Merge branch 'master' into net-next

[mirror_iproute2.git] / man / man8 / ip-link.8.in

.TH IP\-LINK 8 "13 Dec 2012" "iproute2" "Linux"
.SH "NAME"
ip-link \- network device configuration
.SH "SYNOPSIS"
.sp
.ad l
.in +8
.ti -8
.B ip link
.RI  " { " COMMAND " | "
.BR help " }"
.sp

.ti -8
.BI "ip link add"
.RB "[ " link
.IR DEVICE " ]"
.RB "[ " name " ]"
.I NAME
.br
.RB "[ " txqueuelen
.IR PACKETS " ]"
.br
.RB "[ " address
.IR LLADDR " ]"
.RB "[ " broadcast
.IR LLADDR " ]"
.br
.RB "[ " mtu
.IR MTU " ]"
.RB "[ " index
.IR IDX " ]"
.br
.RB "[ " numtxqueues
.IR QUEUE_COUNT " ]"
.RB "[ " numrxqueues
.IR QUEUE_COUNT " ]"
.br
.BI type " TYPE"
.RI "[ " ARGS " ]"

.ti -8
.BR "ip link delete " {
.IR DEVICE " | "
.BI "group " GROUP
}
.BI type " TYPE"
.RI "[ " ARGS " ]"

.ti -8
.BR "ip link set " {
.IR DEVICE " | "
.BI "group " GROUP
}
.br
.RB "[ { " up " | " down " } ]"
.br
.RB "[ " type
.IR "ETYPE TYPE_ARGS" " ]"
.br
.RB "[ " arp " { " on " | " off " } ]"
.br
.RB "[ " dynamic " { " on " | " off " } ]"
.br
.RB "[ " multicast " { " on " | " off " } ]"
.br
.RB "[ " allmulticast " { " on " | " off " } ]"
.br
.RB "[ " promisc " { " on " | " off " } ]"
.br
.RB "[ " protodown " { " on " | " off " } ]"
.br
.RB "[ " trailers " { " on " | " off " } ]"
.br
.RB "[ " txqueuelen
.IR PACKETS " ]"
.br
.RB "[ " name
.IR NEWNAME " ]"
.br
.RB "[ " address
.IR LLADDR " ]"
.br
.RB "[ " broadcast
.IR LLADDR " ]"
.br
.RB "[ " mtu
.IR MTU " ]"
.br
.RB "[ " netns " {"
.IR PID " | " NETNSNAME " } ]"
.br
.RB "[ " link-netnsid
.IR ID " ]"
.br
.RB "[ " alias
.IR NAME  " ]"
.br
.RB "[ " vf
.IR NUM " ["
.B  mac
.IR LLADDR " ]"
.br
.in +9
.RI "[ " VFVLAN-LIST " ]"
.br
.RB "[ " rate
.IR TXRATE " ]"
.br
.RB "[ " max_tx_rate
.IR TXRATE " ]"
.br
.RB "[ " min_tx_rate
.IR TXRATE " ]"
.br
.RB "[ " spoofchk " { " on " | " off " } ]"
.br
.RB "[ " query_rss " { " on " | " off " } ]"
.br
.RB "[ " state " { " auto " | " enable " | " disable " } ]"
.br
.RB "[ " trust " { " on " | " off " } ]"
.br
.RB "[ " node_guid " eui64 ]"
.br
.RB "[ " port_guid " eui64 ] ]"
.br
.in -9
.RB "[ " master
.IR DEVICE " ]"
.br
.RB "[ " nomaster " ]"
.br
.RB "[ " vrf
.IR NAME " ]"
.br
.RB "[ " addrgenmode " { " eui64 " | " none " | " stable_secret " | " random " } ]"
.br
.RB "[ " macaddr " { " flush " | { " add " | " del " } "
.IR MACADDR " | set [ "
.IR MACADDR " [ "
.IR MACADDR " [ ... ] ] ] } ]"
.br

.ti -8
.B ip link show
.RI "[ " DEVICE " | "
.B group
.IR GROUP " ] ["
.BR up " ] ["
.B master
.IR DEVICE " ] ["
.B type
.IR ETYPE " ]"
.B vrf
.IR NAME " ]"

.ti -8
.B ip link help
.RI "[ " TYPE " ]"

.ti -8
.IR TYPE " := [ "
.BR bridge " | "
.BR bond " | "
.BR can " | "
.BR dummy " | "
.BR hsr " | "
.BR ifb " | "
.BR ipoib " |"
.BR macvlan  " | "
.BR macvtap  " | "
.BR vcan " | "
.BR veth " | "
.BR vlan " | "
.BR vxlan " |"
.BR ip6tnl " |"
.BR ipip " |"
.BR sit " |"
.BR gre " |"
.BR gretap " |"
.BR ip6gre " |"
.BR ip6gretap " |"
.BR vti " |"
.BR nlmon " |"
.BR ipvlan " |"
.BR lowpan " |"
.BR geneve " |"
.BR vrf " |"
.BR macsec " ]"

.ti -8
.IR ETYPE " := [ " TYPE " |"
.BR bridge_slave " | " bond_slave " ]"

.ti -8
.IR VFVLAN-LIST " := [ "  VFVLAN-LIST " ] " VFVLAN

.ti -8
.IR VFVLAN " := "
.RB "[ " vlan
.IR VLANID " [ "
.B qos
.IR VLAN-QOS " ] ["
.B proto
.IR VLAN-PROTO " ] ]"

.SH "DESCRIPTION"
.SS ip link add - add virtual link

.TP
.BI link " DEVICE "
specifies the physical device to act operate on.

