtime network directory
<filename>/run/systemd/network</filename> and the local administration network directory
- <filename>/etc/systemd/network</filename>. All configuration files are collectively sorted and processed
- in lexical order, regardless of the directories in which they live. However, files with identical
- filenames replace each other. Files in <filename>/etc/</filename> have the highest priority, files in
- <filename>/run/</filename> take precedence over files with the same name under
- <filename>/usr/</filename>. This can be used to override a system-supplied configuration file with a local
- file if needed. As a special case, an empty file (file size 0) or symlink with the same name pointing to
- <filename>/dev/null</filename> disables the configuration file entirely (it is "masked").</para>
+ <filename>/etc/systemd/network</filename>. All configuration files are collectively sorted and
+ processed in lexical order, regardless of the directories in which they live. However, files with
+ identical filenames replace each other. Files in <filename>/etc/</filename> have the highest
+ priority, files in <filename>/run/</filename> take precedence over files with the same name under
+ <filename>/usr/</filename>. This can be used to override a system-supplied configuration file with
+ a local file if needed. As a special case, an empty file (file size 0) or symlink with the same
+ name pointing to <filename>/dev/null</filename> disables the configuration file entirely (it is
+ "masked").</para>
<para>Along with the network file <filename>foo.network</filename>, a "drop-in" directory
<filename>foo.network.d/</filename> may exist. All files with the suffix
<refsect1>
<title>[Match] Section Options</title>
- <para>The network file contains a [Match] section, which determines if a given network file may be
- applied to a given device; and a [Network] section specifying how the device should be configured. The
- first (in lexical order) of the network files that matches a given device is applied, all later files
- are ignored, even if they match as well.</para>
+ <para>The network file contains a [Match] section, which determines if a given network file may
+ be applied to a given device; and a [Network] section specifying how the device should be
+ configured. The first (in lexical order) of the network files that matches a given device is
+ applied, all later files are ignored, even if they match as well.</para>
- <para>A network file is said to match a network interface if all matches specified by the [Match]
- section are satisfied. When a network file does not contain valid settings in [Match] section, then the
- file will match all interfaces and <command>systemd-networkd</command> warns about that. Hint: to avoid
- the warning and to make it clear that all interfaces shall be matched, add the following:
- <programlisting>Name=*</programlisting> The following keys are accepted:</para>
+ <para>A network file is said to match a network interface if all matches specified by the [Match]
+ section are satisfied. When a network file does not contain valid settings in [Match] section, then
+ the file will match all interfaces and <command>systemd-networkd</command> warns about that. Hint:
+ to avoid the warning and to make it clear that all interfaces shall be matched, add the following:
+ <programlisting>Name=*</programlisting> The following keys are accepted:</para>
- <variablelist class='network-directives'>
- <xi:include href="systemd.link.xml" xpointer="mac-address" />
- <xi:include href="systemd.link.xml" xpointer="permanent-mac-address" />
- <xi:include href="systemd.link.xml" xpointer="path" />
- <xi:include href="systemd.link.xml" xpointer="driver" />
- <xi:include href="systemd.link.xml" xpointer="type" />
- <xi:include href="systemd.link.xml" xpointer="property" />
-
- <varlistentry>
- <term><varname>Name=</varname></term>
- <listitem>
- <para>A whitespace-separated list of shell-style globs matching the device name, as exposed
- by the udev property <literal>INTERFACE</literal>, or device's alternative names. If the
- list is prefixed with a "!", the test is inverted.</para>
- </listitem>
- </varlistentry>
+ <variablelist class='network-directives'>
+ <xi:include href="systemd.link.xml" xpointer="mac-address" />
+ <xi:include href="systemd.link.xml" xpointer="permanent-mac-address" />
+ <xi:include href="systemd.link.xml" xpointer="path" />
+ <xi:include href="systemd.link.xml" xpointer="driver" />
+ <xi:include href="systemd.link.xml" xpointer="type" />
+ <xi:include href="systemd.link.xml" xpointer="kind" />
+ <xi:include href="systemd.link.xml" xpointer="property" />
- <varlistentry>
- <term><varname>WLANInterfaceType=</varname></term>
- <listitem>
- <para>A whitespace-separated list of wireless network type. Supported values are
- <literal>ad-hoc</literal>, <literal>station</literal>, <literal>ap</literal>,
- <literal>ap-vlan</literal>, <literal>wds</literal>, <literal>monitor</literal>,
- <literal>mesh-point</literal>, <literal>p2p-client</literal>, <literal>p2p-go</literal>,
- <literal>p2p-device</literal>, <literal>ocb</literal>, and <literal>nan</literal>. If the
- list is prefixed with a "!", the test is inverted.
- </para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>Name=</varname></term>
+ <listitem>
+ <para>A whitespace-separated list of shell-style globs matching the device name, as exposed
+ by the udev property <literal>INTERFACE</literal>, or device's alternative names. If the
+ list is prefixed with a "!", the test is inverted.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>SSID=</varname></term>
- <listitem>
- <para>A whitespace-separated list of shell-style globs matching the SSID of the currently
- connected wireless LAN. If the list is prefixed with a "!", the test is inverted.
- </para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>WLANInterfaceType=</varname></term>
+ <listitem>
+ <para>A whitespace-separated list of wireless network type. Supported values are
+ <literal>ad-hoc</literal>, <literal>station</literal>, <literal>ap</literal>,
+ <literal>ap-vlan</literal>, <literal>wds</literal>, <literal>monitor</literal>,
+ <literal>mesh-point</literal>, <literal>p2p-client</literal>, <literal>p2p-go</literal>,
+ <literal>p2p-device</literal>, <literal>ocb</literal>, and <literal>nan</literal>. If the
+ list is prefixed with a "!", the test is inverted. </para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>BSSID=</varname></term>
- <listitem>
- <para>A whitespace-separated list of hardware address of the currently connected wireless
- LAN. Use full colon-, hyphen- or dot-delimited hexadecimal. See the example in
- <varname>MACAddress=</varname>. This option may appear more than once, in which case the
- lists are merged. If the empty string is assigned to this option, the list is reset.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>SSID=</varname></term>
+ <listitem>
+ <para>A whitespace-separated list of shell-style globs matching the SSID of the currently
+ connected wireless LAN. If the list is prefixed with a "!", the test is inverted.</para>
+ </listitem>
+ </varlistentry>
- <xi:include href="systemd.link.xml" xpointer="host" />
- <xi:include href="systemd.link.xml" xpointer="virtualization" />
- <xi:include href="systemd.link.xml" xpointer="kernel-command-line" />
- <xi:include href="systemd.link.xml" xpointer="kernel-version" />
- <xi:include href="systemd.link.xml" xpointer="architecture" />
- <xi:include href="systemd.link.xml" xpointer="firmware" />
- </variablelist>
+ <varlistentry>
+ <term><varname>BSSID=</varname></term>
+ <listitem>
+ <para>A whitespace-separated list of hardware address of the currently connected wireless
+ LAN. Use full colon-, hyphen- or dot-delimited hexadecimal. See the example in
+ <varname>MACAddress=</varname>. This option may appear more than once, in which case the
+ lists are merged. If the empty string is assigned to this option, the list is reset.</para>
+ </listitem>
+ </varlistentry>
+ <xi:include href="systemd.link.xml" xpointer="host" />
+ <xi:include href="systemd.link.xml" xpointer="virtualization" />
+ <xi:include href="systemd.link.xml" xpointer="kernel-command-line" />
+ <xi:include href="systemd.link.xml" xpointer="kernel-version" />
+ <xi:include href="systemd.link.xml" xpointer="architecture" />
+ <xi:include href="systemd.link.xml" xpointer="firmware" />
+ </variablelist>
</refsect1>
<refsect1>
<para>The hardware address to set for the device.</para>
</listitem>
</varlistentry>
+
<varlistentry>
<term><varname>MTUBytes=</varname></term>
<listitem>
- <para>The maximum transmission unit in bytes to set for the
- device. The usual suffixes K, M, G, are supported and are
- understood to the base of 1024.</para>
- <para>Note that if IPv6 is enabled on the interface, and the MTU is chosen
- below 1280 (the minimum MTU for IPv6) it will automatically be increased to this value.</para>
+ <para>The maximum transmission unit in bytes to set for the device. The usual suffixes K, M,
+ G, are supported and are understood to the base of 1024.</para>
+ <para>Note that if IPv6 is enabled on the interface, and the MTU is chosen below 1280 (the
+ minimum MTU for IPv6) it will automatically be increased to this value.</para>
</listitem>
</varlistentry>
+
<varlistentry>
<term><varname>ARP=</varname></term>
<listitem>
the network otherwise. Defaults to unset.</para>
</listitem>
</varlistentry>
+
<varlistentry>
<term><varname>Multicast=</varname></term>
<listitem>
- <para>Takes a boolean. If set to true, the multicast flag on the device is enabled. Defaults to unset.</para>
+ <para>Takes a boolean. If set to true, the multicast flag on the device is enabled. Defaults
+ to unset.</para>
</listitem>
</varlistentry>
+
<varlistentry>
<term><varname>AllMulticast=</varname></term>
<listitem>
- <para>Takes a boolean. If set to true, the driver retrieves all multicast packets from the network.
- This happens when multicast routing is enabled. Defaults to unset.</para>
+ <para>Takes a boolean. If set to true, the driver retrieves all multicast packets from the
+ network. This happens when multicast routing is enabled. Defaults to unset.</para>
</listitem>
</varlistentry>
+
<varlistentry>
<term><varname>Promiscuous=</varname></term>
<listitem>
- <para>Takes a boolean. If set to true, promiscuous mode of the interface is enabled.
- Defaults to unset.</para>
- <para>If this is set to false for the underlying link of a <literal>passthru</literal> mode MACVLAN/MACVTAP,
- the virtual interface will be created with the <literal>nopromisc</literal> flag set.</para>
+ <para>Takes a boolean. If set to true, promiscuous mode of the interface is enabled. Defaults
+ to unset.</para>
+ <para>If this is set to false for the underlying link of a <literal>passthru</literal> mode
+ MACVLAN/MACVTAP, the virtual interface will be created with the <literal>nopromisc</literal>
+ flag set.</para>
</listitem>
</varlistentry>
+
<varlistentry>
<term><varname>Unmanaged=</varname></term>
<listitem>
- <para>Takes a boolean. When <literal>yes</literal>, no attempts are
- made to bring up or configure matching links, equivalent to
- when there are no matching network files. Defaults to
+ <para>Takes a boolean. When <literal>yes</literal>, no attempts are made to bring up or
+ configure matching links, equivalent to when there are no matching network files. Defaults to
<literal>no</literal>.</para>
- <para>This is useful for preventing later matching network
- files from interfering with certain interfaces that are fully
- controlled by other applications.</para>
+ <para>This is useful for preventing later matching network files from interfering with
+ certain interfaces that are fully controlled by other applications.</para>
</listitem>
</varlistentry>
+
<varlistentry>
<term><varname>Group=</varname></term>
<listitem>
- <para>Link groups are similar to port ranges found in managed switches. When network interfaces
- are added to a numbered group, operations on all the interfaces from that group can be
- performed at once. Takes an unsigned integer in the range 0…2147483647. Defaults to unset.
- </para>
+ <para>Link groups are similar to port ranges found in managed switches. When network
+ interfaces are added to a numbered group, operations on all the interfaces from that group
+ can be performed at once. Takes an unsigned integer in the range 0…2147483647. Defaults to
+ unset.</para>
</listitem>
</varlistentry>
+
<varlistentry>
<term><varname>RequiredForOnline=</varname></term>
<listitem>
- <para>Takes a boolean or a minimum operational state and an optional maximum operational state.
- Please see <citerefentry><refentrytitle>networkctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
- for possible operational states. When <literal>yes</literal>, the network is deemed required when
- determining whether the system is online (including when running
- <command>systemd-networkd-wait-online</command>). When <literal>no</literal>, the network is ignored
- when determining the online state. When a minimum operational state and an optional maximum operational
- state are set, <literal>yes</literal> is implied, and this controls the minimum and maximum
- operational state required for the network interface to be considered online.</para>
-
- <para>Defaults to <literal>yes</literal> when <varname>ActivationPolicy=</varname> is not set,
- or set to <literal>up</literal>, <literal>always-up</literal>, or <literal>bound</literal>.
- Defaults to <literal>no</literal> when <varname>ActivationPolicy=</varname> is set to
- <literal>manual</literal> or <literal>down</literal>. This is forced to <literal>no</literal>
- when <varname>ActivationPolicy=</varname> is set to <literal>always-down</literal>.</para>
-
- <para>The network will be brought up normally (as configured by <varname>ActivationPolicy=</varname>),
- but in the event that there is no address being assigned by DHCP or the
- cable is not plugged in, the link will simply remain offline and be
- skipped automatically by <command>systemd-networkd-wait-online</command>
- if <literal>RequiredForOnline=no</literal>.</para>
+ <para>Takes a boolean or a minimum operational state and an optional maximum operational
+ state. Please see
+ <citerefentry><refentrytitle>networkctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ for possible operational states. When <literal>yes</literal>, the network is deemed required
+ when determining whether the system is online (including when running
+ <command>systemd-networkd-wait-online</command>). When <literal>no</literal>, the network is
+ ignored when determining the online state. When a minimum operational state and an optional
+ maximum operational state are set, <literal>yes</literal> is implied, and this controls the
+ minimum and maximum operational state required for the network interface to be considered
+ online.</para>
+
+ <para>Defaults to <literal>yes</literal> when <varname>ActivationPolicy=</varname> is not
+ set, or set to <literal>up</literal>, <literal>always-up</literal>, or
+ <literal>bound</literal>. Defaults to <literal>no</literal> when
+ <varname>ActivationPolicy=</varname> is set to <literal>manual</literal> or
+ <literal>down</literal>. This is forced to <literal>no</literal> when
+ <varname>ActivationPolicy=</varname> is set to <literal>always-down</literal>.</para>
+
+ <para>The network will be brought up normally (as configured by
+ <varname>ActivationPolicy=</varname>), but in the event that there is no address being
+ assigned by DHCP or the cable is not plugged in, the link will simply remain offline and be
+ skipped automatically by <command>systemd-networkd-wait-online</command> if
+ <literal>RequiredForOnline=no</literal>.</para>
</listitem>
</varlistentry>
+
<varlistentry>
<term><varname>RequiredFamilyForOnline=</varname></term>
<listitem>
- <para>Takes an address family. When specified, an IP address in the given family is deemed required
- when determining whether the link is online (including when running
+ <para>Takes an address family. When specified, an IP address in the given family is deemed
+ required when determining whether the link is online (including when running
<command>systemd-networkd-wait-online</command>). Takes one of <literal>ipv4</literal>,
<literal>ipv6</literal>, <literal>both</literal>, or <literal>any</literal>. Defaults to
<literal>any</literal>. Note that this option has no effect if
- <literal>RequiredForOnline=no</literal>, or if <literal>RequiredForOnline=</literal> specifies a
- minimum operational state below <literal>degraded</literal>.</para>
+ <literal>RequiredForOnline=no</literal>, or if <literal>RequiredForOnline=</literal>
+ specifies a minimum operational state below <literal>degraded</literal>.</para>
</listitem>
</varlistentry>
+
<varlistentry>
<term><varname>ActivationPolicy=</varname></term>
<listitem>
<para>Specifies the policy for <command>systemd-networkd</command> managing the link
administrative state. Specifically, this controls how <command>systemd-networkd</command>
changes the network device's <literal>IFF_UP</literal> flag, which is sometimes
- controlled by system administrators by running e.g., <command>ip link set dev eth0 up</command>
- or <command>ip link set dev eth0 down</command>, and can also be changed with
- <command>networkctl up eth0</command> or <command>networkctl down eth0</command>.</para>
+ controlled by system administrators by running e.g.,
+ <command>ip link set dev eth0 up</command> or <command>ip link set dev eth0 down</command>,
+ and can also be changed with <command>networkctl up eth0</command> or
+ <command>networkctl down eth0</command>.</para>
<para>Takes one of <literal>up</literal>, <literal>always-up</literal>,
<literal>manual</literal>, <literal>always-down</literal>, <literal>down</literal>,
- or <literal>bound</literal>. When <literal>manual</literal>, <command>systemd-networkd</command>
- will not change the link's admin state automatically; the system administrator must bring the
- interface up or down manually, as desired. When <literal>up</literal> (the default) or
- <literal>always-up</literal>, or <literal>down</literal> or <literal>always-down</literal>,
- <command>systemd-networkd</command> will set the link up or down, respectively,
- when the interface is (re)configured. When <literal>always-up</literal> or
- <literal>always-down</literal>, <command>systemd-networkd</command> will set the link up
- or down, respectively, any time <command>systemd-networkd</command> detects a change in
- the administrative state. When <varname>BindCarrier=</varname> is also set, this is
- automatically set to <literal>bound</literal> and any other value is ignored.</para>
-
- <para>When the policy is set to <literal>down</literal> or <literal>manual</literal>,
- the default value of <varname>RequiredForOnline=</varname> is <literal>no</literal>.
- When the policy is set to <literal>always-down</literal>, the value of
+ or <literal>bound</literal>. When <literal>manual</literal>,
+ <command>systemd-networkd</command> will not change the link's admin state automatically;
+ the system administrator must bring the interface up or down manually, as desired. When
+ <literal>up</literal> (the default) or <literal>always-up</literal>, or
+ <literal>down</literal> or <literal>always-down</literal>,
+ <command>systemd-networkd</command> will set the link up or down, respectively, when the
+ interface is (re)configured. When <literal>always-up</literal> or
+ <literal>always-down</literal>, <command>systemd-networkd</command> will set the link up or
+ down, respectively, any time <command>systemd-networkd</command> detects a change in the
+ administrative state. When <varname>BindCarrier=</varname> is also set, this is automatically
+ set to <literal>bound</literal> and any other value is ignored.</para>
+
+ <para>When the policy is set to <literal>down</literal> or <literal>manual</literal>, the
+ default value of <varname>RequiredForOnline=</varname> is <literal>no</literal>. When the
+ policy is set to <literal>always-down</literal>, the value of
<varname>RequiredForOnline=</varname> forced to <literal>no</literal>.</para>
<para>The administrative state is not the same as the carrier state, so using
- <literal>always-up</literal> does not mean the link will never lose carrier. The link
- carrier depends on both the administrative state as well as the network device's physical
- connection. However, to avoid reconfiguration failures, when using <literal>always-up</literal>,
+ <literal>always-up</literal> does not mean the link will never lose carrier. The link carrier
+ depends on both the administrative state as well as the network device's physical connection.
+ However, to avoid reconfiguration failures, when using <literal>always-up</literal>,
<varname>IgnoreCarrierLoss=</varname> is forced to true.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
+ <xi:include href="systemd.link.xml" xpointer="sr-iov" />
+
<refsect1>
- <title>[SR-IOV] Section Options</title>
- <para>The [SR-IOV] section accepts the following keys. Specify several [SR-IOV] sections to configure
- several SR-IOVs. SR-IOV provides the ability to partition a single physical PCI resource into virtual
- PCI functions which can then be injected into a VM. In the case of network VFs, SR-IOV improves
- north-south network performance (that is, traffic with endpoints outside the host machine) by allowing
- traffic to bypass the host machine’s network stack.</para>
+ <title>[Network] Section Options</title>
- <variablelist class='network-directives'>
- <varlistentry>
- <term><varname>VirtualFunction=</varname></term>
- <listitem>
- <para>Specifies a Virtual Function (VF), lightweight PCIe function designed solely to move data
- in and out. Takes an unsigned integer in the range 0…2147483646. This option is compulsory.</para>
- </listitem>
- </varlistentry>
+ <para>The [Network] section accepts the following keys:</para>
- <varlistentry>
- <term><varname>VLANId=</varname></term>
- <listitem>
- <para>Specifies VLAN ID of the virtual function. Takes an unsigned integer in the range 1…4095.</para>
- </listitem>
- </varlistentry>
+ <variablelist class='network-directives'>
+ <varlistentry>
+ <term><varname>Description=</varname></term>
+ <listitem>
+ <para>A description of the device. This is only used for presentation purposes.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>QualityOfService=</varname></term>
- <listitem>
- <para>Specifies quality of service of the virtual function. Takes an unsigned integer in the range 1…4294967294.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>DHCP=</varname></term>
+ <listitem>
+ <para>Enables DHCPv4 and/or DHCPv6 client support. Accepts <literal>yes</literal>,
+ <literal>no</literal>, <literal>ipv4</literal>, or <literal>ipv6</literal>. Defaults to
+ <literal>no</literal>.</para>
- <varlistentry>
- <term><varname>VLANProtocol=</varname></term>
- <listitem>
- <para>Specifies VLAN protocol of the virtual function. Takes <literal>802.1Q</literal> or
- <literal>802.1ad</literal>.</para>
- </listitem>
- </varlistentry>
+ <para>Note that DHCPv6 will by default be triggered by Router Advertisement, if that is
+ enabled, regardless of this parameter. By enabling DHCPv6 support explicitly, the DHCPv6
+ client will be started regardless of the presence of routers on the link, or what flags the
+ routers pass. See <literal>IPv6AcceptRA=</literal>.</para>
- <varlistentry>
- <term><varname>MACSpoofCheck=</varname></term>
- <listitem>
- <para>Takes a boolean. Controls the MAC spoof checking. When unset, the kernel's default will be used.</para>
- </listitem>
- </varlistentry>
+ <para>Furthermore, note that by default the domain name specified through DHCP is not used
+ for name resolution. See option <option>UseDomains=</option> below.</para>
- <varlistentry>
- <term><varname>QueryReceiveSideScaling=</varname></term>
- <listitem>
- <para>Takes a boolean. Toggle the ability of querying the receive side scaling (RSS)
- configuration of the virtual function (VF). The VF RSS information like RSS hash key may be
- considered sensitive on some devices where this information is shared between VF and the
- physical function (PF). When unset, the kernel's default will be used.</para>
- </listitem>
- </varlistentry>
+ <para>See the [DHCPv4] or [DHCPv6] sections below for further configuration options for the
+ DHCP client support.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>Trust=</varname></term>
- <listitem>
- <para>Takes a boolean. Allows to set trust mode of the virtual function (VF). When set, VF
- users can set a specific feature which may impact security and/or performance. When unset,
- the kernel's default will be used.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>DHCPServer=</varname></term>
+ <listitem>
+ <para>Takes a boolean. If set to <literal>yes</literal>, DHCPv4 server will be started.
