<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!--
SPDX-License-Identifier: LGPL-2.1+
-->
<refentry id="systemd.netdev" conditional='ENABLE_NETWORKD'>
|
||
|
||
<refentryinfo>
|
||
<title>systemd.network</title>
|
||
<productname>systemd</productname>
|
||
</refentryinfo>
|
||
|
||
<refmeta>
|
||
<refentrytitle>systemd.netdev</refentrytitle>
|
||
<manvolnum>5</manvolnum>
|
||
</refmeta>
|
||
|
||
<refnamediv>
|
||
<refname>systemd.netdev</refname>
|
||
<refpurpose>Virtual Network Device configuration</refpurpose>
|
||
</refnamediv>
|
||
|
||
<refsynopsisdiv>
|
||
<para><filename><replaceable>netdev</replaceable>.netdev</filename></para>
|
||
</refsynopsisdiv>
|
||
|
||
<refsect1>
|
||
<title>Description</title>
|
||
|
||
<para>Network setup is performed by
|
||
<citerefentry><refentrytitle>systemd-networkd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
|
||
</para>
|
||
|
||
<para>The main Virtual Network Device file must have the extension <filename>.netdev</filename>;
|
||
other extensions are ignored. Virtual network devices are created as soon as networkd is
|
||
started. If a netdev with the specified name already exists, networkd will use that as-is rather
|
||
than create its own. Note that the settings of the pre-existing netdev will not be changed by
|
||
networkd.</para>
|
||
|
||
<para>The <filename>.netdev</filename> files are read from the files located in the system
|
||
network directory <filename>/usr/lib/systemd/network</filename>, the volatile runtime network
|
||
directory <filename>/run/systemd/network</filename> and the local administration network
|
||
directory <filename>/etc/systemd/network</filename>. All configuration files are collectively
|
||
sorted and processed in lexical order, regardless of the directories in which they live.
|
||
However, files with identical filenames replace each other. Files in <filename>/etc</filename>
|
||
have the highest priority, files in <filename>/run</filename> take precedence over files with
|
||
the same name in <filename>/usr/lib</filename>. This can be used to override a system-supplied
|
||
configuration file with a local file if needed. As a special case, an empty file (file size 0)
|
||
or symlink with the same name pointing to <filename>/dev/null</filename> disables the
|
||
configuration file entirely (it is "masked").</para>
|
||
|
||
<para>Along with the netdev file <filename>foo.netdev</filename>, a "drop-in" directory
|
||
<filename>foo.netdev.d/</filename> may exist. All files with the suffix <literal>.conf</literal>
|
||
from this directory will be parsed after the file itself is parsed. This is useful to alter or
|
||
add configuration settings, without having to modify the main configuration file. Each drop-in
|
||
file must have appropriate section headers.</para>
|
||
|
||
<para>In addition to <filename>/etc/systemd/network</filename>, drop-in <literal>.d</literal>
|
||
directories can be placed in <filename>/usr/lib/systemd/network</filename> or
|
||
<filename>/run/systemd/network</filename> directories. Drop-in files in
|
||
<filename>/etc</filename> take precedence over those in <filename>/run</filename> which in turn
|
||
take precedence over those in <filename>/usr/lib</filename>. Drop-in files under any of these
|
||
directories take precedence over the main netdev file wherever located. (Of course, since
|
||
<filename>/run</filename> is temporary and <filename>/usr/lib</filename> is for vendors, it is
|
||
unlikely drop-ins should be used in either of those places.)</para>
|
||
</refsect1>
|
||
|
||
<refsect1>
|
||
<title>Supported netdev kinds</title>
|
||
|
||
<para>The following kinds of virtual network devices may be
|
||
configured in <filename>.netdev</filename> files:</para>
|
||
|
||
<table>
|
||
<title>Supported kinds of virtual network devices</title>
|
||
|
||
<tgroup cols='2'>
|
||
<colspec colname='kind' />
|
||
<colspec colname='explanation' />
|
||
<thead><row>
|
||
<entry>Kind</entry>
|
||
<entry>Description</entry>
|
||
</row></thead>
|
||
<tbody>
|
||
<row><entry><varname>bond</varname></entry>
|
||
<entry>A bond device is an aggregation of all its slave devices. See <ulink url="https://www.kernel.org/doc/Documentation/networking/bonding.txt">Linux Ethernet Bonding Driver HOWTO</ulink> for details.</entry></row>
|
||
|
||
<row><entry><varname>bridge</varname></entry>
|
||
<entry>A bridge device is a software switch, and each of its slave devices and the bridge itself are ports of the switch.</entry></row>
|
||
|
||
<row><entry><varname>dummy</varname></entry>
|
||
<entry>A dummy device drops all packets sent to it.</entry></row>
|
||
|
||
<row><entry><varname>gre</varname></entry>
|
||
<entry>A Level 3 GRE tunnel over IPv4. See <ulink url="https://tools.ietf.org/html/rfc2784">RFC 2784</ulink> for details.</entry></row>
|
||
|
||
<row><entry><varname>gretap</varname></entry>
|
||
<entry>A Level 2 GRE tunnel over IPv4.</entry></row>
|
||
|
||
<row><entry><varname>ip6gre</varname></entry>
|
||
<entry>A Level 3 GRE tunnel over IPv6.</entry></row>
|
||
|
||
<row><entry><varname>ip6tnl</varname></entry>
|
||
<entry>An IPv4 or IPv6 tunnel over IPv6.</entry></row>
|
||
|
||
<row><entry><varname>ip6gretap</varname></entry>
|
||
<entry>A Level 2 GRE tunnel over IPv6.</entry></row>
|
||
|
||
<row><entry><varname>ipip</varname></entry>
|
||
<entry>An IPv4 over IPv4 tunnel.</entry></row>
|
||
|
||
<row><entry><varname>ipvlan</varname></entry>
|
||
<entry>An ipvlan device is a stacked device which receives packets from its underlying device based on IP address filtering.</entry></row>
|
||
|
||
<row><entry><varname>macvlan</varname></entry>
|
||
<entry>A macvlan device is a stacked device which receives packets from its underlying device based on MAC address filtering.</entry></row>
|
||
|
||
<row><entry><varname>macvtap</varname></entry>
|
||
<entry>A macvtap device is a stacked device which receives packets from its underlying device based on MAC address filtering.</entry></row>
|
||
|
||
<row><entry><varname>sit</varname></entry>
|
||
<entry>An IPv6 over IPv4 tunnel.</entry></row>
|
||
|
||
<row><entry><varname>tap</varname></entry>
|
||
<entry>A persistent Level 2 tunnel between a network device and a device node.</entry></row>
|
||
|
||
<row><entry><varname>tun</varname></entry>
|
||
<entry>A persistent Level 3 tunnel between a network device and a device node.</entry></row>
|
||
|
||
<row><entry><varname>veth</varname></entry>
|
||
<entry>An Ethernet tunnel between a pair of network devices.</entry></row>
|
||
|
||
<row><entry><varname>vlan</varname></entry>
|
||
<entry>A VLAN is a stacked device which receives packets from its underlying device based on VLAN tagging. See <ulink url="http://www.ieee802.org/1/pages/802.1Q.html">IEEE 802.1Q</ulink> for details.</entry></row>
|
||
|
||
<row><entry><varname>vti</varname></entry>
|
||
<entry>An IPv4 over IPSec tunnel.</entry></row>
|
||
|
||
<row><entry><varname>vti6</varname></entry>
|
||
<entry>An IPv6 over IPSec tunnel.</entry></row>
|
||
|
||
<row><entry><varname>vxlan</varname></entry>
|
||
<entry>A virtual extensible LAN (vxlan), for connecting Cloud computing deployments.</entry></row>
|
||
|
||
<row><entry><varname>geneve</varname></entry>
|
||
<entry>A GEneric NEtwork Virtualization Encapsulation (GENEVE) netdev driver.</entry></row>
|
||
|
||
<row><entry><varname>vrf</varname></entry>
|
||
<entry>A Virtual Routing and Forwarding (<ulink url="https://www.kernel.org/doc/Documentation/networking/vrf.txt">VRF</ulink>) interface to create separate routing and forwarding domains.</entry></row>
|
||
|
||
<row><entry><varname>vcan</varname></entry>
|
||
<entry>The virtual CAN driver (vcan). Similar to the network loopback devices, vcan offers a virtual local CAN interface.</entry></row>
|
||
|
||
<row><entry><varname>vxcan</varname></entry>
|
||
<entry>The virtual CAN tunnel driver (vxcan). Similar to the virtual ethernet driver veth, vxcan implements a local CAN traffic tunnel between two virtual CAN network devices. When creating a vxcan, two vxcan devices are created as pair. When one end receives the packet it appears on its pair and vice versa. The vxcan can be used for cross namespace communication.