.I NAME
specifies the name of the new virtual device.

.I TYPE
specifies the type of the new device.
.sp
Link types:

.in +8
.B bridge
- Ethernet Bridge device
.sp
.B bond
- Bonding device
.B can
- Controller Area Network interface
.sp
.B dummy
- Dummy network interface
.sp
.B hsr
- High-availability Seamless Redundancy device
.sp
.B ifb
- Intermediate Functional Block device
.sp
.B ipoib
- IP over Infiniband device
.sp
.B macvlan
- Virtual interface base on link layer address (MAC)
.sp
.B macvtap
- Virtual interface based on link layer address (MAC) and TAP.
.sp
.B vcan
- Virtual Controller Area Network interface
.sp
.B veth
- Virtual ethernet interface
.sp
.BR vlan
- 802.1q tagged virtual LAN interface
.sp
.BR vxlan
- Virtual eXtended LAN
.sp
.BR ip6tnl
- Virtual tunnel interface IPv4|IPv6 over IPv6
.sp
.BR ipip
- Virtual tunnel interface IPv4 over IPv4
.sp
.BR sit
- Virtual tunnel interface IPv6 over IPv4
.sp
.BR gre
- Virtual tunnel interface GRE over IPv4
.sp
.BR gretap
- Virtual L2 tunnel interface GRE over IPv4
.sp
.BR ip6gre
- Virtual tunnel interface GRE over IPv6
.sp
.BR ip6gretap
- Virtual L2 tunnel interface GRE over IPv6
.sp
.BR vti
- Virtual tunnel interface
.sp
.BR nlmon
- Netlink monitoring device
.sp
.BR ipvlan
- Interface for L3 (IPv6/IPv4) based VLANs
.sp
.BR lowpan
- Interface for 6LoWPAN (IPv6) over IEEE 802.15.4 / Bluetooth
.sp
.BR geneve
- GEneric NEtwork Virtualization Encapsulation
.sp
.BR macsec
- Interface for IEEE 802.1AE MAC Security (MACsec)
.sp
.BR vrf
- Interface for L3 VRF domains
.in -8

.TP
.BI numtxqueues " QUEUE_COUNT "
specifies the number of transmit queues for new device.

.TP
.BI numrxqueues " QUEUE_COUNT "
specifies the number of receive queues for new device.

.TP
.BI index " IDX "
specifies the desired index of the new virtual device. The link creation fails, if the index is busy.

.TP
VLAN Type Support
For a link of type
.I VLAN
the following additional arguments are supported:

.BI "ip link add
.BI link " DEVICE "
.BI name " NAME "
.B "type vlan"
[
.BI protocol " VLAN_PROTO "
]
.BI id " VLANID "
[
.BR reorder_hdr " { " on " | " off " } "
]
[
.BR gvrp " { " on " | " off " } "
]
[
.BR mvrp " { " on " | " off " } "
]
[
.BR loose_binding " { " on " | " off " } "
]
[
.BI ingress-qos-map " QOS-MAP "
]
[
.BI egress-qos-map " QOS-MAP "
]

.in +8
.sp
.BI protocol " VLAN_PROTO "
- either 802.1Q or 802.1ad.

.BI id " VLANID "
- specifies the VLAN Identifer to use. Note that numbers with a leading " 0 " or " 0x " are interpreted as octal or hexadeimal, respectively.

.BR reorder_hdr " { " on " | " off " } "
- specifies whether ethernet headers are reordered or not (default is
.BR on ")."

.in +4
If
.BR reorder_hdr " is " on
then VLAN header will be not inserted immediately but only before passing to the
physical device (if this device does not support VLAN offloading), the similar
on the RX direction - by default the packet will be untagged before being
received by VLAN device. Reordering allows to accelerate tagging on egress and
to hide VLAN header on ingress so the packet looks like regular Ethernet packet,
at the same time it might be confusing for packet capture as the VLAN header
does not exist within the packet.

VLAN offloading can be checked by
.BR ethtool "(8):"
.in +4
.sp
.B ethtool -k
<phy_dev> |
.RB grep " tx-vlan-offload"
.sp
.in -4
where <phy_dev> is the physical device to which VLAN device is bound.
.in -4

.BR gvrp " { " on " | " off " } "
- specifies whether this VLAN should be registered using GARP VLAN Registration Protocol.

.BR mvrp " { " on " | " off " } "
- specifies whether this VLAN should be registered using Multiple VLAN Registration Protocol.

.BR loose_binding " { " on " | " off " } "
- specifies whether the VLAN device state is bound to the physical device state.

.BI ingress-qos-map " QOS-MAP "
- defines a mapping of VLAN header prio field to the Linux internal packet
priority on incoming frames. The format is FROM:TO with multiple mappings
separated by spaces.

