git.ipfire.org Git - thirdparty/systemd.git/blame - man/systemd.netdev.xml
network: simplify the condition about xfrm
<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1+ -->

<refentry id="systemd.netdev" conditional='ENABLE_NETWORKD'>

  <refentryinfo>
    <title>systemd.netdev</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>systemd.netdev</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>systemd.netdev</refname>
    <refpurpose>Virtual Network Device configuration</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename><replaceable>netdev</replaceable>.netdev</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>Network setup is performed by
    <citerefentry><refentrytitle>systemd-networkd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
    </para>

    <para>The main Virtual Network Device file must have the extension <filename>.netdev</filename>;
    other extensions are ignored. Virtual network devices are created as soon as networkd is
    started. If a netdev with the specified name already exists, networkd will use that as-is rather
    than create its own. Note that the settings of the pre-existing netdev will not be changed by
    networkd.</para>

    <para>The <filename>.netdev</filename> files are read from the system
    network directory <filename>/usr/lib/systemd/network</filename>, the volatile runtime network
    directory <filename>/run/systemd/network</filename> and the local administration network
    directory <filename>/etc/systemd/network</filename>. All configuration files are collectively
    sorted and processed in lexical order, regardless of the directories in which they live.
    However, files with identical filenames replace each other. Files in <filename>/etc</filename>
    have the highest priority, files in <filename>/run</filename> take precedence over files with
    the same name in <filename>/usr/lib</filename>. This can be used to override a system-supplied
    configuration file with a local file if needed. As a special case, an empty file (file size 0)
    or symlink with the same name pointing to <filename>/dev/null</filename> disables the
    configuration file entirely (it is "masked").</para>

    <para>Along with the netdev file <filename>foo.netdev</filename>, a "drop-in" directory
    <filename>foo.netdev.d/</filename> may exist. All files with the suffix <literal>.conf</literal>
    from this directory will be parsed after the file itself is parsed. This is useful to alter or
    add configuration settings, without having to modify the main configuration file. Each drop-in
    file must have appropriate section headers.</para>

    <para>In addition to <filename>/etc/systemd/network</filename>, drop-in <literal>.d</literal>
    directories can be placed in <filename>/usr/lib/systemd/network</filename> or
    <filename>/run/systemd/network</filename> directories. Drop-in files in
    <filename>/etc</filename> take precedence over those in <filename>/run</filename> which in turn
    take precedence over those in <filename>/usr/lib</filename>. Drop-in files under any of these
    directories take precedence over the main netdev file wherever located. (Of course, since
    <filename>/run</filename> is temporary and <filename>/usr/lib</filename> is for vendors, it is
    unlikely drop-ins should be used in either of those places.)</para>
  </refsect1>
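The lookup rules in the Description above decide which file actually configures a device, so an audit has to resolve them before reading any setting. The following is an added example, not code from systemd or from this man page: it reports, for each `.netdev` name, the winning file, whether it is masked, which lower-priority files it shadows, and the effective drop-ins. The function names, the `sysroot` parameter and the sample tree are constructed for illustration, and reporting no drop-ins for a masked file is an assumption drawn from "disables the configuration file entirely".

```python
import os
import shutil
import tempfile

# Search directories from the man page, highest priority first.
ROOTS = ("etc/systemd/network", "run/systemd/network", "usr/lib/systemd/network")


def is_masked(path):
    """An empty file, or a symlink pointing to /dev/null, masks the configuration."""
    if os.path.islink(path) and os.path.realpath(path) == "/dev/null":
        return True
    return os.path.isfile(path) and os.path.getsize(path) == 0


def effective_netdevs(sysroot="/"):
    """Resolve .netdev files under sysroot; returns a list in lexical (processing) order."""
    winners, shadowed, dropins = {}, {}, {}
    for root in ROOTS:  # the first directory that has a given name wins
        directory = os.path.join(sysroot, root)
        if not os.path.isdir(directory):
            continue
        for entry in os.listdir(directory):
            full = os.path.join(directory, entry)
            if entry.endswith(".netdev") and not os.path.isdir(full):
                if entry in winners:
                    shadowed.setdefault(entry, []).append(full)
                else:
                    winners[entry] = full
            elif entry.endswith(".netdev.d") and os.path.isdir(full):
                # Drop-ins with the same file name replace each other too.
                confs = dropins.setdefault(entry[:-2], {})
                for conf in os.listdir(full):
                    if conf.endswith(".conf"):
                        confs.setdefault(conf, os.path.join(full, conf))
    report = []
    for name in sorted(winners):
        masked = is_masked(winners[name])
        confs = dropins.get(name, {})
        report.append({
            "name": name,
            "path": winners[name],
            "masked": masked,
            "shadowed": shadowed.get(name, []),
            # Assumption: a masked file contributes no drop-ins either.
            "dropins": [] if masked else [confs[c] for c in sorted(confs)],
        })
    return report


def build_sample_tree():
    """Create a constructed sample tree (not from the page) in a fresh temp dir."""
    root = tempfile.mkdtemp(prefix="netdev-demo-")
    files = {
        "usr/lib/systemd/network/10-br0.netdev": "[NetDev]\nName=br0\nKind=bridge\n",
        "usr/lib/systemd/network/10-br0.netdev.d/50-stp.conf": "[Bridge]\nSTP=yes\n",
        "usr/lib/systemd/network/20-wg0.netdev": "[NetDev]\nName=wg0\nKind=wireguard\n",
        "run/systemd/network/10-br0.netdev": "[NetDev]\nName=br0\nKind=bridge\n",
        "etc/systemd/network/10-br0.netdev.d/50-stp.conf": "[Bridge]\nSTP=no\n",
        "etc/systemd/network/20-wg0.netdev": "",  # empty file masks the vendor file
        "etc/systemd/network/30-dummy0.netdev": "[NetDev]\nName=dummy0\nKind=dummy\n",
        "etc/systemd/network/30-dummy0.network": "# wrong extension, ignored here\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write(body)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    try:
        for item in effective_netdevs(demo_root):
            state = "MASKED" if item["masked"] else "active"
            print(f'{item["name"]}: {state} -> {os.path.relpath(item["path"], demo_root)}')
            for path in item["shadowed"]:
                print(f"  shadows  {os.path.relpath(path, demo_root)}")
            for path in item["dropins"]:
                print(f"  drop-in  {os.path.relpath(path, demo_root)}")
    finally:
        shutil.rmtree(demo_root)
```

On a live system, call `effective_netdevs("/")` and review every entry whose `shadowed` list is non-empty or whose `masked` flag is set, since those are the places where local files change vendor-supplied behaviour.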

  <refsect1>
    <title>Supported netdev kinds</title>

    <para>The following kinds of virtual network devices may be
    configured in <filename>.netdev</filename> files:</para>

    <table>
      <title>Supported kinds of virtual network devices</title>

      <tgroup cols='2'>
        <colspec colname='kind' />
        <colspec colname='explanation' />
        <thead><row>
          <entry>Kind</entry>
          <entry>Description</entry>
        </row></thead>
        <tbody>
          <row><entry><varname>bond</varname></entry>
          <entry>A bond device is an aggregation of all its slave devices. See <ulink url="https://www.kernel.org/doc/Documentation/networking/bonding.txt">Linux Ethernet Bonding Driver HOWTO</ulink> for details.</entry></row>

          <row><entry><varname>bridge</varname></entry>
          <entry>A bridge device is a software switch, and each of its slave devices and the bridge itself are ports of the switch.</entry></row>

          <row><entry><varname>dummy</varname></entry>
          <entry>A dummy device drops all packets sent to it.</entry></row>

          <row><entry><varname>gre</varname></entry>
          <entry>A Level 3 GRE tunnel over IPv4. See <ulink url="https://tools.ietf.org/html/rfc2784">RFC 2784</ulink> for details.</entry></row>

          <row><entry><varname>gretap</varname></entry>
          <entry>A Level 2 GRE tunnel over IPv4.</entry></row>

          <row><entry><varname>erspan</varname></entry>
          <entry>ERSPAN mirrors traffic on one or more source ports and delivers the mirrored traffic to one or more destination ports on another switch. The traffic is encapsulated in generic routing encapsulation (GRE) and is therefore routable across a layer 3 network between the source switch and the destination switch.</entry></row>

          <row><entry><varname>ip6gre</varname></entry>
          <entry>A Level 3 GRE tunnel over IPv6.</entry></row>

          <row><entry><varname>ip6tnl</varname></entry>
          <entry>An IPv4 or IPv6 tunnel over IPv6.</entry></row>

          <row><entry><varname>ip6gretap</varname></entry>
          <entry>A Level 2 GRE tunnel over IPv6.</entry></row>

          <row><entry><varname>ipip</varname></entry>
          <entry>An IPv4 over IPv4 tunnel.</entry></row>

          <row><entry><varname>ipvlan</varname></entry>
          <entry>An ipvlan device is a stacked device which receives packets from its underlying device based on IP address filtering.</entry></row>

          <row><entry><varname>ipvtap</varname></entry>
          <entry>An ipvtap device is a stacked device which receives packets from its underlying device based on IP address filtering and can be accessed using the tap user space interface.</entry></row>

          <row><entry><varname>macvlan</varname></entry>
          <entry>A macvlan device is a stacked device which receives packets from its underlying device based on MAC address filtering.</entry></row>

          <row><entry><varname>macvtap</varname></entry>
          <entry>A macvtap device is a stacked device which receives packets from its underlying device based on MAC address filtering.</entry></row>

          <row><entry><varname>sit</varname></entry>
          <entry>An IPv6 over IPv4 tunnel.</entry></row>

          <row><entry><varname>tap</varname></entry>
          <entry>A persistent Level 2 tunnel between a network device and a device node.</entry></row>

          <row><entry><varname>tun</varname></entry>
          <entry>A persistent Level 3 tunnel between a network device and a device node.</entry></row>

          <row><entry><varname>veth</varname></entry>
          <entry>An Ethernet tunnel between a pair of network devices.</entry></row>

          <row><entry><varname>vlan</varname></entry>
          <entry>A VLAN is a stacked device which receives packets from its underlying device based on VLAN tagging. See <ulink url="http://www.ieee802.org/1/pages/802.1Q.html">IEEE 802.1Q</ulink> for details.</entry></row>

          <row><entry><varname>vti</varname></entry>
          <entry>An IPv4 over IPSec tunnel.</entry></row>

          <row><entry><varname>vti6</varname></entry>
          <entry>An IPv6 over IPSec tunnel.</entry></row>

          <row><entry><varname>vxlan</varname></entry>
          <entry>A virtual extensible LAN (vxlan), for connecting Cloud computing deployments.</entry></row>

          <row><entry><varname>geneve</varname></entry>
          <entry>A GEneric NEtwork Virtualization Encapsulation (GENEVE) netdev driver.</entry></row>

          <row><entry><varname>l2tp</varname></entry>
          <entry>A Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It does not provide any encryption or confidentiality by itself.</entry></row>

          <row><entry><varname>macsec</varname></entry>
          <entry>Media Access Control Security (MACsec) is an 802.1AE IEEE industry-standard security technology that provides secure communication for all traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly connected nodes and is capable of identifying and preventing most security threats.</entry></row>

          <row><entry><varname>vrf</varname></entry>
          <entry>A Virtual Routing and Forwarding (<ulink url="https://www.kernel.org/doc/Documentation/networking/vrf.txt">VRF</ulink>) interface to create separate routing and forwarding domains.</entry></row>

          <row><entry><varname>vcan</varname></entry>
          <entry>The virtual CAN driver (vcan). Similar to the network loopback devices, vcan offers a virtual local CAN interface.</entry></row>

          <row><entry><varname>vxcan</varname></entry>
          <entry>The virtual CAN tunnel driver (vxcan). Similar to the virtual ethernet driver veth, vxcan implements a local CAN traffic tunnel between two virtual CAN network devices. When creating a vxcan, two vxcan devices are created as a pair. When one end receives the packet it appears on its pair and vice versa. The vxcan can be used for cross namespace communication.
          </entry></row>

          <row><entry><varname>wireguard</varname></entry>
          <entry>WireGuard Secure Network Tunnel.</entry></row>

          <row><entry><varname>netdevsim</varname></entry>
          <entry>A simulator. This simulated networking device is used for testing various networking APIs and at this time is particularly focused on testing hardware offloading related interfaces.</entry></row>

          <row><entry><varname>nlmon</varname></entry>
          <entry>A Netlink monitor device. Use an nlmon device when you want to monitor system Netlink messages.</entry></row>

          <row><entry><varname>fou</varname></entry>
          <entry>Foo-over-UDP tunneling.</entry></row>

          <row><entry><varname>xfrm</varname></entry>
          <entry>A virtual tunnel interface like vti/vti6 but with several advantages.</entry></row>

        </tbody>
      </tgroup>
    </table>

  </refsect1>

  <refsect1>
    <title>[Match] Section Options</title>

    <para>A virtual network device is only created if the
    <literal>[Match]</literal> section matches the current
    environment, or if the section is empty. The following keys are
    accepted:</para>

    <variablelist class='network-directives'>
      <varlistentry>
        <term><varname>Host=</varname></term>
        <listitem>
          <para>Matches against the hostname or machine ID of the host. See
          <literal>ConditionHost=</literal> in
          <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          for details. When prefixed with an exclamation mark (<literal>!</literal>), the result is negated.
          If an empty string is assigned, the previously assigned value is cleared.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>Virtualization=</varname></term>
        <listitem>
          <para>Checks whether the system is executed in a virtualized environment and optionally tests
          whether it is a specific implementation. See <literal>ConditionVirtualization=</literal> in
          <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          for details. When prefixed with an exclamation mark (<literal>!</literal>), the result is negated.
          If an empty string is assigned, the previously assigned value is cleared.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>KernelCommandLine=</varname></term>
        <listitem>
          <para>Checks whether a specific kernel command line option is set. See
          <literal>ConditionKernelCommandLine=</literal> in
          <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          for details. When prefixed with an exclamation mark (<literal>!</literal>), the result is negated.
          If an empty string is assigned, the previously assigned value is cleared.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>KernelVersion=</varname></term>
        <listitem>
          <para>Checks whether the kernel version (as reported by <command>uname -r</command>) matches a
          certain expression. See <literal>ConditionKernelVersion=</literal> in
          <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          for details. When prefixed with an exclamation mark (<literal>!</literal>), the result is negated.
          If an empty string is assigned, the previously assigned value is cleared.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>Architecture=</varname></term>
        <listitem>
          <para>Checks whether the system is running on a specific architecture. See
          <literal>ConditionArchitecture=</literal> in
          <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          for details. When prefixed with an exclamation mark (<literal>!</literal>), the result is negated.
          If an empty string is assigned, the previously assigned value is cleared.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>[NetDev] Section Options</title>

    <para>The <literal>[NetDev]</literal> section accepts the
    following keys:</para>

    <variablelist class='network-directives'>
      <varlistentry>
        <term><varname>Description=</varname></term>
        <listitem>
          <para>A free-form description of the netdev.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>Name=</varname></term>
        <listitem>
          <para>The interface name used when creating the netdev.
          This option is compulsory.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>Kind=</varname></term>
        <listitem>
          <para>The netdev kind. This option is compulsory. See the
          <literal>Supported netdev kinds</literal> section for the
          valid keys.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>MTUBytes=</varname></term>
        <listitem>
          <para>The maximum transmission unit in bytes to set for the device. The usual suffixes K, M, G
          are supported and are understood to the base of 1024. For <literal>tun</literal> or
          <literal>tap</literal> devices, the <varname>MTUBytes=</varname> setting is not currently supported in
          the <literal>[NetDev]</literal> section. Please specify it in the <literal>[Link]</literal> section of
          the corresponding
          <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          files.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>MACAddress=</varname></term>
        <listitem>
          <para>The MAC address to use for the device. For <literal>tun</literal> or <literal>tap</literal>
          devices, setting <varname>MACAddress=</varname> in the <literal>[NetDev]</literal> section is not
          supported. Please specify it in the <literal>[Link]</literal> section of the corresponding
          <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          file. If this option is not set, <literal>vlan</literal> devices inherit the MAC address of the
          physical interface. For other kinds of netdevs, if this option is not set, the MAC address is
          generated based on the interface name and the
          <citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>[Bridge] Section Options</title>

    <para>The <literal>[Bridge]</literal> section only applies for
    netdevs of kind <literal>bridge</literal>, and accepts the
    following keys:</para>

    <variablelist class='network-directives'>
      <varlistentry>
        <term><varname>HelloTimeSec=</varname></term>
        <listitem>
          <para>HelloTimeSec specifies the number of seconds between two hello packets
          sent out by the root bridge and the designated bridges. Hello packets are
          used to communicate information about the topology throughout the entire
          bridged local area network.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>MaxAgeSec=</varname></term>
        <listitem>
          <para>MaxAgeSec specifies the number of seconds of maximum message age.
          If the last seen (received) hello packet is more than this number of
          seconds old, the bridge in question will start the takeover procedure
          in an attempt to become the Root Bridge itself.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>ForwardDelaySec=</varname></term>
        <listitem>
          <para>ForwardDelaySec specifies the number of seconds spent in each
          of the Listening and Learning states before the Forwarding state is entered.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>AgeingTimeSec=</varname></term>
        <listitem>
          <para>This specifies the number of seconds a MAC Address will be kept in
          the forwarding database after a packet has been received from this MAC Address.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>Priority=</varname></term>
        <listitem>
          <para>The priority of the bridge. An integer between 0 and 65535. A lower value
          means higher priority. The bridge having the lowest priority will be elected as root bridge.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>GroupForwardMask=</varname></term>
        <listitem>
          <para>A 16-bit bitmask represented as an integer which allows forwarding of link
          local frames with 802.1D reserved addresses (01:80:C2:00:00:0X). A logical AND
          is performed between the specified bitmask and 2^X, where X is the
          lower nibble of the last octet of the MAC address. For example, a value of 8
          would allow forwarding of frames addressed to 01:80:C2:00:00:03 (802.1X PAE).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>DefaultPVID=</varname></term>
        <listitem>
          <para>This specifies the default port VLAN ID of a newly attached bridge port.
          Set this to an integer in the range 1–4094 or <literal>none</literal> to disable the PVID.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>MulticastQuerier=</varname></term>
        <listitem>
          <para>Takes a boolean. This setting controls the IFLA_BR_MCAST_QUERIER option in the kernel.
          If enabled, the kernel will send general IGMP queries from a zero source address.
          This feature should allow faster convergence on startup, but it causes some
          multicast-aware switches to misbehave and disrupt forwarding of multicast packets.
          When unset, the kernel's default will be used.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>MulticastSnooping=</varname></term>
        <listitem>
          <para>Takes a boolean. This setting controls the IFLA_BR_MCAST_SNOOPING option in the kernel.
          If enabled, IGMP snooping monitors the Internet Group Management Protocol (IGMP) traffic
          between hosts and multicast routers. When unset, the kernel's default will be used.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>VLANFiltering=</varname></term>
        <listitem>
          <para>Takes a boolean. This setting controls the IFLA_BR_VLAN_FILTERING option in the kernel.
          If enabled, the bridge will be started in VLAN-filtering mode. When unset, the kernel's default will be used.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>STP=</varname></term>
        <listitem>
          <para>Takes a boolean. This enables the bridge's Spanning Tree Protocol (STP).
          When unset, the kernel's default will be used.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
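The `GroupForwardMask=` rule above decides which link-local control frames cross the bridge instead of stopping at it, which matters when reviewing a bridge that sits between trust zones. The following is an added example, not code from systemd or from this man page: it decodes a mask into the reserved addresses it forwards and audits a `.netdev` file for the setting. The function names, the sample file and the protocol labels other than 802.1X PAE (taken from the IEEE reserved-address assignments) are not from the page, and accepting `0x`-prefixed values is an assumption.

```python
import configparser

# 802.1D reserved range from the man page: 01:80:C2:00:00:0X, X = 0..F.
RESERVED_PREFIX = "01:80:C2:00:00:0"

# Labels for well-known reserved addresses. Only 802.1X PAE is named on the
# page; the others are the usual IEEE assignments, added here for readability.
KNOWN = {
    0x0: "STP BPDU",
    0x1: "802.3x PAUSE",
    0x2: "slow protocols (LACP)",
    0x3: "802.1X PAE",
    0xE: "LLDP",
}


def forwarded_addresses(mask):
    """Return the reserved addresses whose bit 2^X is set in the 16-bit mask."""
    if not 0 <= mask <= 0xFFFF:
        raise ValueError("GroupForwardMask is a 16-bit value")
    return [f"{RESERVED_PREFIX}{x:X}" for x in range(16) if mask & (1 << x)]


def is_forwarded(mask, mac):
    """True if a frame addressed to `mac` passes the mask (mask AND 2^X != 0)."""
    mac = mac.upper().replace("-", ":")
    if len(mac) != 17 or not mac.startswith(RESERVED_PREFIX):
        return False  # not in the reserved range the mask applies to
    x = int(mac[-1], 16)  # lower nibble of the last octet
    return bool(mask & (1 << x))


def audit_netdev(text):
    """Return [(address, label), ...] forwarded by a bridge .netdev file.

    Returns None when the file is not a bridge or does not set the key
    (the page does not state a default, so nothing is inferred).
    """
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.optionxform = str  # keys are case-sensitive: keep them as written
    parser.read_string(text)
    if parser.get("NetDev", "Kind", fallback="") != "bridge":
        return None
    raw = parser.get("Bridge", "GroupForwardMask", fallback=None)
    if raw is None:
        return None
    mask = int(raw, 0)  # assumption: decimal or 0x-prefixed hexadecimal
    return [(addr, KNOWN.get(int(addr[-1], 16), "reserved"))
            for addr in forwarded_addresses(mask)]


# Constructed sample file (not from the page): 16392 = 2^3 + 2^14.
SAMPLE = """
[NetDev]
Name=br0
Kind=bridge

[Bridge]
GroupForwardMask=16392
"""

if __name__ == "__main__":
    for address, label in audit_netdev(SAMPLE):
        print(f"forwards {address}  ({label})")
```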

  <refsect1>
    <title>[VLAN] Section Options</title>

    <para>The <literal>[VLAN]</literal> section only applies for
    netdevs of kind <literal>vlan</literal>, and accepts the
    following keys:</para>

    <variablelist class='network-directives'>
      <varlistentry>
        <term><varname>Id=</varname></term>
        <listitem>
          <para>The VLAN ID to use. An integer in the range 0–4094.
          This option is compulsory.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>GVRP=</varname></term>
        <listitem>
          <para>Takes a boolean. The Generic VLAN Registration Protocol (GVRP) is a protocol that
          allows automatic learning of VLANs on a network.
          When unset, the kernel's default will be used.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>MVRP=</varname></term>
        <listitem>
          <para>Takes a boolean. Multiple VLAN Registration Protocol (MVRP), formerly known as GARP VLAN
          Registration Protocol (GVRP), is a standards-based Layer 2 network protocol
          for automatic configuration of VLAN information on switches. It was defined
          in the 802.1ak amendment to 802.1Q-2005. When unset, the kernel's default will be used.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>LooseBinding=</varname></term>
        <listitem>
          <para>Takes a boolean. The VLAN loose binding mode, in which only the operational state is passed
          from the parent to the associated VLANs, but the VLAN device state is not changed.
          When unset, the kernel's default will be used.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>ReorderHeader=</varname></term>
        <listitem>
          <para>Takes a boolean. When the VLAN reorder header is set, VLAN interfaces behave like physical interfaces.
          When unset, the kernel's default will be used.</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>[MACVLAN] Section Options</title>

    <para>The <literal>[MACVLAN]</literal> section only applies for
    netdevs of kind <literal>macvlan</literal>, and accepts the
    following key:</para>

    <variablelist class='network-directives'>
      <varlistentry>
        <term><varname>Mode=</varname></term>
        <listitem>
          <para>The MACVLAN mode to use. The supported options are
          <literal>private</literal>,
          <literal>vepa</literal>,
          <literal>bridge</literal>, and
          <literal>passthru</literal>.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>[MACVTAP] Section Options</title>

    <para>The <literal>[MACVTAP]</literal> section applies for
    netdevs of kind <literal>macvtap</literal> and accepts the
    same key as <literal>[MACVLAN]</literal>.</para>
  </refsect1>

  <refsect1>
    <title>[IPVLAN] Section Options</title>

    <para>The <literal>[IPVLAN]</literal> section only applies for
    netdevs of kind <literal>ipvlan</literal>, and accepts the
    following keys:</para>

    <variablelist class='network-directives'>
      <varlistentry>
        <term><varname>Mode=</varname></term>
        <listitem>
          <para>The IPVLAN mode to use. The supported options are
          <literal>L2</literal>, <literal>L3</literal> and <literal>L3S</literal>.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>Flags=</varname></term>
        <listitem>
          <para>The IPVLAN flags to use. The supported options are
          <literal>bridge</literal>, <literal>private</literal> and <literal>vepa</literal>.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>[IPVTAP] Section Options</title>

    <para>The <literal>[IPVTAP]</literal> section only applies for
    netdevs of kind <literal>ipvtap</literal> and accepts the
    same keys as <literal>[IPVLAN]</literal>.</para>
  </refsect1>

  <refsect1>
    <title>[VXLAN] Section Options</title>

    <para>The <literal>[VXLAN]</literal> section only applies for
    netdevs of kind <literal>vxlan</literal>, and accepts the
    following keys:</para>

    <variablelist class='network-directives'>
      <varlistentry>
        <term><varname>VNI=</varname></term>
        <listitem>
          <para>The VXLAN Network Identifier (or VXLAN Segment ID). Takes a number in the range 1-16777215.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>Remote=</varname></term>
        <listitem>
          <para>Configures the destination IP address.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>Local=</varname></term>
        <listitem>
          <para>Configures the local IP address.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>Group=</varname></term>
        <listitem>
          <para>Configures the VXLAN multicast group IP address. All members of a VXLAN must use the same multicast group address.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>TOS=</varname></term>
        <listitem>
          <para>The Type Of Service byte value for a vxlan interface.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>TTL=</varname></term>
        <listitem>
          <para>A fixed Time To Live N on Virtual eXtensible Local Area Network packets.
          Takes <literal>inherit</literal> or a number in the range 0–255. 0 is a special
          value meaning inherit the inner protocol's TTL value. <literal>inherit</literal>
          means that it will inherit the outer protocol's TTL value.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>MacLearning=</varname></term>
        <listitem>
          <para>Takes a boolean. When true, enables dynamic MAC learning
          to discover remote MAC addresses.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>FDBAgeingSec=</varname></term>
        <listitem>
          <para>The lifetime of a Forwarding Database entry learnt by
          the kernel, in seconds.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>MaximumFDBEntries=</varname></term>
        <listitem>
          <para>Configures the maximum number of FDB entries.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>ReduceARPProxy=</varname></term>
        <listitem>
          <para>Takes a boolean. When true, a bridge-connected VXLAN tunnel
          endpoint answers ARP requests from the local bridge on behalf
          of remote Distributed Overlay Virtual Ethernet
          <ulink url="https://en.wikipedia.org/wiki/Distributed_Overlay_Virtual_Ethernet">
          (DOVE)</ulink> clients. Defaults to false.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>L2MissNotification=</varname></term>
        <listitem>
          <para>Takes a boolean. When true, enables netlink LLADDR miss
          notifications.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>L3MissNotification=</varname></term>
        <listitem>
          <para>Takes a boolean. When true, enables netlink IP address miss
          notifications.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>RouteShortCircuit=</varname></term>
        <listitem>
          <para>Takes a boolean. When true, route short circuiting is turned
          on.</para>
        </listitem>
      </varlistentry>
cffacc74 633 <varlistentry>
53c06862 634 <term><varname>UDPChecksum=</varname></term>
cffacc74 635 <listitem>
9b6ffef3 636 <para>Takes a boolean. When true, transmitting UDP checksums when doing VXLAN/IPv4 is turned on.</para>
cffacc74
SS
637 </listitem>
638 </varlistentry>
639 <varlistentry>
640 <term><varname>UDP6ZeroChecksumTx=</varname></term>
641 <listitem>
9b6ffef3 642 <para>Takes a boolean. When true, sending zero checksums in VXLAN/IPv6 is turned on.</para>
cffacc74
SS
643 </listitem>
644 </varlistentry>
645 <varlistentry>
53c06862 646 <term><varname>UDP6ZeroChecksumRx=</varname></term>
cffacc74 647 <listitem>
9b6ffef3 648 <para>Takes a boolean. When true, receiving zero checksums in VXLAN/IPv6 is turned on.</para>
16441027
SS
649 </listitem>
650 </varlistentry>
651 <varlistentry>
53c06862 652 <term><varname>RemoteChecksumTx=</varname></term>
16441027 653 <listitem>
9b6ffef3 654 <para>Takes a boolean. When true, remote transmit checksum offload of VXLAN is turned on.</para>
16441027
SS
655 </listitem>
656 </varlistentry>
657 <varlistentry>
53c06862 658 <term><varname>RemoteChecksumRx=</varname></term>
16441027 659 <listitem>
9b6ffef3 660 <para>Takes a boolean. When true, remote receive checksum offload in VXLAN is turned on.</para>
cffacc74
SS
661 </listitem>
662 </varlistentry>
488d0ba1
YW
663 <varlistentry>
664 <term><varname>GroupPolicyExtension=</varname></term>
665 <listitem>
666 <para>Takes a boolean. When true, it enables Group Policy VXLAN extension security label mechanism
667 across network peers based on VXLAN. For details about the Group Policy VXLAN, see the
668 <ulink url="https://tools.ietf.org/html/draft-smith-vxlan-group-policy">
669 VXLAN Group Policy </ulink> document. Defaults to false.</para>
670 </listitem>
671 </varlistentry>
672 <varlistentry>
673 <term><varname>GenericProtocolExtension=</varname></term>
674 <listitem>
675 <para>Takes a boolean. When true, Generic Protocol Extension extends the existing VXLAN protocol
676 to provide protocol typing, OAM, and versioning capabilities. For details about the VXLAN GPE
677 Header, see the <ulink url="https://tools.ietf.org/html/draft-ietf-nvo3-vxlan-gpe-07">
678 Generic Protocol Extension for VXLAN </ulink> document. If destination port is not specified and
679 Generic Protocol Extension is set then default port of 4790 is used. Defaults to false.</para>
680 </listitem>
681 </varlistentry>
682 <varlistentry>
683 <term><varname>DestinationPort=</varname></term>
684 <listitem>
685 <para>Configures the default destination UDP port on a per-device basis.
686 If destination port is not specified then Linux kernel default will be used.
687 Set destination port 4789 to get the IANA assigned value. If not set or if the
688 destination port is assigned the empty string the default port of 4789 is used.</para>
689 </listitem>
690 </varlistentry>
691 <varlistentry>
692 <term><varname>PortRange=</varname></term>
ea0288d1
SS
693 <listitem>
694 <para>Configures VXLAN port range. VXLAN chooses the source
695 UDP port based on the flow, so that the receiver is able
696 to load balance based on the outer header flow. It
697 restricts the port range to the normal UDP local
698 ports, and allows overriding via configuration.</para>
699 </listitem>
700 </varlistentry>
488d0ba1
YW
701 <varlistentry>
702 <term><varname>FlowLabel=</varname></term>
d8653945
SS
703 <listitem>
704 <para>Specifies the flow label to use in outgoing packets.
705 The valid range is 0-1048575.
706 </para>
707 </listitem>
488d0ba1 708 </varlistentry>
1189c00a
SS
709 <varlistentry>
710 <term><varname>IPDoNotFragment=</varname></term>
711 <listitem>
712 <para>Allows setting the IPv4 Do not Fragment (DF) bit in outgoing packets, or inheriting its
713 value from the IPv4 inner header. Takes a boolean value, or <literal>inherit</literal>. Set
714 to <literal>inherit</literal> if the encapsulated protocol is IPv6. When unset, the kernel's
715 default will be used.</para>
716 </listitem>
d8653945 717 </varlistentry>
798d3a52
ZJS
718 </variablelist>
719 </refsect1>
488d0ba1 720
6598e046
SS
721 <refsect1>
722 <title>[GENEVE] Section Options</title>
488d0ba1 723
6598e046
SS
724 <para>The <literal>[GENEVE]</literal> section only applies for
725 netdevs of kind <literal>geneve</literal>, and accepts the
726 following keys:</para>
727
728 <variablelist class='network-directives'>
729 <varlistentry>
730 <term><varname>Id=</varname></term>
731 <listitem>
328184d1 732 <para>Specifies the Virtual Network Identifier (VNI) to use. Takes a number in the range 0-16777215. This field is mandatory.</para>
6598e046
SS
733 </listitem>
734 </varlistentry>
735 <varlistentry>
736 <term><varname>Remote=</varname></term>
737 <listitem>
738 <para>Specifies the unicast destination IP address to use in outgoing packets.</para>
739 </listitem>
740 </varlistentry>
741 <varlistentry>
742 <term><varname>TOS=</varname></term>
743 <listitem>
98616735 744 <para>Specifies the TOS value to use in outgoing packets. Takes a number in the range 1-255.</para>
6598e046
SS
745 </listitem>
746 </varlistentry>
747 <varlistentry>
748 <term><varname>TTL=</varname></term>
749 <listitem>
d70c9bbd
SS
750 <para>Accepts the same key as in the <literal>[VXLAN]</literal> section, except that when unset or
751 set to 0, the kernel's default will be used, meaning that the packet TTL will be set from
328184d1 752 <filename>/proc/sys/net/ipv4/ip_default_ttl</filename>.</para>
6598e046
SS
753 </listitem>
754 </varlistentry>
755 <varlistentry>
756 <term><varname>UDPChecksum=</varname></term>
757 <listitem>
9b6ffef3 758 <para>Takes a boolean. When true, specifies if UDP checksum is calculated for transmitted packets over IPv4.</para>
6598e046
SS
759 </listitem>
760 </varlistentry>
761 <varlistentry>
762 <term><varname>UDP6ZeroChecksumTx=</varname></term>
763 <listitem>
9b6ffef3 764 <para>Takes a boolean. When true, skip UDP checksum calculation for transmitted packets over IPv6.</para>
6598e046
SS
765 </listitem>
766 </varlistentry>
767 <varlistentry>
768 <term><varname>UDP6ZeroChecksumRx=</varname></term>
769 <listitem>
9b6ffef3 770 <para>Takes a boolean. When true, allows incoming UDP packets over IPv6 with zero checksum field.</para>
6598e046
SS
771 </listitem>
772 </varlistentry>
488d0ba1
YW
773 <varlistentry>
774 <term><varname>DestinationPort=</varname></term>
775 <listitem>
776 <para>Specifies destination port. Defaults to 6081. If not set or assigned the empty string, the default
777 port of 6081 is used.</para>
778 </listitem>
779 </varlistentry>
780 <varlistentry>
781 <term><varname>FlowLabel=</varname></term>
6598e046
SS
782 <listitem>
783 <para>Specifies the flow label to use in outgoing packets.</para>
784 </listitem>
488d0ba1
YW
785 </varlistentry>
786 <varlistentry>
787 <term><varname>IPDoNotFragment=</varname></term>
aac35019
SS
788 <listitem>
789 <para>Accepts the same key as in the <literal>[VXLAN]</literal> section.</para>
790 </listitem>
488d0ba1 791 </varlistentry>
6598e046
SS
792 </variablelist>
793 </refsect1>
488d0ba1 794
3a56e697
SS
795 <refsect1>
796 <title>[L2TP] Section Options</title>
488d0ba1 797
3a56e697
SS
798 <para>The <literal>[L2TP]</literal> section only applies for
799 netdevs of kind <literal>l2tp</literal>, and accepts the
800 following keys:</para>
801
802 <variablelist class='network-directives'>
803 <varlistentry>
804 <term><varname>TunnelId=</varname></term>
805 <listitem>
806 <para>Specifies the tunnel id. The value used must match the <literal>PeerTunnelId=</literal> value being used at the peer.
807 Takes a number between 1 and 4294967295. This option is compulsory.</para>
808 </listitem>
809 </varlistentry>
810 <varlistentry>
811 <term><varname>PeerTunnelId=</varname></term>
812 <listitem>
813 <para>Specifies the peer tunnel id. The value used must match the <literal>PeerTunnelId=</literal> value being used at the peer.
814 Takes a number between 1 and 4294967295. This option is compulsory.</para>
815 </listitem>
816 </varlistentry>
817 <varlistentry>
818 <term><varname>Remote=</varname></term>
819 <listitem>
820 <para>Specifies the IP address of the remote peer. This option is compulsory.</para>
821 </listitem>
822 </varlistentry>
823 <varlistentry>
824 <term><varname>Local=</varname></term>
825 <listitem>
d053d08a
YW
826 <para>Specifies the IP address of the local interface. Takes an IP address, or the special values
827 <literal>auto</literal>, <literal>static</literal>, or <literal>dynamic</literal>. When an address
828 is set, then the local interface must have the address. If <literal>auto</literal>, then one of the
829 addresses on the local interface is used. Similarly, if <literal>static</literal> or
830 <literal>dynamic</literal> is set, then one of the static or dynamic addresses on the local
831 interface is used. Defaults to <literal>auto</literal>.</para>
3a56e697
SS
832 </listitem>
833 </varlistentry>
834 <varlistentry>
835 <term><varname>EncapsulationType=</varname></term>
836 <listitem>
837 <para>Specifies the encapsulation type of the tunnel. Takes one of <literal>udp</literal> or <literal>ip</literal>.</para>
838 </listitem>
839 </varlistentry>
840 <varlistentry>
841 <term><varname>UDPSourcePort=</varname></term>
842 <listitem>
843 <para>Specifies the UDP source port to be used for the tunnel. When UDP encapsulation is selected it's mandatory. Ignored when ip
844 encapsulation is selected.</para>
845 </listitem>
846 </varlistentry>
847 <varlistentry>
848 <term><varname>DestinationPort=</varname></term>
849 <listitem>
850 <para>Specifies destination port. When UDP encapsulation is selected it's mandatory. Ignored when ip
851 encapsulation is selected.</para>
852 </listitem>
853 </varlistentry>
854 <varlistentry>
855 <term><varname>UDPChecksum=</varname></term>
856 <listitem>
857 <para>Takes a boolean. When true, specifies if UDP checksum is calculated for transmitted packets over IPv4.</para>
858 </listitem>
859 </varlistentry>
860 <varlistentry>
861 <term><varname>UDP6ZeroChecksumTx=</varname></term>
862 <listitem>
863 <para>Takes a boolean. When true, skip UDP checksum calculation for transmitted packets over IPv6.</para>
864 </listitem>
865 </varlistentry>
866 <varlistentry>
867 <term><varname>UDP6ZeroChecksumRx=</varname></term>
868 <listitem>
869 <para>Takes a boolean. When true, allows incoming UDP packets over IPv6 with zero checksum field.</para>
870 </listitem>
871 </varlistentry>
872 </variablelist>
873 </refsect1>
488d0ba1 874
3a56e697
SS
875 <refsect1>
876 <title>[L2TPSession] Section Options</title>
488d0ba1 877
3a56e697
SS
878 <para>The <literal>[L2TPSession]</literal> section only applies for
879 netdevs of kind <literal>l2tp</literal>, and accepts the
880 following keys:</para>
881 <variablelist class='network-directives'>
882 <varlistentry>
883 <term><varname>Name=</varname></term>
884 <listitem>
5238e957 885 <para>Specifies the name of the session. This option is compulsory.</para>
3a56e697
SS
886 </listitem>
887 </varlistentry>
888 <varlistentry>
889 <term><varname>SessionId=</varname></term>
890 <listitem>
5238e957 891 <para>Specifies the session id. The value used must match the <literal>SessionId=</literal> value being used at the peer.
3a56e697
SS
892 Takes a number between 1 and 4294967295. This option is compulsory.</para>
893 </listitem>
894 </varlistentry>
895 <varlistentry>
896 <term><varname>PeerSessionId=</varname></term>
897 <listitem>
898 <para>Specifies the peer session id. The value used must match the <literal>PeerSessionId=</literal> value being used at the peer.
899 Takes a number between 1 and 4294967295. This option is compulsory.</para>
900 </listitem>
901 </varlistentry>
902 <varlistentry>
903 <term><varname>Layer2SpecificHeader=</varname></term>
904 <listitem>
905 <para>Specifies layer2specific header type of the session. One of <literal>none</literal> or <literal>default</literal>. Defaults to <literal>default</literal>.</para>
906 </listitem>
907 </varlistentry>
908 </variablelist>
909 </refsect1>
488d0ba1 910
81962db7
SS
911 <refsect1>
912 <title>[MACsec] Section Options</title>
488d0ba1 913
81962db7
SS
914 <para>The <literal>[MACsec]</literal> section only applies for network devices of kind
915 <literal>macsec</literal>, and accepts the following keys:</para>
916
917 <variablelist class='network-directives'>
918 <varlistentry>
919 <term><varname>Port=</varname></term>
920 <listitem>
921 <para>Specifies the port to be used for the MACsec transmit channel. The port is used to make
922 the secure channel identifier (SCI). Takes a value between 1 and 65535. Defaults to unset.
923 </para>
924 </listitem>
925 </varlistentry>
926 <varlistentry>
927 <term><varname>Encrypt=</varname></term>
928 <listitem>
929 <para>Takes a boolean. When true, enable encryption. Defaults to unset.</para>
930 </listitem>
931 </varlistentry>
932 </variablelist>
933 </refsect1>
488d0ba1 934
81962db7
SS
935 <refsect1>
936 <title>[MACsecReceiveChannel] Section Options</title>
937 <para>The <literal>[MACsecReceiveChannel]</literal> section only applies for network devices of
938 kind <literal>macsec</literal>, and accepts the following keys:</para>
939
940 <variablelist class='network-directives'>
941 <varlistentry>
942 <term><varname>Port=</varname></term>
943 <listitem>
944 <para>Specifies the port to be used for the MACsec receive channel. The port is used to make
945 the secure channel identifier (SCI). Takes a value between 1 and 65535. This option is
946 compulsory, and is not set by default.</para>
947 </listitem>
948 </varlistentry>
949 <varlistentry>
950 <term><varname>MACAddress=</varname></term>
951 <listitem>
952 <para>Specifies the MAC address to be used for the MACsec receive channel. The MAC address
953 is used to make the secure channel identifier (SCI). This option is compulsory, and is not set by
954 default.</para>
955 </listitem>
956 </varlistentry>
957 </variablelist>
958 </refsect1>
488d0ba1 959
81962db7
SS
960 <refsect1>
961 <title>[MACsecTransmitAssociation] Section Options</title>
488d0ba1 962
81962db7
SS
963 <para>The <literal>[MACsecTransmitAssociation]</literal> section only applies for network devices
964 of kind <literal>macsec</literal>, and accepts the following keys:</para>
965
966 <variablelist class='network-directives'>
967 <varlistentry>
968 <term><varname>PacketNumber=</varname></term>
969 <listitem>
970 <para>Specifies the packet number to be used for replay protection and the construction of
971 the initialization vector (along with the secure channel identifier [SCI]). Takes a value
972 between 1-4,294,967,295. Defaults to unset.
973 </para>
974 </listitem>
975 </varlistentry>
976 <varlistentry>
977 <term><varname>KeyId=</varname></term>
978 <listitem>
979 <para>Specifies the identification for the key. Takes a number between 0-255. This option
980 is compulsory, and is not set by default.</para>
981 </listitem>
982 </varlistentry>
983 <varlistentry>
984 <term><varname>Key=</varname></term>
985 <listitem>
986 <para>Specifies the encryption key used in the transmission channel. The same key must be
987 configured on the peer’s matching receive channel. This option is compulsory, and is not set
988 by default. Takes a 128-bit key encoded in a hexadecimal string, for example
989 <literal>dffafc8d7b9a43d5b9a3dfbbf6a30c16</literal>.</para>
990 </listitem>
991 </varlistentry>
eb4705fb
YW
992 <varlistentry>
993 <term><varname>KeyFile=</varname></term>
994 <listitem>
995 <para>Takes an absolute path to a file which contains a 128-bit key encoded in a hexadecimal
996 string, which will be used in the transmission channel. When this option is specified,
997 <varname>Key=</varname> is ignored. Note that the file must be readable by the user
998 <literal>systemd-network</literal>, so it should be, e.g., owned by
999 <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode.</para>
1000 </listitem>
1001 </varlistentry>
a7b9c52f
YW
1002 <varlistentry>
1003 <term><varname>Activate=</varname></term>
1004 <listitem>
1005 <para>Takes a boolean. If enabled, then the security association is activated. Defaults to
1006 unset.</para>
1007 </listitem>
1008 </varlistentry>
b0e13c31
YW
1009 <varlistentry>
1010 <term><varname>UseForEncoding=</varname></term>
1011 <listitem>
1012 <para>Takes a boolean. If enabled, then the security association is used for encoding. Only
1013 one <literal>[MACsecTransmitAssociation]</literal> section can enable this option. When enabled,
1014 <varname>Activate=yes</varname> is implied. Defaults to unset.</para>
1015 </listitem>
1016 </varlistentry>
81962db7
SS
1017 </variablelist>
1018 </refsect1>
488d0ba1 1019
81962db7
SS
1020 <refsect1>
1021 <title>[MACsecReceiveAssociation] Section Options</title>
488d0ba1 1022
81962db7
SS
1023 <para>The <literal>[MACsecReceiveAssociation]</literal> section only applies for
1024 network devices of kind <literal>macsec</literal>, and accepts the
1025 following keys:</para>
1026
1027 <variablelist class='network-directives'>
1028 <varlistentry>
1029 <term><varname>Port=</varname></term>
1030 <listitem>
1031 <para>Accepts the same key as in the <literal>[MACsecReceiveChannel]</literal> section.</para>
1032 </listitem>
1033 </varlistentry>
1034 <varlistentry>
1035 <term><varname>MACAddress=</varname></term>
1036 <listitem>
1037 <para>Accepts the same key as in the <literal>[MACsecReceiveChannel]</literal> section.</para>
1038 </listitem>
1039 </varlistentry>
1040 <varlistentry>
1041 <term><varname>PacketNumber=</varname></term>
1042 <listitem>
1043 <para>Accepts the same key as in the <literal>[MACsecTransmitAssociation]</literal> section.</para>
1044 </listitem>
1045 </varlistentry>
1046 <varlistentry>
1047 <term><varname>KeyId=</varname></term>
1048 <listitem>
1049 <para>Accepts the same key as in the <literal>[MACsecTransmitAssociation]</literal> section.</para>
1050 </listitem>
1051 </varlistentry>
1052 <varlistentry>
1053 <term><varname>Key=</varname></term>
1054 <listitem>
1055 <para>Accepts the same key as in the <literal>[MACsecTransmitAssociation]</literal> section.</para>
1056 </listitem>
1057 </varlistentry>
eb4705fb
YW
1058 <varlistentry>
1059 <term><varname>KeyFile=</varname></term>
1060 <listitem>
1061 <para>Accepts the same key as in the <literal>[MACsecTransmitAssociation]</literal> section.</para>
1062 </listitem>
1063 </varlistentry>
a7b9c52f
YW
1064 <varlistentry>
1065 <term><varname>Activate=</varname></term>
1066 <listitem>
1067 <para>Accepts the same key as in the <literal>[MACsecTransmitAssociation]</literal> section.</para>
1068 </listitem>
1069 </varlistentry>
81962db7
SS
1070 </variablelist>
1071 </refsect1>
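The constraints documented for the `[MACsecTransmitAssociation]` and `[MACsecReceiveAssociation]` sections can be checked before a file is deployed. The following Python check is an added example, not part of systemd or of this man page; the function names, the sample configuration, the key file paths and the audit policy (flagging an inline `Key=` and any key file accessible to other users) are assumptions, and file ownership is not verified.

```python
import os
import re
import stat
import types

HEX128 = re.compile(r"[0-9a-fA-F]{32}")  # 128-bit key as a hexadecimal string
SA_SECTIONS = ("MACsecTransmitAssociation", "MACsecReceiveAssociation")
TRUE_VALUES = ("1", "yes", "y", "true", "t", "on")

# Constructed sample .netdev content; the paths and MAC address are made up.
SAMPLE = """\
[NetDev]
Name=macsec0
Kind=macsec

[MACsecTransmitAssociation]
KeyId=1
Key=dffafc8d7b9a43d5b9a3dfbbf6a30c16
UseForEncoding=yes

[MACsecTransmitAssociation]
KeyId=2
KeyFile=/etc/systemd/network/macsec0-tx.key
UseForEncoding=yes

[MACsecReceiveAssociation]
Port=1
MACAddress=00:11:22:33:44:55
KeyId=300
KeyFile=keys/rx.key
"""


def parse_sections(text):
    """Return [(section, {key: value})]; repeated sections stay separate."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = value.strip()
    return sections


def in_range(value, low, high):
    """True if value is a plain decimal integer within [low, high]."""
    return (value is not None and re.fullmatch(r"[0-9]+", value) is not None
            and low <= int(value) <= high)


def stub_stat(mode):
    """Build a stat function reporting `mode` for every path (offline runs)."""
    return lambda path: types.SimpleNamespace(st_mode=mode)


def check_key_file(path, stat_fn=os.stat):
    """Findings for a KeyFile= value: absolute path, no access for 'other'."""
    if not os.path.isabs(path):
        return [f"KeyFile={path}: must be an absolute path"]
    try:
        mode = stat.S_IMODE(stat_fn(path).st_mode)
    except OSError as exc:
        return [f"KeyFile={path}: cannot stat ({exc.strerror})"]
    if mode & stat.S_IRWXO:
        return [f"KeyFile={path}: mode {mode:04o} lets other users in, use 0640"]
    return []


def audit_macsec(text, stat_fn=os.stat):
    """Check the security association sections against the documented rules."""
    findings, encoders = [], 0
    for name, opts in parse_sections(text):
        if name not in SA_SECTIONS:
            continue
        key_id, pn = opts.get("KeyId"), opts.get("PacketNumber")
        if not in_range(key_id, 0, 255):
            findings.append(f"[{name}] KeyId={key_id}: compulsory, must be 0-255")
        if pn is not None and not in_range(pn, 1, 4294967295):
            findings.append(f"[{name}] PacketNumber={pn}: must be 1-4294967295")
        key, key_file = opts.get("Key"), opts.get("KeyFile")
        if key_file:
            # KeyFile= wins over Key=, so only the file needs checking.
            findings += [f"[{name}] {f}" for f in check_key_file(key_file, stat_fn)]
        elif key is None:
            findings.append(f"[{name}] neither Key= nor KeyFile= is set")
        elif not HEX128.fullmatch(key):
            findings.append(f"[{name}] Key= is not a 128-bit hexadecimal string")
        else:
            # Audit policy of this example, not a systemd requirement.
            findings.append(f"[{name}] inline Key=: secret sits in the .netdev file")
        if name == SA_SECTIONS[0] and opts.get("UseForEncoding", "").lower() in TRUE_VALUES:
            encoders += 1
    if encoders > 1:
        findings.append("UseForEncoding= enabled in more than one transmit association")
    return findings


if __name__ == "__main__":
    # The stub reports a world-readable 0644 file so the demo runs anywhere.
    for finding in audit_macsec(SAMPLE, stub_stat(0o100644)):
        print(finding)
```

On a real host, call `audit_macsec(text)` without the stub so that `os.stat` inspects the actual key files.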
488d0ba1 1072
798d3a52
ZJS
1073 <refsect1>
1074 <title>[Tunnel] Section Options</title>
1075
1076 <para>The <literal>[Tunnel]</literal> section only applies for
1077 netdevs of kind
1078 <literal>ipip</literal>,
1079 <literal>sit</literal>,
1080 <literal>gre</literal>,
1081 <literal>gretap</literal>,
1082 <literal>ip6gre</literal>,
1083 <literal>ip6gretap</literal>,
5cc0748e 1084 <literal>vti</literal>,
af555aa3
YW
1085 <literal>vti6</literal>,
1086 <literal>ip6tnl</literal>, and
1087 <literal>erspan</literal> and accepts
798d3a52
ZJS
1088 the following keys:</para>
1089
1090 <variablelist class='network-directives'>
1091 <varlistentry>
1092 <term><varname>Local=</varname></term>
1093 <listitem>
8643885f
YW
1094 <para>A static local address for tunneled packets. It must be an address on another interface of
1095 this host, or the special value <literal>any</literal>.</para>
798d3a52
ZJS
1096 </listitem>
1097 </varlistentry>
1098 <varlistentry>
1099 <term><varname>Remote=</varname></term>
1100 <listitem>
8643885f
YW
1101 <para>The remote endpoint of the tunnel. Takes an IP address or the special value
1102 <literal>any</literal>.</para>
798d3a52
ZJS
1103 </listitem>
1104 </varlistentry>
1105 <varlistentry>
1106 <term><varname>TOS=</varname></term>
1107 <listitem>
1108 <para>The Type Of Service byte value for a tunnel interface.
b938cb90 1109 For details about the TOS, see the
798d3a52
ZJS
1110 <ulink url="http://tools.ietf.org/html/rfc1349"> Type of
1111 Service in the Internet Protocol Suite </ulink> document.
1112 </para>
1113 </listitem>
1114 </varlistentry>
1115 <varlistentry>
1116 <term><varname>TTL=</varname></term>
1117 <listitem>
1118 <para>A fixed Time To Live N on tunneled packets. N is a
b938cb90 1119 number in the range 1–255. 0 is a special value meaning that
798d3a52 1120 packets inherit the TTL value. The default value for IPv4
b938cb90 1121 tunnels is: inherit. The default value for IPv6 tunnels is
798d3a52
ZJS
1122 64.</para>
1123 </listitem>
1124 </varlistentry>
1125 <varlistentry>
1126 <term><varname>DiscoverPathMTU=</varname></term>
1127 <listitem>
9b6ffef3 1128 <para>Takes a boolean. When true, enables Path MTU Discovery on
798d3a52
ZJS
1129 the tunnel.</para>
1130 </listitem>
1131 </varlistentry>
276de526
SS
1132 <varlistentry>
1133 <term><varname>IPv6FlowLabel=</varname></term>
1134 <listitem>
a8eaaee7 1135 <para>Configures the 20-bit flow label (see <ulink url="https://tools.ietf.org/html/rfc6437">
276de526 1136 RFC 6437</ulink>) field in the IPv6 header (see <ulink url="https://tools.ietf.org/html/rfc2460">
a8eaaee7
JE
1137 RFC 2460</ulink>), which is used by a node to label packets of a flow.
1138 It is only used for IPv6 tunnels.
1139 A flow label of zero is used to indicate packets that have
1140 not been labeled.
1141 It can be configured to a value in the range 0–0xFFFFF, or be
1142 set to <literal>inherit</literal>, in which case the original flowlabel is used.</para>
276de526
SS
1143 </listitem>
1144 </varlistentry>
9b0ca30a 1145 <varlistentry>
a9b70f9d 1146 <term><varname>CopyDSCP=</varname></term>
9b0ca30a 1147 <listitem>
9b6ffef3 1148 <para>Takes a boolean. When true, the Differentiated Service Code
3cf4bcab 1149 Point (DSCP) field will be copied to the inner header from
a9b70f9d 1150 outer header during the decapsulation of an IPv6 tunnel
3cf4bcab
ZJS
1151 packet. DSCP is a field in an IP packet that enables different
1152 levels of service to be assigned to network traffic.
1153 Defaults to <literal>no</literal>.
9b0ca30a
SS
1154 </para>
1155 </listitem>
1156 </varlistentry>
dae398a8
SS
1157 <varlistentry>
1158 <term><varname>EncapsulationLimit=</varname></term>
1159 <listitem>
1160 <para>The Tunnel Encapsulation Limit option specifies how many additional
1161 levels of encapsulation are permitted to be prepended to the packet.
1162 For example, a Tunnel Encapsulation Limit option containing a limit
1163 value of zero means that a packet carrying that option may not enter
1164 another tunnel before exiting the current tunnel.
1165 (see <ulink url="https://tools.ietf.org/html/rfc2473#section-4.1.1"> RFC 2473</ulink>).
b938cb90 1166 The valid range is 0–255 and <literal>none</literal>. Defaults to 4.
dae398a8
SS
1167 </para>
1168 </listitem>
1169 </varlistentry>
1d710029
SS
1170 <varlistentry>
1171 <term><varname>Key=</varname></term>
1172 <listitem>
1173 <para>The <varname>Key=</varname> parameter specifies the same key to use in
1174 both directions (<varname>InputKey=</varname> and <varname>OutputKey=</varname>).
1175 The <varname>Key=</varname> is either a number or an IPv4 address-like dotted quad.
1176 It is used as mark-configured SAD/SPD entry as part of the lookup key (both in data
1177 and control path) in ip xfrm (framework used to implement IPsec protocol).
1178 See <ulink url="http://man7.org/linux/man-pages/man8/ip-xfrm.8.html">
c65c01c4
YW
1179 ip-xfrm — transform configuration</ulink> for details. It is only used for VTI/VTI6,
1180 GRE, GRETAP, and ERSPAN tunnels.</para>
1d710029
SS
1181 </listitem>
1182 </varlistentry>
1183 <varlistentry>
1184 <term><varname>InputKey=</varname></term>
1185 <listitem>
1186 <para>The <varname>InputKey=</varname> parameter specifies the key to use for input.
c65c01c4
YW
1187 The format is the same as <varname>Key=</varname>. It is only used for VTI/VTI6, GRE, GRETAP,
1188 and ERSPAN tunnels.</para>
1d710029
SS
1189 </listitem>
1190 </varlistentry>
1191 <varlistentry>
1192 <term><varname>OutputKey=</varname></term>
1193 <listitem>
1194 <para>The <varname>OutputKey=</varname> parameter specifies the key to use for output.
c65c01c4
YW
1195 The format is the same as <varname>Key=</varname>. It is only used for VTI/VTI6, GRE, GRETAP,
1196 and ERSPAN tunnels.</para>
1d710029
SS
1197 </listitem>
1198 </varlistentry>
798d3a52
ZJS
1199 <varlistentry>
1200 <term><varname>Mode=</varname></term>
1201 <listitem>
a8eaaee7 1202 <para>An <literal>ip6tnl</literal> tunnel can be in one of three
798d3a52
ZJS
1203 modes
1204 <literal>ip6ip6</literal> for IPv6 over IPv6,
1205 <literal>ipip6</literal> for IPv4 over IPv6 or
1206 <literal>any</literal> for either.
1207 </para>
1208 </listitem>
1209 </varlistentry>
4d7fa6de
SS
1210 <varlistentry>
1211 <term><varname>Independent=</varname></term>
1212 <listitem>
9b6ffef3 1213 <para>Takes a boolean. When true, the tunnel does not require a .network file. Created as "tunnel@NONE".
4d7fa6de
SS
1214 Defaults to <literal>false</literal>.
1215 </para>
1216 </listitem>
1217 </varlistentry>
3a4f3e42
SS
1218 <varlistentry>
1219 <term><varname>AllowLocalRemote=</varname></term>
1220 <listitem>
9b6ffef3 1221 <para>Takes a boolean. When true, allows tunnel traffic on <varname>ip6tnl</varname> devices where the remote endpoint is a local host address.
025314d9 1222 When unset, the kernel's default will be used.
3a4f3e42
SS
1223 </para>
1224 </listitem>
1225 </varlistentry>
53cb501a
SS
1226 <varlistentry>
1227 <term><varname>FooOverUDP=</varname></term>
1228 <listitem>
9b6ffef3 1229 <para>Takes a boolean. Specifies whether <varname>FooOverUDP=</varname> tunnel is to be configured.
0b145817
YW
1230 Defaults to false. This takes effects only for IPIP, SIT, GRE, and GRETAP tunnels.
1231 For more detail information see
53cb501a
SS
1232 <ulink url="https://lwn.net/Articles/614348">Foo over UDP</ulink></para>
1233 </listitem>
1234 </varlistentry>
1235 <varlistentry>
1236 <term><varname>FOUDestinationPort=</varname></term>
1237 <listitem>
6f520e74 1238 <para>This setting specifies the UDP destination port for encapsulation.
0b145817 1239 This field is mandatory when <varname>FooOverUDP=yes</varname>, and is not set by default.</para>
53cb501a
SS
1240 </listitem>
1241 </varlistentry>
1242 <varlistentry>
1243 <term><varname>FOUSourcePort=</varname></term>
1244 <listitem>
6f520e74
ZJS
1245 <para>This setting specifies the UDP source port for encapsulation. Defaults to <constant>0</constant>
1246 — that is, the source port for packets is left to the network stack to decide.</para>
53cb501a
SS
1247 </listitem>
1248 </varlistentry>
1249 <varlistentry>
1250 <term><varname>Encapsulation=</varname></term>
1251 <listitem>
0b145817 1252 <para>Accepts the same key as in the <literal>[FooOverUDP]</literal> section.</para>
53cb501a
SS
1253 </listitem>
1254 </varlistentry>
d067cab3
DA
1255 <varlistentry>
1256 <term><varname>IPv6RapidDeploymentPrefix=</varname></term>
1257 <listitem>
1258 <para>Reconfigure the tunnel for <ulink url="https://tools.ietf.org/html/rfc5569">IPv6 Rapid
1259 Deployment</ulink>, also known as 6rd. The value is an ISP-specific IPv6 prefix with a non-zero length. Only
1260 applicable to SIT tunnels.</para>
1261 </listitem>
1262 </varlistentry>
918049ad
SS
1263 <varlistentry>
1264 <term><varname>ISATAP=</varname></term>
1265 <listitem>
1266 <para>Takes a boolean. If set, configures the tunnel as Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel.
1267 Only applicable to SIT tunnels. When unset, the kernel's default will be used.</para>
1268 </listitem>
1269 </varlistentry>
2266864b
SS
1270 <varlistentry>
1271 <term><varname>SerializeTunneledPackets=</varname></term>
1272 <listitem>
c65c01c4
YW
1273 <para>Takes a boolean. If set to yes, then packets are serialized. Only applies for GRE,
1274 GRETAP, and ERSPAN tunnels. When unset, the kernel's default will be used.
2266864b
SS
1275 </para>
1276 </listitem>
1277 </varlistentry>
1278 <varlistentry>
1279 <term><varname>ERSPANIndex=</varname></term>
1280 <listitem>
1281 <para>Specifies the ERSPAN index field for the interface, an integer in the range 1-1048575 associated with
1282 the ERSPAN traffic's source port and direction. This field is mandatory.
1283 </para>
1284 </listitem>
1285 </varlistentry>
798d3a52
ZJS
1286 </variablelist>
1287 </refsect1>
53cb501a
SS
1288
1289 <refsect1>
1290 <title>[FooOverUDP] Section Options</title>
1291
1292 <para>The <literal>[FooOverUDP]</literal> section only applies for
1293 netdevs of kind <literal>fou</literal> and accepts the
1294 following keys:</para>
1295
1296 <variablelist class='network-directives'>
53cb501a
SS
1297 <varlistentry>
1298 <term><varname>Encapsulation=</varname></term>
1299 <listitem>
1300 <para>Specifies the encapsulation mechanism used to store networking packets of various protocols inside the UDP packets. Supports the following values:
1301
1302 <literal>FooOverUDP</literal> provides the simplest no frills model of UDP encapsulation, it simply encapsulates
1303 packets directly in the UDP payload.
1304 <literal>GenericUDPEncapsulation</literal> is a generic and extensible encapsulation, it allows encapsulation of packets for any IP
1305 protocol and optional data as part of the encapsulation.
1306 For more detailed information see <ulink url="https://lwn.net/Articles/615044">Generic UDP Encapsulation</ulink>.
1307 Defaults to <literal>FooOverUDP</literal>.
1308 </para>
1309 </listitem>
1310 </varlistentry>
1311 <varlistentry>
1312 <term><varname>Port=</varname></term>
1313 <listitem>
1314 <para>Specifies the port number where the IP encapsulation packets will arrive. Note that the packets
1315 will arrive with the encapsulation removed. They will then be manually fed back into the network stack, and sent ahead
1316 for delivery to the real destination. This option is mandatory.</para>
1317 </listitem>
488d0ba1 1318 </varlistentry>
8f02c9b0
SS
1319 <varlistentry>
1320 <term><varname>PeerPort=</varname></term>
1321 <listitem>
1322 <para>Specifies the peer port number. Defaults to unset. Note that when the peer port is set, the <literal>Peer=</literal> address is mandatory.</para>
1323 </listitem>
488d0ba1 1324 </varlistentry>
0b145817
YW
1325 <varlistentry>
1326 <term><varname>Protocol=</varname></term>
1327 <listitem>
1328 <para>The <varname>Protocol=</varname> specifies the protocol number of the packets arriving
1329 at the UDP port. When <varname>Encapsulation=FooOverUDP</varname>, this field is mandatory
1330 and is not set by default. Takes an IP protocol name such as <literal>gre</literal> or
1331 <literal>ipip</literal>, or an integer within the range 1-255. When
1332 <varname>Encapsulation=GenericUDPEncapsulation</varname>, this must not be specified.</para>
1333 </listitem>
1334 </varlistentry>
4502a61c
SS
1335 <varlistentry>
1336 <term><varname>Peer=</varname></term>
1337 <listitem>
8f02c9b0 1338 <para>Configures the peer IP address. Note that when the peer address is set, <literal>PeerPort=</literal> is mandatory.</para>
4502a61c
SS
1339 </listitem>
1340 </varlistentry>
1341 <varlistentry>
1342 <term><varname>Local=</varname></term>
1343 <listitem>
1344 <para>Configures local IP address.</para>
1345 </listitem>
1346 </varlistentry>
0b145817 1347 </variablelist>
53cb501a 1348 </refsect1>
488d0ba1 1349
798d3a52
ZJS
1350 <refsect1>
1351 <title>[Peer] Section Options</title>
1352
488d0ba1
YW
1353 <para>The <literal>[Peer]</literal> section only applies for
1354 netdevs of kind <literal>veth</literal> and accepts the
1355 following keys:</para>
1356
1357 <variablelist class='network-directives'>
1358 <varlistentry>
1359 <term><varname>Name=</varname></term>
1360 <listitem>
1361 <para>The interface name used when creating the netdev.
1362 This option is compulsory.</para>
1363 </listitem>
1364 </varlistentry>
1365 <varlistentry>
1366 <term><varname>MACAddress=</varname></term>
1367 <listitem>
1368 <para>The peer MAC address. If not set, it is generated in
1369 the same way as the MAC address of the main
1370 interface.</para>
1371 </listitem>
1372 </varlistentry>
1373 </variablelist>
798d3a52 1374 </refsect1>
488d0ba1 1375
d6df583c 1376 <refsect1>
488d0ba1
YW
1377 <title>[VXCAN] Section Options</title>
1378
1379 <para>The <literal>[VXCAN]</literal> section only applies for
1380 netdevs of kind <literal>vxcan</literal> and accepts the
1381 following key:</para>
1382
1383 <variablelist class='network-directives'>
1384 <varlistentry>
1385 <term><varname>Peer=</varname></term>
1386 <listitem>
1387 <para>The peer interface name used when creating the netdev.
1388 This option is compulsory.</para>
1389 </listitem>
1390 </varlistentry>
1391 </variablelist>
d6df583c 1392 </refsect1>
488d0ba1 1393
798d3a52
ZJS
1394 <refsect1>
1395 <title>[Tun] Section Options</title>
1396
1397 <para>The <literal>[Tun]</literal> section only applies for
1398 netdevs of kind <literal>tun</literal>, and accepts the following
1399 keys:</para>
1400
1401 <variablelist class='network-directives'>
798d3a52
ZJS
1402 <varlistentry>
1403 <term><varname>MultiQueue=</varname></term>
9b6ffef3 1404 <listitem><para>Takes a boolean. Configures whether
798d3a52
ZJS
1405 to use multiple file descriptors (queues) to parallelize
1406 packet sending and receiving. Defaults to
1407 <literal>no</literal>.</para>
1408 </listitem>
1409 </varlistentry>
1410 <varlistentry>
1411 <term><varname>PacketInfo=</varname></term>
9b6ffef3 1412 <listitem><para>Takes a boolean. Configures whether
ff9b60f3 1413 packets should be prepended with four extra bytes (two flag
b938cb90 1414 bytes and two protocol bytes). If disabled, it indicates that
798d3a52
ZJS
1415 the packets will be pure IP packets. Defaults to
1416 <literal>no</literal>.</para>
1417 </listitem>
1418 </varlistentry>
43f78da4 1419 <varlistentry>
2aba142e 1420 <term><varname>VNetHeader=</varname></term>
9b6ffef3 1421 <listitem><para>Takes a boolean. Configures
75eed300 1422 IFF_VNET_HDR flag for a tun or tap device. It allows sending
43f78da4
SS
1423 and receiving larger Generic Segmentation Offload (GSO)
1424 packets. This may increase throughput significantly.
1425 Defaults to
1426 <literal>no</literal>.</para>
1427 </listitem>
1428 </varlistentry>
798d3a52
ZJS
1429 <varlistentry>
1430 <term><varname>User=</varname></term>
1431 <listitem><para>User to grant access to the
1432 <filename>/dev/net/tun</filename> device.</para>
1433 </listitem>
1434 </varlistentry>
1435 <varlistentry>
1436 <term><varname>Group=</varname></term>
1437 <listitem><para>Group to grant access to the
1438 <filename>/dev/net/tun</filename> device.</para>
1439 </listitem>
1440 </varlistentry>
798d3a52 1441 </variablelist>
798d3a52
ZJS
1442 </refsect1>
1443
1444 <refsect1>
1445 <title>[Tap] Section Options</title>
1446
1447 <para>The <literal>[Tap]</literal> section only applies for
1448 netdevs of kind <literal>tap</literal>, and accepts the same keys
1449 as the <literal>[Tun]</literal> section.</para>
1450 </refsect1>
1451
e5719363
JT
1452 <refsect1>
1453 <title>[WireGuard] Section Options</title>
1454
1455 <para>The <literal>[WireGuard]</literal> section accepts the following
1456 keys:</para>
1457
1458 <variablelist class='network-directives'>
1459 <varlistentry>
1460 <term><varname>PrivateKey=</varname></term>
1461 <listitem>
1462 <para>The Base64 encoded private key for the interface. It can be
488d0ba1
YW
1463 generated using the <command>wg genkey</command> command
1464 (see <citerefentry project="wireguard"><refentrytitle>wg</refentrytitle><manvolnum>8</manvolnum></citerefentry>).
1465 This option or <varname>PrivateKeyFile=</varname> is mandatory to use WireGuard.
1466 Note that because this information is secret, you may want to set
1467 the permissions of the .netdev file to be owned by <literal>root:systemd-network</literal>
1468 with a <literal>0640</literal> file mode.</para>
e5719363
JT
1469 </listitem>
1470 </varlistentry>
76df7779
YW
1471 <varlistentry>
1472 <term><varname>PrivateKeyFile=</varname></term>
1473 <listitem>
a3945c63 1474 <para>Takes an absolute path to a file which contains the Base64 encoded private key for the interface.
cb31e7c8 1475 When this option is specified, then <varname>PrivateKey=</varname> is ignored.
76df7779
YW
1476 Note that the file must be readable by the user <literal>systemd-network</literal>, so it
1477 should be, e.g., owned by <literal>root:systemd-network</literal> with a
1478 <literal>0640</literal> file mode.</para>
1479 </listitem>
1480 </varlistentry>
e5719363
JT
1481 <varlistentry>
1482 <term><varname>ListenPort=</varname></term>
1483 <listitem>
1484 <para>Sets the UDP port for listening. Takes either a value between 1 and 65535
488d0ba1
YW
1485 or <literal>auto</literal>. If <literal>auto</literal> is specified,
1486 the port is automatically generated based on the interface name.
1487 Defaults to <literal>auto</literal>.</para>
e5719363
JT
1488 </listitem>
1489 </varlistentry>
1490 <varlistentry>
1c30b174 1491 <term><varname>FirewallMark=</varname></term>
e5719363 1492 <listitem>
1c30b174 1493 <para>Sets a firewall mark on outgoing WireGuard packets from this interface. Takes a number between 1 and 4294967295.</para>
e5719363
JT
1494 </listitem>
1495 </varlistentry>
1496 </variablelist>
1497 </refsect1>
1498
1499 <refsect1>
1500 <title>[WireGuardPeer] Section Options</title>
1501
1502 <para>The <literal>[WireGuardPeer]</literal> section accepts the following
1503 keys:</para>
1504
1505 <variablelist class='network-directives'>
1506 <varlistentry>
1507 <term><varname>PublicKey=</varname></term>
1508 <listitem>
1509 <para>Sets a Base64 encoded public key calculated by <command>wg pubkey</command>
488d0ba1
YW
1510 (see <citerefentry project="wireguard"><refentrytitle>wg</refentrytitle><manvolnum>8</manvolnum></citerefentry>)
1511 from a private key, and usually transmitted out of band to the
1512 author of the configuration file. This option is mandatory for this
1513 section.</para>
e5719363
JT
1514 </listitem>
1515 </varlistentry>
1516 <varlistentry>
1517 <term><varname>PresharedKey=</varname></term>
1518 <listitem>
1519 <para>Optional preshared key for the interface. It can be generated
488d0ba1
YW
1520 by the <command>wg genpsk</command> command. This option adds an
1521 additional layer of symmetric-key cryptography to be mixed into the
1522 already existing public-key cryptography, for post-quantum
1523 resistance.
1524 Note that because this information is secret, you may want to set
1525 the permissions of the .netdev file to be owned by <literal>root:systemd-network</literal>
1526 with a <literal>0640</literal> file mode.</para>
e5719363
JT
1527 </listitem>
1528 </varlistentry>
a3945c63
YW
1529 <varlistentry>
1530 <term><varname>PresharedKeyFile=</varname></term>
1531 <listitem>
1532 <para>Takes an absolute path to a file which contains the Base64 encoded preshared key for the
1533 peer. When this option is specified, then <varname>PresharedKey=</varname> is ignored.
1534 Note that the file must be readable by the user <literal>systemd-network</literal>, so it
1535 should be, e.g., owned by <literal>root:systemd-network</literal> with a
1536 <literal>0640</literal> file mode.</para>
1537 </listitem>
1538 </varlistentry>
e5719363
JT
1539 <varlistentry>
1540 <term><varname>AllowedIPs=</varname></term>
1541 <listitem>
1542 <para>Sets a comma-separated list of IP (v4 or v6) addresses with CIDR masks
488d0ba1
YW
1543 from which this peer is allowed to send incoming traffic and to
1544 which outgoing traffic for this peer is directed. The catch-all
1545 0.0.0.0/0 may be specified for matching all IPv4 addresses, and
1546 ::/0 may be specified for matching all IPv6 addresses. </para>
e5719363
JT
1547 </listitem>
1548 </varlistentry>
1549 <varlistentry>
1550 <term><varname>Endpoint=</varname></term>
1551 <listitem>
1552 <para>Sets an endpoint IP address or hostname, followed by a colon, and then
488d0ba1
YW
1553 a port number. This endpoint will be updated automatically once to
1554 the most recent source IP address and port of correctly
1555 authenticated packets from the peer at configuration time.</para>
e5719363
JT
1556 </listitem>
1557 </varlistentry>
1558 <varlistentry>
1559 <term><varname>PersistentKeepalive=</varname></term>
1560 <listitem>
1561 <para>Sets an interval in seconds, between 1 and 65535 inclusive, of how often
488d0ba1
YW
1562 to send an authenticated empty packet to the peer for the purpose
1563 of keeping a stateful firewall or NAT mapping valid persistently.
1564 For example, if the interface very rarely sends traffic, but it
1565 might at any time receive traffic from a peer, and it is behind NAT,
1566 the interface might benefit from having a persistent keepalive
1567 interval of 25 seconds. If set to 0 or "off", this option is
1568 disabled. By default or when unspecified, this option is off.
1569 Most users will not need this.</para>
e5719363
JT
1570 </listitem>
1571 </varlistentry>
1572 </variablelist>
1573 </refsect1>
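An audit of the permission guidance given above for PrivateKey=, PrivateKeyFile=, PresharedKey= and PresharedKeyFile=, as an added example that is not part of systemd or of this manual page. The function names and the check_owner switch are assumptions of this example; the 0640 mode and root:systemd-network ownership are the values suggested above.

```python
"""Audit systemd .netdev files for WireGuard secrets with loose permissions."""
import grp
import os
import pwd
import stat
import sys

# section -> (inline secret key, key pointing at a secret file), as named above
SECRET_KEYS = {
    "WireGuard": ("PrivateKey", "PrivateKeyFile"),
    "WireGuardPeer": ("PresharedKey", "PresharedKeyFile"),
}
MAX_MODE = 0o640                       # file mode suggested by the manual page
OWNER = ("root", "systemd-network")    # owner:group suggested by the manual page


def parse_netdev(text):
    """Return [(section, {key: value})]; repeated sections stay separate."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            # split on the first '=' only: Base64 values end in '=' padding
            key, _, value = line.partition("=")
            sections[-1][1][key.strip()] = value.strip()
    return sections


def check_perms(path, what, check_owner=True):
    """Findings for a file holding a secret: mode beyond 0640 or wrong owner."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & ~MAX_MODE:
        findings.append(f"{what}: {path} has mode {mode:04o}, wider than 0640")
    if check_owner:
        try:
            owner = (pwd.getpwuid(st.st_uid).pw_name,
                     grp.getgrgid(st.st_gid).gr_name)
        except KeyError:               # uid/gid without a passwd/group entry
            owner = (str(st.st_uid), str(st.st_gid))
        if owner != OWNER:
            findings.append(f"{what}: {path} is owned by {owner[0]}:{owner[1]}")
    return findings


def audit_netdev(path, check_owner=True):
    """Check every WireGuard secret reachable from one .netdev file."""
    with open(path, encoding="utf-8") as fh:
        sections = parse_netdev(fh.read())
    findings = []
    for name, keys in sections:
        if name not in SECRET_KEYS:
            continue
        inline_key, file_key = SECRET_KEYS[name]
        if file_key in keys:
            target = keys[file_key]
            if inline_key in keys:
                # the *File= option wins, but the inline secret is still on disk
                findings.append(f"[{name}] {inline_key}= is ignored because "
                                f"{file_key}= is set; remove the inline secret")
            if not os.path.isabs(target):
                findings.append(f"[{name}] {file_key}={target} is not an absolute path")
            elif not os.path.isfile(target):
                findings.append(f"[{name}] {file_key}={target} does not exist")
            else:
                findings += check_perms(target, f"[{name}] {file_key}", check_owner)
        elif inline_key in keys:
            # the secret lives in the .netdev file itself, so check that file
            findings += check_perms(path, f"[{name}] inline {inline_key}", check_owner)
    return findings


if __name__ == "__main__":
    # usage: python3 audit_netdev.py /etc/systemd/network/*.netdev
    problems = [f for p in sys.argv[1:] for f in audit_netdev(p)]
    print("\n".join(problems) or "no findings")
    sys.exit(1 if problems else 0)
```

A .netdev file that only references key files is not itself checked, since it then holds no secret.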
1574
798d3a52
ZJS
1575 <refsect1>
1576 <title>[Bond] Section Options</title>
1577
1578 <para>The <literal>[Bond]</literal> section accepts the following
1579 key:</para>
1580
1581 <variablelist class='network-directives'>
1582 <varlistentry>
1583 <term><varname>Mode=</varname></term>
1584 <listitem>
1585 <para>Specifies one of the bonding policies. The default is
1586 <literal>balance-rr</literal> (round robin). Possible values are
1587 <literal>balance-rr</literal>,
1588 <literal>active-backup</literal>,
1589 <literal>balance-xor</literal>,
1590 <literal>broadcast</literal>,
1591 <literal>802.3ad</literal>,
1592 <literal>balance-tlb</literal>, and
1593 <literal>balance-alb</literal>.
1594 </para>
1595 </listitem>
1596 </varlistentry>
1597
1598 <varlistentry>
1599 <term><varname>TransmitHashPolicy=</varname></term>
1600 <listitem>
1601 <para>Selects the transmit hash policy to use for slave
1602 selection in balance-xor, 802.3ad, and tlb modes. Possible
1603 values are
1604 <literal>layer2</literal>,
1605 <literal>layer3+4</literal>,
1606 <literal>layer2+3</literal>,
4d89618a 1607 <literal>encap2+3</literal>, and
798d3a52
ZJS
1608 <literal>encap3+4</literal>.
1609 </para>
1610 </listitem>
1611 </varlistentry>
1612
1613 <varlistentry>
1614 <term><varname>LACPTransmitRate=</varname></term>
1615 <listitem>
1616 <para>Specifies the rate at which the link partner transmits
1617 Link Aggregation Control Protocol Data Unit packets in
1618 802.3ad mode. Possible values are <literal>slow</literal>,
1619 which requests the partner to transmit LACPDUs every 30 seconds,
1620 and <literal>fast</literal>, which requests the partner to
1621 transmit LACPDUs every second. The default value is
1622 <literal>slow</literal>.</para>
1623 </listitem>
1624 </varlistentry>
1625
1626 <varlistentry>
1627 <term><varname>MIIMonitorSec=</varname></term>
1628 <listitem>
1629 <para>Specifies the frequency at which Media Independent
1630 Interface link monitoring will occur. A value of zero
dd2b607b 1631 disables MII link monitoring. This value is rounded down to
798d3a52
ZJS
1632 the nearest millisecond. The default value is 0.</para>
1633 </listitem>
1634 </varlistentry>
1635
1636 <varlistentry>
1637 <term><varname>UpDelaySec=</varname></term>
1638 <listitem>
1639 <para>Specifies the delay before a link is enabled after a
1640 link up status has been detected. This value is rounded down
1641 to a multiple of MIIMonitorSec. The default value is
1642 0.</para>
1643 </listitem>
1644 </varlistentry>
1645
1646 <varlistentry>
1647 <term><varname>DownDelaySec=</varname></term>
1648 <listitem>
1649 <para>Specifies the delay before a link is disabled after a
1650 link down status has been detected. This value is rounded
1651 down to a multiple of MIIMonitorSec. The default value is
1652 0.</para>
1653 </listitem>
1654 </varlistentry>
1655
81bd37a8 1656 <varlistentry>
38422da7 1657 <term><varname>LearnPacketIntervalSec=</varname></term>
81bd37a8
SS
1658 <listitem>
1659 <para>Specifies the number of seconds between instances where the bonding
a8eaaee7
JE
1660 driver sends learning packets to each slave peer switch.
1661 The valid range is 1–0x7fffffff; the default value is 1. This option
1662 has an effect only for the balance-tlb and balance-alb modes.</para>
81bd37a8
SS
1663 </listitem>
1664 </varlistentry>
1665
1666 <varlistentry>
1667 <term><varname>AdSelect=</varname></term>
1668 <listitem>
1669 <para>Specifies the 802.3ad aggregation selection logic to use. Possible values are
1670 <literal>stable</literal>,
a8eaaee7
JE
1671 <literal>bandwidth</literal> and
1672 <literal>count</literal>.
81bd37a8
SS
1673 </para>
1674 </listitem>
1675 </varlistentry>
1676
99f68ef0 1677 <varlistentry>
db688b7e 1678 <term><varname>AdActorSystemPriority=</varname></term>
99f68ef0 1679 <listitem>
db688b7e 1680 <para>Specifies the 802.3ad actor system priority. Ranges [1-65535].</para>
99f68ef0
TJ
1681 </listitem>
1682 </varlistentry>
1683
1684 <varlistentry>
1685 <term><varname>AdUserPortKey=</varname></term>
1686 <listitem>
1687 <para>Specifies the 802.3ad user defined portion of the port key. Ranges [0-1023].</para>
1688 </listitem>
1689 </varlistentry>
1690
1691 <varlistentry>
1692 <term><varname>AdActorSystem=</varname></term>
1693 <listitem>
1694 <para>Specifies the 802.3ad system MAC address. This cannot be either NULL or multicast.</para>
1695 </listitem>
1696 </varlistentry>
1697
81bd37a8 1698 <varlistentry>
38422da7 1699 <term><varname>FailOverMACPolicy=</varname></term>
81bd37a8 1700 <listitem>
a8eaaee7
JE
1701 <para>Specifies whether the active-backup mode should set all slaves to
1702 the same MAC address at the time of enslavement or, when enabled, to perform special handling of the
81bd37a8
SS
1703 bond's MAC address in accordance with the selected policy. The default policy is none.
1704 Possible values are
1705 <literal>none</literal>,
a8eaaee7
JE
1706 <literal>active</literal> and
1707 <literal>follow</literal>.
81bd37a8
SS
1708 </para>
1709 </listitem>
1710 </varlistentry>
1711
1712 <varlistentry>
38422da7 1713 <term><varname>ARPValidate=</varname></term>
81bd37a8
SS
1714 <listitem>
1715 <para>Specifies whether or not ARP probes and replies should be
38422da7 1716 validated in any mode that supports ARP monitoring, or whether
81bd37a8
SS
1717 non-ARP traffic should be filtered (disregarded) for link
1718 monitoring purposes. Possible values are
1719 <literal>none</literal>,
1720 <literal>active</literal>,
a8eaaee7
JE
1721 <literal>backup</literal> and
1722 <literal>all</literal>.
81bd37a8
SS
1723 </para>
1724 </listitem>
1725 </varlistentry>
1726
1727 <varlistentry>
38422da7 1728 <term><varname>ARPIntervalSec=</varname></term>
81bd37a8
SS
1729 <listitem>
1730 <para>Specifies the ARP link monitoring frequency in milliseconds.
1731 A value of 0 disables ARP monitoring. The default value is 0.
1732 </para>
1733 </listitem>
1734 </varlistentry>
1735
1736 <varlistentry>
38422da7 1737 <term><varname>ARPIPTargets=</varname></term>
81bd37a8
SS
1738 <listitem>
1739 <para>Specifies the IP addresses to use as ARP monitoring peers when
38422da7 1740 ARPIntervalSec is greater than 0. These are the targets of the ARP request
81bd37a8 1741 sent to determine the health of the link to the targets.
a8eaaee7 1742 Specify these values in IPv4 dotted decimal format. At least one IP
81bd37a8
SS
1743 address must be given for ARP monitoring to function. The
1744 maximum number of targets that can be specified is 16. The
1745 default value is no IP addresses.
1746 </para>
1747 </listitem>
1748 </varlistentry>
1749
1750 <varlistentry>
38422da7 1751 <term><varname>ARPAllTargets=</varname></term>
81bd37a8 1752 <listitem>
38422da7 1753 <para>Specifies the quantity of ARPIPTargets that must be reachable
81bd37a8
SS
1754 in order for the ARP monitor to consider a slave as being up.
1755 This option affects only active-backup mode for slaves with
38422da7 1756 ARPValidate enabled. Possible values are
a8eaaee7
JE
1757 <literal>any</literal> and
1758 <literal>all</literal>.
81bd37a8
SS
1759 </para>
1760 </listitem>
1761 </varlistentry>
1762
1763 <varlistentry>
38422da7 1764 <term><varname>PrimaryReselectPolicy=</varname></term>
81bd37a8
SS
1765 <listitem>
1766 <para>Specifies the reselection policy for the primary slave. This
1767 affects how the primary slave is chosen to become the active slave
1768 when failure of the active slave or recovery of the primary slave
1769 occurs. This option is designed to prevent flip-flopping between
1770 the primary slave and other slaves. Possible values are
1771 <literal>always</literal>,
a8eaaee7
JE
1772 <literal>better</literal> and
1773 <literal>failure</literal>.
81bd37a8
SS
1774 </para>
1775 </listitem>
1776 </varlistentry>
1777
1778 <varlistentry>
1779 <term><varname>ResendIGMP=</varname></term>
1780 <listitem>
1781 <para>Specifies the number of IGMP membership reports to be issued after
1782 a failover event. One membership report is issued immediately after
1783 the failover; subsequent packets are sent in each 200ms interval.
b938cb90 1784 The valid range is 0–255. Defaults to 1. A value of 0
81bd37a8
SS
1785 prevents the IGMP membership report from being issued in response
1786 to the failover event.
1787 </para>
1788 </listitem>
1789 </varlistentry>
1790
1791 <varlistentry>
1792 <term><varname>PacketsPerSlave=</varname></term>
1793 <listitem>
b938cb90 1794 <para>Specify the number of packets to transmit through a slave before
488d0ba1
YW
1795 moving to the next one. When set to 0, then a slave is chosen at
1796 random. The valid range is 0–65535. Defaults to 1. This option
1797 only has effect when in balance-rr mode.
81bd37a8
SS
1798 </para>
1799 </listitem>
1800 </varlistentry>
1801
1802 <varlistentry>
38422da7 1803 <term><varname>GratuitousARP=</varname></term>
81bd37a8
SS
1804 <listitem>
1805 <para>Specify the number of peer notifications (gratuitous ARPs and
488d0ba1
YW
1806 unsolicited IPv6 Neighbor Advertisements) to be issued after a
1807 failover event. As soon as the link is up on the new slave,
1808 a peer notification is sent on the bonding device and each
1809 VLAN sub-device. This is repeated at each link monitor interval
1810 (ARPIntervalSec or MIIMonitorSec, whichever is active) if the number is
1811 greater than 1. The valid range is 0–255. The default value is 1.
1812 This option affects only the active-backup mode.
81bd37a8
SS
1813 </para>
1814 </listitem>
1815 </varlistentry>
1816
1817 <varlistentry>
1818 <term><varname>AllSlavesActive=</varname></term>
1819 <listitem>
9b6ffef3 1820 <para>Takes a boolean. Specifies that duplicate frames (received on inactive ports)
a8eaaee7 1821 should be dropped when false, or delivered when true. Normally, bonding will drop
81bd37a8
SS
1822 duplicate frames (received on inactive ports), which is desirable for
1823 most users. However, it is sometimes useful to allow duplicate
1824 frames to be delivered. The default value is false (drop duplicate frames
1825 received on inactive ports).
1826 </para>
1827 </listitem>
1828 </varlistentry>
1829
fde60a42
SS
1830 <varlistentry>
1831 <term><varname>DynamicTransmitLoadBalancing=</varname></term>
1832 <listitem>
1833 <para>Takes a boolean. Specifies if dynamic shuffling of flows is enabled. Applies only
1834 for balance-tlb mode. Defaults to unset.
1835 </para>
1836 </listitem>
1837 </varlistentry>
1838
81bd37a8
SS
1839 <varlistentry>
1840 <term><varname>MinLinks=</varname></term>
1841 <listitem>
1842 <para>Specifies the minimum number of links that must be active before
1843 asserting carrier. The default value is 0.
1844 </para>
1845 </listitem>
1846 </varlistentry>
798d3a52 1847 </variablelist>
81bd37a8
SS
1848
1849 <para>For more detailed information, see
1850 <ulink url="https://www.kernel.org/doc/Documentation/networking/bonding.txt">
1851 Linux Ethernet Bonding Driver HOWTO</ulink></para>
b8d88b26 1852 </refsect1>
81bd37a8 1853
98d20a17 1854 <refsect1>
1855 <title>[Xfrm] Section Options</title>
1856
1857 <para>The <literal>[Xfrm]</literal> section accepts the following
1858 keys:</para>
1859
1860 <variablelist class='network-directives'>
1861 <varlistentry>
1862 <term><varname>InterfaceId=</varname></term>
1863 <listitem>
1864 <para>Sets the ID/key of the xfrm interface which needs to be associated with a SA/policy.
1865 Can be decimal or hexadecimal, valid range is 0-0xffffffff, defaults to 0.</para>
1866 </listitem>
1867 </varlistentry>
1868 <varlistentry>
1869 <term><varname>Independent=</varname></term>
1870 <listitem>
1871 <para>Takes a boolean. If set to <literal>no</literal>, the xfrm interface should have an
1872 underlying device which can be used for hardware offloading. Defaults to <literal>no</literal>.
1873 See <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1874 for how to configure the underlying device.</para>
1875 </listitem>
1876 </varlistentry>
1877 </variablelist>
1878
1879 <para>For more detailed information, see
1880 <ulink url="https://lwn.net/Articles/757391">
1881 Virtual xfrm interfaces</ulink></para>
1882 </refsect1>
1883
b8d88b26
FP
1884 <refsect1>
1885 <title>[VRF] Section Options</title>
1886 <para>The <literal>[VRF]</literal> section only applies for
1887 netdevs of kind <literal>vrf</literal> and accepts the
1888 following key:</para>
1889
1890 <variablelist class='network-directives'>
1891 <varlistentry>
1892 <term><varname>Table=</varname></term>
1893 <listitem>
1894 <para>The numeric routing table identifier. This option is compulsory.</para>
1895 </listitem>
1896 </varlistentry>
1897 </variablelist>
798d3a52
ZJS
1898 </refsect1>
1899
1900 <refsect1>
48847676 1901 <title>Examples</title>
798d3a52 1902 <example>
6c1695be 1903 <title>/etc/systemd/network/25-bridge.netdev</title>
798d3a52
ZJS
1904
1905 <programlisting>[NetDev]
eac684ef
TG
1906Name=bridge0
1907Kind=bridge</programlisting>
798d3a52 1908 </example>
eac684ef 1909
798d3a52 1910 <example>
6c1695be 1911 <title>/etc/systemd/network/25-vlan1.netdev</title>
eac684ef 1912
798d3a52 1913 <programlisting>[Match]
eac684ef
TG
1914Virtualization=no
1915
1916[NetDev]
1917Name=vlan1
1918Kind=vlan
1919
1920[VLAN]
1921Id=1</programlisting>
798d3a52
ZJS
1922 </example>
1923 <example>
6c1695be 1924 <title>/etc/systemd/network/25-ipip.netdev</title>
798d3a52 1925 <programlisting>[NetDev]
b35a2909
TG
1926Name=ipip-tun
1927Kind=ipip
1928MTUBytes=1480
1929
1930[Tunnel]
1931Local=192.168.223.238
1932Remote=192.169.224.239
1933TTL=64</programlisting>
798d3a52 1934 </example>
53cb501a
SS
1935 <example>
1936 <title>/etc/systemd/network/1-fou-tunnel.netdev</title>
1937 <programlisting>[NetDev]
1938Name=fou-tun
1939Kind=fou
1940
1941[FooOverUDP]
1942Port=5555
1943Protocol=4
1944 </programlisting>
1945 </example>
1946 <example>
1947 <title>/etc/systemd/network/25-fou-ipip.netdev</title>
1948 <programlisting>[NetDev]
53cb501a
SS
1949Name=ipip-tun
1950Kind=ipip
1951
1952[Tunnel]
964c4eda 1953Independent=yes
53cb501a
SS
1954Local=10.65.208.212
1955Remote=10.65.208.211
964c4eda 1956FooOverUDP=yes
53cb501a
SS
1957FOUDestinationPort=5555
1958 </programlisting>
1959 </example>
798d3a52 1960 <example>
6c1695be 1961 <title>/etc/systemd/network/25-tap.netdev</title>
798d3a52 1962 <programlisting>[NetDev]
30ae9dfd
SS
1963Name=tap-test
1964Kind=tap
1965
1966[Tap]
964c4eda
LP
1967MultiQueue=yes
1968PacketInfo=yes</programlisting> </example>
eac684ef 1969
798d3a52 1970 <example>
6c1695be 1971 <title>/etc/systemd/network/25-sit.netdev</title>
798d3a52 1972 <programlisting>[NetDev]
b35a2909
TG
1973Name=sit-tun
1974Kind=sit
1975MTUBytes=1480
1976
1977[Tunnel]
1978Local=10.65.223.238
1979Remote=10.65.223.239</programlisting>
798d3a52 1980 </example>
eac684ef 1981
d067cab3
DA
1982 <example>
1983 <title>/etc/systemd/network/25-6rd.netdev</title>
1984 <programlisting>[NetDev]
1985Name=6rd-tun
1986Kind=sit
1987MTUBytes=1480
1988
1989[Tunnel]
1990Local=10.65.223.238
1991IPv6RapidDeploymentPrefix=2602::/24</programlisting>
1992 </example>
1993
798d3a52 1994 <example>
6c1695be 1995 <title>/etc/systemd/network/25-gre.netdev</title>
798d3a52 1996 <programlisting>[NetDev]
b35a2909
TG
1997Name=gre-tun
1998Kind=gre
1999MTUBytes=1480
2000
2001[Tunnel]
2002Local=10.65.223.238
2003Remote=10.65.223.239</programlisting>
798d3a52 2004 </example>
b35a2909 2005
798d3a52 2006 <example>
6c1695be 2007 <title>/etc/systemd/network/25-vti.netdev</title>
b35a2909 2008
798d3a52 2009 <programlisting>[NetDev]
b35a2909
TG
2010Name=vti-tun
2011Kind=vti
2012MTUBytes=1480
2013
2014[Tunnel]
2015Local=10.65.223.238
2016Remote=10.65.223.239</programlisting>
798d3a52 2017 </example>
b35a2909 2018
798d3a52 2019 <example>
6c1695be 2020 <title>/etc/systemd/network/25-veth.netdev</title>
798d3a52 2021 <programlisting>[NetDev]
b35a2909
TG
2022Name=veth-test
2023Kind=veth
2024
2025[Peer]
2026Name=veth-peer</programlisting>
798d3a52 2027 </example>
b35a2909 2028
d94facdc 2029 <example>
6c1695be 2030 <title>/etc/systemd/network/25-bond.netdev</title>
d94facdc
MH
2031 <programlisting>[NetDev]
2032Name=bond1
2033Kind=bond
2034
2035[Bond]
2036Mode=802.3ad
2037TransmitHashPolicy=layer3+4
2038MIIMonitorSec=1s
2039LACPTransmitRate=fast
2040</programlisting>
2041 </example>
2042
798d3a52 2043 <example>
6c1695be 2044 <title>/etc/systemd/network/25-dummy.netdev</title>
798d3a52 2045 <programlisting>[NetDev]
9e358851
TG
2046Name=dummy-test
2047Kind=dummy
2048MACAddress=12:34:56:78:9a:bc</programlisting>
798d3a52 2049 </example>
20897a0d
AR
2050 <example>
2051 <title>/etc/systemd/network/25-vrf.netdev</title>
037a3ded 2052 <para>Create a VRF interface with table 42.</para>
20897a0d
AR
2053 <programlisting>[NetDev]
2054Name=vrf-test
2055Kind=vrf
798d3a52 2056
20897a0d 2057[VRF]
362f6336 2058Table=42</programlisting>
20897a0d 2059 </example>
42125eda
SS
2060
2061 <example>
2062 <title>/etc/systemd/network/25-macvtap.netdev</title>
2063 <para>Create a MacVTap device.</para>
2064 <programlisting>[NetDev]
2065Name=macvtap-test
2066Kind=macvtap
2067 </programlisting>
2068 </example>
e5719363
JT
2069 <example>
2070 <title>/etc/systemd/network/25-wireguard.netdev</title>
2071 <programlisting>[NetDev]
2072Name=wg0
2073Kind=wireguard
2074
2075[WireGuard]
2076PrivateKey=EEGlnEPYJV//kbvvIqxKkQwOiS+UENyPncC4bF46ong=
2077ListenPort=51820
2078
2079[WireGuardPeer]
2080PublicKey=RDf+LSpeEre7YEIKaxg+wbpsNV7du+ktR99uBEtIiCA=
2081AllowedIPs=fd31:bf08:57cb::/48,192.168.26.0/24
2082Endpoint=wireguard.example.com:51820</programlisting>
2083 </example>
98d20a17 2084
2085 <example>
2086 <title>/etc/systemd/network/27-xfrm.netdev</title>
2087 <programlisting>[NetDev]
2088Name=xfrm0
2089Kind=xfrm
2090
2091[Xfrm]
2092Independent=yes</programlisting>
2093 </example>
798d3a52 2094 </refsect1>
488d0ba1 2095
798d3a52
ZJS
2096 <refsect1>
2097 <title>See Also</title>
2098 <para>
2099 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
2100 <citerefentry><refentrytitle>systemd-networkd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
2101 <citerefentry><refentrytitle>systemd.link</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
2102 <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
2103 </para>
2104 </refsect1>
eac684ef
TG
2105
2106</refentry>