|
||
</entry></row>
|
||
|
||
<row><entry><varname>wireguard</varname></entry>
|
||
<entry>WireGuard Secure Network Tunnel.</entry></row>
|
||
|
||
<row><entry><varname>netdevsim</varname></entry>
|
||
<entry>A simulator. This simulated networking device is used for testing various networking APIs and at this time is particularly focused on testing hardware offloading related interfaces.</entry></row>
|
||
|
||
<row><entry><varname>fou</varname></entry>
|
||
<entry>Foo-over-UDP tunneling.</entry></row>
|
||
|
||
</tbody>
|
||
</tgroup>
|
||
</table>
|
||
|
||
</refsect1>
|
||
|
||
<refsect1>
|
||
<title>[Match] Section Options</title>
|
||
|
||
<para>A virtual network device is only created if the
|
||
<literal>[Match]</literal> section matches the current
|
||
environment, or if the section is empty. The following keys are
|
||
accepted:</para>
|
||
|
||
<variablelist class='network-directives'>
|
||
<varlistentry>
|
||
<term><varname>Host=</varname></term>
|
||
<listitem>
|
||
<para>Matches against the hostname or machine ID of the
|
||
host. See <literal>ConditionHost=</literal> in
|
||
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
||
for details.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>Virtualization=</varname></term>
|
||
<listitem>
|
||
<para>Checks whether the system is executed in a virtualized
|
||
environment and optionally tests whether it is a specific
|
||
implementation. See
|
||
<literal>ConditionVirtualization=</literal> in
|
||
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
||
for details.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>KernelCommandLine=</varname></term>
|
||
<listitem>
|
||
<para>Checks whether a specific kernel command line option
|
||
is set (or, if prefixed with an exclamation mark, unset). See
|
||
<literal>ConditionKernelCommandLine=</literal> in
|
||
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
||
for details.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>KernelVersion=</varname></term>
|
||
<listitem>
|
||
<para>Checks whether the kernel version (as reported by <command>uname -r</command>) matches a certain
|
||
expression (or, if prefixed with an exclamation mark, does not match it). See
|
||
<literal>ConditionKernelVersion=</literal> in
|
||
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> for details.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>Architecture=</varname></term>
|
||
<listitem>
|
||
<para>Checks whether the system is running on a specific
|
||
architecture. See <literal>ConditionArchitecture=</literal> in
|
||
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
||
for details.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
|
||
</refsect1>
|
||
|
||
<refsect1>
|
||
<title>[NetDev] Section Options</title>
|
||
|
||
<para>The <literal>[NetDev]</literal> section accepts the
|
||
following keys:</para>
|
||
|
||
<variablelist class='network-directives'>
|
||
<varlistentry>
|
||
<term><varname>Description=</varname></term>
|
||
<listitem>
|
||
<para>A free-form description of the netdev.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>Name=</varname></term>
|
||
<listitem>
|
||
<para>The interface name used when creating the netdev.
|
||
This option is compulsory.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>Kind=</varname></term>
|
||
<listitem>
|
||
<para>The netdev kind. This option is compulsory. See the
|
||
<literal>Supported netdev kinds</literal> section for the
|
||
valid keys.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>MTUBytes=</varname></term>
|
||
<listitem>
|
||
<para>The maximum transmission unit in bytes to set for the device. The usual suffixes K, M, G,
|
||
are supported and are understood to the base of 1024. For <literal>tun</literal> or
|
||
<literal>tap</literal> devices, the <varname>MTUBytes=</varname> setting is not currently supported in the
<literal>[NetDev]</literal> section. Please specify it in the <literal>[Link]</literal> section of the
corresponding
<citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
files.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>MACAddress=</varname></term>
|
||
<listitem>
|
||
<para>The MAC address to use for the device. If none is
|
||
given, one is generated based on the interface name and
|
||
the
|
||
<citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
|
||
For <literal>tun</literal> or <literal>tap</literal> devices, the <varname>MACAddress=</varname> setting
is not currently supported in the <literal>[NetDev]</literal> section. Please specify it in the
<literal>[Link]</literal> section of the corresponding
<citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
files.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
</refsect1>
|
||
|
||
<refsect1>
|
||
<title>[Bridge] Section Options</title>
|
||
|
||
<para>The <literal>[Bridge]</literal> section only applies for
|
||
netdevs of kind <literal>bridge</literal>, and accepts the
|
||
following keys:</para>
|
||
|
||
<variablelist class='network-directives'>
|
||
<varlistentry>
|
||
<term><varname>HelloTimeSec=</varname></term>
|
||
<listitem>
|
||
<para>HelloTimeSec specifies the number of seconds between two hello packets
|
||
sent out by the root bridge and the designated bridges. Hello packets are
|
||
used to communicate information about the topology throughout the entire
|
||
bridged local area network.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>MaxAgeSec=</varname></term>
|
||
<listitem>
|
||
<para>MaxAgeSec specifies the number of seconds of maximum message age.
|
||
If the last seen (received) hello packet is more than this number of
|
||
seconds old, the bridge in question will start the takeover procedure
|
||
in attempt to become the Root Bridge itself.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>ForwardDelaySec=</varname></term>
|
||
<listitem>
|
||
<para>ForwardDelaySec specifies the number of seconds spent in each
|
||
of the Listening and Learning states before the Forwarding state is entered.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>AgeingTimeSec=</varname></term>
|
||
<listitem>
|
||
<para>This specifies the number of seconds a MAC Address will be kept in
|
||
the forwarding database after having a packet received from this MAC Address.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>Priority=</varname></term>
|
||
<listitem>
|
||
<para>The priority of the bridge. An integer between 0 and 65535. A lower value
|
||
means higher priority. The bridge having the lowest priority will be elected as root bridge.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>GroupForwardMask=</varname></term>
|
||
<listitem>
|
||
<para>A 16-bit bitmask represented as an integer which allows forwarding of link
|
||
local frames with 802.1D reserved addresses (01:80:C2:00:00:0X). A logical AND
|
||
is performed between the specified bitmask and the exponentiation of 2^X, the
|
||
lower nibble of the last octet of the MAC address. For example, a value of 8
|
||
would allow forwarding of frames addressed to 01:80:C2:00:00:03 (802.1X PAE).</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>DefaultPVID=</varname></term>
|
||
<listitem>
|
||
<para>This specifies the default port VLAN ID of a newly attached bridge port.