.BI egress-qos-map " QOS-MAP "
- defines a mapping of Linux internal packet priority to VLAN header prio field
but for outgoing frames. The format is the same as for ingress-qos-map.
.in +4

Linux packet priority can be set by
.BR iptables "(8)":
.in +4
.sp
.B iptables
-t mangle -A POSTROUTING [...] -j CLASSIFY --set-class 0:4
.sp
.in -4
and this "4" priority can be used in the egress qos mapping to set VLAN prio "5":
.sp
.in +4
.B ip
link set veth0.10 type vlan egress 4:5
.in -4
.in -4
.in -8

.TP
VXLAN Type Support
For a link of type
.I VXLAN
the following additional arguments are supported:

.BI "ip link add " DEVICE
.BI type " vxlan " id " VNI"
[
.BI dev " PHYS_DEV "
.RB " ] [ { " group " | " remote " } "
.I IPADDR
] [
.B local
.RI "{ "IPADDR " | "any " } "
] [
.BI ttl " TTL "
] [
.BI tos " TOS "
] [
.BI flowlabel " FLOWLABEL "
] [
.BI dstport " PORT "
] [
.BI srcport " MIN MAX "
] [
.RB [ no ] learning
] [
.RB [ no ] proxy
] [
.RB [ no ] rsc
] [
.RB [ no ] l2miss
] [
.RB [ no ] l3miss
] [
.RB [ no ] udpcsum
] [
.RB [ no ] udp6zerocsumtx
] [
.RB [ no ] udp6zerocsumrx
] [
.BI ageing " SECONDS "
] [
.BI maxaddress " NUMBER "
] [
.RB [ no ] external
] [
.B gbp
] [
.B gpe
]

.in +8
.sp
.BI  id " VNI "
- specifies the VXLAN Network Identifer (or VXLAN Segment
Identifier) to use.

.BI dev " PHYS_DEV"
- specifies the physical device to use for tunnel endpoint communication.

.sp
.BI group " IPADDR"
- specifies the multicast IP address to join.
This parameter cannot be specified with the
.B remote
parameter.

.sp
.BI remote " IPADDR"
- specifies the unicast destination IP address to use in outgoing packets
when the destination link layer address is not known in the VXLAN device
forwarding database. This parameter cannot be specified with the
.B group
parameter.

.sp
.BI local " IPADDR"
- specifies the source IP address to use in outgoing packets.

.sp
.BI ttl " TTL"
- specifies the TTL value to use in outgoing packets.

.sp
.BI tos " TOS"
- specifies the TOS value to use in outgoing packets.

.sp
.BI flowlabel " FLOWLABEL"
- specifies the flow label to use in outgoing packets.

.sp
.BI dstport " PORT"
- specifies the UDP destination port to communicate to the remote VXLAN tunnel endpoint.

.sp
.BI srcport " MIN MAX"
- specifies the range of port numbers to use as UDP
source ports to communicate to the remote VXLAN tunnel endpoint.

.sp
.RB [ no ] learning
- specifies if unknown source link layer addresses and IP addresses
are entered into the VXLAN device forwarding database.

.sp
.RB [ no ] rsc
- specifies if route short circuit is turned on.

.sp
.RB [ no ] proxy
- specifies ARP proxy is turned on.

.sp
.RB [ no ] l2miss
- specifies if netlink LLADDR miss notifications are generated.

.sp
.RB [ no ] l3miss
- specifies if netlink IP ADDR miss notifications are generated.

.sp
.RB [ no ] udpcsum
- specifies if UDP checksum is calculated for transmitted packets over IPv4.

.sp
.RB [ no ] udp6zerocsumtx
- skip UDP checksum calculation for transmitted packets over IPv6.

.sp
.RB [ no ] udp6zerocsumrx
- allow incoming UDP packets over IPv6 with zero checksum field.

.sp
.BI ageing " SECONDS"
- specifies the lifetime in seconds of FDB entries learnt by the kernel.

.sp
.BI maxaddress " NUMBER"
- specifies the maximum number of FDB entries.

.sp
.RB [ no ] external
- specifies whether an external control plane
.RB "(e.g. " "ip route encap" )
or the internal FDB should be used.

.sp
.B gbp
- enables the Group Policy extension (VXLAN-GBP).

.in +4
Allows to transport group policy context across VXLAN network peers.
If enabled, includes the mark of a packet in the VXLAN header for outgoing
packets and fills the packet mark based on the information found in the
VXLAN header for incomming packets.

Format of upper 16 bits of packet mark (flags);

.in +2
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
.br
|-|-|-|-|-|-|-|-|-|D|-|-|A|-|-|-|
.br
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

.B D :=
Don't Learn bit. When set, this bit indicates that the egress
VTEP MUST NOT learn the source address of the encapsulated frame.

.B A :=
Indicates that the group policy has already been applied to
this packet. Policies MUST NOT be applied by devices when the A bit is set.
.in -2

Format of lower 16 bits of packet mark (policy ID):

.in +2
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
.br
|        Group Policy ID        |
.br
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
.in -2

Example:
  iptables -A OUTPUT [...] -j MARK --set-mark 0x800FF

.in -4

.sp
.B gpe
- enables the Generic Protocol extension (VXLAN-GPE). Currently, this is
only supported together with the
.B external
keyword.