+ Defaults to <literal>no</literal>. Further settings for the DHCP server may be set in the
+ [DHCPServer] section described below.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>LinkState=</varname></term>
- <listitem>
- <para>Allows to set the link state of the virtual function (VF). Takes a boolean or a
- special value <literal>auto</literal>. Setting to <literal>auto</literal> means a
- reflection of the physical function (PF) link state, <literal>yes</literal> lets the VF to
- communicate with other VFs on this host even if the PF link state is down,
- <literal>no</literal> causes the hardware to drop any packets sent by the VF. When unset,
- the kernel's default will be used.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>LinkLocalAddressing=</varname></term>
+ <listitem>
+ <para>Enables link-local address autoconfiguration. Accepts <option>yes</option>,
+ <option>no</option>, <option>ipv4</option>, and <option>ipv6</option>. An IPv6 link-local
+ address is configured when <option>yes</option> or <option>ipv6</option>. An IPv4 link-local
+ address is configured when <option>yes</option> or <option>ipv4</option> and when DHCPv4
+ autoconfiguration has been unsuccessful for some time. (IPv4 link-local address
+ autoconfiguration will usually happen in parallel with repeated attempts to acquire a DHCPv4
+ lease).</para>
+
+ <para>Defaults to <option>no</option> when <varname>KeepMaster=</varname> or
+ <varname>Bridge=</varname> is set or when the specified
+ <varname>MACVLAN=</varname>/<varname>MACVTAP=</varname> has <varname>Mode=passthru</varname>,
+ or <option>ipv6</option> otherwise.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>MACAddress=</varname></term>
- <listitem>
- <para>Specifies the MAC address for the virtual function.</para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
+ <varlistentry>
+ <term><varname>IPv6LinkLocalAddressGenerationMode=</varname></term>
+ <listitem>
+ <para>Specifies how IPv6 link local address is generated. Takes one of
+ <literal>eui64</literal>, <literal>none</literal>, <literal>stable-privacy</literal> and
+ <literal>random</literal>. When unset, <literal>stable-privacy</literal> is used if
+ <varname>IPv6StableSecretAddress=</varname> is specified, and if not,
+ <literal>eui64</literal> is used. Note that if <varname>LinkLocalAddressing=</varname> is
+ <literal>no</literal> or <literal>ipv4</literal>, then
+ <varname>IPv6LinkLocalAddressGenerationMode=</varname> will be ignored. Also, even if
+ <varname>LinkLocalAddressing=</varname> is <literal>yes</literal> or <literal>ipv6</literal>,
+ setting <varname>IPv6LinkLocalAddressGenerationMode=none</varname>
+ disables to configure an IPv6 link-local address.</para>
+ </listitem>
+ </varlistentry>
- <refsect1>
- <title>[Network] Section Options</title>
+ <varlistentry>
+ <term><varname>IPv6StableSecretAddress=</varname></term>
+ <listitem>
+ <para>Takes an IPv6 address. The specified address will be used as a stable secret for
+ generating IPv6 link-local address. If this setting is specified, and
+ <varname>IPv6LinkLocalAddressGenerationMode=</varname> is unset, then
+ <varname>IPv6LinkLocalAddressGenerationMode=stable-privacy</varname> is implied.
+ If this setting is not specified, and <literal>stable-privacy</literal> is set to
+ <varname>IPv6LinkLocalAddressGenerationMode=</varname>,
+ then a stable secret address will be generated from the local machine ID and the interface
+ name.</para>
+ </listitem>
+ </varlistentry>
- <para>The [Network] section accepts the following keys:</para>
+ <varlistentry>
+ <term><varname>IPv4LLRoute=</varname></term>
+ <listitem>
+ <para>Takes a boolean. If set to true, sets up the route needed for non-IPv4LL hosts to
+ communicate with IPv4LL-only hosts. Defaults to false.</para>
+ </listitem>
+ </varlistentry>
- <variablelist class='network-directives'>
- <varlistentry>
- <term><varname>Description=</varname></term>
- <listitem>
- <para>A description of the device. This is only used for
- presentation purposes.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>DHCP=</varname></term>
- <listitem>
- <para>Enables DHCPv4 and/or DHCPv6 client support. Accepts
- <literal>yes</literal>, <literal>no</literal>,
- <literal>ipv4</literal>, or <literal>ipv6</literal>. Defaults
- to <literal>no</literal>.</para>
-
- <para>Note that DHCPv6 will by default be triggered by Router
- Advertisement, if that is enabled, regardless of this parameter.
- By enabling DHCPv6 support explicitly, the DHCPv6 client will
- be started regardless of the presence of routers on the link,
- or what flags the routers pass. See
- <literal>IPv6AcceptRA=</literal>.</para>
-
- <para>Furthermore, note that by default the domain name
- specified through DHCP is not used for name resolution.
- See option <option>UseDomains=</option> below.</para>
-
- <para>See the [DHCPv4] or [DHCPv6] sections below for further configuration options for the DHCP
- client support.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>DHCPServer=</varname></term>
- <listitem>
- <para>Takes a boolean. If set to <literal>yes</literal>, DHCPv4 server will be started. Defaults
- to <literal>no</literal>. Further settings for the DHCP server may be set in the [DHCPServer]
- section described below.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>LinkLocalAddressing=</varname></term>
- <listitem>
- <para>Enables link-local address autoconfiguration. Accepts <option>yes</option>,
- <option>no</option>, <option>ipv4</option>, and <option>ipv6</option>. An IPv6 link-local address
- is configured when <option>yes</option> or <option>ipv6</option>. An IPv4 link-local address is
- configured when <option>yes</option> or <option>ipv4</option> and when DHCPv4 autoconfiguration
- has been unsuccessful for some time. (IPv4 link-local address autoconfiguration will usually
- happen in parallel with repeated attempts to acquire a DHCPv4 lease).</para>
-
- <para>Defaults to <option>no</option> when <varname>KeepMaster=</varname> or
- <varname>Bridge=</varname> is set or when the specified
- <varname>MACVLAN=</varname>/<varname>MACVTAP=</varname> has <varname>Mode=passthru</varname>, or
- <option>ipv6</option> otherwise.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>IPv6LinkLocalAddressGenerationMode=</varname></term>
- <listitem>
- <para>Specifies how IPv6 link local address is generated. Takes one of
- <literal>eui64</literal>, <literal>none</literal>, <literal>stable-privacy</literal> and
- <literal>random</literal>. When unset, <literal>stable-privacy</literal> is used if
- <varname>IPv6StableSecretAddress=</varname> is specified, and if not,
- <literal>eui64</literal> is used. Note that if <varname>LinkLocalAddressing=</varname> is
- <literal>no</literal> or <literal>ipv4</literal>, then
- <varname>IPv6LinkLocalAddressGenerationMode=</varname> will be ignored. Also, even if
- <varname>LinkLocalAddressing=</varname> is <literal>yes</literal> or
- <literal>ipv6</literal>, setting <varname>IPv6LinkLocalAddressGenerationMode=none</varname>
- disables to configure an IPv6 link-local address.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>IPv6StableSecretAddress=</varname></term>
- <listitem>
- <para>Takes an IPv6 address. The specified address will be used as a stable secret for
- generating IPv6 link-local address. If this setting is specified, and
- <varname>IPv6LinkLocalAddressGenerationMode=</varname> is unset, then
- <varname>IPv6LinkLocalAddressGenerationMode=stable-privacy</varname> is implied.
- If this setting is not specified, and <literal>stable-privacy</literal> is set to
- <varname>IPv6LinkLocalAddressGenerationMode=</varname>,
- then a stable secret address will be generated from the local machine ID and the interface
- name.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>IPv4LLRoute=</varname></term>
- <listitem>
- <para>Takes a boolean. If set to true, sets up the route needed for
- non-IPv4LL hosts to communicate with IPv4LL-only hosts. Defaults
- to false.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>DefaultRouteOnDevice=</varname></term>
- <listitem>
- <para>Takes a boolean. If set to true, sets up the default route bound to the interface.
- Defaults to false. This is useful when creating routes on point-to-point interfaces.
- This is equivalent to e.g. the following,
- <programlisting>ip route add default dev veth99</programlisting>
- or,
- <programlisting>[Route]
+ <varlistentry>
+ <term><varname>DefaultRouteOnDevice=</varname></term>
+ <listitem>
+ <para>Takes a boolean. If set to true, sets up the default route bound to the interface.
+ Defaults to false. This is useful when creating routes on point-to-point interfaces. This is
+ equivalent to e.g. the following,
+ <programlisting>ip route add default dev veth99</programlisting>
+ or,
+ <programlisting>[Route]
Gateway=0.0.0.0</programlisting></para>
- <para>Currently, there are no way to specify e.g., the table for the route configured by
- this setting. To configure the default route with such an additional property, please use
- the following instead:
- <programlisting>[Route]
+ <para>Currently, there are no way to specify e.g., the table for the route configured by this
+ setting. To configure the default route with such an additional property, please use the
+ following instead:
+ <programlisting>[Route]
Gateway=0.0.0.0
Table=1234</programlisting></para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>LLMNR=</varname></term>
- <listitem>
- <para>Takes a boolean or <literal>resolve</literal>. When true,
- enables <ulink
- url="https://tools.ietf.org/html/rfc4795">Link-Local
- Multicast Name Resolution</ulink> on the link. When set to
- <literal>resolve</literal>, only resolution is enabled,
- but not host registration and announcement. Defaults to
- true. This setting is read by
- <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>MulticastDNS=</varname></term>
- <listitem>
- <para>Takes a boolean or <literal>resolve</literal>. When true,
- enables <ulink
- url="https://tools.ietf.org/html/rfc6762">Multicast
- DNS</ulink> support on the link. When set to
- <literal>resolve</literal>, only resolution is enabled,
- but not host or service registration and
- announcement. Defaults to false. This setting is read by
- <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>DNSOverTLS=</varname></term>
- <listitem>
- <para>Takes a boolean or <literal>opportunistic</literal>. When true, enables
- <ulink url="https://tools.ietf.org/html/rfc7858">DNS-over-TLS</ulink> support on the link.
- When set to <literal>opportunistic</literal>, compatibility with non-DNS-over-TLS servers
- is increased, by automatically turning off DNS-over-TLS servers in this case. This option
- defines a per-interface setting for
- <citerefentry><refentrytitle>resolved.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>'s
- global <varname>DNSOverTLS=</varname> option. Defaults to unset, and the global setting
- will be used. This setting is read by
- <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>DNSSEC=</varname></term>
- <listitem>
- <para>Takes a boolean or <literal>allow-downgrade</literal>. When true, enables
- <ulink url="https://tools.ietf.org/html/rfc4033">DNSSEC</ulink> DNS validation support on
- the link. When set to <literal>allow-downgrade</literal>, compatibility with non-DNSSEC
- capable networks is increased, by automatically turning off DNSSEC in this case. This
- option defines a per-interface setting for
- <citerefentry><refentrytitle>resolved.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>'s
- global <varname>DNSSEC=</varname> option. Defaults to unset, and the global setting will be
- used. This setting is read by
- <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>DNSSECNegativeTrustAnchors=</varname></term>
- <listitem><para>A space-separated list of DNSSEC negative
- trust anchor domains. If specified and DNSSEC is enabled,
- look-ups done via the interface's DNS server will be subject
- to the list of negative trust anchors, and not require
- authentication for the specified domains, or anything below
- it. Use this to disable DNSSEC authentication for specific
- private domains, that cannot be proven valid using the
- Internet DNS hierarchy. Defaults to the empty list. This
- setting is read by
- <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>LLDP=</varname></term>
- <listitem>
- <para>Controls support for Ethernet LLDP packet reception. LLDP is a link-layer protocol commonly
- implemented on professional routers and bridges which announces which physical port a system is connected
- to, as well as other related data. Accepts a boolean or the special value
- <literal>routers-only</literal>. When true, incoming LLDP packets are accepted and a database of all LLDP
- neighbors maintained. If <literal>routers-only</literal> is set only LLDP data of various types of routers
- is collected and LLDP data about other types of devices ignored (such as stations, telephones and
- others). If false, LLDP reception is disabled. Defaults to <literal>routers-only</literal>. Use
- <citerefentry><refentrytitle>networkctl</refentrytitle><manvolnum>1</manvolnum></citerefentry> to query the
- collected neighbor data. LLDP is only available on Ethernet links. See <varname>EmitLLDP=</varname> below
- for enabling LLDP packet emission from the local system.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>EmitLLDP=</varname></term>
- <listitem>
- <para>Controls support for Ethernet LLDP packet emission. Accepts a boolean parameter or the special values
- <literal>nearest-bridge</literal>, <literal>non-tpmr-bridge</literal> and
- <literal>customer-bridge</literal>. Defaults to false, which turns off LLDP packet emission. If not false,
- a short LLDP packet with information about the local system is sent out in regular intervals on the
- link. The LLDP packet will contain information about the local hostname, the local machine ID (as stored
- in <citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry>) and the
- local interface name, as well as the pretty hostname of the system (as set in
- <citerefentry><refentrytitle>machine-info</refentrytitle><manvolnum>5</manvolnum></citerefentry>). LLDP
- emission is only available on Ethernet links. Note that this setting passes data suitable for
- identification of host to the network and should thus not be enabled on untrusted networks, where such
- identification data should not be made available. Use this option to permit other systems to identify on
- which interfaces they are connected to this system. The three special values control propagation of the
- LLDP packets. The <literal>nearest-bridge</literal> setting permits propagation only to the nearest
- connected bridge, <literal>non-tpmr-bridge</literal> permits propagation across Two-Port MAC Relays, but
- not any other bridges, and <literal>customer-bridge</literal> permits propagation until a customer bridge
- is reached. For details about these concepts, see <ulink
- url="https://standards.ieee.org/findstds/standard/802.1AB-2016.html">IEEE 802.1AB-2016</ulink>. Note that
- configuring this setting to true is equivalent to <literal>nearest-bridge</literal>, the recommended and
- most restricted level of propagation. See <varname>LLDP=</varname> above for an option to enable LLDP
- reception.</para>
- </listitem>
- </varlistentry>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>BindCarrier=</varname></term>
- <listitem>
- <para>A link name or a list of link names. When set, controls the behavior of the current
- link. When all links in the list are in an operational down state, the current link is brought
- down. When at least one link has carrier, the current interface is brought up.</para>
+ <varlistentry>
+ <term><varname>LLMNR=</varname></term>
+ <listitem>
+ <para>Takes a boolean or <literal>resolve</literal>. When true, enables
+ <ulink url="https://tools.ietf.org/html/rfc4795">Link-Local Multicast Name Resolution</ulink>
+ on the link. When set to <literal>resolve</literal>, only resolution is enabled, but not host
+ registration and announcement. Defaults to true. This setting is read by
+ <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
+ </para>
+ </listitem>
+ </varlistentry>
- <para>This forces <varname>ActivationPolicy=</varname> to be set to <literal>bound</literal>.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>Address=</varname></term>
- <listitem>
- <para>A static IPv4 or IPv6 address and its prefix length,
- separated by a <literal>/</literal> character. Specify
- this key more than once to configure several addresses.
- The format of the address must be as described in
- <citerefentry project='man-pages'><refentrytitle>inet_pton</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
- This is a short-hand for an [Address] section only
- containing an Address key (see below). This option may be
- specified more than once.
- </para>
+ <varlistentry>
+ <term><varname>MulticastDNS=</varname></term>
+ <listitem>
+ <para>Takes a boolean or <literal>resolve</literal>. When true, enables
+ <ulink url="https://tools.ietf.org/html/rfc6762">Multicast DNS</ulink> support on the link.
+ When set to <literal>resolve</literal>, only resolution is enabled, but not host or service
+ registration and announcement. Defaults to false. This setting is read by
+ <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
+ </para>
+ </listitem>
+ </varlistentry>
- <para>If the specified address is <literal>0.0.0.0</literal> (for IPv4) or <literal>::</literal>
- (for IPv6), a new address range of the requested size is automatically allocated from a
- system-wide pool of unused ranges. Note that the prefix length must be equal or larger than 8 for
- IPv4, and 64 for IPv6. The allocated range is checked against all current network interfaces and
- all known network configuration files to avoid address range conflicts. The default system-wide
- pool consists of 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8 for IPv4, and fd00::/8 for IPv6.
- This functionality is useful to manage a large number of dynamically created network interfaces
- with the same network configuration and automatic address range assignment.</para>
+ <varlistentry>
+ <term><varname>DNSOverTLS=</varname></term>
+ <listitem>
+ <para>Takes a boolean or <literal>opportunistic</literal>. When true, enables
+ <ulink url="https://tools.ietf.org/html/rfc7858">DNS-over-TLS</ulink> support on the link.
+ When set to <literal>opportunistic</literal>, compatibility with non-DNS-over-TLS servers is
+ increased, by automatically turning off DNS-over-TLS servers in this case. This option
+ defines a per-interface setting for
+ <citerefentry><refentrytitle>resolved.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>'s
+ global <varname>DNSOverTLS=</varname> option. Defaults to unset, and the global setting will
+ be used. This setting is read by
+ <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
+ </para>
+ </listitem>
+ </varlistentry>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>Gateway=</varname></term>
- <listitem>
- <para>The gateway address, which must be in the format
- described in
- <citerefentry project='man-pages'><refentrytitle>inet_pton</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
- This is a short-hand for a [Route] section only containing
- a Gateway key. This option may be specified more than
- once.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>DNS=</varname></term>
- <listitem>
- <para>A DNS server address, which must be in the format described in
- <citerefentry project='man-pages'><refentrytitle>inet_pton</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
- This option may be specified more than once. Each address can optionally take a port number
- separated with <literal>:</literal>, a network interface name or index separated with
- <literal>%</literal>, and a Server Name Indication (SNI) separated with <literal>#</literal>.
