git.ipfire.org Git - thirdparty/systemd.git/blame - man/systemd.netdev.xml
Merge pull request #15955 from anitazha/nullorempty
<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1+ -->

<refentry id="systemd.netdev" conditional='ENABLE_NETWORKD'>

  <refentryinfo>
    <title>systemd.network</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>systemd.netdev</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>systemd.netdev</refname>
    <refpurpose>Virtual Network Device configuration</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename><replaceable>netdev</replaceable>.netdev</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>A plain ini-style text file that encodes configuration about a virtual network device, used by
    <citerefentry><refentrytitle>systemd-networkd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
    See <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry>
    for a general description of the syntax.</para>

    <para>The main Virtual Network Device file must have the extension <filename>.netdev</filename>;
    other extensions are ignored. Virtual network devices are created as soon as networkd is
    started. If a netdev with the specified name already exists, networkd will use that as-is rather
    than create its own. Note that the settings of the pre-existing netdev will not be changed by
    networkd.</para>

    <para>The <filename>.netdev</filename> files are read from the files located in the system
    network directory <filename>/usr/lib/systemd/network</filename>, the volatile runtime network
    directory <filename>/run/systemd/network</filename> and the local administration network
    directory <filename>/etc/systemd/network</filename>. All configuration files are collectively
    sorted and processed in lexical order, regardless of the directories in which they live.
    However, files with identical filenames replace each other. Files in <filename>/etc</filename>
    have the highest priority, files in <filename>/run</filename> take precedence over files with
    the same name in <filename>/usr/lib</filename>. This can be used to override a system-supplied
    configuration file with a local file if needed. As a special case, an empty file (file size 0)
    or symlink with the same name pointing to <filename>/dev/null</filename> disables the
    configuration file entirely (it is "masked").</para>

    <para>Along with the netdev file <filename>foo.netdev</filename>, a "drop-in" directory
    <filename>foo.netdev.d/</filename> may exist. All files with the suffix <literal>.conf</literal>
    from this directory will be parsed after the file itself is parsed. This is useful to alter or
    add configuration settings, without having to modify the main configuration file. Each drop-in
    file must have appropriate section headers.</para>

    <para>In addition to <filename>/etc/systemd/network</filename>, drop-in <literal>.d</literal>
    directories can be placed in <filename>/usr/lib/systemd/network</filename> or
    <filename>/run/systemd/network</filename> directories. Drop-in files in
    <filename>/etc</filename> take precedence over those in <filename>/run</filename> which in turn
    take precedence over those in <filename>/usr/lib</filename>. Drop-in files under any of these
    directories take precedence over the main netdev file wherever located. (Of course, since
    <filename>/run</filename> is temporary and <filename>/usr/lib</filename> is for vendors, it is
    unlikely drop-ins should be used in either of those places.)</para>
  </refsect1>
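<!-- Added example, not part of the systemd man page or the systemd code base: a Python sketch of the lookup rules in the Description section (directory priority, same-name replacement, masking and drop-ins), useful for auditing which file actually takes effect. The function names, the root parameter and the constructed sample tree are assumptions made for illustration; networkd's own loader may differ in details.

```python
import os
from pathlib import Path

# Search directories from the man page, lowest priority first.
SEARCH_DIRS = (
    "usr/lib/systemd/network",
    "run/systemd/network",
    "etc/systemd/network",
)


def is_masked(path):
    """True for an empty file or a symlink that resolves to /dev/null."""
    if path.is_symlink() and os.path.realpath(path) == "/dev/null":
        return True
    return path.is_file() and path.stat().st_size == 0


def collect(dirs, suffix):
    """Map file name to the paths carrying it, lowest priority first."""
    found = {}
    for directory in dirs:
        if not directory.is_dir():
            continue
        for entry in directory.iterdir():
            if entry.name.endswith(suffix) and (entry.is_file() or entry.is_symlink()):
                found.setdefault(entry.name, []).append(entry)
    return found


def resolve_netdevs(root="/"):
    """Return one record per .netdev name, in lexical processing order."""
    dirs = [Path(root) / d for d in SEARCH_DIRS]
    records = []
    for name, paths in sorted(collect(dirs, ".netdev").items()):
        winner = paths[-1]  # highest-priority directory wins
        masked = is_masked(winner)
        dropin_dirs = [d / (name + ".d") for d in dirs]
        # Assumption: same-named drop-ins replace each other by directory
        # priority and the survivors are applied in lexical order.
        dropins = [p[-1] for _, p in sorted(collect(dropin_dirs, ".conf").items())]
        records.append({
            "name": name,
            "effective": None if masked else winner,
            "masked_by": winner if masked else None,
            "shadowed": paths[:-1],
            "dropins": [] if masked else dropins,
        })
    return records


def build_demo_tree(root):
    """Create a constructed sample tree under root (not real host data)."""
    net = "systemd/network/"
    files = {
        "usr/lib/" + net + "10-br0.netdev": "[NetDev]\nName=br0\nKind=bridge\n",
        "etc/" + net + "10-br0.netdev": "[NetDev]\nName=br0\nKind=bridge\n",
        "usr/lib/" + net + "20-vx.netdev": "[NetDev]\nName=vx0\nKind=vxlan\n",
        "run/" + net + "20-vx.netdev": "[NetDev]\nName=vx0\nKind=vxlan\n",
        "usr/lib/" + net + "30-dummy.netdev": "[NetDev]\nName=dummy0\nKind=dummy\n",
        "usr/lib/" + net + "10-br0.netdev.d/50-stp.conf": "[Bridge]\nSTP=no\n",
        "etc/" + net + "10-br0.netdev.d/50-stp.conf": "[Bridge]\nSTP=yes\n",
        "run/" + net + "10-br0.netdev.d/10-age.conf": "[Bridge]\nAgeingTimeSec=300\n",
    }
    for rel, text in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    # Mask the vendor dummy device from /etc with a symlink to /dev/null.
    os.symlink("/dev/null", Path(root) / "etc" / net / "30-dummy.netdev")


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        for rec in resolve_netdevs(tmp):
            state = rec["effective"] or "masked by %s" % rec["masked_by"]
            print(rec["name"], "=>", state)
            for path in rec["shadowed"]:
                print("    shadows", path)
            for path in rec["dropins"]:
                print("    drop-in", path)
```

Calling resolve_netdevs("/") on a host lists, for each name, the effective file, the copies it shadows and the drop-ins that modify it.
-->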

  <refsect1>
    <title>Supported netdev kinds</title>

    <para>The following kinds of virtual network devices may be
    configured in <filename>.netdev</filename> files:</para>

    <table>
      <title>Supported kinds of virtual network devices</title>

      <tgroup cols='2'>
        <colspec colname='kind' />
        <colspec colname='explanation' />
        <thead><row>
          <entry>Kind</entry>
          <entry>Description</entry>
        </row></thead>
        <tbody>
          <row><entry><varname>bond</varname></entry>
          <entry>A bond device is an aggregation of all its slave devices. See <ulink url="https://www.kernel.org/doc/Documentation/networking/bonding.txt">Linux Ethernet Bonding Driver HOWTO</ulink> for details.</entry></row>

          <row><entry><varname>bridge</varname></entry>
          <entry>A bridge device is a software switch, and each of its slave devices and the bridge itself are ports of the switch.</entry></row>

          <row><entry><varname>dummy</varname></entry>
          <entry>A dummy device drops all packets sent to it.</entry></row>

          <row><entry><varname>gre</varname></entry>
          <entry>A Level 3 GRE tunnel over IPv4. See <ulink url="https://tools.ietf.org/html/rfc2784">RFC 2784</ulink> for details.</entry></row>

          <row><entry><varname>gretap</varname></entry>
          <entry>A Level 2 GRE tunnel over IPv4.</entry></row>

          <row><entry><varname>erspan</varname></entry>
          <entry>ERSPAN mirrors traffic on one or more source ports and delivers the mirrored traffic to one or more destination ports on another switch. The traffic is encapsulated in generic routing encapsulation (GRE) and is therefore routable across a layer 3 network between the source switch and the destination switch.</entry></row>

          <row><entry><varname>ip6gre</varname></entry>
          <entry>A Level 3 GRE tunnel over IPv6.</entry></row>

          <row><entry><varname>ip6tnl</varname></entry>
          <entry>An IPv4 or IPv6 tunnel over IPv6.</entry></row>

          <row><entry><varname>ip6gretap</varname></entry>
          <entry>A Level 2 GRE tunnel over IPv6.</entry></row>

          <row><entry><varname>ipip</varname></entry>
          <entry>An IPv4 over IPv4 tunnel.</entry></row>

          <row><entry><varname>ipvlan</varname></entry>
          <entry>An IPVLAN device is a stacked device which receives packets from its underlying device based on IP address filtering.</entry></row>

          <row><entry><varname>ipvtap</varname></entry>
          <entry>An IPVTAP device is a stacked device which receives packets from its underlying device based on IP address filtering and can be accessed using the tap user space interface.</entry></row>

          <row><entry><varname>macvlan</varname></entry>
          <entry>A macvlan device is a stacked device which receives packets from its underlying device based on MAC address filtering.</entry></row>

          <row><entry><varname>macvtap</varname></entry>
          <entry>A macvtap device is a stacked device which receives packets from its underlying device based on MAC address filtering.</entry></row>

          <row><entry><varname>sit</varname></entry>
          <entry>An IPv6 over IPv4 tunnel.</entry></row>

          <row><entry><varname>tap</varname></entry>
          <entry>A persistent Level 2 tunnel between a network device and a device node.</entry></row>

          <row><entry><varname>tun</varname></entry>
          <entry>A persistent Level 3 tunnel between a network device and a device node.</entry></row>

          <row><entry><varname>veth</varname></entry>
          <entry>An Ethernet tunnel between a pair of network devices.</entry></row>

          <row><entry><varname>vlan</varname></entry>
          <entry>A VLAN is a stacked device which receives packets from its underlying device based on VLAN tagging. See <ulink url="http://www.ieee802.org/1/pages/802.1Q.html">IEEE 802.1Q</ulink> for details.</entry></row>

          <row><entry><varname>vti</varname></entry>
          <entry>An IPv4 over IPSec tunnel.</entry></row>

          <row><entry><varname>vti6</varname></entry>
          <entry>An IPv6 over IPSec tunnel.</entry></row>

          <row><entry><varname>vxlan</varname></entry>
          <entry>A virtual extensible LAN (vxlan), for connecting Cloud computing deployments.</entry></row>

          <row><entry><varname>geneve</varname></entry>
          <entry>A GEneric NEtwork Virtualization Encapsulation (GENEVE) netdev driver.</entry></row>

          <row><entry><varname>l2tp</varname></entry>
          <entry>A Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It does not provide any encryption or confidentiality by itself.</entry></row>

          <row><entry><varname>macsec</varname></entry>
          <entry>Media Access Control Security (MACsec) is an 802.1AE IEEE industry-standard security technology that provides secure communication for all traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly connected nodes and is capable of identifying and preventing most security threats.</entry></row>

          <row><entry><varname>vrf</varname></entry>
          <entry>A Virtual Routing and Forwarding (<ulink url="https://www.kernel.org/doc/Documentation/networking/vrf.txt">VRF</ulink>) interface to create separate routing and forwarding domains.</entry></row>

          <row><entry><varname>vcan</varname></entry>
          <entry>The virtual CAN driver (vcan). Similar to the network loopback devices, vcan offers a virtual local CAN interface.</entry></row>

          <row><entry><varname>vxcan</varname></entry>
          <entry>The virtual CAN tunnel driver (vxcan). Similar to the virtual ethernet driver veth, vxcan implements a local CAN traffic tunnel between two virtual CAN network devices. When creating a vxcan, two vxcan devices are created as a pair. When one end receives the packet it appears on its pair and vice versa. The vxcan can be used for cross namespace communication.
          </entry></row>

          <row><entry><varname>wireguard</varname></entry>
          <entry>WireGuard Secure Network Tunnel.</entry></row>

          <row><entry><varname>nlmon</varname></entry>
          <entry>A Netlink monitor device. Use an nlmon device when you want to monitor system Netlink messages.</entry></row>

          <row><entry><varname>fou</varname></entry>
          <entry>Foo-over-UDP tunneling.</entry></row>

          <row><entry><varname>xfrm</varname></entry>
          <entry>A virtual tunnel interface like vti/vti6 but with several advantages.</entry></row>

          <row><entry><varname>ifb</varname></entry>
          <entry>The Intermediate Functional Block (ifb) pseudo network interface acts as a QoS concentrator for multiple different sources of traffic.</entry></row>

        </tbody>
      </tgroup>
    </table>

  </refsect1>

  <refsect1>
    <title>[Match] Section Options</title>

    <para>A virtual network device is only created if the
    [Match] section matches the current
    environment, or if the section is empty. The following keys are
    accepted:</para>

    <variablelist class='network-directives'>
      <varlistentry>
        <term><varname>Host=</varname></term>
        <listitem>
          <para>Matches against the hostname or machine ID of the host. See
          <literal>ConditionHost=</literal> in
          <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          for details. When prefixed with an exclamation mark (<literal>!</literal>), the result is negated.
          If an empty string is assigned, the previously assigned value is cleared.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>Virtualization=</varname></term>
        <listitem>
          <para>Checks whether the system is executed in a virtualized environment and optionally tests
          whether it is a specific implementation. See <literal>ConditionVirtualization=</literal> in
          <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          for details. When prefixed with an exclamation mark (<literal>!</literal>), the result is negated.
          If an empty string is assigned, the previously assigned value is cleared.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>KernelCommandLine=</varname></term>
        <listitem>
          <para>Checks whether a specific kernel command line option is set. See
          <literal>ConditionKernelCommandLine=</literal> in
          <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          for details. When prefixed with an exclamation mark (<literal>!</literal>), the result is negated.
          If an empty string is assigned, the previously assigned value is cleared.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>KernelVersion=</varname></term>
        <listitem>
          <para>Checks whether the kernel version (as reported by <command>uname -r</command>) matches a
          certain expression. See <literal>ConditionKernelVersion=</literal> in
          <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          for details. When prefixed with an exclamation mark (<literal>!</literal>), the result is negated.
          If an empty string is assigned, the previously assigned value is cleared.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>Architecture=</varname></term>
        <listitem>
          <para>Checks whether the system is running on a specific architecture. See
          <literal>ConditionArchitecture=</literal> in
          <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          for details. When prefixed with an exclamation mark (<literal>!</literal>), the result is negated.
          If an empty string is assigned, the previously assigned value is cleared.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>[NetDev] Section Options</title>

    <para>The [NetDev] section accepts the
    following keys:</para>

    <variablelist class='network-directives'>
      <varlistentry>
        <term><varname>Description=</varname></term>
        <listitem>
          <para>A free-form description of the netdev.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>Name=</varname></term>
        <listitem>
          <para>The interface name used when creating the netdev.
          This setting is compulsory.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>Kind=</varname></term>
        <listitem>
          <para>The netdev kind. This setting is compulsory. See the
          <literal>Supported netdev kinds</literal> section for the
          valid keys.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>MTUBytes=</varname></term>
        <listitem>
          <para>The maximum transmission unit in bytes to set for the device. The usual suffixes K, M, G
          are supported and are understood to the base of 1024. For <literal>tun</literal> or
          <literal>tap</literal> devices, the <varname>MTUBytes=</varname> setting is not currently supported in
          the [NetDev] section. Please specify it in the [Link] section of the
          corresponding
          <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          files.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>MACAddress=</varname></term>
        <listitem>
          <para>The MAC address to use for the device. For <literal>tun</literal> or <literal>tap</literal>
          devices, setting <varname>MACAddress=</varname> in the [NetDev] section is not
          supported. Please specify it in the [Link] section of the corresponding
          <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          file. If this option is not set, <literal>vlan</literal> devices inherit the MAC address of the
          physical interface. For other kinds of netdevs, if this option is not set, the MAC address is
          generated based on the interface name and the
          <citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>[Bridge] Section Options</title>

    <para>The [Bridge] section only applies for
    netdevs of kind <literal>bridge</literal>, and accepts the
    following keys:</para>

    <variablelist class='network-directives'>
      <varlistentry>
        <term><varname>HelloTimeSec=</varname></term>
        <listitem>
          <para>HelloTimeSec specifies the number of seconds between two hello packets
          sent out by the root bridge and the designated bridges. Hello packets are
          used to communicate information about the topology throughout the entire
          bridged local area network.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>MaxAgeSec=</varname></term>
        <listitem>
          <para>MaxAgeSec specifies the number of seconds of maximum message age.
          If the last seen (received) hello packet is more than this number of
          seconds old, the bridge in question will start the takeover procedure
          in an attempt to become the Root Bridge itself.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>ForwardDelaySec=</varname></term>
        <listitem>
          <para>ForwardDelaySec specifies the number of seconds spent in each
          of the Listening and Learning states before the Forwarding state is entered.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>AgeingTimeSec=</varname></term>
        <listitem>
          <para>This specifies the number of seconds a MAC Address will be kept in
          the forwarding database after having a packet received from this MAC Address.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>Priority=</varname></term>
        <listitem>
          <para>The priority of the bridge. An integer between 0 and 65535. A lower value
          means higher priority. The bridge having the lowest priority will be elected as root bridge.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>GroupForwardMask=</varname></term>
        <listitem>
          <para>A 16-bit bitmask represented as an integer which allows forwarding of link
          local frames with 802.1D reserved addresses (01:80:C2:00:00:0X). A logical AND
          is performed between the specified bitmask and 2^X, where X is the
          lower nibble of the last octet of the MAC address. For example, a value of 8
          would allow forwarding of frames addressed to 01:80:C2:00:00:03 (802.1X PAE).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>DefaultPVID=</varname></term>
        <listitem>
          <para>This specifies the default port VLAN ID of a newly attached bridge port.
          Set this to an integer in the range 1–4094 or <literal>none</literal> to disable the PVID.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>MulticastQuerier=</varname></term>
        <listitem>
          <para>Takes a boolean. This setting controls the IFLA_BR_MCAST_QUERIER option in the kernel.
          If enabled, the kernel will send general ICMP queries from a zero source address.
          This feature should allow faster convergence on startup, but it causes some
          multicast-aware switches to misbehave and disrupt forwarding of multicast packets.
          When unset, the kernel's default will be used.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>MulticastSnooping=</varname></term>
        <listitem>
          <para>Takes a boolean. This setting controls the IFLA_BR_MCAST_SNOOPING option in the kernel.
          If enabled, IGMP snooping monitors the Internet Group Management Protocol (IGMP) traffic
          between hosts and multicast routers. When unset, the kernel's default will be used.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>VLANFiltering=</varname></term>
        <listitem>
          <para>Takes a boolean. This setting controls the IFLA_BR_VLAN_FILTERING option in the kernel.
          If enabled, the bridge will be started in VLAN-filtering mode. When unset, the kernel's default will be used.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>VLANProtocol=</varname></term>
        <listitem>
          <para>Allows setting the protocol used for VLAN filtering. Takes
          <option>802.1q</option> or
          <option>802.1ad</option>. Defaults to unset, in which case the kernel's default is used.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>STP=</varname></term>
        <listitem>
          <para>Takes a boolean. This enables the bridge's Spanning Tree Protocol (STP).
          When unset, the kernel's default will be used.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>MulticastIGMPVersion=</varname></term>
        <listitem>
          <para>Allows changing the bridge's multicast Internet Group Management Protocol (IGMP) version.
          Takes an integer 2 or 3. When unset, the kernel's default will be used.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
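<!-- Added example, not part of the systemd man page or code base: a Python helper that decodes and builds GroupForwardMask= values as described above, so a reviewer can see which reserved link-local frames a bridge configuration would let through. The function names and the table of common uses are assumptions for illustration; the restricted-bits value reflects the Linux bridge constant BR_GROUPFWD_RESTRICTED and is not stated on this page.

```python
PREFIX = "01:80:C2:00:00:0"

# Common uses of the reserved addresses, keyed by X (the low nibble).
KNOWN_USES = {
    0x0: "STP BPDU",
    0x1: "MAC PAUSE (802.3x)",
    0x2: "slow protocols (LACP)",
    0x3: "802.1X PAE",
    0xE: "LLDP",
}

# Assumption from the Linux bridge code (BR_GROUPFWD_RESTRICTED): bits 0 to 2
# cannot be set on a bridge, so STP, PAUSE and LACP frames are never forwarded.
RESTRICTED_BITS = 0x0007


def forwarded_addresses(mask):
    """List the 01:80:C2:00:00:0X addresses whose bit 2^X is set in mask."""
    if not 0 <= mask <= 0xFFFF:
        raise ValueError("GroupForwardMask is a 16-bit value")
    return ["%s%X" % (PREFIX, x) for x in range(16) if mask & (1 << x)]


def mask_for(addresses):
    """Build the mask that forwards exactly the given reserved addresses."""
    mask = 0
    for addr in addresses:
        norm = addr.upper().replace("-", ":")
        if len(norm) != 17 or not norm.startswith(PREFIX):
            raise ValueError("not an 802.1D reserved address: %s" % addr)
        mask |= 1 << int(norm[-1], 16)
    return mask


def audit(mask):
    """Describe every address a mask forwards and flag restricted bits."""
    report = []
    for addr in forwarded_addresses(mask):
        x = int(addr[-1], 16)
        report.append({
            "address": addr,
            "use": KNOWN_USES.get(x, "other reserved address"),
            "rejected_by_kernel": bool((1 << x) & RESTRICTED_BITS),
        })
    return report


if __name__ == "__main__":
    # The man page's own example: a value of 8 forwards 802.1X PAE frames.
    for entry in audit(8):
        print(entry)
    # Constructed example: forward 802.1X PAE and LLDP.
    print(mask_for(["01:80:C2:00:00:03", "01:80:C2:00:00:0E"]))
```
-->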

  <refsect1>
    <title>[VLAN] Section Options</title>

    <para>The [VLAN] section only applies for
    netdevs of kind <literal>vlan</literal>, and accepts the
    following keys:</para>

    <variablelist class='network-directives'>
      <varlistentry>
        <term><varname>Id=</varname></term>
        <listitem>
          <para>The VLAN ID to use. An integer in the range 0–4094.
          This setting is compulsory.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>GVRP=</varname></term>
        <listitem>
          <para>Takes a boolean. The Generic VLAN Registration Protocol (GVRP) is a protocol that
          allows automatic learning of VLANs on a network.
          When unset, the kernel's default will be used.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>MVRP=</varname></term>
        <listitem>
          <para>Takes a boolean. Multiple VLAN Registration Protocol (MVRP), formerly known as GARP VLAN
          Registration Protocol (GVRP), is a standards-based Layer 2 network protocol
          for automatic configuration of VLAN information on switches. It was defined
          in the 802.1ak amendment to 802.1Q-2005. When unset, the kernel's default will be used.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>LooseBinding=</varname></term>
        <listitem>
          <para>Takes a boolean. The VLAN loose binding mode, in which only the operational state is passed
          from the parent to the associated VLANs, but the VLAN device state is not changed.
          When unset, the kernel's default will be used.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>ReorderHeader=</varname></term>
        <listitem>
          <para>Takes a boolean. When enabled, the VLAN reorder header is used and VLAN interfaces behave
          like physical interfaces. When unset, the kernel's default will be used.</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>[MACVLAN] Section Options</title>

    <para>The [MACVLAN] section only applies for
    netdevs of kind <literal>macvlan</literal>, and accepts the
    following key:</para>

    <variablelist class='network-directives'>
      <varlistentry>
        <term><varname>Mode=</varname></term>
        <listitem>
          <para>The MACVLAN mode to use. The supported options are
          <literal>private</literal>,
          <literal>vepa</literal>,
          <literal>bridge</literal>, and
          <literal>passthru</literal>.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>[MACVTAP] Section Options</title>

    <para>The [MACVTAP] section applies for
    netdevs of kind <literal>macvtap</literal> and accepts the
    same key as [MACVLAN].</para>
  </refsect1>

  <refsect1>
    <title>[IPVLAN] Section Options</title>

    <para>The [IPVLAN] section only applies for
    netdevs of kind <literal>ipvlan</literal>, and accepts the
    following keys:</para>

    <variablelist class='network-directives'>
      <varlistentry>
        <term><varname>Mode=</varname></term>
        <listitem>
          <para>The IPVLAN mode to use. The supported options are
          <literal>L2</literal>, <literal>L3</literal> and <literal>L3S</literal>.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>Flags=</varname></term>
        <listitem>
          <para>The IPVLAN flags to use. The supported options are
          <literal>bridge</literal>, <literal>private</literal> and <literal>vepa</literal>.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>[IPVTAP] Section Options</title>

    <para>The [IPVTAP] section only applies for
    netdevs of kind <literal>ipvtap</literal> and accepts the
    same key as [IPVLAN].</para>
  </refsect1>

  <refsect1>
    <title>[VXLAN] Section Options</title>

    <para>The [VXLAN] section only applies for
    netdevs of kind <literal>vxlan</literal>, and accepts the
    following keys:</para>

    <variablelist class='network-directives'>
      <varlistentry>
        <term><varname>VNI=</varname></term>
        <listitem>
          <para>The VXLAN Network Identifier (or VXLAN Segment ID). Takes a number in the range 1-16777215.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>Remote=</varname></term>
        <listitem>
          <para>Configures the destination IP address.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>Local=</varname></term>
        <listitem>
          <para>Configures the local IP address.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>Group=</varname></term>
        <listitem>
          <para>Configures the VXLAN multicast group IP address. All members of a VXLAN must use the same
          multicast group address.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>TOS=</varname></term>
        <listitem>
          <para>The Type Of Service byte value for a vxlan interface.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>TTL=</varname></term>
        <listitem>
          <para>A fixed Time To Live N on Virtual eXtensible Local Area Network packets.
          Takes <literal>inherit</literal> or a number in the range 0–255. 0 is a special
          value meaning inherit the inner protocol's TTL value. <literal>inherit</literal>
          means that it will inherit the outer protocol's TTL value.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>MacLearning=</varname></term>
        <listitem>
          <para>Takes a boolean. When true, enables dynamic MAC learning
          to discover remote MAC addresses.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>FDBAgeingSec=</varname></term>
        <listitem>
          <para>The lifetime of a Forwarding Database entry learnt by
          the kernel, in seconds.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>MaximumFDBEntries=</varname></term>
        <listitem>
          <para>Configures the maximum number of FDB entries.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>ReduceARPProxy=</varname></term>
        <listitem>
          <para>Takes a boolean. When true, a bridge-connected VXLAN tunnel
          endpoint answers ARP requests from the local bridge on behalf
          of remote Distributed Overlay Virtual Ethernet
          <ulink url="https://en.wikipedia.org/wiki/Distributed_Overlay_Virtual_Ethernet">(DOVE)</ulink>
          clients. Defaults to false.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>L2MissNotification=</varname></term>
        <listitem>
          <para>Takes a boolean. When true, enables netlink LLADDR miss
          notifications.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>L3MissNotification=</varname></term>
        <listitem>
          <para>Takes a boolean. When true, enables netlink IP address miss notifications.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>RouteShortCircuit=</varname></term>
        <listitem>
          <para>Takes a boolean. When true, route short circuiting is turned
          on.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>UDPChecksum=</varname></term>
        <listitem>
          <para>Takes a boolean. When true, transmitting UDP checksums when doing VXLAN/IPv4 is turned on.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>UDP6ZeroChecksumTx=</varname></term>
        <listitem>
          <para>Takes a boolean. When true, sending zero checksums in VXLAN/IPv6 is turned on.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>UDP6ZeroChecksumRx=</varname></term>
        <listitem>
          <para>Takes a boolean. When true, receiving zero checksums in VXLAN/IPv6 is turned on.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>RemoteChecksumTx=</varname></term>
        <listitem>
          <para>Takes a boolean. When true, remote transmit checksum offload of VXLAN is turned on.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>RemoteChecksumRx=</varname></term>
        <listitem>
          <para>Takes a boolean. When true, remote receive checksum offload in VXLAN is turned on.</para>
        </listitem>
      </varlistentry>
488d0ba1
YW
681 <varlistentry>
682 <term><varname>GroupPolicyExtension=</varname></term>
683 <listitem>
684 <para>Takes a boolean. When true, it enables Group Policy VXLAN extension security label mechanism
685 across network peers based on VXLAN. For details about the Group Policy VXLAN, see the
686 <ulink url="https://tools.ietf.org/html/draft-smith-vxlan-group-policy">
687 VXLAN Group Policy </ulink> document. Defaults to false.</para>
688 </listitem>
689 </varlistentry>
690 <varlistentry>
691 <term><varname>GenericProtocolExtension=</varname></term>
692 <listitem>
693 <para>Takes a boolean. When true, Generic Protocol Extension extends the existing VXLAN protocol
694 to provide protocol typing, OAM, and versioning capabilities. For details about the VXLAN GPE
695 Header, see the <ulink url="https://tools.ietf.org/html/draft-ietf-nvo3-vxlan-gpe-07">
696 Generic Protocol Extension for VXLAN </ulink> document. If the destination port is not specified and
697 Generic Protocol Extension is set, the default port of 4790 is used. Defaults to false.</para>
698 </listitem>
699 </varlistentry>
700 <varlistentry>
701 <term><varname>DestinationPort=</varname></term>
702 <listitem>
703 <para>Configures the default destination UDP port on a per-device basis.
704 If destination port is not specified then Linux kernel default will be used.
705 Set destination port 4789 to get the IANA assigned value. If not set or if the
706 destination port is assigned the empty string the default port of 4789 is used.</para>
707 </listitem>
708 </varlistentry>
709 <varlistentry>
710 <term><varname>PortRange=</varname></term>
ea0288d1
SS
711 <listitem>
712 <para>Configures the VXLAN port range. VXLAN derives the source
713 UDP port from the flow so that the receiver is able
714 to load balance based on the outer header flow. It
715 restricts the port range to the normal UDP local
716 ports, and allows overriding via configuration.</para>
717 </listitem>
718 </varlistentry>
488d0ba1
YW
719 <varlistentry>
720 <term><varname>FlowLabel=</varname></term>
d8653945
SS
721 <listitem>
722 <para>Specifies the flow label to use in outgoing packets.
723 The valid range is 0-1048575.
724 </para>
725 </listitem>
488d0ba1 726 </varlistentry>
1189c00a
SS
727 <varlistentry>
728 <term><varname>IPDoNotFragment=</varname></term>
729 <listitem>
11fcfc53 730 <para>Allows setting the IPv4 Do not Fragment (DF) bit in outgoing packets, or to inherit its
1189c00a
SS
731 value from the IPv4 inner header. Takes a boolean value, or <literal>inherit</literal>. Set
732 to <literal>inherit</literal> if the encapsulated protocol is IPv6. When unset, the kernel's
733 default will be used.</para>
734 </listitem>
d8653945 735 </varlistentry>
798d3a52
ZJS
736 </variablelist>
737 </refsect1>
488d0ba1 738
6598e046
SS
739 <refsect1>
740 <title>[GENEVE] Section Options</title>
488d0ba1 741
bdac5608 742 <para>The [GENEVE] section only applies for
6598e046
SS
743 netdevs of kind <literal>geneve</literal>, and accepts the
744 following keys:</para>
745
746 <variablelist class='network-directives'>
747 <varlistentry>
748 <term><varname>Id=</varname></term>
749 <listitem>
328184d1 750 <para>Specifies the Virtual Network Identifier (VNI) to use. Ranges [0-16777215]. This field is mandatory.</para>
6598e046
SS
751 </listitem>
752 </varlistentry>
753 <varlistentry>
754 <term><varname>Remote=</varname></term>
755 <listitem>
756 <para>Specifies the unicast destination IP address to use in outgoing packets.</para>
757 </listitem>
758 </varlistentry>
759 <varlistentry>
760 <term><varname>TOS=</varname></term>
761 <listitem>
98616735 762 <para>Specifies the TOS value to use in outgoing packets. Ranges [1-255].</para>
6598e046
SS
763 </listitem>
764 </varlistentry>
765 <varlistentry>
766 <term><varname>TTL=</varname></term>
767 <listitem>
bdac5608 768 <para>Accepts the same values as in the [VXLAN] section, except that when unset
e9dd6984 769 or set to 0, the kernel's default will be used, meaning that packet TTL will be set from
328184d1 770 <filename>/proc/sys/net/ipv4/ip_default_ttl</filename>.</para>
6598e046
SS
771 </listitem>
772 </varlistentry>
773 <varlistentry>
774 <term><varname>UDPChecksum=</varname></term>
775 <listitem>
e9dd6984
ZJS
776 <para>Takes a boolean. When true, specifies that UDP checksum is calculated for transmitted packets
777 over IPv4.</para>
6598e046
SS
778 </listitem>
779 </varlistentry>
780 <varlistentry>
781 <term><varname>UDP6ZeroChecksumTx=</varname></term>
782 <listitem>
9b6ffef3 783 <para>Takes a boolean. When true, skip UDP checksum calculation for transmitted packets over IPv6.</para>
6598e046
SS
784 </listitem>
785 </varlistentry>
786 <varlistentry>
787 <term><varname>UDP6ZeroChecksumRx=</varname></term>
788 <listitem>
9b6ffef3 789 <para>Takes a boolean. When true, allows incoming UDP packets over IPv6 with zero checksum field.</para>
6598e046
SS
790 </listitem>
791 </varlistentry>
488d0ba1
YW
792 <varlistentry>
793 <term><varname>DestinationPort=</varname></term>
794 <listitem>
795 <para>Specifies destination port. Defaults to 6081. If not set or assigned the empty string, the default
796 port of 6081 is used.</para>
797 </listitem>
798 </varlistentry>
799 <varlistentry>
800 <term><varname>FlowLabel=</varname></term>
6598e046
SS
801 <listitem>
802 <para>Specifies the flow label to use in outgoing packets.</para>
803 </listitem>
488d0ba1
YW
804 </varlistentry>
805 <varlistentry>
806 <term><varname>IPDoNotFragment=</varname></term>
aac35019 807 <listitem>
bdac5608 808 <para>Accepts the same key as in the [VXLAN] section.</para>
aac35019 809 </listitem>
488d0ba1 810 </varlistentry>
6598e046
SS
811 </variablelist>
812 </refsect1>
488d0ba1 813
3a56e697
SS
814 <refsect1>
815 <title>[L2TP] Section Options</title>
488d0ba1 816
bdac5608 817 <para>The [L2TP] section only applies for
3a56e697
SS
818 netdevs of kind <literal>l2tp</literal>, and accepts the
819 following keys:</para>
820
821 <variablelist class='network-directives'>
822 <varlistentry>
823 <term><varname>TunnelId=</varname></term>
824 <listitem>
e9dd6984
ZJS
825 <para>Specifies the tunnel identifier. Takes a number in the range 1–4294967295. The value used
826 must match the <literal>PeerTunnelId=</literal> value being used at the peer. This setting is
827 compulsory.</para>
3a56e697
SS
828 </listitem>
829 </varlistentry>
830 <varlistentry>
831 <term><varname>PeerTunnelId=</varname></term>
832 <listitem>
e9dd6984
ZJS
833 <para>Specifies the peer tunnel id. Takes a number in the range 1–4294967295. The value used must
834 match the <literal>PeerTunnelId=</literal> value being used at the peer. This setting is
835 compulsory.</para>
3a56e697
SS
836 </listitem>
837 </varlistentry>
838 <varlistentry>
839 <term><varname>Remote=</varname></term>
840 <listitem>
e9dd6984 841 <para>Specifies the IP address of the remote peer. This setting is compulsory.</para>
3a56e697
SS
842 </listitem>
843 </varlistentry>
844 <varlistentry>
845 <term><varname>Local=</varname></term>
846 <listitem>
d053d08a
YW
847 <para>Specifies the IP address of the local interface. Takes an IP address, or the special values
848 <literal>auto</literal>, <literal>static</literal>, or <literal>dynamic</literal>. When an address
849 is set, then the local interface must have the address. If <literal>auto</literal>, then one of the
850 addresses on the local interface is used. Similarly, if <literal>static</literal> or
851 <literal>dynamic</literal> is set, then one of the static or dynamic addresses on the local
852 interface is used. Defaults to <literal>auto</literal>.</para>
3a56e697
SS
853 </listitem>
854 </varlistentry>
855 <varlistentry>
856 <term><varname>EncapsulationType=</varname></term>
857 <listitem>
e9dd6984
ZJS
858 <para>Specifies the encapsulation type of the tunnel. Takes one of <literal>udp</literal> or
859 <literal>ip</literal>.</para>
3a56e697
SS
860 </listitem>
861 </varlistentry>
862 <varlistentry>
863 <term><varname>UDPSourcePort=</varname></term>
864 <listitem>
e9dd6984
ZJS
865 <para>Specifies the UDP source port to be used for the tunnel. When UDP encapsulation is selected
866 it's mandatory. Ignored when IP encapsulation is selected.</para>
3a56e697
SS
867 </listitem>
868 </varlistentry>
869 <varlistentry>
c14faa94 870 <term><varname>UDPDestinationPort=</varname></term>
3a56e697 871 <listitem>
e9dd6984 872 <para>Specifies destination port. When UDP encapsulation is selected it's mandatory. Ignored when IP
3a56e697
SS
873 encapsulation is selected.</para>
874 </listitem>
875 </varlistentry>
876 <varlistentry>
877 <term><varname>UDPChecksum=</varname></term>
878 <listitem>
e9dd6984
ZJS
879 <para>Takes a boolean. When true, specifies that UDP checksum is calculated for transmitted packets
880 over IPv4.</para>
3a56e697
SS
881 </listitem>
882 </varlistentry>
883 <varlistentry>
884 <term><varname>UDP6ZeroChecksumTx=</varname></term>
885 <listitem>
886 <para>Takes a boolean. When true, skip UDP checksum calculation for transmitted packets over IPv6.</para>
887 </listitem>
888 </varlistentry>
889 <varlistentry>
890 <term><varname>UDP6ZeroChecksumRx=</varname></term>
891 <listitem>
892 <para>Takes a boolean. When true, allows incoming UDP packets over IPv6 with zero checksum field.</para>
893 </listitem>
894 </varlistentry>
895 </variablelist>
896 </refsect1>
488d0ba1 897
3a56e697
SS
898 <refsect1>
899 <title>[L2TPSession] Section Options</title>
488d0ba1 900
bdac5608 901 <para>The [L2TPSession] section only applies for
3a56e697
SS
902 netdevs of kind <literal>l2tp</literal>, and accepts the
903 following keys:</para>
904 <variablelist class='network-directives'>
905 <varlistentry>
906 <term><varname>Name=</varname></term>
907 <listitem>
e9dd6984 908 <para>Specifies the name of the session. This setting is compulsory.</para>
3a56e697
SS
909 </listitem>
910 </varlistentry>
911 <varlistentry>
912 <term><varname>SessionId=</varname></term>
913 <listitem>
e9dd6984
ZJS
914 <para>Specifies the session identifier. Takes a number in the range 1–4294967295. The value used
915 must match the <literal>SessionId=</literal> value being used at the peer. This setting is
916 compulsory.</para>
3a56e697
SS
917 </listitem>
918 </varlistentry>
919 <varlistentry>
920 <term><varname>PeerSessionId=</varname></term>
921 <listitem>
e9dd6984
ZJS
922 <para>Specifies the peer session identifier. Takes a number in the range 1–4294967295.
923 The value used must match the <literal>PeerSessionId=</literal> value being used at the peer.
924 This setting is compulsory.</para>
3a56e697
SS
925 </listitem>
926 </varlistentry>
927 <varlistentry>
928 <term><varname>Layer2SpecificHeader=</varname></term>
929 <listitem>
930 <para>Specifies layer2specific header type of the session. One of <literal>none</literal> or <literal>default</literal>. Defaults to <literal>default</literal>.</para>
931 </listitem>
932 </varlistentry>
933 </variablelist>
934 </refsect1>
488d0ba1 935
81962db7
SS
936 <refsect1>
937 <title>[MACsec] Section Options</title>
488d0ba1 938
bdac5608 939 <para>The [MACsec] section only applies for network devices of kind
81962db7
SS
940 <literal>macsec</literal>, and accepts the following keys:</para>
941
942 <variablelist class='network-directives'>
943 <varlistentry>
944 <term><varname>Port=</varname></term>
945 <listitem>
946 <para>Specifies the port to be used for the MACsec transmit channel. The port is used to make the
947 secure channel identifier (SCI). Takes a value between 1 and 65535. Defaults to unset.
948 </para>
949 </listitem>
950 </varlistentry>
951 <varlistentry>
952 <term><varname>Encrypt=</varname></term>
953 <listitem>
954 <para>Takes a boolean. When true, enable encryption. Defaults to unset.</para>
955 </listitem>
956 </varlistentry>
957 </variablelist>
958 </refsect1>
488d0ba1 959
81962db7
SS
960 <refsect1>
961 <title>[MACsecReceiveChannel] Section Options</title>
bdac5608 962 <para>The [MACsecReceiveChannel] section only applies for network devices of
81962db7
SS
963 kind <literal>macsec</literal>, and accepts the following keys:</para>
964
965 <variablelist class='network-directives'>
966 <varlistentry>
967 <term><varname>Port=</varname></term>
968 <listitem>
969 <para>Specifies the port to be used for the MACsec receive channel. The port is used to make the
970 secure channel identifier (SCI). Takes a value between 1 and 65535. This option is
971 compulsory, and is not set by default.</para>
972 </listitem>
973 </varlistentry>
974 <varlistentry>
975 <term><varname>MACAddress=</varname></term>
976 <listitem>
977 <para>Specifies the MAC address to be used for the MACsec receive channel. The MAC address is
e9dd6984 978 used to make the secure channel identifier (SCI). This setting is compulsory, and is not set by
81962db7
SS
979 default.</para>
980 </listitem>
981 </varlistentry>
982 </variablelist>
983 </refsect1>
488d0ba1 984
81962db7
SS
985 <refsect1>
986 <title>[MACsecTransmitAssociation] Section Options</title>
488d0ba1 987
bdac5608 988 <para>The [MACsecTransmitAssociation] section only applies for network devices
81962db7
SS
989 of kind <literal>macsec</literal>, and accepts the following keys:</para>
990
991 <variablelist class='network-directives'>
992 <varlistentry>
993 <term><varname>PacketNumber=</varname></term>
994 <listitem>
995 <para>Specifies the packet number to be used for replay protection and the construction of
996 the initialization vector (along with the secure channel identifier [SCI]). Takes a value
997 between 1-4,294,967,295. Defaults to unset.
998 </para>
999 </listitem>
1000 </varlistentry>
1001 <varlistentry>
1002 <term><varname>KeyId=</varname></term>
1003 <listitem>
1004 <para>Specifies the identification for the key. Takes a number between 0-255. This option
1005 is compulsory, and is not set by default.</para>
1006 </listitem>
1007 </varlistentry>
1008 <varlistentry>
1009 <term><varname>Key=</varname></term>
1010 <listitem>
1011 <para>Specifies the encryption key used in the transmission channel. The same key must be
e9dd6984 1012 configured on the peer’s matching receive channel. This setting is compulsory, and is not set
81962db7
SS
1013 by default. Takes a 128-bit key encoded in a hexadecimal string, for example
1014 <literal>dffafc8d7b9a43d5b9a3dfbbf6a30c16</literal>.</para>
1015 </listitem>
1016 </varlistentry>
eb4705fb
YW
1017 <varlistentry>
1018 <term><varname>KeyFile=</varname></term>
1019 <listitem>
1020 <para>Takes an absolute path to a file which contains a 128-bit key encoded in a hexadecimal
1021 string, which will be used in the transmission channel. When this option is specified,
1022 <varname>Key=</varname> is ignored. Note that the file must be readable by the user
1023 <literal>systemd-network</literal>, so it should be, e.g., owned by
1024 <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode.</para>
1025 </listitem>
1026 </varlistentry>
a7b9c52f
YW
1027 <varlistentry>
1028 <term><varname>Activate=</varname></term>
1029 <listitem>
1030 <para>Takes a boolean. If enabled, then the security association is activated. Defaults to
1031 unset.</para>
1032 </listitem>
1033 </varlistentry>
b0e13c31
YW
1034 <varlistentry>
1035 <term><varname>UseForEncoding=</varname></term>
1036 <listitem>
1037 <para>Takes a boolean. If enabled, then the security association is used for encoding. Only
bdac5608 1038 one [MACsecTransmitAssociation] section can enable this option. When enabled,
b0e13c31
YW
1039 <varname>Activate=yes</varname> is implied. Defaults to unset.</para>
1040 </listitem>
1041 </varlistentry>
81962db7
SS
1042 </variablelist>
1043 </refsect1>
488d0ba1 1044
81962db7
SS
1045 <refsect1>
1046 <title>[MACsecReceiveAssociation] Section Options</title>
488d0ba1 1047
bdac5608 1048 <para>The [MACsecReceiveAssociation] section only applies for
81962db7
SS
1049 network devices of kind <literal>macsec</literal>, and accepts the
1050 following keys:</para>
1051
1052 <variablelist class='network-directives'>
1053 <varlistentry>
1054 <term><varname>Port=</varname></term>
1055 <listitem>
bdac5608 1056 <para>Accepts the same key as in the [MACsecReceiveChannel] section.</para>
81962db7
SS
1057 </listitem>
1058 </varlistentry>
1059 <varlistentry>
1060 <term><varname>MACAddress=</varname></term>
1061 <listitem>
bdac5608 1062 <para>Accepts the same key as in the [MACsecReceiveChannel] section.</para>
81962db7
SS
1063 </listitem>
1064 </varlistentry>
1065 <varlistentry>
1066 <term><varname>PacketNumber=</varname></term>
1067 <listitem>
bdac5608 1068 <para>Accepts the same key as in the [MACsecTransmitAssociation] section.</para>
81962db7
SS
1069 </listitem>
1070 </varlistentry>
1071 <varlistentry>
1072 <term><varname>KeyId=</varname></term>
1073 <listitem>
bdac5608 1074 <para>Accepts the same key as in the [MACsecTransmitAssociation] section.</para>
81962db7
SS
1075 </listitem>
1076 </varlistentry>
1077 <varlistentry>
1078 <term><varname>Key=</varname></term>
1079 <listitem>
bdac5608 1080 <para>Accepts the same key as in the [MACsecTransmitAssociation] section.</para>
81962db7
SS
1081 </listitem>
1082 </varlistentry>
eb4705fb
YW
1083 <varlistentry>
1084 <term><varname>KeyFile=</varname></term>
1085 <listitem>
bdac5608 1086 <para>Accepts the same key as in the [MACsecTransmitAssociation] section.</para>
eb4705fb
YW
1087 </listitem>
1088 </varlistentry>
a7b9c52f
YW
1089 <varlistentry>
1090 <term><varname>Activate=</varname></term>
1091 <listitem>
bdac5608 1092 <para>Accepts the same key as in the [MACsecTransmitAssociation] section.</para>
a7b9c52f
YW
1093 </listitem>
1094 </varlistentry>
81962db7
SS
1095 </variablelist>
1096 </refsect1>
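An added example (not part of the man page or of systemd's own code): a Python lint for the [MACsecTransmitAssociation] and [MACsecReceiveAssociation] rules above, covering the 128-bit hexadecimal key, the KeyId= and PacketNumber= ranges, the single UseForEncoding= association, and the KeyFile= path and file mode. The sample unit, the function names and the inline-key advisory are assumptions of this example; it treats a 128-bit key as exactly 32 hex digits.

```python
import os
import re
import stat

# Constructed sample unit (not from the man page). The Key= value is the
# example key printed in the man page, so it is public and only a placeholder.
SAMPLE_NETDEV = """\
[NetDev]
Name=macsec0
Kind=macsec

[MACsecTransmitAssociation]
KeyId=1
Key=dffafc8d7b9a43d5b9a3dfbbf6a30c16
UseForEncoding=yes

[MACsecTransmitAssociation]
KeyId=300
KeyFile=keys/macsec0.key
UseForEncoding=yes
"""

ASSOCIATIONS = ("MACsecTransmitAssociation", "MACsecReceiveAssociation")
TRUE_VALUES = {"1", "yes", "y", "true", "t", "on"}
HEX_128 = re.compile(r"[0-9a-fA-F]{32}")  # 128 bits = 32 hex digits


def parse_sections(text):
    """Return [(section, {key: value})]; a list because sections may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = value.strip()
    return sections


def is_128bit_hex(value):
    return HEX_128.fullmatch(value.strip()) is not None


def in_range(value, low, high):
    return value.isdigit() and low <= int(value) <= high


def check_key_file(path):
    """Check the KeyFile= rules: absolute path, not open to others, 128-bit hex."""
    if not os.path.isabs(path):
        return ["KeyFile= must be an absolute path"]
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path, encoding="ascii", errors="replace") as handle:
            content = handle.read()
    except OSError as err:
        return [f"KeyFile= {path}: {err.strerror}"]
    problems = []
    if mode & 0o007:
        problems.append(f"KeyFile= {path} has mode {mode:04o}; others can access it (0640 suggested)")
    if not is_128bit_hex(content):
        problems.append(f"KeyFile= {path} does not hold a 128-bit hexadecimal key")
    return problems


def audit(text):
    """Return a list of findings for the MACsec association sections."""
    findings, encoders = [], 0
    for name, keys in parse_sections(text):
        if name not in ASSOCIATIONS:
            continue
        if not in_range(keys.get("KeyId", ""), 0, 255):
            findings.append(f"[{name}] KeyId= is compulsory and must be 0-255")
        if "PacketNumber" in keys and not in_range(keys["PacketNumber"], 1, 4294967295):
            findings.append(f"[{name}] PacketNumber= must be 1-4294967295")
        if "KeyFile" in keys:  # KeyFile= wins; Key= is ignored when both are set
            findings += [f"[{name}] {p}" for p in check_key_file(keys["KeyFile"])]
            if "Key" in keys:
                findings.append(f"[{name}] Key= is ignored because KeyFile= is set")
        elif "Key" in keys:
            if not is_128bit_hex(keys["Key"]):
                findings.append(f"[{name}] Key= is not a 128-bit hexadecimal string")
            # Advisory of this example, not a rule from the man page.
            findings.append(f"[{name}] advisory: secret is inline; KeyFile= keeps it out of the unit")
        else:
            findings.append(f"[{name}] neither Key= nor KeyFile= is set")
        if name == ASSOCIATIONS[0] and keys.get("UseForEncoding", "").lower() in TRUE_VALUES:
            encoders += 1
    if encoders > 1:
        findings.append("only one [MACsecTransmitAssociation] section can enable UseForEncoding=")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_NETDEV):
        print(finding)
```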
488d0ba1 1097
798d3a52
ZJS
1098 <refsect1>
1099 <title>[Tunnel] Section Options</title>
1100
bdac5608 1101 <para>The [Tunnel] section only applies for
798d3a52
ZJS
1102 netdevs of kind
1103 <literal>ipip</literal>,
1104 <literal>sit</literal>,
1105 <literal>gre</literal>,
1106 <literal>gretap</literal>,
1107 <literal>ip6gre</literal>,
1108 <literal>ip6gretap</literal>,
5cc0748e 1109 <literal>vti</literal>,
af555aa3
YW
1110 <literal>vti6</literal>,
1111 <literal>ip6tnl</literal>, and
1112 <literal>erspan</literal>, and accepts
798d3a52
ZJS
1113 the following keys:</para>
1114
1115 <variablelist class='network-directives'>
1116 <varlistentry>
1117 <term><varname>Local=</varname></term>
1118 <listitem>
8643885f
YW
1119 <para>A static local address for tunneled packets. It must be an address on another interface of
1120 this host, or the special value <literal>any</literal>.</para>
798d3a52
ZJS
1121 </listitem>
1122 </varlistentry>
1123 <varlistentry>
1124 <term><varname>Remote=</varname></term>
1125 <listitem>
8643885f
YW
1126 <para>The remote endpoint of the tunnel. Takes an IP address or the special value
1127 <literal>any</literal>.</para>
798d3a52
ZJS
1128 </listitem>
1129 </varlistentry>
1130 <varlistentry>
1131 <term><varname>TOS=</varname></term>
1132 <listitem>
1133 <para>The Type Of Service byte value for a tunnel interface.
b938cb90 1134 For details about the TOS, see the
798d3a52
ZJS
1135 <ulink url="http://tools.ietf.org/html/rfc1349"> Type of
1136 Service in the Internet Protocol Suite </ulink> document.
1137 </para>
1138 </listitem>
1139 </varlistentry>
1140 <varlistentry>
1141 <term><varname>TTL=</varname></term>
1142 <listitem>
1143 <para>A fixed Time To Live N on tunneled packets. N is a
b938cb90 1144 number in the range 1–255. 0 is a special value meaning that
798d3a52 1145 packets inherit the TTL value. The default value for IPv4
e9dd6984 1146 tunnels is 0 (inherit). The default value for IPv6 tunnels is
798d3a52
ZJS
1147 64.</para>
1148 </listitem>
1149 </varlistentry>
1150 <varlistentry>
1151 <term><varname>DiscoverPathMTU=</varname></term>
1152 <listitem>
9b6ffef3 1153 <para>Takes a boolean. When true, enables Path MTU Discovery on
798d3a52
ZJS
1154 the tunnel.</para>
1155 </listitem>
1156 </varlistentry>
276de526
SS
1157 <varlistentry>
1158 <term><varname>IPv6FlowLabel=</varname></term>
1159 <listitem>
a8eaaee7 1160 <para>Configures the 20-bit flow label (see <ulink url="https://tools.ietf.org/html/rfc6437">
276de526 1161 RFC 6437</ulink>) field in the IPv6 header (see <ulink url="https://tools.ietf.org/html/rfc2460">
a8eaaee7
JE
1162 RFC 2460</ulink>), which is used by a node to label packets of a flow.
1163 It is only used for IPv6 tunnels.
1164 A flow label of zero is used to indicate packets that have
1165 not been labeled.
1166 It can be configured to a value in the range 0–0xFFFFF, or be
1167 set to <literal>inherit</literal>, in which case the original flowlabel is used.</para>
276de526
SS
1168 </listitem>
1169 </varlistentry>
9b0ca30a 1170 <varlistentry>
a9b70f9d 1171 <term><varname>CopyDSCP=</varname></term>
9b0ca30a 1172 <listitem>
9b6ffef3 1173 <para>Takes a boolean. When true, the Differentiated Service Code
3cf4bcab 1174 Point (DSCP) field will be copied to the inner header from
a9b70f9d 1175 outer header during the decapsulation of an IPv6 tunnel
3cf4bcab
ZJS
1176 packet. DSCP is a field in an IP packet that enables different
1177 levels of service to be assigned to network traffic.
1178 Defaults to <literal>no</literal>.
9b0ca30a
SS
1179 </para>
1180 </listitem>
1181 </varlistentry>
dae398a8
SS
1182 <varlistentry>
1183 <term><varname>EncapsulationLimit=</varname></term>
1184 <listitem>
1185 <para>The Tunnel Encapsulation Limit option specifies how many additional
1186 levels of encapsulation are permitted to be prepended to the packet.
1187 For example, a Tunnel Encapsulation Limit option containing a limit
1188 value of zero means that a packet carrying that option may not enter
1189 another tunnel before exiting the current tunnel.
1190 (see <ulink url="https://tools.ietf.org/html/rfc2473#section-4.1.1"> RFC 2473</ulink>).
b938cb90 1191 The valid range is 0–255 and <literal>none</literal>. Defaults to 4.
dae398a8
SS
1192 </para>
1193 </listitem>
1194 </varlistentry>
1d710029
SS
1195 <varlistentry>
1196 <term><varname>Key=</varname></term>
1197 <listitem>
1198 <para>The <varname>Key=</varname> parameter specifies the same key to use in
1199 both directions (<varname>InputKey=</varname> and <varname>OutputKey=</varname>).
1200 The <varname>Key=</varname> is either a number or an IPv4 address-like dotted quad.
1201 It is used as mark-configured SAD/SPD entry as part of the lookup key (both in data
e9dd6984 1202 and control path) in IP XFRM (framework used to implement IPsec protocol).
1d710029 1203 See <ulink url="http://man7.org/linux/man-pages/man8/ip-xfrm.8.html">
c65c01c4
YW
1204 ip-xfrm — transform configuration</ulink> for details. It is only used for VTI/VTI6,
1205 GRE, GRETAP, and ERSPAN tunnels.</para>
1d710029
SS
1206 </listitem>
1207 </varlistentry>
1208 <varlistentry>
1209 <term><varname>InputKey=</varname></term>
1210 <listitem>
1211 <para>The <varname>InputKey=</varname> parameter specifies the key to use for input.
c65c01c4
YW
1212 The format is the same as <varname>Key=</varname>. It is only used for VTI/VTI6, GRE, GRETAP,
1213 and ERSPAN tunnels.</para>
1d710029
SS
1214 </listitem>
1215 </varlistentry>
1216 <varlistentry>
1217 <term><varname>OutputKey=</varname></term>
1218 <listitem>
1219 <para>The <varname>OutputKey=</varname> parameter specifies the key to use for output.
c65c01c4
YW
1220 The format is the same as <varname>Key=</varname>. It is only used for VTI/VTI6, GRE, GRETAP,
1221 and ERSPAN tunnels.</para>
1d710029
SS
1222 </listitem>
1223 </varlistentry>
798d3a52
ZJS
1224 <varlistentry>
1225 <term><varname>Mode=</varname></term>
1226 <listitem>
a8eaaee7 1227 <para>An <literal>ip6tnl</literal> tunnel can be in one of three
798d3a52
ZJS
1228 modes
1229 <literal>ip6ip6</literal> for IPv6 over IPv6,
1230 <literal>ipip6</literal> for IPv4 over IPv6 or
1231 <literal>any</literal> for either.
1232 </para>
1233 </listitem>
1234 </varlistentry>
4d7fa6de
SS
1235 <varlistentry>
1236 <term><varname>Independent=</varname></term>
1237 <listitem>
9b6ffef3 1238 <para>Takes a boolean. When true, the tunnel does not require a .network file. Created as "tunnel@NONE".
4d7fa6de
SS
1239 Defaults to <literal>false</literal>.
1240 </para>
1241 </listitem>
1242 </varlistentry>
8c9c703c
YW
1243 <varlistentry>
1244 <term><varname>AssignToLoopback=</varname></term>
1245 <listitem>
1246 <para>Takes a boolean. If set to <literal>yes</literal>, the loopback interface <literal>lo</literal>
1247 is used as the underlying device of the tunnel interface. Defaults to <literal>no</literal>.</para>
1248 </listitem>
1249 </varlistentry>
3a4f3e42
SS
1250 <varlistentry>
1251 <term><varname>AllowLocalRemote=</varname></term>
1252 <listitem>
9b6ffef3 1253 <para>Takes a boolean. When true, allows tunnel traffic on <varname>ip6tnl</varname> devices where the remote endpoint is a local host address.
025314d9 1254 When unset, the kernel's default will be used.
3a4f3e42
SS
1255 </para>
1256 </listitem>
1257 </varlistentry>
53cb501a
SS
1258 <varlistentry>
1259 <term><varname>FooOverUDP=</varname></term>
1260 <listitem>
9b6ffef3 1261 <para>Takes a boolean. Specifies whether <varname>FooOverUDP=</varname> tunnel is to be configured.
0b145817
YW
1262 Defaults to false. This takes effect only for IPIP, SIT, GRE, and GRETAP tunnels.
1263 For more detailed information see
53cb501a
SS
1264 <ulink url="https://lwn.net/Articles/614348">Foo over UDP</ulink></para>
1265 </listitem>
1266 </varlistentry>
1267 <varlistentry>
1268 <term><varname>FOUDestinationPort=</varname></term>
1269 <listitem>
6f520e74 1270 <para>This setting specifies the UDP destination port for encapsulation.
0b145817 1271 This field is mandatory when <varname>FooOverUDP=yes</varname>, and is not set by default.</para>
53cb501a
SS
1272 </listitem>
1273 </varlistentry>
1274 <varlistentry>
1275 <term><varname>FOUSourcePort=</varname></term>
1276 <listitem>
6f520e74
ZJS
1277 <para>This setting specifies the UDP source port for encapsulation. Defaults to <constant>0</constant>
1278 — that is, the source port for packets is left to the network stack to decide.</para>
53cb501a
SS
1279 </listitem>
1280 </varlistentry>
1281 <varlistentry>
1282 <term><varname>Encapsulation=</varname></term>
1283 <listitem>
bdac5608 1284 <para>Accepts the same key as in the [FooOverUDP] section.</para>
53cb501a
SS
1285 </listitem>
1286 </varlistentry>
d067cab3
DA
1287 <varlistentry>
1288 <term><varname>IPv6RapidDeploymentPrefix=</varname></term>
1289 <listitem>
1290 <para>Reconfigure the tunnel for <ulink url="https://tools.ietf.org/html/rfc5569">IPv6 Rapid
1291 Deployment</ulink>, also known as 6rd. The value is an ISP-specific IPv6 prefix with a non-zero length. Only
1292 applicable to SIT tunnels.</para>
1293 </listitem>
1294 </varlistentry>
918049ad
SS
1295 <varlistentry>
1296 <term><varname>ISATAP=</varname></term>
1297 <listitem>
1298 <para>Takes a boolean. If set, configures the tunnel as an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel.
1299 Only applicable to SIT tunnels. When unset, the kernel's default will be used.</para>
1300 </listitem>
1301 </varlistentry>
2266864b
SS
1302 <varlistentry>
1303 <term><varname>SerializeTunneledPackets=</varname></term>
1304 <listitem>
c65c01c4
YW
1305 <para>Takes a boolean. If set to yes, then packets are serialized. Only applies for GRE,
1306 GRETAP, and ERSPAN tunnels. When unset, the kernel's default will be used.
2266864b
SS
1307 </para>
1308 </listitem>
1309 </varlistentry>
1310 <varlistentry>
1311 <term><varname>ERSPANIndex=</varname></term>
1312 <listitem>
1313 <para>Specifies the ERSPAN index field for the interface, an integer in the range 1-1048575 associated with
1314 the ERSPAN traffic's source port and direction. This field is mandatory.
1315 </para>
1316 </listitem>
1317 </varlistentry>
798d3a52
ZJS
1318 </variablelist>
1319 </refsect1>
53cb501a
SS
1320
1321 <refsect1>
1322 <title>[FooOverUDP] Section Options</title>
1323
bdac5608 1324 <para>The [FooOverUDP] section only applies for
53cb501a
SS
1325 netdevs of kind <literal>fou</literal> and accepts the
1326 following keys:</para>
1327
1328 <variablelist class='network-directives'>
53cb501a
SS
1329 <varlistentry>
1330 <term><varname>Encapsulation=</varname></term>
1331 <listitem>
e9dd6984
ZJS
1332 <para>Specifies the encapsulation mechanism used to store networking packets of various protocols
1333 inside the UDP packets. Supports the following values:
53cb501a 1334
e9dd6984
ZJS
1335 <literal>FooOverUDP</literal> provides the simplest no-frills model of UDP encapsulation: it simply
1336 encapsulates packets directly in the UDP payload. <literal>GenericUDPEncapsulation</literal> is a
1337 generic and extensible encapsulation; it allows encapsulation of packets for any IP protocol and
1338 optional data as part of the encapsulation. For more detailed information see <ulink
1339 url="https://lwn.net/Articles/615044">Generic UDP Encapsulation</ulink>. Defaults to
1340 <literal>FooOverUDP</literal>.
53cb501a
SS
1341 </para>
1342 </listitem>
1343 </varlistentry>
1344 <varlistentry>
1345 <term><varname>Port=</varname></term>
1346 <listitem>
e9dd6984
ZJS
1347 <para>Specifies the port number where the IP encapsulation packets will arrive. Note that when
1348 the packets arrive, the encapsulation will be removed. They will then be manually fed
1349 back into the network stack, and sent ahead for delivery to the real destination. This option is
1350 mandatory.</para>
53cb501a 1351 </listitem>
488d0ba1 1352 </varlistentry>
8f02c9b0
SS
1353 <varlistentry>
1354 <term><varname>PeerPort=</varname></term>
1355 <listitem>
e9dd6984
ZJS
1356 <para>Specifies the peer port number. Defaults to unset. Note that when the peer port is set, the
1357 <literal>Peer=</literal> address is mandatory.</para>
8f02c9b0 1358 </listitem>
488d0ba1 1359 </varlistentry>
0b145817
YW
1360 <varlistentry>
1361 <term><varname>Protocol=</varname></term>
1362 <listitem>
1363 <para>The <varname>Protocol=</varname> specifies the protocol number of the packets arriving
1364 at the UDP port. When <varname>Encapsulation=FooOverUDP</varname>, this field is mandatory
1365 and is not set by default. Takes an IP protocol name such as <literal>gre</literal> or
1366 <literal>ipip</literal>, or an integer within the range 1-255. When
1367 <varname>Encapsulation=GenericUDPEncapsulation</varname>, this must not be specified.</para>
1368 </listitem>
1369 </varlistentry>
4502a61c
SS
1370 <varlistentry>
1371 <term><varname>Peer=</varname></term>
1372 <listitem>
e9dd6984
ZJS
1373 <para>Configures the peer IP address. Note that when the peer address is set, <literal>PeerPort=</literal>
1374 is mandatory.</para>
4502a61c
SS
1375 </listitem>
1376 </varlistentry>
1377 <varlistentry>
1378 <term><varname>Local=</varname></term>
1379 <listitem>
1380 <para>Configures local IP address.</para>
1381 </listitem>
1382 </varlistentry>
0b145817 1383 </variablelist>
53cb501a 1384 </refsect1>
488d0ba1 1385
798d3a52
ZJS
1386 <refsect1>
1387 <title>[Peer] Section Options</title>
1388
bdac5608 1389 <para>The [Peer] section only applies for
488d0ba1
YW
1390 netdevs of kind <literal>veth</literal> and accepts the
1391 following keys:</para>
1392
1393 <variablelist class='network-directives'>
1394 <varlistentry>
1395 <term><varname>Name=</varname></term>
1396 <listitem>
1397 <para>The interface name used when creating the netdev.
e9dd6984 1398 This setting is compulsory.</para>
488d0ba1
YW
1399 </listitem>
1400 </varlistentry>
1401 <varlistentry>
1402 <term><varname>MACAddress=</varname></term>
1403 <listitem>
1404 <para>The peer MAC address. If not set, it is generated in
1405 the same way as the MAC address of the main
1406 interface.</para>
1407 </listitem>
1408 </varlistentry>
1409 </variablelist>
798d3a52 1410 </refsect1>
488d0ba1 1411
d6df583c 1412 <refsect1>
488d0ba1
YW
1413 <title>[VXCAN] Section Options</title>
1414
bdac5608 1415 <para>The [VXCAN] section only applies for
488d0ba1
YW
1416 netdevs of kind <literal>vxcan</literal> and accepts the
1417 following key:</para>
1418
1419 <variablelist class='network-directives'>
1420 <varlistentry>
1421 <term><varname>Peer=</varname></term>
1422 <listitem>
1423 <para>The peer interface name used when creating the netdev.
e9dd6984 1424 This setting is compulsory.</para>
488d0ba1
YW
1425 </listitem>
1426 </varlistentry>
1427 </variablelist>
d6df583c 1428 </refsect1>
488d0ba1 1429
798d3a52
ZJS
1430 <refsect1>
1431 <title>[Tun] Section Options</title>
1432
bdac5608 1433 <para>The [Tun] section only applies for
798d3a52
ZJS
1434 netdevs of kind <literal>tun</literal>, and accepts the following
1435 keys:</para>
1436
1437 <variablelist class='network-directives'>
798d3a52
ZJS
1438 <varlistentry>
1439 <term><varname>MultiQueue=</varname></term>
9b6ffef3 1440 <listitem><para>Takes a boolean. Configures whether
798d3a52
ZJS
1441 to use multiple file descriptors (queues) to parallelize
1442 packet sending and receiving. Defaults to
1443 <literal>no</literal>.</para>
1444 </listitem>
1445 </varlistentry>
1446 <varlistentry>
1447 <term><varname>PacketInfo=</varname></term>
9b6ffef3 1448 <listitem><para>Takes a boolean. Configures whether
ff9b60f3 1449 packets should be prepended with four extra bytes (two flag
b938cb90 1450 bytes and two protocol bytes). If disabled, it indicates that
798d3a52
ZJS
1451 the packets will be pure IP packets. Defaults to
1452 <literal>no</literal>.</para>
1453 </listitem>
1454 </varlistentry>
43f78da4 1455 <varlistentry>
2aba142e 1456 <term><varname>VNetHeader=</varname></term>
9b6ffef3 1457 <listitem><para>Takes a boolean. Configures
75eed300 1458 IFF_VNET_HDR flag for a tun or tap device. It allows sending
43f78da4
SS
1459 and receiving larger Generic Segmentation Offload (GSO)
1460 packets. This may increase throughput significantly.
1461 Defaults to
1462 <literal>no</literal>.</para>
1463 </listitem>
1464 </varlistentry>
798d3a52
ZJS
1465 <varlistentry>
1466 <term><varname>User=</varname></term>
1467 <listitem><para>User to grant access to the
1468 <filename>/dev/net/tun</filename> device.</para>
1469 </listitem>
1470 </varlistentry>
1471 <varlistentry>
1472 <term><varname>Group=</varname></term>
1473 <listitem><para>Group to grant access to the
1474 <filename>/dev/net/tun</filename> device.</para>
1475 </listitem>
1476 </varlistentry>
798d3a52 1477 </variablelist>
798d3a52
ZJS
1478 </refsect1>
1479
1480 <refsect1>
1481 <title>[Tap] Section Options</title>
1482
bdac5608 1483 <para>The [Tap] section only applies for
798d3a52 1484 netdevs of kind <literal>tap</literal>, and accepts the same keys
bdac5608 1485 as the [Tun] section.</para>
798d3a52
ZJS
1486 </refsect1>
1487
e5719363
JT
1488 <refsect1>
1489 <title>[WireGuard] Section Options</title>
1490
bdac5608 1491 <para>The [WireGuard] section accepts the following
e5719363
JT
1492 keys:</para>
1493
1494 <variablelist class='network-directives'>
1495 <varlistentry>
1496 <term><varname>PrivateKey=</varname></term>
1497 <listitem>
1498 <para>The Base64 encoded private key for the interface. It can be
488d0ba1
YW
1499 generated using the <command>wg genkey</command> command
1500 (see <citerefentry project="wireguard"><refentrytitle>wg</refentrytitle><manvolnum>8</manvolnum></citerefentry>).
1501 This option or <varname>PrivateKeyFile=</varname> is mandatory to use WireGuard.
1502 Note that because this information is secret, you may want to make
1503 the .netdev file owned by <literal>root:systemd-network</literal>
1504 with a <literal>0640</literal> file mode.</para>
e5719363
JT
1505 </listitem>
1506 </varlistentry>
76df7779
YW
1507 <varlistentry>
1508 <term><varname>PrivateKeyFile=</varname></term>
1509 <listitem>
a3945c63 1510 <para>Takes an absolute path to a file which contains the Base64 encoded private key for the interface.
cb31e7c8 1511 When this option is specified, then <varname>PrivateKey=</varname> is ignored.
76df7779
YW
1512 Note that the file must be readable by the user <literal>systemd-network</literal>, so it
1513 should be, e.g., owned by <literal>root:systemd-network</literal> with a
1514 <literal>0640</literal> file mode.</para>
1515 </listitem>
1516 </varlistentry>
e5719363
JT
1517 <varlistentry>
1518 <term><varname>ListenPort=</varname></term>
1519 <listitem>
1520 <para>Sets the UDP port for listening. Takes either a value between 1 and 65535
488d0ba1
YW
1521 or <literal>auto</literal>. If <literal>auto</literal> is specified,
1522 the port is automatically generated based on the interface name.
1523 Defaults to <literal>auto</literal>.</para>
e5719363
JT
1524 </listitem>
1525 </varlistentry>
1526 <varlistentry>
1c30b174 1527 <term><varname>FirewallMark=</varname></term>
e5719363 1528 <listitem>
1c30b174 1529 <para>Sets a firewall mark on outgoing WireGuard packets from this interface. Takes a number between 1 and 4294967295.</para>
e5719363
JT
1530 </listitem>
1531 </varlistentry>
1532 </variablelist>
1533 </refsect1>
1534
1535 <refsect1>
1536 <title>[WireGuardPeer] Section Options</title>
1537
bdac5608 1538 <para>The [WireGuardPeer] section accepts the following
e5719363
JT
1539 keys:</para>
1540
1541 <variablelist class='network-directives'>
1542 <varlistentry>
1543 <term><varname>PublicKey=</varname></term>
1544 <listitem>
1545 <para>Sets a Base64 encoded public key calculated by <command>wg pubkey</command>
488d0ba1
YW
1546 (see <citerefentry project="wireguard"><refentrytitle>wg</refentrytitle><manvolnum>8</manvolnum></citerefentry>)
1547 from a private key, and usually transmitted out of band to the
1548 author of the configuration file. This option is mandatory for this
1549 section.</para>
e5719363
JT
1550 </listitem>
1551 </varlistentry>
1552 <varlistentry>
1553 <term><varname>PresharedKey=</varname></term>
1554 <listitem>
1555 <para>Optional preshared key for the interface. It can be generated
488d0ba1
YW
1556 by the <command>wg genpsk</command> command. This option adds an
1557 additional layer of symmetric-key cryptography to be mixed into the
1558 already existing public-key cryptography, for post-quantum
1559 resistance.
1560 Note that because this information is secret, you may want to make
8aa36b1d 1561 the .netdev file owned by <literal>root:systemd-network</literal>
488d0ba1 1562 with a <literal>0640</literal> file mode.</para>
e5719363
JT
1563 </listitem>
1564 </varlistentry>
a3945c63
YW
1565 <varlistentry>
1566 <term><varname>PresharedKeyFile=</varname></term>
1567 <listitem>
1568 <para>Takes an absolute path to a file which contains the Base64 encoded preshared key for the
1569 peer. When this option is specified, then <varname>PresharedKey=</varname> is ignored.
1570 Note that the file must be readable by the user <literal>systemd-network</literal>, so it
1571 should be, e.g., owned by <literal>root:systemd-network</literal> with a
1572 <literal>0640</literal> file mode.</para>
1573 </listitem>
1574 </varlistentry>
e5719363
JT
1575 <varlistentry>
1576 <term><varname>AllowedIPs=</varname></term>
1577 <listitem>
1578 <para>Sets a comma-separated list of IP (v4 or v6) addresses with CIDR masks
488d0ba1
YW
1579 from which this peer is allowed to send incoming traffic and to
1580 which outgoing traffic for this peer is directed. The catch-all
1581 0.0.0.0/0 may be specified for matching all IPv4 addresses, and
1582 ::/0 may be specified for matching all IPv6 addresses. </para>
e5719363
JT
1583 </listitem>
1584 </varlistentry>
1585 <varlistentry>
1586 <term><varname>Endpoint=</varname></term>
1587 <listitem>
1588 <para>Sets an endpoint IP address or hostname, followed by a colon, and then
488d0ba1
YW
1589 a port number. This endpoint will be updated automatically once to
1590 the most recent source IP address and port of correctly
1591 authenticated packets from the peer at configuration time.</para>
e5719363
JT
1592 </listitem>
1593 </varlistentry>
1594 <varlistentry>
1595 <term><varname>PersistentKeepalive=</varname></term>
1596 <listitem>
1597 <para>Sets an interval in seconds, between 1 and 65535 inclusive, of how often
488d0ba1
YW
1598 to send an authenticated empty packet to the peer for the purpose
1599 of keeping a stateful firewall or NAT mapping valid persistently.
1600 For example, if the interface very rarely sends traffic, but it
1601 might at any time receive traffic from a peer, and it is behind NAT,
1602 the interface might benefit from having a persistent keepalive
1603 interval of 25 seconds. If set to 0 or "off", this option is
1604 disabled. By default or when unspecified, this option is off.
1605 Most users will not need this.</para>
e5719363
JT
1606 </listitem>
1607 </varlistentry>
1608 </variablelist>
1609 </refsect1>
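The permission advice given above for PrivateKey=, PrivateKeyFile=, PresharedKey= and PresharedKeyFile= can be checked mechanically. The following Python audit is an added example, not part of systemd or of this man page; the sample file, the placeholder key strings and all function names are constructed for illustration, and it checks file modes only, not the root:systemd-network ownership.

```python
import os
import stat
import tempfile

# Secret-bearing keys from the [WireGuard] and [WireGuardPeer] sections.
INLINE_SECRETS = {("WireGuard", "PrivateKey"), ("WireGuardPeer", "PresharedKey")}
FILE_SECRETS = {("WireGuard", "PrivateKeyFile"), ("WireGuardPeer", "PresharedKeyFile")}

# Constructed sample; the key strings are placeholders, not real key material.
SAMPLE = """[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
PrivateKey=CONSTRUCTED-NOT-A-REAL-KEY=
PrivateKeyFile={keyfile}

[WireGuardPeer]
PublicKey=CONSTRUCTED-PEER-PUBLIC-KEY=
PresharedKey=CONSTRUCTED-NOT-A-REAL-PSK=
"""


def parse_netdev(text):
    """Return (section_index, section, key, value); repeated sections get distinct indexes."""
    entries, index, section = [], -1, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            index, section = index + 1, line[1:-1]
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            entries.append((index, section, key.strip(), value.strip()))
    return entries


def other_can_access(path):
    """True when the 'other' permission triplet is not '---' (0644 fails, 0640 passes)."""
    return stat.filemode(os.stat(path).st_mode)[7:] != "---"


def audit_netdev(path):
    """Return a list of findings about secret handling in one .netdev file."""
    with open(path, encoding="utf-8") as fh:
        entries = [e for e in parse_netdev(fh.read()) if e[3]]
    assigned = {(index, key) for index, _, key, _ in entries}
    findings = []
    for index, section, key, value in entries:
        if (section, key) in INLINE_SECRETS:
            if other_can_access(path):
                findings.append(f"{key}= is inline and {path} is accessible to other users")
            if (index, key + "File") in assigned:
                findings.append(f"{key}= is ignored ({key}File= is set) but still stored inline")
        elif (section, key) in FILE_SECRETS:
            if not os.path.isabs(value):
                findings.append(f"{key}= needs an absolute path, got {value}")
            elif not os.path.isfile(value):
                findings.append(f"{key}= points to a missing file: {value}")
            elif other_can_access(value):
                findings.append(f"{key}= target {value} is accessible to other users")
    return findings


def demo():
    """Audit the constructed sample with loose (0644) and then tight (0640) modes."""
    with tempfile.TemporaryDirectory() as tmp:
        keyfile = os.path.join(tmp, "wg0.key")
        netdev = os.path.join(tmp, "25-wireguard.netdev")
        with open(keyfile, "w", encoding="utf-8") as fh:
            fh.write("CONSTRUCTED-NOT-A-REAL-KEY=\n")
        with open(netdev, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE.format(keyfile=keyfile))
        results = []
        for mode in (0o644, 0o640):
            os.chmod(keyfile, mode)
            os.chmod(netdev, mode)
            results.append(audit_netdev(netdev))
    return results


if __name__ == "__main__":
    print(demo())
```

With both files at 0640 the only remaining finding is the inline PrivateKey= that PrivateKeyFile= overrides: the setting is ignored, yet the secret is still on disk.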
1610
798d3a52
ZJS
1611 <refsect1>
1612 <title>[Bond] Section Options</title>
1613
bdac5608 1614 <para>The [Bond] section accepts the following
798d3a52
ZJS
1615 key:</para>
1616
1617 <variablelist class='network-directives'>
1618 <varlistentry>
1619 <term><varname>Mode=</varname></term>
1620 <listitem>
1621 <para>Specifies one of the bonding policies. The default is
1622 <literal>balance-rr</literal> (round robin). Possible values are
1623 <literal>balance-rr</literal>,
1624 <literal>active-backup</literal>,
1625 <literal>balance-xor</literal>,
1626 <literal>broadcast</literal>,
1627 <literal>802.3ad</literal>,
1628 <literal>balance-tlb</literal>, and
1629 <literal>balance-alb</literal>.
1630 </para>
1631 </listitem>
1632 </varlistentry>
1633
1634 <varlistentry>
1635 <term><varname>TransmitHashPolicy=</varname></term>
1636 <listitem>
1637 <para>Selects the transmit hash policy to use for slave
1638 selection in balance-xor, 802.3ad, and tlb modes. Possible
1639 values are
1640 <literal>layer2</literal>,
1641 <literal>layer3+4</literal>,
1642 <literal>layer2+3</literal>,
4d89618a 1643 <literal>encap2+3</literal>, and
798d3a52
ZJS
1644 <literal>encap3+4</literal>.
1645 </para>
1646 </listitem>
1647 </varlistentry>
1648
1649 <varlistentry>
1650 <term><varname>LACPTransmitRate=</varname></term>
1651 <listitem>
1652 <para>Specifies the rate at which the link partner transmits
1653 Link Aggregation Control Protocol Data Unit packets in
1654 802.3ad mode. Possible values are <literal>slow</literal>,
1655 which requests the partner to transmit LACPDUs every 30 seconds,
1656 and <literal>fast</literal>, which requests the partner to
1657 transmit LACPDUs every second. The default value is
1658 <literal>slow</literal>.</para>
1659 </listitem>
1660 </varlistentry>
1661
1662 <varlistentry>
1663 <term><varname>MIIMonitorSec=</varname></term>
1664 <listitem>
1665 <para>Specifies the frequency at which Media Independent
1666 Interface link monitoring will occur. A value of zero
dd2b607b 1667 disables MII link monitoring. This value is rounded down to
798d3a52
ZJS
1668 the nearest millisecond. The default value is 0.</para>
1669 </listitem>
1670 </varlistentry>
1671
1672 <varlistentry>
1673 <term><varname>UpDelaySec=</varname></term>
1674 <listitem>
1675 <para>Specifies the delay before a link is enabled after a
1676 link up status has been detected. This value is rounded down
1677 to a multiple of MIIMonitorSec. The default value is
1678 0.</para>
1679 </listitem>
1680 </varlistentry>
1681
1682 <varlistentry>
1683 <term><varname>DownDelaySec=</varname></term>
1684 <listitem>
1685 <para>Specifies the delay before a link is disabled after a
1686 link down status has been detected. This value is rounded
1687 down to a multiple of MIIMonitorSec. The default value is
1688 0.</para>
1689 </listitem>
1690 </varlistentry>
1691
81bd37a8 1692 <varlistentry>
38422da7 1693 <term><varname>LearnPacketIntervalSec=</varname></term>
81bd37a8
SS
1694 <listitem>
1695 <para>Specifies the number of seconds between instances where the bonding
a8eaaee7
JE
1696 driver sends learning packets to each slave peer switch.
1697 The valid range is 1–0x7fffffff; the default value is 1. This option
1698 has an effect only for the balance-tlb and balance-alb modes.</para>
81bd37a8
SS
1699 </listitem>
1700 </varlistentry>
1701
1702 <varlistentry>
1703 <term><varname>AdSelect=</varname></term>
1704 <listitem>
1705 <para>Specifies the 802.3ad aggregation selection logic to use. Possible values are
1706 <literal>stable</literal>,
a8eaaee7
JE
1707 <literal>bandwidth</literal> and
1708 <literal>count</literal>.
81bd37a8
SS
1709 </para>
1710 </listitem>
1711 </varlistentry>
1712
99f68ef0 1713 <varlistentry>
db688b7e 1714 <term><varname>AdActorSystemPriority=</varname></term>
99f68ef0 1715 <listitem>
e9dd6984 1716 <para>Specifies the 802.3ad actor system priority. Takes a number in the range 1–65535.</para>
99f68ef0
TJ
1717 </listitem>
1718 </varlistentry>
1719
1720 <varlistentry>
1721 <term><varname>AdUserPortKey=</varname></term>
1722 <listitem>
e9dd6984
ZJS
1723 <para>Specifies the 802.3ad user defined portion of the port key. Takes a number in the range
1724 0–1023.</para>
99f68ef0
TJ
1725 </listitem>
1726 </varlistentry>
1727
1728 <varlistentry>
1729 <term><varname>AdActorSystem=</varname></term>
1730 <listitem>
1731 <para>Specifies the 802.3ad system MAC address. This cannot be either NULL or multicast.</para>
1732 </listitem>
1733 </varlistentry>
1734
81bd37a8 1735 <varlistentry>
38422da7 1736 <term><varname>FailOverMACPolicy=</varname></term>
81bd37a8 1737 <listitem>
a8eaaee7
JE
1738 <para>Specifies whether the active-backup mode should set all slaves to
1739 the same MAC address at the time of enslavement or, when enabled, to perform special handling of the
81bd37a8
SS
1740 bond's MAC address in accordance with the selected policy. The default policy is none.
1741 Possible values are
1742 <literal>none</literal>,
a8eaaee7
JE
1743 <literal>active</literal> and
1744 <literal>follow</literal>.
81bd37a8
SS
1745 </para>
1746 </listitem>
1747 </varlistentry>
1748
1749 <varlistentry>
38422da7 1750 <term><varname>ARPValidate=</varname></term>
81bd37a8
SS
1751 <listitem>
1752 <para>Specifies whether or not ARP probes and replies should be
38422da7 1753 validated in any mode that supports ARP monitoring, or whether
81bd37a8
SS
1754 non-ARP traffic should be filtered (disregarded) for link
1755 monitoring purposes. Possible values are
1756 <literal>none</literal>,
1757 <literal>active</literal>,
a8eaaee7
JE
1758 <literal>backup</literal> and
1759 <literal>all</literal>.
81bd37a8
SS
1760 </para>
1761 </listitem>
1762 </varlistentry>
1763
1764 <varlistentry>
38422da7 1765 <term><varname>ARPIntervalSec=</varname></term>
81bd37a8 1766 <listitem>
06c52cc2
ZJS
1767 <para>Specifies the ARP link monitoring frequency. A value of 0 disables ARP monitoring. The
1768 default value is 0, and the default unit is seconds.
81bd37a8
SS
1769 </para>
1770 </listitem>
1771 </varlistentry>
1772
1773 <varlistentry>
38422da7 1774 <term><varname>ARPIPTargets=</varname></term>
81bd37a8
SS
1775 <listitem>
1776 <para>Specifies the IP addresses to use as ARP monitoring peers when
38422da7 1777 ARPIntervalSec is greater than 0. These are the targets of the ARP request
81bd37a8 1778 sent to determine the health of the link to the targets.
a8eaaee7 1779 Specify these values in IPv4 dotted decimal format. At least one IP
81bd37a8
SS
1780 address must be given for ARP monitoring to function. The
1781 maximum number of targets that can be specified is 16. The
1782 default value is no IP addresses.
1783 </para>
1784 </listitem>
1785 </varlistentry>
1786
1787 <varlistentry>
38422da7 1788 <term><varname>ARPAllTargets=</varname></term>
81bd37a8 1789 <listitem>
38422da7 1790 <para>Specifies the quantity of ARPIPTargets that must be reachable
81bd37a8
SS
1791 in order for the ARP monitor to consider a slave as being up.
1792 This option affects only active-backup mode for slaves with
38422da7 1793 ARPValidate enabled. Possible values are
a8eaaee7
JE
1794 <literal>any</literal> and
1795 <literal>all</literal>.
81bd37a8
SS
1796 </para>
1797 </listitem>
1798 </varlistentry>
1799
1800 <varlistentry>
38422da7 1801 <term><varname>PrimaryReselectPolicy=</varname></term>
81bd37a8
SS
1802 <listitem>
1803 <para>Specifies the reselection policy for the primary slave. This
1804 affects how the primary slave is chosen to become the active slave
1805 when failure of the active slave or recovery of the primary slave
1806 occurs. This option is designed to prevent flip-flopping between
1807 the primary slave and other slaves. Possible values are
1808 <literal>always</literal>,
a8eaaee7
JE
1809 <literal>better</literal> and
1810 <literal>failure</literal>.
81bd37a8
SS
1811 </para>
1812 </listitem>
1813 </varlistentry>
1814
1815 <varlistentry>
1816 <term><varname>ResendIGMP=</varname></term>
1817 <listitem>
1818 <para>Specifies the number of IGMP membership reports to be issued after
1819 a failover event. One membership report is issued immediately after
1820 the failover; subsequent packets are sent in each 200ms interval.
b938cb90 1821 The valid range is 0–255. Defaults to 1. A value of 0
81bd37a8
SS
1822 prevents the IGMP membership report from being issued in response
1823 to the failover event.
1824 </para>
1825 </listitem>
1826 </varlistentry>
1827
1828 <varlistentry>
1829 <term><varname>PacketsPerSlave=</varname></term>
1830 <listitem>
b938cb90 1831 <para>Specify the number of packets to transmit through a slave before
488d0ba1
YW
1832 moving to the next one. When set to 0, then a slave is chosen at
1833 random. The valid range is 0–65535. Defaults to 1. This option
1834 only has effect when in balance-rr mode.
81bd37a8
SS
1835 </para>
1836 </listitem>
1837 </varlistentry>
1838
1839 <varlistentry>
38422da7 1840 <term><varname>GratuitousARP=</varname></term>
81bd37a8
SS
1841 <listitem>
1842 <para>Specify the number of peer notifications (gratuitous ARPs and
488d0ba1
YW
1843 unsolicited IPv6 Neighbor Advertisements) to be issued after a
1844 failover event. As soon as the link is up on the new slave,
1845 a peer notification is sent on the bonding device and each
1846 VLAN sub-device. This is repeated at each link monitor interval
1847 (ARPIntervalSec or MIIMonitorSec, whichever is active) if the number is
1848 greater than 1. The valid range is 0–255. The default value is 1.
1849 This option affects only the active-backup mode.
81bd37a8
SS
1850 </para>
1851 </listitem>
1852 </varlistentry>
1853
1854 <varlistentry>
1855 <term><varname>AllSlavesActive=</varname></term>
1856 <listitem>
9b6ffef3 1857 <para>Takes a boolean. Specifies that duplicate frames (received on inactive ports)
a8eaaee7 1858 should be dropped when false, or delivered when true. Normally, bonding will drop
81bd37a8
SS
1859 duplicate frames (received on inactive ports), which is desirable for
1860 most users. But sometimes it is useful to allow duplicate
1861 frames to be delivered. The default value is false (drop duplicate frames
1862 received on inactive ports).
1863 </para>
1864 </listitem>
1865 </varlistentry>
1866
fde60a42
SS
1867 <varlistentry>
1868 <term><varname>DynamicTransmitLoadBalancing=</varname></term>
1869 <listitem>
1870 <para>Takes a boolean. Specifies if dynamic shuffling of flows is enabled. Applies only
1871 for balance-tlb mode. Defaults to unset.
1872 </para>
1873 </listitem>
1874 </varlistentry>
1875
81bd37a8
SS
1876 <varlistentry>
1877 <term><varname>MinLinks=</varname></term>
1878 <listitem>
1879 <para>Specifies the minimum number of links that must be active before
1880 asserting carrier. The default value is 0.
1881 </para>
1882 </listitem>
1883 </varlistentry>
798d3a52 1884 </variablelist>
81bd37a8
SS
1885
1886 <para>For more detailed information, see
1887 <ulink url="https://www.kernel.org/doc/Documentation/networking/bonding.txt">
1888 Linux Ethernet Bonding Driver HOWTO</ulink>.</para>
b8d88b26 1889 </refsect1>
81bd37a8 1890
98d20a17 1891 <refsect1>
1892 <title>[Xfrm] Section Options</title>
1893
bdac5608 1894 <para>The [Xfrm] section accepts the following
98d20a17 1895 keys:</para>
1896
1897 <variablelist class='network-directives'>
1898 <varlistentry>
1899 <term><varname>InterfaceId=</varname></term>
1900 <listitem>
1901 <para>Sets the ID/key of the xfrm interface which needs to be associated with a SA/policy.
1902 Can be decimal or hexadecimal, valid range is 0-0xffffffff, defaults to 0.</para>
1903 </listitem>
1904 </varlistentry>
1905 <varlistentry>
1906 <term><varname>Independent=</varname></term>
1907 <listitem>
1908 <para>Takes a boolean. If set to <literal>no</literal>, the xfrm interface should have an
1909 underlying device which can be used for hardware offloading. Defaults to <literal>no</literal>.
1910 See <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1911 for how to configure the underlying device.</para>
1912 </listitem>
1913 </varlistentry>
1914 </variablelist>
1915
1916 <para>For more detailed information, see
e9dd6984 1917 <ulink url="https://lwn.net/Articles/757391">Virtual XFRM Interfaces</ulink>.</para>
98d20a17 1918 </refsect1>
1919
b8d88b26
FP
1920 <refsect1>
1921 <title>[VRF] Section Options</title>
bdac5608 1922 <para>The [VRF] section only applies for
b8d88b26
FP
1923 netdevs of kind <literal>vrf</literal> and accepts the
1924 following key:</para>
1925
1926 <variablelist class='network-directives'>
1927 <varlistentry>
1928 <term><varname>Table=</varname></term>
1929 <listitem>
e9dd6984 1930 <para>The numeric routing table identifier. This setting is compulsory.</para>
b8d88b26
FP
1931 </listitem>
1932 </varlistentry>
1933 </variablelist>
798d3a52
ZJS
1934 </refsect1>
1935
1936 <refsect1>
48847676 1937 <title>Examples</title>
798d3a52 1938 <example>
6c1695be 1939 <title>/etc/systemd/network/25-bridge.netdev</title>
798d3a52
ZJS
1940
1941 <programlisting>[NetDev]
eac684ef
TG
1942Name=bridge0
1943Kind=bridge</programlisting>
798d3a52 1944 </example>
eac684ef 1945
798d3a52 1946 <example>
6c1695be 1947 <title>/etc/systemd/network/25-vlan1.netdev</title>
eac684ef 1948
798d3a52 1949 <programlisting>[Match]
eac684ef
TG
1950Virtualization=no
1951
1952[NetDev]
1953Name=vlan1
1954Kind=vlan
1955
1956[VLAN]
1957Id=1</programlisting>
798d3a52
ZJS
1958 </example>
1959 <example>
6c1695be 1960 <title>/etc/systemd/network/25-ipip.netdev</title>
798d3a52 1961 <programlisting>[NetDev]
b35a2909
TG
1962Name=ipip-tun
1963Kind=ipip
1964MTUBytes=1480
1965
1966[Tunnel]
1967Local=192.168.223.238
1968Remote=192.169.224.239
1969TTL=64</programlisting>
798d3a52 1970 </example>
53cb501a
SS
1971 <example>
1972 <title>/etc/systemd/network/1-fou-tunnel.netdev</title>
1973 <programlisting>[NetDev]
1974Name=fou-tun
1975Kind=fou
1976
1977[FooOverUDP]
1978Port=5555
1979Protocol=4
1980 </programlisting>
1981 </example>
1982 <example>
1983 <title>/etc/systemd/network/25-fou-ipip.netdev</title>
1984 <programlisting>[NetDev]
53cb501a
SS
1985Name=ipip-tun
1986Kind=ipip
1987
1988[Tunnel]
964c4eda 1989Independent=yes
53cb501a
SS
1990Local=10.65.208.212
1991Remote=10.65.208.211
964c4eda 1992FooOverUDP=yes
53cb501a
SS
1993FOUDestinationPort=5555
1994 </programlisting>
1995 </example>
798d3a52 1996 <example>
6c1695be 1997 <title>/etc/systemd/network/25-tap.netdev</title>
798d3a52 1998 <programlisting>[NetDev]
30ae9dfd
SS
1999Name=tap-test
2000Kind=tap
2001
2002[Tap]
964c4eda
LP
2003MultiQueue=yes
2004PacketInfo=yes</programlisting> </example>
eac684ef 2005
798d3a52 2006 <example>
6c1695be 2007 <title>/etc/systemd/network/25-sit.netdev</title>
798d3a52 2008 <programlisting>[NetDev]
b35a2909
TG
2009Name=sit-tun
2010Kind=sit
2011MTUBytes=1480
2012
2013[Tunnel]
2014Local=10.65.223.238
2015Remote=10.65.223.239</programlisting>
798d3a52 2016 </example>
eac684ef 2017
d067cab3
DA
2018 <example>
2019 <title>/etc/systemd/network/25-6rd.netdev</title>
2020 <programlisting>[NetDev]
2021Name=6rd-tun
2022Kind=sit
2023MTUBytes=1480
2024
2025[Tunnel]
2026Local=10.65.223.238
2027IPv6RapidDeploymentPrefix=2602::/24</programlisting>
2028 </example>
2029
798d3a52 2030 <example>
6c1695be 2031 <title>/etc/systemd/network/25-gre.netdev</title>
798d3a52 2032 <programlisting>[NetDev]
b35a2909
TG
2033Name=gre-tun
2034Kind=gre
2035MTUBytes=1480
2036
2037[Tunnel]
2038Local=10.65.223.238
2039Remote=10.65.223.239</programlisting>
798d3a52 2040 </example>
b35a2909 2041
21bba27d 2042 <example>
2043 <title>/etc/systemd/network/25-ip6gre.netdev</title>
2044 <programlisting>[NetDev]
2045Name=ip6gre-tun
2046Kind=ip6gre
2047
2048[Tunnel]
2049Key=123</programlisting>
2050 </example>
2051
798d3a52 2052 <example>
6c1695be 2053 <title>/etc/systemd/network/25-vti.netdev</title>
b35a2909 2054
798d3a52 2055 <programlisting>[NetDev]
b35a2909
TG
2056Name=vti-tun
2057Kind=vti
2058MTUBytes=1480
2059
2060[Tunnel]
2061Local=10.65.223.238
2062Remote=10.65.223.239</programlisting>
798d3a52 2063 </example>
b35a2909 2064
798d3a52 2065 <example>
6c1695be 2066 <title>/etc/systemd/network/25-veth.netdev</title>
798d3a52 2067 <programlisting>[NetDev]
b35a2909
TG
2068Name=veth-test
2069Kind=veth
2070
2071[Peer]
2072Name=veth-peer</programlisting>
798d3a52 2073 </example>
b35a2909 2074
d94facdc 2075 <example>
6c1695be 2076 <title>/etc/systemd/network/25-bond.netdev</title>
d94facdc
MH
2077 <programlisting>[NetDev]
2078Name=bond1
2079Kind=bond
2080
2081[Bond]
2082Mode=802.3ad
2083TransmitHashPolicy=layer3+4
2084MIIMonitorSec=1s
2085LACPTransmitRate=fast
2086</programlisting>
2087 </example>
2088
798d3a52 2089 <example>
6c1695be 2090 <title>/etc/systemd/network/25-dummy.netdev</title>
798d3a52 2091 <programlisting>[NetDev]
9e358851
TG
2092Name=dummy-test
2093Kind=dummy
2094MACAddress=12:34:56:78:9a:bc</programlisting>
798d3a52 2095 </example>
20897a0d
AR
2096 <example>
2097 <title>/etc/systemd/network/25-vrf.netdev</title>
037a3ded 2098 <para>Create a VRF interface with table 42.</para>
20897a0d
AR
2099 <programlisting>[NetDev]
2100Name=vrf-test
2101Kind=vrf
798d3a52 2102
20897a0d 2103[VRF]
362f6336 2104Table=42</programlisting>
20897a0d 2105 </example>
42125eda
SS
2106
2107 <example>
2108 <title>/etc/systemd/network/25-macvtap.netdev</title>
2109 <para>Create a MacVTap device.</para>
2110 <programlisting>[NetDev]
2111Name=macvtap-test
2112Kind=macvtap
2113 </programlisting>
2114 </example>
e5719363
JT
2115 <example>
2116 <title>/etc/systemd/network/25-wireguard.netdev</title>
2117 <programlisting>[NetDev]
2118Name=wg0
2119Kind=wireguard
2120
2121[WireGuard]
2122PrivateKey=EEGlnEPYJV//kbvvIqxKkQwOiS+UENyPncC4bF46ong=
2123ListenPort=51820
2124
2125[WireGuardPeer]
2126PublicKey=RDf+LSpeEre7YEIKaxg+wbpsNV7du+ktR99uBEtIiCA=
2127AllowedIPs=fd31:bf08:57cb::/48,192.168.26.0/24
2128Endpoint=wireguard.example.com:51820</programlisting>
2129 </example>
98d20a17 2130
2131 <example>
2132 <title>/etc/systemd/network/27-xfrm.netdev</title>
a15e1a5d 2133 <programlisting>[NetDev]
98d20a17 2134Name=xfrm0
2135Kind=xfrm
2136
2137[Xfrm]
2138Independent=yes</programlisting>
2139 </example>
798d3a52 2140 </refsect1>
488d0ba1 2141
798d3a52
ZJS
2142 <refsect1>
2143 <title>See Also</title>
2144 <para>
2145 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
2146 <citerefentry><refentrytitle>systemd-networkd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
2147 <citerefentry><refentrytitle>systemd.link</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
2148 <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
2149 </para>
2150 </refsect1>
eac684ef
TG
2151
2152</refentry>