.in -8

.TP
GRE, IPIP, SIT Type Support
For a link of types
.I GRE/IPIP/SIT
the following additional arguments are supported:

.BI "ip link add " DEVICE
.BR type " { " gre " | " ipip " | " sit " }"
.BI " remote " ADDR " local " ADDR
[
.BR encap " { " fou " | " gue " | " none " }"
] [
.BR encap-sport " { " \fIPORT " | " auto " }"
] [
.BI "encap-dport " PORT
] [
.RB [ no ] encap-csum
] [
.RB [ no ] encap-remcsum
]

.in +8
.sp
.BI  remote " ADDR "
- specifies the remote address of the tunnel.

.sp
.BI  local " ADDR "
- specifies the fixed local address for tunneled packets.
It must be an address on another interface on this host.

.sp
.BR encap " { " fou " | " gue " | " none " }"
- specifies type of secondary UDP encapsulation. "fou" indicates
Foo-Over-UDP, "gue" indicates Generic UDP Encapsulation.

.sp
.BR encap-sport " { " \fIPORT " | " auto " }"
- specifies the source port in UDP encapsulation.
.IR PORT
indicates the port by number, "auto"
indicates that the port number should be chosen automatically
(the kernel picks a flow based on the flow hash of the
encapsulated packet).

.sp
.RB [ no ] encap-csum
- specifies if UDP checksums are enabled in the secondary
encapsulation.

.sp
.RB [ no ] encap-remcsum
- specifies if Remote Checksum Offload is enabled. This is only
applicable for Generic UDP Encapsulation.

.in -8

.TP
IP6GRE/IP6GRETAP Type Support
For a link of type
.I IP6GRE/IP6GRETAP
the following additional arguments are supported:

.BI "ip link add " DEVICE
.BR type " { " ip6gre " | " ip6gretap " }"
.BI remote " ADDR " local " ADDR"
[
.RB [ i | o ] seq
] [
.RB [ i | o ] key
.I KEY
] [
.RB [ i | o ] csum
] [
.BI hoplimit " TTL "
] [
.BI encaplimit " ELIM "
] [
.BI tclass " TCLASS "
] [
.BI flowlabel " FLOWLABEL "
] [
.BI "dscp inherit"
] [
.BI dev " PHYS_DEV "
]

.in +8
.sp
.BI  remote " ADDR "
- specifies the remote IPv6 address of the tunnel.

.sp
.BI  local " ADDR "
- specifies the fixed local IPv6 address for tunneled packets.
It must be an address on another interface on this host.

.sp
.RB  [ i | o ] seq
- serialize packets.
The
.B oseq
flag enables sequencing of outgoing packets.
The
.B iseq
flag requires that all input packets are serialized.

.sp
.RB  [ i | o ] key " \fIKEY"
- use keyed GRE with key
.IR KEY ". "KEY
is either a number or an IPv4 address-like dotted quad.
The
.B key
parameter specifies the same key to use in both directions.
The
.BR ikey " and " okey
parameters specify different keys for input and output.

.sp
.RB  [ i | o ] csum
- generate/require checksums for tunneled packets.
The
.B ocsum
flag calculates checksums for outgoing packets.
The
.B icsum
flag requires that all input packets have the correct
checksum. The
.B csum
flag is equivalent to the combination
.BR "icsum ocsum" .

.sp
.BI  hoplimit " TTL"
- specifies Hop Limit value to use in outgoing packets.

.sp
.BI  encaplimit " ELIM"
- specifies a fixed encapsulation limit. Default is 4.

.sp
.BI  flowlabel " FLOWLABEL"
- specifies a fixed flowlabel.

.sp
.BI  tclass " TCLASS"
- specifies the traffic class field on
tunneled packets, which can be specified as either a two-digit
hex value (e.g. c0) or a predefined string (e.g. internet).
The value
.B inherit
causes the field to be copied from the original IP header. The
values
.BI "inherit/" STRING
or
.BI "inherit/" 00 ".." ff
will set the field to
.I STRING
or
.IR 00 ".." ff
when tunneling non-IP packets. The default value is 00.

.in -8

.TP
IPoIB Type Support
For a link of type
.I IPoIB
the following additional arguments are supported:

.BI "ip link add " DEVICE " name " NAME
.BR "type ipoib " [ " pkey \fIPKEY" " ] [ " mode " \fIMODE \fR]"

.in +8
.sp
.BI  pkey " PKEY "
- specifies the IB P-Key to use.

.BI  mode " MODE "
- specifies the mode (datagram or connected) to use.

.TP
GENEVE Type Support
For a link of type
.I GENEVE
the following additional arguments are supported:

.BI "ip link add " DEVICE
.BI type " geneve " id " VNI " remote " IPADDR"
[
.BI ttl " TTL "
] [
.BI tos " TOS "
] [
.BI flowlabel " FLOWLABEL "
] [
.BI dstport " PORT"
] [
.RB [ no ] external
] [
.RB [ no ] udpcsum
] [
.RB [ no ] udp6zerocsumtx
] [
.RB [ no ] udp6zerocsumrx
]

.in +8
.sp
.BI  id " VNI "
- specifies the Virtual Network Identifer to use.