- When IPv6 address is specified with a port number, then the address must be in the square
- brackets. That is, the acceptable full formats are
- <literal>111.222.333.444:9953%ifname#example.com</literal> for IPv4 and
- <literal>[1111:2222::3333]:9953%ifname#example.com</literal> for IPv6. If an empty string is
- assigned, then the all previous assignments are cleared. This setting is read by
- <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>Domains=</varname></term>
- <listitem>
- <para>A whitespace-separated list of domains which should be resolved using the DNS servers on
- this link. Each item in the list should be a domain name, optionally prefixed with a tilde
- (<literal>~</literal>). The domains with the prefix are called "routing-only domains". The
- domains without the prefix are called "search domains" and are first used as search suffixes for
- extending single-label hostnames (hostnames containing no dots) to become fully qualified
- domain names (FQDNs). If a single-label hostname is resolved on this interface, each of the
- specified search domains are appended to it in turn, converting it into a fully qualified domain
- name, until one of them may be successfully resolved.</para>
-
- <para>Both "search" and "routing-only" domains are used for routing of DNS queries: look-ups for hostnames
- ending in those domains (hence also single label names, if any "search domains" are listed), are routed to
- the DNS servers configured for this interface. The domain routing logic is particularly useful on
- multi-homed hosts with DNS servers serving particular private DNS zones on each interface.</para>
-
- <para>The "routing-only" domain <literal>~.</literal> (the tilde indicating definition of a routing domain,
- the dot referring to the DNS root domain which is the implied suffix of all valid DNS names) has special
- effect. It causes all DNS traffic which does not match another configured domain routing entry to be routed
- to DNS servers specified for this interface. This setting is useful to prefer a certain set of DNS servers
- if a link on which they are connected is available.</para>
-
- <para>This setting is read by
- <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
- "Search domains" correspond to the <varname>domain</varname> and <varname>search</varname> entries in
- <citerefentry project='man-pages'><refentrytitle>resolv.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
- Domain name routing has no equivalent in the traditional glibc API, which has no concept of domain
- name servers limited to a specific link.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>DNSDefaultRoute=</varname></term>
- <listitem>
- <para>Takes a boolean argument. If true, this link's configured DNS servers are used for resolving domain
- names that do not match any link's configured <varname>Domains=</varname> setting. If false, this link's
- configured DNS servers are never used for such domains, and are exclusively used for resolving names that
- match at least one of the domains configured on this link. If not specified defaults to an automatic mode:
- queries not matching any link's configured domains will be routed to this link if it has no routing-only
- domains configured.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>NTP=</varname></term>
- <listitem>
- <para>An NTP server address (either an IP address, or a hostname). This option may be specified more than once. This setting is read by
- <citerefentry><refentrytitle>systemd-timesyncd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>IPForward=</varname></term>
- <listitem><para>Configures IP packet forwarding for the
- system. If enabled, incoming packets on any network
- interface will be forwarded to any other interfaces
- according to the routing table. Takes a boolean,
- or the values <literal>ipv4</literal> or
- <literal>ipv6</literal>, which only enable IP packet
- forwarding for the specified address family. This controls
- the <filename>net.ipv4.ip_forward</filename> and
- <filename>net.ipv6.conf.all.forwarding</filename> sysctl
- options of the network interface (see <ulink
- url="https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt">ip-sysctl.txt</ulink>
- for details about sysctl options). Defaults to
- <literal>no</literal>.</para>
+ <varlistentry>
+ <term><varname>DNSSEC=</varname></term>
+ <listitem>
+ <para>Takes a boolean or <literal>allow-downgrade</literal>. When true, enables
+ <ulink url="https://tools.ietf.org/html/rfc4033">DNSSEC</ulink> DNS validation support on the
+ link. When set to <literal>allow-downgrade</literal>, compatibility with non-DNSSEC capable
+ networks is increased, by automatically turning off DNSSEC in this case. This option defines
+ a per-interface setting for
+ <citerefentry><refentrytitle>resolved.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>'s
+ global <varname>DNSSEC=</varname> option. Defaults to unset, and the global setting will be
+ used. This setting is read by
+ <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
+ </para>
+ </listitem>
+ </varlistentry>
- <para>Note: this setting controls a global kernel option,
- and does so one way only: if a network that has this setting
- enabled is set up the global setting is turned on. However,
- it is never turned off again, even after all networks with
- this setting enabled are shut down again.</para>
+ <varlistentry>
+ <term><varname>DNSSECNegativeTrustAnchors=</varname></term>
+ <listitem>
+ <para>A space-separated list of DNSSEC negative trust anchor domains. If specified and DNSSEC
+ is enabled, look-ups done via the interface's DNS server will be subject to the list of
+ negative trust anchors, and not require authentication for the specified domains, or anything
+ below it. Use this to disable DNSSEC authentication for specific private domains, that cannot
+ be proven valid using the Internet DNS hierarchy. Defaults to the empty list. This setting is
+ read by
+ <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
+ </para>
+ </listitem>
+ </varlistentry>
- <para>To allow IP packet forwarding only between specific
- network interfaces use a firewall.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>IPMasquerade=</varname></term>
- <listitem><para>Configures IP masquerading for the network interface. If enabled, packets
- forwarded from the network interface will be appear as coming from the local host. Takes one
- of <literal>ipv4</literal>, <literal>ipv6</literal>, <literal>both</literal>, or
+ <varlistentry>
+ <term><varname>LLDP=</varname></term>
+ <listitem>
+ <para>Controls support for Ethernet LLDP packet reception. LLDP is a link-layer protocol
+ commonly implemented on professional routers and bridges which announces which physical port
+ a system is connected to, as well as other related data. Accepts a boolean or the special
+ value <literal>routers-only</literal>. When true, incoming LLDP packets are accepted and a
+ database of all LLDP neighbors maintained. If <literal>routers-only</literal> is set only
+ LLDP data of various types of routers is collected and LLDP data about other types of devices
+ ignored (such as stations, telephones and others). If false, LLDP reception is disabled.
+ Defaults to <literal>routers-only</literal>. Use
+ <citerefentry><refentrytitle>networkctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ to query the collected neighbor data. LLDP is only available on Ethernet links. See
+ <varname>EmitLLDP=</varname> below for enabling LLDP packet emission from the local system.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>EmitLLDP=</varname></term>
+ <listitem>
+ <para>Controls support for Ethernet LLDP packet emission. Accepts a boolean parameter or the
+ special values <literal>nearest-bridge</literal>, <literal>non-tpmr-bridge</literal> and
+ <literal>customer-bridge</literal>. Defaults to false, which turns off LLDP packet emission.
+ If not false, a short LLDP packet with information about the local system is sent out in
+ regular intervals on the link. The LLDP packet will contain information about the local
+ hostname, the local machine ID (as stored in
+ <citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
+ and the local interface name, as well as the pretty hostname of the system (as set in
+ <citerefentry><refentrytitle>machine-info</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
+ LLDP emission is only available on Ethernet links. Note that this setting passes data
+ suitable for identification of host to the network and should thus not be enabled on
+ untrusted networks, where such identification data should not be made available. Use this
+ option to permit other systems to identify on which interfaces they are connected to this
+ system. The three special values control propagation of the LLDP packets. The
+ <literal>nearest-bridge</literal> setting permits propagation only to the nearest connected
+ bridge, <literal>non-tpmr-bridge</literal> permits propagation across Two-Port MAC Relays,
+ but not any other bridges, and <literal>customer-bridge</literal> permits propagation until
+ a customer bridge is reached. For details about these concepts, see
+ <ulink url="https://standards.ieee.org/findstds/standard/802.1AB-2016.html">IEEE 802.1AB-2016</ulink>.
+ Note that configuring this setting to true is equivalent to
+ <literal>nearest-bridge</literal>, the recommended and most restricted level of propagation.
+ See <varname>LLDP=</varname> above for an option to enable LLDP reception.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>BindCarrier=</varname></term>
+ <listitem>
+ <para>A link name or a list of link names. When set, controls the behavior of the current
+ link. When all links in the list are in an operational down state, the current link is
+ brought down. When at least one link has carrier, the current interface is brought up.</para>
+
+ <para>This forces <varname>ActivationPolicy=</varname> to be set to <literal>bound</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>Address=</varname></term>
+ <listitem>
+ <para>A static IPv4 or IPv6 address and its prefix length, separated by a
+ <literal>/</literal> character. Specify this key more than once to configure several
+ addresses. The format of the address must be as described in
+ <citerefentry project='man-pages'><refentrytitle>inet_pton</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+ This is a short-hand for an [Address] section only containing an Address key (see below).
+ This option may be specified more than once.</para>
+
+ <para>If the specified address is <literal>0.0.0.0</literal> (for IPv4) or
+ <literal>::</literal> (for IPv6), a new address range of the requested size is automatically
+ allocated from a system-wide pool of unused ranges. Note that the prefix length must be equal
+ or larger than 8 for IPv4, and 64 for IPv6. The allocated range is checked against all
+ current network interfaces and all known network configuration files to avoid address range
+ conflicts. The default system-wide pool consists of 192.168.0.0/16, 172.16.0.0/12 and
+ 10.0.0.0/8 for IPv4, and fd00::/8 for IPv6. This functionality is useful to manage a large
+ number of dynamically created network interfaces with the same network configuration and
+ automatic address range assignment.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>Gateway=</varname></term>
+ <listitem>
+ <para>The gateway address, which must be in the format described in
+ <citerefentry project='man-pages'><refentrytitle>inet_pton</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+ This is a short-hand for a [Route] section only containing a <varname>Gateway=</varname> key.
+ This option may be specified more than once.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>DNS=</varname></term>
+ <listitem>
+ <para>A DNS server address, which must be in the format described in
+ <citerefentry project='man-pages'><refentrytitle>inet_pton</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+ This option may be specified more than once. Each address can optionally take a port number
+ separated with <literal>:</literal>, a network interface name or index separated with
+ <literal>%</literal>, and a Server Name Indication (SNI) separated with <literal>#</literal>.
+ When IPv6 address is specified with a port number, then the address must be in the square
+ brackets. That is, the acceptable full formats are
+ <literal>111.222.333.444:9953%ifname#example.com</literal> for IPv4 and
+ <literal>[1111:2222::3333]:9953%ifname#example.com</literal> for IPv6. If an empty string is
+ assigned, then the all previous assignments are cleared. This setting is read by
+ <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>Domains=</varname></term>
+ <listitem>
+ <para>A whitespace-separated list of domains which should be resolved using the DNS servers
+ on this link. Each item in the list should be a domain name, optionally prefixed with a tilde
+ (<literal>~</literal>). The domains with the prefix are called "routing-only domains". The
+ domains without the prefix are called "search domains" and are first used as search suffixes
+ for extending single-label hostnames (hostnames containing no dots) to become fully qualified
+ domain names (FQDNs). If a single-label hostname is resolved on this interface, each of the
+ specified search domains are appended to it in turn, converting it into a fully qualified
+ domain name, until one of them may be successfully resolved.</para>
+
+ <para>Both "search" and "routing-only" domains are used for routing of DNS queries: look-ups
+ for hostnames ending in those domains (hence also single label names, if any "search domains"
+ are listed), are routed to the DNS servers configured for this interface. The domain routing
+ logic is particularly useful on multi-homed hosts with DNS servers serving particular private
+ DNS zones on each interface.</para>
+
+ <para>The "routing-only" domain <literal>~.</literal> (the tilde indicating definition of a
+ routing domain, the dot referring to the DNS root domain which is the implied suffix of all
+ valid DNS names) has special effect. It causes all DNS traffic which does not match another
+ configured domain routing entry to be routed to DNS servers specified for this interface.
+ This setting is useful to prefer a certain set of DNS servers if a link on which they are
+ connected is available.</para>
+
+ <para>This setting is read by
+ <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
+ "Search domains" correspond to the <varname>domain</varname> and <varname>search</varname>
+ entries in
+ <citerefentry project='man-pages'><refentrytitle>resolv.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ Domain name routing has no equivalent in the traditional glibc API, which has no concept of
+ domain name servers limited to a specific link.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>DNSDefaultRoute=</varname></term>
+ <listitem>
+ <para>Takes a boolean argument. If true, this link's configured DNS servers are used for
+ resolving domain names that do not match any link's configured <varname>Domains=</varname>
+ setting. If false, this link's configured DNS servers are never used for such domains, and
+ are exclusively used for resolving names that match at least one of the domains configured on
+ this link. If not specified defaults to an automatic mode: queries not matching any link's
+ configured domains will be routed to this link if it has no routing-only domains configured.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>NTP=</varname></term>
+ <listitem>
+ <para>An NTP server address (either an IP address, or a hostname). This option may be
+ specified more than once. This setting is read by
+ <citerefentry><refentrytitle>systemd-timesyncd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>IPForward=</varname></term>
+ <listitem>
+ <para>Configures IP packet forwarding for the system. If enabled, incoming packets on any
+ network interface will be forwarded to any other interfaces according to the routing table.
+ Takes a boolean, or the values <literal>ipv4</literal> or <literal>ipv6</literal>, which only
+ enable IP packet forwarding for the specified address family. This controls the
+ <filename>net.ipv4.ip_forward</filename> and <filename>net.ipv6.conf.all.forwarding</filename>
+ sysctl options of the network interface (see
+ <ulink url="https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt">ip-sysctl.txt</ulink>
+ for details about sysctl options). Defaults to <literal>no</literal>.</para>
+
+ <para>Note: this setting controls a global kernel option, and does so one way only: if a
+ network that has this setting enabled is set up the global setting is turned on. However,
+ it is never turned off again, even after all networks with this setting enabled are shut
+ down again.</para>
+
+ <para>To allow IP packet forwarding only between specific network interfaces use a firewall.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>IPMasquerade=</varname></term>
+ <listitem>
+ <para>Configures IP masquerading for the network interface. If enabled, packets forwarded
+ from the network interface will be appear as coming from the local host. Takes one of
+ <literal>ipv4</literal>, <literal>ipv6</literal>, <literal>both</literal>, or
<literal>no</literal>. Defaults to <literal>no</literal>. If enabled, this automatically sets
<varname>IPForward=</varname> to one of <literal>ipv4</literal>, <literal>ipv6</literal> or
<literal>yes</literal>.</para>
<para>Note. Any positive boolean values such as <literal>yes</literal> or
<literal>true</literal> are now deprecated. Please use one of the values in the above.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>IPv6PrivacyExtensions=</varname></term>
- <listitem><para>Configures use of stateless temporary
- addresses that change over time (see <ulink
- url="https://tools.ietf.org/html/rfc4941">RFC 4941</ulink>,
- Privacy Extensions for Stateless Address Autoconfiguration
- in IPv6). Takes a boolean or the special values
- <literal>prefer-public</literal> and
- <literal>kernel</literal>. When true, enables the privacy
- extensions and prefers temporary addresses over public
- addresses. When <literal>prefer-public</literal>, enables the
- privacy extensions, but prefers public addresses over
- temporary addresses. When false, the privacy extensions
- remain disabled. When <literal>kernel</literal>, the kernel's
- default setting will be left in place. Defaults to
- <literal>no</literal>.</para></listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>IPv6AcceptRA=</varname></term>
- <listitem><para>Takes a boolean. Controls IPv6 Router Advertisement (RA) reception support for the
- interface. If true, RAs are accepted; if false, RAs are ignored. When RAs are accepted, they may
- trigger the start of the DHCPv6 client if the relevant flags are set in the RA data, or if no
- routers are found on the link. The default is to disable RA reception for bridge devices or when IP
- forwarding is enabled, and to enable it otherwise. Cannot be enabled on bond devices and when link
- local addressing is disabled.</para>
-
- <para>Further settings for the IPv6 RA support may be configured in the [IPv6AcceptRA] section, see
- below.</para>
-
- <para>Also see <ulink
- url="https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt">ip-sysctl.txt</ulink> in the kernel
- documentation regarding <literal>accept_ra</literal>, but note that systemd's setting of
- <constant>1</constant> (i.e. true) corresponds to kernel's setting of <constant>2</constant>.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>IPv6PrivacyExtensions=</varname></term>
+ <listitem>
+ <para>Configures use of stateless temporary addresses that change over time (see
+ <ulink url="https://tools.ietf.org/html/rfc4941">RFC 4941</ulink>,
+ Privacy Extensions for Stateless Address Autoconfiguration in IPv6). Takes a boolean or the
+ special values <literal>prefer-public</literal> and <literal>kernel</literal>. When true,
+ enables the privacy extensions and prefers temporary addresses over public addresses. When
+ <literal>prefer-public</literal>, enables the privacy extensions, but prefers public
+ addresses over temporary addresses. When false, the privacy extensions remain disabled. When
+ <literal>kernel</literal>, the kernel's default setting will be left in place. Defaults to
+ <literal>no</literal>.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>IPv6AcceptRA=</varname></term>
+ <listitem>
+ <para>Takes a boolean. Controls IPv6 Router Advertisement (RA) reception support for the
+ interface. If true, RAs are accepted; if false, RAs are ignored. When RAs are accepted, they
+ may trigger the start of the DHCPv6 client if the relevant flags are set in the RA data, or
+ if no routers are found on the link. The default is to disable RA reception for bridge
+ devices or when IP forwarding is enabled, and to enable it otherwise. Cannot be enabled on
+ bond devices and when link local addressing is disabled.</para>
+
+ <para>Further settings for the IPv6 RA support may be configured in the [IPv6AcceptRA]
+ section, see below.</para>
+
+ <para>Also see
+ <ulink url="https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt">ip-sysctl.txt</ulink>
+ in the kernel documentation regarding <literal>accept_ra</literal>, but note that systemd's
+ setting of <constant>1</constant> (i.e. true) corresponds to kernel's setting of
+ <constant>2</constant>.</para>
<para>Note that kernel's implementation of the IPv6 RA protocol is always disabled,
regardless of this setting. If this option is enabled, a userspace implementation of the IPv6
RA protocol is used, and the kernel's own implementation remains disabled, since
<command>systemd-networkd</command> needs to know all details supplied in the advertisements,
- and these are not available from the kernel if the kernel's own implementation is used.</para>
+ and these are not available from the kernel if the kernel's own implementation is used.
+ </para>
</listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>IPv6DuplicateAddressDetection=</varname></term>
- <listitem><para>Configures the amount of IPv6 Duplicate
- Address Detection (DAD) probes to send. When unset, the kernel's default will be used.
- </para></listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>IPv6HopLimit=</varname></term>
- <listitem><para>Configures IPv6 Hop Limit. For each router that
- forwards the packet, the hop limit is decremented by 1. When the
- hop limit field reaches zero, the packet is discarded.
- When unset, the kernel's default will be used.
- </para></listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>IPv4AcceptLocal=</varname></term>
- <listitem><para>Takes a boolean. Accept packets with local source addresses. In combination
- with suitable routing, this can be used to direct packets between two local interfaces over
- the wire and have them accepted properly. When unset, the kernel's default will be used.
- </para></listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>IPv4RouteLocalnet=</varname></term>
- <listitem><para>Takes a boolean. When true, the kernel does not consider loopback addresses as martian source or destination
- while routing. This enables the use of 127.0.0.0/8 for local routing purposes. When unset, the kernel's default will be used.
- </para></listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>IPv4ProxyARP=</varname></term>
- <listitem><para>Takes a boolean. Configures proxy ARP for IPv4. Proxy ARP is the technique in which one host,
- usually a router, answers ARP requests intended for another machine. By "faking" its identity,
- the router accepts responsibility for routing packets to the "real" destination. See <ulink
- url="https://tools.ietf.org/html/rfc1027">RFC 1027</ulink>.
- When unset, the kernel's default will be used.
- </para></listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>IPv6ProxyNDP=</varname></term>
- <listitem><para>Takes a boolean. Configures proxy NDP for IPv6. Proxy NDP (Neighbor Discovery
- Protocol) is a technique for IPv6 to allow routing of addresses to a different
- destination when peers expect them to be present on a certain physical link.
- In this case a router answers Neighbour Advertisement messages intended for
- another machine by offering its own MAC address as destination.
- Unlike proxy ARP for IPv4, it is not enabled globally, but will only send Neighbour
- Advertisement messages for addresses in the IPv6 neighbor proxy table,
- which can also be shown by <command>ip -6 neighbour show proxy</command>.
- systemd-networkd will control the per-interface `proxy_ndp` switch for each configured
- interface depending on this option.
- When unset, the kernel's default will be used.
- </para></listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>IPv6ProxyNDPAddress=</varname></term>
- <listitem><para>An IPv6 address, for which Neighbour Advertisement messages will be
- proxied. This option may be specified more than once. systemd-networkd will add the
- <option>IPv6ProxyNDPAddress=</option> entries to the kernel's IPv6 neighbor proxy table.
- This option implies <option>IPv6ProxyNDP=yes</option> but has no effect if
- <option>IPv6ProxyNDP</option> has been set to false. When unset, the kernel's default will be used.
- </para></listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>IPv6SendRA=</varname></term>
- <listitem><para>Whether to enable or disable Router Advertisement sending on a link. Takes a
- boolean value. When enabled, prefixes configured in [IPv6Prefix] sections and routes
- configured in [IPv6RoutePrefix] sections are distributed as defined in the [IPv6SendRA]
- section. If <varname>DHCPPrefixDelegation=</varname> is enabled, then the delegated prefixes
- are also distributed. See <varname>DCHPPrefixDelegation=</varname> setting and the
- [IPv6SendRA], [IPv6Prefix], [IPv6RoutePrefix], and [DHCPPrefixDelegation] sections for more
- configuration options.</para></listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>DHCPPrefixDelegation=</varname></term>
- <listitem><para>Takes a boolean value. When enabled, requests subnet prefixes acquired by a
- DHCPv6 client, or by a DHCPv4 client through the 6RD option configured on another link. By
- default, an address within each delegated prefix will be assigned, and the prefixes will be
- announced through IPv6 Router Advertisement when <varname>IPv6SendRA=</varname> is enabled.
