git.ipfire.org Git - thirdparty/systemd.git/blame - man/systemd.netdev.xml
Add IFLA_BR_MCAST_IGMP_VERSION
<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1+ -->

<refentry id="systemd.netdev" conditional='ENABLE_NETWORKD'>

  <refentryinfo>
    <title>systemd.network</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>systemd.netdev</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>systemd.netdev</refname>
    <refpurpose>Virtual Network Device configuration</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename><replaceable>netdev</replaceable>.netdev</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>Network setup is performed by
    <citerefentry><refentrytitle>systemd-networkd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
    </para>

    <para>The main Virtual Network Device file must have the extension <filename>.netdev</filename>;
    other extensions are ignored. Virtual network devices are created as soon as networkd is
    started. If a netdev with the specified name already exists, networkd will use that as-is rather
    than create its own. Note that the settings of the pre-existing netdev will not be changed by
    networkd.</para>

    <para>The <filename>.netdev</filename> files are read from the files located in the system
    network directory <filename>/usr/lib/systemd/network</filename>, the volatile runtime network
    directory <filename>/run/systemd/network</filename> and the local administration network
    directory <filename>/etc/systemd/network</filename>. All configuration files are collectively
    sorted and processed in lexical order, regardless of the directories in which they live.
    However, files with identical filenames replace each other. Files in <filename>/etc</filename>
    have the highest priority, files in <filename>/run</filename> take precedence over files with
    the same name in <filename>/usr/lib</filename>. This can be used to override a system-supplied
    configuration file with a local file if needed. As a special case, an empty file (file size 0)
    or symlink with the same name pointing to <filename>/dev/null</filename> disables the
    configuration file entirely (it is "masked").</para>

    <para>Along with the netdev file <filename>foo.netdev</filename>, a "drop-in" directory
    <filename>foo.netdev.d/</filename> may exist. All files with the suffix <literal>.conf</literal>
    from this directory will be parsed after the file itself is parsed. This is useful to alter or
    add configuration settings, without having to modify the main configuration file. Each drop-in
    file must have appropriate section headers.</para>

    <para>In addition to <filename>/etc/systemd/network</filename>, drop-in <literal>.d</literal>
    directories can be placed in <filename>/usr/lib/systemd/network</filename> or
    <filename>/run/systemd/network</filename> directories. Drop-in files in
    <filename>/etc</filename> take precedence over those in <filename>/run</filename> which in turn
    take precedence over those in <filename>/usr/lib</filename>. Drop-in files under any of these
    directories take precedence over the main netdev file wherever located. (Of course, since
    <filename>/run</filename> is temporary and <filename>/usr/lib</filename> is for vendors, it is
    unlikely drop-ins should be used in either of those places.)</para>
  </refsect1>
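The lookup rules in the Description section decide which file networkd actually applies, which is what an audit for overridden or masked device definitions has to reproduce. The following Python sketch is an added example, not part of the systemd sources: the names `effective_netdevs`, `is_masked` and `build_sample_tree` are hypothetical, the directory tree is constructed sample data, and the handling of same-named drop-ins (the higher-priority directory wins, files applied in lexical order) is an assumption about how "take precedence" is applied.

```python
import os
import tempfile

# Search path in ascending priority, as listed in the Description section.
SEARCH_DIRS = ("usr/lib/systemd/network", "run/systemd/network", "etc/systemd/network")


def is_masked(path):
    """An empty file, or a symlink pointing to /dev/null, disables the file."""
    if os.path.islink(path) and os.path.realpath(path) == "/dev/null":
        return True
    return os.path.isfile(path) and os.path.getsize(path) == 0


def effective_netdevs(root):
    """Return ([(name, main_path, [dropin_paths])], [masked_names]) for a root."""
    main = {}      # file name -> winning path
    dropins = {}   # file name -> {drop-in name -> winning path}
    for rel in SEARCH_DIRS:                  # later directories override earlier
        directory = os.path.join(root, rel)
        if not os.path.isdir(directory):
            continue
        for entry in os.listdir(directory):
            full = os.path.join(directory, entry)
            if entry.endswith(".netdev") and not os.path.isdir(full):
                main[entry] = full           # identical filenames replace each other
            elif entry.endswith(".netdev.d") and os.path.isdir(full):
                slot = dropins.setdefault(entry[:-2], {})
                for conf in os.listdir(full):
                    if conf.endswith(".conf"):
                        # Assumption: a same-named drop-in in a higher-priority
                        # directory replaces the lower-priority one.
                        slot[conf] = os.path.join(full, conf)
    active, masked = [], []
    for name in sorted(main):                # lexical order across all directories
        if is_masked(main[name]):
            masked.append(name)
            continue
        confs = dropins.get(name, {})
        active.append((name, main[name], [confs[c] for c in sorted(confs)]))
    return active, masked


def build_sample_tree(root):
    """Constructed sample layout, not taken from any real host."""
    def write(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write(text)

    write("usr/lib/systemd/network/10-br0.netdev", "[NetDev]\nName=br0\nKind=bridge\n")
    write("etc/systemd/network/10-br0.netdev",
          "[NetDev]\nName=br0\nKind=bridge\n[Bridge]\nSTP=yes\n")
    write("usr/lib/systemd/network/20-vx.netdev", "[NetDev]\nName=vx0\nKind=vxlan\n")
    write("etc/systemd/network/20-vx.netdev", "")            # empty file: masked
    write("run/systemd/network/30-dummy.netdev", "[NetDev]\nName=d0\nKind=dummy\n")
    write("usr/lib/systemd/network/40-wg.netdev", "[NetDev]\nName=wg0\nKind=wireguard\n")
    os.symlink("/dev/null",                                   # symlink: masked
               os.path.join(root, "etc/systemd/network/40-wg.netdev"))
    write("run/systemd/network/10-br0.netdev.d/50-a.conf", "[Bridge]\nSTP=no\n")
    write("etc/systemd/network/10-br0.netdev.d/50-a.conf", "[Bridge]\nVLANFiltering=yes\n")
    write("etc/systemd/network/10-br0.netdev.d/90-b.conf", "[Bridge]\nPriority=4096\n")


def demo():
    """Resolve the sample tree and return paths relative to its root."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        active, masked = effective_netdevs(root)
        rel = lambda p: os.path.relpath(p, root)
        return [(n, rel(m), [rel(c) for c in cs]) for n, m, cs in active], masked


if __name__ == "__main__":
    active, masked = demo()
    for name, main_path, confs in active:
        print(name, "<-", main_path, confs)
    print("masked:", masked)
```

Pointing `effective_netdevs` at `/` on a real host lists the files that win, so a vendor definition silently replaced or masked from `/etc` or `/run` shows up in the output.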

  <refsect1>
    <title>Supported netdev kinds</title>

    <para>The following kinds of virtual network devices may be
    configured in <filename>.netdev</filename> files:</para>

    <table>
      <title>Supported kinds of virtual network devices</title>

      <tgroup cols='2'>
        <colspec colname='kind' />
        <colspec colname='explanation' />
        <thead><row>
          <entry>Kind</entry>
          <entry>Description</entry>
        </row></thead>
        <tbody>
          <row><entry><varname>bond</varname></entry>
          <entry>A bond device is an aggregation of all its slave devices. See <ulink url="https://www.kernel.org/doc/Documentation/networking/bonding.txt">Linux Ethernet Bonding Driver HOWTO</ulink> for details.</entry></row>

          <row><entry><varname>bridge</varname></entry>
          <entry>A bridge device is a software switch, and each of its slave devices and the bridge itself are ports of the switch.</entry></row>

          <row><entry><varname>dummy</varname></entry>
          <entry>A dummy device drops all packets sent to it.</entry></row>

          <row><entry><varname>gre</varname></entry>
          <entry>A Level 3 GRE tunnel over IPv4. See <ulink url="https://tools.ietf.org/html/rfc2784">RFC 2784</ulink> for details.</entry></row>

          <row><entry><varname>gretap</varname></entry>
          <entry>A Level 2 GRE tunnel over IPv4.</entry></row>

          <row><entry><varname>erspan</varname></entry>
          <entry>ERSPAN mirrors traffic on one or more source ports and delivers the mirrored traffic to one or more destination ports on another switch. The traffic is encapsulated in generic routing encapsulation (GRE) and is therefore routable across a layer 3 network between the source switch and the destination switch.</entry></row>

          <row><entry><varname>ip6gre</varname></entry>
          <entry>A Level 3 GRE tunnel over IPv6.</entry></row>

          <row><entry><varname>ip6tnl</varname></entry>
          <entry>An IPv4 or IPv6 tunnel over IPv6.</entry></row>

          <row><entry><varname>ip6gretap</varname></entry>
          <entry>A Level 2 GRE tunnel over IPv6.</entry></row>

          <row><entry><varname>ipip</varname></entry>
          <entry>An IPv4 over IPv4 tunnel.</entry></row>

          <row><entry><varname>ipvlan</varname></entry>
          <entry>An ipvlan device is a stacked device which receives packets from its underlying device based on IP address filtering.</entry></row>

          <row><entry><varname>ipvtap</varname></entry>
          <entry>An ipvtap device is a stacked device which receives packets from its underlying device based on IP address filtering and can be accessed using the tap user space interface.</entry></row>

          <row><entry><varname>macvlan</varname></entry>
          <entry>A macvlan device is a stacked device which receives packets from its underlying device based on MAC address filtering.</entry></row>

          <row><entry><varname>macvtap</varname></entry>
          <entry>A macvtap device is a stacked device which receives packets from its underlying device based on MAC address filtering.</entry></row>

          <row><entry><varname>sit</varname></entry>
          <entry>An IPv6 over IPv4 tunnel.</entry></row>

          <row><entry><varname>tap</varname></entry>
          <entry>A persistent Level 2 tunnel between a network device and a device node.</entry></row>

          <row><entry><varname>tun</varname></entry>
          <entry>A persistent Level 3 tunnel between a network device and a device node.</entry></row>

          <row><entry><varname>veth</varname></entry>
          <entry>An Ethernet tunnel between a pair of network devices.</entry></row>

          <row><entry><varname>vlan</varname></entry>
          <entry>A VLAN is a stacked device which receives packets from its underlying device based on VLAN tagging. See <ulink url="http://www.ieee802.org/1/pages/802.1Q.html">IEEE 802.1Q</ulink> for details.</entry></row>

          <row><entry><varname>vti</varname></entry>
          <entry>An IPv4 over IPSec tunnel.</entry></row>

          <row><entry><varname>vti6</varname></entry>
          <entry>An IPv6 over IPSec tunnel.</entry></row>

          <row><entry><varname>vxlan</varname></entry>
          <entry>A virtual extensible LAN (vxlan), for connecting Cloud computing deployments.</entry></row>

          <row><entry><varname>geneve</varname></entry>
          <entry>A GEneric NEtwork Virtualization Encapsulation (GENEVE) netdev driver.</entry></row>

          <row><entry><varname>l2tp</varname></entry>
          <entry>A Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It does not provide any encryption or confidentiality by itself.</entry></row>

          <row><entry><varname>macsec</varname></entry>
          <entry>Media Access Control Security (MACsec) is an 802.1AE IEEE industry-standard security technology that provides secure communication for all traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly connected nodes and is capable of identifying and preventing most security threats.</entry></row>

          <row><entry><varname>vrf</varname></entry>
          <entry>A Virtual Routing and Forwarding (<ulink url="https://www.kernel.org/doc/Documentation/networking/vrf.txt">VRF</ulink>) interface to create separate routing and forwarding domains.</entry></row>

          <row><entry><varname>vcan</varname></entry>
          <entry>The virtual CAN driver (vcan). Similar to the network loopback devices, vcan offers a virtual local CAN interface.</entry></row>

          <row><entry><varname>vxcan</varname></entry>
          <entry>The virtual CAN tunnel driver (vxcan). Similar to the virtual ethernet driver veth, vxcan implements a local CAN traffic tunnel between two virtual CAN network devices. When creating a vxcan, two vxcan devices are created as a pair. When one end receives the packet it appears on its pair and vice versa. The vxcan can be used for cross-namespace communication.</entry></row>

          <row><entry><varname>wireguard</varname></entry>
          <entry>WireGuard Secure Network Tunnel.</entry></row>

          <row><entry><varname>netdevsim</varname></entry>
          <entry>A simulator. This simulated networking device is used for testing various networking APIs and at this time is particularly focused on testing hardware offloading related interfaces.</entry></row>

          <row><entry><varname>nlmon</varname></entry>
          <entry>A Netlink monitor device. Use an nlmon device when you want to monitor system Netlink messages.</entry></row>

          <row><entry><varname>fou</varname></entry>
          <entry>Foo-over-UDP tunneling.</entry></row>

          <row><entry><varname>xfrm</varname></entry>
          <entry>A virtual tunnel interface like vti/vti6 but with several advantages.</entry></row>

        </tbody>
      </tgroup>
    </table>

  </refsect1>

  <refsect1>
    <title>[Match] Section Options</title>

    <para>A virtual network device is only created if the
    <literal>[Match]</literal> section matches the current
    environment, or if the section is empty. The following keys are
    accepted:</para>

    <variablelist class='network-directives'>
      <varlistentry>
        <term><varname>Host=</varname></term>
        <listitem>
          <para>Matches against the hostname or machine ID of the host. See
          <literal>ConditionHost=</literal> in
          <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          for details. When prefixed with an exclamation mark (<literal>!</literal>), the result is negated.
          If an empty string is assigned, the previously assigned value is cleared.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>Virtualization=</varname></term>
        <listitem>
          <para>Checks whether the system is executed in a virtualized environment and optionally tests
          whether it is a specific implementation. See <literal>ConditionVirtualization=</literal> in
          <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          for details. When prefixed with an exclamation mark (<literal>!</literal>), the result is negated.
          If an empty string is assigned, the previously assigned value is cleared.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>KernelCommandLine=</varname></term>
        <listitem>
          <para>Checks whether a specific kernel command line option is set. See
          <literal>ConditionKernelCommandLine=</literal> in
          <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          for details. When prefixed with an exclamation mark (<literal>!</literal>), the result is negated.
          If an empty string is assigned, the previously assigned value is cleared.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>KernelVersion=</varname></term>
        <listitem>
          <para>Checks whether the kernel version (as reported by <command>uname -r</command>) matches a
          certain expression. See <literal>ConditionKernelVersion=</literal> in
          <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          for details. When prefixed with an exclamation mark (<literal>!</literal>), the result is negated.
          If an empty string is assigned, the previously assigned value is cleared.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>Architecture=</varname></term>
        <listitem>
          <para>Checks whether the system is running on a specific architecture. See
          <literal>ConditionArchitecture=</literal> in
          <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          for details. When prefixed with an exclamation mark (<literal>!</literal>), the result is negated.
          If an empty string is assigned, the previously assigned value is cleared.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>[NetDev] Section Options</title>

    <para>The <literal>[NetDev]</literal> section accepts the
    following keys:</para>

    <variablelist class='network-directives'>
      <varlistentry>
        <term><varname>Description=</varname></term>
        <listitem>
          <para>A free-form description of the netdev.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>Name=</varname></term>
        <listitem>
          <para>The interface name used when creating the netdev.
          This option is compulsory.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>Kind=</varname></term>
        <listitem>
          <para>The netdev kind. This option is compulsory. See the
          <literal>Supported netdev kinds</literal> section for the
          valid keys.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>MTUBytes=</varname></term>
        <listitem>
          <para>The maximum transmission unit in bytes to set for the device. The usual suffixes K, M, G
          are supported and are understood to the base of 1024. For <literal>tun</literal> or
          <literal>tap</literal> devices, the <varname>MTUBytes=</varname> setting is not currently supported in
          the <literal>[NetDev]</literal> section. Please specify it in the <literal>[Link]</literal> section of
          the corresponding
          <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          files.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>MACAddress=</varname></term>
        <listitem>
          <para>The MAC address to use for the device. For <literal>tun</literal> or <literal>tap</literal>
          devices, setting <varname>MACAddress=</varname> in the <literal>[NetDev]</literal> section is not
          supported. Please specify it in the <literal>[Link]</literal> section of the corresponding
          <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          file. If this option is not set, <literal>vlan</literal> devices inherit the MAC address of the
          physical interface. For other kinds of netdevs, if this option is not set, the MAC address is
          generated based on the interface name and the
          <citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>[Bridge] Section Options</title>

    <para>The <literal>[Bridge]</literal> section only applies for
    netdevs of kind <literal>bridge</literal>, and accepts the
    following keys:</para>

    <variablelist class='network-directives'>
      <varlistentry>
        <term><varname>HelloTimeSec=</varname></term>
        <listitem>
          <para>HelloTimeSec specifies the number of seconds between two hello packets
          sent out by the root bridge and the designated bridges. Hello packets are
          used to communicate information about the topology throughout the entire
          bridged local area network.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>MaxAgeSec=</varname></term>
        <listitem>
          <para>MaxAgeSec specifies the number of seconds of maximum message age.
          If the last seen (received) hello packet is more than this number of
          seconds old, the bridge in question will start the takeover procedure
          in an attempt to become the Root Bridge itself.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>ForwardDelaySec=</varname></term>
        <listitem>
          <para>ForwardDelaySec specifies the number of seconds spent in each
          of the Listening and Learning states before the Forwarding state is entered.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>AgeingTimeSec=</varname></term>
        <listitem>
          <para>This specifies the number of seconds a MAC Address will be kept in
          the forwarding database after a packet has been received from this MAC Address.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>Priority=</varname></term>
        <listitem>
          <para>The priority of the bridge. An integer between 0 and 65535. A lower value
          means higher priority. The bridge having the lowest priority will be elected as root bridge.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>GroupForwardMask=</varname></term>
        <listitem>
          <para>A 16-bit bitmask represented as an integer which allows forwarding of link
          local frames with 802.1D reserved addresses (01:80:C2:00:00:0X). A logical AND
          is performed between the specified bitmask and 2^X, where X is the
          lower nibble of the last octet of the MAC address. For example, a value of 8
          would allow forwarding of frames addressed to 01:80:C2:00:00:03 (802.1X PAE).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>DefaultPVID=</varname></term>
        <listitem>
          <para>This specifies the default port VLAN ID of a newly attached bridge port.
          Set this to an integer in the range 1–4094 or <literal>none</literal> to disable the PVID.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>MulticastQuerier=</varname></term>
        <listitem>
          <para>Takes a boolean. This setting controls the IFLA_BR_MCAST_QUERIER option in the kernel.
          If enabled, the kernel will send general ICMP queries from a zero source address.
          This feature should allow faster convergence on startup, but it causes some
          multicast-aware switches to misbehave and disrupt forwarding of multicast packets.
          When unset, the kernel's default will be used.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>MulticastSnooping=</varname></term>
        <listitem>
          <para>Takes a boolean. This setting controls the IFLA_BR_MCAST_SNOOPING option in the kernel.
          If enabled, IGMP snooping monitors the Internet Group Management Protocol (IGMP) traffic
          between hosts and multicast routers. When unset, the kernel's default will be used.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>VLANFiltering=</varname></term>
        <listitem>
          <para>Takes a boolean. This setting controls the IFLA_BR_VLAN_FILTERING option in the kernel.
          If enabled, the bridge will be started in VLAN-filtering mode. When unset, the kernel's default will be used.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>STP=</varname></term>
        <listitem>
          <para>Takes a boolean. This enables the bridge's Spanning Tree Protocol (STP).
          When unset, the kernel's default will be used.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
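A reviewer reading a bridge definition usually wants to know which reserved link-local frames a given GroupForwardMask= value lets through the bridge. The following Python sketch is an added example, not code from systemd or the kernel: the function names and the sample .netdev text are constructed, the value is assumed to be written as a decimal integer, and the protocol labels other than 802.1X PAE come from the IEEE 802.1 reserved-address assignments rather than from this page.

```python
import re

RESERVED_PREFIX = "01:80:C2:00:00:0"

# Labels for some reserved addresses, keyed by the lower nibble X of the last
# octet. Only 802.1X PAE is named in the man page; the others are added here.
KNOWN = {
    0x0: "STP/RSTP BPDU (Bridge Group Address)",
    0x1: "IEEE 802.3x MAC PAUSE",
    0x2: "Slow Protocols (LACP)",
    0x3: "802.1X PAE (EAPOL)",
    0xE: "LLDP (nearest bridge)",
}

# Constructed sample configuration: 16392 = 0x4008, i.e. bits 3 and 14 set.
SAMPLE_NETDEV = """\
[NetDev]
Name=br-lab
Kind=bridge

[Bridge]
STP=no
GroupForwardMask=16392
"""


def forwarded_addresses(mask):
    """Expand a 16-bit mask into the reserved addresses it allows forwarding of."""
    if not 0 <= mask <= 0xFFFF:
        raise ValueError("GroupForwardMask is a 16-bit value")
    return [f"{RESERVED_PREFIX}{x:X}" for x in range(16) if mask & (1 << x)]


def is_forwarded(mask, mac):
    """Apply the documented check: mask AND 2^X, X = lower nibble of last octet."""
    match = re.fullmatch(r"01:80:C2:00:00:0([0-9A-F])", mac.upper())
    if match is None:
        raise ValueError("not an 802.1D reserved address: %r" % mac)
    return bool(mask & (1 << int(match.group(1), 16)))


def bridge_group_forward_mask(netdev_text):
    """Return GroupForwardMask= from the [Bridge] section, or None if unset."""
    section, mask = None, None
    for raw in netdev_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Bridge" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "GroupForwardMask":
                mask = int(value)        # assumption: decimal integer
    return mask


def report(netdev_text):
    """List (address, label) pairs that the configured mask allows forwarding of."""
    mask = bridge_group_forward_mask(netdev_text)
    if mask is None:
        return []
    return [(addr, KNOWN.get(int(addr[-1], 16), "reserved"))
            for addr in forwarded_addresses(mask)]


if __name__ == "__main__":
    for addr, label in report(SAMPLE_NETDEV):
        print(addr, label)
```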

  <refsect1>
    <title>[VLAN] Section Options</title>

    <para>The <literal>[VLAN]</literal> section only applies for
    netdevs of kind <literal>vlan</literal>, and accepts the
    following keys:</para>

    <variablelist class='network-directives'>
      <varlistentry>
        <term><varname>Id=</varname></term>
        <listitem>
          <para>The VLAN ID to use. An integer in the range 0–4094.
          This option is compulsory.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>GVRP=</varname></term>
        <listitem>
          <para>Takes a boolean. The Generic VLAN Registration Protocol (GVRP) is a protocol that
          allows automatic learning of VLANs on a network.
          When unset, the kernel's default will be used.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>MVRP=</varname></term>
        <listitem>
          <para>Takes a boolean. Multiple VLAN Registration Protocol (MVRP), formerly known as GARP VLAN
          Registration Protocol (GVRP), is a standards-based Layer 2 network protocol
          for automatic configuration of VLAN information on switches. It was defined
          in the 802.1ak amendment to 802.1Q-2005. When unset, the kernel's default will be used.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>LooseBinding=</varname></term>
        <listitem>
          <para>Takes a boolean. The VLAN loose binding mode, in which only the operational state is passed
          from the parent to the associated VLANs, but the VLAN device state is not changed.
          When unset, the kernel's default will be used.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>ReorderHeader=</varname></term>
        <listitem>
          <para>Takes a boolean. When the VLAN reorder header is set, VLAN interfaces behave like physical interfaces.
          When unset, the kernel's default will be used.</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>[MACVLAN] Section Options</title>

    <para>The <literal>[MACVLAN]</literal> section only applies for
    netdevs of kind <literal>macvlan</literal>, and accepts the
    following key:</para>

    <variablelist class='network-directives'>
      <varlistentry>
        <term><varname>Mode=</varname></term>
        <listitem>
          <para>The MACVLAN mode to use. The supported options are
          <literal>private</literal>,
          <literal>vepa</literal>,
          <literal>bridge</literal>, and
          <literal>passthru</literal>.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>[MACVTAP] Section Options</title>

    <para>The <literal>[MACVTAP]</literal> section applies for
    netdevs of kind <literal>macvtap</literal> and accepts the
    same key as <literal>[MACVLAN]</literal>.</para>
  </refsect1>

  <refsect1>
    <title>[IPVLAN] Section Options</title>

    <para>The <literal>[IPVLAN]</literal> section only applies for
    netdevs of kind <literal>ipvlan</literal>, and accepts the
    following keys:</para>

    <variablelist class='network-directives'>
      <varlistentry>
        <term><varname>Mode=</varname></term>
        <listitem>
          <para>The IPVLAN mode to use. The supported options are
          <literal>L2</literal>, <literal>L3</literal> and <literal>L3S</literal>.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>Flags=</varname></term>
        <listitem>
          <para>The IPVLAN flags to use. The supported options are
          <literal>bridge</literal>, <literal>private</literal> and <literal>vepa</literal>.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>[IPVTAP] Section Options</title>

    <para>The <literal>[IPVTAP]</literal> section only applies for
    netdevs of kind <literal>ipvtap</literal> and accepts the
    same keys as <literal>[IPVLAN]</literal>.</para>
  </refsect1>

798d3a52
ZJS
535 <refsect1>
536 <title>[VXLAN] Section Options</title>
488d0ba1 537
798d3a52
ZJS
538 <para>The <literal>[VXLAN]</literal> section only applies for
539 netdevs of kind <literal>vxlan</literal>, and accepts the
540 following keys:</para>
541
542 <variablelist class='network-directives'>
543 <varlistentry>
6f213e4a 544 <term><varname>VNI=</varname></term>
798d3a52 545 <listitem>
6f213e4a 546 <para>The VXLAN Network Identifier (or VXLAN Segment ID). Takes a number in the range 1-16777215.</para>
798d3a52
ZJS
547 </listitem>
548 </varlistentry>
549 <varlistentry>
d35e5d37 550 <term><varname>Remote=</varname></term>
798d3a52 551 <listitem>
bf443be9 552 <para>Configures destination IP address.</para>
798d3a52
ZJS
553 </listitem>
554 </varlistentry>
555 <varlistentry>
d35e5d37
SS
556 <term><varname>Local=</varname></term>
557 <listitem>
558 <para>Configures local IP address.</para>
559 </listitem>
83cb24ac
SS
560 </varlistentry>
561 <varlistentry>
562 <term><varname>Group=</varname></term>
563 <listitem>
564 <para>Configures VXLAN multicast group IP address. All members of a VXLAN must use the same multicast group address.</para>
565 </listitem>
d35e5d37 566 </varlistentry>
488d0ba1 567 <varlistentry>
798d3a52
ZJS
568 <term><varname>TOS=</varname></term>
569 <listitem>
570 <para>The Type Of Service byte value for a vxlan interface.</para>
571 </listitem>
572 </varlistentry>
573 <varlistentry>
574 <term><varname>TTL=</varname></term>
575 <listitem>
f4a8ca32
SS
576 <para>A fixed Time To Live N on Virtual eXtensible Local Area Network packets.
577 Takes <literal>inherit</literal> or a number in the range 0–255. 0 is a special
578 value meaning inherit the inner protocol's TTL value. <literal>inherit</literal>
579 means that it will inherit the outer protocol's TTL value.</para>
798d3a52
ZJS
580 </listitem>
581 </varlistentry>
582 <varlistentry>
583 <term><varname>MacLearning=</varname></term>
584 <listitem>
9b6ffef3 585 <para>Takes a boolean. When true, enables dynamic MAC learning
798d3a52
ZJS
586 to discover remote MAC addresses.</para>
587 </listitem>
588 </varlistentry>
589 <varlistentry>
590 <term><varname>FDBAgeingSec=</varname></term>
591 <listitem>
592 <para>The lifetime of Forwarding Database entry learnt by
b938cb90 593 the kernel, in seconds.</para>
798d3a52
ZJS
594 </listitem>
595 </varlistentry>
596 <varlistentry>
3d276dd2
SS
597 <term><varname>MaximumFDBEntries=</varname></term>
598 <listitem>
599 <para>Configures maximum number of FDB entries.</para>
600 </listitem>
601 </varlistentry>
798d3a52 602 <varlistentry>
7dd6974c 603 <term><varname>ReduceARPProxy=</varname></term>
798d3a52 604 <listitem>
9b6ffef3 605 <para>Takes a boolean. When true, bridge-connected VXLAN tunnel
7dd6974c
SS
606 endpoint answers ARP requests from the local bridge on behalf
607 of remote Distributed Overlay Virtual Ethernet
608 <ulink url="https://en.wikipedia.org/wiki/Distributed_Overlay_Virtual_Ethernet">
609 (DVOE)</ulink> clients. Defaults to false.</para>
798d3a52
ZJS
610 </listitem>
611 </varlistentry>
612 <varlistentry>
613 <term><varname>L2MissNotification=</varname></term>
614 <listitem>
9b6ffef3 615 <para>Takes a boolean. When true, enables netlink LLADDR miss
798d3a52
ZJS
616 notifications.</para>
617 </listitem>
618 </varlistentry>
619 <varlistentry>
620 <term><varname>L3MissNotification=</varname></term>
621 <listitem>
9b6ffef3 622 <para>Takes a boolean. When true, enables netlink IP address miss
798d3a52
ZJS
623 notifications.</para>
624 </listitem>
625 </varlistentry>
626 <varlistentry>
627 <term><varname>RouteShortCircuit=</varname></term>
628 <listitem>
9b6ffef3 629 <para>Takes a boolean. When true, route short circuiting is turned
798d3a52
ZJS
630 on.</para>
631 </listitem>
632 </varlistentry>
cffacc74 633 <varlistentry>
53c06862 634 <term><varname>UDPChecksum=</varname></term>
cffacc74 635 <listitem>
9b6ffef3 636 <para>Takes a boolean. When true, transmitting UDP checksums when doing VXLAN/IPv4 is turned on.</para>
cffacc74
SS
637 </listitem>
638 </varlistentry>
639 <varlistentry>
640 <term><varname>UDP6ZeroChecksumTx=</varname></term>
641 <listitem>
9b6ffef3 642 <para>Takes a boolean. When true, sending zero checksums in VXLAN/IPv6 is turned on.</para>
cffacc74
SS
643 </listitem>
644 </varlistentry>
645 <varlistentry>
53c06862 646 <term><varname>UDP6ZeroChecksumRx=</varname></term>
cffacc74 647 <listitem>
9b6ffef3 648 <para>Takes a boolean. When true, receiving zero checksums in VXLAN/IPv6 is turned on.</para>
16441027
SS
649 </listitem>
650 </varlistentry>
651 <varlistentry>
53c06862 652 <term><varname>RemoteChecksumTx=</varname></term>
16441027 653 <listitem>
9b6ffef3 654 <para>Takes a boolean. When true, remote transmit checksum offload of VXLAN is turned on.</para>
16441027
SS
655 </listitem>
656 </varlistentry>
657 <varlistentry>
53c06862 658 <term><varname>RemoteChecksumRx=</varname></term>
16441027 659 <listitem>
9b6ffef3 660 <para>Takes a boolean. When true, remote receive checksum offload in VXLAN is turned on.</para>
cffacc74
SS
661 </listitem>
662 </varlistentry>
488d0ba1
YW
663 <varlistentry>
664 <term><varname>GroupPolicyExtension=</varname></term>
665 <listitem>
666 <para>Takes a boolean. When true, it enables Group Policy VXLAN extension security label mechanism
667 across network peers based on VXLAN. For details about the Group Policy VXLAN, see the
668 <ulink url="https://tools.ietf.org/html/draft-smith-vxlan-group-policy">
669 VXLAN Group Policy </ulink> document. Defaults to false.</para>
670 </listitem>
671 </varlistentry>
672 <varlistentry>
673 <term><varname>GenericProtocolExtension=</varname></term>
674 <listitem>
675 <para>Takes a boolean. When true, Generic Protocol Extension extends the existing VXLAN protocol
676 to provide protocol typing, OAM, and versioning capabilities. For details about the VXLAN GPE
677 Header, see the <ulink url="https://tools.ietf.org/html/draft-ietf-nvo3-vxlan-gpe-07">
678 Generic Protocol Extension for VXLAN </ulink> document. If destination port is not specified and
679 Generic Protocol Extension is set then default port of 4790 is used. Defaults to false.</para>
680 </listitem>
681 </varlistentry>
682 <varlistentry>
683 <term><varname>DestinationPort=</varname></term>
684 <listitem>
685 <para>Configures the default destination UDP port on a per-device basis.
686 If destination port is not specified then Linux kernel default will be used.
687 Set destination port 4789 to get the IANA assigned value. If not set or if the
688 destination port is assigned the empty string the default port of 4789 is used.</para>
689 </listitem>
690 </varlistentry>
691 <varlistentry>
692 <term><varname>PortRange=</varname></term>
ea0288d1
SS
693 <listitem>
694 <para>Configures VXLAN port range. VXLAN derives the source
695 UDP port from the flow to help the receiver
696 load balance based on outer header flow. It
697 restricts the port range to the normal UDP local
698 ports, and allows overriding via configuration.</para>
699 </listitem>
700 </varlistentry>
488d0ba1
YW
701 <varlistentry>
702 <term><varname>FlowLabel=</varname></term>
d8653945
SS
703 <listitem>
704 <para>Specifies the flow label to use in outgoing packets.
705 The valid range is 0-1048575.
706 </para>
707 </listitem>
488d0ba1 708 </varlistentry>
1189c00a
SS
709 <varlistentry>
710 <term><varname>IPDoNotFragment=</varname></term>
711 <listitem>
712 <para>Allows setting the IPv4 Do not Fragment (DF) bit in outgoing packets, or inheriting its
713 value from the IPv4 inner header. Takes a boolean value, or <literal>inherit</literal>. Set
714 to <literal>inherit</literal> if the encapsulated protocol is IPv6. When unset, the kernel's
715 default will be used.</para>
716 </listitem>
d8653945 717 </varlistentry>
798d3a52
ZJS
718 </variablelist>
719 </refsect1>
488d0ba1 720
6598e046
SS
721 <refsect1>
722 <title>[GENEVE] Section Options</title>
488d0ba1 723
6598e046
SS
724 <para>The <literal>[GENEVE]</literal> section only applies for
725 netdevs of kind <literal>geneve</literal>, and accepts the
726 following keys:</para>
727
728 <variablelist class='network-directives'>
729 <varlistentry>
730 <term><varname>Id=</varname></term>
731 <listitem>
328184d1 732 <para>Specifies the Virtual Network Identifier (VNI) to use. Takes a number in the range 0-16777215. This field is mandatory.</para>
6598e046
SS
733 </listitem>
734 </varlistentry>
735 <varlistentry>
736 <term><varname>Remote=</varname></term>
737 <listitem>
738 <para>Specifies the unicast destination IP address to use in outgoing packets.</para>
739 </listitem>
740 </varlistentry>
741 <varlistentry>
742 <term><varname>TOS=</varname></term>
743 <listitem>
98616735 744 <para>Specifies the TOS value to use in outgoing packets. Takes a number in the range 1-255.</para>
6598e046
SS
745 </listitem>
746 </varlistentry>
747 <varlistentry>
748 <term><varname>TTL=</varname></term>
749 <listitem>
d70c9bbd
SS
750 <para>Accepts the same key as in the <literal>[VXLAN]</literal> section, except that when unset or
751 set to 0, the kernel's default will be used, meaning that the packets' TTL will be set from
328184d1 752 <filename>/proc/sys/net/ipv4/ip_default_ttl</filename>.</para>
6598e046
SS
753 </listitem>
754 </varlistentry>
755 <varlistentry>
756 <term><varname>UDPChecksum=</varname></term>
757 <listitem>
9b6ffef3 758 <para>Takes a boolean. When true, specifies if UDP checksum is calculated for transmitted packets over IPv4.</para>
6598e046
SS
759 </listitem>
760 </varlistentry>
761 <varlistentry>
762 <term><varname>UDP6ZeroChecksumTx=</varname></term>
763 <listitem>
9b6ffef3 764 <para>Takes a boolean. When true, skip UDP checksum calculation for transmitted packets over IPv6.</para>
6598e046
SS
765 </listitem>
766 </varlistentry>
767 <varlistentry>
768 <term><varname>UDP6ZeroChecksumRx=</varname></term>
769 <listitem>
9b6ffef3 770 <para>Takes a boolean. When true, allows incoming UDP packets over IPv6 with zero checksum field.</para>
6598e046
SS
771 </listitem>
772 </varlistentry>
488d0ba1
YW
773 <varlistentry>
774 <term><varname>DestinationPort=</varname></term>
775 <listitem>
776 <para>Specifies destination port. Defaults to 6081. If not set or assigned the empty string, the default
777 port of 6081 is used.</para>
778 </listitem>
779 </varlistentry>
780 <varlistentry>
781 <term><varname>FlowLabel=</varname></term>
6598e046
SS
782 <listitem>
783 <para>Specifies the flow label to use in outgoing packets.</para>
784 </listitem>
488d0ba1
YW
785 </varlistentry>
786 <varlistentry>
787 <term><varname>IPDoNotFragment=</varname></term>
aac35019
SS
788 <listitem>
789 <para>Accepts the same key in <literal>[VXLAN]</literal> section.</para>
790 </listitem>
488d0ba1 791 </varlistentry>
6598e046
SS
792 </variablelist>
793 </refsect1>
488d0ba1 794
3a56e697
SS
795 <refsect1>
796 <title>[L2TP] Section Options</title>
488d0ba1 797
3a56e697
SS
798 <para>The <literal>[L2TP]</literal> section only applies for
799 netdevs of kind <literal>l2tp</literal>, and accepts the
800 following keys:</para>
801
802 <variablelist class='network-directives'>
803 <varlistentry>
804 <term><varname>TunnelId=</varname></term>
805 <listitem>
806 <para>Specifies the tunnel id. The value used must match the <literal>PeerTunnelId=</literal> value being used at the peer.
807 Takes a number between 1 and 4294967295. This option is compulsory.</para>
808 </listitem>
809 </varlistentry>
810 <varlistentry>
811 <term><varname>PeerTunnelId=</varname></term>
812 <listitem>
813 <para>Specifies the peer tunnel id. The value used must match the <literal>PeerTunnelId=</literal> value being used at the peer.
814 Takes a number between 1 and 4294967295. This option is compulsory.</para>
815 </listitem>
816 </varlistentry>
817 <varlistentry>
818 <term><varname>Remote=</varname></term>
819 <listitem>
820 <para>Specifies the IP address of the remote peer. This option is compulsory.</para>
821 </listitem>
822 </varlistentry>
823 <varlistentry>
824 <term><varname>Local=</varname></term>
825 <listitem>
d053d08a
YW
826 <para>Specifies the IP address of the local interface. Takes an IP address, or the special values
827 <literal>auto</literal>, <literal>static</literal>, or <literal>dynamic</literal>. When an address
828 is set, then the local interface must have the address. If <literal>auto</literal>, then one of the
829 addresses on the local interface is used. Similarly, if <literal>static</literal> or
830 <literal>dynamic</literal> is set, then one of the static or dynamic addresses on the local
831 interface is used. Defaults to <literal>auto</literal>.</para>
3a56e697
SS
832 </listitem>
833 </varlistentry>
834 <varlistentry>
835 <term><varname>EncapsulationType=</varname></term>
836 <listitem>
837 <para>Specifies the encapsulation type of the tunnel. Takes one of <literal>udp</literal> or <literal>ip</literal>.</para>
838 </listitem>
839 </varlistentry>
840 <varlistentry>
841 <term><varname>UDPSourcePort=</varname></term>
842 <listitem>
843 <para>Specifies the UDP source port to be used for the tunnel. When UDP encapsulation is selected it's mandatory. Ignored when ip
844 encapsulation is selected.</para>
845 </listitem>
846 </varlistentry>
847 <varlistentry>
848 <term><varname>DestinationPort=</varname></term>
849 <listitem>
850 <para>Specifies destination port. When UDP encapsulation is selected it's mandatory. Ignored when ip
851 encapsulation is selected.</para>
852 </listitem>
853 </varlistentry>
854 <varlistentry>
855 <term><varname>UDPChecksum=</varname></term>
856 <listitem>
857 <para>Takes a boolean. When true, specifies if UDP checksum is calculated for transmitted packets over IPv4.</para>
858 </listitem>
859 </varlistentry>
860 <varlistentry>
861 <term><varname>UDP6ZeroChecksumTx=</varname></term>
862 <listitem>
863 <para>Takes a boolean. When true, skip UDP checksum calculation for transmitted packets over IPv6.</para>
864 </listitem>
865 </varlistentry>
866 <varlistentry>
867 <term><varname>UDP6ZeroChecksumRx=</varname></term>
868 <listitem>
869 <para>Takes a boolean. When true, allows incoming UDP packets over IPv6 with zero checksum field.</para>
870 </listitem>
871 </varlistentry>
872 </variablelist>
873 </refsect1>
488d0ba1 874
3a56e697
SS
875 <refsect1>
876 <title>[L2TPSession] Section Options</title>
488d0ba1 877
3a56e697
SS
878 <para>The <literal>[L2TPSession]</literal> section only applies for
879 netdevs of kind <literal>l2tp</literal>, and accepts the
880 following keys:</para>
881 <variablelist class='network-directives'>
882 <varlistentry>
883 <term><varname>Name=</varname></term>
884 <listitem>
5238e957 885 <para>Specifies the name of the session. This option is compulsory.</para>
3a56e697
SS
886 </listitem>
887 </varlistentry>
888 <varlistentry>
889 <term><varname>SessionId=</varname></term>
890 <listitem>
5238e957 891 <para>Specifies the session id. The value used must match the <literal>SessionId=</literal> value being used at the peer.
3a56e697
SS
892 Takes a number between 1 and 4294967295. This option is compulsory.</para>
893 </listitem>
894 </varlistentry>
895 <varlistentry>
896 <term><varname>PeerSessionId=</varname></term>
897 <listitem>
898 <para>Specifies the peer session id. The value used must match the <literal>PeerSessionId=</literal> value being used at the peer.
899 Takes a number between 1 and 4294967295. This option is compulsory.</para>
900 </listitem>
901 </varlistentry>
902 <varlistentry>
903 <term><varname>Layer2SpecificHeader=</varname></term>
904 <listitem>
905 <para>Specifies layer2specific header type of the session. One of <literal>none</literal> or <literal>default</literal>. Defaults to <literal>default</literal>.</para>
906 </listitem>
907 </varlistentry>
908 </variablelist>
909 </refsect1>
488d0ba1 910
81962db7
SS
911 <refsect1>
912 <title>[MACsec] Section Options</title>
488d0ba1 913
81962db7
SS
914 <para>The <literal>[MACsec]</literal> section only applies for network devices of kind
915 <literal>macsec</literal>, and accepts the following keys:</para>
916
917 <variablelist class='network-directives'>
918 <varlistentry>
919 <term><varname>Port=</varname></term>
920 <listitem>
921 <para>Specifies the port to be used for the MACsec transmit channel. The port is used to make
922 the secure channel identifier (SCI). Takes a value between 1 and 65535. Defaults to unset.
923 </para>
924 </listitem>
925 </varlistentry>
926 <varlistentry>
927 <term><varname>Encrypt=</varname></term>
928 <listitem>
929 <para>Takes a boolean. When true, enable encryption. Defaults to unset.</para>
930 </listitem>
931 </varlistentry>
932 </variablelist>
933 </refsect1>
488d0ba1 934
81962db7
SS
935 <refsect1>
936 <title>[MACsecReceiveChannel] Section Options</title>
937 <para>The <literal>[MACsecReceiveChannel]</literal> section only applies for network devices of
938 kind <literal>macsec</literal>, and accepts the following keys:</para>
939
940 <variablelist class='network-directives'>
941 <varlistentry>
942 <term><varname>Port=</varname></term>
943 <listitem>
944 <para>Specifies the port to be used for the MACsec receive channel. The port is used to make
945 the secure channel identifier (SCI). Takes a value between 1 and 65535. This option is
946 compulsory, and is not set by default.</para>
947 </listitem>
948 </varlistentry>
949 <varlistentry>
950 <term><varname>MACAddress=</varname></term>
951 <listitem>
952 <para>Specifies the MAC address to be used for the MACsec receive channel. The MAC address is
953 used to make the secure channel identifier (SCI). This option is compulsory, and is not set by
954 default.</para>
955 </listitem>
956 </varlistentry>
957 </variablelist>
958 </refsect1>
488d0ba1 959
81962db7
SS
960 <refsect1>
961 <title>[MACsecTransmitAssociation] Section Options</title>
488d0ba1 962
81962db7
SS
963 <para>The <literal>[MACsecTransmitAssociation]</literal> section only applies for network devices
964 of kind <literal>macsec</literal>, and accepts the following keys:</para>
965
966 <variablelist class='network-directives'>
967 <varlistentry>
968 <term><varname>PacketNumber=</varname></term>
969 <listitem>
970 <para>Specifies the packet number to be used for replay protection and the construction of
971 the initialization vector (along with the secure channel identifier [SCI]). Takes a value
972 between 1-4,294,967,295. Defaults to unset.
973 </para>
974 </listitem>
975 </varlistentry>
976 <varlistentry>
977 <term><varname>KeyId=</varname></term>
978 <listitem>
979 <para>Specifies the identification for the key. Takes a number between 0-255. This option
980 is compulsory, and is not set by default.</para>
981 </listitem>
982 </varlistentry>
983 <varlistentry>
984 <term><varname>Key=</varname></term>
985 <listitem>
986 <para>Specifies the encryption key used in the transmission channel. The same key must be
987 configured on the peer’s matching receive channel. This option is compulsory, and is not set
988 by default. Takes a 128-bit key encoded in a hexadecimal string, for example
989 <literal>dffafc8d7b9a43d5b9a3dfbbf6a30c16</literal>.</para>
990 </listitem>
991 </varlistentry>
eb4705fb
YW
992 <varlistentry>
993 <term><varname>KeyFile=</varname></term>
994 <listitem>
995 <para>Takes an absolute path to a file which contains a 128-bit key encoded in a hexadecimal
996 string, which will be used in the transmission channel. When this option is specified,
997 <varname>Key=</varname> is ignored. Note that the file must be readable by the user
998 <literal>systemd-network</literal>, so it should be, e.g., owned by
999 <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode.</para>
1000 </listitem>
1001 </varlistentry>
a7b9c52f
YW
1002 <varlistentry>
1003 <term><varname>Activate=</varname></term>
1004 <listitem>
1005 <para>Takes a boolean. If enabled, then the security association is activated. Defaults to
1006 unset.</para>
1007 </listitem>
1008 </varlistentry>
b0e13c31
YW
1009 <varlistentry>
1010 <term><varname>UseForEncoding=</varname></term>
1011 <listitem>
1012 <para>Takes a boolean. If enabled, then the security association is used for encoding. Only
1013 one <literal>[MACsecTransmitAssociation]</literal> section can enable this option. When enabled,
1014 <varname>Activate=yes</varname> is implied. Defaults to unset.</para>
1015 </listitem>
1016 </varlistentry>
81962db7
SS
1017 </variablelist>
1018 </refsect1>
488d0ba1 1019
81962db7
SS
1020 <refsect1>
1021 <title>[MACsecReceiveAssociation] Section Options</title>
488d0ba1 1022
81962db7
SS
1023 <para>The <literal>[MACsecReceiveAssociation]</literal> section only applies for
1024 network devices of kind <literal>macsec</literal>, and accepts the
1025 following keys:</para>
1026
1027 <variablelist class='network-directives'>
1028 <varlistentry>
1029 <term><varname>Port=</varname></term>
1030 <listitem>
1031 <para>Accepts the same key in <literal>[MACsecReceiveChannel]</literal> section.</para>
1032 </listitem>
1033 </varlistentry>
1034 <varlistentry>
1035 <term><varname>MACAddress=</varname></term>
1036 <listitem>
1037 <para>Accepts the same key in <literal>[MACsecReceiveChannel]</literal> section.</para>
1038 </listitem>
1039 </varlistentry>
1040 <varlistentry>
1041 <term><varname>PacketNumber=</varname></term>
1042 <listitem>
1043 <para>Accepts the same key in <literal>[MACsecTransmitAssociation]</literal> section.</para>
1044 </listitem>
1045 </varlistentry>
1046 <varlistentry>
1047 <term><varname>KeyId=</varname></term>
1048 <listitem>
1049 <para>Accepts the same key in <literal>[MACsecTransmitAssociation]</literal> section.</para>
1050 </listitem>
1051 </varlistentry>
1052 <varlistentry>
1053 <term><varname>Key=</varname></term>
1054 <listitem>
1055 <para>Accepts the same key in <literal>[MACsecTransmitAssociation]</literal> section.</para>
1056 </listitem>
1057 </varlistentry>
eb4705fb
YW
1058 <varlistentry>
1059 <term><varname>KeyFile=</varname></term>
1060 <listitem>
1061 <para>Accepts the same key in <literal>[MACsecTransmitAssociation]</literal> section.</para>
1062 </listitem>
1063 </varlistentry>
a7b9c52f
YW
1064 <varlistentry>
1065 <term><varname>Activate=</varname></term>
1066 <listitem>
1067 <para>Accepts the same key in <literal>[MACsecTransmitAssociation]</literal> section.</para>
1068 </listitem>
1069 </varlistentry>
81962db7
SS
1070 </variablelist>
1071 </refsect1>
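A lint pass over the MACsec association rules documented above, as an added example (not part of systemd or of this man page): it checks `KeyId=`, `Key=`, `KeyFile=` and the rule that only one transmit association may enable `UseForEncoding=`, plus the permission advice for key files. The sample fragment, key values and function names are constructed for illustration; the accepted boolean spellings come from systemd's parser rather than from this page, and file ownership is not checked.

```python
import os
import re
import stat
import tempfile

# Constructed fragment of a .netdev file ([NetDev] and [MACsec] omitted);
# all key values are made up for this example.
SAMPLE_NETDEV = """\
[MACsecTransmitAssociation]
KeyId=1
Key=00112233445566778899aabbccddeeff
UseForEncoding=yes

[MACsecTransmitAssociation]
KeyId=300
Key=0011223344
UseForEncoding=yes

[MACsecReceiveAssociation]
Port=1
MACAddress=00:11:22:33:44:55
KeyId=1
KeyFile=keys/rx.key
"""

ASSOCIATIONS = {"MACsecTransmitAssociation", "MACsecReceiveAssociation"}
TRUE_VALUES = {"1", "yes", "y", "true", "t", "on"}  # spellings systemd treats as true
HEX128 = re.compile(r"[0-9a-fA-F]{32}")  # 128-bit key as a hexadecimal string


def parse_sections(text):
    """Return [(section, {key: value})]; repeated sections stay separate."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = value.strip()
    return sections


def lint_macsec(text):
    """Check the association sections against the rules in the man page."""
    findings = []
    encoders = 0
    for index, (name, keys) in enumerate(parse_sections(text), 1):
        if name not in ASSOCIATIONS:
            continue
        where = f"section {index} [{name}]"
        key_id = keys.get("KeyId", "")
        if not re.fullmatch(r"[0-9]{1,3}", key_id) or int(key_id) > 255:
            findings.append(f"{where}: KeyId= is compulsory and must be 0-255")
        if "KeyFile" in keys:
            if not os.path.isabs(keys["KeyFile"]):
                findings.append(f"{where}: KeyFile= must be an absolute path")
            if "Key" in keys:
                findings.append(f"{where}: Key= is ignored because KeyFile= is set")
        elif not HEX128.fullmatch(keys.get("Key", "")):
            findings.append(f"{where}: Key= must be 32 hex digits (128 bits)")
        enabled = keys.get("UseForEncoding", "").lower() in TRUE_VALUES
        if name == "MACsecTransmitAssociation" and enabled:
            encoders += 1
    if encoders > 1:
        findings.append("UseForEncoding= is enabled in more than one section")
    return findings


def key_file_findings(path):
    """Check a KeyFile= target: no access for others (e.g. 0640), hex content."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o007:
        findings.append(f"{path}: mode {mode:04o} gives access to other users")
    with open(path) as handle:
        if not HEX128.fullmatch(handle.read().strip()):
            findings.append(f"{path}: content is not a 128-bit hex key")
    return findings


def demo_key_file(mode):
    """Write a constructed key file with the given mode and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "tx.key")
        with open(path, "w") as handle:
            handle.write("00112233445566778899aabbccddeeff\n")
        os.chmod(path, mode)
        return key_file_findings(path)


if __name__ == "__main__":
    for finding in lint_macsec(SAMPLE_NETDEV) + demo_key_file(0o644):
        print(finding)
```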
488d0ba1 1072
798d3a52
ZJS
1073 <refsect1>
1074 <title>[Tunnel] Section Options</title>
1075
1076 <para>The <literal>[Tunnel]</literal> section only applies for
1077 netdevs of kind
1078 <literal>ipip</literal>,
1079 <literal>sit</literal>,
1080 <literal>gre</literal>,
1081 <literal>gretap</literal>,
1082 <literal>ip6gre</literal>,
1083 <literal>ip6gretap</literal>,
5cc0748e 1084 <literal>vti</literal>,
af555aa3
YW
1085 <literal>vti6</literal>,
1086 <literal>ip6tnl</literal>, and
1087 <literal>erspan</literal> and accepts
798d3a52
ZJS
1088 the following keys:</para>
1089
1090 <variablelist class='network-directives'>
1091 <varlistentry>
1092 <term><varname>Local=</varname></term>
1093 <listitem>
8643885f
YW
1094 <para>A static local address for tunneled packets. It must be an address on another interface of
1095 this host, or the special value <literal>any</literal>.</para>
798d3a52
ZJS
1096 </listitem>
1097 </varlistentry>
1098 <varlistentry>
1099 <term><varname>Remote=</varname></term>
1100 <listitem>
8643885f
YW
1101 <para>The remote endpoint of the tunnel. Takes an IP address or the special value
1102 <literal>any</literal>.</para>
798d3a52
ZJS
1103 </listitem>
1104 </varlistentry>
1105 <varlistentry>
1106 <term><varname>TOS=</varname></term>
1107 <listitem>
1108 <para>The Type Of Service byte value for a tunnel interface.
b938cb90 1109 For details about the TOS, see the
798d3a52
ZJS
1110 <ulink url="http://tools.ietf.org/html/rfc1349"> Type of
1111 Service in the Internet Protocol Suite </ulink> document.
1112 </para>
1113 </listitem>
1114 </varlistentry>
1115 <varlistentry>
1116 <term><varname>TTL=</varname></term>
1117 <listitem>
1118 <para>A fixed Time To Live N on tunneled packets. N is a
b938cb90 1119 number in the range 1–255. 0 is a special value meaning that
798d3a52 1120 packets inherit the TTL value. The default value for IPv4
b938cb90 1121 tunnels is: inherit. The default value for IPv6 tunnels is
798d3a52
ZJS
1122 64.</para>
1123 </listitem>
1124 </varlistentry>
1125 <varlistentry>
1126 <term><varname>DiscoverPathMTU=</varname></term>
1127 <listitem>
9b6ffef3 1128 <para>Takes a boolean. When true, enables Path MTU Discovery on
798d3a52
ZJS
1129 the tunnel.</para>
1130 </listitem>
1131 </varlistentry>
276de526
SS
1132 <varlistentry>
1133 <term><varname>IPv6FlowLabel=</varname></term>
1134 <listitem>
a8eaaee7 1135 <para>Configures the 20-bit flow label (see <ulink url="https://tools.ietf.org/html/rfc6437">
276de526 1136 RFC 6437</ulink>) field in the IPv6 header (see <ulink url="https://tools.ietf.org/html/rfc2460">
a8eaaee7
JE
1137 RFC 2460</ulink>), which is used by a node to label packets of a flow.
1138 It is only used for IPv6 tunnels.
1139 A flow label of zero is used to indicate packets that have
1140 not been labeled.
1141 It can be configured to a value in the range 0–0xFFFFF, or be
1142 set to <literal>inherit</literal>, in which case the original flowlabel is used.</para>
276de526
SS
1143 </listitem>
1144 </varlistentry>
9b0ca30a 1145 <varlistentry>
a9b70f9d 1146 <term><varname>CopyDSCP=</varname></term>
9b0ca30a 1147 <listitem>
9b6ffef3 1148 <para>Takes a boolean. When true, the Differentiated Service Code
3cf4bcab 1149 Point (DSCP) field will be copied to the inner header from
a9b70f9d 1150 outer header during the decapsulation of an IPv6 tunnel
3cf4bcab
ZJS
1151 packet. DSCP is a field in an IP packet that enables different
1152 levels of service to be assigned to network traffic.
1153 Defaults to <literal>no</literal>.
9b0ca30a
SS
1154 </para>
1155 </listitem>
1156 </varlistentry>
dae398a8
SS
1157 <varlistentry>
1158 <term><varname>EncapsulationLimit=</varname></term>
1159 <listitem>
1160 <para>The Tunnel Encapsulation Limit option specifies how many additional
1161 levels of encapsulation are permitted to be prepended to the packet.
1162 For example, a Tunnel Encapsulation Limit option containing a limit
1163 value of zero means that a packet carrying that option may not enter
1164 another tunnel before exiting the current tunnel.
1165 (see <ulink url="https://tools.ietf.org/html/rfc2473#section-4.1.1"> RFC 2473</ulink>).
b938cb90 1166 The valid range is 0–255 and <literal>none</literal>. Defaults to 4.
dae398a8
SS
1167 </para>
1168 </listitem>
1169 </varlistentry>
1d710029
SS
1170 <varlistentry>
1171 <term><varname>Key=</varname></term>
1172 <listitem>
1173 <para>The <varname>Key=</varname> parameter specifies the same key to use in
1174 both directions (<varname>InputKey=</varname> and <varname>OutputKey=</varname>).
1175 The <varname>Key=</varname> is either a number or an IPv4 address-like dotted quad.
1176 It is used as mark-configured SAD/SPD entry as part of the lookup key (both in data
1177 and control path) in ip xfrm (framework used to implement IPsec protocol).
1178 See <ulink url="http://man7.org/linux/man-pages/man8/ip-xfrm.8.html">
c65c01c4
YW
1179 ip-xfrm — transform configuration</ulink> for details. It is only used for VTI/VTI6,
1180 GRE, GRETAP, and ERSPAN tunnels.</para>
1d710029
SS
1181 </listitem>
1182 </varlistentry>
1183 <varlistentry>
1184 <term><varname>InputKey=</varname></term>
1185 <listitem>
1186 <para>The <varname>InputKey=</varname> parameter specifies the key to use for input.
c65c01c4
YW
1187 The format is same as <varname>Key=</varname>. It is only used for VTI/VTI6, GRE, GRETAP,
1188 and ERSPAN tunnels.</para>
1d710029
SS
1189 </listitem>
1190 </varlistentry>
1191 <varlistentry>
1192 <term><varname>OutputKey=</varname></term>
1193 <listitem>
1194 <para>The <varname>OutputKey=</varname> parameter specifies the key to use for output.
c65c01c4
YW
1195 The format is same as <varname>Key=</varname>. It is only used for VTI/VTI6, GRE, GRETAP,
1196 and ERSPAN tunnels.</para>
1d710029
SS
1197 </listitem>
1198 </varlistentry>
798d3a52
ZJS
1199 <varlistentry>
1200 <term><varname>Mode=</varname></term>
1201 <listitem>
a8eaaee7 1202 <para>An <literal>ip6tnl</literal> tunnel can be in one of three
798d3a52
ZJS
1203 modes
1204 <literal>ip6ip6</literal> for IPv6 over IPv6,
1205 <literal>ipip6</literal> for IPv4 over IPv6 or
1206 <literal>any</literal> for either.
1207 </para>
1208 </listitem>
1209 </varlistentry>
4d7fa6de
SS
1210 <varlistentry>
1211 <term><varname>Independent=</varname></term>
1212 <listitem>
9b6ffef3 1213 <para>Takes a boolean. When true, the tunnel does not require a .network file and is created as "tunnel@NONE".
4d7fa6de
SS
1214 Defaults to <literal>false</literal>.
1215 </para>
1216 </listitem>
1217 </varlistentry>
8c9c703c
YW
1218 <varlistentry>
1219 <term><varname>AssignToLoopback=</varname></term>
1220 <listitem>
1221 <para>Takes a boolean. If set to <literal>yes</literal>, the loopback interface <literal>lo</literal>
1222 is used as the underlying device of the tunnel interface. Defaults to <literal>no</literal>.</para>
1223 </listitem>
1224 </varlistentry>
3a4f3e42
SS
1225 <varlistentry>
1226 <term><varname>AllowLocalRemote=</varname></term>
1227 <listitem>
9b6ffef3 1228 <para>Takes a boolean. When true, allows tunnel traffic on <varname>ip6tnl</varname> devices where the remote endpoint is a local host address.
025314d9 1229 When unset, the kernel's default will be used.
3a4f3e42
SS
1230 </para>
1231 </listitem>
1232 </varlistentry>
53cb501a
SS
1233 <varlistentry>
1234 <term><varname>FooOverUDP=</varname></term>
1235 <listitem>
9b6ffef3 1236 <para>Takes a boolean. Specifies whether <varname>FooOverUDP=</varname> tunnel is to be configured.
0b145817
YW
1237 Defaults to false. This takes effect only for IPIP, SIT, GRE, and GRETAP tunnels.
1238 For more detailed information, see
53cb501a
SS
1239 <ulink url="https://lwn.net/Articles/614348">Foo over UDP</ulink>.</para>
1240 </listitem>
1241 </varlistentry>
1242 <varlistentry>
1243 <term><varname>FOUDestinationPort=</varname></term>
1244 <listitem>
6f520e74 1245 <para>This setting specifies the UDP destination port for encapsulation.
0b145817 1246 This field is mandatory when <varname>FooOverUDP=yes</varname>, and is not set by default.</para>
53cb501a
SS
1247 </listitem>
1248 </varlistentry>
1249 <varlistentry>
1250 <term><varname>FOUSourcePort=</varname></term>
1251 <listitem>
6f520e74
ZJS
1252 <para>This setting specifies the UDP source port for encapsulation. Defaults to <constant>0</constant>
1253 — that is, the source port for packets is left to the network stack to decide.</para>
53cb501a
SS
1254 </listitem>
1255 </varlistentry>
1256 <varlistentry>
1257 <term><varname>Encapsulation=</varname></term>
1258 <listitem>
0b145817 1259 <para>Accepts the same key as in the <literal>[FooOverUDP]</literal> section.</para>
53cb501a
SS
1260 </listitem>
1261 </varlistentry>
d067cab3
DA
1262 <varlistentry>
1263 <term><varname>IPv6RapidDeploymentPrefix=</varname></term>
1264 <listitem>
1265 <para>Reconfigure the tunnel for <ulink url="https://tools.ietf.org/html/rfc5569">IPv6 Rapid
1266 Deployment</ulink>, also known as 6rd. The value is an ISP-specific IPv6 prefix with a non-zero length. Only
1267 applicable to SIT tunnels.</para>
1268 </listitem>
1269 </varlistentry>
918049ad
SS
1270 <varlistentry>
1271 <term><varname>ISATAP=</varname></term>
1272 <listitem>
1273 <para>Takes a boolean. If set, configures the tunnel as Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel.
1274 Only applicable to SIT tunnels. When unset, the kernel's default will be used.</para>
1275 </listitem>
1276 </varlistentry>
2266864b
SS
1277 <varlistentry>
1278 <term><varname>SerializeTunneledPackets=</varname></term>
1279 <listitem>
c65c01c4
YW
1280 <para>Takes a boolean. If set to yes, then packets are serialized. Only applies for GRE,
1281 GRETAP, and ERSPAN tunnels. When unset, the kernel's default will be used.
2266864b
SS
1282 </para>
1283 </listitem>
1284 </varlistentry>
1285 <varlistentry>
1286 <term><varname>ERSPANIndex=</varname></term>
1287 <listitem>
1288 <para>Specifies the ERSPAN index field for the interface, an integer in the range 1-1048575 associated with
1289 the ERSPAN traffic's source port and direction. This field is mandatory.
1290 </para>
1291 </listitem>
1292 </varlistentry>
798d3a52
ZJS
1293 </variablelist>
1294 </refsect1>
53cb501a
SS
1295
1296 <refsect1>
1297 <title>[FooOverUDP] Section Options</title>
1298
1299 <para>The <literal>[FooOverUDP]</literal> section only applies for
1300 netdevs of kind <literal>fou</literal> and accepts the
1301 following keys:</para>
1302
1303 <variablelist class='network-directives'>
53cb501a
SS
1304 <varlistentry>
1305 <term><varname>Encapsulation=</varname></term>
1306 <listitem>
1307 <para>Specifies the encapsulation mechanism used to store networking packets of various protocols inside the UDP packets. Supports the following values:
1308
1309 <literal>FooOverUDP</literal> provides the simplest no-frills model of UDP encapsulation: it simply encapsulates
1310 packets directly in the UDP payload.
1311 <literal>GenericUDPEncapsulation</literal> is a generic and extensible encapsulation that allows encapsulation of packets for any IP
1312 protocol and optional data as part of the encapsulation.
1313 For more detailed information see <ulink url="https://lwn.net/Articles/615044">Generic UDP Encapsulation</ulink>.
1314 Defaults to <literal>FooOverUDP</literal>.
1315 </para>
1316 </listitem>
1317 </varlistentry>
1318 <varlistentry>
1319 <term><varname>Port=</varname></term>
1320 <listitem>
1321 <para>Specifies the port number where the IP encapsulation packets will arrive. Note that the packets
1322 will arrive with the encapsulation removed. They will then be manually fed back into the network stack and sent ahead
1323 for delivery to the real destination. This option is mandatory.</para>
1324 </listitem>
488d0ba1 1325 </varlistentry>
8f02c9b0
SS
1326 <varlistentry>
1327 <term><varname>PeerPort=</varname></term>
1328 <listitem>
1329 <para>Specifies the peer port number. Defaults to unset. Note that when the peer port is set, the <literal>Peer=</literal> address is mandatory.</para>
1330 </listitem>
488d0ba1 1331 </varlistentry>
0b145817
YW
1332 <varlistentry>
1333 <term><varname>Protocol=</varname></term>
1334 <listitem>
1335 <para>The <varname>Protocol=</varname> specifies the protocol number of the packets arriving
1336 at the UDP port. When <varname>Encapsulation=FooOverUDP</varname>, this field is mandatory
1337 and is not set by default. Takes an IP protocol name such as <literal>gre</literal> or
1338 <literal>ipip</literal>, or an integer within the range 1-255. When
1339 <varname>Encapsulation=GenericUDPEncapsulation</varname>, this must not be specified.</para>
1340 </listitem>
1341 </varlistentry>
4502a61c
SS
1342 <varlistentry>
1343 <term><varname>Peer=</varname></term>
1344 <listitem>
8f02c9b0 1345 <para>Configures the peer IP address. Note that when the peer address is set, <literal>PeerPort=</literal> is mandatory.</para>
4502a61c
SS
1346 </listitem>
1347 </varlistentry>
1348 <varlistentry>
1349 <term><varname>Local=</varname></term>
1350 <listitem>
1351 <para>Configures local IP address.</para>
1352 </listitem>
1353 </varlistentry>
0b145817 1354 </variablelist>
53cb501a 1355 </refsect1>
488d0ba1 1356
798d3a52
ZJS
1357 <refsect1>
1358 <title>[Peer] Section Options</title>
1359
488d0ba1
YW
1360 <para>The <literal>[Peer]</literal> section only applies for
1361 netdevs of kind <literal>veth</literal> and accepts the
1362 following keys:</para>
1363
1364 <variablelist class='network-directives'>
1365 <varlistentry>
1366 <term><varname>Name=</varname></term>
1367 <listitem>
1368 <para>The interface name used when creating the netdev.
1369 This option is compulsory.</para>
1370 </listitem>
1371 </varlistentry>
1372 <varlistentry>
1373 <term><varname>MACAddress=</varname></term>
1374 <listitem>
1375 <para>The peer MAC address. If not set, it is generated in
1376 the same way as the MAC address of the main
1377 interface.</para>
1378 </listitem>
1379 </varlistentry>
1380 </variablelist>
798d3a52 1381 </refsect1>
488d0ba1 1382
d6df583c 1383 <refsect1>
488d0ba1
YW
1384 <title>[VXCAN] Section Options</title>
1385
1386 <para>The <literal>[VXCAN]</literal> section only applies for
1387 netdevs of kind <literal>vxcan</literal> and accepts the
1388 following key:</para>
1389
1390 <variablelist class='network-directives'>
1391 <varlistentry>
1392 <term><varname>Peer=</varname></term>
1393 <listitem>
1394 <para>The peer interface name used when creating the netdev.
1395 This option is compulsory.</para>
1396 </listitem>
1397 </varlistentry>
1398 </variablelist>
d6df583c 1399 </refsect1>
488d0ba1 1400
798d3a52
ZJS
1401 <refsect1>
1402 <title>[Tun] Section Options</title>
1403
1404 <para>The <literal>[Tun]</literal> section only applies for
1405 netdevs of kind <literal>tun</literal>, and accepts the following
1406 keys:</para>
1407
1408 <variablelist class='network-directives'>
798d3a52
ZJS
1409 <varlistentry>
1410 <term><varname>MultiQueue=</varname></term>
9b6ffef3 1411 <listitem><para>Takes a boolean. Configures whether
798d3a52
ZJS
1412 to use multiple file descriptors (queues) to parallelize
1413 packets sending and receiving. Defaults to
1414 <literal>no</literal>.</para>
1415 </listitem>
1416 </varlistentry>
1417 <varlistentry>
1418 <term><varname>PacketInfo=</varname></term>
9b6ffef3 1419 <listitem><para>Takes a boolean. Configures whether
ff9b60f3 1420 packets should be prepended with four extra bytes (two flag
b938cb90 1421 bytes and two protocol bytes). If disabled, it indicates that
798d3a52
ZJS
1422 the packets will be pure IP packets. Defaults to
1423 <literal>no</literal>.</para>
1424 </listitem>
1425 </varlistentry>
43f78da4 1426 <varlistentry>
2aba142e 1427 <term><varname>VNetHeader=</varname></term>
9b6ffef3 1428 <listitem><para>Takes a boolean. Configures
75eed300 1429 IFF_VNET_HDR flag for a tun or tap device. It allows sending
43f78da4
SS
1430 and receiving larger Generic Segmentation Offload (GSO)
1431 packets. This may increase throughput significantly.
1432 Defaults to
1433 <literal>no</literal>.</para>
1434 </listitem>
1435 </varlistentry>
798d3a52
ZJS
1436 <varlistentry>
1437 <term><varname>User=</varname></term>
1438 <listitem><para>User to grant access to the
1439 <filename>/dev/net/tun</filename> device.</para>
1440 </listitem>
1441 </varlistentry>
1442 <varlistentry>
1443 <term><varname>Group=</varname></term>
1444 <listitem><para>Group to grant access to the
1445 <filename>/dev/net/tun</filename> device.</para>
1446 </listitem>
1447 </varlistentry>
798d3a52 1448 </variablelist>
798d3a52
ZJS
1449 </refsect1>
1450
1451 <refsect1>
1452 <title>[Tap] Section Options</title>
1453
1454 <para>The <literal>[Tap]</literal> section only applies for
1455 netdevs of kind <literal>tap</literal>, and accepts the same keys
1456 as the <literal>[Tun]</literal> section.</para>
1457 </refsect1>
1458
e5719363
JT
1459 <refsect1>
1460 <title>[WireGuard] Section Options</title>
1461
1462 <para>The <literal>[WireGuard]</literal> section accepts the following
1463 keys:</para>
1464
1465 <variablelist class='network-directives'>
1466 <varlistentry>
1467 <term><varname>PrivateKey=</varname></term>
1468 <listitem>
1469 <para>The Base64 encoded private key for the interface. It can be
488d0ba1
YW
1470 generated using the <command>wg genkey</command> command
1471 (see <citerefentry project="wireguard"><refentrytitle>wg</refentrytitle><manvolnum>8</manvolnum></citerefentry>).
1472 This option or <varname>PrivateKeyFile=</varname> is mandatory to use WireGuard.
1473 Note that because this information is secret, you may want to set
1474 the permissions of the .netdev file to be owned by <literal>root:systemd-network</literal>
1475 with a <literal>0640</literal> file mode.</para>
e5719363
JT
1476 </listitem>
1477 </varlistentry>
76df7779
YW
1478 <varlistentry>
1479 <term><varname>PrivateKeyFile=</varname></term>
1480 <listitem>
a3945c63 1481 <para>Takes an absolute path to a file which contains the Base64 encoded private key for the interface.
cb31e7c8 1482 When this option is specified, then <varname>PrivateKey=</varname> is ignored.
76df7779
YW
1483 Note that the file must be readable by the user <literal>systemd-network</literal>, so it
1484 should be, e.g., owned by <literal>root:systemd-network</literal> with a
1485 <literal>0640</literal> file mode.</para>
1486 </listitem>
1487 </varlistentry>
e5719363
JT
1488 <varlistentry>
1489 <term><varname>ListenPort=</varname></term>
1490 <listitem>
1491 <para>Sets the UDP port for listening. Takes either a value between 1 and 65535
488d0ba1
YW
1492 or <literal>auto</literal>. If <literal>auto</literal> is specified,
1493 the port is automatically generated based on interface name.
1494 Defaults to <literal>auto</literal>.</para>
e5719363
JT
1495 </listitem>
1496 </varlistentry>
1497 <varlistentry>
1c30b174 1498 <term><varname>FirewallMark=</varname></term>
e5719363 1499 <listitem>
1c30b174 1500 <para>Sets a firewall mark on outgoing WireGuard packets from this interface. Takes a number between 1 and 4294967295.</para>
e5719363
JT
1501 </listitem>
1502 </varlistentry>
1503 </variablelist>
1504 </refsect1>
1505
1506 <refsect1>
1507 <title>[WireGuardPeer] Section Options</title>
1508
1509 <para>The <literal>[WireGuardPeer]</literal> section accepts the following
1510 keys:</para>
1511
1512 <variablelist class='network-directives'>
1513 <varlistentry>
1514 <term><varname>PublicKey=</varname></term>
1515 <listitem>
1516 <para>Sets a Base64 encoded public key calculated by <command>wg pubkey</command>
488d0ba1
YW
1517 (see <citerefentry project="wireguard"><refentrytitle>wg</refentrytitle><manvolnum>8</manvolnum></citerefentry>)
1518 from a private key, and usually transmitted out of band to the
1519 author of the configuration file. This option is mandatory for this
1520 section.</para>
e5719363
JT
1521 </listitem>
1522 </varlistentry>
1523 <varlistentry>
1524 <term><varname>PresharedKey=</varname></term>
1525 <listitem>
1526 <para>Optional preshared key for the interface. It can be generated
488d0ba1
YW
1527 by the <command>wg genpsk</command> command. This option adds an
1528 additional layer of symmetric-key cryptography to be mixed into the
1529 already existing public-key cryptography, for post-quantum
1530 resistance.
1531 Note that because this information is secret, you may want to set
1532 the permissions of the .netdev file to be owned by <literal>root:systemd-network</literal>
1533 with a <literal>0640</literal> file mode.</para>
e5719363
JT
1534 </listitem>
1535 </varlistentry>
a3945c63
YW
1536 <varlistentry>
1537 <term><varname>PresharedKeyFile=</varname></term>
1538 <listitem>
1539 <para>Takes an absolute path to a file which contains the Base64 encoded preshared key for the
1540 peer. When this option is specified, then <varname>PresharedKey=</varname> is ignored.
1541 Note that the file must be readable by the user <literal>systemd-network</literal>, so it
1542 should be, e.g., owned by <literal>root:systemd-network</literal> with a
1543 <literal>0640</literal> file mode.</para>
1544 </listitem>
1545 </varlistentry>
e5719363
JT
1546 <varlistentry>
1547 <term><varname>AllowedIPs=</varname></term>
1548 <listitem>
1549 <para>Sets a comma-separated list of IP (v4 or v6) addresses with CIDR masks
488d0ba1
YW
1550 from which this peer is allowed to send incoming traffic and to
1551 which outgoing traffic for this peer is directed. The catch-all
1552 0.0.0.0/0 may be specified for matching all IPv4 addresses, and
1553 ::/0 may be specified for matching all IPv6 addresses. </para>
e5719363
JT
1554 </listitem>
1555 </varlistentry>
1556 <varlistentry>
1557 <term><varname>Endpoint=</varname></term>
1558 <listitem>
1559 <para>Sets an endpoint IP address or hostname, followed by a colon, and then
488d0ba1
YW
1560 a port number. This endpoint will be updated automatically once to
1561 the most recent source IP address and port of correctly
1562 authenticated packets from the peer at configuration time.</para>
e5719363
JT
1563 </listitem>
1564 </varlistentry>
1565 <varlistentry>
1566 <term><varname>PersistentKeepalive=</varname></term>
1567 <listitem>
1568 <para>Sets an interval in seconds, between 1 and 65535 inclusive, of how often
488d0ba1
YW
1569 to send an authenticated empty packet to the peer for the purpose
1570 of keeping a stateful firewall or NAT mapping valid persistently.
1571 For example, if the interface very rarely sends traffic, but it
1572 might at any time receive traffic from a peer, and it is behind NAT,
1573 the interface might benefit from having a persistent keepalive
1574 interval of 25 seconds. If set to 0 or "off", this option is
1575 disabled. By default or when unspecified, this option is off.
1576 Most users will not need this.</para>
e5719363
JT
1577 </listitem>
1578 </varlistentry>
1579 </variablelist>
1580 </refsect1>
1581
798d3a52
ZJS
1582 <refsect1>
1583 <title>[Bond] Section Options</title>
1584
1585 <para>The <literal>[Bond]</literal> section accepts the following
1586 key:</para>
1587
1588 <variablelist class='network-directives'>
1589 <varlistentry>
1590 <term><varname>Mode=</varname></term>
1591 <listitem>
1592 <para>Specifies one of the bonding policies. The default is
1593 <literal>balance-rr</literal> (round robin). Possible values are
1594 <literal>balance-rr</literal>,
1595 <literal>active-backup</literal>,
1596 <literal>balance-xor</literal>,
1597 <literal>broadcast</literal>,
1598 <literal>802.3ad</literal>,
1599 <literal>balance-tlb</literal>, and
1600 <literal>balance-alb</literal>.
1601 </para>
1602 </listitem>
1603 </varlistentry>
1604
1605 <varlistentry>
1606 <term><varname>TransmitHashPolicy=</varname></term>
1607 <listitem>
1608 <para>Selects the transmit hash policy to use for slave
1609 selection in balance-xor, 802.3ad, and tlb modes. Possible
1610 values are
1611 <literal>layer2</literal>,
1612 <literal>layer3+4</literal>,
1613 <literal>layer2+3</literal>,
4d89618a 1614 <literal>encap2+3</literal>, and
798d3a52
ZJS
1615 <literal>encap3+4</literal>.
1616 </para>
1617 </listitem>
1618 </varlistentry>
1619
1620 <varlistentry>
1621 <term><varname>LACPTransmitRate=</varname></term>
1622 <listitem>
1623 <para>Specifies the rate with which link partner transmits
1624 Link Aggregation Control Protocol Data Unit packets in
1625 802.3ad mode. Possible values are <literal>slow</literal>,
1626 which requests partner to transmit LACPDUs every 30 seconds,
1627 and <literal>fast</literal>, which requests partner to
1628 transmit LACPDUs every second. The default value is
1629 <literal>slow</literal>.</para>
1630 </listitem>
1631 </varlistentry>
1632
1633 <varlistentry>
1634 <term><varname>MIIMonitorSec=</varname></term>
1635 <listitem>
1636 <para>Specifies the frequency that Media Independent
1637 Interface link monitoring will occur. A value of zero
dd2b607b 1638 disables MII link monitoring. This value is rounded down to
798d3a52
ZJS
1639 the nearest millisecond. The default value is 0.</para>
1640 </listitem>
1641 </varlistentry>
1642
1643 <varlistentry>
1644 <term><varname>UpDelaySec=</varname></term>
1645 <listitem>
1646 <para>Specifies the delay before a link is enabled after a
1647 link up status has been detected. This value is rounded down
1648 to a multiple of MIIMonitorSec. The default value is
1649 0.</para>
1650 </listitem>
1651 </varlistentry>
1652
1653 <varlistentry>
1654 <term><varname>DownDelaySec=</varname></term>
1655 <listitem>
1656 <para>Specifies the delay before a link is disabled after a
1657 link down status has been detected. This value is rounded
1658 down to a multiple of MIIMonitorSec. The default value is
1659 0.</para>
1660 </listitem>
1661 </varlistentry>
1662
81bd37a8 1663 <varlistentry>
38422da7 1664 <term><varname>LearnPacketIntervalSec=</varname></term>
81bd37a8
SS
1665 <listitem>
1666 <para>Specifies the number of seconds between instances where the bonding
a8eaaee7
JE
1667 driver sends learning packets to each slave peer switch.
1668 The valid range is 1–0x7fffffff; the default value is 1. This option
1669 has an effect only for the balance-tlb and balance-alb modes.</para>
81bd37a8
SS
1670 </listitem>
1671 </varlistentry>
1672
1673 <varlistentry>
1674 <term><varname>AdSelect=</varname></term>
1675 <listitem>
1676 <para>Specifies the 802.3ad aggregation selection logic to use. Possible values are
1677 <literal>stable</literal>,
a8eaaee7
JE
1678 <literal>bandwidth</literal> and
1679 <literal>count</literal>.
81bd37a8
SS
1680 </para>
1681 </listitem>
1682 </varlistentry>
1683
99f68ef0 1684 <varlistentry>
db688b7e 1685 <term><varname>AdActorSystemPriority=</varname></term>
99f68ef0 1686 <listitem>
db688b7e 1687 <para>Specifies the 802.3ad actor system priority. The valid range is 1–65535.</para>
99f68ef0
TJ
1688 </listitem>
1689 </varlistentry>
1690
1691 <varlistentry>
1692 <term><varname>AdUserPortKey=</varname></term>
1693 <listitem>
1694 <para>Specifies the 802.3ad user defined portion of the port key. The valid range is 0–1023.</para>
1695 </listitem>
1696 </varlistentry>
1697
1698 <varlistentry>
1699 <term><varname>AdActorSystem=</varname></term>
1700 <listitem>
1701 <para>Specifies the 802.3ad system MAC address. This cannot be either NULL or multicast.</para>
1702 </listitem>
1703 </varlistentry>
1704
81bd37a8 1705 <varlistentry>
38422da7 1706 <term><varname>FailOverMACPolicy=</varname></term>
81bd37a8 1707 <listitem>
a8eaaee7
JE
1708 <para>Specifies whether the active-backup mode should set all slaves to
1709 the same MAC address at the time of enslavement or, when enabled, to perform special handling of the
81bd37a8
SS
1710 bond's MAC address in accordance with the selected policy. The default policy is none.
1711 Possible values are
1712 <literal>none</literal>,
a8eaaee7
JE
1713 <literal>active</literal> and
1714 <literal>follow</literal>.
81bd37a8
SS
1715 </para>
1716 </listitem>
1717 </varlistentry>
1718
1719 <varlistentry>
38422da7 1720 <term><varname>ARPValidate=</varname></term>
81bd37a8
SS
1721 <listitem>
1722 <para>Specifies whether or not ARP probes and replies should be
38422da7 1723 validated in any mode that supports ARP monitoring, or whether
81bd37a8
SS
1724 non-ARP traffic should be filtered (disregarded) for link
1725 monitoring purposes. Possible values are
1726 <literal>none</literal>,
1727 <literal>active</literal>,
a8eaaee7
JE
1728 <literal>backup</literal> and
1729 <literal>all</literal>.
81bd37a8
SS
1730 </para>
1731 </listitem>
1732 </varlistentry>
1733
1734 <varlistentry>
38422da7 1735 <term><varname>ARPIntervalSec=</varname></term>
81bd37a8
SS
1736 <listitem>
1737 <para>Specifies the ARP link monitoring frequency in milliseconds.
1738 A value of 0 disables ARP monitoring. The default value is 0.
1739 </para>
1740 </listitem>
1741 </varlistentry>
1742
1743 <varlistentry>
38422da7 1744 <term><varname>ARPIPTargets=</varname></term>
81bd37a8
SS
1745 <listitem>
1746 <para>Specifies the IP addresses to use as ARP monitoring peers when
38422da7 1747 ARPIntervalSec is greater than 0. These are the targets of the ARP request
81bd37a8 1748 sent to determine the health of the link to the targets.
a8eaaee7 1749 Specify these values in IPv4 dotted decimal format. At least one IP
81bd37a8
SS
1750 address must be given for ARP monitoring to function. The
1751 maximum number of targets that can be specified is 16. The
1752 default value is no IP addresses.
1753 </para>
1754 </listitem>
1755 </varlistentry>
1756
1757 <varlistentry>
38422da7 1758 <term><varname>ARPAllTargets=</varname></term>
81bd37a8 1759 <listitem>
38422da7 1760 <para>Specifies the quantity of ARPIPTargets that must be reachable
81bd37a8
SS
1761 in order for the ARP monitor to consider a slave as being up.
1762 This option affects only active-backup mode for slaves with
38422da7 1763 ARPValidate enabled. Possible values are
a8eaaee7
JE
1764 <literal>any</literal> and
1765 <literal>all</literal>.
81bd37a8
SS
1766 </para>
1767 </listitem>
1768 </varlistentry>
1769
1770 <varlistentry>
38422da7 1771 <term><varname>PrimaryReselectPolicy=</varname></term>
81bd37a8
SS
1772 <listitem>
1773 <para>Specifies the reselection policy for the primary slave. This
1774 affects how the primary slave is chosen to become the active slave
1775 when failure of the active slave or recovery of the primary slave
1776 occurs. This option is designed to prevent flip-flopping between
1777 the primary slave and other slaves. Possible values are
1778 <literal>always</literal>,
a8eaaee7
JE
1779 <literal>better</literal> and
1780 <literal>failure</literal>.
81bd37a8
SS
1781 </para>
1782 </listitem>
1783 </varlistentry>
1784
1785 <varlistentry>
1786 <term><varname>ResendIGMP=</varname></term>
1787 <listitem>
1788 <para>Specifies the number of IGMP membership reports to be issued after
1789 a failover event. One membership report is issued immediately after
1790 the failover, subsequent packets are sent in each 200ms interval.
b938cb90 1791 The valid range is 0–255. Defaults to 1. A value of 0
81bd37a8
SS
1792 prevents the IGMP membership report from being issued in response
1793 to the failover event.
1794 </para>
1795 </listitem>
1796 </varlistentry>
1797
1798 <varlistentry>
1799 <term><varname>PacketsPerSlave=</varname></term>
1800 <listitem>
b938cb90 1801 <para>Specifies the number of packets to transmit through a slave before
488d0ba1
YW
1802 moving to the next one. When set to 0, then a slave is chosen at
1803 random. The valid range is 0–65535. Defaults to 1. This option
1804 only has effect when in balance-rr mode.
81bd37a8
SS
1805 </para>
1806 </listitem>
1807 </varlistentry>
1808
1809 <varlistentry>
38422da7 1810 <term><varname>GratuitousARP=</varname></term>
81bd37a8
SS
1811 <listitem>
1812 <para>Specifies the number of peer notifications (gratuitous ARPs and
488d0ba1
YW
1813 unsolicited IPv6 Neighbor Advertisements) to be issued after a
1814 failover event. As soon as the link is up on the new slave,
1815 a peer notification is sent on the bonding device and each
1816 VLAN sub-device. This is repeated at each link monitor interval
1817 (ARPIntervalSec or MIIMonitorSec, whichever is active) if the number is
1818 greater than 1. The valid range is 0–255. The default value is 1.
1819 This option affects only the active-backup mode.
81bd37a8
SS
1820 </para>
1821 </listitem>
1822 </varlistentry>
1823
1824 <varlistentry>
1825 <term><varname>AllSlavesActive=</varname></term>
1826 <listitem>
9b6ffef3 1827 <para>Takes a boolean. Specifies that duplicate frames (received on inactive ports)
a8eaaee7 1828 should be dropped when false, or delivered when true. Normally, bonding will drop
81bd37a8
SS
1829 duplicate frames (received on inactive ports), which is desirable for
1830 most users. Sometimes, however, it is useful to allow duplicate
1831 frames to be delivered. The default value is false (drop duplicate frames
1832 received on inactive ports).
1833 </para>
1834 </listitem>
1835 </varlistentry>
1836
fde60a42
SS
1837 <varlistentry>
1838 <term><varname>DynamicTransmitLoadBalancing=</varname></term>
1839 <listitem>
1840 <para>Takes a boolean. Specifies if dynamic shuffling of flows is enabled. Applies only
1841 for balance-tlb mode. Defaults to unset.
1842 </para>
1843 </listitem>
1844 </varlistentry>
1845
81bd37a8
SS
1846 <varlistentry>
1847 <term><varname>MinLinks=</varname></term>
1848 <listitem>
1849 <para>Specifies the minimum number of links that must be active before
1850 asserting carrier. The default value is 0.
1851 </para>
1852 </listitem>
1853 </varlistentry>
798d3a52 1854 </variablelist>
81bd37a8
SS
1855
1856 <para>For more detailed information, see
1857 <ulink url="https://www.kernel.org/doc/Documentation/networking/bonding.txt">
1858 Linux Ethernet Bonding Driver HOWTO</ulink></para>
b8d88b26 1859 </refsect1>
81bd37a8 1860
98d20a17 1861 <refsect1>
1862 <title>[Xfrm] Section Options</title>
1863
1864 <para>The <literal>[Xfrm]</literal> section accepts the following
1865 keys:</para>
1866
1867 <variablelist class='network-directives'>
1868 <varlistentry>
1869 <term><varname>InterfaceId=</varname></term>
1870 <listitem>
1871 <para>Sets the ID/key of the xfrm interface which needs to be associated with a SA/policy.
1872 Can be decimal or hexadecimal, valid range is 0-0xffffffff, defaults to 0.</para>
1873 </listitem>
1874 </varlistentry>
1875 <varlistentry>
1876 <term><varname>Independent=</varname></term>
1877 <listitem>
1878 <para>Takes a boolean. If set to <literal>no</literal>, the xfrm interface should have an
1879 underlying device which can be used for hardware offloading. Defaults to <literal>no</literal>.
1880 See <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1881 for how to configure the underlying device.</para>
1882 </listitem>
1883 </varlistentry>
1884 </variablelist>
1885
1886 <para>For more detailed information, see
1887 <ulink url="https://lwn.net/Articles/757391">
1888 Virtual xfrm interfaces</ulink></para>
1889 </refsect1>
1890
b8d88b26
FP
1891 <refsect1>
1892 <title>[VRF] Section Options</title>
1893 <para>The <literal>[VRF]</literal> section only applies for
1894 netdevs of kind <literal>vrf</literal> and accepts the
1895 following key:</para>
1896
1897 <variablelist class='network-directives'>
1898 <varlistentry>
1899 <term><varname>Table=</varname></term>
1900 <listitem>
1901 <para>The numeric routing table identifier. This option is compulsory.</para>
1902 </listitem>
1903 </varlistentry>
1904 </variablelist>
798d3a52
ZJS
1905 </refsect1>
1906
1907 <refsect1>
48847676 1908 <title>Examples</title>
798d3a52 1909 <example>
6c1695be 1910 <title>/etc/systemd/network/25-bridge.netdev</title>
798d3a52
ZJS
1911
1912 <programlisting>[NetDev]
eac684ef
TG
1913Name=bridge0
1914Kind=bridge</programlisting>
798d3a52 1915 </example>
eac684ef 1916
798d3a52 1917 <example>
6c1695be 1918 <title>/etc/systemd/network/25-vlan1.netdev</title>
eac684ef 1919
798d3a52 1920 <programlisting>[Match]
eac684ef
TG
1921Virtualization=no
1922
1923[NetDev]
1924Name=vlan1
1925Kind=vlan
1926
1927[VLAN]
1928Id=1</programlisting>
798d3a52
ZJS
1929 </example>
1930 <example>
6c1695be 1931 <title>/etc/systemd/network/25-ipip.netdev</title>
798d3a52 1932 <programlisting>[NetDev]
b35a2909
TG
1933Name=ipip-tun
1934Kind=ipip
1935MTUBytes=1480
1936
1937[Tunnel]
1938Local=192.168.223.238
1939Remote=192.169.224.239
1940TTL=64</programlisting>
798d3a52 1941 </example>
53cb501a
SS
1942 <example>
1943 <title>/etc/systemd/network/1-fou-tunnel.netdev</title>
1944 <programlisting>[NetDev]
1945Name=fou-tun
1946Kind=fou
1947
1948[FooOverUDP]
1949Port=5555
1950Protocol=4
1951 </programlisting>
1952 </example>
1953 <example>
1954 <title>/etc/systemd/network/25-fou-ipip.netdev</title>
1955 <programlisting>[NetDev]
53cb501a
SS
1956Name=ipip-tun
1957Kind=ipip
1958
1959[Tunnel]
964c4eda 1960Independent=yes
53cb501a
SS
1961Local=10.65.208.212
1962Remote=10.65.208.211
964c4eda 1963FooOverUDP=yes
53cb501a
SS
1964FOUDestinationPort=5555
1965 </programlisting>
1966 </example>
798d3a52 1967 <example>
6c1695be 1968 <title>/etc/systemd/network/25-tap.netdev</title>
798d3a52 1969 <programlisting>[NetDev]
30ae9dfd
SS
1970Name=tap-test
1971Kind=tap
1972
1973[Tap]
964c4eda
LP
1974MultiQueue=yes
1975PacketInfo=yes</programlisting> </example>
eac684ef 1976
798d3a52 1977 <example>
6c1695be 1978 <title>/etc/systemd/network/25-sit.netdev</title>
798d3a52 1979 <programlisting>[NetDev]
b35a2909
TG
1980Name=sit-tun
1981Kind=sit
1982MTUBytes=1480
1983
1984[Tunnel]
1985Local=10.65.223.238
1986Remote=10.65.223.239</programlisting>
798d3a52 1987 </example>
eac684ef 1988
d067cab3
DA
1989 <example>
1990 <title>/etc/systemd/network/25-6rd.netdev</title>
1991 <programlisting>[NetDev]
1992Name=6rd-tun
1993Kind=sit
1994MTUBytes=1480
1995
1996[Tunnel]
1997Local=10.65.223.238
1998IPv6RapidDeploymentPrefix=2602::/24</programlisting>
1999 </example>
2000
798d3a52 2001 <example>
6c1695be 2002 <title>/etc/systemd/network/25-gre.netdev</title>
798d3a52 2003 <programlisting>[NetDev]
b35a2909
TG
2004Name=gre-tun
2005Kind=gre
2006MTUBytes=1480
2007
2008[Tunnel]
2009Local=10.65.223.238
2010Remote=10.65.223.239</programlisting>
798d3a52 2011 </example>
b35a2909 2012
798d3a52 2013 <example>
6c1695be 2014 <title>/etc/systemd/network/25-vti.netdev</title>
b35a2909 2015
798d3a52 2016 <programlisting>[NetDev]
b35a2909
TG
2017Name=vti-tun
2018Kind=vti
2019MTUBytes=1480
2020
2021[Tunnel]
2022Local=10.65.223.238
2023Remote=10.65.223.239</programlisting>
798d3a52 2024 </example>
b35a2909 2025
798d3a52 2026 <example>
6c1695be 2027 <title>/etc/systemd/network/25-veth.netdev</title>
798d3a52 2028 <programlisting>[NetDev]
b35a2909
TG
2029Name=veth-test
2030Kind=veth
2031
2032[Peer]
2033Name=veth-peer</programlisting>
798d3a52 2034 </example>
b35a2909 2035
d94facdc 2036 <example>
6c1695be 2037 <title>/etc/systemd/network/25-bond.netdev</title>
d94facdc
MH
2038 <programlisting>[NetDev]
2039Name=bond1
2040Kind=bond
2041
2042[Bond]
2043Mode=802.3ad
2044TransmitHashPolicy=layer3+4
2045MIIMonitorSec=1s
2046LACPTransmitRate=fast
2047</programlisting>
2048 </example>
2049
798d3a52 2050 <example>
6c1695be 2051 <title>/etc/systemd/network/25-dummy.netdev</title>
798d3a52 2052 <programlisting>[NetDev]
9e358851
TG
2053Name=dummy-test
2054Kind=dummy
2055MACAddress=12:34:56:78:9a:bc</programlisting>
798d3a52 2056 </example>
20897a0d
AR
2057 <example>
2058 <title>/etc/systemd/network/25-vrf.netdev</title>
037a3ded 2059 <para>Create a VRF interface with table 42.</para>
20897a0d
AR
2060 <programlisting>[NetDev]
2061Name=vrf-test
2062Kind=vrf
798d3a52 2063
20897a0d 2064[VRF]
362f6336 2065Table=42</programlisting>
20897a0d 2066 </example>
42125eda
SS
2067
2068 <example>
2069 <title>/etc/systemd/network/25-macvtap.netdev</title>
2070 <para>Create a MacVTap device.</para>
2071 <programlisting>[NetDev]
2072Name=macvtap-test
2073Kind=macvtap
2074 </programlisting>
2075 </example>
e5719363
JT
2076 <example>
2077 <title>/etc/systemd/network/25-wireguard.netdev</title>
2078 <programlisting>[NetDev]
2079Name=wg0
2080Kind=wireguard
2081
2082[WireGuard]
2083PrivateKey=EEGlnEPYJV//kbvvIqxKkQwOiS+UENyPncC4bF46ong=
2084ListenPort=51820
2085
2086[WireGuardPeer]
2087PublicKey=RDf+LSpeEre7YEIKaxg+wbpsNV7du+ktR99uBEtIiCA=
2088AllowedIPs=fd31:bf08:57cb::/48,192.168.26.0/24
2089Endpoint=wireguard.example.com:51820</programlisting>
2090 </example>
98d20a17 2091
2092 <example>
2093 <title>/etc/systemd/network/27-xfrm.netdev</title>
2094 <programlisting>[NetDev]
2095Name=xfrm0
2096Kind=xfrm
2097
2098[Xfrm]
2099Independent=yes</programlisting>
2100 </example>
798d3a52 2101 </refsect1>
488d0ba1 2102
798d3a52
ZJS
2103 <refsect1>
2104 <title>See Also</title>
2105 <para>
2106 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
2107 <citerefentry><refentrytitle>systemd-networkd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
2108 <citerefentry><refentrytitle>systemd.link</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
2109 <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
2110 </para>
2111 </refsect1>
eac684ef
TG
2112
2113</refentry>
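
The [WireGuard] and [WireGuardPeer] sections above ask that any file holding PrivateKey=, PresharedKey= or the targets of PrivateKeyFile= and PresharedKeyFile= be owned by root:systemd-network with mode 0640. The following audit is an added example, not part of the man page or of systemd. The function names, the placeholder key strings and the temporary sample files are constructed for illustration.

```python
import grp
import os
import stat
import tempfile

INLINE_SECRETS = {"PrivateKey", "PresharedKey"}
SECRET_FILES = {"PrivateKeyFile", "PresharedKeyFile"}


def parse_netdev(text):
    """Return (section, key, value) triples. Repeated sections such as
    [WireGuardPeer] are kept, which configparser would reject."""
    section, out = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line:
            key, _, value = line.partition("=")
            out.append((section, key.strip(), value.strip()))
    return out


def perm_findings(path, uid, gid, max_mode=0o640):
    """Compare one file with the owner, group and mode the man page suggests."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    found = []
    if mode & ~max_mode:
        found.append(f"{path}: mode {mode:04o} grants more than {max_mode:04o}")
    if not mode & stat.S_IRGRP:
        found.append(f"{path}: not group-readable, so systemd-network cannot read it")
    if (st.st_uid, st.st_gid) != (uid, gid):
        found.append(f"{path}: owner {st.st_uid}:{st.st_gid}, expected {uid}:{gid}")
    return found


def audit_netdev(path, uid=0, gid=None):
    """Audit one .netdev file and every key file it references."""
    if gid is None:  # default: the systemd-network group named on the page
        gid = grp.getgrnam("systemd-network").gr_gid
    with open(path, encoding="utf-8") as fh:
        entries = parse_netdev(fh.read())
    wg = [e for e in entries if e[0] in ("WireGuard", "WireGuardPeer")]
    found = []
    if any(key in INLINE_SECRETS and value for _, key, value in wg):
        found += perm_findings(path, uid, gid)  # the .netdev itself holds a secret
    for _, key, value in wg:
        if key not in SECRET_FILES or not value:
            continue
        if not os.path.isabs(value):
            found.append(f"{path}: {key}= needs an absolute path, got {value!r}")
        elif not os.path.isfile(value):
            found.append(f"{path}: {key}= points to a missing file: {value}")
        else:
            found += perm_findings(value, uid, gid)
    return found


def demo():
    """Constructed sample: a 0644 .netdev with an inline key plus a 0640 key file."""
    d = tempfile.mkdtemp()
    psk = os.path.join(d, "peer.psk")
    netdev = os.path.join(d, "25-wireguard.netdev")
    with open(psk, "w") as fh:
        fh.write("CONSTRUCTED-PLACEHOLDER-NOT-A-KEY\n")
    os.chmod(psk, 0o640)
    with open(netdev, "w") as fh:
        fh.write("[NetDev]\nName=wg0\nKind=wireguard\n\n"
                 "[WireGuard]\nPrivateKey=CONSTRUCTED-PLACEHOLDER-NOT-A-KEY\n\n"
                 f"[WireGuardPeer]\nPresharedKeyFile={psk}\n")
    os.chmod(netdev, 0o644)
    st = os.stat(netdev)  # use the sandbox's own ids so only the mode is judged
    return audit_netdev(netdev, uid=st.st_uid, gid=st.st_gid)


if __name__ == "__main__":
    print("\n".join(demo()))
```

On a real host, call audit_netdev() on each .netdev file with the default arguments so that ownership is compared against root and the systemd-network group.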