|
||
Set this to an integer in the range 1–4094 or <literal>none</literal> to disable the PVID.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>MulticastQuerier=</varname></term>
|
||
<listitem>
|
||
<para>A boolean. This setting controls the IFLA_BR_MCAST_QUERIER option in the kernel.
|
||
If enabled, the kernel will send general ICMP queries from a zero source address.
|
||
This feature should allow faster convergence on startup, but it causes some
|
||
multicast-aware switches to misbehave and disrupt forwarding of multicast packets.
|
||
When unset, the kernel's default setting applies.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>MulticastSnooping=</varname></term>
|
||
<listitem>
|
||
<para>A boolean. This setting controls the IFLA_BR_MCAST_SNOOPING option in the kernel.
|
||
If enabled, IGMP snooping monitors the Internet Group Management Protocol (IGMP) traffic
|
||
between hosts and multicast routers. When unset, the kernel's default setting applies.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>VLANFiltering=</varname></term>
|
||
<listitem>
|
||
<para>A boolean. This setting controls the IFLA_BR_VLAN_FILTERING option in the kernel.
|
||
If enabled, the bridge will be started in VLAN-filtering mode. When unset, the kernel's
|
||
default setting applies.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>STP=</varname></term>
|
||
<listitem>
|
||
<para>A boolean. This enables the bridge's Spanning Tree Protocol (STP). When unset,
|
||
the kernel's default setting applies.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
</refsect1>
|
||
|
||
<refsect1>
|
||
<title>[VLAN] Section Options</title>
|
||
|
||
<para>The <literal>[VLAN]</literal> section only applies for
|
||
netdevs of kind <literal>vlan</literal>, and accepts the
|
||
following key:</para>
|
||
|
||
<variablelist class='network-directives'>
|
||
<varlistentry>
|
||
<term><varname>Id=</varname></term>
|
||
<listitem>
|
||
<para>The VLAN ID to use. An integer in the range 0–4094.
|
||
This option is compulsory.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>GVRP=</varname></term>
|
||
<listitem>
|
||
<para>The Generic VLAN Registration Protocol (GVRP) is a protocol that
|
||
allows automatic learning of VLANs on a network. A boolean. When unset,
|
||
the kernel's default setting applies.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>MVRP=</varname></term>
|
||
<listitem>
|
||
<para>Multiple VLAN Registration Protocol (MVRP), formerly known as GARP VLAN
Registration Protocol (GVRP), is a standards-based Layer 2 network protocol
for automatic configuration of VLAN information on switches. It was defined
in the 802.1ak amendment to 802.1Q-2005. A boolean. When unset, the kernel's
default setting applies.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>LooseBinding=</varname></term>
|
||
<listitem>
|
||
<para>The VLAN loose binding mode, in which only the operational state is passed
|
||
from the parent to the associated VLANs, but the VLAN device state is not changed.
|
||
A boolean. When unset, the kernel's default setting applies.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>ReorderHeader=</varname></term>
|
||
<listitem>
|
||
<para>When the VLAN reorder header is set, VLAN interfaces behave like physical interfaces.
|
||
A boolean. When unset, the kernel's default setting applies.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
</refsect1>
|
||
|
||
<refsect1>
|
||
<title>[MACVLAN] Section Options</title>
|
||
|
||
<para>The <literal>[MACVLAN]</literal> section only applies for
|
||
netdevs of kind <literal>macvlan</literal>, and accepts the
|
||
following key:</para>
|
||
|
||
<variablelist class='network-directives'>
|
||
<varlistentry>
|
||
<term><varname>Mode=</varname></term>
|
||
<listitem>
|
||
<para>The MACVLAN mode to use. The supported options are
|
||
<literal>private</literal>,
|
||
<literal>vepa</literal>,
|
||
<literal>bridge</literal>, and
|
||
<literal>passthru</literal>.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
|
||
</refsect1>
|
||
|
||
<refsect1>
|
||
<title>[MACVTAP] Section Options</title>
|
||
|
||
<para>The <literal>[MACVTAP]</literal> section applies for
|
||
netdevs of kind <literal>macvtap</literal> and accepts the
|
||
same key as <literal>[MACVLAN]</literal>.</para>
|
||
|
||
</refsect1>
|
||
|
||
<refsect1>
|
||
<title>[IPVLAN] Section Options</title>
|
||
|
||
<para>The <literal>[IPVLAN]</literal> section only applies for
|
||
netdevs of kind <literal>ipvlan</literal>, and accepts the
|
||
following key:</para>
|
||
|
||
<variablelist class='network-directives'>
|
||
<varlistentry>
|
||
<term><varname>Mode=</varname></term>
|
||
<listitem>
|
||
<para>The IPVLAN mode to use. The supported options are
|
||
<literal>L2</literal>, <literal>L3</literal> and <literal>L3S</literal>.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>Flags=</varname></term>
|
||
<listitem>
|
||
<para>The IPVLAN flags to use. The supported options are
|
||
<literal>bridge</literal>, <literal>private</literal> and <literal>vepa</literal>.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
|
||
</refsect1>
|
||
|
||
<refsect1>
|
||
<title>[VXLAN] Section Options</title>
|
||
<para>The <literal>[VXLAN]</literal> section only applies for
|
||
netdevs of kind <literal>vxlan</literal>, and accepts the
|
||
following keys:</para>
|
||
|
||
<variablelist class='network-directives'>
|
||
<varlistentry>
|
||
<term><varname>Id=</varname></term>
|
||
<listitem>
|
||
<para>The VXLAN ID to use.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>Remote=</varname></term>
|
||
<listitem>
|
||
<para>Configures destination IP address.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>Local=</varname></term>
|
||
<listitem>
|
||
<para>Configures local IP address.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>TOS=</varname></term>
|
||
<listitem>
|
||
<para>The Type Of Service byte value for a vxlan interface.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>TTL=</varname></term>
|
||
<listitem>
|
||
<para>A fixed Time To Live N on Virtual eXtensible Local
|
||
Area Network packets. N is a number in the range 1–255. 0
|
||
is a special value meaning that packets inherit the TTL
|
||
value.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>MacLearning=</varname></term>
|
||
<listitem>
|
||
<para>A boolean. When true, enables dynamic MAC learning
|
||
to discover remote MAC addresses.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>FDBAgeingSec=</varname></term>
|
||
<listitem>
|
||
<para>The lifetime of Forwarding Database entry learnt by
|
||
the kernel, in seconds.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>MaximumFDBEntries=</varname></term>
|
||
<listitem>
|
||
<para>Configures maximum number of FDB entries.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>ReduceARPProxy=</varname></term>
|
||
<listitem>
|
||
<para>A boolean. When true, the bridge-connected VXLAN tunnel
endpoint answers ARP requests from the local bridge on behalf
of remote Distributed Overlay Virtual Ethernet
<ulink url="https://en.wikipedia.org/wiki/Distributed_Overlay_Virtual_Ethernet">
(DOVE)</ulink> clients. Defaults to false.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>L2MissNotification=</varname></term>
|
||
<listitem>
|
||
<para>A boolean. When true, enables netlink LLADDR miss
|
||
notifications.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>L3MissNotification=</varname></term>
|
||
<listitem>
|
||
<para>A boolean. When true, enables netlink IP address miss
|
||
notifications.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>RouteShortCircuit=</varname></term>
|
||
<listitem>
|
||
<para>A boolean. When true, route short circuiting is turned
|
||
on.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>UDPChecksum=</varname></term>
|
||
<listitem>
|
||
<para>A boolean. When true, transmitting UDP checksums when doing VXLAN/IPv4 is turned on.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>UDP6ZeroChecksumTx=</varname></term>
|
||
<listitem>
|
||
<para>A boolean. When true, sending zero checksums in VXLAN/IPv6 is turned on.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>UDP6ZeroChecksumRx=</varname></term>
|
||
<listitem>
|
||
<para>A boolean. When true, receiving zero checksums in VXLAN/IPv6 is turned on.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>RemoteChecksumTx=</varname></term>
|
||
<listitem>
|
||
<para>A boolean. When true, remote transmit checksum offload of VXLAN is turned on.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>RemoteChecksumRx=</varname></term>
|
||
<listitem>
|
||
<para>A boolean. When true, remote receive checksum offload in VXLAN is turned on.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>GroupPolicyExtension=</varname></term>
|
||
<listitem>
|
||
<para>A boolean. When true, enables the Group Policy VXLAN extension security-label mechanism
across network peers based on VXLAN. For details about the Group Policy VXLAN, see the
<ulink url="https://tools.ietf.org/html/draft-smith-vxlan-group-policy">
VXLAN Group Policy</ulink> document. Defaults to false.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>DestinationPort=</varname></term>
|
||
<listitem>
|
||
<para>Configures the default destination UDP port on a per-device basis.