- Such default settings can be configured in [DHCPPrefixDelegation] section. Defaults to
- disabled.</para></listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>IPv6MTUBytes=</varname></term>
- <listitem><para>Configures IPv6 maximum transmission unit (MTU).
- An integer greater than or equal to 1280 bytes. When unset, the kernel's default will be used.
- </para></listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>KeepMaster=</varname></term>
- <listitem>
- <para>Takes a boolean value. When enabled, the current master interface index will not be
- changed, and <varname>BatmanAdvanced=</varname>, <varname>Bond=</varname>,
- <varname>Bridge=</varname>, and <varname>VRF=</varname> settings are ignored. This may be
- useful when a netdev with a master interface is created by another program, e.g.
- <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
- Defaults to false.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>BatmanAdvanced=</varname></term>
- <term><varname>Bond=</varname></term>
- <term><varname>Bridge=</varname></term>
- <term><varname>VRF=</varname></term>
- <listitem>
- <para>The name of the B.A.T.M.A.N. Advanced, bond, bridge, or VRF interface to add the link
- to. See
- <citerefentry><refentrytitle>systemd.netdev</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>IPoIB=</varname></term>
- <term><varname>IPVLAN=</varname></term>
- <term><varname>IPVTAP=</varname></term>
- <term><varname>L2TP=</varname></term>
- <term><varname>MACsec=</varname></term>
- <term><varname>MACVLAN=</varname></term>
- <term><varname>MACVTAP=</varname></term>
- <term><varname>Tunnel=</varname></term>
- <term><varname>VLAN=</varname></term>
- <term><varname>VXLAN=</varname></term>
- <term><varname>Xfrm=</varname></term>
- <listitem>
- <para>The name of an IPoIB, IPVLAN, IPVTAP, L2TP, MACsec, MACVLAN, MACVTAP, tunnel, VLAN,
- VXLAN, or Xfrm to be created on the link. See
- <citerefentry><refentrytitle>systemd.netdev</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
- This option may be specified more than once.</para>
- </listitem>
- </varlistentry>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>IPv6DuplicateAddressDetection=</varname></term>
+ <listitem>
+ <para>Configures the amount of IPv6 Duplicate Address Detection (DAD) probes to send. When
+ unset, the kernel's default will be used.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>IPv6HopLimit=</varname></term>
+ <listitem>
+ <para>Configures IPv6 Hop Limit. For each router that forwards the packet, the hop limit is
+ decremented by 1. When the hop limit field reaches zero, the packet is discarded. When unset,
+ the kernel's default will be used.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>IPv4AcceptLocal=</varname></term>
+ <listitem>
+ <para>Takes a boolean. Accept packets with local source addresses. In combination with
+ suitable routing, this can be used to direct packets between two local interfaces over the
+ wire and have them accepted properly. When unset, the kernel's default will be used.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>IPv4RouteLocalnet=</varname></term>
+ <listitem>
+ <para>Takes a boolean. When true, the kernel does not consider loopback addresses as martian
+ source or destination while routing. This enables the use of 127.0.0.0/8 for local routing
+ purposes. When unset, the kernel's default will be used.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>IPv4ProxyARP=</varname></term>
+ <listitem>
+ <para>Takes a boolean. Configures proxy ARP for IPv4. Proxy ARP is the technique in which one
+ host, usually a router, answers ARP requests intended for another machine. By "faking" its
+ identity, the router accepts responsibility for routing packets to the "real" destination.
+ See <ulink url="https://tools.ietf.org/html/rfc1027">RFC 1027</ulink>. When unset, the
+ kernel's default will be used.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>IPv6ProxyNDP=</varname></term>
+ <listitem>
+ <para>Takes a boolean. Configures proxy NDP for IPv6. Proxy NDP (Neighbor Discovery Protocol)
+ is a technique for IPv6 to allow routing of addresses to a different destination when peers
+ expect them to be present on a certain physical link. In this case a router answers Neighbour
+ Advertisement messages intended for another machine by offering its own MAC address as
+ destination. Unlike proxy ARP for IPv4, it is not enabled globally, but will only send
+ Neighbour Advertisement messages for addresses in the IPv6 neighbor proxy table, which can
+ also be shown by <command>ip -6 neighbour show proxy</command>. systemd-networkd will control
+ the per-interface `proxy_ndp` switch for each configured interface depending on this option.
+ When unset, the kernel's default will be used.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>IPv6ProxyNDPAddress=</varname></term>
+ <listitem>
+ <para>An IPv6 address, for which Neighbour Advertisement messages will be proxied. This
+ option may be specified more than once. systemd-networkd will add the
+ <varname>IPv6ProxyNDPAddress=</varname> entries to the kernel's IPv6 neighbor proxy table.
+ This setting implies <varname>IPv6ProxyNDP=yes</varname> but has no effect if
+ <varname>IPv6ProxyNDP=</varname> has been set to false. When unset, the kernel's default will
+ be used.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>IPv6SendRA=</varname></term>
+ <listitem>
+ <para>Whether to enable or disable Router Advertisement sending on a link. Takes a boolean
+ value. When enabled, prefixes configured in [IPv6Prefix] sections and routes configured in
+ the [IPv6RoutePrefix] sections are distributed as defined in the [IPv6SendRA] section. If
+ <varname>DHCPPrefixDelegation=</varname> is enabled, then the delegated prefixes are also
+ distributed. See <varname>DCHPPrefixDelegation=</varname> setting and the [IPv6SendRA],
+ [IPv6Prefix], [IPv6RoutePrefix], and [DHCPPrefixDelegation] sections for more configuration
+ options.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>DHCPPrefixDelegation=</varname></term>
+ <listitem>
+ <para>Takes a boolean value. When enabled, requests subnet prefixes on another link via the DHCPv6
+ protocol or via the 6RD option in the DHCPv4 protocol. An address within each delegated prefix will
+ be assigned, and the prefixes will be announced through IPv6 Router Advertisement if
+ <varname>IPv6SendRA=</varname> is enabled. This behaviour can be configured in the
+ [DHCPPrefixDelegation] section. Defaults to disabled.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>IPv6MTUBytes=</varname></term>
+ <listitem>
+ <para>Configures IPv6 maximum transmission unit (MTU). An integer greater than or equal to
+ 1280 bytes. When unset, the kernel's default will be used.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>KeepMaster=</varname></term>
+ <listitem>
+ <para>Takes a boolean value. When enabled, the current master interface index will not be
+ changed, and <varname>BatmanAdvanced=</varname>, <varname>Bond=</varname>,
+ <varname>Bridge=</varname>, and <varname>VRF=</varname> settings are ignored. This may be
+ useful when a netdev with a master interface is created by another program, e.g.
+ <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
+ Defaults to false.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>BatmanAdvanced=</varname></term>
+ <term><varname>Bond=</varname></term>
+ <term><varname>Bridge=</varname></term>
+ <term><varname>VRF=</varname></term>
+ <listitem>
+ <para>The name of the B.A.T.M.A.N. Advanced, bond, bridge, or VRF interface to add the link
+ to. See
+ <citerefentry><refentrytitle>systemd.netdev</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>IPoIB=</varname></term>
+ <term><varname>IPVLAN=</varname></term>
+ <term><varname>IPVTAP=</varname></term>
+ <term><varname>MACsec=</varname></term>
+ <term><varname>MACVLAN=</varname></term>
+ <term><varname>MACVTAP=</varname></term>
+ <term><varname>Tunnel=</varname></term>
+ <term><varname>VLAN=</varname></term>
+ <term><varname>VXLAN=</varname></term>
+ <term><varname>Xfrm=</varname></term>
+ <listitem>
+ <para>The name of an IPoIB, IPVLAN, IPVTAP, MACsec, MACVLAN, MACVTAP, tunnel, VLAN,
+ VXLAN, or Xfrm to be created on the link. See
+ <citerefentry><refentrytitle>systemd.netdev</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ This option may be specified more than once.</para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><varname>ActiveSlave=</varname></term>
<listitem>
<para>Takes a boolean. Specifies the new active slave. The <literal>ActiveSlave=</literal>
- option is only valid for following modes:
- <literal>active-backup</literal>,
- <literal>balance-alb</literal> and
- <literal>balance-tlb</literal>. Defaults to false.
- </para>
+ option is only valid for following modes: <literal>active-backup</literal>,
+ <literal>balance-alb</literal>, and <literal>balance-tlb</literal>. Defaults to false.</para>
</listitem>
</varlistentry>
+
<varlistentry>
<term><varname>PrimarySlave=</varname></term>
<listitem>
- <para>Takes a boolean. Specifies which slave is the primary device. The specified
- device will always be the active slave while it is available. Only when the
- primary is off-line will alternate devices be used. This is useful when
- one slave is preferred over another, e.g. when one slave has higher throughput
- than another. The <literal>PrimarySlave=</literal> option is only valid for
- following modes:
- <literal>active-backup</literal>,
- <literal>balance-alb</literal> and
- <literal>balance-tlb</literal>. Defaults to false.
- </para>
+ <para>Takes a boolean. Specifies which slave is the primary device. The specified device will
+ always be the active slave while it is available. Only when the primary is off-line will
+ alternate devices be used. This is useful when one slave is preferred over another, e.g.
+ when one slave has higher throughput than another. The <literal>PrimarySlave=</literal>
+ option is only valid for following modes: <literal>active-backup</literal>,
+ <literal>balance-alb</literal>, and <literal>balance-tlb</literal>. Defaults to false.</para>
</listitem>
</varlistentry>
+
<varlistentry>
<term><varname>ConfigureWithoutCarrier=</varname></term>
<listitem>
- <para>Takes a boolean. Allows networkd to configure a specific link even if it has no carrier.
- Defaults to false. If enabled, and the <varname>IgnoreCarrierLoss=</varname> setting is not
- explicitly set, then it is enabled as well.
- </para>
+ <para>Takes a boolean. Allows networkd to configure a specific link even if it has no
+ carrier. Defaults to false. If enabled, and the <varname>IgnoreCarrierLoss=</varname> setting
+ is not explicitly set, then it is enabled as well.</para>
</listitem>
</varlistentry>
+
<varlistentry>
<term><varname>IgnoreCarrierLoss=</varname></term>
<listitem>
</para>
</listitem>
</varlistentry>
+
<varlistentry>
<term><varname>KeepConfiguration=</varname></term>
<listitem>
lease expires. This is contrary to the DHCP specification, but may be the best choice if,
e.g., the root filesystem relies on this connection. The setting <literal>dhcp</literal>
implies <literal>dhcp-on-stop</literal>, and <literal>yes</literal> implies
- <literal>dhcp</literal> and <literal>static</literal>. Defaults to <literal>no</literal>.
- </para>
+ <literal>dhcp</literal> and <literal>static</literal>. Defaults to
+ <literal>dhcp-on-stop</literal> when <command>systemd-networkd</command> is running in
+ initrd, <literal>yes</literal> when the root filesystem is a network filesystem, and
+ <literal>no</literal> otherwise.</para>
</listitem>
</varlistentry>
</variablelist>
<refsect1>
<title>[Address] Section Options</title>
- <para>An [Address] section accepts the following keys. Specify several [Address]
- sections to configure several addresses.</para>
-
- <variablelist class='network-directives'>
- <varlistentry>
- <term><varname>Address=</varname></term>
- <listitem>
- <para>As in the [Network] section. This key is mandatory. Each [Address] section can contain one
- <varname>Address=</varname> setting.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>Peer=</varname></term>
- <listitem>
- <para>The peer address in a point-to-point connection.
- Accepts the same format as the <varname>Address=</varname>
- key.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>Broadcast=</varname></term>
- <listitem>
- <para>Takes an IPv4 address or boolean value. The address must be in the format described in
- <citerefentry project='man-pages'><refentrytitle>inet_pton</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
- If set to true, then the IPv4 broadcast address will be derived from the
- <varname>Address=</varname> setting. If set to false, then the broadcast address will not
- be set. Defaults to true, except for wireguard interfaces, where it default to false.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>Label=</varname></term>
- <listitem>
- <para>Specifies the label for the IPv4 address. The label must be a 7-bit ASCII string with
- a length of 1…15 characters. Defaults to unset.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>PreferredLifetime=</varname></term>
- <listitem>
- <para>Allows the default "preferred lifetime" of the address to be overridden. Only three
- settings are accepted: <literal>forever</literal>, <literal>infinity</literal>, which is the
- default and means that the address never expires, and <literal>0</literal>, which means that the
- address is considered immediately "expired" and will not be used, unless explicitly requested. A
- setting of <option>PreferredLifetime=0</option> is useful for addresses which are added to be
- used only by a specific application, which is then configured to use them explicitly.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>Scope=</varname></term>
- <listitem>
- <para>The scope of the address, which can be
- <literal>global</literal> (valid everywhere on the network, even through a gateway),
- <literal>link</literal> (only valid on this device, will not traverse a gateway) or
- <literal>host</literal> (only valid within the device itself, e.g. 127.0.0.1)
- or an unsigned integer in the range 0…255.
- Defaults to <literal>global</literal>.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>RouteMetric=</varname></term>
- <listitem>
- <para>The metric of the prefix route, which is pointing to the subnet of the configured IP
- address, taking the configured prefix length into account. Takes an unsigned integer in the
- range 0…4294967295. When unset or set to 0, the kernel's default value is used. This
- setting will be ignored when <varname>AddPrefixRoute=</varname> is false.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>HomeAddress=</varname></term>
- <listitem>
- <para>Takes a boolean. Designates this address the "home address" as defined in
- <ulink url="https://tools.ietf.org/html/rfc6275">RFC 6275</ulink>.
- Supported only on IPv6. Defaults to false.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>DuplicateAddressDetection=</varname></term>
- <listitem>
- <para>Takes one of <literal>ipv4</literal>, <literal>ipv6</literal>,
- <literal>both</literal>, <literal>none</literal>. When <literal>ipv4</literal>,
- performs IPv4 Address Conflict Detection. See
- <ulink url="https://tools.ietf.org/html/rfc5227">RFC 5227</ulink>.
- When <literal>ipv6</literal>, performs IPv6 Duplicate Address Detection. See
- <ulink url="https://tools.ietf.org/html/rfc4862">RFC 4862</ulink>.
- Defaults to <literal>ipv6</literal>.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>ManageTemporaryAddress=</varname></term>
- <listitem>
- <para>Takes a boolean. If true the kernel manage temporary addresses created
- from this one as template on behalf of Privacy Extensions
- <ulink url="https://tools.ietf.org/html/rfc3041">RFC 3041</ulink>. For this to become
- active, the use_tempaddr sysctl setting has to be set to a value greater than zero.
- The given address needs to have a prefix length of 64. This flag allows using privacy
- extensions in a manually configured network, just like if stateless auto-configuration
- was active. Defaults to false.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>AddPrefixRoute=</varname></term>
- <listitem>
- <para>Takes a boolean. When true, the prefix route for the address is automatically added.
- Defaults to true.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>AutoJoin=</varname></term>
- <listitem>
- <para>Takes a boolean. Joining multicast group on ethernet level via
- <command>ip maddr</command> command would not work if we have an Ethernet switch that does
- IGMP snooping since the switch would not replicate multicast packets on ports that did not
- have IGMP reports for the multicast addresses. Linux vxlan interfaces created via
- <command>ip link add vxlan</command> or networkd's netdev kind vxlan have the group option
- that enables then to do the required join. By extending ip address command with option
- <literal>autojoin</literal> we can get similar functionality for openvswitch (OVS) vxlan
- interfaces as well as other tunneling mechanisms that need to receive multicast traffic.
- Defaults to <literal>no</literal>.</para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
+ <para>An [Address] section accepts the following keys. Specify several [Address] sections to
+ configure several addresses.</para>
- <refsect1>
- <title>[Neighbor] Section Options</title>
- <para>A [Neighbor] section accepts the following keys. The neighbor section adds a permanent, static
- entry to the neighbor table (IPv6) or ARP table (IPv4) for the given hardware address on the links
- matched for the network. Specify several [Neighbor] sections to configure several static neighbors.
- </para>
+ <variablelist class='network-directives'>
+ <varlistentry>
+ <term><varname>Address=</varname></term>
+ <listitem>
+ <para>As in the [Network] section. This setting is mandatory. Each [Address] section can
+ contain one <varname>Address=</varname> setting.</para>
+ </listitem>
+ </varlistentry>
- <variablelist class='network-directives'>
- <varlistentry>
- <term><varname>Address=</varname></term>
- <listitem>
- <para>The IP address of the neighbor.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>LinkLayerAddress=</varname></term>
- <listitem>
- <para>The link layer address (MAC address or IP address) of the neighbor.</para>
- </listitem>
- </varlistentry>
- </variablelist>
+ <varlistentry>
+ <term><varname>Peer=</varname></term>
+ <listitem>
+ <para>The peer address in a point-to-point connection. Accepts the same format as the
+ <varname>Address=</varname> setting.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>Broadcast=</varname></term>
+ <listitem>
+ <para>Takes an IPv4 address or boolean value. The address must be in the format described in
+ <citerefentry project='man-pages'><refentrytitle>inet_pton</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+ If set to true, then the IPv4 broadcast address will be derived from the
+ <varname>Address=</varname> setting. If set to false, then the broadcast address will not be
+ set. Defaults to true, except for wireguard interfaces, where it default to false.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>Label=</varname></term>
+ <listitem>
+ <para>Specifies the label for the IPv4 address. The label must be a 7-bit ASCII string with
+ a length of 1…15 characters. Defaults to unset.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>PreferredLifetime=</varname></term>
+ <listitem>
+ <para>Allows the default "preferred lifetime" of the address to be overridden. Only three
+ settings are accepted: <literal>forever</literal>, <literal>infinity</literal>, which is the
+ default and means that the address never expires, and <literal>0</literal>, which means that
+ the address is considered immediately "expired" and will not be used, unless explicitly
+ requested. A setting of <option>PreferredLifetime=0</option> is useful for addresses which
+ are added to be used only by a specific application, which is then configured to use them
+ explicitly.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>Scope=</varname></term>
+ <listitem>
+ <para>The scope of the address, which can be <literal>global</literal> (valid everywhere on
+ the network, even through a gateway), <literal>link</literal> (only valid on this device,
+ will not traverse a gateway) or <literal>host</literal> (only valid within the device itself,
+ e.g. 127.0.0.1) or an integer in the range 0…255. Defaults to <literal>global</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>RouteMetric=</varname></term>
+ <listitem>
+ <para>The metric of the prefix route, which is pointing to the subnet of the configured IP
+ address, taking the configured prefix length into account. Takes an unsigned integer in the
+ range 0…4294967295. When unset or set to 0, the kernel's default value is used. This
+ setting will be ignored when <varname>AddPrefixRoute=</varname> is false.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>HomeAddress=</varname></term>
+ <listitem>
+ <para>Takes a boolean. Designates this address the "home address" as defined in
+ <ulink url="https://tools.ietf.org/html/rfc6275">RFC 6275</ulink>. Supported only on IPv6.
+ Defaults to false.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>DuplicateAddressDetection=</varname></term>
+ <listitem>
+ <para>Takes one of <literal>ipv4</literal>, <literal>ipv6</literal>, <literal>both</literal>,
+ or <literal>none</literal>. When <literal>ipv4</literal>, performs IPv4 Address Conflict
+ Detection. See <ulink url="https://tools.ietf.org/html/rfc5227">RFC 5227</ulink>.
+ When <literal>ipv6</literal>, performs IPv6 Duplicate Address Detection. See
+ <ulink url="https://tools.ietf.org/html/rfc4862">RFC 4862</ulink>. Defaults to
+ <literal>ipv6</literal>.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>ManageTemporaryAddress=</varname></term>
+ <listitem>
+ <para>Takes a boolean. If true the kernel manage temporary addresses created from this one as
+ template on behalf of Privacy Extensions
+ <ulink url="https://tools.ietf.org/html/rfc3041">RFC 3041</ulink>. For this to become active,
+ the use_tempaddr sysctl setting has to be set to a value greater than zero. The given address
+ needs to have a prefix length of 64. This flag allows using privacy extensions in a manually
+ configured network, just like if stateless auto-configuration was active. Defaults to false.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>AddPrefixRoute=</varname></term>
+ <listitem>
+ <para>Takes a boolean. When true, the prefix route for the address is automatically added.