.sp
.BI remote " IPADDR"
- specifies the unicast destination IP address to use in outgoing packets.

.sp
.BI ttl " TTL"
- specifies the TTL value to use in outgoing packets.

.sp
.BI tos " TOS"
- specifies the TOS value to use in outgoing packets.

.sp
.BI flowlabel " FLOWLABEL"
- specifies the flow label to use in outgoing packets.

.sp
.BI dstport " PORT"
- select a destination port other than the default of 6081.

.sp
.RB [ no ] external
- make this tunnel externally controlled (or not, which is the default). This
flag is mutually exclusive with the
.BR id ,
.BR remote ,
.BR ttl ,
.BR tos " and " flowlabel
options.

.sp
.RB [ no ] udpcsum
- specifies if UDP checksum is calculated for transmitted packets over IPv4.

.sp
.RB [ no ] udp6zerocsumtx
- skip UDP checksum calculation for transmitted packets over IPv6.

.sp
.RB [ no ] udp6zerocsumrx
- allow incoming UDP packets over IPv6 with zero checksum field.

.in -8

.TP
MACVLAN and MACVTAP Type Support
For a link of type
.I MACVLAN
or
.I MACVTAP
the following additional arguments are supported:

.BI "ip link add link " DEVICE " name " NAME
.BR type " { " macvlan " | " macvtap " } "
.BR mode " { " private " | " vepa " | " bridge " | " passthru
.RB " [ " nopromisc " ] | " source " } "

.in +8
.sp
.BR type " { " macvlan " | " macvtap " } "
- specifies the link type to use.
.BR macvlan " creates just a virtual interface, while "
.BR macvtap " in addition creates a character device "
.BR /dev/tapX " to be used just like a " tuntap " device."

.B mode private
- Do not allow communication between
.B macvlan
instances on the same physical interface, even if the external switch supports
hairpin mode.

.B mode vepa
- Virtual Ethernet Port Aggregator mode. Data from one
.B macvlan
instance to the other on the same physical interface is transmitted over the
physical interface. Either the attached switch needs to support hairpin mode,
or there must be a TCP/IP router forwarding the packets in order to allow
communication. This is the default mode.

.B mode bridge
- In bridge mode, all endpoints are directly connected to each other,
communication is not redirected through the physical interface's peer.

.BR mode " " passthru " [ " nopromisc " ] "
- This mode gives more power to a single endpoint, usually in
.BR macvtap " mode. It is not allowed for more than one endpoint on the same "
physical interface. All traffic will be forwarded to this endpoint, allowing
virtio guests to change MAC address or set promiscuous mode in order to bridge
the interface or create vlan interfaces on top of it. By default, this mode
forces the underlying interface into promiscuous mode. Passing the
.BR nopromisc " flag prevents this, so the promisc flag may be controlled "
using standard tools.

.B mode source
- allows one to set a list of allowed mac address, which is used to match
against source mac address from received frames on underlying interface. This
allows creating mac based VLAN associations, instead of standard port or tag
based. The feature is useful to deploy 802.1x mac based behavior,
where drivers of underlying interfaces doesn't allows that.
.in -8

.TP
High-availability Seamless Redundancy (HSR) Support
For a link of type
.I HSR
the following additional arguments are supported:

.BI "ip link add link " DEVICE " name " NAME " type hsr"
.BI slave1 " SLAVE1-IF " slave2 " SLAVE2-IF "
.RB [ " supervision"
.IR ADDR-BYTE " ] ["
.BR version " { " 0 " | " 1 " } ]"

.in +8
.sp
.BR type " hsr "
- specifies the link type to use, here HSR.

.BI slave1 " SLAVE1-IF "
- Specifies the physical device used for the first of the two ring ports.

.BI slave2 " SLAVE2-IF "
- Specifies the physical device used for the second of the two ring ports.

.BI supervision " ADDR-BYTE"
- The last byte of the multicast address used for HSR supervision frames.
Default option is "0", possible values 0-255.

.BR version " { " 0 " | " 1 " }"
- Selects the protocol version of the interface. Default option is "0", which
corresponds to the 2010 version of the HSR standard. Option "1" activates the
2012 version.
.in -8

.TP
MACsec Type Support
For a link of type
.I MACsec
the following additional arguments are supported:

.BI "ip link add link " DEVICE " name " NAME " type macsec"
[ [
.BI address " <lladdr>"
]
.BI port " PORT"
|
.BI sci " SCI"
] [
.BI cipher " CIPHER_SUITE"
] [
.BR icvlen " { "
.IR 8..16 " } ] ["
.BR encrypt " {"
.BR on " | " off " } ] [ "
.BR send_sci " { " on " | " off " } ] ["
.BR end_station " { " on " | " off " } ] ["
.BR scb " { " on " | " off " } ] ["
.BR protect " { " on " | " off " } ] ["
.BR replay " { " on " | " off " }"
.BR window " { "
.IR 0..2^32-1 " } ] ["
.BR validate " { " strict " | " check " | " disabled " } ] ["
.BR encodingsa " { "
.IR 0..3 " } ]"

.in +8
.sp
.BI address " <lladdr> "
- sets the system identifier component of secure channel for this MACsec device.