If the destination port is not specified, the Linux kernel default will be used.
Set the destination port to 4789 to get the IANA-assigned value. If not set or if the
destination port is assigned the empty string, the default port of 4789 is used.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>PortRange=</varname></term>
|
||
<listitem>
|
||
<para>Configures the VXLAN port range. VXLAN derives the source
UDP port from the flow, to help the receiver load balance
based on the outer header flow. It
restricts the port range to the normal UDP local
ports, and allows overriding via configuration.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>FlowLabel=</varname></term>
|
||
<listitem>
|
||
<para>Specifies the flow label to use in outgoing packets.
|
||
The valid range is 0-1048575.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
</refsect1>
|
||
<refsect1>
|
||
<title>[GENEVE] Section Options</title>
|
||
<para>The <literal>[GENEVE]</literal> section only applies for
|
||
netdevs of kind <literal>geneve</literal>, and accepts the
|
||
following keys:</para>
|
||
|
||
<variablelist class='network-directives'>
|
||
<varlistentry>
|
||
<term><varname>Id=</varname></term>
|
||
<listitem>
|
||
<para>Specifies the Virtual Network Identifier (VNI) to use. Ranges [0-16777215].</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>Remote=</varname></term>
|
||
<listitem>
|
||
<para>Specifies the unicast destination IP address to use in outgoing packets.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>TOS=</varname></term>
|
||
<listitem>
|
||
<para>Specifies the TOS value to use in outgoing packets. Ranges [1-255].</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>TTL=</varname></term>
|
||
<listitem>
|
||
<para>Specifies the TTL value to use in outgoing packets. Ranges [1-255].</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>UDPChecksum=</varname></term>
|
||
<listitem>
|
||
<para>A boolean. When true, specifies if UDP checksum is calculated for transmitted packets over IPv4.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>UDP6ZeroChecksumTx=</varname></term>
|
||
<listitem>
|
||
<para>A boolean. When true, skip UDP checksum calculation for transmitted packets over IPv6.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>UDP6ZeroChecksumRx=</varname></term>
|
||
<listitem>
|
||
<para>A boolean. When true, allows incoming UDP packets over IPv6 with zero checksum field.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>DestinationPort=</varname></term>
|
||
<listitem>
|
||
<para>Specifies destination port. Defaults to 6081. If not set or assigned the empty string, the default
|
||
port of 6081 is used.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>FlowLabel=</varname></term>
|
||
<listitem>
|
||
<para>Specifies the flow label to use in outgoing packets.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
</refsect1>
|
||
<refsect1>
|
||
<title>[Tunnel] Section Options</title>
|
||
|
||
<para>The <literal>[Tunnel]</literal> section only applies for
|
||
netdevs of kind
|
||
<literal>ipip</literal>,
|
||
<literal>sit</literal>,
|
||
<literal>gre</literal>,
|
||
<literal>gretap</literal>,
|
||
<literal>ip6gre</literal>,
|
||
<literal>ip6gretap</literal>,
|
||
<literal>vti</literal>,
|
||
<literal>vti6</literal>, and
|
||
<literal>ip6tnl</literal> and accepts
|
||
the following keys:</para>
|
||
|
||
<variablelist class='network-directives'>
|
||
<varlistentry>
|
||
<term><varname>Local=</varname></term>
|
||
<listitem>
|
||
<para>A static local address for tunneled packets. It must
|
||
be an address on another interface of this host.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>Remote=</varname></term>
|
||
<listitem>
|
||
<para>The remote endpoint of the tunnel.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>TOS=</varname></term>
|
||
<listitem>
|
||
<para>The Type Of Service byte value for a tunnel interface.
|
||
For details about the TOS, see the
<ulink url="http://tools.ietf.org/html/rfc1349">Type of
Service in the Internet Protocol Suite</ulink> document.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>TTL=</varname></term>
|
||
<listitem>
|
||
<para>A fixed Time To Live N on tunneled packets. N is a
|
||
number in the range 1–255. 0 is a special value meaning that
|
||
packets inherit the TTL value. The default value for IPv4
|
||
tunnels is: inherit. The default value for IPv6 tunnels is
|
||
64.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>DiscoverPathMTU=</varname></term>
|
||
<listitem>
|
||
<para>A boolean. When true, enables Path MTU Discovery on
|
||
the tunnel.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>IPv6FlowLabel=</varname></term>
|
||
<listitem>
|
||
<para>Configures the 20-bit flow label (see <ulink url="https://tools.ietf.org/html/rfc6437">
|
||
RFC 6437</ulink>) field in the IPv6 header (see <ulink url="https://tools.ietf.org/html/rfc2460">
|
||
RFC 2460</ulink>), which is used by a node to label packets of a flow.
|
||
It is only used for IPv6 tunnels.
|
||
A flow label of zero is used to indicate packets that have
|
||
not been labeled.
|
||
It can be configured to a value in the range 0–0xFFFFF, or be
|
||
set to <literal>inherit</literal>, in which case the original flowlabel is used.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>CopyDSCP=</varname></term>
|
||
<listitem>
|
||
<para>A boolean. When true, the Differentiated Service Code
|
||
Point (DSCP) field will be copied to the inner header from
|
||
outer header during the decapsulation of an IPv6 tunnel
|
||
packet. DSCP is a field in an IP packet that enables different
|
||
levels of service to be assigned to network traffic.
|
||
Defaults to <literal>no</literal>.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>EncapsulationLimit=</varname></term>
|
||
<listitem>
|
||
<para>The Tunnel Encapsulation Limit option specifies how many additional
|
||
levels of encapsulation are permitted to be prepended to the packet.
|
||
For example, a Tunnel Encapsulation Limit option containing a limit
|
||
value of zero means that a packet carrying that option may not enter
|
||
another tunnel before exiting the current tunnel.
|
||
(see <ulink url="https://tools.ietf.org/html/rfc2473#section-4.1.1"> RFC 2473</ulink>).
|
||
The valid range is 0–255 and <literal>none</literal>. Defaults to 4.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>Key=</varname></term>
|
||
<listitem>
|
||
<para>The <varname>Key=</varname> parameter specifies the same key to use in
both directions (<varname>InputKey=</varname> and <varname>OutputKey=</varname>).