+ Defaults to true.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>AutoJoin=</varname></term>
+ <listitem>
+ <para>Takes a boolean. Joining multicast group on ethernet level via
+ <command>ip maddr</command> command would not work if we have an Ethernet switch that does
+ IGMP snooping since the switch would not replicate multicast packets on ports that did not
+ have IGMP reports for the multicast addresses. Linux vxlan interfaces created via
+ <command>ip link add vxlan</command> or networkd's netdev kind vxlan have the group option
+ that enables then to do the required join. By extending ip address command with option
+ <literal>autojoin</literal> we can get similar functionality for openvswitch (OVS) vxlan
+ interfaces as well as other tunneling mechanisms that need to receive multicast traffic.
+ Defaults to <literal>no</literal>.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
</refsect1>
- <refsect1>
+ <refsect1>
+ <title>[Neighbor] Section Options</title>
+
+ <para>A [Neighbor] section accepts the following keys. The neighbor section adds a permanent,
+ static entry to the neighbor table (IPv6) or ARP table (IPv4) for the given hardware address on the
+ links matched for the network. Specify several [Neighbor] sections to configure several static
+ neighbors.</para>
+
+ <variablelist class='network-directives'>
+ <varlistentry>
+ <term><varname>Address=</varname></term>
+ <listitem>
+ <para>The IP address of the neighbor.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>LinkLayerAddress=</varname></term>
+ <listitem>
+ <para>The link layer address (MAC address or IP address) of the neighbor.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
<title>[IPv6AddressLabel] Section Options</title>
- <para>An [IPv6AddressLabel] section accepts the following keys. Specify several [IPv6AddressLabel]
- sections to configure several address labels. IPv6 address labels are used for address selection. See
- <ulink url="https://tools.ietf.org/html/rfc3484">RFC 3484</ulink>. Precedence is managed by userspace,
- and only the label itself is stored in the kernel.</para>
+ <para>An [IPv6AddressLabel] section accepts the following keys. Specify several [IPv6AddressLabel]
+ sections to configure several address labels. IPv6 address labels are used for address selection.
+ See <ulink url="https://tools.ietf.org/html/rfc3484">RFC 3484</ulink>. Precedence is managed by
+ userspace, and only the label itself is stored in the kernel.</para>
- <variablelist class='network-directives'>
- <varlistentry>
- <term><varname>Label=</varname></term>
- <listitem>
- <para>The label for the prefix, an unsigned integer in the range 0…4294967294.
- 0xffffffff is reserved. This setting is mandatory.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>Prefix=</varname></term>
- <listitem>
- <para>IPv6 prefix is an address with a prefix length, separated by a slash <literal>/</literal> character.
- This key is mandatory. </para>
- </listitem>
- </varlistentry>
- </variablelist>
+ <variablelist class='network-directives'>
+ <varlistentry>
+ <term><varname>Label=</varname></term>
+ <listitem>
+ <para>The label for the prefix, an unsigned integer in the range 0…4294967294. 0xffffffff is
+ reserved. This setting is mandatory.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>Prefix=</varname></term>
+ <listitem>
+ <para>IPv6 prefix is an address with a prefix length, separated by a slash
+ <literal>/</literal> character. This setting is mandatory. </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
</refsect1>
- <refsect1>
+ <refsect1>
<title>[RoutingPolicyRule] Section Options</title>
- <para>An [RoutingPolicyRule] section accepts the following keys. Specify several [RoutingPolicyRule]
- sections to configure several rules.</para>
+ <para>An [RoutingPolicyRule] section accepts the following settings. Specify several
+ [RoutingPolicyRule] sections to configure several rules.</para>
- <variablelist class='network-directives'>
- <varlistentry>
- <term><varname>TypeOfService=</varname></term>
- <listitem>
- <para>Takes a number between 0 and 255 that specifies the type of service to match.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>From=</varname></term>
- <listitem>
- <para>Specifies the source address prefix to match. Possibly followed by a slash and the prefix length.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>To=</varname></term>
- <listitem>
- <para>Specifies the destination address prefix to match. Possibly followed by a slash and the prefix length.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>FirewallMark=</varname></term>
- <listitem>
- <para>Specifies the iptables firewall mark value to match (a number between 1 and
- 4294967295). Optionally, the firewall mask (also a number between 1 and 4294967295) can be
- suffixed with a slash (<literal>/</literal>), e.g., <literal>7/255</literal>.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>Table=</varname></term>
- <listitem>
- <para>Specifies the routing table identifier to lookup if the rule selector matches. Takes one of predefined names
- <literal>default</literal>, <literal>main</literal>, and <literal>local</literal>, and names defined in <varname>RouteTable=</varname>
- in <citerefentry><refentrytitle>networkd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- or a number between 1 and 4294967295. Defaults to <literal>main</literal>.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>Priority=</varname></term>
- <listitem>
- <para>Specifies the priority of this rule. <varname>Priority=</varname> is an unsigned
- integer in the range 0…4294967295. Higher number means lower priority, and rules get
- processed in order of increasing number. Defaults to unset, and the kernel will pick
- a value dynamically.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>IncomingInterface=</varname></term>
- <listitem>
- <para>Specifies incoming device to match. If the interface is loopback, the rule only matches packets originating from this host.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>OutgoingInterface=</varname></term>
- <listitem>
- <para>Specifies the outgoing device to match. The outgoing interface is only available for packets originating from local sockets that are bound to a device.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>SourcePort=</varname></term>
- <listitem>
- <para>Specifies the source IP port or IP port range match in forwarding information base (FIB) rules.
- A port range is specified by the lower and upper port separated by a dash. Defaults to unset.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>DestinationPort=</varname></term>
- <listitem>
- <para>Specifies the destination IP port or IP port range match in forwarding information base (FIB) rules.
- A port range is specified by the lower and upper port separated by a dash. Defaults to unset.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>IPProtocol=</varname></term>
- <listitem>
- <para>Specifies the IP protocol to match in forwarding information base (FIB) rules. Takes IP protocol name such as <literal>tcp</literal>,
- <literal>udp</literal> or <literal>sctp</literal>, or IP protocol number such as <literal>6</literal> for <literal>tcp</literal> or
- <literal>17</literal> for <literal>udp</literal>.
- Defaults to unset.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>InvertRule=</varname></term>
- <listitem>
- <para>A boolean. Specifies whether the rule is to be inverted. Defaults to false.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>Family=</varname></term>
- <listitem>
- <para>Takes a special value <literal>ipv4</literal>, <literal>ipv6</literal>, or
- <literal>both</literal>. By default, the address family is determined by the address
- specified in <varname>To=</varname> or <varname>From=</varname>. If neither
- <varname>To=</varname> nor <varname>From=</varname> are specified, then defaults to
- <literal>ipv4</literal>.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>User=</varname></term>
- <listitem>
- <para>Takes a username, a user ID, or a range of user IDs separated by a dash. Defaults to
- unset.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>SuppressPrefixLength=</varname></term>
- <listitem>
- <para>Takes a number <replaceable>N</replaceable> in the range 0…128 and rejects routing
- decisions that have a prefix length of <replaceable>N</replaceable> or less. Defaults to
- unset.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>SuppressInterfaceGroup=</varname></term>
- <listitem>
- <para>Takes an integer in the range 0…2147483647 and rejects routing decisions that have
- an interface with the same group id. It has the same meaning as
- <option>suppress_ifgroup</option> in <command>ip rule</command>. Defaults to unset.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>Type=</varname></term>
- <listitem>
- <para>Specifies Routing Policy Database (RPDB) rule type. Takes one of <literal>blackhole</literal>,
- <literal>unreachable</literal> or <literal>prohibit</literal>.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
+ <variablelist class='network-directives'>
+ <varlistentry>
+ <term><varname>TypeOfService=</varname></term>
+ <listitem>
+ <para>Takes a number between 0 and 255 that specifies the type of service to match.</para>
+ </listitem>
+ </varlistentry>
- <refsect1>
- <title>[NextHop] Section Options</title>
- <para>The [NextHop] section is used to manipulate entries in the kernel's "nexthop" tables. The
- [NextHop] section accepts the following keys. Specify several [NextHop] sections to configure several
- hops.</para>
+ <varlistentry>
+ <term><varname>From=</varname></term>
+ <listitem>
+ <para>Specifies the source address prefix to match. Possibly followed by a slash and the
+ prefix length.</para>
+ </listitem>
+ </varlistentry>
- <variablelist class='network-directives'>
- <varlistentry>
- <term><varname>Id=</varname></term>
- <listitem>
- <para>The id of the next hop. Takes an unsigned integer in the range 1…4294967295. If left
- unspecified, then automatically chosen by kernel.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>Gateway=</varname></term>
- <listitem>
- <para>As in the [Network] section.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>Family=</varname></term>
- <listitem>
- <para>Takes one of the special values <literal>ipv4</literal> or <literal>ipv6</literal>.
- By default, the family is determined by the address specified in
- <varname>Gateway=</varname>. If <varname>Gateway=</varname> is not specified, then defaults
- to <literal>ipv4</literal>.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>OnLink=</varname></term>
- <listitem>
- <para>Takes a boolean. If set to true, the kernel does not have to check if the gateway is
- reachable directly by the current machine (i.e., attached to the local network), so that we
- can insert the nexthop in the kernel table without it being complained about. Defaults to
- <literal>no</literal>.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>Blackhole=</varname></term>
- <listitem>
- <para>Takes a boolean. If enabled, packets to the corresponding routes are discarded
- silently, and <varname>Gateway=</varname> cannot be specified. Defaults to
- <literal>no</literal>.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>Group=</varname></term>
- <listitem>
- <para>Takes a whitespace separated list of nexthop IDs. Each ID must be in the range
- 1…4294967295. Optionally, each nexthop ID can take a weight after a colon
- (<literal><replaceable>id</replaceable><optional>:<replaceable>weight</replaceable></optional></literal>).
- The weight must be in the range 1…255. If the weight is not specified, then it is assumed
- that the weight is 1. This setting cannot be specified with <varname>Gateway=</varname>,
- <varname>Family=</varname>, <varname>Blackhole=</varname>. This setting can be specified
- multiple times. If an empty string is assigned, then the all previous assignments are
- cleared. Defaults to unset.</para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
+ <varlistentry>
+ <term><varname>To=</varname></term>
+ <listitem>
+ <para>Specifies the destination address prefix to match. Possibly followed by a slash and the
+ prefix length.</para>
+ </listitem>
+ </varlistentry>
- <refsect1>
- <title>[Route] Section Options</title>
- <para>The [Route] section accepts the following keys. Specify several [Route] sections to configure
- several routes.</para>
+ <varlistentry>
+ <term><varname>FirewallMark=</varname></term>
+ <listitem>
+ <para>Specifies the iptables firewall mark value to match (a number in the range
+ 1…4294967295). Optionally, the firewall mask (also a number between 1…4294967295) can be
+ suffixed with a slash (<literal>/</literal>), e.g., <literal>7/255</literal>.</para>
+ </listitem>
+ </varlistentry>
- <variablelist class='network-directives'>
- <varlistentry>
- <term><varname>Gateway=</varname></term>
- <listitem>
- <para>Takes the gateway address or the special values <literal>_dhcp4</literal> and
- <literal>_ipv6ra</literal>. If <literal>_dhcp4</literal> or <literal>_ipv6ra</literal> is
- set, then the gateway address provided by DHCPv4 or IPv6 RA is used.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>GatewayOnLink=</varname></term>
- <listitem>
- <para>Takes a boolean. If set to true, the kernel does not have to check if the gateway is
- reachable directly by the current machine (i.e., attached to the local network), so that we
- can insert the route in the kernel table without it being complained about. Defaults to
- <literal>no</literal>.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>Destination=</varname></term>
- <listitem>
- <para>The destination prefix of the route. Possibly
- followed by a slash and the prefix length. If omitted, a
- full-length host route is assumed.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>Source=</varname></term>
- <listitem>
- <para>The source prefix of the route. Possibly followed by
- a slash and the prefix length. If omitted, a full-length
- host route is assumed.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>Metric=</varname></term>
- <listitem>
- <para>The metric of the route. Takes an unsigned integer in the range 0…4294967295.
- Defaults to unset, and the kernel's default will be used.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>IPv6Preference=</varname></term>
- <listitem>
- <para>Specifies the route preference as defined in <ulink
- url="https://tools.ietf.org/html/rfc4191">RFC 4191</ulink> for Router Discovery messages. Which
- can be one of <literal>low</literal> the route has a lowest priority, <literal>medium</literal>
- the route has a default priority or <literal>high</literal> the route has a highest priority.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>Scope=</varname></term>
- <listitem>
- <para>The scope of the IPv4 route, which can be <literal>global</literal>, <literal>site</literal>,
- <literal>link</literal>, <literal>host</literal>, or
- <literal>nowhere</literal>:</para>
- <itemizedlist>
- <listitem><para><literal>global</literal> means the route can reach
- hosts more than one hop away.</para></listitem>
-
- <listitem><para><literal>site</literal> means an interior route in
- the local autonomous system.</para></listitem>
-
- <listitem><para><literal>link</literal> means the route can only
- reach hosts on the local network (one hop away).</para></listitem>
-
- <listitem><para><literal>host</literal> means the route will not
- leave the local machine (used for internal addresses like
- 127.0.0.1).</para></listitem>
-
- <listitem><para><literal>nowhere</literal> means the destination
- doesn't exist.</para></listitem>
- </itemizedlist>
- <para>For IPv4 route, defaults to <literal>host</literal> if <varname>Type=</varname> is
- <literal>local</literal> or <literal>nat</literal>,
- and <literal>link</literal> if <varname>Type=</varname> is
- <literal>broadcast</literal>, <literal>multicast</literal>, or <literal>anycast</literal>.
- In other cases, defaults to <literal>global</literal>. The value is
- not used for IPv6.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>PreferredSource=</varname></term>
- <listitem>
- <para>The preferred source address of the route. The address
- must be in the format described in
- <citerefentry project='man-pages'><refentrytitle>inet_pton</refentrytitle><manvolnum>3</manvolnum></citerefentry>.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>Table=</varname></term>
- <listitem>
- <para>The table identifier for the route. Takes one of predefined names <literal>default</literal>, <literal>main</literal>,
- and <literal>local</literal>, and names defined in <varname>RouteTable=</varname> in <citerefentry><refentrytitle>networkd.conf</refentrytitle>
- <manvolnum>5</manvolnum></citerefentry>, or a number between 1 and 4294967295. The table can be retrieved using
- <command>ip route show table <replaceable>num</replaceable></command>. If unset and <varname>Type=</varname> is <literal>local</literal>,
- <literal>broadcast</literal>, <literal>anycast</literal>, or <literal>nat</literal>, then <literal>local</literal> is used.
- In other cases, defaults to <literal>main</literal>.
+ <varlistentry>
+ <term><varname>Table=</varname></term>
+ <listitem>
+ <para>Specifies the routing table identifier to lookup if the rule selector matches. Takes
+ one of predefined names <literal>default</literal>, <literal>main</literal>, and
+ <literal>local</literal>, and names defined in <varname>RouteTable=</varname> in
+ <citerefentry><refentrytitle>networkd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ or a number between 1 and 4294967295. Defaults to <literal>main</literal>.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>Priority=</varname></term>
+ <listitem>
+ <para>Specifies the priority of this rule. <varname>Priority=</varname> is an integer in the
+ range 0…4294967295. Higher number means lower priority, and rules get processed in order of
+ increasing number. Defaults to unset, and the kernel will pick a value dynamically.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>IncomingInterface=</varname></term>
+ <listitem>
+ <para>Specifies incoming device to match. If the interface is loopback, the rule only matches
+ packets originating from this host.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>OutgoingInterface=</varname></term>
+ <listitem>
+ <para>Specifies the outgoing device to match. The outgoing interface is only available for
+ packets originating from local sockets that are bound to a device.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>SourcePort=</varname></term>
+ <listitem>
+ <para>Specifies the source IP port or IP port range match in forwarding information base
+ (FIB) rules. A port range is specified by the lower and upper port separated by a dash.
+ Defaults to unset.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>DestinationPort=</varname></term>
+ <listitem>
+ <para>Specifies the destination IP port or IP port range match in forwarding information base
+ (FIB) rules. A port range is specified by the lower and upper port separated by a dash.
+ Defaults to unset.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>IPProtocol=</varname></term>
+ <listitem>
+ <para>Specifies the IP protocol to match in forwarding information base (FIB) rules. Takes IP
+ protocol name such as <literal>tcp</literal>, <literal>udp</literal> or
+ <literal>sctp</literal>, or IP protocol number such as <literal>6</literal> for
+ <literal>tcp</literal> or <literal>17</literal> for <literal>udp</literal>. Defaults to unset.
</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>Protocol=</varname></term>
- <listitem>
- <para>The protocol identifier for the route. Takes a number between 0 and 255 or the special values
- <literal>kernel</literal>, <literal>boot</literal>, <literal>static</literal>,
- <literal>ra</literal> and <literal>dhcp</literal>. Defaults to <literal>static</literal>.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>Type=</varname></term>
- <listitem>
- <para>Specifies the type for the route. Takes one of <literal>unicast</literal>,
- <literal>local</literal>, <literal>broadcast</literal>, <literal>anycast</literal>,
- <literal>multicast</literal>, <literal>blackhole</literal>, <literal>unreachable</literal>,
- <literal>prohibit</literal>, <literal>throw</literal>, <literal>nat</literal>, and
- <literal>xresolve</literal>. If <literal>unicast</literal>, a regular route is defined, i.e. a
- route indicating the path to take to a destination network address. If <literal>blackhole</literal>, packets
- to the defined route are discarded silently. If <literal>unreachable</literal>, packets to the defined route
- are discarded and the ICMP message "Host Unreachable" is generated. If <literal>prohibit</literal>, packets
- to the defined route are discarded and the ICMP message "Communication Administratively Prohibited" is
- generated. If <literal>throw</literal>, route lookup in the current routing table will fail and the route
- selection process will return to Routing Policy Database (RPDB). Defaults to <literal>unicast</literal>.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>InitialCongestionWindow=</varname></term>
- <listitem>
- <para>The TCP initial congestion window is used during the start of a TCP connection.
- During the start of a TCP session, when a client requests a resource, the server's initial
- congestion window determines how many packets will be sent during the initial burst of data
- without waiting for acknowledgement. Takes a number between 1 and 1023. Note that 100 is
- considered an extremely large value for this option. When unset, the kernel's default
- (typically 10) will be used.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>InitialAdvertisedReceiveWindow=</varname></term>
- <listitem>
- <para>The TCP initial advertised receive window is the amount of receive data (in bytes)
- that can initially be buffered at one time on a connection. The sending host can send only
- that amount of data before waiting for an acknowledgment and window update from the
- receiving host. Takes a number between 1 and 1023. Note that 100 is considered an extremely
- large value for this option. When unset, the kernel's default will be used.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>QuickAck=</varname></term>
- <listitem>
- <para>Takes a boolean. When true enables TCP quick ack mode for the route. When unset, the kernel's default will be used.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>FastOpenNoCookie=</varname></term>
- <listitem>
- <para>Takes a boolean. When true enables TCP fastopen without a cookie on a per-route basis.
- When unset, the kernel's default will be used.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>TTLPropagate=</varname></term>
- <listitem>
- <para>Takes a boolean. When true enables TTL propagation at Label Switched Path (LSP) egress.
- When unset, the kernel's default will be used.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>InvertRule=</varname></term>
+ <listitem>
+ <para>A boolean. Specifies whether the rule is to be inverted. Defaults to false.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>Family=</varname></term>
+ <listitem>
+ <para>Takes a special value <literal>ipv4</literal>, <literal>ipv6</literal>, or
+ <literal>both</literal>. By default, the address family is determined by the address
+ specified in <varname>To=</varname> or <varname>From=</varname>. If neither
+ <varname>To=</varname> nor <varname>From=</varname> are specified, then defaults to
+ <literal>ipv4</literal>.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>User=</varname></term>
+ <listitem>
+ <para>Takes a username, a user ID, or a range of user IDs separated by a dash. Defaults to
+ unset.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>SuppressPrefixLength=</varname></term>
+ <listitem>
+ <para>Takes a number <replaceable>N</replaceable> in the range 0…128 and rejects routing
+ decisions that have a prefix length of <replaceable>N</replaceable> or less. Defaults to
+ unset.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>SuppressInterfaceGroup=</varname></term>
+ <listitem>
+ <para>Takes an integer in the range 0…2147483647 and rejects routing decisions that have
+ an interface with the same group id. It has the same meaning as
+ <option>suppress_ifgroup</option> in <command>ip rule</command>. Defaults to unset.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>Type=</varname></term>
+ <listitem>
+ <para>Specifies Routing Policy Database (RPDB) rule type. Takes one of
+ <literal>blackhole</literal>, <literal>unreachable</literal> or <literal>prohibit</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>[NextHop] Section Options</title>
+
+ <para>The [NextHop] section is used to manipulate entries in the kernel's "nexthop" tables. The
+ [NextHop] section accepts the following settings. Specify several [NextHop] sections to configure
+ several hops.</para>
+
+ <variablelist class='network-directives'>
+ <varlistentry>
+ <term><varname>Id=</varname></term>
+ <listitem>
+ <para>The id of the next hop. Takes an integer in the range 1…4294967295. If unspecified,
+ then automatically chosen by kernel.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>Gateway=</varname></term>
+ <listitem>
+ <para>As in the [Network] section.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>Family=</varname></term>
+ <listitem>
+ <para>Takes one of the special values <literal>ipv4</literal> or <literal>ipv6</literal>.