.sp
.BI port " PORT "
- sets the port number component of secure channel for this MACsec device, in a
range from 1 to 65535 inclusive. Numbers with a leading " 0 " or " 0x " are
interpreted as octal and hexadecimal, respectively.

.sp
.BI sci " SCI "
- sets the secure channel identifier for this MACsec device.
.I SCI
is a 64bit wide number in hexadecimal format.

.sp
.BI cipher " CIPHER_SUITE "
- defines the cipher suite to use.

.sp
.BI icvlen " LENGTH "
- sets the length of the Integrity Check Value (ICV).

.sp
.BR "encrypt on " or " encrypt off"
- switches between authenticated encryption, or authenticity mode only.

.sp
.BR "send_sci on " or " send_sci off"
- specifies whether the SCI is included in every packet, or only when it is necessary.

.sp
.BR "end_station on " or " end_station off"
- sets the End Station bit.

.sp
.BR "scb on " or " scb off"
- sets the Single Copy Broadcast bit.

.sp
.BR "protect on " or " protect off"
- enables MACsec protection on the device.

.sp
.BR "replay on " or " replay off"
- enables replay protection on the device.

.in +8

.sp
.BI window " SIZE "
- sets the size of the replay window.

.in -8

.sp
.BR "validate strict " or " validate check " or " validate disabled"
- sets the validation mode on the device.

.sp
.BI encodingsa " AN "
- sets the active secure association for transmission.

.in -8

.TP
VRF Type Support
For a link of type
.I VRF
the following additional arguments are supported:

.BI "ip link add " DEVICE " type vrf table " TABLE

.in +8
.sp
.BR table " table id associated with VRF device"

.in -8

.SS ip link delete - delete virtual link

.TP
.BI dev " DEVICE "
specifies the virtual device to act operate on.

.TP
.BI group " GROUP "
specifies the group of virtual links to delete. Group 0 is not allowed to be
deleted since it is the default group.

.TP
.BI type " TYPE "
specifies the type of the device.

.SS ip link set - change device attributes

.PP
.B Warning:
If multiple parameter changes are requested,
.B ip
aborts immediately after any of the changes have failed.
This is the only case when
.B ip
can move the system to an unpredictable state. The solution
is to avoid changing several parameters with one
.B ip link set
call.

.TP
.BI dev " DEVICE "
.I DEVICE
specifies network device to operate on. When configuring SR-IOV Virtual Function
(VF) devices, this keyword should specify the associated Physical Function (PF)
device.

.TP
.BI group " GROUP "
.I GROUP
has a dual role: If both group and dev are present, then move the device to the
specified group. If only a group is specified, then the command operates on
all devices in that group.

.TP
.BR up " and " down
change the state of the device to
.B UP
or
.BR "DOWN" .

.TP
.BR "arp on " or " arp off"
change the
.B NOARP
flag on the device.

.TP
.BR "multicast on " or " multicast off"
change the
.B MULTICAST
flag on the device.

.TP
.BR "protodown on " or " protodown off"
change the
.B PROTODOWN
state on the device. Indicates that a protocol error has been detected on the port. Switch drivers can react to this error by doing a phys down on the switch port.

.TP
.BR "dynamic on " or " dynamic off"
change the
.B DYNAMIC
flag on the device. Indicates that address can change when interface goes down (currently
.B NOT
used by the Linux).

.TP
.BI name " NAME"
change the name of the device. This operation is not
recommended if the device is running or has some addresses
already configured.

.TP
.BI txqueuelen " NUMBER"
.TP
.BI txqlen " NUMBER"
change the transmit queue length of the device.

.TP
.BI mtu " NUMBER"
change the
.I MTU
of the device.

.TP
.BI address " LLADDRESS"
change the station address of the interface.

.TP
.BI broadcast " LLADDRESS"
.TP
.BI brd " LLADDRESS"
.TP
.BI peer " LLADDRESS"
change the link layer broadcast address or the peer address when
the interface is
.IR "POINTOPOINT" .

.TP
.BI netns " NETNSNAME " \fR| " PID"
move the device to the network namespace associated with name
.IR "NETNSNAME " or
.RI process " PID".

Some devices are not allowed to change network namespace: loopback, bridge,
ppp, wireless. These are network namespace local devices. In such case
.B ip
tool will return "Invalid argument" error. It is possible to find out if device is local
to a single network namespace by checking
.B netns-local
flag in the output of the
.BR ethtool ":"

.in +8
.B ethtool -k
.I DEVICE
.in -8

To change network namespace for wireless devices the
.B iw
tool can be used. But it allows to change network namespace only for physical devices and by process
.IR PID .

.TP
.BI alias " NAME"
give the device a symbolic name for easy reference.

.TP
.BI group " GROUP"
specify the group the device belongs to.
The available groups are listed in file
.BR "@SYSCONFDIR@/group" .

.TP
.BI vf " NUM"
specify a Virtual Function device to be configured. The associated PF device
must be specified using the
.B dev
parameter.