The <varname>Key=</varname> is either a number or an IPv4 address-like dotted quad.
Note that, despite its name, this value is not a cryptographic secret: it is a 32-bit
mark that is matched against mark-configured SAD/SPD entries, i.e. it forms part of the
lookup key (both in the data and control path) in ip xfrm (the framework used to
implement the IPsec protocol). It does not by itself provide any encryption or
authentication; those come from the xfrm state and policy that carry the matching mark.
See <ulink url="http://man7.org/linux/man-pages/man8/ip-xfrm.8.html">
ip-xfrm — transform configuration</ulink> for details. It is only used for VTI/VTI6
tunnels.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>InputKey=</varname></term>
|
||
<listitem>
|
||
<para>The <varname>InputKey=</varname> parameter specifies the key to use for input.
|
||
The format is same as <varname>Key=</varname>. It is only used for VTI/VTI6 tunnels.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>OutputKey=</varname></term>
|
||
<listitem>
|
||
<para>The <varname>OutputKey=</varname> parameter specifies the key to use for output.
|
||
The format is same as <varname>Key=</varname>. It is only used for VTI/VTI6 tunnels.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>Mode=</varname></term>
|
||
<listitem>
|
||
<para>An <literal>ip6tnl</literal> tunnel can be in one of three
|
||
modes
|
||
<literal>ip6ip6</literal> for IPv6 over IPv6,
|
||
<literal>ipip6</literal> for IPv4 over IPv6 or
|
||
<literal>any</literal> for either.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>Independent=</varname></term>
|
||
<listitem>
|
||
<para>A boolean. When true, the tunnel does not require a .network file and is created as
<literal>tunnel@NONE</literal>, i.e. without being bound to an underlying interface.
Defaults to <literal>false</literal>.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>AllowLocalRemote=</varname></term>
|
||
<listitem>
|
||
<para>A boolean. When true, allows tunnel traffic on <literal>ip6tnl</literal> devices where the remote endpoint is a local host address.
Defaults to unset, in which case the kernel default applies.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>FooOverUDP=</varname></term>
|
||
<listitem>
|
||
<para>A boolean. Specifies whether the tunnel is to be encapsulated in Foo-over-UDP (see the
<varname>FOUDestinationPort=</varname> and <varname>FOUSourcePort=</varname> settings below).
Defaults to false. For more detailed information, see
<ulink url="https://lwn.net/Articles/614348">Foo over UDP</ulink>.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>FOUDestinationPort=</varname></term>
|
||
<listitem>
|
||
<para>The <varname>FOUDestinationPort=</varname> specifies the UDP destination port for encapsulation.
|
||
This field is mandatory and is not set by default.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>FOUSourcePort=</varname></term>
|
||
<listitem>
|
||
<para>The <varname>FOUSourcePort=</varname> setting specifies the UDP source port for encapsulation. Defaults to <literal>0</literal>,
that is, the source port for packets is left to the network stack to decide.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>Encapsulation=</varname></term>
|
||
<listitem>
|
||
<para>Accepts the same values as the <varname>Encapsulation=</varname> setting of the <literal>[FooOverUDP]</literal> section.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>IPv6RapidDeploymentPrefix=</varname></term>
|
||
<listitem>
|
||
<para>Reconfigure the tunnel for <ulink url="https://tools.ietf.org/html/rfc5569">IPv6 Rapid
|
||
Deployment</ulink>, also known as 6rd. The value is an ISP-specific IPv6 prefix with a non-zero length. Only
|
||
applicable to SIT tunnels.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
</refsect1>
|
||
|
||
<refsect1>
|
||
<title>[FooOverUDP] Section Options</title>
|
||
|
||
<para>The <literal>[FooOverUDP]</literal> section only applies for
|
||
netdevs of kind <literal>fou</literal> and accepts the
|
||
following keys:</para>
|
||
|
||
<variablelist class='network-directives'>
|
||
<varlistentry>
|
||
<term><varname>Protocol=</varname></term>
|
||
<listitem>
|
||
<para>The <varname>Protocol=</varname> specifies the protocol number of the
|
||
packets arriving at the UDP port. This field is mandatory and is not set by default. Valid range is 1-255.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>Encapsulation=</varname></term>
|
||
<listitem>
|
||
<para>Specifies the encapsulation mechanism used to store networking packets of various protocols inside the UDP packets. Supports the following values:
|
||
|
||
<literal>FooOverUDP</literal> provides the simplest no frills model of UDP encapsulation, it simply encapsulates
|
||
packets directly in the UDP payload.
|
||
<literal>GenericUDPEncapsulation</literal> is a generic and extensible encapsulation, it allows encapsulation of packets for any IP
|
||
protocol and optional data as part of the encapsulation.
|
||
For more detailed information see <ulink url="https://lwn.net/Articles/615044">Generic UDP Encapsulation</ulink>.
|
||
Defaults to <literal>FooOverUDP</literal>.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>Port=</varname></term>
|
||
<listitem>
|
||
<para>Specifies the UDP port number on which the encapsulated IP packets will arrive. Packets received
on this port have their encapsulation removed and are then fed back into the network stack for delivery
to their real destination. Note that the decapsulated packets are handled as if they had been received
directly, so this port should not be exposed to untrusted networks without appropriate filtering.
This option is mandatory.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
</refsect1>
|
||
<refsect1>
|
||
<title>[Peer] Section Options</title>
|
||
|
||
<para>The <literal>[Peer]</literal> section only applies for
|
||
netdevs of kind <literal>veth</literal> and accepts the
|
||
following keys:</para>
|
||
|
||
<variablelist class='network-directives'>
|
||
<varlistentry>
|
||
<term><varname>Name=</varname></term>
|
||
<listitem>
|
||
<para>The interface name used when creating the netdev.
|
||
This option is compulsory.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>MACAddress=</varname></term>
|
||
<listitem>
|
||
<para>The peer MACAddress, if not set, it is generated in
|
||
the same way as the MAC address of the main
|
||
interface.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
</refsect1>
|
||
<refsect1>
|
||
<title>[VXCAN] Section Options</title>
|
||
<para>The <literal>[VXCAN]</literal> section only applies for
|
||
netdevs of kind <literal>vxcan</literal> and accepts the
|
||
following key:</para>
|
||
|
||
<variablelist class='network-directives'>
|
||
<varlistentry>
|
||
<term><varname>Peer=</varname></term>
|
||
<listitem>
|
||
<para>The peer interface name used when creating the netdev.