+ By default, the family is determined by the address specified in
+ <varname>Gateway=</varname>. If <varname>Gateway=</varname> is not specified, then defaults
+ to <literal>ipv4</literal>.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>OnLink=</varname></term>
+ <listitem>
+ <para>Takes a boolean. If set to true, the kernel does not have to check if the gateway is
+ reachable directly by the current machine (i.e., attached to the local network), so that we
+ can insert the nexthop in the kernel table without it being complained about. Defaults to
+ <literal>no</literal>.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>Blackhole=</varname></term>
+ <listitem>
+ <para>Takes a boolean. If enabled, packets to the corresponding routes are discarded
+ silently, and <varname>Gateway=</varname> cannot be specified. Defaults to
+ <literal>no</literal>.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>Group=</varname></term>
+ <listitem>
+ <para>Takes a whitespace separated list of nexthop IDs. Each ID must be in the range
+ 1…4294967295. Optionally, each nexthop ID can take a weight after a colon
+ (<literal><replaceable>id</replaceable><optional>:<replaceable>weight</replaceable></optional></literal>).
+ The weight must be in the range 1…255. If the weight is not specified, then it is assumed
+ that the weight is 1. This setting cannot be specified with <varname>Gateway=</varname>,
+ <varname>Family=</varname>, <varname>Blackhole=</varname>. This setting can be specified
+ multiple times. If an empty string is assigned, then the all previous assignments are
+ cleared. Defaults to unset.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>[Route] Section Options</title>
+
+ <para>The [Route] section accepts the following settings. Specify several [Route] sections to
+ configure several routes.</para>
+
+ <variablelist class='network-directives'>
+ <varlistentry>
+ <term><varname>Gateway=</varname></term>
+ <listitem>
+ <para>Takes the gateway address or the special values <literal>_dhcp4</literal> and
+ <literal>_ipv6ra</literal>. If <literal>_dhcp4</literal> or <literal>_ipv6ra</literal> is
+ set, then the gateway address provided by DHCPv4 or IPv6 RA is used.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>GatewayOnLink=</varname></term>
+ <listitem>
+ <para>Takes a boolean. If set to true, the kernel does not have to check if the gateway is
+ reachable directly by the current machine (i.e., attached to the local network), so that we
+ can insert the route in the kernel table without it being complained about. Defaults to
+ <literal>no</literal>.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>Destination=</varname></term>
+ <listitem>
+ <para>The destination prefix of the route. Possibly followed by a slash and the prefix
+ length. If omitted, a full-length host route is assumed.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>Source=</varname></term>
+ <listitem>
+ <para>The source prefix of the route. Possibly followed by a slash and the prefix length. If
+ omitted, a full-length host route is assumed.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>Metric=</varname></term>
+ <listitem>
+ <para>The metric of the route. Takes an unsigned integer in the range 0…4294967295. Defaults
+ to unset, and the kernel's default will be used.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>IPv6Preference=</varname></term>
+ <listitem>
+ <para>Specifies the route preference as defined in
+ <ulink url="https://tools.ietf.org/html/rfc4191">RFC 4191</ulink> for Router Discovery
+ messages. Which can be one of <literal>low</literal> the route has a lowest priority,
+ <literal>medium</literal> the route has a default priority or <literal>high</literal> the
+ route has a highest priority.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>Scope=</varname></term>
+ <listitem>
+ <para>The scope of the IPv4 route, which can be <literal>global</literal>,
+ <literal>site</literal>, <literal>link</literal>, <literal>host</literal>, or
+ <literal>nowhere</literal>:</para>
+ <itemizedlist>
+ <listitem>
+ <para><literal>global</literal> means the route can reach hosts more than one hop away.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para><literal>site</literal> means an interior route in the local autonomous system.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para><literal>link</literal> means the route can only reach hosts on the local network
+ (one hop away).</para>
+ </listitem>
+
+ <listitem>
+ <para><literal>host</literal> means the route will not leave the local machine (used for
+ internal addresses like 127.0.0.1).</para>
+ </listitem>
+
+ <listitem>
+ <para><literal>nowhere</literal> means the destination doesn't exist.</para>
+ </listitem>
+ </itemizedlist>
+
+ <para>For IPv4 route, defaults to <literal>host</literal> if <varname>Type=</varname> is
+ <literal>local</literal> or <literal>nat</literal>, and <literal>link</literal> if
+ <varname>Type=</varname> is <literal>broadcast</literal>, <literal>multicast</literal>,
+ <literal>anycast</literal>, or direct <literal>unicast</literal> routes. In other cases,
+ defaults to <literal>global</literal>. The value is not used for IPv6.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>PreferredSource=</varname></term>
+ <listitem>
+ <para>The preferred source address of the route. The address must be in the format described
+ in
+ <citerefentry project='man-pages'><refentrytitle>inet_pton</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>Table=</varname></term>
+ <listitem>
+ <para>The table identifier for the route. Takes one of predefined names
+ <literal>default</literal>, <literal>main</literal>, and <literal>local</literal>, and names
+ defined in <varname>RouteTable=</varname> in
+ <citerefentry><refentrytitle>networkd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ or a number between 1 and 4294967295. The table can be retrieved using
+ <command>ip route show table <replaceable>num</replaceable></command>. If unset and
+ <varname>Type=</varname> is <literal>local</literal>, <literal>broadcast</literal>,
+ <literal>anycast</literal>, or <literal>nat</literal>, then <literal>local</literal> is used.
+ In other cases, defaults to <literal>main</literal>.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>Protocol=</varname></term>
+ <listitem>
+ <para>The protocol identifier for the route. Takes a number between 0 and 255 or the special
+ values <literal>kernel</literal>, <literal>boot</literal>, <literal>static</literal>,
+ <literal>ra</literal> and <literal>dhcp</literal>. Defaults to <literal>static</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>Type=</varname></term>
+ <listitem>
+ <para>Specifies the type for the route. Takes one of <literal>unicast</literal>,
+ <literal>local</literal>, <literal>broadcast</literal>, <literal>anycast</literal>,
+ <literal>multicast</literal>, <literal>blackhole</literal>, <literal>unreachable</literal>,
+ <literal>prohibit</literal>, <literal>throw</literal>, <literal>nat</literal>, and
+ <literal>xresolve</literal>. If <literal>unicast</literal>, a regular route is defined, i.e.
+ a route indicating the path to take to a destination network address. If
+ <literal>blackhole</literal>, packets to the defined route are discarded silently. If
+ <literal>unreachable</literal>, packets to the defined route are discarded and the ICMP
+ message "Host Unreachable" is generated. If <literal>prohibit</literal>, packets to the
+ defined route are discarded and the ICMP message "Communication Administratively Prohibited"
+ is generated. If <literal>throw</literal>, route lookup in the current routing table will
+ fail and the route selection process will return to Routing Policy Database (RPDB). Defaults
+ to <literal>unicast</literal>.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>InitialCongestionWindow=</varname></term>
+ <listitem>
+ <para>The TCP initial congestion window is used during the start of a TCP connection.
+ During the start of a TCP session, when a client requests a resource, the server's initial
+ congestion window determines how many packets will be sent during the initial burst of data
+ without waiting for acknowledgement. Takes a number between 1 and 1023. Note that 100 is
+ considered an extremely large value for this option. When unset, the kernel's default
+ (typically 10) will be used.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>InitialAdvertisedReceiveWindow=</varname></term>
+ <listitem>
+ <para>The TCP initial advertised receive window is the amount of receive data (in bytes)
+ that can initially be buffered at one time on a connection. The sending host can send only
+ that amount of data before waiting for an acknowledgment and window update from the
+ receiving host. Takes a number between 1 and 1023. Note that 100 is considered an extremely
+ large value for this option. When unset, the kernel's default will be used.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>QuickAck=</varname></term>
+ <listitem>
+ <para>Takes a boolean. When true enables TCP quick ack mode for the route. When unset, the
+ kernel's default will be used.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>FastOpenNoCookie=</varname></term>
+ <listitem>
+ <para>Takes a boolean. When true enables TCP fastopen without a cookie on a per-route basis.
+ When unset, the kernel's default will be used.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>TTLPropagate=</varname></term>
+ <listitem>
+ <para>Takes a boolean. When true enables TTL propagation at Label Switched Path (LSP) egress.
+ When unset, the kernel's default will be used.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><varname>MTUBytes=</varname></term>
<listitem>
- <para>The maximum transmission unit in bytes to set for the
- route. The usual suffixes K, M, G, are supported and are
- understood to the base of 1024.</para>
- <para>Note that if IPv6 is enabled on the interface, and the MTU is chosen
- below 1280 (the minimum MTU for IPv6) it will automatically be increased to this value.</para>
+ <para>The maximum transmission unit in bytes to set for the route. The usual suffixes K, M,
+ G, are supported and are understood to the base of 1024.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>TCPAdvertisedMaximumSegmentSize=</varname></term>
+ <listitem>
+ <para>Specifies the Path MSS (in bytes) hints given on TCP layer. The usual suffixes K, M, G,
+ are supported and are understood to the base of 1024. An unsigned integer in the range
+ 1…4294967294. When unset, the kernel's default will be used.</para>
</listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>IPServiceType=</varname></term>
- <listitem>
- <para>Takes one of the special values <literal>none</literal>, <literal>CS6</literal>, or
- <literal>CS4</literal>. When <literal>none</literal> no IP service type is set to the packet
- sent from the DHCPv4 client. When <literal>CS6</literal> (network control) or
- <literal>CS4</literal> (realtime), the corresponding service type will be set. Defaults to
- <literal>CS6</literal>.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>TCPAdvertisedMaximumSegmentSize=</varname></term>
- <listitem>
- <para>Specifies the Path MSS (in bytes) hints given on TCP layer. The usual suffixes K, M, G, are
- supported and are understood to the base of 1024. An unsigned integer in the range 1…4294967294.
- When unset, the kernel's default will be used.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>MultiPathRoute=<replaceable>address</replaceable>[@<replaceable>name</replaceable>] [<replaceable>weight</replaceable>]</varname></term>
- <listitem>
- <para>Configures multipath route. Multipath routing is the technique of using multiple
- alternative paths through a network. Takes gateway address. Optionally, takes a network
- interface name or index separated with <literal>@</literal>, and a weight in 1..256 for
- this multipath route separated with whitespace. This setting can be specified multiple
- times. If an empty string is assigned, then the all previous assignments are cleared.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>NextHop=</varname></term>
- <listitem>
- <para>Specifies the nexthop id. Takes an unsigned integer in the range 1…4294967295.
- If set, the corresponding [NextHop] section must be configured. Defaults to unset.</para>
- </listitem>
- </varlistentry>
- </variablelist>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>MultiPathRoute=<replaceable>address</replaceable>[@<replaceable>name</replaceable>] [<replaceable>weight</replaceable>]</varname></term>
+ <listitem>
+ <para>Configures multipath route. Multipath routing is the technique of using multiple
+ alternative paths through a network. Takes gateway address. Optionally, takes a network
+ interface name or index separated with <literal>@</literal>, and a weight in 1..256 for this
+ multipath route separated with whitespace. This setting can be specified multiple times. If
+ an empty string is assigned, then the all previous assignments are cleared.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>NextHop=</varname></term>
+ <listitem>
+ <para>Specifies the nexthop id. Takes an unsigned integer in the range 1…4294967295. If set,
+ the corresponding [NextHop] section must be configured. Defaults to unset.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
</refsect1>
<refsect1>
<title>[DHCPv4] Section Options</title>
- <para>The [DHCPv4] section configures the DHCPv4 client, if it is enabled with the
- <varname>DHCP=</varname> setting described above:</para>
- <variablelist class='network-directives'>
+ <para>The [DHCPv4] section configures the DHCPv4 client, if it is enabled with the
+ <varname>DHCP=</varname> setting described above:</para>
- <!-- DHCP packet contents -->
+ <variablelist class='network-directives'>
- <varlistentry>
- <term><varname>SendHostname=</varname></term>
- <listitem>
- <para>When true (the default), the machine's hostname (or the value specified with
- <varname>Hostname=</varname>, described below) will be sent to the DHCP server. Note that the
- hostname must consist only of 7-bit ASCII lower-case characters and no spaces or dots, and be
- formatted as a valid DNS domain name. Otherwise, the hostname is not sent even if this option is
- true.</para>
- </listitem>
- </varlistentry>
+ <!-- DHCP packet contents -->
- <varlistentry>
- <term><varname>Hostname=</varname></term>
- <listitem>
- <para>Use this value for the hostname which is sent to the DHCP server, instead of machine's hostname.
- Note that the specified hostname must consist only of 7-bit ASCII lower-case characters and
- no spaces or dots, and be formatted as a valid DNS domain name.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>SendHostname=</varname></term>
+ <listitem>
+ <para>When true (the default), the machine's hostname (or the value specified with
+ <varname>Hostname=</varname>, described below) will be sent to the DHCP server. Note that the
+ hostname must consist only of 7-bit ASCII lower-case characters and no spaces or dots, and be
+ formatted as a valid DNS domain name. Otherwise, the hostname is not sent even if this option
+ is true.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>MUDURL=</varname></term>
- <listitem>
- <para>When configured, the specified Manufacturer Usage Description (MUD) URL will be sent to the
- DHCPv4 server. Takes a URL of length up to 255 characters. A superficial verification that the
- string is a valid URL will be performed. DHCPv4 clients are intended to have at most one MUD URL
- associated with them. See <ulink url="https://tools.ietf.org/html/rfc8520">RFC 8520</ulink>.
- </para>
+ <varlistentry>
+ <term><varname>Hostname=</varname></term>
+ <listitem>
+ <para>Use this value for the hostname which is sent to the DHCP server, instead of machine's
+ hostname. Note that the specified hostname must consist only of 7-bit ASCII lower-case
+ characters and no spaces or dots, and be formatted as a valid DNS domain name.</para>
+ </listitem>
+ </varlistentry>
- <para>MUD is an embedded software standard defined by the IETF that allows IoT device makers to
- advertise device specifications, including the intended communication patterns for their device
- when it connects to the network. The network can then use this to author a context-specific
- access policy, so the device functions only within those parameters.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>MUDURL=</varname></term>
+ <listitem>
+ <para>When configured, the specified Manufacturer Usage Description (MUD) URL will be sent
+ to the DHCPv4 server. Takes a URL of length up to 255 characters. A superficial verification
+ that the string is a valid URL will be performed. DHCPv4 clients are intended to have at most
+ one MUD URL associated with them. See
+ <ulink url="https://tools.ietf.org/html/rfc8520">RFC 8520</ulink>.</para>
+
+ <para>MUD is an embedded software standard defined by the IETF that allows IoT device makers
+ to advertise device specifications, including the intended communication patterns for their
+ device when it connects to the network. The network can then use this to author a
+ context-specific access policy, so the device functions only within those parameters.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>ClientIdentifier=</varname></term>
- <listitem>
- <para>The DHCPv4 client identifier to use. Takes one of <option>mac</option>,
- <option>duid</option> or <option>duid-only</option>. If set to <option>mac</option>, the
- MAC address of the link is used. If set to <option>duid</option>, an RFC4361-compliant Client
- ID, which is the combination of IAID and DUID (see below), is used. If set to
- <option>duid-only</option>, only DUID is used, this may not be RFC compliant, but some setups
- may require to use this. Defaults to <option>duid</option>.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>ClientIdentifier=</varname></term>
+ <listitem>
+ <para>The DHCPv4 client identifier to use. Takes one of <option>mac</option>,
+ <option>duid</option> or <option>duid-only</option>. If set to <option>mac</option>, the
+ MAC address of the link is used. If set to <option>duid</option>, an RFC4361-compliant Client
+ ID, which is the combination of IAID and DUID (see below), is used. If set to
+ <option>duid-only</option>, only DUID is used, this may not be RFC compliant, but some setups
+ may require to use this. Defaults to <option>duid</option>.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>VendorClassIdentifier=</varname></term>
- <listitem>
- <para>The vendor class identifier used to identify vendor
- type and configuration.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>VendorClassIdentifier=</varname></term>
+ <listitem>
+ <para>The vendor class identifier used to identify vendor type and configuration.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>UserClass=</varname></term>
- <listitem>
- <para>A DHCPv4 client can use UserClass option to identify the type or category of user or
- applications it represents. The information contained in this option is a string that represents
- the user class of which the client is a member. Each class sets an identifying string of
- information to be used by the DHCP service to classify clients. Takes a whitespace-separated list
- of strings.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>UserClass=</varname></term>
+ <listitem>
+ <para>A DHCPv4 client can use UserClass option to identify the type or category of user or
+ applications it represents. The information contained in this option is a string that
+ represents the user class of which the client is a member. Each class sets an identifying
+ string of information to be used by the DHCP service to classify clients. Takes a
+ whitespace-separated list of strings.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>DUIDType=</varname></term>
- <listitem>
- <para>Override the global <varname>DUIDType=</varname> setting for this network. See
- <citerefentry><refentrytitle>networkd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- for a description of possible values.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>DUIDType=</varname></term>
+ <listitem>
+ <para>Override the global <varname>DUIDType=</varname> setting for this network. See
+ <citerefentry><refentrytitle>networkd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ for a description of possible values.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>DUIDRawData=</varname></term>
- <listitem>
- <para>Override the global <varname>DUIDRawData=</varname> setting for this network. See
- <citerefentry><refentrytitle>networkd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- for a description of possible values.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>DUIDRawData=</varname></term>
+ <listitem>
+ <para>Override the global <varname>DUIDRawData=</varname> setting for this network. See
+ <citerefentry><refentrytitle>networkd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ for a description of possible values.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>IAID=</varname></term>
- <listitem>
- <para>The DHCP Identity Association Identifier (IAID) for the interface, a 32-bit unsigned
- integer.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>IAID=</varname></term>
+ <listitem>
+ <para>The DHCP Identity Association Identifier (IAID) for the interface, a 32-bit unsigned
+ integer.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>Anonymize=</varname></term>
- <listitem>
- <para>Takes a boolean. When true, the options sent to the DHCP server will follow the
- <ulink url="https://tools.ietf.org/html/rfc7844">RFC 7844</ulink> (Anonymity Profiles for
- DHCP Clients) to minimize disclosure of identifying information. Defaults to false.</para>
+ <varlistentry>
+ <term><varname>Anonymize=</varname></term>
+ <listitem>
+ <para>Takes a boolean. When true, the options sent to the DHCP server will follow the
+ <ulink url="https://tools.ietf.org/html/rfc7844">RFC 7844</ulink> (Anonymity Profiles for
+ DHCP Clients) to minimize disclosure of identifying information. Defaults to false.</para>
- <para>This option should only be set to true when <varname>MACAddressPolicy=</varname> is
- set to <option>random</option> (see
- <citerefentry><refentrytitle>systemd.link</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
- </para>
+ <para>This option should only be set to true when <varname>MACAddressPolicy=</varname> is set
+ to <option>random</option> (see
+ <citerefentry><refentrytitle>systemd.link</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
+ </para>
- <para>When true, <varname>SendHostname=</varname>, <varname>ClientIdentifier=</varname>,
- <varname>VendorClassIdentifier=</varname>, <varname>UserClass=</varname>,
- <varname>RequestOptions=</varname>, <varname>SendOption=</varname>,
- <varname>SendVendorOption=</varname>, and <varname>MUDURL=</varname> are ignored.</para>
+ <para>When true, <varname>SendHostname=</varname>, <varname>ClientIdentifier=</varname>,
+ <varname>VendorClassIdentifier=</varname>, <varname>UserClass=</varname>,
+ <varname>RequestOptions=</varname>, <varname>SendOption=</varname>,
+ <varname>SendVendorOption=</varname>, and <varname>MUDURL=</varname> are ignored.</para>
- <para>With this option enabled DHCP requests will mimic those generated by Microsoft
- Windows, in order to reduce the ability to fingerprint and recognize installations. This
- means DHCP request sizes will grow and lease data will be more comprehensive than normally,
- though most of the requested data is not actually used.</para>
- </listitem>
- </varlistentry>
+ <para>With this option enabled DHCP requests will mimic those generated by Microsoft
+ Windows, in order to reduce the ability to fingerprint and recognize installations. This
+ means DHCP request sizes will grow and lease data will be more comprehensive than normally,
+ though most of the requested data is not actually used.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>RequestOptions=</varname></term>
- <listitem>
- <para>Sets request options to be sent to the server in the DHCPv4 request options list. A
- whitespace-separated list of integers in the range 1…254. Defaults to unset.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>RequestOptions=</varname></term>
+ <listitem>
+ <para>Sets request options to be sent to the server in the DHCPv4 request options list. A
+ whitespace-separated list of integers in the range 1…254. Defaults to unset.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>SendOption=</varname></term>
- <listitem>
- <para>Send an arbitrary raw option in the DHCPv4 request. Takes a DHCP option number, data type
- and data separated with a colon
- (<literal><replaceable>option</replaceable>:<replaceable>type</replaceable>:<replaceable>value</replaceable></literal>).