.in +8
.BI mac " LLADDRESS"
- change the station address for the specified VF. The
.B vf
parameter must be specified.

.sp
.BI vlan " VLANID"
- change the assigned VLAN for the specified VF. When specified, all traffic
sent from the VF will be tagged with the specified VLAN ID. Incoming traffic
will be filtered for the specified VLAN ID, and will have all VLAN tags
stripped before being passed to the VF. Setting this parameter to 0 disables
VLAN tagging and filtering. The
.B vf
parameter must be specified.

.sp
.BI qos " VLAN-QOS"
- assign VLAN QOS (priority) bits for the VLAN tag. When specified, all VLAN
tags transmitted by the VF will include the specified priority bits in the
VLAN tag. If not specified, the value is assumed to be 0. Both the
.B vf
and
.B vlan
parameters must be specified. Setting both
.B vlan
and
.B qos
as 0 disables VLAN tagging and filtering for the VF.

.sp
.BI proto " VLAN-PROTO"
- assign VLAN PROTOCOL for the VLAN tag, either 802.1Q or 802.1ad.
Setting to 802.1ad, all traffic sent from the VF will be tagged with VLAN S-Tag.
Incoming traffic will have VLAN S-Tags stripped before being passed to the VF.
Setting to 802.1ad also enables an option to concatenate another VLAN tag, so both
S-TAG and C-TAG will be inserted/stripped for outgoing/incoming traffic, respectively.
If not specified, the value is assumed to be 802.1Q. Both the
.B vf
and
.B vlan
parameters must be specified.

.sp
.BI rate " TXRATE"
-- change the allowed transmit bandwidth, in Mbps, for the specified VF.
Setting this parameter to 0 disables rate limiting.
.B vf
parameter must be specified.
Please use new API
.B "max_tx_rate"
option instead.

.sp
.BI max_tx_rate " TXRATE"
- change the allowed maximum transmit bandwidth, in Mbps, for the specified VF.
.B vf
parameter must be specified.

.sp
.BI min_tx_rate " TXRATE"
- change the allowed minimum transmit bandwidth, in Mbps, for the specified VF.
Minimum TXRATE should be always <= Maximum TXRATE.
.B vf
parameter must be specified.

.sp
.BI spoofchk " on|off"
- turn packet spoof checking on or off for the specified VF.
.sp
.BI query_rss " on|off"
- toggle the ability of querying the RSS configuration of a specific VF. VF RSS information like RSS hash key may be considered sensitive on some devices where this information is shared between VF and PF and thus its querying may be prohibited by default.
.sp
.BI state " auto|enable|disable"
- set the virtual link state as seen by the specified VF. Setting to auto means a
reflection of the PF link state, enable lets the VF to communicate with other VFs on
this host even if the PF link state is down, disable causes the HW to drop any packets
sent by the VF.
.sp
.BI trust " on|off"
- trust the specified VF user. This enables that VF user can set a specific feature
which may impact security and/or performance. (e.g. VF multicast promiscuous mode)
.sp
.BI node_guid " eui64"
- configure node GUID for the VF.
.sp
.BI port_guid " eui64"
- configure port GUID for the VF.
.in -8

.TP
.BI master " DEVICE"
set master device of the device (enslave device).

.TP
.BI nomaster
unset master device of the device (release device).

.TP
.BI addrgenmode " eui64|none|stable_secret|random"
set the IPv6 address generation mode

.I eui64
- use a Modified EUI-64 format interface identifier

.I none
- disable automatic address generation

.I stable_secret
- generate the interface identifier based on a preset /proc/sys/net/ipv6/conf/{default,DEVICE}/stable_secret

.I random
- like stable_secret, but auto-generate a new random secret if none is set

.TP
.BR "link-netnsid "
set peer netnsid for a cross-netns interface

.TP
.BI type " ETYPE TYPE_ARGS"
Change type-specific settings. For a list of supported types and arguments refer
to the description of
.B "ip link add"
above. In addition to that, it is possible to manipulate settings to slave
devices:

.TP
Bridge Slave Support
For a link with master
.B bridge
the following additional arguments are supported:

.B "ip link set type bridge_slave"
[
.BI state " STATE"
] [
.BI priority " PRIO"
] [
.BI cost " COST"
] [
.BR guard " { " on " | " off " }"
] [
.BR hairpin " { " on " | " off " }"
] [
.BR fastleave " { " on " | " off " }"
] [
.BR root_block " { " on " | " off " }"
] [
.BR learning " { " on " | " off " }"
] [
.BR flood " { " on " | " off " }"
] [
.BR proxy_arp " { " on " | " off " }"
] [
.BR proxy_arp_wifi " { " on " | " off " }"
] [
.BI mcast_router " MULTICAST_ROUTER"
] [
.BR mcast_fast_leave " { " on " | " off "}"
] [
.BR mcast_flood " { " on " | " off " } ]"

.in +8
.sp
.BI state " STATE"
- Set port state.
.I STATE
is a number representing the following states:
.BR 0 " (disabled),"
.BR 1 " (listening),"
.BR 2 " (learning),"
.BR 3 " (forwarding),"
.BR 4 " (blocking)."