|
||
This option is compulsory.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
</refsect1>
|
||
<refsect1>
|
||
<title>[Tun] Section Options</title>
|
||
|
||
<para>The <literal>[Tun]</literal> section only applies for
|
||
netdevs of kind <literal>tun</literal>, and accepts the following
|
||
keys:</para>
|
||
|
||
<variablelist class='network-directives'>
|
||
<varlistentry>
|
||
<term><varname>OneQueue=</varname></term>
|
||
<listitem><para>Takes a boolean argument. Configures whether
|
||
all packets are queued at the device (enabled), or a fixed
|
||
number of packets are queued at the device and the rest at the
|
||
<literal>qdisc</literal>. Defaults to
|
||
<literal>no</literal>.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>MultiQueue=</varname></term>
|
||
<listitem><para>Takes a boolean argument. Configures whether
|
||
to use multiple file descriptors (queues) to parallelize
|
||
packets sending and receiving. Defaults to
|
||
<literal>no</literal>.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>PacketInfo=</varname></term>
|
||
<listitem><para>Takes a boolean argument. Configures whether
|
||
packets should be prepended with four extra bytes (two flag
|
||
bytes and two protocol bytes). If disabled, it indicates that
|
||
the packets will be pure IP packets. Defaults to
|
||
<literal>no</literal>.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>VNetHeader=</varname></term>
|
||
<listitem><para>Takes a boolean argument. Configures
|
||
IFF_VNET_HDR flag for a tap device. It allows sending
|
||
and receiving larger Generic Segmentation Offload (GSO)
|
||
packets. This may increase throughput significantly.
|
||
Defaults to
|
||
<literal>no</literal>.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>User=</varname></term>
|
||
<listitem><para>User to grant access to the
<filename>/dev/net/tun</filename> device for this interface. Any process running
as this user can then attach to the device and read packets from it or inject
packets into it, so choose a dedicated, unprivileged account.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>Group=</varname></term>
|
||
<listitem><para>Group to grant access to the
<filename>/dev/net/tun</filename> device for this interface. Any process running
with this group can then attach to the device and read packets from it or inject
packets into it.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
</variablelist>
|
||
|
||
</refsect1>
|
||
|
||
<refsect1>
|
||
<title>[Tap] Section Options</title>
|
||
|
||
<para>The <literal>[Tap]</literal> section only applies for
|
||
netdevs of kind <literal>tap</literal>, and accepts the same keys
|
||
as the <literal>[Tun]</literal> section.</para>
|
||
</refsect1>
|
||
|
||
<refsect1>
|
||
<title>[WireGuard] Section Options</title>
|
||
|
||
<para>The <literal>[WireGuard]</literal> section only applies for netdevs of kind
<literal>wireguard</literal> and accepts the following keys:</para>
|
||
|
||
<variablelist class='network-directives'>
|
||
<varlistentry>
|
||
<term><varname>PrivateKey=</varname></term>
|
||
<listitem>
|
||
<para>The Base64 encoded private key for the interface. It can be
generated using the <command>wg genkey</command> command
(see <citerefentry project="wireguard"><refentrytitle>wg</refentrytitle><manvolnum>8</manvolnum></citerefentry>).
This option is mandatory to use WireGuard.
Note that because this information is secret and is stored in the .netdev file in
plain text, the file should be readable only by root and the systemd-networkd service
account: make it owned by <literal>root:systemd-network</literal> with a
<literal>0640</literal> file mode. Anyone able to read the file can impersonate this
interface towards its peers.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>ListenPort=</varname></term>
|
||
<listitem>
|
||
<para>Sets UDP port for listening. Takes either value between 1 and 65535
|
||
or <literal>auto</literal>. If <literal>auto</literal> is specified,
|
||
the port is automatically generated based on interface name.
|
||
Defaults to <literal>auto</literal>.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>FwMark=</varname></term>
|
||
<listitem>
|
||
<para>Sets a firewall mark on outgoing WireGuard packets from this interface.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
</refsect1>
|
||
|
||
<refsect1>
|
||
<title>[WireGuardPeer] Section Options</title>
|
||
|
||
<para>The <literal>[WireGuardPeer]</literal> section only applies for netdevs of kind
<literal>wireguard</literal> and accepts the following keys:</para>
|
||
|
||
<variablelist class='network-directives'>
|
||
<varlistentry>
|
||
<term><varname>PublicKey=</varname></term>
|
||
<listitem>
|
||
<para>Sets a Base64 encoded public key calculated by <command>wg pubkey</command>
|
||
(see <citerefentry project="wireguard"><refentrytitle>wg</refentrytitle><manvolnum>8</manvolnum></citerefentry>)
|
||
from a private key, and usually transmitted out of band to the
|
||
author of the configuration file. This option is mandatory for this
|
||
section.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>PresharedKey=</varname></term>
|
||
<listitem>
|
||
<para>Optional preshared key for this peer. It can be generated
by the <command>wg genpsk</command> command. This option adds an
additional layer of symmetric-key cryptography to be mixed into the
already existing public-key cryptography, as a hedge against future
attacks on the public-key exchange (post-quantum resistance).
Note that because this information is secret, the .netdev file should be
readable only by root and the systemd-networkd service account: make it owned by
<literal>root:systemd-network</literal> with a <literal>0640</literal> file mode.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>AllowedIPs=</varname></term>
|
||
<listitem>
|
||
<para>Sets a comma-separated list of IP (v4 or v6) addresses with CIDR masks
from which this peer is allowed to send incoming traffic and to
which outgoing traffic for this peer is directed. Packets received from the
peer whose source address is outside this list are dropped. The catch-all
0.0.0.0/0 may be specified for matching all IPv4 addresses, and
::/0 may be specified for matching all IPv6 addresses. Note that a catch-all
makes this peer the destination for all traffic sent through the interface and
accepts packets with any source address from it, so it is appropriate only for a
peer trusted to that extent, such as a VPN gateway.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>Endpoint=</varname></term>
|
||
<listitem>
|
||
<para>Sets an endpoint IP address or hostname, followed by a colon, and then
a port number. A hostname is resolved once, when the interface is configured.
Afterwards the endpoint is updated automatically to the most recent source IP
address and port of correctly authenticated packets from the peer, so a peer
whose address changes is followed without further configuration.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term><varname>PersistentKeepalive=</varname></term>
|
||
<listitem>
|
||
<para>Sets a seconds interval, between 1 and 65535 inclusive, of how often
|
||
to send an authenticated empty packet to the peer for the purpose
|
||
of keeping a stateful firewall or NAT mapping valid persistently.
|
||
For example, if the interface very rarely sends traffic, but it
|
||
might at anytime receive traffic from a peer, and it is behind NAT,
|
||
the interface might benefit from having a persistent keepalive
|
||
interval of 25 seconds. If set to 0 or "off", this option is
|
||
disabled. By default or when unspecified, this option is off.