- The option number must be an integer in the range 1…254. The type takes one of
- <literal>uint8</literal>, <literal>uint16</literal>, <literal>uint32</literal>,
- <literal>ipv4address</literal>, or <literal>string</literal>. Special characters in the data
- string may be escaped using <ulink
- url="https://en.wikipedia.org/wiki/Escape_sequences_in_C#Table_of_escape_sequences">C-style
- escapes</ulink>. This setting can be specified multiple times. If an empty string is specified,
- then all options specified earlier are cleared. Defaults to unset.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>SendOption=</varname></term>
+ <listitem>
+ <para>Send an arbitrary raw option in the DHCPv4 request. Takes a DHCP option number, data
+ type and data separated with a colon
+ (<literal><replaceable>option</replaceable>:<replaceable>type</replaceable>:<replaceable>value</replaceable></literal>).
+ The option number must be an integer in the range 1…254. The type takes one of
+ <literal>uint8</literal>, <literal>uint16</literal>, <literal>uint32</literal>,
+ <literal>ipv4address</literal>, or <literal>string</literal>. Special characters in the data
+ string may be escaped using
+ <ulink url="https://en.wikipedia.org/wiki/Escape_sequences_in_C#Table_of_escape_sequences">C-style
+ escapes</ulink>. This setting can be specified multiple times. If an empty string is
+ specified, then all options specified earlier are cleared. Defaults to unset.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>SendVendorOption=</varname></term>
- <listitem>
- <para>Send an arbitrary vendor option in the DHCPv4 request. Takes a DHCP option number, data
- type and data separated with a colon
- (<literal><replaceable>option</replaceable>:<replaceable>type</replaceable>:<replaceable>value</replaceable></literal>).
- The option number must be an integer in the range 1…254. The type takes one of
- <literal>uint8</literal>, <literal>uint16</literal>, <literal>uint32</literal>,
- <literal>ipv4address</literal>, or <literal>string</literal>. Special characters in the data
- string may be escaped using <ulink
- url="https://en.wikipedia.org/wiki/Escape_sequences_in_C#Table_of_escape_sequences">C-style
- escapes</ulink>. This setting can be specified multiple times. If an empty string is specified,
- then all options specified earlier are cleared. Defaults to unset.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>SendVendorOption=</varname></term>
+ <listitem>
+ <para>Send an arbitrary vendor option in the DHCPv4 request. Takes a DHCP option number, data
+ type and data separated with a colon
+ (<literal><replaceable>option</replaceable>:<replaceable>type</replaceable>:<replaceable>value</replaceable></literal>).
+ The option number must be an integer in the range 1…254. The type takes one of
+ <literal>uint8</literal>, <literal>uint16</literal>, <literal>uint32</literal>,
+ <literal>ipv4address</literal>, or <literal>string</literal>. Special characters in the data
+ string may be escaped using
+ <ulink url="https://en.wikipedia.org/wiki/Escape_sequences_in_C#Table_of_escape_sequences">C-style
+ escapes</ulink>. This setting can be specified multiple times. If an empty string is specified,
+ then all options specified earlier are cleared. Defaults to unset.</para>
+ </listitem>
+ </varlistentry>
- <!-- How to use the DHCP lease -->
+ <varlistentry>
+ <term><varname>IPServiceType=</varname></term>
+ <listitem>
+ <para>Takes one of the special values <literal>none</literal>, <literal>CS6</literal>, or
+ <literal>CS4</literal>. When <literal>none</literal> no IP service type is set to the packet
+ sent from the DHCPv4 client. When <literal>CS6</literal> (network control) or
+ <literal>CS4</literal> (realtime), the corresponding service type will be set. Defaults to
+ <literal>CS6</literal>.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>Label=</varname></term>
- <listitem>
- <para>Specifies the label for the IPv4 address received from the DHCP server.
- The label must be a 7-bit ASCII string with a length of 1…15 characters.
- Defaults to unset.</para>
- </listitem>
- </varlistentry>
+ <!-- How to use the DHCP lease -->
- <varlistentry>
- <term><varname>UseDNS=</varname></term>
- <listitem>
- <para>When true (the default), the DNS servers received from the DHCP server will be used.</para>
+ <varlistentry>
+ <term><varname>Label=</varname></term>
+ <listitem>
+ <para>Specifies the label for the IPv4 address received from the DHCP server. The label must
+ be a 7-bit ASCII string with a length of 1…15 characters. Defaults to unset.</para>
+ </listitem>
+ </varlistentry>
- <para>This corresponds to the <option>nameserver</option>
- option in <citerefentry
- project='man-pages'><refentrytitle>resolv.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>UseDNS=</varname></term>
+ <listitem>
+ <para>When true (the default), the DNS servers received from the DHCP server will be used.
+ </para>
- <varlistentry>
- <term><varname>RoutesToDNS=</varname></term>
- <listitem>
- <para>When true, the routes to the DNS servers received from the DHCP server will be
- configured. When <varname>UseDNS=</varname> is disabled, this setting is ignored.
- Defaults to true.</para>
- </listitem>
- </varlistentry>
+ <para>This corresponds to the <option>nameserver</option> option in
+ <citerefentry project='man-pages'><refentrytitle>resolv.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ </para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>UseNTP=</varname></term>
- <listitem>
- <para>When true (the default), the NTP servers received from the DHCP server will be used by
- <filename>systemd-timesyncd.service</filename>.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>RoutesToDNS=</varname></term>
+ <listitem>
+ <para>When true, the routes to the DNS servers received from the DHCP server will be
+ configured. When <varname>UseDNS=</varname> is disabled, this setting is ignored. Defaults to
+ true.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>RoutesToNTP=</varname></term>
- <listitem>
- <para>When true, the routes to the NTP servers received from the DHCP server will be
- configured. When <varname>UseNTP=</varname> is disabled, this setting is ignored.
- Defaults to true.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>UseNTP=</varname></term>
+ <listitem>
+ <para>When true (the default), the NTP servers received from the DHCP server will be used by
+ <filename>systemd-timesyncd.service</filename>.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>UseSIP=</varname></term>
- <listitem>
- <para>When true (the default), the SIP servers received from the DHCP server will be collected
- and made available to client programs.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>RoutesToNTP=</varname></term>
+ <listitem>
+ <para>When true, the routes to the NTP servers received from the DHCP server will be
+ configured. When <varname>UseNTP=</varname> is disabled, this setting is ignored. Defaults to
+ true.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>UseMTU=</varname></term>
- <listitem>
- <para>When true, the interface maximum transmission unit from the DHCP server will be used on the
- current link. If <varname>MTUBytes=</varname> is set, then this setting is ignored. Defaults to
- false.</para>
- <para>Note, some drivers will reset the interfaces if the MTU is changed. For such
- interfaces, please try to use <varname>IgnoreCarrierLoss=</varname> with a short timespan,
- e.g. <literal>3 seconds</literal>.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>UseSIP=</varname></term>
+ <listitem>
+ <para>When true (the default), the SIP servers received from the DHCP server will be collected
+ and made available to client programs.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>UseHostname=</varname></term>
- <listitem>
- <para>When true (the default), the hostname received from the DHCP server will be set as the
- transient hostname of the system.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>UseMTU=</varname></term>
+ <listitem>
+ <para>When true, the interface maximum transmission unit from the DHCP server will be used on
+ the current link. If <varname>MTUBytes=</varname> is set, then this setting is ignored.
+ Defaults to false.</para>
- <varlistentry>
- <term><varname>UseDomains=</varname></term>
- <listitem>
- <para>Takes a boolean, or the special value <option>route</option>. When true, the domain name
- received from the DHCP server will be used as DNS search domain over this link, similar to the
- effect of the <option>Domains=</option> setting. If set to <option>route</option>, the domain
- name received from the DHCP server will be used for routing DNS queries only, but not for
- searching, similar to the effect of the <option>Domains=</option> setting when the argument is
- prefixed with <literal>~</literal>. Defaults to false.</para>
-
- <para>It is recommended to enable this option only on trusted networks, as setting this affects
- resolution of all hostnames, in particular of single-label names. It is generally safer to use
- the supplied domain only as routing domain, rather than as search domain, in order to not have it
- affect local resolution of single-label names.</para>
-
- <para>When set to true, this setting corresponds to the <option>domain</option> option in
- <citerefentry project='man-pages'><refentrytitle>resolv.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
- </para>
- </listitem>
- </varlistentry>
+ <para>Note, some drivers will reset the interfaces if the MTU is changed. For such
+ interfaces, please try to use <varname>IgnoreCarrierLoss=</varname> with a short timespan,
+ e.g. <literal>3 seconds</literal>.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>UseRoutes=</varname></term>
- <listitem>
- <para>When true (the default), the static routes will be requested from the DHCP server and added
- to the routing table with a metric of 1024, and a scope of <option>global</option>,
- <option>link</option> or <option>host</option>, depending on the route's destination and
- gateway. If the destination is on the local host, e.g., 127.x.x.x, or the same as the link's own
- address, the scope will be set to <option>host</option>. Otherwise if the gateway is null (a
- direct route), a <option>link</option> scope will be used. For anything else, scope defaults to
- <option>global</option>.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>UseHostname=</varname></term>
+ <listitem>
+ <para>When true (the default), the hostname received from the DHCP server will be set as the
+ transient hostname of the system.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>RouteMetric=</varname></term>
- <listitem>
- <para>Set the routing metric for routes specified by the DHCP server (including the prefix
- route added for the specified prefix). Takes an unsigned integer in the range 0…4294967295.
- Defaults to 1024.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>UseDomains=</varname></term>
+ <listitem>
+ <para>Takes a boolean, or the special value <option>route</option>. When true, the domain
+ name received from the DHCP server will be used as DNS search domain over this link, similar
+ to the effect of the <option>Domains=</option> setting. If set to <option>route</option>, the
+ domain name received from the DHCP server will be used for routing DNS queries only, but not
+ for searching, similar to the effect of the <option>Domains=</option> setting when the
+ argument is prefixed with <literal>~</literal>. Defaults to false.</para>
+
+ <para>It is recommended to enable this option only on trusted networks, as setting this
+ affects resolution of all hostnames, in particular of single-label names. It is generally
+ safer to use the supplied domain only as routing domain, rather than as search domain, in
+ order to not have it affect local resolution of single-label names.</para>
+
+ <para>When set to true, this setting corresponds to the <option>domain</option> option in
+ <citerefentry project='man-pages'><refentrytitle>resolv.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>UseRoutes=</varname></term>
+ <listitem>
+ <para>When true (the default), the static routes will be requested from the DHCP server and
+ added to the routing table with a metric of 1024, and a scope of <option>global</option>,
+ <option>link</option> or <option>host</option>, depending on the route's destination and
+ gateway. If the destination is on the local host, e.g., 127.x.x.x, or the same as the link's
+ own address, the scope will be set to <option>host</option>. Otherwise if the gateway is null
+ (a direct route), a <option>link</option> scope will be used. For anything else, scope
+ defaults to <option>global</option>.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>RouteMetric=</varname></term>
+ <listitem>
+ <para>Set the routing metric for routes specified by the DHCP server (including the prefix
+ route added for the specified prefix). Takes an unsigned integer in the range 0…4294967295.
+ Defaults to 1024.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>RouteTable=<replaceable>num</replaceable></varname></term>
+ <listitem>
+ <para>The table identifier for DHCP routes (a number between 1 and 4294967295, or 0 to
+ unset). The table can be retrieved using
+ <command>ip route show table <replaceable>num</replaceable></command>.</para>
- <varlistentry>
- <term><varname>RouteTable=<replaceable>num</replaceable></varname></term>
- <listitem>
- <para>The table identifier for DHCP routes (a number between 1 and 4294967295, or 0 to unset).
- The table can be retrieved using <command>ip route show table <replaceable>num</replaceable></command>.
- </para>
- <para>When used in combination with <varname>VRF=</varname>, the
- VRF's routing table is used when this parameter is not specified.
- </para>
- </listitem>
- </varlistentry>
+ <para>When used in combination with <varname>VRF=</varname>, the VRF's routing table is
+ used when this parameter is not specified.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>RouteMTUBytes=</varname></term>
- <listitem>
- <para>Specifies the MTU for the DHCP routes. Please see the [Route] section for further details.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>RouteMTUBytes=</varname></term>
+ <listitem>
+ <para>Specifies the MTU for the DHCP routes. Please see the [Route] section for further
+ details.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>UseGateway=</varname></term>
- <listitem>
- <para>When true, the gateway will be requested from the DHCP server and added to the routing
- table with a metric of 1024, and a scope of <option>link</option>. When unset, the value specified
- with <varname>UseRoutes=</varname> is used.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>UseGateway=</varname></term>
+ <listitem>
+ <para>When true, the gateway will be requested from the DHCP server and added to the routing
+ table with a metric of 1024, and a scope of <option>link</option>. When unset, the value
+ specified with <varname>UseRoutes=</varname> is used.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>UseTimezone=</varname></term>
- <listitem><para>When true, the timezone received from the DHCP server will be set as timezone of
- the local system. Defaults to false.</para></listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>UseTimezone=</varname></term>
+ <listitem><para>When true, the timezone received from the DHCP server will be set as timezone
+ of the local system. Defaults to false.</para></listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>Use6RD=</varname></term>
- <listitem><para>When true, subnets of the received IPv6 prefix are assigned to downstream
- interfaces which enables <varname>DHCPPrefixDelegation=</varname>. See also
+ <varlistentry>
+ <term><varname>Use6RD=</varname></term>
+ <listitem>
+ <para>When true, subnets of the received IPv6 prefix are assigned to downstream interfaces
+ which enables <varname>DHCPPrefixDelegation=</varname>. See also
<varname>DHCPPrefixDelegation=</varname> in the [Network] section, the [DHCPPrefixDelegation]
section, and <ulink url="https://tools.ietf.org/html/rfc5969">RFC 5969</ulink>. Defaults to
- false.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>FallbackLeaseLifetimeSec=</varname></term>
- <listitem>
- <para>Allows to set DHCPv4 lease lifetime when DHCPv4 server does not send the lease lifetime.
- Takes one of <literal>forever</literal> or <literal>infinity</literal>. The latter means that the
- address never expires. Defaults to unset.</para>
- </listitem>
- </varlistentry>
+ false.</para>
+ </listitem>
+ </varlistentry>
- <!-- How to communicate with the server -->
+ <varlistentry>
+ <term><varname>FallbackLeaseLifetimeSec=</varname></term>
+ <listitem>
+ <para>Allows one to set DHCPv4 lease lifetime when DHCPv4 server does not send the lease
+ lifetime. Takes one of <literal>forever</literal> or <literal>infinity</literal>. If
+ specified, the acquired address never expires. Defaults to unset.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>RequestBroadcast=</varname></term>
- <listitem>
- <para>Request the server to use broadcast messages before the IP address has been configured.
- This is necessary for devices that cannot receive RAW packets, or that cannot receive packets at
- all before an IP address has been configured. On the other hand, this must not be enabled on
- networks where broadcasts are filtered out.</para>
- </listitem>
- </varlistentry>
+ <!-- How to communicate with the server -->
- <varlistentry>
- <term><varname>MaxAttempts=</varname></term>
- <listitem>
- <para>Specifies how many times the DHCPv4 client configuration should be attempted. Takes a
- number or <literal>infinity</literal>. Defaults to <literal>infinity</literal>. Note that the
- time between retries is increased exponentially, up to approximately one per minute, so the
- network will not be overloaded even if this number is high. The default is suitable in most
- circumstances.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>RequestBroadcast=</varname></term>
+ <listitem>
+ <para>Request the server to use broadcast messages before the IP address has been configured.
+ This is necessary for devices that cannot receive RAW packets, or that cannot receive packets
+ at all before an IP address has been configured. On the other hand, this must not be enabled
+ on networks where broadcasts are filtered out.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>ListenPort=</varname></term>
- <listitem>
- <para>Set the port from which the DHCP client packets originate.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>MaxAttempts=</varname></term>
+ <listitem>
+ <para>Specifies how many times the DHCPv4 client configuration should be attempted. Takes a
+ number or <literal>infinity</literal>. Defaults to <literal>infinity</literal>. Note that the
+ time between retries is increased exponentially, up to approximately one per minute, so the
+ network will not be overloaded even if this number is high. The default is suitable in most
+ circumstances.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>DenyList=</varname></term>
- <listitem>
- <para>A whitespace-separated list of IPv4 addresses. Each address can optionally take a
- prefix length after <literal>/</literal>. DHCP offers from servers in the list are
- rejected. Note that if <varname>AllowList=</varname> is configured then
- <varname>DenyList=</varname> is ignored.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>ListenPort=</varname></term>
+ <listitem>
+ <para>Set the port from which the DHCP client packets originate.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>AllowList=</varname></term>
- <listitem>
- <para>A whitespace-separated list of IPv4 addresses. Each address can optionally take a
- prefix length after <literal>/</literal>. DHCP offers from servers in the list are
- accepted.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>DenyList=</varname></term>
+ <listitem>
+ <para>A whitespace-separated list of IPv4 addresses. Each address can optionally take a
+ prefix length after <literal>/</literal>. DHCP offers from servers in the list are rejected.
+ Note that if <varname>AllowList=</varname> is configured then <varname>DenyList=</varname> is
+ ignored.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>SendRelease=</varname></term>
- <listitem>
- <para>When true, the DHCPv4 client sends a DHCP release packet when it stops. Defaults to
- true.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>AllowList=</varname></term>
+ <listitem>
+ <para>A whitespace-separated list of IPv4 addresses. Each address can optionally take a
+ prefix length after <literal>/</literal>. DHCP offers from servers in the list are accepted.
+ </para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>SendDecline=</varname></term>
- <listitem>
- <para>A boolean. When <literal>true</literal>, the DHCPv4 client receives the IP address from the
- DHCP server. After a new IP is received, the DHCPv4 client performs IPv4 Duplicate Address
- Detection. If duplicate use is detected, the DHCPv4 client rejects the IP by sending a
- <constant>DHCPDECLINE</constant> packet and tries to obtain an IP address again. See <ulink
- url="https://tools.ietf.org/html/rfc5227">RFC 5227</ulink>. Defaults to
- <literal>unset</literal>.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>SendRelease=</varname></term>
+ <listitem>
+ <para>When true, the DHCPv4 client sends a DHCP release packet when it stops. Defaults to
+ true.</para>
+ </listitem>
+ </varlistentry>
- </variablelist>
- </refsect1>
+ <varlistentry>
+ <term><varname>SendDecline=</varname></term>
+ <listitem>
+ <para>A boolean. When true, <command>systemd-networkd</command> performs IPv4 Duplicate
+ Address Detection to the acquired address by the DHCPv4 client. If duplicate is detected,
+ the DHCPv4 client rejects the address by sending a <constant>DHCPDECLINE</constant> packet to
+ the DHCP server, and tries to obtain an IP address again. See
+ <ulink url="https://tools.ietf.org/html/rfc5227">RFC 5227</ulink>. Defaults to false.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
<refsect1>
<title>[DHCPv6] Section Options</title>
- <para>The [DHCPv6] section configures the DHCPv6 client, if it is enabled with the
- <varname>DHCP=</varname> setting described above, or invoked by the IPv6 Router Advertisement:</para>
- <variablelist class='network-directives'>
+ <para>The [DHCPv6] section configures the DHCPv6 client, if it is enabled with the
+ <varname>DHCP=</varname> setting described above, or invoked by the IPv6 Router Advertisement:
+ </para>
- <!-- DHCP packet contents -->
+ <variablelist class='network-directives'>
- <varlistentry>
- <term><varname>MUDURL=</varname></term>
- <term><varname>IAID=</varname></term>
- <term><varname>DUIDType=</varname></term>
- <term><varname>DUIDRawData=</varname></term>
- <term><varname>RequestOptions=</varname></term>
- <listitem>
- <para>As in the [DHCPv4] section.</para>
- </listitem>
- </varlistentry>
+ <!-- DHCP packet contents -->
- <varlistentry>
- <term><varname>SendOption=</varname></term>
- <listitem>
- <para>As in the [DHCPv4] section, however because DHCPv6 uses 16-bit fields to store option
- numbers, the option number is an integer in the range 1…65536.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>MUDURL=</varname></term>
+ <term><varname>IAID=</varname></term>
+ <term><varname>DUIDType=</varname></term>
+ <term><varname>DUIDRawData=</varname></term>
+ <term><varname>RequestOptions=</varname></term>
+ <listitem>
+ <para>As in the [DHCPv4] section.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>SendVendorOption=</varname></term>
- <listitem>
- <para>Send an arbitrary vendor option in the DHCPv6 request. Takes an enterprise identifier, DHCP
- option number, data type, and data separated with a colon (<literal><replaceable>enterprise
- identifier</replaceable>:<replaceable>option</replaceable>:<replaceable>type</replaceable>:<replaceable>value</replaceable></literal>).