.BI priority " PRIO"
- set port priority (a 16bit unsigned value).

.BI cost " COST"
- set port cost (a 32bit unsigned value).

.BR guard " { " on " | " off " }"
- block incoming BPDU packets on this port.

.BR hairpin " { " on " | " off " }"
- enable hairpin mode on this port. This will allow incoming packets on this
port to be reflected back.

.BR fastleave " { " on " | " off " }"
- enable multicast fast leave on this port.

.BR root_block " { " on " | " off " }"
- block this port from becoming the bridge's root port.

.BR learning " { " on " | " off " }"
- allow MAC address learning on this port.

.BR flood " { " on " | " off " }"
- open the flood gates on this port, i.e. forward all unicast frames to this
port also. Requires
.BR proxy_arp " and " proxy_arp_wifi
to be turned off.

.BR proxy_arp " { " on " | " off " }"
- enable proxy ARP on this port.

.BR proxy_arp_wifi " { " on " | " off " }"
- enable proxy ARP on this port which meets extended requirements by IEEE
802.11 and Hotspot 2.0 specifications.

.BI mcast_router " MULTICAST_ROUTER"
- configure this port for having multicast routers attached. A port with a
multicast router will receive all multicast traffic.
.I MULTICAST_ROUTER
may be either
.B 0
to disable multicast routers on this port,
.B 1
to let the system detect the presence of of routers (this is the default),
.B 2
to permanently enable multicast traffic forwarding on this port or
.B 3
to enable multicast routers temporarily on this port, not depending on incoming
queries.

.BR mcast_fast_leave " { " on " | " off " }"
- this is a synonym to the
.B fastleave
option above.

.BR mcast_flood " { " on " | " off " }"
- controls whether a given port will be flooded with multicast traffic for which there is no MDB entry.

.in -8

.TP
Bonding Slave Support
For a link with master
.B bond
the following additional arguments are supported:

.B "ip link set type bond_slave"
[
.BI queue_id " ID"
]

.in +8
.sp
.BI queue_id " ID"
- set the slave's queue ID (a 16bit unsigned value).

.in -8

.TP
MACVLAN and MACVTAP Support
Modify list of allowed macaddr for link in source mode.

.B "ip link set type { macvlan | macvap } "
[
.BI macaddr " " "" COMMAND " " MACADDR " ..."
]

Commands:
.in +8
.B add
- add MACADDR to allowed list
.sp
.B set
- replace allowed list
.sp
.B del
- remove MACADDR from allowed list
.sp
.B flush
- flush whole allowed list
.sp
.in -8


.SS  ip link show - display device attributes

.TP
.BI dev " NAME " (default)
.I NAME
specifies the network device to show.
If this argument is omitted all devices in the default group are listed.

.TP
.BI group " GROUP "
.I GROUP
specifies what group of devices to show.

.TP
.B up
only display running interfaces.

.TP
.BI master " DEVICE "
.I DEVICE
specifies the master device which enslaves devices to show.

.TP
.BI vrf " NAME "
.I NAME
speficies the VRF which enslaves devices to show.

.TP
.BI type " TYPE "
.I TYPE
specifies the type of devices to show.

Note that the type name is not checked against the list of supported types -
instead it is sent as-is to the kernel. Later it is used to filter the returned
interface list by comparing it with the relevant attribute in case the kernel
didn't filter already. Therefore any string is accepted, but may lead to empty
output.

.SS  ip link help - display help

.PP
.I "TYPE"
specifies which help of link type to dislpay.

.SS
.I GROUP
may be a number or a string from the file
.B @SYSCONFDIR@/group
which can be manually filled.

.SH "EXAMPLES"
.PP
ip link show
.RS 4
Shows the state of all network interfaces on the system.
.RE
.PP
ip link show type bridge
.RS 4
Shows the bridge devices.
.RE
.PP
ip link show type vlan
.RS 4
Shows the vlan devices.
.RE
.PP
ip link show master br0
.RS 4
Shows devices enslaved by br0
.RE
.PP
ip link set dev ppp0 mtu 1400
.RS 4
Change the MTU the ppp0 device.
.RE
.PP
ip link add link eth0 name eth0.10 type vlan id 10
.RS 4
Creates a new vlan device eth0.10 on device eth0.
.RE
.PP
ip link delete dev eth0.10
.RS 4
Removes vlan device.
.RE

ip link help gre
.RS 4
Display help for the gre link type.
.RE
.PP
ip link add name tun1 type ipip remote 192.168.1.1
local 192.168.1.2 ttl 225 encap gue encap-sport auto
encap-dport 5555 encap-csum encap-remcsum
.RS 4
Creates an IPIP that is encapsulated with Generic UDP Encapsulation,
and the outer UDP checksum and remote checksum offload are enabled.

.RE
.PP
ip link add link wpan0 lowpan0 type lowpan
.RS 4
Creates a 6LoWPAN interface named lowpan0 on the underlying
IEEE 802.15.4 device wpan0.
.RE

.SH SEE ALSO
.br
.BR ip (8),
.BR ip-netns (8),
.BR ethtool (8),
.BR iptables (8)

.SH AUTHOR
Original Manpage by Michail Litvak <mci@owl.openwall.com>