git.proxmox.com Git - systemd.git/blame - man/systemd.netdev.xml
New upstream version 249~rc1
Commit Line Data
60f067b4 1<?xml version='1.0'?> <!--*-nxml-*-->
bb4f798a 2<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
e735f4d4 3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
a032b68d 4<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
60f067b4
JS
5
6<refentry id="systemd.netdev" conditional='ENABLE_NETWORKD'>
7
e735f4d4
MP
8 <refentryinfo>
9 <title>systemd.network</title>
10 <productname>systemd</productname>
e735f4d4
MP
11 </refentryinfo>
12
13 <refmeta>
14 <refentrytitle>systemd.netdev</refentrytitle>
15 <manvolnum>5</manvolnum>
16 </refmeta>
17
18 <refnamediv>
19 <refname>systemd.netdev</refname>
20 <refpurpose>Virtual Network Device configuration</refpurpose>
21 </refnamediv>
22
23 <refsynopsisdiv>
24 <para><filename><replaceable>netdev</replaceable>.netdev</filename></para>
25 </refsynopsisdiv>
26
27 <refsect1>
28 <title>Description</title>
29
46cdbd49 30 <para>A plain ini-style text file that encodes configuration about a virtual network device, used by
e735f4d4 31 <citerefentry><refentrytitle>systemd-networkd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
a10f5d05 32 See <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry>
46cdbd49 33 for a general description of the syntax.</para>
e735f4d4 34
8a584da2
MP
35 <para>The main Virtual Network Device file must have the extension <filename>.netdev</filename>;
36 other extensions are ignored. Virtual network devices are created as soon as networkd is
37 started. If a netdev with the specified name already exists, networkd will use that as-is rather
38 than create its own. Note that the settings of the pre-existing netdev will not be changed by
e735f4d4
MP
39 networkd.</para>
40
8a584da2
MP
41 <para>The <filename>.netdev</filename> files are read from the files located in the system
42 network directory <filename>/usr/lib/systemd/network</filename>, the volatile runtime network
43 directory <filename>/run/systemd/network</filename> and the local administration network
44 directory <filename>/etc/systemd/network</filename>. All configuration files are collectively
45 sorted and processed in lexical order, regardless of the directories in which they live.
a032b68d
MB
46 However, files with identical filenames replace each other. Files in <filename>/etc/</filename>
47 have the highest priority, files in <filename>/run/</filename> take precedence over files with
48 the same name in <filename>/usr/lib/</filename>. This can be used to override a system-supplied
8a584da2
MP
49 configuration file with a local file if needed. As a special case, an empty file (file size 0)
50 or symlink with the same name pointing to <filename>/dev/null</filename> disables the
51 configuration file entirely (it is "masked").</para>
52
53 <para>Along with the netdev file <filename>foo.netdev</filename>, a "drop-in" directory
54 <filename>foo.netdev.d/</filename> may exist. All files with the suffix <literal>.conf</literal>
8b3d4ff0
MB
55 from this directory will be merged in alphanumeric order and parsed after the main file itself
56 has been parsed. This is useful to alter or add configuration settings, without having to modify
57 the main configuration file. Each drop-in file must have appropriate section headers.</para>
8a584da2
MP
58
59 <para>In addition to <filename>/etc/systemd/network</filename>, drop-in <literal>.d</literal>
60 directories can be placed in <filename>/usr/lib/systemd/network</filename> or
61 <filename>/run/systemd/network</filename> directories. Drop-in files in
a032b68d
MB
62 <filename>/etc/</filename> take precedence over those in <filename>/run/</filename> which in turn
63 take precedence over those in <filename>/usr/lib/</filename>. Drop-in files under any of these
8a584da2 64 directories take precedence over the main netdev file wherever located. (Of course, since
a032b68d 65 <filename>/run/</filename> is temporary and <filename>/usr/lib/</filename> is for vendors, it is
8a584da2 66 unlikely drop-ins should be used in either of those places.)</para>
e735f4d4
MP
67 </refsect1>
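The lookup rules in the Description section (three search directories, same-name replacement, masking, and drop-in merging) can be checked mechanically when auditing which configuration is actually in effect. The following is an added example, not part of systemd or of this manual page; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Search directories from lowest to highest priority, as listed above.
SEARCH_DIRS = ("usr/lib/systemd/network", "run/systemd/network", "etc/systemd/network")


def is_masked(path):
    """True for an empty file (size 0) or a symlink that resolves to /dev/null."""
    if os.path.realpath(path) == "/dev/null":
        return True
    try:
        return path.stat().st_size == 0
    except OSError:
        return False


def resolve_netdevs(root="/"):
    """Return one record per .netdev file name, in lexical (processing) order."""
    root = Path(root)
    winner, shadowed = {}, {}
    for rel in SEARCH_DIRS:
        directory = root / rel
        if not directory.is_dir():
            continue
        for path in sorted(directory.glob("*.netdev")):
            if path.is_dir():
                continue
            if path.name in winner:
                # A same-named file in a higher-priority directory replaces this one.
                shadowed.setdefault(path.name, []).append(winner[path.name])
            winner[path.name] = path

    records = []
    for name in sorted(winner):
        dropins = {}
        for rel in SEARCH_DIRS:
            dropin_dir = root / rel / (name + ".d")
            if dropin_dir.is_dir():
                for conf in dropin_dir.glob("*.conf"):
                    dropins[conf.name] = conf  # higher-priority directory wins
        records.append({
            "name": name,
            "main": winner[name],
            "masked": is_masked(winner[name]),  # masked files are reported, not loaded
            "shadowed": shadowed.get(name, []),
            "dropins": [dropins[k] for k in sorted(dropins)],
        })
    return records


def build_sample_tree(root):
    """Write a constructed sample layout (not taken from a real system)."""
    files = {
        "usr/lib/systemd/network/10-br0.netdev": "[NetDev]\nName=br0\nKind=bridge\n",
        "etc/systemd/network/10-br0.netdev": "[NetDev]\nName=br0\nKind=bridge\n\n[Bridge]\nSTP=yes\n",
        "usr/lib/systemd/network/20-vx.netdev": "[NetDev]\nName=vx0\nKind=vxlan\n",
        "run/systemd/network/20-vx.netdev": "",  # empty file masks the vendor copy
        "usr/lib/systemd/network/30-vlan.netdev": "[NetDev]\nName=vlan10\nKind=vlan\n\n[VLAN]\nId=10\n",
        "usr/lib/systemd/network/30-vlan.netdev.d/05-desc.conf": "[NetDev]\nDescription=vendor\n",
        "run/systemd/network/30-vlan.netdev.d/10-mtu.conf": "[NetDev]\nMTUBytes=1400\n",
        "etc/systemd/network/30-vlan.netdev.d/10-mtu.conf": "[NetDev]\nMTUBytes=1500\n",
        "usr/lib/systemd/network/40-dm.netdev": "[NetDev]\nName=dm0\nKind=dummy\n",
        "etc/systemd/network/notes.txt": "ignored: wrong extension\n",
    }
    for rel, text in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    # A symlink to /dev/null masks the vendor file of the same name.
    os.symlink("/dev/null", Path(root) / "etc/systemd/network/40-dm.netdev")


def audit_sample():
    """Resolve the constructed tree; paths are returned relative to its root."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)

        def rel(path):
            return str(path.relative_to(tmp))

        return [
            (r["name"], rel(r["main"]), r["masked"],
             [rel(p) for p in r["shadowed"]], [rel(p) for p in r["dropins"]])
            for r in resolve_netdevs(tmp)
        ]


if __name__ == "__main__":
    for row in audit_sample():
        print(row)
```

Calling resolve_netdevs() with the default root inspects the live system; files listed as shadowed are present on disk but are not the ones networkd reads.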
68
69 <refsect1>
70 <title>Supported netdev kinds</title>
71
72 <para>The following kinds of virtual network devices may be
73 configured in <filename>.netdev</filename> files:</para>
74
75 <table>
76 <title>Supported kinds of virtual network devices</title>
77
78 <tgroup cols='2'>
79 <colspec colname='kind' />
80 <colspec colname='explanation' />
81 <thead><row>
82 <entry>Kind</entry>
83 <entry>Description</entry>
84 </row></thead>
85 <tbody>
86 <row><entry><varname>bond</varname></entry>
9e294e28 87 <entry>A bond device is an aggregation of all its slave devices. See <ulink url="https://www.kernel.org/doc/Documentation/networking/bonding.txt">Linux Ethernet Bonding Driver HOWTO</ulink> for details.</entry></row>
e735f4d4
MP
88
89 <row><entry><varname>bridge</varname></entry>
db2df898 90 <entry>A bridge device is a software switch, and each of its slave devices and the bridge itself are ports of the switch.</entry></row>
e735f4d4
MP
91
92 <row><entry><varname>dummy</varname></entry>
93 <entry>A dummy device drops all packets sent to it.</entry></row>
94
95 <row><entry><varname>gre</varname></entry>
96 <entry>A Level 3 GRE tunnel over IPv4. See <ulink url="https://tools.ietf.org/html/rfc2784">RFC 2784</ulink> for details.</entry></row>
97
98 <row><entry><varname>gretap</varname></entry>
99 <entry>A Level 2 GRE tunnel over IPv4.</entry></row>
100
6e866b33 101 <row><entry><varname>erspan</varname></entry>
bb4f798a 102 <entry>ERSPAN mirrors traffic on one or more source ports and delivers the mirrored traffic to one or more destination ports on another switch. The traffic is encapsulated in generic routing encapsulation (GRE) and is therefore routable across a layer 3 network between the source switch and the destination switch.</entry></row>
6e866b33 103
e735f4d4
MP
104 <row><entry><varname>ip6gre</varname></entry>
105 <entry>A Level 3 GRE tunnel over IPv6.</entry></row>
106
107 <row><entry><varname>ip6tnl</varname></entry>
108 <entry>An IPv4 or IPv6 tunnel over IPv6.</entry></row>
109
110 <row><entry><varname>ip6gretap</varname></entry>
5a920b42 111 <entry>A Level 2 GRE tunnel over IPv6.</entry></row>
e735f4d4
MP
112
113 <row><entry><varname>ipip</varname></entry>
114 <entry>An IPv4 over IPv4 tunnel.</entry></row>
115
116 <row><entry><varname>ipvlan</varname></entry>
a10f5d05 117 <entry>An IPVLAN device is a stacked device which receives packets from its underlying device based on IP address filtering.</entry></row>
e735f4d4 118
f2dec872 119 <row><entry><varname>ipvtap</varname></entry>
a10f5d05 120 <entry>An IPVTAP device is a stacked device which receives packets from its underlying device based on IP address filtering and can be accessed using the tap user space interface.</entry></row>
f2dec872 121
e735f4d4
MP
122 <row><entry><varname>macvlan</varname></entry>
123 <entry>A macvlan device is a stacked device which receives packets from its underlying device based on MAC address filtering.</entry></row>
124
7035cd9e
MP
125 <row><entry><varname>macvtap</varname></entry>
126 <entry>A macvtap device is a stacked device which receives packets from its underlying device based on MAC address filtering.</entry></row>
127
e735f4d4
MP
128 <row><entry><varname>sit</varname></entry>
129 <entry>An IPv6 over IPv4 tunnel.</entry></row>
130
131 <row><entry><varname>tap</varname></entry>
132 <entry>A persistent Level 2 tunnel between a network device and a device node.</entry></row>
133
134 <row><entry><varname>tun</varname></entry>
135 <entry>A persistent Level 3 tunnel between a network device and a device node.</entry></row>
136
137 <row><entry><varname>veth</varname></entry>
db2df898 138 <entry>An Ethernet tunnel between a pair of network devices.</entry></row>
e735f4d4
MP
139
140 <row><entry><varname>vlan</varname></entry>
141 <entry>A VLAN is a stacked device which receives packets from its underlying device based on VLAN tagging. See <ulink url="http://www.ieee802.org/1/pages/802.1Q.html">IEEE 802.1Q</ulink> for details.</entry></row>
142
143 <row><entry><varname>vti</varname></entry>
144 <entry>An IPv4 over IPSec tunnel.</entry></row>
145
e3bff60a
MP
146 <row><entry><varname>vti6</varname></entry>
147 <entry>An IPv6 over IPSec tunnel.</entry></row>
148
e735f4d4
MP
149 <row><entry><varname>vxlan</varname></entry>
150 <entry>A virtual extensible LAN (vxlan), for connecting Cloud computing deployments.</entry></row>
5a920b42 151
81c58355
MB
152 <row><entry><varname>geneve</varname></entry>
153 <entry>A GEneric NEtwork Virtualization Encapsulation (GENEVE) netdev driver.</entry></row>
154
bb4f798a
MB
155 <row><entry><varname>l2tp</varname></entry>
156 <entry>The Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It does not provide any encryption or confidentiality by itself.</entry></row>
157
f2dec872
BR
158 <row><entry><varname>macsec</varname></entry>
159 <entry>Media Access Control Security (MACsec) is an 802.1AE IEEE industry-standard security technology that provides secure communication for all traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly connected nodes and is capable of identifying and preventing most security threats.</entry></row>
160
5a920b42 161 <row><entry><varname>vrf</varname></entry>
8a584da2
MP
162 <entry>A Virtual Routing and Forwarding (<ulink url="https://www.kernel.org/doc/Documentation/networking/vrf.txt">VRF</ulink>) interface to create separate routing and forwarding domains.</entry></row>
163
164 <row><entry><varname>vcan</varname></entry>
165 <entry>The virtual CAN driver (vcan). Similar to the network loopback devices, vcan offers a virtual local CAN interface.</entry></row>
5a920b42 166
52ad194e
MB
167 <row><entry><varname>vxcan</varname></entry>
168 <entry>The virtual CAN tunnel driver (vxcan). Similar to the virtual ethernet driver veth, vxcan implements a local CAN traffic tunnel between two virtual CAN network devices. When creating a vxcan, two vxcan devices are created as a pair. When one end receives the packet it appears on its pair and vice versa. The vxcan can be used for cross namespace communication.
169 </entry></row>
170
1d42b86d
MB
171 <row><entry><varname>wireguard</varname></entry>
172 <entry>WireGuard Secure Network Tunnel.</entry></row>
173
f2dec872
BR
174 <row><entry><varname>nlmon</varname></entry>
175 <entry>A Netlink monitor device. Use an nlmon device when you want to monitor system Netlink messages.</entry></row>
6e866b33
MB
176
177 <row><entry><varname>fou</varname></entry>
178 <entry>Foo-over-UDP tunneling.</entry></row>
179
f2dec872
BR
180 <row><entry><varname>xfrm</varname></entry>
181 <entry>A virtual tunnel interface like vti/vti6 but with several advantages.</entry></row>
182
46cdbd49 183 <row><entry><varname>ifb</varname></entry>
3a6ce677 184 <entry>The Intermediate Functional Block (ifb) pseudo network interface acts as a QoS concentrator for multiple different sources of traffic.</entry></row>
46cdbd49 185
a032b68d 186 <row><entry><varname>bareudp</varname></entry>
3a6ce677
BR
187 <entry>Bare UDP tunnels provide a generic L3 encapsulation support for tunnelling different L3 protocols like MPLS, IP etc. inside of a UDP tunnel.</entry></row>
188
189 <row><entry><varname>batadv</varname></entry>
190 <entry><ulink url="https://www.open-mesh.org/projects/open-mesh/wiki">B.A.T.M.A.N. Advanced</ulink> is a routing protocol for multi-hop mobile ad-hoc networks which operates on layer 2.</entry></row>
e735f4d4
MP
191 </tbody>
192 </tgroup>
193 </table>
194
195 </refsect1>
196
197 <refsect1>
198 <title>[Match] Section Options</title>
199
200 <para>A virtual network device is only created if the
a10f5d05 201 [Match] section matches the current
e735f4d4
MP
202 environment, or if the section is empty. The following keys are
203 accepted:</para>
204
205 <variablelist class='network-directives'>
206 <varlistentry>
207 <term><varname>Host=</varname></term>
208 <listitem>
bb4f798a
MB
209 <para>Matches against the hostname or machine ID of the host. See
210 <literal>ConditionHost=</literal> in
e735f4d4 211 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
bb4f798a
MB
212 for details. When prefixed with an exclamation mark (<literal>!</literal>), the result is negated.
213 If an empty string is assigned, the previously assigned value is cleared.
e735f4d4
MP
214 </para>
215 </listitem>
216 </varlistentry>
217 <varlistentry>
218 <term><varname>Virtualization=</varname></term>
219 <listitem>
bb4f798a
MB
220 <para>Checks whether the system is executed in a virtualized environment and optionally tests
221 whether it is a specific implementation. See <literal>ConditionVirtualization=</literal> in
e735f4d4 222 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
bb4f798a
MB
223 for details. When prefixed with an exclamation mark (<literal>!</literal>), the result is negated.
224 If an empty string is assigned, the previously assigned value is cleared.
e735f4d4
MP
225 </para>
226 </listitem>
227 </varlistentry>
228 <varlistentry>
229 <term><varname>KernelCommandLine=</varname></term>
230 <listitem>
bb4f798a 231 <para>Checks whether a specific kernel command line option is set. See
e735f4d4
MP
232 <literal>ConditionKernelCommandLine=</literal> in
233 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
bb4f798a
MB
234 for details. When prefixed with an exclamation mark (<literal>!</literal>), the result is negated.
235 If an empty string is assigned, the previously assigned value is cleared.
e735f4d4
MP
236 </para>
237 </listitem>
238 </varlistentry>
1d42b86d
MB
239 <varlistentry>
240 <term><varname>KernelVersion=</varname></term>
241 <listitem>
bb4f798a
MB
242 <para>Checks whether the kernel version (as reported by <command>uname -r</command>) matches a
243 certain expression. See <literal>ConditionKernelVersion=</literal> in
244 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
245 for details. When prefixed with an exclamation mark (<literal>!</literal>), the result is negated.
246 If an empty string is assigned, the previously assigned value is cleared.
1d42b86d
MB
247 </para>
248 </listitem>
249 </varlistentry>
e735f4d4
MP
250 <varlistentry>
251 <term><varname>Architecture=</varname></term>
252 <listitem>
bb4f798a
MB
253 <para>Checks whether the system is running on a specific architecture. See
254 <literal>ConditionArchitecture=</literal> in
e735f4d4 255 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
bb4f798a 256 for details. When prefixed with an exclamation mark (<literal>!</literal>), the result is negated.
8b3d4ff0
MB
257 If an empty string is assigned, the previously assigned value is cleared.
258 </para>
259 </listitem>
260 </varlistentry>
261 <varlistentry>
262 <term><varname>Firmware=</varname></term>
263 <listitem>
264 <para>Checks whether the system is running on a machine with the specified firmware. See
265 <literal>ConditionFirmware=</literal> in
266 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
267 for details. When prefixed with an exclamation mark (<literal>!</literal>), the result is negated.
bb4f798a 268 If an empty string is assigned, the previously assigned value is cleared.
e735f4d4
MP
269 </para>
270 </listitem>
271 </varlistentry>
272 </variablelist>
e735f4d4
MP
273 </refsect1>
274
275 <refsect1>
276 <title>[NetDev] Section Options</title>
277
a10f5d05 278 <para>The [NetDev] section accepts the
f2dec872
BR
279 following keys:</para>
280
281 <variablelist class='network-directives'>
282 <varlistentry>
283 <term><varname>Description=</varname></term>
284 <listitem>
285 <para>A free-form description of the netdev.</para>
286 </listitem>
287 </varlistentry>
288 <varlistentry>
289 <term><varname>Name=</varname></term>
290 <listitem>
291 <para>The interface name used when creating the netdev.
a10f5d05 292 This setting is compulsory.</para>
f2dec872
BR
293 </listitem>
294 </varlistentry>
295 <varlistentry>
296 <term><varname>Kind=</varname></term>
297 <listitem>
a10f5d05 298 <para>The netdev kind. This setting is compulsory. See the
f2dec872
BR
299 <literal>Supported netdev kinds</literal> section for the
300 valid keys.</para>
301 </listitem>
302 </varlistentry>
303 <varlistentry>
304 <term><varname>MTUBytes=</varname></term>
305 <listitem>
a10f5d05 306 <para>The maximum transmission unit in bytes to set for the device. The usual suffixes K, M, G
f2dec872
BR
307 are supported and are understood to the base of 1024. For <literal>tun</literal> or
308 <literal>tap</literal> devices, the <varname>MTUBytes=</varname> setting is not currently supported in
a10f5d05 309 the [NetDev] section. Please specify it in the [Link] section of the
f2dec872
BR
310 corresponding
311 <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
312 files.</para>
313 </listitem>
314 </varlistentry>
315 <varlistentry>
316 <term><varname>MACAddress=</varname></term>
317 <listitem>
318 <para>The MAC address to use for the device. For <literal>tun</literal> or <literal>tap</literal>
a10f5d05
MB
319 devices, setting <varname>MACAddress=</varname> in the [NetDev] section is not
320 supported. Please specify it in the [Link] section of the corresponding
f2dec872
BR
321 <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
322 file. If this option is not set, <literal>vlan</literal> devices inherit the MAC address of the
323 physical interface. For other kinds of netdevs, if this option is not set, then the MAC address is
324 generated based on the interface name and the
325 <citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
326 </para>
327 </listitem>
328 </varlistentry>
329 </variablelist>
e735f4d4
MP
330 </refsect1>
331
f2dec872 332 <refsect1>
6300502b
MP
333 <title>[Bridge] Section Options</title>
334
a10f5d05 335 <para>The [Bridge] section only applies for
f2dec872
BR
336 netdevs of kind <literal>bridge</literal>, and accepts the
337 following keys:</para>
338
339 <variablelist class='network-directives'>
340 <varlistentry>
341 <term><varname>HelloTimeSec=</varname></term>
342 <listitem>
343 <para>HelloTimeSec specifies the number of seconds between two hello packets
344 sent out by the root bridge and the designated bridges. Hello packets are
345 used to communicate information about the topology throughout the entire
346 bridged local area network.</para>
347 </listitem>
348 </varlistentry>
349 <varlistentry>
350 <term><varname>MaxAgeSec=</varname></term>
351 <listitem>
352 <para>MaxAgeSec specifies the number of seconds of maximum message age.
353 If the last seen (received) hello packet is more than this number of
354 seconds old, the bridge in question will start the takeover procedure
355 in an attempt to become the Root Bridge itself.</para>
356 </listitem>
357 </varlistentry>
358 <varlistentry>
359 <term><varname>ForwardDelaySec=</varname></term>
360 <listitem>
361 <para>ForwardDelaySec specifies the number of seconds spent in each
362 of the Listening and Learning states before the Forwarding state is entered.</para>
363 </listitem>
364 </varlistentry>
365 <varlistentry>
366 <term><varname>AgeingTimeSec=</varname></term>
367 <listitem>
368 <para>This specifies the number of seconds a MAC Address will be kept in
369 the forwarding database after having a packet received from this MAC Address.</para>
370 </listitem>
371 </varlistentry>
372 <varlistentry>
373 <term><varname>Priority=</varname></term>
374 <listitem>
375 <para>The priority of the bridge. An integer between 0 and 65535. A lower value
376 means higher priority. The bridge having the lowest priority will be elected as root bridge.</para>
377 </listitem>
378 </varlistentry>
379 <varlistentry>
380 <term><varname>GroupForwardMask=</varname></term>
381 <listitem>
382 <para>A 16-bit bitmask represented as an integer which allows forwarding of
383 link-local frames with 802.1D reserved addresses (01:80:C2:00:00:0X). A logical AND
384 is performed between the specified bitmask and 2^X, where X is the
385 lower nibble of the last octet of the MAC address. For example, a value of 8
386 would allow forwarding of frames addressed to 01:80:C2:00:00:03 (802.1X PAE).</para>
387 </listitem>
388 </varlistentry>
389 <varlistentry>
390 <term><varname>DefaultPVID=</varname></term>
391 <listitem>
392 <para>This specifies the default port VLAN ID of a newly attached bridge port.
393 Set this to an integer in the range 1–4094 or <literal>none</literal> to disable the PVID.</para>
394 </listitem>
395 </varlistentry>
396 <varlistentry>
397 <term><varname>MulticastQuerier=</varname></term>
398 <listitem>
399 <para>Takes a boolean. This setting controls the IFLA_BR_MCAST_QUERIER option in the kernel.
400 If enabled, the kernel will send general ICMP queries from a zero source address.
401 This feature should allow faster convergence on startup, but it causes some
402 multicast-aware switches to misbehave and disrupt forwarding of multicast packets.
403 When unset, the kernel's default will be used.
404 </para>
405 </listitem>
406 </varlistentry>
407 <varlistentry>
408 <term><varname>MulticastSnooping=</varname></term>
409 <listitem>
410 <para>Takes a boolean. This setting controls the IFLA_BR_MCAST_SNOOPING option in the kernel.
411 If enabled, IGMP snooping monitors the Internet Group Management Protocol (IGMP) traffic
412 between hosts and multicast routers. When unset, the kernel's default will be used.
413 </para>
414 </listitem>
415 </varlistentry>
416 <varlistentry>
417 <term><varname>VLANFiltering=</varname></term>
418 <listitem>
419 <para>Takes a boolean. This setting controls the IFLA_BR_VLAN_FILTERING option in the kernel.
420 If enabled, the bridge will be started in VLAN-filtering mode. When unset, the kernel's default will be used.
421 </para>
422 </listitem>
423 </varlistentry>
a10f5d05
MB
424 <varlistentry>
425 <term><varname>VLANProtocol=</varname></term>
426 <listitem>
427 <para>Allows setting the protocol used for VLAN filtering. Takes
428 <option>802.1q</option> or
429 <option>802.1ad</option>. Defaults to unset, in which case the kernel's default is used.
430 </para>
431 </listitem>
432 </varlistentry>
f2dec872
BR
433 <varlistentry>
434 <term><varname>STP=</varname></term>
435 <listitem>
436 <para>Takes a boolean. This enables the bridge's Spanning Tree Protocol (STP).
437 When unset, the kernel's default will be used.
438 </para>
439 </listitem>
440 </varlistentry>
441 <varlistentry>
442 <term><varname>MulticastIGMPVersion=</varname></term>
443 <listitem>
46cdbd49
BR
444 <para>Allows changing the bridge's multicast Internet Group Management Protocol (IGMP) version.
445 Takes an integer 2 or 3. When unset, the kernel's default will be used.
f2dec872
BR
446 </para>
447 </listitem>
448 </varlistentry>
449 </variablelist>
6300502b
MP
450 </refsect1>
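The GroupForwardMask= rule above (bit X of the mask permits forwarding of 01:80:C2:00:00:0X) is easier to review when a configured value is decoded back into the addresses it opens up. The following is an added example, not part of systemd or of this manual page; the function names, the protocol labels and the sample .netdev text are constructed for illustration, and it assumes the value is written as a decimal or 0x-prefixed integer.

```python
import configparser

# Labels for some of the 802.1D reserved addresses 01:80:C2:00:00:0X.
# Values of X not listed here are reported as "reserved".
KNOWN = {
    0x0: "STP BPDU",
    0x1: "802.3x MAC pause",
    0x2: "slow protocols (LACP)",
    0x3: "802.1X PAE",
    0xE: "LLDP",
}

# Constructed sample file: 16392 = 2^14 + 2^3.
SAMPLE_NETDEV = """\
[NetDev]
Name=br0
Kind=bridge

[Bridge]
GroupForwardMask=16392
STP=yes
"""


def decode_group_fwd_mask(mask):
    """List (address, label) for every reserved address the mask forwards."""
    if not 0 <= mask <= 0xFFFF:
        raise ValueError("GroupForwardMask is a 16-bit value")
    return [
        (f"01:80:C2:00:00:{x:02X}", KNOWN.get(x, "reserved"))
        for x in range(16)
        if mask & (1 << x)  # logical AND of the mask with 2^X
    ]


def is_forwarded(mask, mac):
    """Apply the rule to one destination MAC (colon- or hyphen-delimited)."""
    octets = mac.replace("-", ":").lower().split(":")
    if len(octets) != 6 or octets[:5] != ["01", "80", "c2", "00", "00"]:
        return False  # outside the reserved block, the mask does not apply
    try:
        last = int(octets[5], 16)
    except ValueError:
        return False
    if last > 0x0F:
        return False  # only the lower nibble X of ...:0X is covered
    return bool(mask & (1 << last))


def audit_bridge_netdev(text):
    """Decode GroupForwardMask= from the [Bridge] section of a .netdev file."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.optionxform = str  # keep key case as written
    parser.read_string(text)
    raw = parser.get("Bridge", "GroupForwardMask", fallback=None)
    if raw is None:
        return []
    # Assumption: decimal or 0x-prefixed integer.
    return decode_group_fwd_mask(int(raw.strip(), 0))


if __name__ == "__main__":
    for address, label in audit_bridge_netdev(SAMPLE_NETDEV):
        print(address, label)
```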
451
e735f4d4
MP
452 <refsect1>
453 <title>[VLAN] Section Options</title>
454
a10f5d05 455 <para>The [VLAN] section only applies for
f2dec872
BR
456 netdevs of kind <literal>vlan</literal>, and accepts the
457 following key:</para>
458
459 <variablelist class='network-directives'>
460 <varlistentry>
461 <term><varname>Id=</varname></term>
462 <listitem>
463 <para>The VLAN ID to use. An integer in the range 0–4094.
a10f5d05 464 This setting is compulsory.</para>
f2dec872
BR
465 </listitem>
466 </varlistentry>
3a6ce677
BR
467 <varlistentry>
468 <term><varname>Protocol=</varname></term>
469 <listitem>
470 <para>Allows setting the protocol used for the VLAN interface. Takes <literal>802.1q</literal> or
471 <literal>802.1ad</literal>. Defaults to unset, in which case the kernel's default is used.</para>
472 </listitem>
473 </varlistentry>
f2dec872
BR
474 <varlistentry>
475 <term><varname>GVRP=</varname></term>
476 <listitem>
477 <para>Takes a boolean. The Generic VLAN Registration Protocol (GVRP) is a protocol that
478 allows automatic learning of VLANs on a network.
479 When unset, the kernel's default will be used.
480 </para>
481 </listitem>
482 </varlistentry>
483 <varlistentry>
484 <term><varname>MVRP=</varname></term>
485 <listitem>
486 <para>Takes a boolean. Multiple VLAN Registration Protocol (MVRP), formerly known as GARP VLAN
487 Registration Protocol (GVRP), is a standards-based Layer 2 network protocol
488 for automatic configuration of VLAN information on switches. It was defined
489 in the 802.1ak amendment to 802.1Q-2005. When unset, the kernel's default will be used.
490 </para>
491 </listitem>
492 </varlistentry>
493 <varlistentry>
494 <term><varname>LooseBinding=</varname></term>
495 <listitem>
496 <para>Takes a boolean. The VLAN loose binding mode, in which only the operational state is passed
497 from the parent to the associated VLANs, but the VLAN device state is not changed.
498 When unset, the kernel's default will be used.</para>
499 </listitem>
500 </varlistentry>
501 <varlistentry>
502 <term><varname>ReorderHeader=</varname></term>
503 <listitem>
a10f5d05
MB
504 <para>Takes a boolean. When enabled, the VLAN reorder header is used and VLAN interfaces behave
505 like physical interfaces. When unset, the kernel's default will be used.</para>
f2dec872
BR
506 </listitem>
507 </varlistentry>
3a6ce677
BR
508 <varlistentry>
509 <term><varname>EgressQOSMaps=</varname></term>
510 <listitem>
511 <para>Defines a mapping of Linux internal packet priority (<constant>SO_PRIORITY</constant>) to VLAN header
512 PCP field for outgoing frames. Takes a whitespace-separated list of unsigned integer pairs in the format
513 <literal>from</literal>-<literal>to</literal>, e.g., <literal>21-7 45-5</literal>, with values in the range 1–4294967294.
514 Note that <literal>from</literal> must be greater than or equal to <literal>to</literal>. When unset,
515 the kernel's default will be used.
516 </para>
517 </listitem>
518 </varlistentry>
519 <varlistentry>
520 <term><varname>IngressQOSMaps=</varname></term>
521 <listitem>
522 <para>Defines a mapping of Linux internal packet priority (<constant>SO_PRIORITY</constant>) to VLAN header
523 PCP field for incoming frames. Takes a whitespace-separated list of unsigned integer pairs in the format
524 <literal>from</literal>-<literal>to</literal>, e.g., <literal>21-7 45-5</literal>, with values in the range 1–4294967294.
525 Note that <literal>from</literal> must be greater than or equal to <literal>to</literal>. When unset,
526 the kernel's default will be used.
527 </para>
528 </listitem>
529 </varlistentry>
f2dec872 530 </variablelist>
e735f4d4
MP
531 </refsect1>
532
533 <refsect1>
534 <title>[MACVLAN] Section Options</title>
535
a10f5d05 536 <para>The [MACVLAN] section only applies for
e735f4d4
MP
537 netdevs of kind <literal>macvlan</literal>, and accepts the
538 following key:</para>
539
540 <variablelist class='network-directives'>
541 <varlistentry>
542 <term><varname>Mode=</varname></term>
543 <listitem>
544 <para>The MACVLAN mode to use. The supported options are
545 <literal>private</literal>,
546 <literal>vepa</literal>,
a10f5d05
MB
547 <literal>bridge</literal>,
548 <literal>passthru</literal>, and
549 <literal>source</literal>.
e735f4d4
MP
550 </para>
551 </listitem>
552 </varlistentry>
a10f5d05
MB
553 <varlistentry>
554 <term><varname>SourceMACAddress=</varname></term>
555 <listitem>
556 <para>A whitespace-separated list of remote hardware addresses allowed on the MACVLAN. This
557 option only has an effect in source mode. Use full colon-, hyphen- or dot-delimited
558 hexadecimal. This option may appear more than once, in which case the lists are merged. If
559 the empty string is assigned to this option, the list of hardware addresses defined prior
560 to this is reset. Defaults to unset.</para>
561 </listitem>
562 </varlistentry>
3a6ce677
BR
563 <varlistentry>
564 <term><varname>BroadcastMulticastQueueLength=</varname></term>
565 <listitem>
566 <para>Specifies the length of the receive queue for broadcast/multicast packets. An unsigned
567 integer in the range 0…4294967294. Defaults to unset.</para>
568 </listitem>
569 </varlistentry>
e735f4d4 570 </variablelist>
e735f4d4
MP
571 </refsect1>
572
f2dec872 573 <refsect1>
7035cd9e
MP
574 <title>[MACVTAP] Section Options</title>
575
a032b68d
MB
576 <para>The [MACVTAP] section applies for netdevs of kind <literal>macvtap</literal> and accepts the same
577 keys as [MACVLAN].</para>
f2dec872 578 </refsect1>
7035cd9e 579
e735f4d4
MP
580 <refsect1>
581 <title>[IPVLAN] Section Options</title>
582
a10f5d05 583 <para>The [IPVLAN] section only applies for
e735f4d4
MP
584 netdevs of kind <literal>ipvlan</literal>, and accepts the
585 following key:</para>
586
587 <variablelist class='network-directives'>
588 <varlistentry>
589 <term><varname>Mode=</varname></term>
f2dec872
BR
590 <listitem>
591 <para>The IPVLAN mode to use. The supported options are
592 <literal>L2</literal>, <literal>L3</literal> and <literal>L3S</literal>.
593 </para>
594 </listitem>
1d42b86d 595 </varlistentry>
f2dec872 596 <varlistentry>
1d42b86d 597 <term><varname>Flags=</varname></term>
f2dec872
BR
598 <listitem>
599 <para>The IPVLAN flags to use. The supported options are
600 <literal>bridge</literal>, <literal>private</literal> and <literal>vepa</literal>.
601 </para>
602 </listitem>
e735f4d4
MP
603 </varlistentry>
604 </variablelist>
f2dec872
BR
605 </refsect1>
606
607 <refsect1>
608 <title>[IPVTAP] Section Options</title>
e735f4d4 609
a032b68d
MB
610 <para>The [IPVTAP] section only applies for netdevs of kind <literal>ipvtap</literal> and accepts the
611 same keys as [IPVLAN].</para>
e735f4d4
MP
612 </refsect1>
613
614 <refsect1>
615 <title>[VXLAN] Section Options</title>
f2dec872 616
a10f5d05 617 <para>The [VXLAN] section only applies for
e735f4d4
MP
618 netdevs of kind <literal>vxlan</literal>, and accepts the
619 following keys:</para>
620
621 <variablelist class='network-directives'>
622 <varlistentry>
f2dec872 623 <term><varname>VNI=</varname></term>
e735f4d4 624 <listitem>
3a6ce677 625 <para>The VXLAN Network Identifier (or VXLAN Segment ID). Takes a number in the range 1…16777215.</para>
e735f4d4
MP
626 </listitem>
627 </varlistentry>
628 <varlistentry>
2897b343 629 <term><varname>Remote=</varname></term>
e735f4d4 630 <listitem>
98393f85 631 <para>Configures the destination IP address.</para>
e735f4d4
MP
632 </listitem>
633 </varlistentry>
634 <varlistentry>
2897b343
MP
635 <term><varname>Local=</varname></term>
636 <listitem>
637 <para>Configures the local IP address.</para>
638 </listitem>
639 </varlistentry>
f2dec872
BR
640 <varlistentry>
641 <term><varname>Group=</varname></term>
642 <listitem>
a10f5d05
MB
643 <para>Configures the VXLAN multicast group IP address. All members of a VXLAN must use the same
644 multicast group address.</para>
f2dec872
BR
645 </listitem>
646 </varlistentry>
647 <varlistentry>
e735f4d4
MP
648 <term><varname>TOS=</varname></term>
649 <listitem>
650 <para>The Type Of Service byte value for a vxlan interface.</para>
651 </listitem>
652 </varlistentry>
653 <varlistentry>
654 <term><varname>TTL=</varname></term>
655 <listitem>
f2dec872
BR
656 <para>A fixed Time To Live N on Virtual eXtensible Local Area Network packets.
657 Takes <literal>inherit</literal> or a number in the range 0–255. 0 is a special
658 value meaning inherit the inner protocol's TTL value. <literal>inherit</literal>
659 means that it will inherit the outer protocol's TTL value.</para>
e735f4d4
MP
660 </listitem>
661 </varlistentry>
662 <varlistentry>
663 <term><varname>MacLearning=</varname></term>
664 <listitem>
6e866b33 665 <para>Takes a boolean. When true, enables dynamic MAC learning
e735f4d4
MP
666 to discover remote MAC addresses.</para>
667 </listitem>
668 </varlistentry>
669 <varlistentry>
670 <term><varname>FDBAgeingSec=</varname></term>
671 <listitem>
672 <para>The lifetime of a Forwarding Database entry learnt by
db2df898
MP
673 the kernel, in seconds.</para>
674 </listitem>
675 </varlistentry>
676 <varlistentry>
677 <term><varname>MaximumFDBEntries=</varname></term>
678 <listitem>
679 <para>Configures maximum number of FDB entries.</para>
e735f4d4
MP
680 </listitem>
681 </varlistentry>
682 <varlistentry>
2897b343 683 <term><varname>ReduceARPProxy=</varname></term>
e735f4d4 684 <listitem>
6e866b33 685 <para>Takes a boolean. When true, bridge-connected VXLAN tunnel
2897b343
MP
686 endpoint answers ARP requests from the local bridge on behalf
687 of remote Distributed Overlay Virtual Ethernet
688 <ulink url="https://en.wikipedia.org/wiki/Distributed_Overlay_Virtual_Ethernet">
689 (DOVE)</ulink> clients. Defaults to false.</para>
e735f4d4
MP
690 </listitem>
691 </varlistentry>
692 <varlistentry>
693 <term><varname>L2MissNotification=</varname></term>
694 <listitem>
6e866b33 695 <para>Takes a boolean. When true, enables netlink LLADDR miss
e735f4d4
MP
696 notifications.</para>
697 </listitem>
698 </varlistentry>
699 <varlistentry>
700 <term><varname>L3MissNotification=</varname></term>
701 <listitem>
a10f5d05 702 <para>Takes a boolean. When true, enables netlink IP address miss notifications.</para>
e735f4d4
MP
703 </listitem>
704 </varlistentry>
705 <varlistentry>
706 <term><varname>RouteShortCircuit=</varname></term>
707 <listitem>
6e866b33 708 <para>Takes a boolean. When true, route short circuiting is turned
e735f4d4
MP
709 on.</para>
710 </listitem>
711 </varlistentry>
e3bff60a 712 <varlistentry>
8a584da2 713 <term><varname>UDPChecksum=</varname></term>
e3bff60a 714 <listitem>
6e866b33 715 <para>Takes a boolean. When true, transmitting UDP checksums when doing VXLAN/IPv4 is turned on.</para>
e3bff60a
MP
716 </listitem>
717 </varlistentry>
718 <varlistentry>
719 <term><varname>UDP6ZeroChecksumTx=</varname></term>
720 <listitem>
6e866b33 721 <para>Takes a boolean. When true, sending zero checksums in VXLAN/IPv6 is turned on.</para>
e3bff60a
MP
722 </listitem>
723 </varlistentry>
724 <varlistentry>
8a584da2 725 <term><varname>UDP6ZeroChecksumRx=</varname></term>
e3bff60a 726 <listitem>
6e866b33 727 <para>Takes a boolean. When true, receiving zero checksums in VXLAN/IPv6 is turned on.</para>
8a584da2
MP
728 </listitem>
729 </varlistentry>
730 <varlistentry>
731 <term><varname>RemoteChecksumTx=</varname></term>
732 <listitem>
6e866b33 733 <para>Takes a boolean. When true, remote transmit checksum offload of VXLAN is turned on.</para>
8a584da2
MP
734 </listitem>
735 </varlistentry>
736 <varlistentry>
737 <term><varname>RemoteChecksumRx=</varname></term>
738 <listitem>
6e866b33 739 <para>Takes a boolean. When true, remote receive checksum offload in VXLAN is turned on.</para>
e3bff60a
MP
740 </listitem>
741 </varlistentry>
f2dec872
BR
742 <varlistentry>
743 <term><varname>GroupPolicyExtension=</varname></term>
744 <listitem>
745 <para>Takes a boolean. When true, it enables Group Policy VXLAN extension security label mechanism
746 across network peers based on VXLAN. For details about the Group Policy VXLAN, see the
747 <ulink url="https://tools.ietf.org/html/draft-smith-vxlan-group-policy">
748 VXLAN Group Policy </ulink> document. Defaults to false.</para>
749 </listitem>
750 </varlistentry>
751 <varlistentry>
752 <term><varname>GenericProtocolExtension=</varname></term>
753 <listitem>
754 <para>Takes a boolean. When true, Generic Protocol Extension extends the existing VXLAN protocol
755 to provide protocol typing, OAM, and versioning capabilities. For details about the VXLAN GPE
756 Header, see the <ulink url="https://tools.ietf.org/html/draft-ietf-nvo3-vxlan-gpe-07">
757 Generic Protocol Extension for VXLAN </ulink> document. If destination port is not specified and
758 Generic Protocol Extension is set then default port of 4790 is used. Defaults to false.</para>
759 </listitem>
760 </varlistentry>
761 <varlistentry>
762 <term><varname>DestinationPort=</varname></term>
763 <listitem>
a032b68d
MB
764 <para>Configures the default destination UDP port. If the destination port is not specified then
765 Linux kernel default will be used. Set to 4789 to get the IANA assigned value.</para>
f2dec872
BR
766 </listitem>
767 </varlistentry>
768 <varlistentry>
769 <term><varname>PortRange=</varname></term>
4c89c718 770 <listitem>
a032b68d
MB
771 <para>Configures the source port range for the VXLAN. The kernel assigns the source UDP port based
772 on the flow to help the receiver to do load balancing. When this option is not set, the normal
773 range of local UDP ports is used.</para>
4c89c718
MP
774 </listitem>
775 </varlistentry>
f2dec872
BR
776 <varlistentry>
777 <term><varname>FlowLabel=</varname></term>
81c58355
MB
778 <listitem>
779 <para>Specifies the flow label to use in outgoing packets.
780 The valid range is 0-1048575.
781 </para>
782 </listitem>
783 </varlistentry>
f2dec872
BR
784 <varlistentry>
785 <term><varname>IPDoNotFragment=</varname></term>
786 <listitem>
46cdbd49 787 <para>Allows setting the IPv4 Do not Fragment (DF) bit in outgoing packets, or to inherit its
f2dec872
BR
788 value from the IPv4 inner header. Takes a boolean value, or <literal>inherit</literal>. Set
789 to <literal>inherit</literal> if the encapsulated protocol is IPv6. When unset, the kernel's
790 default will be used.</para>
791 </listitem>
792 </varlistentry>
81c58355
MB
793 </variablelist>
794 </refsect1>
f2dec872 795
81c58355
MB
796 <refsect1>
797 <title>[GENEVE] Section Options</title>
f2dec872 798
a10f5d05 799 <para>The [GENEVE] section only applies for
81c58355
MB
800 netdevs of kind <literal>geneve</literal>, and accepts the
801 following keys:</para>
802
803 <variablelist class='network-directives'>
804 <varlistentry>
805 <term><varname>Id=</varname></term>
806 <listitem>
9e294e28
MB
807 <para>Specifies the Virtual Network Identifier (VNI) to use, a number between 0 and 16777215. This
808 field is mandatory.</para>
81c58355
MB
809 </listitem>
810 </varlistentry>
811 <varlistentry>
812 <term><varname>Remote=</varname></term>
813 <listitem>
814 <para>Specifies the unicast destination IP address to use in outgoing packets.</para>
815 </listitem>
816 </varlistentry>
817 <varlistentry>
818 <term><varname>TOS=</varname></term>
819 <listitem>
9e294e28 820 <para>Specifies the TOS value to use in outgoing packets. Takes a number between 1 and 255.</para>
81c58355
MB
821 </listitem>
822 </varlistentry>
823 <varlistentry>
824 <term><varname>TTL=</varname></term>
825 <listitem>
a10f5d05
MB
826 <para>Accepts the same values as in the [VXLAN] section, except that when unset
827 or set to 0, the kernel's default will be used, meaning that packet TTL will be set from
f2dec872 828 <filename>/proc/sys/net/ipv4/ip_default_ttl</filename>.</para>
81c58355
MB
829 </listitem>
830 </varlistentry>
831 <varlistentry>
832 <term><varname>UDPChecksum=</varname></term>
833 <listitem>
a10f5d05
MB
834 <para>Takes a boolean. When true, specifies that UDP checksum is calculated for transmitted packets
835 over IPv4.</para>
81c58355
MB
836 </listitem>
837 </varlistentry>
838 <varlistentry>
839 <term><varname>UDP6ZeroChecksumTx=</varname></term>
840 <listitem>
6e866b33 841 <para>Takes a boolean. When true, skip UDP checksum calculation for transmitted packets over IPv6.</para>
81c58355
MB
842 </listitem>
843 </varlistentry>
844 <varlistentry>
845 <term><varname>UDP6ZeroChecksumRx=</varname></term>
846 <listitem>
6e866b33 847 <para>Takes a boolean. When true, allows incoming UDP packets over IPv6 with zero checksum field.</para>
81c58355
MB
848 </listitem>
849 </varlistentry>
f2dec872
BR
850 <varlistentry>
851 <term><varname>DestinationPort=</varname></term>
852 <listitem>
853 <para>Specifies destination port. Defaults to 6081. If not set or assigned the empty string, the default
854 port of 6081 is used.</para>
855 </listitem>
856 </varlistentry>
857 <varlistentry>
858 <term><varname>FlowLabel=</varname></term>
81c58355
MB
859 <listitem>
860 <para>Specifies the flow label to use in outgoing packets.</para>
861 </listitem>
862 </varlistentry>
f2dec872
BR
863 <varlistentry>
864 <term><varname>IPDoNotFragment=</varname></term>
865 <listitem>
a032b68d
MB
866 <para>Accepts the same key as in [VXLAN] section.</para>
867 </listitem>
868 </varlistentry>
869 <varlistentry>
870 <term><varname>Independent=</varname></term>
871 <listitem>
9e294e28
MB
872 <para>Takes a boolean. When true, the vxlan interface is created without any underlying network
873 interface. Defaults to false, which means that a .network file that requests this tunnel using
874 <varname>Tunnel=</varname> is required for the tunnel to be created.</para>
a032b68d
MB
875 </listitem>
876 </varlistentry>
877 </variablelist>
878 </refsect1>
879
880 <refsect1>
881 <title>[BareUDP] Section Options</title>
882
883 <para>The [BareUDP] section only applies for
884 netdevs of kind <literal>bareudp</literal>, and accepts the
885 following keys:</para>
886
887 <variablelist class='network-directives'>
888 <varlistentry>
889 <term><varname>DestinationPort=</varname></term>
890 <listitem>
891 <para>Specifies the destination UDP port (in range 1…65535). This is mandatory.</para>
892 </listitem>
893 </varlistentry>
894
895 <varlistentry>
896 <term><varname>EtherType=</varname></term>
897 <listitem>
898 <para>Specifies the L3 protocol. Takes one of <literal>ipv4</literal>, <literal>ipv6</literal>, <literal>mpls-uc</literal>
899 or <literal>mpls-mc</literal>. This is mandatory.</para>
f2dec872
BR
900 </listitem>
901 </varlistentry>
e735f4d4
MP
902 </variablelist>
903 </refsect1>
f2dec872 904
bb4f798a
MB
905 <refsect1>
906 <title>[L2TP] Section Options</title>
f2dec872 907
a10f5d05 908 <para>The [L2TP] section only applies for
bb4f798a
MB
909 netdevs of kind <literal>l2tp</literal>, and accepts the
910 following keys:</para>
911
912 <variablelist class='network-directives'>
913 <varlistentry>
914 <term><varname>TunnelId=</varname></term>
915 <listitem>
a10f5d05
MB
916 <para>Specifies the tunnel identifier. Takes a number in the range 1–4294967295. The value used
917 must match the <literal>PeerTunnelId=</literal> value being used at the peer. This setting is
918 compulsory.</para>
bb4f798a
MB
919 </listitem>
920 </varlistentry>
921 <varlistentry>
922 <term><varname>PeerTunnelId=</varname></term>
923 <listitem>
3a6ce677 924 <para>Specifies the peer tunnel id. Takes a number in the range 1…4294967295. The value used must
a032b68d
MB
925 match the <literal>TunnelId=</literal> value being used at the peer. This setting is compulsory.
926 </para>
bb4f798a
MB
927 </listitem>
928 </varlistentry>
929 <varlistentry>
930 <term><varname>Remote=</varname></term>
931 <listitem>
a10f5d05 932 <para>Specifies the IP address of the remote peer. This setting is compulsory.</para>
bb4f798a
MB
933 </listitem>
934 </varlistentry>
935 <varlistentry>
936 <term><varname>Local=</varname></term>
937 <listitem>
938 <para>Specifies the IP address of the local interface. Takes an IP address, or the special values
939 <literal>auto</literal>, <literal>static</literal>, or <literal>dynamic</literal>. When an address
940 is set, then the local interface must have the address. If <literal>auto</literal>, then one of the
941 addresses on the local interface is used. Similarly, if <literal>static</literal> or
942 <literal>dynamic</literal> is set, then one of the static or dynamic addresses on the local
943 interface is used. Defaults to <literal>auto</literal>.</para>
944 </listitem>
945 </varlistentry>
946 <varlistentry>
947 <term><varname>EncapsulationType=</varname></term>
948 <listitem>
a10f5d05
MB
949 <para>Specifies the encapsulation type of the tunnel. Takes one of <literal>udp</literal> or
950 <literal>ip</literal>.</para>
bb4f798a
MB
951 </listitem>
952 </varlistentry>
953 <varlistentry>
954 <term><varname>UDPSourcePort=</varname></term>
955 <listitem>
a10f5d05
MB
956 <para>Specifies the UDP source port to be used for the tunnel. When UDP encapsulation is selected
957 it's mandatory. Ignored when IP encapsulation is selected.</para>
bb4f798a
MB
958 </listitem>
959 </varlistentry>
960 <varlistentry>
46cdbd49 961 <term><varname>UDPDestinationPort=</varname></term>
bb4f798a 962 <listitem>
a10f5d05 963 <para>Specifies destination port. When UDP encapsulation is selected it's mandatory. Ignored when IP
bb4f798a
MB
964 encapsulation is selected.</para>
965 </listitem>
966 </varlistentry>
967 <varlistentry>
968 <term><varname>UDPChecksum=</varname></term>
969 <listitem>
a10f5d05
MB
970 <para>Takes a boolean. When true, specifies that UDP checksum is calculated for transmitted packets
971 over IPv4.</para>
bb4f798a
MB
972 </listitem>
973 </varlistentry>
974 <varlistentry>
975 <term><varname>UDP6ZeroChecksumTx=</varname></term>
976 <listitem>
977 <para>Takes a boolean. When true, skip UDP checksum calculation for transmitted packets over IPv6.</para>
978 </listitem>
979 </varlistentry>
980 <varlistentry>
981 <term><varname>UDP6ZeroChecksumRx=</varname></term>
982 <listitem>
983 <para>Takes a boolean. When true, allows incoming UDP packets over IPv6 with zero checksum field.</para>
984 </listitem>
985 </varlistentry>
986 </variablelist>
987 </refsect1>
f2dec872 988
bb4f798a
MB
989 <refsect1>
990 <title>[L2TPSession] Section Options</title>
f2dec872 991
a10f5d05 992 <para>The [L2TPSession] section only applies for
bb4f798a
MB
993 netdevs of kind <literal>l2tp</literal>, and accepts the
994 following keys:</para>
995 <variablelist class='network-directives'>
996 <varlistentry>
997 <term><varname>Name=</varname></term>
998 <listitem>
a10f5d05 999 <para>Specifies the name of the session. This setting is compulsory.</para>
bb4f798a
MB
1000 </listitem>
1001 </varlistentry>
1002 <varlistentry>
1003 <term><varname>SessionId=</varname></term>
1004 <listitem>
a10f5d05
MB
1005 <para>Specifies the session identifier. Takes a number in the range 1–4294967295. The value used
1006 must match the <literal>SessionId=</literal> value being used at the peer. This setting is
1007 compulsory.</para>
bb4f798a
MB
1008 </listitem>
1009 </varlistentry>
1010 <varlistentry>
1011 <term><varname>PeerSessionId=</varname></term>
1012 <listitem>
a10f5d05
MB
1013 <para>Specifies the peer session identifier. Takes a number in the range 1–4294967295.
1014 The value used must match the <literal>PeerSessionId=</literal> value being used at the peer.
1015 This setting is compulsory.</para>
bb4f798a
MB
1016 </listitem>
1017 </varlistentry>
1018 <varlistentry>
1019 <term><varname>Layer2SpecificHeader=</varname></term>
1020 <listitem>
1021 <para>Specifies layer2specific header type of the session. One of <literal>none</literal> or <literal>default</literal>. Defaults to <literal>default</literal>.</para>
1022 </listitem>
1023 </varlistentry>
1024 </variablelist>
1025 </refsect1>
f2dec872
BR
1026
1027 <refsect1>
1028 <title>[MACsec] Section Options</title>
1029
a10f5d05 1030 <para>The [MACsec] section only applies for network devices of kind
f2dec872
BR
1031 <literal>macsec</literal>, and accepts the following keys:</para>
1032
1033 <variablelist class='network-directives'>
1034 <varlistentry>
1035 <term><varname>Port=</varname></term>
1036 <listitem>
1037 <para>Specifies the port to be used for the MACsec transmit channel. The port is used to make
1038 the secure channel identifier (SCI). Takes a value between 1 and 65535. Defaults to unset.
1039 </para>
1040 </listitem>
1041 </varlistentry>
1042 <varlistentry>
1043 <term><varname>Encrypt=</varname></term>
1044 <listitem>
1045 <para>Takes a boolean. When true, enable encryption. Defaults to unset.</para>
1046 </listitem>
1047 </varlistentry>
1048 </variablelist>
1049 </refsect1>
1050
1051 <refsect1>
1052 <title>[MACsecReceiveChannel] Section Options</title>
a10f5d05 1053 <para>The [MACsecReceiveChannel] section only applies for network devices of
f2dec872
BR
1054 kind <literal>macsec</literal>, and accepts the following keys:</para>
1055
1056 <variablelist class='network-directives'>
1057 <varlistentry>
1058 <term><varname>Port=</varname></term>
1059 <listitem>
1060 <para>Specifies the port to be used for the MACsec receive channel. The port is used to make
1061 the secure channel identifier (SCI). Takes a value between 1 and 65535. This option is
1062 compulsory, and is not set by default.</para>
1063 </listitem>
1064 </varlistentry>
1065 <varlistentry>
1066 <term><varname>MACAddress=</varname></term>
1067 <listitem>
1068 <para>Specifies the MAC address to be used for the MACsec receive channel. The MAC address
a10f5d05 1069 is used to make the secure channel identifier (SCI). This setting is compulsory, and is not set by
f2dec872
BR
1070 default.</para>
1071 </listitem>
1072 </varlistentry>
1073 </variablelist>
1074 </refsect1>
1075
1076 <refsect1>
1077 <title>[MACsecTransmitAssociation] Section Options</title>
1078
a10f5d05 1079 <para>The [MACsecTransmitAssociation] section only applies for network devices
f2dec872
BR
1080 of kind <literal>macsec</literal>, and accepts the following keys:</para>
1081
1082 <variablelist class='network-directives'>
1083 <varlistentry>
1084 <term><varname>PacketNumber=</varname></term>
1085 <listitem>
1086 <para>Specifies the packet number to be used for replay protection and the construction of
1087 the initialization vector (along with the secure channel identifier [SCI]). Takes a value
1088 between 1 and 4,294,967,295. Defaults to unset.
1089 </para>
1090 </listitem>
1091 </varlistentry>
1092 <varlistentry>
1093 <term><varname>KeyId=</varname></term>
1094 <listitem>
1095 <para>Specifies the identification for the key. Takes a number between 0 and 255. This option
1096 is compulsory, and is not set by default.</para>
1097 </listitem>
1098 </varlistentry>
1099 <varlistentry>
1100 <term><varname>Key=</varname></term>
1101 <listitem>
1102 <para>Specifies the encryption key used in the transmission channel. The same key must be
a10f5d05 1103 configured on the peer’s matching receive channel. This setting is compulsory, and is not set
f2dec872
BR
1104 by default. Takes a 128-bit key encoded in a hexadecimal string, for example
1105 <literal>dffafc8d7b9a43d5b9a3dfbbf6a30c16</literal>.</para>
1106 </listitem>
1107 </varlistentry>
1108 <varlistentry>
1109 <term><varname>KeyFile=</varname></term>
1110 <listitem>
a10f5d05
MB
1111 <para>Takes an absolute path to a file which contains a 128-bit key encoded in a hexadecimal string,
1112 which will be used in the transmission channel. When this option is specified,
f2dec872
BR
1113 <varname>Key=</varname> is ignored. Note that the file must be readable by the user
1114 <literal>systemd-network</literal>, so it should be, e.g., owned by
a10f5d05
MB
1115 <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode. If the path
1116 refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is made to
1117 it and the key read from it.</para>
f2dec872
BR
1118 </listitem>
1119 </varlistentry>
1120 <varlistentry>
1121 <term><varname>Activate=</varname></term>
1122 <listitem>
1123 <para>Takes a boolean. If enabled, then the security association is activated. Defaults to
1124 unset.</para>
1125 </listitem>
1126 </varlistentry>
1127 <varlistentry>
1128 <term><varname>UseForEncoding=</varname></term>
1129 <listitem>
1130 <para>Takes a boolean. If enabled, then the security association is used for encoding. Only
a10f5d05 1131 one [MACsecTransmitAssociation] section can enable this option. When enabled,
f2dec872
BR
1132 <varname>Activate=yes</varname> is implied. Defaults to unset.</para>
1133 </listitem>
1134 </varlistentry>
1135 </variablelist>
1136 </refsect1>
1137
1138 <refsect1>
1139 <title>[MACsecReceiveAssociation] Section Options</title>
1140
a10f5d05 1141 <para>The [MACsecReceiveAssociation] section only applies for
f2dec872
BR
1142 network devices of kind <literal>macsec</literal>, and accepts the
1143 following keys:</para>
1144
1145 <variablelist class='network-directives'>
1146 <varlistentry>
1147 <term><varname>Port=</varname></term>
1148 <listitem>
a032b68d 1149 <para>Accepts the same key as in [MACsecReceiveChannel] section.</para>
f2dec872
BR
1150 </listitem>
1151 </varlistentry>
1152 <varlistentry>
1153 <term><varname>MACAddress=</varname></term>
1154 <listitem>
a032b68d 1155 <para>Accepts the same key as in [MACsecReceiveChannel] section.</para>
f2dec872
BR
1156 </listitem>
1157 </varlistentry>
1158 <varlistentry>
1159 <term><varname>PacketNumber=</varname></term>
1160 <listitem>
a032b68d 1161 <para>Accepts the same key as in [MACsecTransmitAssociation] section.</para>
f2dec872
BR
1162 </listitem>
1163 </varlistentry>
1164 <varlistentry>
1165 <term><varname>KeyId=</varname></term>
1166 <listitem>
a032b68d 1167 <para>Accepts the same key as in [MACsecTransmitAssociation] section.</para>
f2dec872
BR
1168 </listitem>
1169 </varlistentry>
1170 <varlistentry>
1171 <term><varname>Key=</varname></term>
1172 <listitem>
a032b68d 1173 <para>Accepts the same key as in [MACsecTransmitAssociation] section.</para>
f2dec872
BR
1174 </listitem>
1175 </varlistentry>
1176 <varlistentry>
1177 <term><varname>KeyFile=</varname></term>
1178 <listitem>
a032b68d 1179 <para>Accepts the same key as in [MACsecTransmitAssociation] section.</para>
f2dec872
BR
1180 </listitem>
1181 </varlistentry>
1182 <varlistentry>
1183 <term><varname>Activate=</varname></term>
1184 <listitem>
a032b68d 1185 <para>Accepts the same key as in [MACsecTransmitAssociation] section.</para>
f2dec872
BR
1186 </listitem>
1187 </varlistentry>
1188 </variablelist>
1189 </refsect1>
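The MACsec association options above carry several constraints that are easy to get wrong in a real file: <varname>KeyId=</varname> range, the 128-bit hex key format, <varname>KeyFile=</varname> permissions, and a single <varname>UseForEncoding=</varname> section. The following audit script is an added example, not part of systemd or of this man page; the function names, the sample file contents, the MAC address and the key written to the temporary key files are constructed, and it assumes a key file holds only the hex key plus optional whitespace.

```python
import os
import re
import stat
import tempfile

ASSOCIATIONS = ("MACsecTransmitAssociation", "MACsecReceiveAssociation")
HEX128 = re.compile(r"[0-9a-fA-F]{32}")  # 128-bit key as 32 hex digits
TRUE = {"1", "yes", "y", "true", "t", "on"}

# Constructed sample; {good} and {loose} are filled in by demo().
SAMPLE = """\
[NetDev]
Name=macsec0
Kind=macsec

[MACsecTransmitAssociation]
KeyId=1
KeyFile={good}
UseForEncoding=yes

[MACsecTransmitAssociation]
KeyId=300
Key=dffafc8d7b9a43d5b9a3dfbbf6a30c16
UseForEncoding=yes

[MACsecReceiveAssociation]
Port=1
MACAddress=02:00:00:00:00:01
KeyId=1
KeyFile={loose}
"""


def parse_netdev(text):
    """Return [(section, {key: value})]. Repeated sections stay separate,
    which configparser would reject as duplicates."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = value.strip()
    return sections


def check_key_file(path):
    """Findings for a KeyFile= target."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return [f"KeyFile {path}: {exc.strerror}"]
    if stat.S_ISSOCK(st.st_mode):
        return []  # AF_UNIX socket: the key is read over a connection
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o007:
        findings.append(f"KeyFile {path}: mode {mode:04o} grants access to "
                        "other users; the page suggests 0640")
    # Assumption: the file holds only the hex key plus optional whitespace.
    with open(path, encoding="ascii", errors="replace") as fh:
        if not HEX128.fullmatch(fh.read().strip()):
            findings.append(f"KeyFile {path}: content is not a 128-bit hex key")
    return findings


def audit_macsec(text):
    """Check every MACsec association section against the documented rules."""
    findings, encoders = [], 0
    for n, (name, opts) in enumerate(parse_netdev(text), 1):
        if name not in ASSOCIATIONS:
            continue
        where = f"section {n} [{name}]"
        key_id = opts.get("KeyId", "")
        if not (key_id.isascii() and key_id.isdigit() and int(key_id) <= 255):
            findings.append(f"{where}: KeyId= is compulsory, range 0-255")
        if "KeyFile" in opts:
            if "Key" in opts:
                findings.append(f"{where}: Key= is ignored when KeyFile= is set")
            findings += check_key_file(opts["KeyFile"])
        elif "Key" in opts:
            if not HEX128.fullmatch(opts["Key"]):
                findings.append(f"{where}: Key= is not a 128-bit hex string")
            findings.append(f"{where}: inline Key= keeps the secret in the "
                            ".netdev file; check its mode or use KeyFile=")
        else:
            findings.append(f"{where}: neither Key= nor KeyFile= is set")
        if (name == "MACsecTransmitAssociation"
                and opts.get("UseForEncoding", "").lower() in TRUE):
            encoders += 1
    if encoders > 1:
        findings.append("UseForEncoding= is enabled in more than one "
                        "[MACsecTransmitAssociation] section")
    return findings


def demo():
    """Audit the constructed sample with one 0640 and one 0644 key file."""
    with tempfile.TemporaryDirectory() as tmp:
        good, loose = os.path.join(tmp, "tx.key"), os.path.join(tmp, "rx.key")
        for path, mode in ((good, 0o640), (loose, 0o644)):
            with open(path, "w") as fh:
                fh.write("00112233445566778899aabbccddeeff\n")  # constructed
            os.chmod(path, mode)
        return audit_macsec(SAMPLE.format(good=good, loose=loose))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Ownership (<literal>root:systemd-network</literal>) is not checked here because the group ID differs between hosts.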
1190
e735f4d4
MP
1191 <refsect1>
1192 <title>[Tunnel] Section Options</title>
1193
a10f5d05 1194 <para>The [Tunnel] section only applies for
e735f4d4
MP
1195 netdevs of kind
1196 <literal>ipip</literal>,
1197 <literal>sit</literal>,
1198 <literal>gre</literal>,
1199 <literal>gretap</literal>,
1200 <literal>ip6gre</literal>,
1201 <literal>ip6gretap</literal>,
e3bff60a 1202 <literal>vti</literal>,
bb4f798a
MB
1203 <literal>vti6</literal>,
1204 <literal>ip6tnl</literal>, and
1205 <literal>erspan</literal> and accepts
e735f4d4
MP
1206 the following keys:</para>
1207
1208 <variablelist class='network-directives'>
1209 <varlistentry>
1210 <term><varname>Local=</varname></term>
1211 <listitem>
bb4f798a
MB
1212 <para>A static local address for tunneled packets. It must be an address on another interface of
1213 this host, or the special value <literal>any</literal>.</para>
e735f4d4
MP
1214 </listitem>
1215 </varlistentry>
1216 <varlistentry>
1217 <term><varname>Remote=</varname></term>
1218 <listitem>
bb4f798a
MB
1219 <para>The remote endpoint of the tunnel. Takes an IP address or the special value
1220 <literal>any</literal>.</para>
e735f4d4
MP
1221 </listitem>
1222 </varlistentry>
1223 <varlistentry>
1224 <term><varname>TOS=</varname></term>
1225 <listitem>
1226 <para>The Type Of Service byte value for a tunnel interface.
db2df898 1227 For details about the TOS, see the
e735f4d4
MP
1228 <ulink url="http://tools.ietf.org/html/rfc1349"> Type of
1229 Service in the Internet Protocol Suite </ulink> document.
1230 </para>
1231 </listitem>
1232 </varlistentry>
1233 <varlistentry>
1234 <term><varname>TTL=</varname></term>
1235 <listitem>
1236 <para>A fixed Time To Live N on tunneled packets. N is a
db2df898 1237 number in the range 1–255. 0 is a special value meaning that
e735f4d4 1238 packets inherit the TTL value. The default value for IPv4
a10f5d05 1239 tunnels is 0 (inherit). The default value for IPv6 tunnels is
e735f4d4
MP
1240 64.</para>
1241 </listitem>
1242 </varlistentry>
1243 <varlistentry>
1244 <term><varname>DiscoverPathMTU=</varname></term>
1245 <listitem>
6e866b33 1246 <para>Takes a boolean. When true, enables Path MTU Discovery on
e735f4d4
MP
1247 the tunnel.</para>
1248 </listitem>
1249 </varlistentry>
7035cd9e
MP
1250 <varlistentry>
1251 <term><varname>IPv6FlowLabel=</varname></term>
1252 <listitem>
db2df898 1253 <para>Configures the 20-bit flow label (see <ulink url="https://tools.ietf.org/html/rfc6437">
7035cd9e 1254 RFC 6437</ulink>) field in the IPv6 header (see <ulink url="https://tools.ietf.org/html/rfc2460">
db2df898
MP
1255 RFC 2460</ulink>), which is used by a node to label packets of a flow.
1256 It is only used for IPv6 tunnels.
1257 A flow label of zero is used to indicate packets that have
1258 not been labeled.
1259 It can be configured to a value in the range 0–0xFFFFF, or be
1260 set to <literal>inherit</literal>, in which case the original flowlabel is used.</para>
7035cd9e
MP
1261 </listitem>
1262 </varlistentry>
1263 <varlistentry>
1264 <term><varname>CopyDSCP=</varname></term>
1265 <listitem>
6e866b33 1266 <para>Takes a boolean. When true, the Differentiated Service Code
7035cd9e
MP
1267 Point (DSCP) field will be copied to the inner header from
1268 outer header during the decapsulation of an IPv6 tunnel
1269 packet. DSCP is a field in an IP packet that enables different
1270 levels of service to be assigned to network traffic.
1271 Defaults to <literal>no</literal>.
1272 </para>
1273 </listitem>
1274 </varlistentry>
d9dfd233
MP
1275 <varlistentry>
1276 <term><varname>EncapsulationLimit=</varname></term>
1277 <listitem>
1278 <para>The Tunnel Encapsulation Limit option specifies how many additional
1279 levels of encapsulation are permitted to be prepended to the packet.
1280 For example, a Tunnel Encapsulation Limit option containing a limit
1281 value of zero means that a packet carrying that option may not enter
1282 another tunnel before exiting the current tunnel.
1283 (see <ulink url="https://tools.ietf.org/html/rfc2473#section-4.1.1"> RFC 2473</ulink>).
db2df898 1284 The valid range is 0–255 and <literal>none</literal>. Defaults to 4.
d9dfd233
MP
1285 </para>
1286 </listitem>
1287 </varlistentry>
5a920b42
MP
1288 <varlistentry>
1289 <term><varname>Key=</varname></term>
1290 <listitem>
1291 <para>The <varname>Key=</varname> parameter specifies the same key to use in
1292 both directions (<varname>InputKey=</varname> and <varname>OutputKey=</varname>).
1293 The <varname>Key=</varname> is either a number or an IPv4 address-like dotted quad.
1294 It is used as mark-configured SAD/SPD entry as part of the lookup key (both in data
a10f5d05 1295 and control path) in IP XFRM (framework used to implement IPsec protocol).
5a920b42 1296 See <ulink url="http://man7.org/linux/man-pages/man8/ip-xfrm.8.html">
bb4f798a
MB
1297 ip-xfrm — transform configuration</ulink> for details. It is only used for VTI/VTI6,
1298 GRE, GRETAP, and ERSPAN tunnels.</para>
5a920b42
MP
1299 </listitem>
1300 </varlistentry>
1301 <varlistentry>
1302 <term><varname>InputKey=</varname></term>
1303 <listitem>
1304 <para>The <varname>InputKey=</varname> parameter specifies the key to use for input.
bb4f798a
MB
1305 The format is the same as <varname>Key=</varname>. It is only used for VTI/VTI6, GRE, GRETAP,
1306 and ERSPAN tunnels.</para>
5a920b42
MP
1307 </listitem>
1308 </varlistentry>
1309 <varlistentry>
1310 <term><varname>OutputKey=</varname></term>
1311 <listitem>
1312 <para>The <varname>OutputKey=</varname> parameter specifies the key to use for output.
bb4f798a
MB
1313 The format is the same as <varname>Key=</varname>. It is only used for VTI/VTI6, GRE, GRETAP,
1314 and ERSPAN tunnels.</para>
5a920b42
MP
1315 </listitem>
1316 </varlistentry>
e735f4d4
MP
1317 <varlistentry>
1318 <term><varname>Mode=</varname></term>
1319 <listitem>
db2df898 1320 <para>An <literal>ip6tnl</literal> tunnel can be in one of three
e735f4d4
MP
1321 modes:
1322 <literal>ip6ip6</literal> for IPv6 over IPv6,
1323 <literal>ipip6</literal> for IPv4 over IPv6 or
1324 <literal>any</literal> for either.
1325 </para>
1326 </listitem>
1327 </varlistentry>
f5e65279
MB
1328 <varlistentry>
1329 <term><varname>Independent=</varname></term>
1330 <listitem>
9e294e28
MB
1331 <para>Takes a boolean. When false (the default), the tunnel is always created over some network
1332 device, and a .network file that requests this tunnel using <varname>Tunnel=</varname> is required
1333 for the tunnel to be created. When true, the tunnel is created independently of any network as
1334 "tunnel@NONE".</para>
f5e65279
MB
1335 </listitem>
1336 </varlistentry>
f2dec872
BR
1337 <varlistentry>
1338 <term><varname>AssignToLoopback=</varname></term>
1339 <listitem>
1340 <para>Takes a boolean. If set to <literal>yes</literal>, the loopback interface <literal>lo</literal>
1341 is used as the underlying device of the tunnel interface. Defaults to <literal>no</literal>.</para>
1342 </listitem>
1343 </varlistentry>
1d42b86d
MB
1344 <varlistentry>
1345 <term><varname>AllowLocalRemote=</varname></term>
1346 <listitem>
6e866b33
MB
1347 <para>Takes a boolean. When true, allows tunnel traffic on <varname>ip6tnl</varname> devices where the remote endpoint is a local host address.
1348 When unset, the kernel's default will be used.
1349 </para>
1350 </listitem>
1351 </varlistentry>
1352 <varlistentry>
1353 <term><varname>FooOverUDP=</varname></term>
1354 <listitem>
1355 <para>Takes a boolean. Specifies whether <varname>FooOverUDP=</varname> tunnel is to be configured.
bb4f798a
MB
1356 Defaults to false. This takes effect only for IPIP, SIT, GRE, and GRETAP tunnels.
1357 For more detailed information, see
6e866b33
MB
1358 <ulink url="https://lwn.net/Articles/614348">Foo over UDP</ulink>.</para>
1359 </listitem>
1360 </varlistentry>
1361 <varlistentry>
1362 <term><varname>FOUDestinationPort=</varname></term>
1363 <listitem>
7c20daf6 1364 <para>This setting specifies the UDP destination port for encapsulation.
bb4f798a 1365 This field is mandatory when <varname>FooOverUDP=yes</varname>, and is not set by default.</para>
6e866b33
MB
1366 </listitem>
1367 </varlistentry>
1368 <varlistentry>
1369 <term><varname>FOUSourcePort=</varname></term>
1370 <listitem>
7c20daf6
FS
1371 <para>This setting specifies the UDP source port for encapsulation. Defaults to <constant>0</constant>
1372 — that is, the source port for packets is left to the network stack to decide.</para>
6e866b33
MB
1373 </listitem>
1374 </varlistentry>
1375 <varlistentry>
1376 <term><varname>Encapsulation=</varname></term>
1377 <listitem>
a10f5d05 1378 <para>Accepts the same key as in the [FooOverUDP] section.</para>
6e866b33
MB
1379 </listitem>
1380 </varlistentry>
1381 <varlistentry>
1382 <term><varname>IPv6RapidDeploymentPrefix=</varname></term>
1383 <listitem>
1384 <para>Reconfigure the tunnel for <ulink url="https://tools.ietf.org/html/rfc5569">IPv6 Rapid
1385 Deployment</ulink>, also known as 6rd. The value is an ISP-specific IPv6 prefix with a non-zero length. Only
1386 applicable to SIT tunnels.</para>
1387 </listitem>
1388 </varlistentry>
1389 <varlistentry>
1390 <term><varname>ISATAP=</varname></term>
1391 <listitem>
1392 <para>Takes a boolean. If set, configures the tunnel as an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel.
1393 Only applicable to SIT tunnels. When unset, the kernel's default will be used.</para>
1394 </listitem>
1395 </varlistentry>
1396 <varlistentry>
1397 <term><varname>SerializeTunneledPackets=</varname></term>
1398 <listitem>
bb4f798a
MB
1399 <para>Takes a boolean. If set to yes, then packets are serialized. Only applies for GRE,
1400 GRETAP, and ERSPAN tunnels. When unset, the kernel's default will be used.
6e866b33
MB
1401 </para>
1402 </listitem>
1403 </varlistentry>
1404 <varlistentry>
1405 <term><varname>ERSPANIndex=</varname></term>
1406 <listitem>
3a6ce677 1407 <para>Specifies the ERSPAN index field for the interface, an integer in the range 1…1048575 associated with
6e866b33 1408 the ERSPAN traffic's source port and direction. This field is mandatory.
1d42b86d
MB
1409 </para>
1410 </listitem>
1411 </varlistentry>
e735f4d4
MP
1412 </variablelist>
1413 </refsect1>
6e866b33
MB
1414
1415 <refsect1>
1416 <title>[FooOverUDP] Section Options</title>
1417
a10f5d05 1418 <para>The [FooOverUDP] section only applies for
6e866b33
MB
1419 netdevs of kind <literal>fou</literal> and accepts the
1420 following keys:</para>
1421
1422 <variablelist class='network-directives'>
6e866b33
MB
1423 <varlistentry>
1424 <term><varname>Encapsulation=</varname></term>
1425 <listitem>
a10f5d05
MB
1426 <para>Specifies the encapsulation mechanism used to store networking packets of various protocols
1427 inside the UDP packets. Supports the following values:
6e866b33 1428
a032b68d 1429 <literal>FooOverUDP</literal> provides the simplest no-frills model of UDP encapsulation; it simply
a10f5d05
MB
1430 encapsulates packets directly in the UDP payload. <literal>GenericUDPEncapsulation</literal> is a
1431 generic and extensible encapsulation; it allows encapsulation of packets for any IP protocol and
1432 optional data as part of the encapsulation. For more detailed information see <ulink
1433 url="https://lwn.net/Articles/615044">Generic UDP Encapsulation</ulink>. Defaults to
1434 <literal>FooOverUDP</literal>.
6e866b33
MB
1435 </para>
1436 </listitem>
1437 </varlistentry>
1438 <varlistentry>
1439 <term><varname>Port=</varname></term>
1440 <listitem>
a032b68d
MB
1441 <para>Specifies the port number where the encapsulated packets will arrive. Those packets will be
1442 removed and manually fed back into the network stack with the encapsulation removed to be sent to
1443 the real destination. This option is mandatory.</para>
6e866b33 1444 </listitem>
f2dec872
BR
1445 </varlistentry>
1446 <varlistentry>
1447 <term><varname>PeerPort=</varname></term>
1448 <listitem>
a10f5d05
MB
1449 <para>Specifies the peer port number. Defaults to unset. Note that when the peer port is set, the
1450 <literal>Peer=</literal> address is mandatory.</para>
f2dec872
BR
1451 </listitem>
1452 </varlistentry>
bb4f798a
MB
1453 <varlistentry>
1454 <term><varname>Protocol=</varname></term>
1455 <listitem>
1456 <para>The <varname>Protocol=</varname> specifies the protocol number of the packets arriving
1457 at the UDP port. When <varname>Encapsulation=FooOverUDP</varname>, this field is mandatory
1458 and is not set by default. Takes an IP protocol name such as <literal>gre</literal> or
3a6ce677 1459 <literal>ipip</literal>, or an integer within the range 1…255. When
bb4f798a
MB
1460 <varname>Encapsulation=GenericUDPEncapsulation</varname>, this must not be specified.</para>
1461 </listitem>
1462 </varlistentry>
f2dec872
BR
1463 <varlistentry>
1464 <term><varname>Peer=</varname></term>
1465 <listitem>
a10f5d05
MB
1466 <para>Configures the peer IP address. Note that when the peer address is set, <literal>PeerPort=</literal>
1467 is mandatory.</para>
f2dec872
BR
1468 </listitem>
1469 </varlistentry>
1470 <varlistentry>
1471 <term><varname>Local=</varname></term>
1472 <listitem>
1473 <para>Configures the local IP address.</para>
1474 </listitem>
1475 </varlistentry>
bb4f798a 1476 </variablelist>
6e866b33 1477 </refsect1>
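The cross-key rules of the [FooOverUDP] section above (mandatory Port=, Protocol= required or forbidden depending on Encapsulation=, and Peer= and PeerPort= required together) can be checked before a file is deployed. The following is an added example, not part of systemd or of this man page; the function name and finding strings are hypothetical, the first sample is the 1-fou-tunnel.netdev example from the Examples section, and the second sample is constructed.

```python
import configparser

# The 1-fou-tunnel.netdev example from this page's Examples section.
PAGE_EXAMPLE = """\
[NetDev]
Name=fou-tun
Kind=fou

[FooOverUDP]
Port=5555
Protocol=4
"""

# Constructed sample that breaks three of the documented rules.
CONSTRUCTED_BAD = """\
[NetDev]
Name=gue-tun
Kind=fou

[FooOverUDP]
Encapsulation=GenericUDPEncapsulation
Protocol=gre
PeerPort=5555
"""

ENCAPSULATIONS = ("FooOverUDP", "GenericUDPEncapsulation")


def check_fou(text):
    """Return a list of rule violations (hypothetical names) for a fou netdev."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    if cp.get("NetDev", "Kind", fallback=None) != "fou":
        return ["not-a-fou-netdev"]  # the section only applies to Kind=fou
    fou = dict(cp["FooOverUDP"]) if cp.has_section("FooOverUDP") else {}
    problems = []

    # Encapsulation= defaults to FooOverUDP when it is not given.
    encap = fou.get("Encapsulation", "FooOverUDP")
    if encap not in ENCAPSULATIONS:
        problems.append("unknown-encapsulation")

    # Port= is mandatory; the 1..65535 bound is the UDP port range.
    port = fou.get("Port")
    if port is None:
        problems.append("port-missing")
    elif not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append("port-invalid")

    # Protocol= is mandatory for FooOverUDP and must be absent for GUE.
    proto = fou.get("Protocol")
    if encap == "GenericUDPEncapsulation":
        if proto is not None:
            problems.append("protocol-not-allowed-with-gue")
    elif encap == "FooOverUDP":
        if proto is None:
            problems.append("protocol-missing")
        elif proto.isdigit() and not 1 <= int(proto) <= 255:
            problems.append("protocol-out-of-range")
        # Non-numeric values are taken as protocol names and not checked here.

    # Peer= and PeerPort= each make the other mandatory.
    if ("Peer" in fou) != ("PeerPort" in fou):
        problems.append("peer-peerport-mismatch")
    return problems


if __name__ == "__main__":
    print("page example:", check_fou(PAGE_EXAMPLE))
    print("constructed :", check_fou(CONSTRUCTED_BAD))
```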
f2dec872 1478
e735f4d4
MP
1479 <refsect1>
1480 <title>[Peer] Section Options</title>
1481
a10f5d05 1482 <para>The [Peer] section only applies for
f2dec872
BR
1483 netdevs of kind <literal>veth</literal> and accepts the
1484 following keys:</para>
1485
1486 <variablelist class='network-directives'>
1487 <varlistentry>
1488 <term><varname>Name=</varname></term>
1489 <listitem>
1490 <para>The interface name used when creating the netdev.
a10f5d05 1491 This setting is compulsory.</para>
f2dec872
BR
1492 </listitem>
1493 </varlistentry>
1494 <varlistentry>
1495 <term><varname>MACAddress=</varname></term>
1496 <listitem>
1497 <para>The peer MACAddress. If not set, it is generated in
1498 the same way as the MAC address of the main
1499 interface.</para>
1500 </listitem>
1501 </varlistentry>
1502 </variablelist>
e735f4d4 1503 </refsect1>
f2dec872 1504
52ad194e 1505 <refsect1>
f2dec872
BR
1506 <title>[VXCAN] Section Options</title>
1507
a10f5d05 1508 <para>The [VXCAN] section only applies for
f2dec872
BR
1509 netdevs of kind <literal>vxcan</literal> and accepts the
1510 following key:</para>
1511
1512 <variablelist class='network-directives'>
1513 <varlistentry>
1514 <term><varname>Peer=</varname></term>
1515 <listitem>
1516 <para>The peer interface name used when creating the netdev.
a10f5d05 1517 This setting is compulsory.</para>
f2dec872
BR
1518 </listitem>
1519 </varlistentry>
1520 </variablelist>
52ad194e 1521 </refsect1>
f2dec872 1522
e735f4d4
MP
1523 <refsect1>
1524 <title>[Tun] Section Options</title>
1525
a10f5d05 1526 <para>The [Tun] section only applies for
e735f4d4
MP
1527 netdevs of kind <literal>tun</literal>, and accepts the following
1528 keys:</para>
1529
1530 <variablelist class='network-directives'>
e735f4d4
MP
1531 <varlistentry>
1532 <term><varname>MultiQueue=</varname></term>
6e866b33 1533 <listitem><para>Takes a boolean. Configures whether
e735f4d4
MP
1534 to use multiple file descriptors (queues) to parallelize
1535 packets sending and receiving. Defaults to
1536 <literal>no</literal>.</para>
1537 </listitem>
1538 </varlistentry>
1539 <varlistentry>
1540 <term><varname>PacketInfo=</varname></term>
6e866b33 1541 <listitem><para>Takes a boolean. Configures whether
e3bff60a 1542 packets should be prepended with four extra bytes (two flag
db2df898 1543 bytes and two protocol bytes). If disabled, it indicates that
e735f4d4
MP
1544 the packets will be pure IP packets. Defaults to
1545 <literal>no</literal>.</para>
1546 </listitem>
1547 </varlistentry>
7035cd9e
MP
1548 <varlistentry>
1549 <term><varname>VNetHeader=</varname></term>
6e866b33 1550 <listitem><para>Takes a boolean. Configures
f2dec872 1551 IFF_VNET_HDR flag for a tun or tap device. It allows sending
7035cd9e
MP
1552 and receiving larger Generic Segmentation Offload (GSO)
1553 packets. This may increase throughput significantly.
1554 Defaults to
1555 <literal>no</literal>.</para>
1556 </listitem>
1557 </varlistentry>
e735f4d4
MP
1558 <varlistentry>
1559 <term><varname>User=</varname></term>
1560 <listitem><para>User to grant access to the
1561 <filename>/dev/net/tun</filename> device.</para>
1562 </listitem>
1563 </varlistentry>
1564 <varlistentry>
1565 <term><varname>Group=</varname></term>
1566 <listitem><para>Group to grant access to the
1567 <filename>/dev/net/tun</filename> device.</para>
1568 </listitem>
1569 </varlistentry>
e735f4d4 1570 </variablelist>
e735f4d4
MP
1571 </refsect1>
1572
1573 <refsect1>
1574 <title>[Tap] Section Options</title>
1575
a10f5d05 1576 <para>The [Tap] section only applies for
e735f4d4 1577 netdevs of kind <literal>tap</literal>, and accepts the same keys
a10f5d05 1578 as the [Tun] section.</para>
e735f4d4
MP
1579 </refsect1>
1580
1d42b86d
MB
1581 <refsect1>
1582 <title>[WireGuard] Section Options</title>
1583
a10f5d05 1584 <para>The [WireGuard] section accepts the following
1d42b86d
MB
1585 keys:</para>
1586
1587 <variablelist class='network-directives'>
1588 <varlistentry>
1589 <term><varname>PrivateKey=</varname></term>
1590 <listitem>
1591 <para>The Base64 encoded private key for the interface. It can be
f2dec872
BR
1592 generated using the <command>wg genkey</command> command
1593 (see <citerefentry project="wireguard"><refentrytitle>wg</refentrytitle><manvolnum>8</manvolnum></citerefentry>).
1594 This option or <varname>PrivateKeyFile=</varname> is mandatory to use WireGuard.
1595 Note that because this information is secret, you may want to set
1596 the permissions of the .netdev file to be owned by <literal>root:systemd-network</literal>
1597 with a <literal>0640</literal> file mode.</para>
1d42b86d
MB
1598 </listitem>
1599 </varlistentry>
bb4f798a
MB
1600 <varlistentry>
1601 <term><varname>PrivateKeyFile=</varname></term>
1602 <listitem>
a10f5d05
MB
1603 <para>Takes an absolute path to a file which contains the Base64 encoded private key for the
1604 interface. When this option is specified, then <varname>PrivateKey=</varname> is ignored. Note
1605 that the file must be readable by the user <literal>systemd-network</literal>, so it should be,
1606 e.g., owned by <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode. If
1607 the path refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is
1608 made to it and the key read from it.</para>
bb4f798a
MB
1609 </listitem>
1610 </varlistentry>
1d42b86d
MB
1611 <varlistentry>
1612 <term><varname>ListenPort=</varname></term>
1613 <listitem>
1614 <para>Sets the UDP port for listening. Takes either a value between 1 and 65535
f2dec872
BR
1615 or <literal>auto</literal>. If <literal>auto</literal> is specified,
1616 the port is automatically generated based on interface name.
1617 Defaults to <literal>auto</literal>.</para>
1d42b86d
MB
1618 </listitem>
1619 </varlistentry>
1620 <varlistentry>
f2dec872 1621 <term><varname>FirewallMark=</varname></term>
1d42b86d 1622 <listitem>
f2dec872 1623 <para>Sets a firewall mark on outgoing WireGuard packets from this interface. Takes a number between 1 and 4294967295.</para>
1d42b86d
MB
1624 </listitem>
1625 </varlistentry>
1626 </variablelist>
1627 </refsect1>
1628
1629 <refsect1>
1630 <title>[WireGuardPeer] Section Options</title>
1631
a10f5d05 1632 <para>The [WireGuardPeer] section accepts the following
1d42b86d
MB
1633 keys:</para>
1634
1635 <variablelist class='network-directives'>
1636 <varlistentry>
1637 <term><varname>PublicKey=</varname></term>
1638 <listitem>
1639 <para>Sets a Base64 encoded public key calculated by <command>wg pubkey</command>
f2dec872
BR
1640 (see <citerefentry project="wireguard"><refentrytitle>wg</refentrytitle><manvolnum>8</manvolnum></citerefentry>)
1641 from a private key, and usually transmitted out of band to the
1642 author of the configuration file. This option is mandatory for this
1643 section.</para>
1d42b86d
MB
1644 </listitem>
1645 </varlistentry>
1646 <varlistentry>
1647 <term><varname>PresharedKey=</varname></term>
1648 <listitem>
1649 <para>Optional preshared key for the interface. It can be generated
f2dec872
BR
1650 by the <command>wg genpsk</command> command. This option adds an
1651 additional layer of symmetric-key cryptography to be mixed into the
1652 already existing public-key cryptography, for post-quantum
1653 resistance.
1654 Note that because this information is secret, you may want to set
a10f5d05 1655 the permissions of the .netdev file to be owned by <literal>root:systemd-network</literal>
f2dec872 1656 with a <literal>0640</literal> file mode.</para>
1d42b86d
MB
1657 </listitem>
1658 </varlistentry>
bb4f798a
MB
1659 <varlistentry>
1660 <term><varname>PresharedKeyFile=</varname></term>
1661 <listitem>
1662 <para>Takes an absolute path to a file which contains the Base64 encoded preshared key for the
a10f5d05
MB
1663 peer. When this option is specified, then <varname>PresharedKey=</varname> is ignored. Note that
1664 the file must be readable by the user <literal>systemd-network</literal>, so it should be, e.g.,
1665 owned by <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode. If the
1666 path refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is
1667 made to it and the key read from it.</para>
bb4f798a
MB
1668 </listitem>
1669 </varlistentry>
1d42b86d
MB
1670 <varlistentry>
1671 <term><varname>AllowedIPs=</varname></term>
1672 <listitem>
1673 <para>Sets a comma-separated list of IP (v4 or v6) addresses with CIDR masks
f2dec872 1674 from which this peer is allowed to send incoming traffic and to
1ce460ce
MB
1675 which outgoing traffic for this peer is directed.</para>
1676 <para>The catch-all 0.0.0.0/0 may be specified for matching all IPv4 addresses,
1677 and ::/0 may be specified for matching all IPv6 addresses.</para>
1678 <para>Note that this only affects "routing inside the network interface itself",
1679 as in, which wireguard peer packets with a specific destination address are sent to,
1680 and what source addresses are accepted from which peer.</para>
1681 <para>To cause packets to be sent via wireguard in the first place, a route needs
1682 to be added, as well - either in the <literal>[Routes]</literal> section on the
1683 <literal>.network</literal> matching the wireguard interface, or outside of networkd.
1684 </para>
1d42b86d
MB
1685 </listitem>
1686 </varlistentry>
1687 <varlistentry>
1688 <term><varname>Endpoint=</varname></term>
1689 <listitem>
1690 <para>Sets an endpoint IP address or hostname, followed by a colon, and then
f2dec872
BR
1691 a port number. This endpoint will be updated automatically once to
1692 the most recent source IP address and port of correctly
1693 authenticated packets from the peer at configuration time.</para>
1d42b86d
MB
1694 </listitem>
1695 </varlistentry>
1696 <varlistentry>
1697 <term><varname>PersistentKeepalive=</varname></term>
1698 <listitem>
1699 <para>Sets a seconds interval, between 1 and 65535 inclusive, of how often
f2dec872
BR
1700 to send an authenticated empty packet to the peer for the purpose
1701 of keeping a stateful firewall or NAT mapping valid persistently.
1702 For example, if the interface very rarely sends traffic, but it
1703 might at anytime receive traffic from a peer, and it is behind NAT,
1704 the interface might benefit from having a persistent keepalive
1705 interval of 25 seconds. If set to 0 or "off", this option is
1706 disabled. By default or when unspecified, this option is off.
1707 Most users will not need this.</para>
1d42b86d
MB
1708 </listitem>
1709 </varlistentry>
1710 </variablelist>
1711 </refsect1>
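The [WireGuard] and [WireGuardPeer] notes above (inline secrets call for a 0640 file mode, key-file options take absolute paths, PrivateKeyFile= overrides PrivateKey=, and 0.0.0.0/0 or ::/0 in AllowedIPs= accepts any source address from that peer) lend themselves to a pre-deployment audit. This is an added example, not code from systemd or from this man page; the finding names and sample file are constructed, the keys are placeholders, only the file mode is checked (not root:systemd-network ownership), and the simple parser keeps only the last value of a key repeated within one section.

```python
import ipaddress
import os
import stat
import tempfile

# Constructed sample; the key strings are placeholders, not real key material.
SAMPLE_NETDEV = """\
[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
PrivateKey=PLACEHOLDER_BASE64_PRIVATE_KEY=
ListenPort=51820

[WireGuardPeer]
PublicKey=PLACEHOLDER_BASE64_PUBLIC_KEY_A=
PresharedKeyFile=keys/peer-a.psk
AllowedIPs=10.0.0.2/32,fd00::2/128

[WireGuardPeer]
PublicKey=PLACEHOLDER_BASE64_PUBLIC_KEY_B=
AllowedIPs=0.0.0.0/0
"""


def parse_sections(text):
    """Return [(section, {key: value})], keeping repeated sections apart."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, _, value = line.partition("=")
            sections[-1][1][key.strip()] = value.strip()
    return sections


def audit_text(text, file_mode=None):
    """Return finding strings (hypothetical names) for one .netdev file."""
    findings = []
    inline_secret = False
    for name, keys in parse_sections(text):
        if name not in ("WireGuard", "WireGuardPeer"):
            continue
        if name == "WireGuard":
            if "PrivateKey" not in keys and "PrivateKeyFile" not in keys:
                findings.append("missing-private-key")
            if "PrivateKey" in keys and "PrivateKeyFile" in keys:
                findings.append("privatekey-ignored")  # PrivateKeyFile= wins
        elif "PublicKey" not in keys:
            findings.append("peer-missing-publickey")
        if "PrivateKey" in keys or "PresharedKey" in keys:
            inline_secret = True
        for opt in ("PrivateKeyFile", "PresharedKeyFile"):
            if opt in keys and not os.path.isabs(keys[opt]):
                findings.append("relative-key-path:" + opt)
        for cidr in keys.get("AllowedIPs", "").split(","):
            cidr = cidr.strip()
            if not cidr:
                continue
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append("bad-allowedips:" + cidr)
                continue
            if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0, worth a review
                findings.append("catch-all-allowedips:" + cidr)
    # Beyond 0640: group write/execute, or any access at all for others.
    if inline_secret and file_mode is not None and file_mode & 0o027:
        findings.append("inline-secret-mode:%04o" % file_mode)
    return findings


def audit_file(path):
    """Audit a .netdev file on disk, including its permission bits."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return audit_text(text, stat.S_IMODE(os.stat(path).st_mode))


def demo():
    """Audit the constructed sample at mode 0644 and again at 0640."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "25-wg0.netdev")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_NETDEV)
        os.chmod(path, 0o644)
        loose = audit_file(path)
        os.chmod(path, 0o640)
        tight = audit_file(path)
    return loose, tight


if __name__ == "__main__":
    for label, result in zip(("0644", "0640"), demo()):
        print(label, result)
```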
1712
e735f4d4
MP
1713 <refsect1>
1714 <title>[Bond] Section Options</title>
1715
a10f5d05 1716 <para>The [Bond] section accepts the following
e735f4d4
MP
1717 key:</para>
1718
1719 <variablelist class='network-directives'>
1720 <varlistentry>
1721 <term><varname>Mode=</varname></term>
1722 <listitem>
1723 <para>Specifies one of the bonding policies. The default is
1724 <literal>balance-rr</literal> (round robin). Possible values are
1725 <literal>balance-rr</literal>,
1726 <literal>active-backup</literal>,
1727 <literal>balance-xor</literal>,
1728 <literal>broadcast</literal>,
1729 <literal>802.3ad</literal>,
1730 <literal>balance-tlb</literal>, and
1731 <literal>balance-alb</literal>.
1732 </para>
1733 </listitem>
1734 </varlistentry>
1735
1736 <varlistentry>
1737 <term><varname>TransmitHashPolicy=</varname></term>
1738 <listitem>
1739 <para>Selects the transmit hash policy to use for slave
1740 selection in balance-xor, 802.3ad, and tlb modes. Possible
1741 values are
1742 <literal>layer2</literal>,
1743 <literal>layer3+4</literal>,
1744 <literal>layer2+3</literal>,
5a920b42 1745 <literal>encap2+3</literal>, and
e735f4d4
MP
1746 <literal>encap3+4</literal>.
1747 </para>
1748 </listitem>
1749 </varlistentry>
1750
1751 <varlistentry>
1752 <term><varname>LACPTransmitRate=</varname></term>
1753 <listitem>
1754 <para>Specifies the rate with which link partner transmits
1755 Link Aggregation Control Protocol Data Unit packets in
1756 802.3ad mode. Possible values are <literal>slow</literal>,
1757 which requests partner to transmit LACPDUs every 30 seconds,
1758 and <literal>fast</literal>, which requests partner to
1759 transmit LACPDUs every second. The default value is
1760 <literal>slow</literal>.</para>
1761 </listitem>
1762 </varlistentry>
1763
1764 <varlistentry>
1765 <term><varname>MIIMonitorSec=</varname></term>
1766 <listitem>
1767 <para>Specifies the frequency that Media Independent
1768 Interface link monitoring will occur. A value of zero
7035cd9e 1769 disables MII link monitoring. This value is rounded down to
e735f4d4
MP
1770 the nearest millisecond. The default value is 0.</para>
1771 </listitem>
1772 </varlistentry>
1773
1774 <varlistentry>
1775 <term><varname>UpDelaySec=</varname></term>
1776 <listitem>
1777 <para>Specifies the delay before a link is enabled after a
1778 link up status has been detected. This value is rounded down
1779 to a multiple of MIIMonitorSec. The default value is
1780 0.</para>
1781 </listitem>
1782 </varlistentry>
1783
1784 <varlistentry>
1785 <term><varname>DownDelaySec=</varname></term>
1786 <listitem>
1787 <para>Specifies the delay before a link is disabled after a
1788 link down status has been detected. This value is rounded
1789 down to a multiple of MIIMonitorSec. The default value is
1790 0.</para>
1791 </listitem>
1792 </varlistentry>
1793
e3bff60a
MP
1794 <varlistentry>
1795 <term><varname>LearnPacketIntervalSec=</varname></term>
1796 <listitem>
1797 <para>Specifies the number of seconds between instances where the bonding
db2df898
MP
1798 driver sends learning packets to each slave peer switch.
1799 The valid range is 1–0x7fffffff; the default value is 1. This option
1800 has an effect only for the balance-tlb and balance-alb modes.</para>
e3bff60a
MP
1801 </listitem>
1802 </varlistentry>
1803
1804 <varlistentry>
1805 <term><varname>AdSelect=</varname></term>
1806 <listitem>
1807 <para>Specifies the 802.3ad aggregation selection logic to use. Possible values are
1808 <literal>stable</literal>,
db2df898
MP
1809 <literal>bandwidth</literal> and
1810 <literal>count</literal>.
e3bff60a
MP
1811 </para>
1812 </listitem>
1813 </varlistentry>
1814
6e866b33
MB
1815 <varlistentry>
1816 <term><varname>AdActorSystemPriority=</varname></term>
1817 <listitem>
3a6ce677 1818 <para>Specifies the 802.3ad actor system priority. Takes a number in the range 1…65535.</para>
6e866b33
MB
1819 </listitem>
1820 </varlistentry>
1821
1822 <varlistentry>
1823 <term><varname>AdUserPortKey=</varname></term>
1824 <listitem>
a10f5d05
MB
1825 <para>Specifies the 802.3ad user defined portion of the port key. Takes a number in the range
1826 0–1023.</para>
6e866b33
MB
1827 </listitem>
1828 </varlistentry>
1829
1830 <varlistentry>
1831 <term><varname>AdActorSystem=</varname></term>
1832 <listitem>
9e294e28
MB
1833 <para>Specifies the 802.3ad system MAC address. This cannot be a null or multicast address.
1834 </para>
6e866b33
MB
1835 </listitem>
1836 </varlistentry>
1837
e3bff60a
MP
1838 <varlistentry>
1839 <term><varname>FailOverMACPolicy=</varname></term>
1840 <listitem>
db2df898
MP
1841 <para>Specifies whether the active-backup mode should set all slaves to
1842 the same MAC address at the time of enslavement or, when enabled, to perform special handling of the
e3bff60a
MP
1843 bond's MAC address in accordance with the selected policy. The default policy is none.
1844 Possible values are
1845 <literal>none</literal>,
db2df898
MP
1846 <literal>active</literal> and
1847 <literal>follow</literal>.
e3bff60a
MP
1848 </para>
1849 </listitem>
1850 </varlistentry>
1851
1852 <varlistentry>
1853 <term><varname>ARPValidate=</varname></term>
1854 <listitem>
1855 <para>Specifies whether or not ARP probes and replies should be
1856 validated in any mode that supports ARP monitoring, or whether
1857 non-ARP traffic should be filtered (disregarded) for link
1858 monitoring purposes. Possible values are
1859 <literal>none</literal>,
1860 <literal>active</literal>,
db2df898
MP
1861 <literal>backup</literal> and
1862 <literal>all</literal>.
e3bff60a
MP
1863 </para>
1864 </listitem>
1865 </varlistentry>
1866
1867 <varlistentry>
1868 <term><varname>ARPIntervalSec=</varname></term>
1869 <listitem>
e1f67bc7
MB
1870 <para>Specifies the ARP link monitoring frequency. A value of 0 disables ARP monitoring. The
1871 default value is 0, and the default unit is seconds.
e3bff60a
MP
1872 </para>
1873 </listitem>
1874 </varlistentry>
1875
1876 <varlistentry>
1877 <term><varname>ARPIPTargets=</varname></term>
1878 <listitem>
1879 <para>Specifies the IP addresses to use as ARP monitoring peers when
1880 ARPIntervalSec is greater than 0. These are the targets of the ARP request
1881 sent to determine the health of the link to the targets.
db2df898 1882 Specify these values in IPv4 dotted decimal format. At least one IP
e3bff60a
MP
1883 address must be given for ARP monitoring to function. The
1884 maximum number of targets that can be specified is 16. The
1885 default value is no IP addresses.
1886 </para>
1887 </listitem>
1888 </varlistentry>
1889
1890 <varlistentry>
1891 <term><varname>ARPAllTargets=</varname></term>
1892 <listitem>
1893 <para>Specifies the quantity of ARPIPTargets that must be reachable
1894 in order for the ARP monitor to consider a slave as being up.
1895 This option affects only active-backup mode for slaves with
1896 ARPValidate enabled. Possible values are
db2df898
MP
1897 <literal>any</literal> and
1898 <literal>all</literal>.
e3bff60a
MP
1899 </para>
1900 </listitem>
1901 </varlistentry>
1902
1903 <varlistentry>
1904 <term><varname>PrimaryReselectPolicy=</varname></term>
1905 <listitem>
1906 <para>Specifies the reselection policy for the primary slave. This
1907 affects how the primary slave is chosen to become the active slave
1908 when failure of the active slave or recovery of the primary slave
1909 occurs. This option is designed to prevent flip-flopping between
1910 the primary slave and other slaves. Possible values are
1911 <literal>always</literal>,
db2df898
MP
1912 <literal>better</literal> and
1913 <literal>failure</literal>.
e3bff60a
MP
1914 </para>
1915 </listitem>
1916 </varlistentry>
1917
1918 <varlistentry>
1919 <term><varname>ResendIGMP=</varname></term>
1920 <listitem>
1921 <para>Specifies the number of IGMP membership reports to be issued after
1922 a failover event. One membership report is issued immediately after
1923 the failover, subsequent packets are sent in each 200ms interval.
db2df898 1924 The valid range is 0–255. Defaults to 1. A value of 0
e3bff60a
MP
1925 prevents the IGMP membership report from being issued in response
1926 to the failover event.
1927 </para>
1928 </listitem>
1929 </varlistentry>
1930
1931 <varlistentry>
1932 <term><varname>PacketsPerSlave=</varname></term>
1933 <listitem>
db2df898 1934 <para>Specify the number of packets to transmit through a slave before
f2dec872
BR
1935 moving to the next one. When set to 0, then a slave is chosen at
1936 random. The valid range is 0–65535. Defaults to 1. This option
1937 only has effect when in balance-rr mode.
e3bff60a
MP
1938 </para>
1939 </listitem>
1940 </varlistentry>
1941
1942 <varlistentry>
1943 <term><varname>GratuitousARP=</varname></term>
1944 <listitem>
1945 <para>Specify the number of peer notifications (gratuitous ARPs and
f2dec872
BR
1946 unsolicited IPv6 Neighbor Advertisements) to be issued after a
1947 failover event. As soon as the link is up on the new slave,
1948 a peer notification is sent on the bonding device and each
1949 VLAN sub-device. This is repeated at each link monitor interval
1950 (ARPIntervalSec or MIIMonitorSec, whichever is active) if the number is
1951 greater than 1. The valid range is 0–255. The default value is 1.
1952 These options affect only the active-backup mode.
e3bff60a
MP
1953 </para>
1954 </listitem>
1955 </varlistentry>
1956
1957 <varlistentry>
1958 <term><varname>AllSlavesActive=</varname></term>
1959 <listitem>
6e866b33 1960 <para>Takes a boolean. Specifies that duplicate frames (received on inactive ports)
db2df898 1961 should be dropped when false, or delivered when true. Normally, bonding will drop
e3bff60a
MP
1962 duplicate frames (received on inactive ports), which is desirable for
1963 most users. However, it is sometimes useful to allow duplicate
1964 frames to be delivered. The default value is false (drop duplicate frames
1965 received on inactive ports).
1966 </para>
1967 </listitem>
1968 </varlistentry>
1969
6e866b33
MB
1970 <varlistentry>
1971 <term><varname>DynamicTransmitLoadBalancing=</varname></term>
1972 <listitem>
1973 <para>Takes a boolean. Specifies if dynamic shuffling of flows is enabled. Applies only
1974 for balance-tlb mode. Defaults to unset.
1975 </para>
1976 </listitem>
1977 </varlistentry>
1978
e3bff60a
MP
1979 <varlistentry>
1980 <term><varname>MinLinks=</varname></term>
1981 <listitem>
1982 <para>Specifies the minimum number of links that must be active before
1983 asserting carrier. The default value is 0.
1984 </para>
1985 </listitem>
1986 </varlistentry>
e735f4d4 1987 </variablelist>
e3bff60a
MP
1988
1989 <para>For more detailed information, see
1990 <ulink url="https://www.kernel.org/doc/Documentation/networking/bonding.txt">
1991 Linux Ethernet Bonding Driver HOWTO</ulink></para>
f2dec872 1992 </refsect1>
e3bff60a 1993
f2dec872
BR
1994 <refsect1>
1995 <title>[Xfrm] Section Options</title>
1996
a10f5d05 1997 <para>The [Xfrm] section accepts the following
f2dec872
BR
1998 keys:</para>
1999
2000 <variablelist class='network-directives'>
2001 <varlistentry>
2002 <term><varname>InterfaceId=</varname></term>
2003 <listitem>
2004 <para>Sets the ID/key of the xfrm interface which needs to be associated with a SA/policy.
2005 Can be decimal or hexadecimal, valid range is 0-0xffffffff, defaults to 0.</para>
2006 </listitem>
2007 </varlistentry>
2008 <varlistentry>
2009 <term><varname>Independent=</varname></term>
2010 <listitem>
9e294e28
MB
2011 <para>Takes a boolean. If false (the default), the xfrm interface must have an underlying device
2012 which can be used for hardware offloading.</para>
f2dec872
BR
2013 </listitem>
2014 </varlistentry>
2015 </variablelist>
2016
2017 <para>For more detailed information, see
a10f5d05 2018 <ulink url="https://lwn.net/Articles/757391">Virtual XFRM Interfaces</ulink>.</para>
f2dec872
BR
2019 </refsect1>
2020
2021 <refsect1>
2022 <title>[VRF] Section Options</title>
a10f5d05 2023 <para>The [VRF] section only applies for
f2dec872
BR
2024 netdevs of kind <literal>vrf</literal> and accepts the
2025 following key:</para>
2026
2027 <variablelist class='network-directives'>
2028 <varlistentry>
2029 <term><varname>Table=</varname></term>
2030 <listitem>
a10f5d05 2031 <para>The numeric routing table identifier. This setting is compulsory.</para>
f2dec872
BR
2032 </listitem>
2033 </varlistentry>
2034 </variablelist>
e735f4d4
MP
2035 </refsect1>
2036
3a6ce677
BR
2037 <refsect1>
2038 <title>[BatmanAdvanced] Section Options</title>
2039 <para>The [BatmanAdvanced] section only applies for
2040 netdevs of kind <literal>batadv</literal> and accepts the
2041 following keys:</para>
2042
2043 <variablelist class='network-directives'>
2044 <varlistentry>
2045 <term><varname>GatewayMode=</varname></term>
2046 <listitem>
2047 <para>Takes one of <literal>off</literal>, <literal>server</literal>, or <literal>client</literal>.
2048 A batman-adv node can either run in server mode (sharing its internet
2049 connection with the mesh) or in client mode (searching for the most suitable internet connection
2050 in the mesh) or have gateway support turned off entirely (which is the default setting).
2051 </para>
2052 </listitem>
2053 </varlistentry>
2054 <varlistentry>
2055 <term><varname>Aggregation=</varname></term>
2056 <listitem>
2057 <para>Takes a boolean value. Enables or disables aggregation of originator messages. Defaults to
2058 true.
2059 </para>
2060 </listitem>
2061 </varlistentry>
2062 <varlistentry>
2063 <term><varname>BridgeLoopAvoidance=</varname></term>
2064 <listitem>
2065 <para>Takes a boolean value. Enables or disables avoidance of loops on bridges. Defaults to true.
2066 </para>
2067 </listitem>
2068 </varlistentry>
2069 <varlistentry>
2070 <term><varname>DistributedArpTable=</varname></term>
2071 <listitem>
2072 <para>Takes a boolean value. Enables or disables the distributed ARP table. Defaults to true.</para>
2073 </listitem>
2074 </varlistentry>
2075 <varlistentry>
2076 <term><varname>Fragmentation=</varname></term>
2077 <listitem>
2078 <para>Takes a boolean value. Enables or disables fragmentation. Defaults to true.</para>
2079 </listitem>
2080 </varlistentry>
2081 <varlistentry>
2082 <term><varname>HopPenalty=</varname></term>
2083 <listitem>
2084 <para>The hop penalty setting allows modifying the
2085 <citerefentry project='mankier'><refentrytitle>batctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
2086 preference for multihop routes vs. short routes. This integer value is applied to the
2087 TQ (Transmit Quality) of each forwarded OGM (Originator Message), thereby propagating the
2088 cost of an extra hop (the packet has to be received and retransmitted which costs airtime).
2089 A higher hop penalty will make it more unlikely that other nodes will choose this node as
2090 intermediate hop towards any given destination. The default hop penalty of '15' is a reasonable
2091 value for most setups and probably does not need to be changed. However, mobile nodes could
2092 choose a value of 255 (maximum value) to avoid being chosen as a router by other nodes.
2093 The minimum value is 0.
2094 </para>
2095 </listitem>
2096 </varlistentry>
2097 <varlistentry>
2098 <term><varname>OriginatorIntervalSec=</varname></term>
2099 <listitem>
2100 <para>Specifies the interval (in seconds, unless another time unit is specified) at which
2101 batman-adv floods the network with its protocol information.
2102 See <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>
2103 for more information.</para>
2104 </listitem>
2105 </varlistentry>
2106 <varlistentry>
2107 <term><varname>GatewayBandwidthDown=</varname></term>
2108 <listitem>
2109 <para>If the node is a server, this
2110 parameter is used to inform other nodes in the network about
2111 this node's internet connection download bandwidth in bits per second. Just enter any number
2112 suffixed with K, M, G or T (base 1000) and the batman-adv
2113 module will propagate the entered value in the mesh.</para>
2114 </listitem>
2115 </varlistentry>
2116 <varlistentry>
2117 <term><varname>GatewayBandwidthUp=</varname></term>
2118 <listitem>
2119 <para>If the node is a server, this
2120 parameter is used to inform other nodes in the network about
2121 this node's internet connection upload bandwidth in bits per second. Just enter any number
2122 suffixed with K, M, G or T (base 1000) and the batman-adv
2123 module will propagate the entered value in the mesh.</para>
2124 </listitem>
2125 </varlistentry>
2126 <varlistentry>
2127 <term><varname>RoutingAlgorithm=</varname></term>
2128 <listitem>
2129 <para>This can be either <literal>batman-v</literal> or <literal>batman-iv</literal> and describes which routing_algo
2130 of <citerefentry><refentrytitle>batctl</refentrytitle><manvolnum>8</manvolnum></citerefentry> to use. The algorithm
2131 cannot be changed after interface creation. Defaults to <literal>batman-v</literal>.
2132 </para>
2133 </listitem>
2134 </varlistentry>
2135 </variablelist>
2136 </refsect1>
2137
e735f4d4 2138 <refsect1>
6e866b33 2139 <title>Examples</title>
e735f4d4 2140 <example>
6300502b 2141 <title>/etc/systemd/network/25-bridge.netdev</title>
e735f4d4
MP
2142
2143 <programlisting>[NetDev]
60f067b4
JS
2144Name=bridge0
2145Kind=bridge</programlisting>
e735f4d4 2146 </example>
60f067b4 2147
e735f4d4 2148 <example>
6300502b 2149 <title>/etc/systemd/network/25-vlan1.netdev</title>
60f067b4 2150
e735f4d4 2151 <programlisting>[Match]
60f067b4
JS
2152Virtualization=no
2153
2154[NetDev]
2155Name=vlan1
2156Kind=vlan
2157
2158[VLAN]
2159Id=1</programlisting>
e735f4d4
MP
2160 </example>
2161 <example>
6300502b 2162 <title>/etc/systemd/network/25-ipip.netdev</title>
e735f4d4 2163 <programlisting>[NetDev]
e842803a
MB
2164Name=ipip-tun
2165Kind=ipip
2166MTUBytes=1480
2167
2168[Tunnel]
2169Local=192.168.223.238
2170Remote=192.169.224.239
2171TTL=64</programlisting>
e735f4d4 2172 </example>
6e866b33
MB
2173 <example>
2174 <title>/etc/systemd/network/1-fou-tunnel.netdev</title>
2175 <programlisting>[NetDev]
2176Name=fou-tun
2177Kind=fou
2178
2179[FooOverUDP]
2180Port=5555
2181Protocol=4
2182 </programlisting>
2183 </example>
2184 <example>
2185 <title>/etc/systemd/network/25-fou-ipip.netdev</title>
2186 <programlisting>[NetDev]
2187Name=ipip-tun
2188Kind=ipip
2189
2190[Tunnel]
2191Independent=yes
2192Local=10.65.208.212
2193Remote=10.65.208.211
2194FooOverUDP=yes
2195FOUDestinationPort=5555
2196 </programlisting>
2197 </example>
    <example>
      <title>/etc/systemd/network/25-tap.netdev</title>
      <programlisting>[NetDev]
Name=tap-test
Kind=tap

[Tap]
MultiQueue=yes
PacketInfo=yes</programlisting>
    </example>

    <example>
      <title>/etc/systemd/network/25-sit.netdev</title>
      <programlisting>[NetDev]
Name=sit-tun
Kind=sit
MTUBytes=1480

[Tunnel]
Local=10.65.223.238
Remote=10.65.223.239</programlisting>
    </example>

    <example>
      <title>/etc/systemd/network/25-6rd.netdev</title>
      <programlisting>[NetDev]
Name=6rd-tun
Kind=sit
MTUBytes=1480

[Tunnel]
Local=10.65.223.238
IPv6RapidDeploymentPrefix=2602::/24</programlisting>
    </example>

    <example>
      <title>/etc/systemd/network/25-gre.netdev</title>
      <programlisting>[NetDev]
Name=gre-tun
Kind=gre
MTUBytes=1480

[Tunnel]
Local=10.65.223.238
Remote=10.65.223.239</programlisting>
    </example>

    <example>
      <title>/etc/systemd/network/25-ip6gre.netdev</title>
      <programlisting>[NetDev]
Name=ip6gre-tun
Kind=ip6gre

[Tunnel]
Key=123</programlisting>
    </example>

    <example>
      <title>/etc/systemd/network/25-vti.netdev</title>

      <programlisting>[NetDev]
Name=vti-tun
Kind=vti
MTUBytes=1480

[Tunnel]
Local=10.65.223.238
Remote=10.65.223.239</programlisting>
    </example>

    <example>
      <title>/etc/systemd/network/25-veth.netdev</title>
      <programlisting>[NetDev]
Name=veth-test
Kind=veth

[Peer]
Name=veth-peer</programlisting>
    </example>

    <example>
      <title>/etc/systemd/network/25-bond.netdev</title>
      <programlisting>[NetDev]
Name=bond1
Kind=bond

[Bond]
Mode=802.3ad
TransmitHashPolicy=layer3+4
MIIMonitorSec=1s
LACPTransmitRate=fast
</programlisting>
    </example>

    <example>
      <title>/etc/systemd/network/25-dummy.netdev</title>
      <programlisting>[NetDev]
Name=dummy-test
Kind=dummy
MACAddress=12:34:56:78:9a:bc</programlisting>
    </example>
    <example>
      <title>/etc/systemd/network/25-vrf.netdev</title>
      <para>Create a VRF interface with table 42.</para>
      <programlisting>[NetDev]
Name=vrf-test
Kind=vrf

[VRF]
Table=42</programlisting>
    </example>

    <example>
      <title>/etc/systemd/network/25-macvtap.netdev</title>
      <para>Create a MacVTap device.</para>
      <programlisting>[NetDev]
Name=macvtap-test
Kind=macvtap
      </programlisting>
    </example>
    <example>
      <title>/etc/systemd/network/25-wireguard.netdev</title>
      <programlisting>[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
PrivateKey=EEGlnEPYJV//kbvvIqxKkQwOiS+UENyPncC4bF46ong=
ListenPort=51820

[WireGuardPeer]
PublicKey=RDf+LSpeEre7YEIKaxg+wbpsNV7du+ktR99uBEtIiCA=
AllowedIPs=fd31:bf08:57cb::/48,192.168.26.0/24
Endpoint=wireguard.example.com:51820</programlisting>
    </example>

    <example>
      <title>/etc/systemd/network/27-xfrm.netdev</title>
      <programlisting>[NetDev]
Name=xfrm0
Kind=xfrm

[Xfrm]
Independent=yes</programlisting>
    </example>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-networkd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.link</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>