|
||
Most users will not need this.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
</refsect1>
|
||
|
||
<refsect1>
|
||
<title>[Bond] Section Options</title>
|
||
|
||
<para>The <literal>[Bond]</literal> section only applies for netdevs of kind
<literal>bond</literal> and accepts the following keys:</para>
|
||
|
||
<variablelist class='network-directives'>
|
||
<varlistentry>
|
||
<term><varname>Mode=</varname></term>
|
||
<listitem>
|
||
<para>Specifies one of the bonding policies. The default is
|
||
<literal>balance-rr</literal> (round robin). Possible values are
|
||
<literal>balance-rr</literal>,
|
||
<literal>active-backup</literal>,
|
||
<literal>balance-xor</literal>,
|
||
<literal>broadcast</literal>,
|
||
<literal>802.3ad</literal>,
|
||
<literal>balance-tlb</literal>, and
|
||
<literal>balance-alb</literal>.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><varname>TransmitHashPolicy=</varname></term>
|
||
<listitem>
|
||
<para>Selects the transmit hash policy to use for slave
|
||
selection in balance-xor, 802.3ad, and tlb modes. Possible
|
||
values are
|
||
<literal>layer2</literal>,
|
||
<literal>layer3+4</literal>,
|
||
<literal>layer2+3</literal>,
|
||
<literal>encap2+3</literal>, and
|
||
<literal>encap3+4</literal>.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><varname>LACPTransmitRate=</varname></term>
|
||
<listitem>
|
||
<para>Specifies the rate with which link partner transmits
|
||
Link Aggregation Control Protocol Data Unit packets in
|
||
802.3ad mode. Possible values are <literal>slow</literal>,
|
||
which requests partner to transmit LACPDUs every 30 seconds,
|
||
and <literal>fast</literal>, which requests partner to
|
||
transmit LACPDUs every second. The default value is
|
||
<literal>slow</literal>.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><varname>MIIMonitorSec=</varname></term>
|
||
<listitem>
|
||
<para>Specifies the frequency that Media Independent
|
||
Interface link monitoring will occur. A value of zero
|
||
disables MII link monitoring. This value is rounded down to
|
||
the nearest millisecond. The default value is 0.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><varname>UpDelaySec=</varname></term>
|
||
<listitem>
|
||
<para>Specifies the delay before a link is enabled after a
|
||
link up status has been detected. This value is rounded down
|
||
to a multiple of MIIMonitorSec. The default value is
|
||
0.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><varname>DownDelaySec=</varname></term>
|
||
<listitem>
|
||
<para>Specifies the delay before a link is disabled after a
|
||
link down status has been detected. This value is rounded
|
||
down to a multiple of MIIMonitorSec. The default value is
|
||
0.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><varname>LearnPacketIntervalSec=</varname></term>
|
||
<listitem>
|
||
<para>Specifies the number of seconds between instances where the bonding
|
||
driver sends learning packets to each slave peer switch.
|
||
The valid range is 1–0x7fffffff; the default value is 1. This option
|
||
has an effect only for the balance-tlb and balance-alb modes.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><varname>AdSelect=</varname></term>
|
||
<listitem>
|
||
<para>Specifies the 802.3ad aggregation selection logic to use. Possible values are
|
||
<literal>stable</literal>,
|
||
<literal>bandwidth</literal> and
|
||
<literal>count</literal>.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><varname>AdActorSystemPriority=</varname></term>
|
||
<listitem>
|
||
<para>Specifies the 802.3ad actor system priority. Ranges [1-65535].</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><varname>AdUserPortKey=</varname></term>
|
||
<listitem>
|
||
<para>Specifies the 802.3ad user defined portion of the port key. Ranges [0-1023].</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><varname>AdActorSystem=</varname></term>
|
||
<listitem>
|
||
<para>Specifies the 802.3ad system mac address. This can not be either NULL or Multicast.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><varname>FailOverMACPolicy=</varname></term>
|
||
<listitem>
|
||
<para>Specifies whether the active-backup mode should set all slaves to
|
||
the same MAC address at the time of enslavement or, when enabled, to perform special handling of the
|
||
bond's MAC address in accordance with the selected policy. The default policy is none.
|
||
Possible values are
|
||
<literal>none</literal>,
|
||
<literal>active</literal> and
|
||
<literal>follow</literal>.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><varname>ARPValidate=</varname></term>
|
||
<listitem>
|
||
<para>Specifies whether or not ARP probes and replies should be
|
||
validated in any mode that supports ARP monitoring, or whether
|
||
non-ARP traffic should be filtered (disregarded) for link
|
||
monitoring purposes. Possible values are
|
||
<literal>none</literal>,
|
||
<literal>active</literal>,
|
||
<literal>backup</literal> and
|
||
<literal>all</literal>.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><varname>ARPIntervalSec=</varname></term>
|
||
<listitem>
|
||
<para>Specifies the ARP link monitoring frequency in milliseconds.
|
||
A value of 0 disables ARP monitoring. The default value is 0.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><varname>ARPIPTargets=</varname></term>
|
||
<listitem>
|
||
<para>Specifies the IP addresses to use as ARP monitoring peers when
|
||
ARPIntervalSec is greater than 0. These are the targets of the ARP request
|
||
sent to determine the health of the link to the targets.
|
||
Specify these values in IPv4 dotted decimal format. At least one IP
|
||
address must be given for ARP monitoring to function. The
|
||
maximum number of targets that can be specified is 16. The
|
||
default value is no IP addresses.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><varname>ARPAllTargets=</varname></term>
|
||
<listitem>
|
||
<para>Specifies the quantity of ARPIPTargets that must be reachable
|
||
in order for the ARP monitor to consider a slave as being up.
|
||
This option affects only active-backup mode for slaves with
|
||
ARPValidate enabled. Possible values are
|
||
<literal>any</literal> and
|
||
<literal>all</literal>.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><varname>PrimaryReselectPolicy=</varname></term>
|
||
<listitem>
|
||
<para>Specifies the reselection policy for the primary slave. This
|
||
affects how the primary slave is chosen to become the active slave
|
||
when failure of the active slave or recovery of the primary slave
|
||
occurs. This option is designed to prevent flip-flopping between
|
||
the primary slave and other slaves. Possible values are
|
||
<literal>always</literal>,
|
||
<literal>better</literal> and
|
||
<literal>failure</literal>.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><varname>ResendIGMP=</varname></term>
|
||
<listitem>
|
||
<para>Specifies the number of IGMP membership reports to be issued after
|
||
a failover event. One membership report is issued immediately after
|
||
the failover, subsequent packets are sent in each 200ms interval.
|
||
The valid range is 0–255. Defaults to 1. A value of 0
|
||
prevents the IGMP membership report from being issued in response
|
||
to the failover event.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><varname>PacketsPerSlave=</varname></term>
|
||
<listitem>
|
||
<para>Specify the number of packets to transmit through a slave before
|
||
moving to the next one. When set to 0, then a slave is chosen at
|
||
random. The valid range is 0–65535. Defaults to 1. This option
|
||
only has effect when in balance-rr mode.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><varname>GratuitousARP=</varname></term>
|
||
<listitem>
|
||
<para>Specify the number of peer notifications (gratuitous ARPs and
|
||
unsolicited IPv6 Neighbor Advertisements) to be issued after a
|
||
failover event. As soon as the link is up on the new slave,
|
||
a peer notification is sent on the bonding device and each
|
||
VLAN sub-device. This is repeated at each link monitor interval
|
||
(ARPIntervalSec or MIIMonitorSec, whichever is active) if the number is
|
||
greater than 1. The valid range is 0–255. The default value is 1.
|
||
These options affect only the active-backup mode.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><varname>AllSlavesActive=</varname></term>
|
||
<listitem>
|
||
<para>A boolean. Specifies that duplicate frames (received on inactive ports)
|
||
should be dropped when false, or delivered when true. Normally, bonding will drop
|
||
duplicate frames (received on inactive ports), which is desirable for
|
||
most users. But there are some times it is nice to allow duplicate
|
||
frames to be delivered. The default value is false (drop duplicate frames
|
||
received on inactive ports).