- Enterprise identifier is an unsigned integer in the range 1…4294967294. The option number must be
- an integer in the range 1…254. Data type takes one of <literal>uint8</literal>,
- <literal>uint16</literal>, <literal>uint32</literal>, <literal>ipv4address</literal>,
- <literal>ipv6address</literal>, or <literal>string</literal>. Special characters in the data
- string may be escaped using <ulink
- url="https://en.wikipedia.org/wiki/Escape_sequences_in_C#Table_of_escape_sequences">C-style
- escapes</ulink>. This setting can be specified multiple times. If an empty string is specified,
- then all options specified earlier are cleared. Defaults to unset.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>SendOption=</varname></term>
+ <listitem>
+ <para>As in the [DHCPv4] section, however because DHCPv6 uses 16-bit fields to store option
+ numbers, the option number is an integer in the range 1…65536.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>UserClass=</varname></term>
- <listitem>
- <para>A DHCPv6 client can use User Class option to identify the type or category of user or
- applications it represents. The information contained in this option is a string that represents
- the user class of which the client is a member. Each class sets an identifying string of
- information to be used by the DHCP service to classify clients. Special characters in the data
- string may be escaped using <ulink
- url="https://en.wikipedia.org/wiki/Escape_sequences_in_C#Table_of_escape_sequences">C-style
- escapes</ulink>. This setting can be specified multiple times. If an empty string is specified,
- then all options specified earlier are cleared. Takes a whitespace-separated list of
- strings. Note that currently <constant>NUL</constant> bytes are not allowed.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>SendVendorOption=</varname></term>
+ <listitem>
+ <para>Send an arbitrary vendor option in the DHCPv6 request. Takes an enterprise identifier,
+ DHCP option number, data type, and data separated with a colon
+ (<literal><replaceable>enterprise identifier</replaceable>:<replaceable>option</replaceable>:<replaceable>type</replaceable>:<replaceable>value</replaceable></literal>).
+ Enterprise identifier is an unsigned integer in the range 1…4294967294. The option number
+ must be an integer in the range 1…254. Data type takes one of <literal>uint8</literal>,
+ <literal>uint16</literal>, <literal>uint32</literal>, <literal>ipv4address</literal>,
+ <literal>ipv6address</literal>, or <literal>string</literal>. Special characters in the data
+ string may be escaped using
+ <ulink url="https://en.wikipedia.org/wiki/Escape_sequences_in_C#Table_of_escape_sequences">C-style
+ escapes</ulink>. This setting can be specified multiple times. If an empty string is
+ specified, then all options specified earlier are cleared. Defaults to unset.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>VendorClass=</varname></term>
- <listitem>
- <para>A DHCPv6 client can use VendorClass option to identify the vendor that manufactured the
- hardware on which the client is running. The information contained in the data area of this
- option is contained in one or more opaque fields that identify details of the hardware
- configuration. Takes a whitespace-separated list of strings.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>UserClass=</varname></term>
+ <listitem>
+ <para>A DHCPv6 client can use User Class option to identify the type or category of user or
+ applications it represents. The information contained in this option is a string that
+ represents the user class of which the client is a member. Each class sets an identifying
+ string of information to be used by the DHCP service to classify clients. Special characters
+ in the data string may be escaped using
+ <ulink url="https://en.wikipedia.org/wiki/Escape_sequences_in_C#Table_of_escape_sequences">C-style
+ escapes</ulink>. This setting can be specified multiple times. If an empty string is
+ specified, then all options specified earlier are cleared. Takes a whitespace-separated list
+ of strings. Note that currently <constant>NUL</constant> bytes are not allowed.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>PrefixDelegationHint=</varname></term>
- <listitem>
- <para>Takes an IPv6 address with prefix length in the same format as the
- <varname>Address=</varname> in the [Network] section. The DHCPv6 client will include a prefix
- hint in the DHCPv6 solicitation sent to the server. The prefix length must be in the range
- 1…128. Defaults to unset.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>VendorClass=</varname></term>
+ <listitem>
+ <para>A DHCPv6 client can use VendorClass option to identify the vendor that manufactured the
+ hardware on which the client is running. The information contained in the data area of this
+ option is contained in one or more opaque fields that identify details of the hardware
+ configuration. Takes a whitespace-separated list of strings.</para>
+ </listitem>
+ </varlistentry>
- <!-- How to use the DHCP lease -->
+ <varlistentry>
+ <term><varname>PrefixDelegationHint=</varname></term>
+ <listitem>
+ <para>Takes an IPv6 address with prefix length in the same format as the
+ <varname>Address=</varname> in the [Network] section. The DHCPv6 client will include a prefix
+ hint in the DHCPv6 solicitation sent to the server. The prefix length must be in the range
+ 1…128. Defaults to unset.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>UseAddress=</varname></term>
- <listitem>
- <para>When true (the default), the IP addresses provided by the DHCPv6 server will be
- assigned.</para>
- </listitem>
- </varlistentry>
+ <!-- How to use the DHCP lease -->
- <varlistentry>
- <term><varname>UseDelegatedPrefix=</varname></term>
- <listitem>
- <para>When true (the default), the client will request the DHCPv6 server to delegate
- prefixes. If the server provides prefixes to be delegated, then subnets of the prefixes are
- assigned to the interfaces which enables <varname>DHCPPrefixDelegation=</varname>.
- See also <varname>DHCPPrefixDelegation=</varname> in [Network] section,
- [DHCPPrefixDelegation] section, and
- <ulink url="https://www.rfc-editor.org/rfc/rfc8415.html#section-6.3">RFC 8415</ulink>.
- </para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>UseAddress=</varname></term>
+ <listitem>
+ <para>When true (the default), the IP addresses provided by the DHCPv6 server will be
+ assigned.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>UseDNS=</varname></term>
- <term><varname>UseNTP=</varname></term>
- <term><varname>UseHostname=</varname></term>
- <term><varname>UseDomains=</varname></term>
- <listitem>
- <para>As in the [DHCPv4] section.</para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><varname>UseDelegatedPrefix=</varname></term>
+ <listitem>
+ <para>When true (the default), the client will request the DHCPv6 server to delegate
+ prefixes. If the server provides prefixes to be delegated, then subnets of the prefixes are
+ assigned to the interfaces which enables <varname>DHCPPrefixDelegation=</varname>.
+ See also the <varname>DHCPPrefixDelegation=</varname> setting in the [Network] section,
+ settings in the [DHCPPrefixDelegation] section, and
+ <ulink url="https://www.rfc-editor.org/rfc/rfc8415.html#section-6.3">RFC 8415</ulink>.
+ </para>
+ </listitem>
+ </varlistentry>
- <!-- How to communicate with the server -->
+ <varlistentry>
+ <term><varname>UseDNS=</varname></term>
+ <term><varname>UseNTP=</varname></term>
+ <term><varname>UseHostname=</varname></term>
+ <term><varname>UseDomains=</varname></term>
+ <listitem>
+ <para>As in the [DHCPv4] section.</para>
+ </listitem>
+ </varlistentry>
- <varlistentry>
- <term><varname>WithoutRA=</varname></term>
- <listitem>
- <para>Allows DHCPv6 client to start without router advertisements's managed or other
- address configuration flag. Takes one of <literal>no</literal>, <literal>solicit</literal>
- or <literal>information-request</literal>. If this is not specified,
- <literal>solicit</literal> is used when <varname>DHCPPrefixDelegation=</varname> is
- enabled and <varname>UplinkInterface=:self</varname> is specified in the
- [DHCPPrefixDelegation] section. Otherwise, defaults to <literal>no</literal>, and the
- DHCPv6 client will be started when an RA is received. See also
- <varname>DHCPv6Client=</varname> setting in the [IPv6AcceptRA] section.</para>
- </listitem>
- </varlistentry>
- </variablelist>
+ <!-- How to communicate with the server -->
+
+ <varlistentry>
+ <term><varname>WithoutRA=</varname></term>
+ <listitem>
+ <para>Allows DHCPv6 client to start without router advertisements's managed or other
+ address configuration flag. Takes one of <literal>no</literal>, <literal>solicit</literal>
+ or <literal>information-request</literal>. If this is not specified,
+ <literal>solicit</literal> is used when <varname>DHCPPrefixDelegation=</varname> is enabled
+ and <varname>UplinkInterface=:self</varname> is specified in the [DHCPPrefixDelegation]
+ section. Otherwise, defaults to <literal>no</literal>, and the DHCPv6 client will be started
+ when an RA is received. See also the <varname>DHCPv6Client=</varname> setting in the
+ [IPv6AcceptRA] section.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
</refsect1>
<refsect1>
<citerefentry><refentrytitle>sd-id128</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
<citerefentry><refentrytitle>sd_id128_from_string</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
and
- <citerefentry><refentrytitle>sd_id128_get_machine</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>sd_id128_get_machine</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
</para>
<para>
Note that the <literal>prefixstable</literal> algorithm uses both the interface
<term><varname>DNS=</varname></term>
<listitem><para><varname>EmitDNS=</varname> takes a boolean. Configures whether the DHCP leases
- handed out to clients shall contain DNS server information. Defaults to <literal>yes</literal>. The
- DNS servers to pass to clients may be configured with the <varname>DNS=</varname> option, which takes
- a list of IPv4 addresses. If the <varname>EmitDNS=</varname> option is enabled but no servers
- configured, the servers are automatically propagated from an "uplink" interface that has appropriate
- servers set. The "uplink" interface is determined by the default route of the system with the highest
- priority. Note that this information is acquired at the time the lease is handed out, and does not
- take uplink interfaces into account that acquire DNS server information at a later point. If no
- suitable uplink interface is found the DNS server data from <filename>/etc/resolv.conf</filename> is
- used. Also, note that the leases are not refreshed if the uplink network configuration changes. To
- ensure clients regularly acquire the most current uplink DNS server information, it is thus advisable
- to shorten the DHCP lease time via <varname>MaxLeaseTimeSec=</varname> described
- above.</para></listitem>
+ handed out to clients shall contain DNS server information. Defaults to <literal>yes</literal>.
+ The DNS servers to pass to clients may be configured with the <varname>DNS=</varname> option,
+ which takes a list of IPv4 addresses, or special value <literal>_server_address</literal> which
+ will be converted to the address used by the DHCP server.</para>
+
+ <para>If the <varname>EmitDNS=</varname> option is enabled but no servers configured, the
+ servers are automatically propagated from an "uplink" interface that has appropriate servers
+ set. The "uplink" interface is determined by the default route of the system with the highest
+ priority. Note that this information is acquired at the time the lease is handed out, and does
+ not take uplink interfaces into account that acquire DNS server information at a later point.
+ If no suitable uplink interface is found the DNS server data from
+ <filename>/etc/resolv.conf</filename> is used. Also, note that the leases are not refreshed if
+ the uplink network configuration changes. To ensure clients regularly acquire the most current
+ uplink DNS server information, it is thus advisable to shorten the DHCP lease time via
+ <varname>MaxLeaseTimeSec=</varname> described above.</para>
+
+ <para>This setting can be specified multiple times. If an empty string is specified, then all
+ DNS servers specified earlier are cleared.</para></listitem>
</varlistentry>
<varlistentry>
<filename>/etc/localtime</filename> symlink.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>BootServerAddress=</varname></term>
+
+ <listitem>
+ <para>Takes an IPv4 address of the boot server used by e.g. PXE boot systems. When specified,
+ the address is set to the <literal>siaddr</literal> field of the DHCP message header. See
+ <ulink url="https://www.rfc-editor.org/rfc/rfc2131.html">RFC 2131</ulink> for more details.
+ Defaults to unset.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>BootServerName=</varname></term>
+
+ <listitem>
+ <para>Takes a name of the boot server used by e.g. PXE boot systems. When specified, the
+ server name is set to the DHCP option 66. See
+ <ulink url="https://www.rfc-editor.org/rfc/rfc2132.html">RFC 2132</ulink> for more details.
+ Defaults to unset.</para>
+ <para>Note that typically one of
+ <varname>BootServerName=</varname>/<varname>BootServerAddress=</varname> is sufficient to be
+ set, but both can be set too, if desired.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>BootFilename=</varname></term>
+
+ <listitem>
+ <para>Takes a path or URL to a file loaded by e.g. a PXE boot loader. The specified path is
+ set to the DHCP option 67. See
+ <ulink url="https://www.rfc-editor.org/rfc/rfc2132.html">RFC 2132</ulink> for more details.
+ Defaults to unset.</para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><varname>SendOption=</varname></term>
<listitem>
receiving port. When unset, the kernel's default will be used.</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>Isolated=</varname></term>
+ <listitem>
+ <para>Takes a boolean. Configures whether this port is isolated or not. Within a bridge,
+ isolated ports can only communicate with non-isolated ports. When set to true, this port can only
+ communicate with other ports whose Isolated setting is false. When set to false, this port
+ can communicate with any other ports. When unset, the kernel's default will be used.</para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><varname>UseBPDU=</varname></term>
<listitem>
<term><varname>SyncJumpWidth=</varname></term>
<listitem>
<para>Specifies the time quanta, propagation segment, phase buffer segment 1 and 2, and the
- synchronization jump width, which allow to define the CAN bit-timing in a hardware
+ synchronization jump width, which allow one to define the CAN bit-timing in a hardware
independent format as proposed by the Bosch CAN 2.0 Specification.
<varname>TimeQuantaNSec=</varname> takes a timespan in nanoseconds.
<varname>PropagationSegment=</varname>, <varname>PhaseBufferSegment1=</varname>,
<varlistentry>
<term><option>src-host</option></term>
<listitem><para>
- Flows are defined only by source address. Equivalnet to the <literal>srchost</literal>
+ Flows are defined only by source address. Equivalent to the <literal>srchost</literal>
option for <command>tc qdisc</command> command. See also
<citerefentry project='man-pages'><refentrytitle>tc-cake</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
</para></listitem>
<varlistentry>
<term><option>dst-host</option></term>
<listitem><para>
- Flows are defined only by destination address. Equivalnet to the
- <literal>srchost</literal> option for <command>tc qdisc</command> command. See also
+ Flows are defined only by destination address. Equivalent to the
+ <literal>dsthost</literal> option for <command>tc qdisc</command> command. See also
<citerefentry project='man-pages'><refentrytitle>tc-cake</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
</para></listitem>
</varlistentry>
<term><option>dual-src-host</option></term>
<listitem><para>
Flows are defined by the 5-tuple (see <literal>flows</literal> in the above), and
- fairness is applied first over source addresses, then over individual flows. Equivalnet
+ fairness is applied first over source addresses, then over individual flows. Equivalent
to the <literal>dual-srchost</literal> option for <command>tc qdisc</command> command.
See also
<citerefentry project='man-pages'><refentrytitle>tc-cake</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
<listitem><para>
Flows are defined by the 5-tuple (see <literal>flows</literal> in the above), and
fairness is applied first over destination addresses, then over individual flows.
- Equivalnet to the <literal>dual-dsthost</literal> option for
+ Equivalent to the <literal>dual-dsthost</literal> option for
<command>tc qdisc</command> command. See also
<citerefentry project='man-pages'><refentrytitle>tc-cake</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
</para></listitem>
<listitem><para>
Flows are defined by the 5-tuple (see <literal>flows</literal>), and fairness is
applied over source and destination addresses, and also over individual flows.
- Equivalnet to the <literal>triple-isolate</literal> option for
+ Equivalent to the <literal>triple-isolate</literal> option for
<command>tc qdisc</command> command. See also
<citerefentry project='man-pages'><refentrytitle>tc-cake</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
</para></listitem>
</example>
<example>
- <title>IPv6 Prefix Delegation</title>
+ <title>IPv6 Prefix Delegation (DHCPv6 PD)</title>
- <programlisting># /etc/systemd/network/55-ipv6-pd-upstream.network
+ <programlisting># /etc/systemd/network/55-dhcpv6-pd-upstream.network
[Match]
Name=enp1s0
[Network]
-DHCP=ipv6</programlisting>
+DHCP=ipv6
+
+# The below setting is optional, to also assign an address in the delegated prefix
+# to the upstream interface. If not necessary, then comment out the line below and
+# the [DHCPPrefixDelegation] section.
+DHCPPrefixDelegation=yes
+
+# If the upstream network provides Router Advertisement with Managed bit set,
+# then comment out the line below and WithoutRA= setting in the [DHCPv6] section.
+IPv6AcceptRA=no
+
+[DHCPv6]
+WithoutRA=solicit
- <programlisting># /etc/systemd/network/56-ipv6-pd-downstream.network
+[DHCPPrefixDelegation]
+UplinkInterface=:self
+SubnetId=0
+Announce=no</programlisting>
+
+ <programlisting># /etc/systemd/network/55-dhcpv6-pd-downstream.network
[Match]
Name=enp2s0
[Network]
+DHCPPrefixDelegation=yes
IPv6SendRA=yes
-DHCPPrefixDelegation=yes</programlisting>
+
+# It is expected that the host is acting as a router. So, usually it is not
+# necessary to receive Router Advertisement from other hosts in the downstream network.
+IPv6AcceptRA=no
+
+[DHCPPrefixDelegation]
+UplinkInterface=enp1s0
+SubnetId=1
+Announce=yes</programlisting>
<para>This will enable DHCPv6-PD on the interface enp1s0 as an upstream interface where the
DHCPv6 client is running and enp2s0 as a downstream interface where the prefix is delegated to.
</para>
</example>
+ <example>
+ <title>IPv6 Prefix Delegation (DHCPv4 6RD)</title>
+
+ <programlisting># /etc/systemd/network/55-dhcpv4-6rd-upstream.network
+[Match]
+Name=enp1s0
+
+[Network]
+DHCP=ipv4
+
+# When DHCPv4-6RD is used, the upstream network does not support IPv6.
+# Hence, it is not necessary to wait for Router Advertisement, which is enabled by default.
+IPv6AcceptRA=no
+
+[DHCPv4]
+Use6RD=yes</programlisting>
+
+ <programlisting># /etc/systemd/network/55-dhcpv4-6rd-downstream.network
+[Match]
+Name=enp2s0
+
+[Network]
+DHCPPrefixDelegation=yes
+IPv6SendRA=yes
+
+# It is expected that the host is acting as a router. So, usually it is not
+# necessary to receive Router Advertisement from other hosts in the downstream network.
+IPv6AcceptRA=no
+
+[DHCPPrefixDelegation]
+UplinkInterface=enp1s0
+SubnetId=1
+Announce=yes</programlisting>
+
+ <para>This will enable DHCPv4-6RD on the interface enp1s0 as an upstream interface where the
+ DHCPv4 client is running and enp2s0 as a downstream interface where the prefix is delegated to.
+ The delegated prefixes are distributed by IPv6 Router Advertisement on the downstream network.
+ </para>
+ </example>
+
<example>
<title>A bridge with two enslaved links</title>
</example>
<example>
- <title></title>
+ <title>Bridge port with VLAN forwarding</title>
<programlisting>
-# /etc/systemd/network/20-bridge-slave-interface-vlan.network
+# /etc/systemd/network/25-bridge-slave-interface-1.network
[Match]
Name=enp2s0
<programlisting># /etc/systemd/network/27-xfrm.netdev
[NetDev]
Name=xfrm0
+Kind=xfrm
[Xfrm]
InterfaceId=7</programlisting>