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><varname>MinLinks=</varname></term>
|
||
<listitem>
|
||
<para>Specifies the minimum number of links that must be active before
|
||
asserting carrier. The default value is 0.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
|
||
<para>For more detailed information, see
<ulink url="https://www.kernel.org/doc/Documentation/networking/bonding.txt">
Linux Ethernet Bonding Driver HOWTO</ulink>.</para>
|
||
|
||
</refsect1>
|
||
|
||
<refsect1>
|
||
<title>Examples</title>
|
||
<example>
|
||
<title>/etc/systemd/network/25-bridge.netdev</title>
|
||
|
||
<programlisting>[NetDev]
|
||
Name=bridge0
|
||
Kind=bridge</programlisting>
|
||
</example>
|
||
|
||
<example>
|
||
<title>/etc/systemd/network/25-vlan1.netdev</title>
|
||
|
||
<programlisting>[Match]
|
||
Virtualization=no
|
||
|
||
[NetDev]
|
||
Name=vlan1
|
||
Kind=vlan
|
||
|
||
[VLAN]
|
||
Id=1</programlisting>
|
||
</example>
|
||
<example>
|
||
<title>/etc/systemd/network/25-ipip.netdev</title>
|
||
<programlisting>[NetDev]
|
||
Name=ipip-tun
|
||
Kind=ipip
|
||
MTUBytes=1480
|
||
|
||
[Tunnel]
|
||
Local=192.168.223.238
|
||
Remote=192.169.224.239
|
||
TTL=64</programlisting>
|
||
</example>
|
||
<example>
|
||
<title>/etc/systemd/network/1-fou-tunnel.netdev</title>
|
||
<programlisting>[NetDev]
|
||
Name=fou-tun
|
||
Kind=fou
|
||
|
||
[FooOverUDP]
|
||
Port=5555
|
||
Protocol=4
|
||
</programlisting>
|
||
</example>
|
||
<example>
|
||
<title>/etc/systemd/network/25-fou-ipip.netdev</title>
|
||
<programlisting>[NetDev]
|
||
Name=ipip-tun
|
||
Kind=ipip
|
||
|
||
[Tunnel]
|
||
Independent=yes
|
||
Local=10.65.208.212
|
||
Remote=10.65.208.211
|
||
FooOverUDP=yes
|
||
FOUDestinationPort=5555
|
||
</programlisting>
|
||
</example>
|
||
<example>
|
||
<title>/etc/systemd/network/25-tap.netdev</title>
|
||
<programlisting>[NetDev]
|
||
Name=tap-test
|
||
Kind=tap
|
||
|
||
[Tap]
|
||
MultiQueue=yes
|
||
PacketInfo=yes</programlisting> </example>
|
||
|
||
<example>
|
||
<title>/etc/systemd/network/25-sit.netdev</title>
|
||
<programlisting>[NetDev]
|
||
Name=sit-tun
|
||
Kind=sit
|
||
MTUBytes=1480
|
||
|
||
[Tunnel]
|
||
Local=10.65.223.238
|
||
Remote=10.65.223.239</programlisting>
|
||
</example>
|
||
|
||
<example>
|
||
<title>/etc/systemd/network/25-6rd.netdev</title>
|
||
<programlisting>[NetDev]
|
||
Name=6rd-tun
|
||
Kind=sit
|
||
MTUBytes=1480
|
||
|
||
[Tunnel]
|
||
Local=10.65.223.238
|
||
IPv6RapidDeploymentPrefix=2602::/24</programlisting>
|
||
</example>
|
||
|
||
<example>
|
||
<title>/etc/systemd/network/25-gre.netdev</title>
|
||
<programlisting>[NetDev]
|
||
Name=gre-tun
|
||
Kind=gre
|
||
MTUBytes=1480
|
||
|
||
[Tunnel]
|
||
Local=10.65.223.238
|
||
Remote=10.65.223.239</programlisting>
|
||
</example>
|
||
|
||
<example>
|
||
<title>/etc/systemd/network/25-vti.netdev</title>
|
||
|
||
<programlisting>[NetDev]
|
||
Name=vti-tun
|
||
Kind=vti
|
||
MTUBytes=1480
|
||
|
||
[Tunnel]
|
||
Local=10.65.223.238
|
||
Remote=10.65.223.239</programlisting>
|
||
</example>
|
||
|
||
<example>
|
||
<title>/etc/systemd/network/25-veth.netdev</title>
|
||
<programlisting>[NetDev]
|
||
Name=veth-test
|
||
Kind=veth
|
||
|
||
[Peer]
|
||
Name=veth-peer</programlisting>
|
||
</example>
|
||
|
||
<example>
|
||
<title>/etc/systemd/network/25-bond.netdev</title>
|
||
<programlisting>[NetDev]
|
||
Name=bond1
|
||
Kind=bond
|
||
|
||
[Bond]
|
||
Mode=802.3ad
|
||
TransmitHashPolicy=layer3+4
|
||
MIIMonitorSec=1s
|
||
LACPTransmitRate=fast
|
||
</programlisting>
|
||
</example>
|
||
|
||
<example>
|
||
<title>/etc/systemd/network/25-dummy.netdev</title>
|
||
<programlisting>[NetDev]
|
||
Name=dummy-test
|
||
Kind=dummy
|
||
MACAddress=12:34:56:78:9a:bc</programlisting>
|
||
</example>
|
||
<example>
|
||
<title>/etc/systemd/network/25-vrf.netdev</title>
|
||
<para>Create a VRF interface with table 42.</para>
|
||
<programlisting>[NetDev]
|
||
Name=vrf-test
|
||
Kind=vrf
|
||
|
||
[VRF]
|
||
Table=42</programlisting>
|
||
</example>
|
||
|
||
<example>
|
||
<title>/etc/systemd/network/25-macvtap.netdev</title>
|
||
<para>Create a MacVTap device.</para>
|
||
<programlisting>[NetDev]
|
||
Name=macvtap-test
|
||
Kind=macvtap
|
||
</programlisting>
|
||
</example>
|
||
<example>
|
||
<title>/etc/systemd/network/25-wireguard.netdev</title>
|
||
<programlisting>[NetDev]
|
||
Name=wg0
|
||
Kind=wireguard
|
||
|
||
[WireGuard]
|
||
PrivateKey=EEGlnEPYJV//kbvvIqxKkQwOiS+UENyPncC4bF46ong=
|
||
ListenPort=51820
|
||
|
||
[WireGuardPeer]
|
||
PublicKey=RDf+LSpeEre7YEIKaxg+wbpsNV7du+ktR99uBEtIiCA=
|
||
AllowedIPs=fd31:bf08:57cb::/48,192.168.26.0/24
|
||
Endpoint=wireguard.example.com:51820</programlisting>
|
||
</example>
|
||
</refsect1>
|
||
<refsect1>
|
||
<title>See Also</title>
|
||
<para>
|
||
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
||
<citerefentry><refentrytitle>systemd-networkd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
|
||
<citerefentry><refentrytitle>systemd.link</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
|
||
<citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
||
</para>
|
||
</refsect1>
|
||
|
||
</refentry>
|