SYSTEMD.NETWORK(5) | systemd.network | SYSTEMD.NETWORK(5) |
NAME
systemd.network - Network configuration
SYNOPSIS
network.network
DESCRIPTION
A plain ini-style text file that encodes network configuration for matching network interfaces, used by systemd-networkd(8). See systemd.syntax(7) for a general description of the syntax.
The main network file must have the extension .network; other extensions are ignored. Networks are applied to links whenever the links appear.
The .network files are read from the files located in the system network directories /usr/lib/systemd/network and /usr/local/lib/systemd/network [1], the volatile runtime network directory /run/systemd/network and the local administration network directory /etc/systemd/network. All configuration files are collectively sorted and processed in alphanumeric order, regardless of the directories in which they live. However, files with identical filenames replace each other. It is recommended that each filename is prefixed with a number smaller than "70" (e.g. 10-eth0.network). Otherwise, the default .network files or those generated by systemd-network-generator.service(8) may take precedence over user configured files. Files in /etc/ have the highest priority, files in /run/ take precedence over files with the same name under /usr/. This can be used to override a system-supplied configuration file with a local file if needed. As a special case, an empty file (file size 0) or symlink with the same name pointing to /dev/null disables the configuration file entirely (it is "masked").
Along with the network file foo.network, a "drop-in" directory foo.network.d/ may exist. All files with the suffix ".conf" from this directory will be merged in the alphanumeric order and parsed after the main file itself has been parsed. This is useful to alter or add configuration settings, without having to modify the main configuration file. Each drop-in file must have appropriate section headers.
In addition to /etc/systemd/network, drop-in ".d" directories can be placed in /usr/lib/systemd/network or /run/systemd/network directories. Drop-in files in /etc/ take precedence over those in /run/ which in turn take precedence over those in /usr/lib/. Drop-in files under any of these directories take precedence over the main network file wherever located.
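The lookup rules above (one sorted list across all directories, same-name replacement, masking, drop-in merging) can be checked mechanically when auditing which configuration actually takes effect on a host. The following Python is an added example, not part of systemd; the function names, the constructed sample tree and the relative order of the two /usr directories are assumptions.

```python
import os
import tempfile
from pathlib import Path

# Highest priority first (/etc over /run over /usr, as described above).
# Assumption: /usr/local/lib is searched before /usr/lib.
SEARCH_DIRS = ("etc/systemd/network", "run/systemd/network",
               "usr/local/lib/systemd/network", "usr/lib/systemd/network")


def is_masked(path: Path) -> bool:
    """An empty file or a symlink to /dev/null masks the configuration."""
    if path.is_symlink() and os.readlink(path) == "/dev/null":
        return True
    try:
        return path.stat().st_size == 0
    except OSError:  # dangling symlink: not a mask
        return False


def effective_network_files(root: str = "/") -> list:
    """One record per .network filename, in the order the files are processed."""
    dirs = [Path(root) / rel for rel in SEARCH_DIRS]
    candidates = {}
    for d in dirs:  # highest priority first, so index 0 of each list wins
        if d.is_dir():
            for p in sorted(d.iterdir()):
                if p.name.endswith(".network") and not p.is_dir():
                    candidates.setdefault(p.name, []).append(p)
    records = []
    for name in sorted(candidates):  # one global order across all directories
        winner, *shadowed = candidates[name]
        masked = is_masked(winner)
        dropins = {}
        if not masked:  # a masked file is disabled entirely
            for d in dirs:  # same-named drop-ins: higher-priority directory wins
                dropin_dir = d / (name + ".d")
                if dropin_dir.is_dir():
                    for conf in dropin_dir.glob("*.conf"):
                        dropins.setdefault(conf.name, conf)
        records.append({
            "name": name,
            "path": str(winner.relative_to(root)),
            "masked": masked,
            "shadowed": [str(s.relative_to(root)) for s in shadowed],
            # Drop-ins are merged in alphanumeric order after the main file.
            "dropins": [str(dropins[k].relative_to(root)) for k in sorted(dropins)],
            # Names that do not sort before "70" may lose to default or
            # generated .network files (string comparison, as in the sort).
            "sorts_after_70": name >= "70",
        })
    return records


def build_sample_tree(root: str) -> None:
    """Constructed sample layout for the demonstration (not from a real host)."""
    def write(rel, text):
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
    lib, run, etc = (f"{d}/systemd/network" for d in ("usr/lib", "run", "etc"))
    write(f"{lib}/80-wired.network", "[Match]\nType=ether\n[Network]\nDHCP=yes\n")
    write(f"{lib}/20-vpn.network", "[Match]\nName=wg0\n")
    write(f"{etc}/20-vpn.network", "")  # empty file masks the vendor file
    write(f"{lib}/10-lan.network", "[Match]\nName=eth0\n[Network]\nDHCP=yes\n")
    write(f"{run}/10-lan.network", "[Match]\nName=eth0\n[Network]\nDHCP=no\n")
    write(f"{lib}/10-lan.network.d/50-dns.conf", "[Network]\nDNS=192.0.2.1\n")
    write(f"{etc}/10-lan.network.d/50-dns.conf", "[Network]\nDNS=192.0.2.53\n")
    write(f"{run}/10-lan.network.d/10-mtu.conf", "[Link]\nMTUBytes=1400\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rec in effective_network_files(tmp):
            print(rec)
```

A non-empty "shadowed" list is the thing to review: it means a file in /etc or /run has silently replaced a packaged one of the same name.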
[MATCH] SECTION OPTIONS
The network file contains a [Match] section, which determines if a given network file may be applied to a given interface, and a [Network] section specifying how the interface should be configured. The first (in alphanumeric order) of the network files that matches a given interface is applied; all later files are ignored, even if they match as well.
Note that any network interfaces that have the ID_NET_MANAGED_BY= udev property set will never be matched by any .network files – unless the property's value is the string "io.systemd.Network" – even if the [Match] section would otherwise match. This may be used to exclude specific network interfaces from systemd-networkd's management, while keeping the [Match] section generic. The ID_NET_MANAGED_BY= property thus declares intended ownership of the device, and permits ensuring that concurrent network management implementations do not compete for management of specific devices.
A network file is said to match a network interface if all matches specified by the [Match] section are satisfied. When a network file does not contain valid settings in the [Match] section, the file will match all interfaces and systemd-networkd warns about that. Hint: to avoid the warning and to make it clear that all interfaces shall be matched, add the following:
Name=*
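The first-match rule, the match-all behaviour of a file without valid [Match] settings, and the ID_NET_MANAGED_BY= exclusion interact in ways that are easy to misjudge when reviewing a set of files. The following Python is an added example, not systemd code; it models only Name= and Type=, and treating their values as whitespace-separated shell-style globs is an assumption, since this section does not describe the key syntax. File contents and interface data are constructed.

```python
import configparser
import fnmatch

NETWORKD_OWNER = "io.systemd.Network"


def _glob_list(attr):
    # Assumption: the value is a whitespace-separated list of shell-style globs.
    return lambda value, iface: any(
        fnmatch.fnmatchcase(iface[attr], pattern) for pattern in value.split())


# Only these two [Match] keys are modelled in this example.
MATCHERS = {"Name": _glob_list("name"), "Type": _glob_list("type")}


def parse_match(text):
    """Return the [Match] section of a .network file as a dict (empty if absent)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep key case: Name=, not name=
    cp.read_string(text)
    return dict(cp["Match"]) if cp.has_section("Match") else {}


def select_network_file(files, iface):
    """files: {filename: text}. Returns (chosen filename or None, warnings)."""
    warnings, chosen = [], None
    owner = iface.get("udev", {}).get("ID_NET_MANAGED_BY")
    # A foreign owner excludes the interface even if a [Match] would match.
    excluded = owner is not None and owner != NETWORKD_OWNER
    for fname in sorted(files):  # alphanumeric order decides who wins
        match = parse_match(files[fname])
        unknown = set(match) - set(MATCHERS)
        if unknown:
            raise ValueError(f"{fname}: keys not modelled here: {sorted(unknown)}")
        if not match:
            warnings.append(f"{fname}: no valid [Match] settings, matches all interfaces")
        # all() over an empty [Match] is True: the file matches everything.
        if chosen is None and not excluded and all(
                MATCHERS[key](value, iface) for key, value in match.items()):
            chosen = fname  # first match is applied, later files are ignored
    return chosen, warnings


# Constructed sample: the middle file has no [Match] section at all.
SAMPLE_FILES = {
    "10-uplink.network": "[Match]\nName=eth0\n\n[Network]\nDHCP=yes\n",
    "20-default.network": "[Network]\nDHCP=yes\n",
    "30-containers.network": "[Match]\nName=ve-*\nType=ether\n\n[Network]\nDHCP=no\n",
}

if __name__ == "__main__":
    for iface in (
        {"name": "eth0", "type": "ether", "udev": {}},
        {"name": "ve-web", "type": "ether", "udev": {}},
        {"name": "ve-web", "type": "ether",
         "udev": {"ID_NET_MANAGED_BY": "org.example.other"}},
    ):
        print(iface["name"], iface["udev"], "->", select_network_file(SAMPLE_FILES, iface))
```

In the sample, "ve-web" gets DHCP=yes from 20-default.network and never reaches the DHCP=no in 30-containers.network, which is the kind of shadowing the warning is meant to surface.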
The following keys are accepted:
MACAddress=
colon-delimited hexadecimal
Added in version 250.
hyphen-delimited hexadecimal
Added in version 250.
dot-delimited hexadecimal
Added in version 250.
IPv4 address format
Added in version 250.
IPv6 address format
Added in version 250.
The total length of each MAC address must be 4 (for IPv4 tunnel), 6 (for Ethernet), 16 (for IPv6 tunnel), or 20 (for InfiniBand). This option may appear more than once, in which case the lists are merged. If the empty string is assigned to this option, the list of hardware addresses defined prior to this is reset. Defaults to unset.
Added in version 211.
PermanentMACAddress=
Added in version 245.
Path=
Added in version 211.
Driver=
Added in version 211.
Type=
Added in version 211.
Kind=
Added in version 251.
Property=
Example: if a .link file has the following:
Property=ID_MODEL_ID=9999 "ID_VENDOR_FROM_DATABASE=vendor name" "KEY=with \"quotation\""
then, the .link file matches only when an interface has all the above three properties.
Added in version 243.
Name=
Added in version 211.
WLANInterfaceType=
Added in version 244.
SSID=
Added in version 244.
BSSID=
Added in version 244.
Host=
Added in version 211.
Virtualization=
Added in version 211.
KernelCommandLine=
Added in version 211.
KernelVersion=
Added in version 237.
Credential=
Added in version 252.
Architecture=
Added in version 211.
Firmware=
Added in version 249.
[LINK] SECTION OPTIONS
The [Link] section accepts the following keys:
MACAddress=
Added in version 218.
MTUBytes=
Note that if IPv6 is enabled on the interface, and the MTU is chosen below 1280 (the minimum MTU for IPv6) it will automatically be increased to this value.
Added in version 218.
ARP=
For example, disabling ARP is useful when creating multiple MACVLAN or VLAN virtual interfaces atop a single lower-level physical interface, which will then only serve as a link/"bridge" device aggregating traffic to the same physical link and not participate in the network otherwise. Defaults to unset.
Added in version 232.
Multicast=
Added in version 239.
AllMulticast=
Added in version 239.
Promiscuous=
If this is set to false for the underlying link of a "passthru" mode MACVLAN/MACVTAP, the virtual interface will be created with the "nopromisc" flag set.
Added in version 248.
Unmanaged=
This is useful for preventing later matching network files from interfering with certain interfaces that are fully controlled by other applications.
Added in version 233.
Group=
Added in version 246.
RequiredForOnline=
Defaults to "yes" when ActivationPolicy= is not set, or set to "up", "always-up", or "bound". Defaults to "no" when ActivationPolicy= is set to "manual" or "down". This is forced to "no" when ActivationPolicy= is set to "always-down".
The network will be brought up normally (as configured by ActivationPolicy=), but in the event that there is no address being assigned by DHCP or the cable is not plugged in, the link will simply remain offline and be skipped automatically by systemd-networkd-wait-online if "RequiredForOnline=no".
The boolean value "yes" is translated as follows:
CAN devices
Added in version 256.
Master devices, e.g. bond or bridge
Added in version 256.
Bonding port interfaces
Added in version 256.
Other interfaces
Added in version 236.
This setting can be overridden by the command line option for systemd-networkd-wait-online. See systemd-networkd-wait-online.service(8) for more details.
Added in version 236.
RequiredFamilyForOnline=
Added in version 249.
ActivationPolicy=
Takes one of "up", "always-up", "manual", "always-down", "down", or "bound". When "manual", systemd-networkd will not change the link's admin state automatically; the system administrator must bring the interface up or down manually, as desired. When "up" (the default) or "always-up", or "down" or "always-down", systemd-networkd will set the link up or down, respectively, when the interface is (re)configured. When "always-up" or "always-down", systemd-networkd will set the link up or down, respectively, any time systemd-networkd detects a change in the administrative state. When BindCarrier= is also set, this is automatically set to "bound" and any other value is ignored.
When the policy is set to "down" or "manual", the default value of RequiredForOnline= is "no". When the policy is set to "always-down", the value of RequiredForOnline= is forced to "no".
The administrative state is not the same as the carrier state, so using "always-up" does not mean the link will never lose carrier. The link carrier depends on both the administrative state as well as the network device's physical connection. However, to avoid reconfiguration failures, when using "always-up", IgnoreCarrierLoss= is forced to true.
Added in version 248.
[SR-IOV] SECTION OPTIONS
The [SR-IOV] section accepts the following keys. Specify several [SR-IOV] sections to configure several SR-IOVs. SR-IOV provides the ability to partition a single physical PCI resource into virtual PCI functions which can then be injected into a VM. In the case of network VFs, SR-IOV improves north-south network performance (that is, traffic with endpoints outside the host machine) by allowing traffic to bypass the host machine’s network stack.
VirtualFunction=
Added in version 251.
VLANId=
Added in version 251.
QualityOfService=
Added in version 251.
VLANProtocol=
Added in version 251.
MACSpoofCheck=
Added in version 251.
QueryReceiveSideScaling=
Added in version 251.
Trust=
Added in version 251.
LinkState=
Added in version 251.
MACAddress=
Added in version 251.
[NETWORK] SECTION OPTIONS
The [Network] section accepts the following keys:
Description=
Added in version 211.
DHCP=
Note that DHCPv6 will by default be triggered by Router Advertisements, if reception is enabled, regardless of this parameter. By explicitly enabling DHCPv6 support here, the DHCPv6 client will be started in the mode specified by the WithoutRA= setting in the [DHCPv6] section, regardless of the presence of routers on the link, or what flags the routers pass. See IPv6AcceptRA=.
Furthermore, note that by default the domain name specified through DHCP is not used for name resolution. See option UseDomains= below.
See the [DHCPv4] or [DHCPv6] sections below for further configuration options for the DHCP client support.
Added in version 211.
DHCPServer=
Even if this is enabled, the DHCP server will not be started automatically; it waits for the persistent storage to be ready to load/save leases, unless RelayTarget= or PersistLeases=no is specified in the [DHCPServer] section. It will be started after systemd-networkd-persistent-storage.service is started, which calls networkctl persistent-storage yes. See networkctl(1) for more details.
Added in version 215.
LinkLocalAddressing=
Defaults to no when KeepMaster= or Bridge= is set or when the specified MACVLAN=/MACVTAP= has Mode=passthru, or ipv6 otherwise.
Added in version 219.
IPv6LinkLocalAddressGenerationMode=
Added in version 246.
IPv6StableSecretAddress=
Added in version 249.
IPv4LLStartAddress=
Added in version 252.
IPv4LLRoute=
Added in version 216.
DefaultRouteOnDevice=
ip route add default dev veth99
or,
[Route]
Gateway=0.0.0.0
Currently, there is no way to specify e.g. the table for the route configured by this setting. To configure the default route with such an additional property, please use the following instead:
[Route]
Gateway=0.0.0.0
Table=1234
If you'd like to create an IPv6 default route bound to the interface, please use the following:
[Route]
Gateway=::
Table=1234
Added in version 243.
LLMNR=
Added in version 216.
MulticastDNS=
Added in version 229.
DNSOverTLS=
Added in version 239.
DNSSEC=
Added in version 229.
DNSSECNegativeTrustAnchors=
Added in version 229.
LLDP=
Added in version 219.
EmitLLDP=
Added in version 230.
BindCarrier=
This forces ActivationPolicy= to be set to "bound".
Added in version 220.
Address=
If the specified address is "0.0.0.0" (for IPv4) or "::" (for IPv6), a new address range of the requested size is automatically allocated from a system-wide pool of unused ranges. Note that the prefix length must be equal or larger than 8 for IPv4, and 64 for IPv6. The allocated range is checked against all current network interfaces and all known network configuration files to avoid address range conflicts. The default system-wide pool consists of 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8 for IPv4, and fd00::/8 for IPv6. This functionality is useful to manage a large number of dynamically created network interfaces with the same network configuration and automatic address range assignment.
If an IPv4 link-local address (169.254.0.0/16) is specified, IPv4 Address Conflict Detection (RFC 5227[8]) is enabled for the address. To assign an IPv4 link-local address without IPv4 Address Conflict Detection, please use the [Address] section to configure the address and disable DuplicateAddressDetection=.
[Address]
Address=169.254.10.1/24
DuplicateAddressDetection=none
If an empty string is specified, then all previous assignments in both [Network] and [Address] sections are cleared.
Added in version 211.
Gateway=
Added in version 211.
DNS=
Added in version 211.
UseDomains=
Added in version 256.
Domains=
Both "search" and "routing-only" domains are used for routing of DNS queries: look-ups for hostnames ending in those domains (hence also single label names, if any "search domains" are listed), are routed to the DNS servers configured for this interface. The domain routing logic is particularly useful on multi-homed hosts with DNS servers serving particular private DNS zones on each interface.
The "routing-only" domain "~." (the tilde indicating definition of a routing domain, the dot referring to the DNS root domain which is the implied suffix of all valid DNS names) has special effect. It causes all DNS traffic which does not match another configured domain routing entry to be routed to DNS servers specified for this interface. This setting is useful to prefer a certain set of DNS servers if a link on which they are connected is available.
This setting is read by systemd-resolved.service(8). "Search domains" correspond to the domain and search entries in resolv.conf(5). Domain name routing has no equivalent in the traditional glibc API, which has no concept of domain name servers limited to a specific link.
Added in version 216.
DNSDefaultRoute=
Added in version 240.
NTP=
Added in version 216.
IPv4Forwarding=
To control the global setting, use the same setting in networkd.conf(5).
Added in version 256.
IPv6Forwarding=
To control the global setting, use the same setting in networkd.conf(5).
Note, unlike IPv4Forwarding=, enabling per-interface IPv6Forwarding= on two or more interfaces DOES NOT cause IPv6 packets to be forwarded within the interfaces. This setting just controls the per-interface sysctl value, and the sysctl value is not directly correlated to whether packets are forwarded. To ensure IPv6 packets are forwarded, the global setting in networkd.conf(5) needs to be enabled.
Added in version 256.
IPMasquerade=
Added in version 219.
IPv6PrivacyExtensions=
Added in version 222.
IPv6AcceptRA=
Further settings for the IPv6 RA support may be configured in the [IPv6AcceptRA] section, see below.
Also see IP Sysctl[9] in the kernel documentation regarding "accept_ra", but note that systemd's setting of 1 (i.e. true) corresponds to kernel's setting of 2.
Note that kernel's implementation of the IPv6 RA protocol is always disabled, regardless of this setting. If this option is enabled, a userspace implementation of the IPv6 RA protocol is used, and the kernel's own implementation remains disabled, since systemd-networkd needs to know all details supplied in the advertisements, and these are not available from the kernel if the kernel's own implementation is used.
Added in version 231.
IPv6DuplicateAddressDetection=
Added in version 228.
IPv6HopLimit=
Added in version 228.
IPv6RetransmissionTimeSec=
Added in version 256.
IPv4ReversePathFilter=
Added in version 255.
IPv4AcceptLocal=
Added in version 246.
IPv4RouteLocalnet=
Added in version 248.
IPv4ProxyARP=
Added in version 233.
IPv4ProxyARPPrivateVLAN=
This variant of the ARP proxy technique will allow the ARP proxy to reply back to the same interface.
See RFC 3069[12]. When unset, the kernel's default will be used.
Added in version 256.
IPv6ProxyNDP=
Added in version 234.
IPv6ProxyNDPAddress=
Added in version 233.
IPv6SendRA=
If enabled, IPv6Forwarding= on this interface is also enabled, unless the setting is explicitly specified. See IPv6Forwarding= above for more details.
Added in version 247.
DHCPPrefixDelegation=
Added in version 250.
IPv6MTUBytes=
Added in version 239.
KeepMaster=
Added in version 250.
BatmanAdvanced=, Bond=, Bridge=, VRF=
Added in version 211.
IPoIB=, IPVLAN=, IPVTAP=, MACsec=, MACVLAN=, MACVTAP=, Tunnel=, VLAN=, VXLAN=, Xfrm=
Added in version 211.
ActiveSlave=
Added in version 235.
PrimarySlave=
Added in version 235.
ConfigureWithoutCarrier=
With this enabled, to make the interface enter the "configured" state, which is required to make systemd-networkd-wait-online work properly for the interface, all dynamic address configuration mechanisms like DHCP= and IPv6AcceptRA= (which is enabled by default in most cases) need to be disabled. Also, DuplicateAddressDetection= (which is enabled by default for IPv4 link-local addresses and all IPv6 addresses) needs to be disabled for all static address configurations. Otherwise, without carrier, the interface will be stuck in the "configuring" state, and systemd-networkd-wait-online for the interface will time out. Also, it is recommended to set RequiredForOnline=no-carrier to make systemd-networkd-wait-online work for the interface.
Added in version 235.
IgnoreCarrierLoss=
Setting a finite timespan may be useful e.g. in the following cases:
When Bond= is specified to a wireless interface, defaults to 3 seconds. When the DHCPv4 client is enabled and UseMTU= in the [DHCPv4] section enabled, defaults to 5 seconds. Otherwise, defaults to the value specified with ConfigureWithoutCarrier=. When ActivationPolicy= is set to "always-up", this is forced to "yes", and any user-specified values are ignored.
Added in version 242.
KeepConfiguration=
Added in version 243.
[ADDRESS] SECTION OPTIONS
An [Address] section accepts the following keys. Specify several [Address] sections to configure several addresses.
Address=
Added in version 211.
Peer=
Added in version 216.
Broadcast=
Added in version 211.
Label=
Added in version 211.
PreferredLifetime=
Added in version 230.
Scope=
Added in version 235.
RouteMetric=
Added in version 246.
HomeAddress=
Added in version 232.
DuplicateAddressDetection=
Added in version 232.
ManageTemporaryAddress=
Added in version 232.
AddPrefixRoute=
Added in version 245.
AutoJoin=
Added in version 232.
NetLabel=label
The option expects a single NetLabel label. The label must conform to lexical restrictions of LSM labels. When an interface is configured with IP addresses, the addresses and subnetwork masks will be appended to the NetLabel Fallback Peer Labeling[18] rules. They will be removed when the interface is deconfigured. Failures to manage the labels will be ignored.
Warning
Once labeling is enabled for network traffic, a lot of LSM access control points in Linux networking stack go from dormant to active. Care should be taken to avoid getting into a situation where for example remote connectivity is broken, when the security policy hasn't been updated to consider LSM per-packet access controls and no rules would allow any network traffic. Also note that additional configuration with netlabelctl(8) is needed.
[Address]
NetLabel=system_u:object_r:localnet_peer_t:s0
With the example rules applying for interface "eth0", when the interface is configured with an IPv4 address of 10.0.0.123/8, systemd-networkd performs the equivalent of the netlabelctl operation
netlabelctl unlbl add interface eth0 address:10.0.0.0/8 label:system_u:object_r:localnet_peer_t:s0
and the reverse operation when the IPv4 address is deconfigured. The configuration can be used with LSM rules; in case of SELinux to allow a SELinux domain to receive data from objects of SELinux "peer" class. For example:
type localnet_peer_t;
allow my_server_t localnet_peer_t:peer recv;
The effect of the above configuration and rules (in absence of other rules as may be the case) is to only allow "my_server_t" (and nothing else) to receive data from local subnet 10.0.0.0/8 of interface "eth0".
Added in version 252.
NFTSet=source:family:table:set
This option expects a whitespace separated list of NFT set definitions. Each definition consists of a colon-separated tuple of source type (one of "address", "prefix" or "ifindex"), NFT address family (one of "arp", "bridge", "inet", "ip", "ip6", or "netdev"), table name and set name. The names of tables and sets must conform to lexical restrictions of NFT table names. The type of the element used in the NFT filter must match the type implied by the directive ("address", "prefix" or "ifindex") and address type (IPv4 or IPv6) as shown in the table below.
Table 1. Defined source type values
Source type | Description | Corresponding NFT type name |
"address" | host IP address | "ipv4_addr" or "ipv6_addr" |
"prefix" | network prefix | "ipv4_addr" or "ipv6_addr", with "flags interval" |
"ifindex" | interface index | "iface_index" |
When an interface is configured with IP addresses, the addresses, subnetwork masks or interface index will be appended to the NFT sets. The information will be removed when the interface is deconfigured.
systemd-networkd only inserts elements to (or removes from) the sets, so the related NFT rules, tables and sets must be prepared elsewhere in advance. Failures to manage the sets will be ignored.
Example:
[Address]
NFTSet=prefix:netdev:filter:eth_ipv4_prefix
Corresponding NFT rules:
table netdev filter {
    set eth_ipv4_prefix {
        type ipv4_addr
        flags interval
    }
    chain eth_ingress {
        type filter hook ingress device "eth0" priority filter; policy drop;
        ip daddr != @eth_ipv4_prefix drop
        accept
    }
}
Added in version 255.
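Because failures to manage the sets are ignored, a set whose declared type does not match Table 1 simply stays empty, and with a rule like the one above the chain then drops everything. The following Python is an added example, not systemd code: it validates an NFTSet= value, derives what would be inserted for one configured address, and compares that with a hand-written description of the declared sets. Function names, the DECLARED structure and the element string format are assumptions.

```python
import ipaddress

SOURCES = ("address", "prefix", "ifindex")
FAMILIES = ("arp", "bridge", "inet", "ip", "ip6", "netdev")


def parse_nftset(value):
    """Split an NFTSet= value into validated source:family:table:set tuples."""
    defs = []
    for item in value.split():  # whitespace-separated list of definitions
        parts = item.split(":")
        if len(parts) != 4 or not all(parts):
            raise ValueError(f"{item!r}: expected source:family:table:set")
        source, family, table, set_name = parts
        if source not in SOURCES:
            raise ValueError(f"{item!r}: unknown source type {source!r}")
        if family not in FAMILIES:
            raise ValueError(f"{item!r}: unknown NFT family {family!r}")
        defs.append({"source": source, "family": family,
                     "table": table, "set": set_name})
    return defs


def planned_elements(value, cidr, ifindex):
    """What each definition needs from its set, per Table 1, for one address."""
    iface = ipaddress.ip_interface(cidr)
    addr_type = "ipv4_addr" if iface.version == 4 else "ipv6_addr"
    plan = []
    for d in parse_nftset(value):
        if d["source"] == "address":
            need = {"type": addr_type, "interval": False, "element": str(iface.ip)}
        elif d["source"] == "prefix":
            need = {"type": addr_type, "interval": True, "element": str(iface.network)}
        else:  # ifindex
            need = {"type": "iface_index", "interval": False, "element": str(ifindex)}
        plan.append({**d, **need})
    return plan


def audit(value, cidr, ifindex, declared):
    """Return a list of mismatches between NFTSet= and the declared sets."""
    problems = []
    for e in planned_elements(value, cidr, ifindex):
        key = (e["family"], e["table"], e["set"])
        where = ":".join(key)
        have = declared.get(key)
        if have is None:
            problems.append(f"{where}: set not declared")
        elif have["type"] != e["type"]:
            problems.append(f"{where}: declared type {have['type']}, needs {e['type']}")
        elif e["interval"] and not have["interval"]:
            problems.append(f"{where}: needs 'flags interval' for prefix elements")
    return problems


# Hand-written description of the set in the example rules above (constructed).
DECLARED = {("netdev", "filter", "eth_ipv4_prefix"):
            {"type": "ipv4_addr", "interval": True}}

if __name__ == "__main__":
    nftset = "prefix:netdev:filter:eth_ipv4_prefix"
    print(planned_elements(nftset, "10.0.0.123/8", 2))
    print(audit(nftset, "10.0.0.123/8", 2, DECLARED))
    print(audit(nftset, "2001:db8::1/64", 2, DECLARED))
```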
[NEIGHBOR] SECTION OPTIONS
A [Neighbor] section accepts the following keys. The neighbor section adds a permanent, static entry to the neighbor table (IPv6) or ARP table (IPv4) for the given hardware address on the links matched for the network. Specify several [Neighbor] sections to configure several static neighbors.
Address=
Added in version 240.
LinkLayerAddress=
Added in version 243.
[IPV6ADDRESSLABEL] SECTION OPTIONS
An [IPv6AddressLabel] section accepts the following keys. Specify several [IPv6AddressLabel] sections to configure several address labels. IPv6 address labels are used for address selection. See RFC 3484[20]. Precedence is managed by userspace, and only the label itself is stored in the kernel.
Label=
Added in version 234.
Prefix=
Added in version 234.
[ROUTINGPOLICYRULE] SECTION OPTIONS
A [RoutingPolicyRule] section accepts the following settings. Specify several [RoutingPolicyRule] sections to configure several rules.
TypeOfService=
Added in version 235.
From=
Added in version 235.
To=
Added in version 235.
FirewallMark=
Added in version 235.
Table=
Added in version 235.
Priority=
Added in version 235.
IncomingInterface=
Added in version 236.
OutgoingInterface=
Added in version 236.
L3MasterDevice=
Added in version 256.
SourcePort=
Added in version 240.
DestinationPort=
Added in version 240.
IPProtocol=
Added in version 240.
InvertRule=
Added in version 240.
Family=
Added in version 243.
User=
Added in version 245.
SuppressPrefixLength=
Added in version 245.
SuppressInterfaceGroup=
Added in version 250.
Type=
Added in version 248.
[NEXTHOP] SECTION OPTIONS
The [NextHop] section is used to manipulate entries in the kernel's "nexthop" tables. The [NextHop] section accepts the following settings. Specify several [NextHop] sections to configure several hops.
Id=
Added in version 244.
Gateway=
Added in version 244.
Family=
Added in version 248.
OnLink=
Added in version 248.
Blackhole=
Added in version 248.
Group=
Added in version 249.
[ROUTE] SECTION OPTIONS
The [Route] section accepts the following settings. Specify several [Route] sections to configure several routes.
Gateway=
Added in version 211.
GatewayOnLink=
Added in version 234.
Destination=
Added in version 211.
Source=
Added in version 218.
Metric=
Added in version 216.
IPv6Preference=
Added in version 234.
Scope=
For IPv4 route, defaults to "host" if Type= is "local" or "nat", and "link" if Type= is "broadcast", "multicast", "anycast", or "unicast". In other cases, defaults to "global". The value is not used for IPv6.
Added in version 219.
PreferredSource=
Added in version 227.
Table=
Added in version 230.
HopLimit=
Added in version 255.
Protocol=
Added in version 234.
Type=
Added in version 235.
InitialCongestionWindow=
Added in version 237.
InitialAdvertisedReceiveWindow=
Added in version 237.
QuickAck=
Added in version 237.
FastOpenNoCookie=
Added in version 243.
MTUBytes=
Added in version 239.
TCPAdvertisedMaximumSegmentSize=
Added in version 248.
TCPCongestionControlAlgorithm=
Added in version 252.
TCPRetransmissionTimeoutSec=
Added in version 255.
MultiPathRoute=address[@name] [weight]
Added in version 245.
NextHop=
Added in version 248.
[DHCPV4] SECTION OPTIONS
The [DHCPv4] section configures the DHCPv4 client, if it is enabled with the DHCP= setting described above:
RequestAddress=
Added in version 255.
SendHostname=
Added in version 215.
Hostname=
Added in version 223.
MUDURL=
MUD is an embedded software standard defined by the IETF that allows IoT device makers to advertise device specifications, including the intended communication patterns for their device when it connects to the network. The network can then use this to author a context-specific access policy, so the device functions only within those parameters.
Added in version 246.
ClientIdentifier=
Added in version 220.
VendorClassIdentifier=
Added in version 216.
UserClass=
Added in version 239.
DUIDType=
Added in version 230.
DUIDRawData=
Added in version 230.
IAID=
Added in version 230.
RapidCommit=
Added in version 255.
Anonymize=
This option should only be set to true when MACAddressPolicy= is set to random (see systemd.link(5)).
When true, ClientIdentifier=mac, RapidCommit=no, SendHostname=no, Use6RD=no, UseCaptivePortal=no, UseMTU=no, UseNTP=no, UseSIP=no, and UseTimezone=no are implied and these settings in the .network file are silently ignored. Also, Hostname=, MUDURL=, RequestAddress=, RequestOptions=, SendOption=, SendVendorOption=, UserClass=, and VendorClassIdentifier= are silently ignored.
With this option enabled DHCP requests will mimic those generated by Microsoft Windows, in order to reduce the ability to fingerprint and recognize installations. This means DHCP request sizes will grow and lease data will be more comprehensive than normally, though most of the requested data is not actually used.
Added in version 235.
RequestOptions=
Added in version 244.
SendOption=
Added in version 244.
SendVendorOption=
Added in version 246.
IPServiceType=
Added in version 244.
SocketPriority=
Added in version 253.
Label=
Added in version 250.
UseDNS=
This corresponds to the nameserver option in resolv.conf(5).
Added in version 211.
RoutesToDNS=
Added in version 243.
UseNTP=
Added in version 220.
RoutesToNTP=
Added in version 249.
UseSIP=
Added in version 244.
UseCaptivePortal=
Added in version 254.
UseMTU=
Note, some drivers will reset the interfaces if the MTU is changed. For such interfaces, please try to use IgnoreCarrierLoss= with a short timespan, e.g. "3 seconds".
Added in version 211.
UseHostname=
Added in version 211.
UseDomains=
When unspecified, the value specified in the same setting in the [Network] section will be used. When it is unspecified, the value specified in the same setting in the [DHCPv4] section in networkd.conf(5) will be used. When it is unspecified, the value specified in the same setting in the [Network] section in networkd.conf(5) will be used. When none of them are specified, defaults to "no".
It is recommended to enable this option only on trusted networks, as setting this affects resolution of all hostnames, in particular of single-label names. It is generally safer to use the supplied domain only as routing domain, rather than as search domain, in order to not have it affect local resolution of single-label names.
When set to true, this setting corresponds to the domain option in resolv.conf(5).
Added in version 216.
UseRoutes=
Added in version 215.
RouteMetric=
Added in version 217.
RouteTable=num
When used in combination with VRF=, the VRF's routing table is used when this parameter is not specified.
Added in version 232.
RouteMTUBytes=
Added in version 245.
QuickAck=
Added in version 253.
InitialCongestionWindow=
Added in version 255.
InitialAdvertisedReceiveWindow=
Added in version 255.
UseGateway=
Note, when the server provides both the Router and Classless Static Routes option, and UseRoutes= is enabled, the Router option is always ignored regardless of this setting. See RFC 3442[29].
Added in version 246.
UseTimezone=
Added in version 226.
Use6RD=
Added in version 250.
IPv6OnlyMode=
Added in version 255.
FallbackLeaseLifetimeSec=
Added in version 246.
RequestBroadcast=
Added in version 216.
MaxAttempts=
Added in version 243.
ListenPort=
Added in version 233.
ServerPort=
Added in version 256.
DenyList=
Note that this filters only DHCP offers, so the filtering might not work when RapidCommit= is enabled. See also RapidCommit= above.
Added in version 246.
AllowList=
Note that this filters only DHCP offers, so the filtering might not work when RapidCommit= is enabled. See also RapidCommit= above.
Added in version 246.
SendRelease=
Added in version 243.
SendDecline=
Added in version 245.
NetLabel=
Added in version 252.
NFTSet=
Added in version 255.
[DHCPV6] SECTION OPTIONS
The [DHCPv6] section configures the DHCPv6 client, if it is enabled with the DHCP= setting described above, or invoked by the IPv6 Router Advertisement:
MUDURL=, IAID=, DUIDType=, DUIDRawData=, RequestOptions=
Added in version 246.
SendOption=
Added in version 246.
SendVendorOption=
Added in version 246.
UserClass=
Added in version 246.
VendorClass=
Added in version 246.
PrefixDelegationHint=
Added in version 244.
RapidCommit=
Added in version 252.
SendHostname=
Added in version 255.
Hostname=
Added in version 255.
UseAddress=
Added in version 248.
UseCaptivePortal=
Added in version 254.
UseDelegatedPrefix=
Added in version 250.
UseDNS=, UseNTP=, UseHostname=, UseDomains=, NetLabel=, SendRelease=
Added in version 243.
NFTSet=
Added in version 255.
WithoutRA=
Added in version 246.
[DHCPPREFIXDELEGATION] SECTION OPTIONS
The [DHCPPrefixDelegation] section configures subnet prefixes of the delegated prefixes acquired by a DHCPv6 client or by a DHCPv4 client through the 6RD option on another interface. The settings in this section are used only when the DHCPPrefixDelegation= setting in the [Network] section is enabled.
UplinkInterface=
Added in version 250.
SubnetId=
Added in version 246.
Announce=
Added in version 247.
Assign=
Added in version 246.
Token=
Added in version 246.
ManageTemporaryAddress=
Added in version 248.
RouteMetric=
Added in version 249.
NetLabel=
Added in version 252.
NFTSet=
Added in version 255.
[IPV6ACCEPTRA] SECTION OPTIONS
The [IPv6AcceptRA] section configures the IPv6 Router Advertisement (RA) client, if it is enabled with the IPv6AcceptRA= setting described above:
UseRedirect=
Added in version 256.
Token=
eui64
Added in version 250.
static:ADDRESS
Added in version 250.
prefixstable[:ADDRESS][,UUID]
This mode can also optionally take a non-null UUID in the format which sd_id128_from_string() accepts, e.g. "86b123b969ba4b7eb8b3d8605123525a" or "86b123b9-69ba-4b7e-b8b3-d8605123525a". If a UUID is specified, the value is used as the secret key to generate interface identifiers. If not specified, then an application specific ID generated with the system's machine-ID will be used as the secret key. See sd-id128(3), sd_id128_from_string(3), and sd_id128_get_machine(3).
Note that the "prefixstable" algorithm uses both the interface name and MAC address as input to the hash to compute the interface identifier, so if either of those are changed the resulting interface identifier (and address) will be changed, even if the prefix received in the RA message has not been changed.
Added in version 250.
If no address generation mode is specified (which is the default), or a received prefix does not match any of the addresses provided in "prefixstable" mode, then the EUI-64 algorithm will be used for Ethernet or InfiniBand interfaces, otherwise "prefixstable" will be used to form an interface identifier for that prefix.
This setting can be specified multiple times. If an empty string is assigned, then all previous assignments are cleared.
Examples:
    Token=eui64
    Token=::1a:2b:3c:4d
    Token=static:::1a:2b:3c:4d
    Token=prefixstable
    Token=prefixstable:2002:da8:1::
Added in version 250.
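The address-generation modes described for Token=, including the fallback when no token applies to a received prefix, as an added example (not systemd's code). HMAC-SHA256 stands in for the keyed hash, so "prefixstable" results show the stability properties but not the values a real host produces; treating a bare address like static:, and the sample prefix, interface names and secret, are assumptions.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample inputs: a documentation prefix, a MAC address taken from
# the bond example on this page, and a made-up secret standing in for the
# machine-ID-derived key.
PREFIX = "2001:db8:1::/64"
MAC = "52:54:00:e9:64:41"
SECRET = b"constructed-sample-secret"


def combine(prefix, iid):
    """Combine a /64 prefix with the low 64 bits of an interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(int(net.network_address) | (iid & (2**64 - 1)))


def eui64_iid(mac):
    """Modified EUI-64: insert ff:fe in the middle and flip the U/L bit."""
    b = bytes(int(x, 16) for x in mac.split(":"))
    return int.from_bytes(bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:], "big")


def stable_iid(prefix, ifname, mac, key):
    """Keyed hash over prefix, interface name and MAC address.

    Assumption: HMAC-SHA256 is a stand-in PRF, not the hash networkd uses.
    """
    net = ipaddress.IPv6Network(prefix)
    msg = net.network_address.packed[:8] + ifname.encode() + b"\0" + mac.lower().encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:8], "big")


def addresses_for_prefix(prefix, tokens, ifname, mac, secret, ethernet=True):
    """Return the addresses formed for one received /64 prefix."""
    net_addr = ipaddress.IPv6Network(prefix).network_address
    out = []
    for tok in tokens:
        mode, _, uuid = tok.partition(",")
        # An explicit UUID replaces the default secret key for this token.
        key = bytes.fromhex(uuid.replace("-", "")) if uuid else secret
        if mode == "eui64":
            out.append(combine(prefix, eui64_iid(mac)))
        elif mode == "prefixstable" or mode.startswith("prefixstable:"):
            want = mode.partition(":")[2]
            # With an address given, the token applies only to that prefix.
            if want and ipaddress.IPv6Address(want) != net_addr:
                continue
            out.append(combine(prefix, stable_iid(prefix, ifname, mac, key)))
        else:
            # "static:ADDRESS"; a bare ADDRESS is treated the same (assumption).
            addr = mode[len("static:"):] if mode.startswith("static:") else mode
            out.append(combine(prefix, int(ipaddress.IPv6Address(addr))))
    if not out:
        # Fallback from the text: EUI-64 on Ethernet or InfiniBand links,
        # "prefixstable" on every other link type.
        iid = eui64_iid(mac) if ethernet else stable_iid(prefix, ifname, mac, secret)
        out.append(combine(prefix, iid))
    return out


if __name__ == "__main__":
    for toks in ([], ["static:::1a:2b:3c:4d"], ["prefixstable"],
                 ["prefixstable:2002:da8:1::"]):
        print(toks, addresses_for_prefix(PREFIX, toks, "eth0", MAC, SECRET))
```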
UseDNS=
This corresponds to the nameserver option in resolv.conf(5).
Added in version 231.
UseDomains=
It is recommended to enable this option only on trusted networks, as setting this affects resolution of all hostnames, in particular of single-label names. It is generally safer to use the supplied domain only as routing domain, rather than as search domain, in order to not have it affect local resolution of single-label names.
When set to true, this setting corresponds to the domain option in resolv.conf(5).
Added in version 231.
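A check for the recommendation above, as an added example (not part of systemd or of this manual page): it resolves the effective UseDomains= value of a .network file after its drop-ins are merged in alphanumeric order, and reports the sections where the network-supplied domain still ends up as a search domain. The file names and contents are constructed samples; the list of audited sections, the "route" value for routing-only use, and the rule that an unparsable value is ignored are assumptions of this example.

```python
# Sections audited for UseDomains= (assumed scope of this example).
SECTIONS = ("DHCPv4", "DHCPv6", "IPv6AcceptRA")
TRUE = {"1", "yes", "y", "true", "t", "on"}
FALSE = {"0", "no", "n", "false", "f", "off"}

# Constructed sample: one main file and two drop-ins from 80-dhcp.network.d/.
MAIN = ("80-dhcp.network", """\
[Match]
Name=en*
[Network]
DHCP=yes
[DHCPv4]
UseDomains=yes
[DHCPv6]
UseDomains=yes
[IPv6AcceptRA]
UseDomains=true
""")
DROPINS = [
    ("20-ra.conf", "[IPv6AcceptRA]\nUseDomains=route\n"),
    ("10-local.conf", "[DHCPv4]\nUseDomains=route\n[IPv6AcceptRA]\nUseDomains=on\n"),
]


def parse_assignments(text):
    """Yield (section, key, value) for each assignment in ini-style text.

    Line continuations are not handled; comments start with '#' or ';'.
    """
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            yield section, key.strip(), value.strip()


def classify(value):
    """Map a UseDomains= value to 'search', 'route', 'off', or None if invalid."""
    v = value.lower()
    if v in TRUE:
        return "search"
    if v == "route":
        return "route"
    if v in FALSE:
        return "off"
    return None


def effective_use_domains(main, dropins):
    """Return {section: (mode, source file)} after merging the drop-ins.

    The main file is parsed first, then the drop-ins in alphanumeric order;
    a later assignment replaces an earlier one.
    """
    state = {}
    for name, text in [main] + sorted(dropins, key=lambda d: d[0]):
        for section, key, value in parse_assignments(text):
            if section in SECTIONS and key == "UseDomains":
                mode = classify(value)
                if mode is not None:  # assumption: invalid values are ignored
                    state[section] = (mode, name)
    return state


def findings(state):
    """Sections whose supplied domain is effectively used as a search domain."""
    return sorted((s, src) for s, (mode, src) in state.items() if mode == "search")


if __name__ == "__main__":
    for section, source in findings(effective_use_domains(MAIN, DROPINS)):
        print(f"[{section}] UseDomains enabled as search domain (set in {source})")
```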
RouteTable=num
When used in combination with VRF=, the VRF's routing table is used when this parameter is not specified.
Added in version 232.
RouteMetric=
Added in version 249.
QuickAck=
Added in version 253.
UseMTU=
Added in version 250.
UseHopLimit=
Added in version 255.
UseReachableTime=
Added in version 256.
UseRetransmissionTime=
Added in version 256.
UseGateway=
Added in version 250.
UseRoutePrefix=
Added in version 250.
UseCaptivePortal=
Added in version 254.
UsePREF64=
Added in version 255.
UseAutonomousPrefix=
Added in version 242.
UseOnLinkPrefix=
Added in version 242.
RouterDenyList=
Added in version 248.
RouterAllowList=
Added in version 248.
PrefixDenyList=
Added in version 248.
PrefixAllowList=
Added in version 248.
RouteDenyList=
Added in version 248.
RouteAllowList=
Added in version 248.
DHCPv6Client=
Added in version 246.
NetLabel=
Added in version 252.
NFTSet=
Added in version 255.
[DHCPSERVER] SECTION OPTIONS
The [DHCPServer] section contains settings for the DHCP server, if enabled via the DHCPServer= option described above:
ServerAddress=
This implies Address= in [Network] or [Address] section with the same address and prefix length. That is,
    [Network]
    DHCPServer=yes
    Address=192.168.0.1/24
    Address=192.168.0.2/24
    [DHCPServer]
    ServerAddress=192.168.0.1/24

or

    [Network]
    DHCPServer=yes
    [Address]
    Address=192.168.0.1/24
    [Address]
    Address=192.168.0.2/24
    [DHCPServer]
    ServerAddress=192.168.0.1/24

are equivalent to the following:

    [Network]
    DHCPServer=yes
    Address=192.168.0.2/24
    [DHCPServer]
    ServerAddress=192.168.0.1/24
Since version 255, like the Address= setting in [Network] or [Address] section, this also supports a null address, e.g. "0.0.0.0/24", and an unused address will be automatically selected. For more details about the automatic address selection, see Address= setting in [Network] section in the above.
Added in version 249.
PoolOffset=, PoolSize=
Added in version 226.
DefaultLeaseTimeSec=, MaxLeaseTimeSec=
Added in version 226.
UplinkInterface=
Added in version 249.
EmitDNS=, DNS=
If the EmitDNS= option is enabled but no servers configured, the servers are automatically propagated from an "uplink" interface that has appropriate servers set. The "uplink" interface is determined by the default route of the system with the highest priority. Note that this information is acquired at the time the lease is handed out, and does not take uplink interfaces into account that acquire DNS server information at a later point. If no suitable uplink interface is found the DNS server data from /etc/resolv.conf is used. Also, note that the leases are not refreshed if the uplink network configuration changes. To ensure clients regularly acquire the most current uplink DNS server information, it is thus advisable to shorten the DHCP lease time via MaxLeaseTimeSec= described above.
This setting can be specified multiple times. If an empty string is specified, then all DNS servers specified earlier are cleared.
Added in version 226.
EmitNTP=, NTP=, EmitSIP=, SIP=, EmitPOP3=, POP3=, EmitSMTP=, SMTP=, EmitLPR=, LPR=
Added in version 226.
EmitRouter=, Router=
Added in version 230.
EmitTimezone=, Timezone=
Added in version 226.
BootServerAddress=
Added in version 251.
BootServerName=
Note that typically setting one of BootServerName= or BootServerAddress= is sufficient, but both can be set too, if desired.
Added in version 251.
BootFilename=
Added in version 251.
IPv6OnlyPreferredSec=
Added in version 255.
SendOption=
Added in version 244.
SendVendorOption=
Added in version 246.
BindToInterface=
Added in version 249.
RelayTarget=
Added in version 249.
RelayAgentCircuitId=
Added in version 249.
RelayAgentRemoteId=
Added in version 249.
RapidCommit=
Added in version 255.
PersistLeases=
Added in version 256.
[DHCPSERVERSTATICLEASE] SECTION OPTIONS
The "[DHCPServerStaticLease]" section configures a static DHCP lease to assign a fixed IPv4 address to a specific device based on its MAC address. This section can be specified multiple times.
MACAddress=
Added in version 249.
Address=
Added in version 249.
[IPV6SENDRA] SECTION OPTIONS
The [IPv6SendRA] section contains settings for sending IPv6 Router Advertisements and whether to act as a router, if enabled via the IPv6SendRA= option described above. IPv6 network prefixes or routes are defined with one or more [IPv6Prefix] or [IPv6RoutePrefix] sections.
Managed=, OtherInformation=
Added in version 235.
RouterLifetimeSec=
Added in version 235.
ReachableTimeSec=
Added in version 256.
RetransmitSec=
Added in version 255.
RouterPreference=
Added in version 235.
HopLimit=
Added in version 255.
UplinkInterface=
Added in version 250.
EmitDNS=, DNS=
Added in version 235.
EmitDomains=, Domains=
Added in version 235.
DNSLifetimeSec=
Added in version 235.
HomeAgent=
Added in version 255.
HomeAgentLifetimeSec=
Added in version 255.
HomeAgentPreference=
Added in version 255.
[IPV6PREFIX] SECTION OPTIONS
One or more [IPv6Prefix] sections contain the IPv6 prefixes that are announced via Router Advertisements. See RFC 4861[41] for further details.
AddressAutoconfiguration=, OnLink=
Added in version 235.
Prefix=
Added in version 235.
PreferredLifetimeSec=, ValidLifetimeSec=
Added in version 235.
Assign=
Added in version 246.
Token=
Added in version 250.
RouteMetric=
Added in version 249.
[IPV6ROUTEPREFIX] SECTION OPTIONS
One or more [IPv6RoutePrefix] sections contain the IPv6 prefix routes that are announced via Router Advertisements. See RFC 4191[24] for further details.
Route=
Added in version 244.
LifetimeSec=
Added in version 244.
[IPV6PREF64PREFIX] SECTION OPTIONS
One or more [IPv6PREF64Prefix] sections contain the IPv6 PREF64 (or NAT64) prefixes that are announced via Router Advertisements. See RFC 8781[36] for further details.
Prefix=
Added in version 255.
LifetimeSec=
Added in version 255.
[BRIDGE] SECTION OPTIONS
The [Bridge] section accepts the following keys:
UnicastFlood=
Added in version 223.
MulticastFlood=
Added in version 242.
MulticastToUnicast=
Added in version 240.
NeighborSuppression=
Added in version 242.
Learning=
Added in version 242.
HairPin=
Added in version 223.
Isolated=
Added in version 251.
UseBPDU=
Added in version 223.
FastLeave=
Added in version 223.
AllowPortToBeRoot=
Added in version 223.
ProxyARP=
Added in version 243.
ProxyARPWiFi=
Added in version 243.
MulticastRouter=
Added in version 243.
Cost=
Added in version 218.
Priority=
Added in version 234.
[BRIDGEFDB] SECTION OPTIONS
The [BridgeFDB] section manages the forwarding database table of a port and accepts the following keys. Specify several [BridgeFDB] sections to configure several static MAC table entries.
MACAddress=
Added in version 219.
Destination=
Added in version 243.
VLANId=
Added in version 219.
VNI=
Added in version 243.
AssociatedWith=
Added in version 243.
OutgoingInterface=
Added in version 249.
[BRIDGEMDB] SECTION OPTIONS
The [BridgeMDB] section manages the multicast membership entries forwarding database table of a port and accepts the following keys. Specify several [BridgeMDB] sections to configure several permanent multicast membership entries.
MulticastGroupAddress=
Added in version 247.
VLANId=
Added in version 247.
[LLDP] SECTION OPTIONS
The [LLDP] section manages the Link Layer Discovery Protocol (LLDP) and accepts the following keys:
MUDURL=
The MUD URLs received via LLDP packets are saved and can be read using the sd_lldp_neighbor_get_mud_url() function.
Added in version 246.
[CAN] SECTION OPTIONS
The [CAN] section manages the Controller Area Network (CAN bus) and accepts the following keys:
BitRate=
Added in version 239.
SamplePoint=
Added in version 239.
TimeQuantaNSec=, PropagationSegment=, PhaseBufferSegment1=, PhaseBufferSegment2=, SyncJumpWidth=
Added in version 250.
DataBitRate=, DataSamplePoint=
Added in version 246.
DataTimeQuantaNSec=, DataPropagationSegment=, DataPhaseBufferSegment1=, DataPhaseBufferSegment2=, DataSyncJumpWidth=
Added in version 250.
FDMode=
Added in version 246.
FDNonISO=
Added in version 246.
RestartSec=
Added in version 239.
Termination=
Added in version 246.
TripleSampling=
Added in version 242.
BusErrorReporting=
Added in version 248.
ListenOnly=
Added in version 246.
Loopback=
Added in version 250.
OneShot=
Added in version 250.
PresumeAck=
Added in version 250.
ClassicDataLengthCode=
Added in version 250.
[IPOIB] SECTION OPTIONS
The [IPoIB] section manages the IP over Infiniband and accepts the following keys:
Mode=
When "datagram", the Infiniband unreliable datagram (UD) transport is used, and so the interface MTU is equal to the IB L2 MTU minus the IPoIB encapsulation header (4 bytes). For example, in a typical IB fabric with a 2K MTU, the IPoIB MTU will be 2048 - 4 = 2044 bytes.
When "connected", the Infiniband reliable connected (RC) transport is used. Connected mode takes advantage of the connected nature of the IB transport and allows an MTU up to the maximal IP packet size of 64K, which reduces the number of IP packets needed for handling large UDP datagrams, TCP segments, etc and increases the performance for large messages.
Added in version 250.
IgnoreUserspaceMulticastGroup=
Added in version 250.
[QDISC] SECTION OPTIONS
The [QDisc] section manages the traffic control queueing discipline (qdisc).
Parent=
Added in version 244.
Handle=
[NETWORKEMULATOR] SECTION OPTIONS
The [NetworkEmulator] section manages the queueing discipline (qdisc) of the network emulator. It can be used to configure the kernel packet scheduler and simulate packet delay and loss for UDP or TCP applications, or limit the bandwidth usage of a particular service to simulate internet connections.
Parent=
Handle=
DelaySec=
Added in version 245.
DelayJitterSec=
Added in version 245.
PacketLimit=
Added in version 245.
LossRate=
Added in version 245.
DuplicateRate=
Added in version 245.
[TOKENBUCKETFILTER] SECTION OPTIONS
The [TokenBucketFilter] section manages the queueing discipline (qdisc) of token bucket filter (tbf).
Parent=
Handle=
LatencySec=
Added in version 245.
LimitBytes=
Added in version 246.
BurstBytes=
Added in version 246.
Rate=
Added in version 245.
MPUBytes=
Added in version 245.
PeakRate=
Added in version 245.
MTUBytes=
Added in version 245.
[PIE] SECTION OPTIONS
The [PIE] section manages the queueing discipline (qdisc) of Proportional Integral controller-Enhanced (PIE).
Parent=
Handle=
PacketLimit=
Added in version 246.
[FLOWQUEUEPIE] SECTION OPTIONS
The "[FlowQueuePIE]" section manages the queueing discipline (qdisc) of Flow Queue Proportional Integral controller-Enhanced (fq_pie).
Parent=
Handle=
PacketLimit=
Added in version 247.
[STOCHASTICFAIRBLUE] SECTION OPTIONS
The [StochasticFairBlue] section manages the queueing discipline (qdisc) of stochastic fair blue (sfb).
Parent=
Handle=
PacketLimit=
Added in version 246.
[STOCHASTICFAIRNESSQUEUEING] SECTION OPTIONS
The [StochasticFairnessQueueing] section manages the queueing discipline (qdisc) of stochastic fairness queueing (sfq).
Parent=
Handle=
PerturbPeriodSec=
Added in version 245.
[BFIFO] SECTION OPTIONS
The [BFIFO] section manages the queueing discipline (qdisc) of Byte limited Packet First In First Out (bfifo).
Parent=
Handle=
LimitBytes=
Added in version 246.
[PFIFO] SECTION OPTIONS
The [PFIFO] section manages the queueing discipline (qdisc) of Packet First In First Out (pfifo).
Parent=
Handle=
PacketLimit=
Added in version 246.
[PFIFOHEADDROP] SECTION OPTIONS
The [PFIFOHeadDrop] section manages the queueing discipline (qdisc) of Packet First In First Out Head Drop (pfifo_head_drop).
Parent=
Handle=
PacketLimit=
Added in version 246.
[PFIFOFAST] SECTION OPTIONS
The [PFIFOFast] section manages the queueing discipline (qdisc) of Packet First In First Out Fast (pfifo_fast).
Parent=
Handle=
[CAKE] SECTION OPTIONS
The [CAKE] section manages the queueing discipline (qdisc) of Common Applications Kept Enhanced (CAKE).
Parent=
Handle=
Bandwidth=
Added in version 246.
AutoRateIngress=
Added in version 250.
OverheadBytes=
Added in version 246.
MPUBytes=
Added in version 250.
CompensationMode=
Added in version 250.
UseRawPacketSize=
Added in version 250.
FlowIsolationMode=
none
Added in version 250.
src-host
Added in version 250.
dst-host
Added in version 250.
hosts
Added in version 250.
flows
Added in version 250.
dual-src-host
Added in version 250.
dual-dst-host
Added in version 250.
triple
Added in version 250.
Defaults to unset and the kernel's default is used.
Added in version 250.
NAT=
Added in version 250.
PriorityQueueingPreset=
besteffort
Added in version 250.
precedence
Added in version 250.
diffserv8
Added in version 250.
diffserv4
Added in version 250.
diffserv3
Added in version 250.
Defaults to unset, and the kernel's default is used.
Added in version 250.
FirewallMark=
Added in version 250.
Wash=
Added in version 250.
SplitGSO=
Added in version 250.
RTTSec=
Added in version 253.
AckFilter=
Added in version 253.
[CONTROLLEDDELAY] SECTION OPTIONS
The [ControlledDelay] section manages the queueing discipline (qdisc) of controlled delay (CoDel).
Parent=
Handle=
PacketLimit=
Added in version 245.
TargetSec=
Added in version 245.
IntervalSec=
Added in version 245.
ECN=
Added in version 245.
CEThresholdSec=
Added in version 245.
[DEFICITROUNDROBINSCHEDULER] SECTION OPTIONS
The [DeficitRoundRobinScheduler] section manages the queueing discipline (qdisc) of Deficit Round Robin Scheduler (DRR).
Parent=
Handle=
[DEFICITROUNDROBINSCHEDULERCLASS] SECTION OPTIONS
The [DeficitRoundRobinSchedulerClass] section manages the traffic control class of Deficit Round Robin Scheduler (DRR).
Parent=
ClassId=
QuantumBytes=
Added in version 246.
[ENHANCEDTRANSMISSIONSELECTION] SECTION OPTIONS
The [EnhancedTransmissionSelection] section manages the queueing discipline (qdisc) of Enhanced Transmission Selection (ETS).
Parent=
Handle=
Bands=
Added in version 246.
StrictBands=
Added in version 246.
QuantumBytes=
Added in version 246.
PriorityMap=
Added in version 246.
[GENERICRANDOMEARLYDETECTION] SECTION OPTIONS
The [GenericRandomEarlyDetection] section manages the queueing discipline (qdisc) of Generic Random Early Detection (GRED).
Parent=
Handle=
VirtualQueues=
Added in version 246.
DefaultVirtualQueue=
Added in version 246.
GenericRIO=
Added in version 246.
[FAIRQUEUEINGCONTROLLEDDELAY] SECTION OPTIONS
The [FairQueueingControlledDelay] section manages the queueing discipline (qdisc) of fair queuing controlled delay (FQ-CoDel).
Parent=
Handle=
PacketLimit=
Added in version 245.
MemoryLimitBytes=
Added in version 246.
Flows=
Added in version 245.
TargetSec=
Added in version 245.
IntervalSec=
Added in version 245.
QuantumBytes=
Added in version 246.
ECN=
Added in version 245.
CEThresholdSec=
Added in version 245.
[FAIRQUEUEING] SECTION OPTIONS
The [FairQueueing] section manages the queueing discipline (qdisc) of fair queue traffic policing (FQ).
Parent=
Handle=
PacketLimit=
Added in version 245.
FlowLimit=
Added in version 245.
QuantumBytes=
Added in version 246.
InitialQuantumBytes=
Added in version 245.
MaximumRate=
Added in version 245.
Buckets=
Added in version 245.
OrphanMask=
Added in version 245.
Pacing=
Added in version 245.
CEThresholdSec=
Added in version 245.
[TRIVIALLINKEQUALIZER] SECTION OPTIONS
The [TrivialLinkEqualizer] section manages the queueing discipline (qdisc) of trivial link equalizer (teql).
Parent=
Handle=
Id=
Added in version 245.
[HIERARCHYTOKENBUCKET] SECTION OPTIONS
The [HierarchyTokenBucket] section manages the queueing discipline (qdisc) of hierarchy token bucket (htb).
Parent=
Handle=
DefaultClass=
Added in version 246.
RateToQuantum=
Added in version 246.
[HIERARCHYTOKENBUCKETCLASS] SECTION OPTIONS
The [HierarchyTokenBucketClass] section manages the traffic control class of hierarchy token bucket (htb).
Parent=
ClassId=
Priority=
Added in version 246.
QuantumBytes=
Added in version 246.
MTUBytes=
Added in version 246.
OverheadBytes=
Added in version 246.
Rate=
Added in version 246.
CeilRate=
Added in version 246.
BufferBytes=
Added in version 246.
CeilBufferBytes=
Added in version 246.
[HEAVYHITTERFILTER] SECTION OPTIONS
The [HeavyHitterFilter] section manages the queueing discipline (qdisc) of Heavy Hitter Filter (hhf).
Parent=
Handle=
PacketLimit=
Added in version 246.
[QUICKFAIRQUEUEING] SECTION OPTIONS
The [QuickFairQueueing] section manages the queueing discipline (qdisc) of Quick Fair Queueing (QFQ).
Parent=
Handle=
[QUICKFAIRQUEUEINGCLASS] SECTION OPTIONS
The [QuickFairQueueingClass] section manages the traffic control class of Quick Fair Queueing (qfq).
Parent=
ClassId=
Weight=
Added in version 246.
MaxPacketBytes=
Added in version 246.
[BRIDGEVLAN] SECTION OPTIONS
The [BridgeVLAN] section manages the VLAN ID configurations of a bridge master or port, and accepts the following keys. To make the settings in this section take effect, the VLANFiltering= option has to be enabled on the bridge master; see the [Bridge] section in systemd.netdev(5). If at least one valid setting is specified in this section in a .network file for an interface, all assigned VLAN IDs on the interface that are not configured in the .network file will be removed. If VLAN IDs on an interface need to be managed by other tools, then the settings in this section cannot be used in the matching .network file.
VLAN=
Added in version 231.
EgressUntagged=
Added in version 231.
PVID=
Added in version 231.
EXAMPLES
Example 1. Static network configuration
    # /etc/systemd/network/50-static.network
    [Match]
    Name=enp2s0

    [Network]
    Address=192.168.0.15/24
    Gateway=192.168.0.1
This brings interface "enp2s0" up with a static address. The specified gateway will be used for a default route.
Example 2. DHCP on ethernet links
    # /etc/systemd/network/80-dhcp.network
    [Match]
    Name=en*

    [Network]
    DHCP=yes
This will enable DHCPv4 and DHCPv6 on all interfaces with names starting with "en" (i.e. ethernet interfaces).
Example 3. IPv6 Prefix Delegation (DHCPv6 PD)
    # /etc/systemd/network/55-dhcpv6-pd-upstream.network
    [Match]
    Name=enp1s0

    [Network]
    DHCP=ipv6

    # The below setting is optional, to also assign an address in the delegated prefix
    # to the upstream interface. If not necessary, then comment out the line below and
    # the [DHCPPrefixDelegation] section.
    DHCPPrefixDelegation=yes

    # If the upstream network provides Router Advertisement with Managed bit set,
    # then comment out the line below and WithoutRA= setting in the [DHCPv6] section.
    IPv6AcceptRA=no

    [DHCPv6]
    WithoutRA=solicit

    [DHCPPrefixDelegation]
    UplinkInterface=:self
    SubnetId=0
    Announce=no

    # /etc/systemd/network/55-dhcpv6-pd-downstream.network
    [Match]
    Name=enp2s0

    [Network]
    DHCPPrefixDelegation=yes
    IPv6SendRA=yes

    # It is expected that the host is acting as a router. So, usually it is not
    # necessary to receive Router Advertisement from other hosts in the downstream network.
    IPv6AcceptRA=no

    [DHCPPrefixDelegation]
    UplinkInterface=enp1s0
    SubnetId=1
    Announce=yes
This will enable DHCPv6-PD on the interface enp1s0 as an upstream interface where the DHCPv6 client is running and enp2s0 as a downstream interface where the prefix is delegated to. The delegated prefixes are distributed by IPv6 Router Advertisement on the downstream network.
Example 4. IPv6 Prefix Delegation (DHCPv4 6RD)
    # /etc/systemd/network/55-dhcpv4-6rd-upstream.network
    [Match]
    Name=enp1s0

    [Network]
    DHCP=ipv4

    # When DHCPv4-6RD is used, the upstream network does not support IPv6.
    # Hence, it is not necessary to wait for Router Advertisement, which is enabled by default.
    IPv6AcceptRA=no

    [DHCPv4]
    Use6RD=yes

    # /etc/systemd/network/55-dhcpv4-6rd-downstream.network
    [Match]
    Name=enp2s0

    [Network]
    DHCPPrefixDelegation=yes
    IPv6SendRA=yes

    # It is expected that the host is acting as a router. So, usually it is not
    # necessary to receive Router Advertisement from other hosts in the downstream network.
    IPv6AcceptRA=no

    [DHCPPrefixDelegation]
    UplinkInterface=enp1s0
    SubnetId=1
    Announce=yes
This will enable DHCPv4-6RD on the interface enp1s0 as an upstream interface where the DHCPv4 client is running and enp2s0 as a downstream interface where the prefix is delegated to. The delegated prefixes are distributed by IPv6 Router Advertisement on the downstream network.
Example 5. A bridge with two enslaved links
    # /etc/systemd/network/25-bridge-static.netdev
    [NetDev]
    Name=bridge0
    Kind=bridge

    # /etc/systemd/network/25-bridge-static.network
    [Match]
    Name=bridge0

    [Network]
    Address=192.168.0.15/24
    Gateway=192.168.0.1
    DNS=192.168.0.1

    # /etc/systemd/network/25-bridge-slave-interface-1.network
    [Match]
    Name=enp2s0

    [Network]
    Bridge=bridge0

    # /etc/systemd/network/25-bridge-slave-interface-2.network
    [Match]
    Name=wlp3s0

    [Network]
    Bridge=bridge0
This creates a bridge and attaches devices "enp2s0" and "wlp3s0" to it. The bridge will have the specified static address and network assigned, and a default route via the specified gateway will be added. The specified DNS server will be added to the global list of DNS resolvers.
Example 6. Bridge port with VLAN forwarding
    # /etc/systemd/network/25-bridge-slave-interface-1.network
    [Match]
    Name=enp2s0

    [Network]
    Bridge=bridge0

    [BridgeVLAN]
    VLAN=1-32
    PVID=42
    EgressUntagged=42

    [BridgeVLAN]
    VLAN=100-200

    [BridgeVLAN]
    EgressUntagged=300-400
This overrides the configuration specified in the previous example for the interface "enp2s0", and enables VLAN on that bridge port. VLAN IDs 1-32, 42, 100-400 will be allowed. Packets tagged with VLAN IDs 42, 300-400 will be untagged when they leave on this interface. Untagged packets which arrive on this interface will be assigned VLAN ID 42.
Example 7. Various tunnels
    # /etc/systemd/network/25-tunnels.network
    [Match]
    Name=ens1

    [Network]
    Tunnel=ipip-tun
    Tunnel=sit-tun
    Tunnel=gre-tun
    Tunnel=vti-tun

    # /etc/systemd/network/25-tunnel-ipip.netdev
    [NetDev]
    Name=ipip-tun
    Kind=ipip

    # /etc/systemd/network/25-tunnel-sit.netdev
    [NetDev]
    Name=sit-tun
    Kind=sit

    # /etc/systemd/network/25-tunnel-gre.netdev
    [NetDev]
    Name=gre-tun
    Kind=gre

    # /etc/systemd/network/25-tunnel-vti.netdev
    [NetDev]
    Name=vti-tun
    Kind=vti
This will bring interface "ens1" up and create an IPIP tunnel, a SIT tunnel, a GRE tunnel, and a VTI tunnel using it.
Example 8. A bond device
    # /etc/systemd/network/30-bond1.network
    [Match]
    Name=bond1

    [Network]
    DHCP=ipv6

    # /etc/systemd/network/30-bond1.netdev
    [NetDev]
    Name=bond1
    Kind=bond

    # /etc/systemd/network/30-bond1-dev1.network
    [Match]
    MACAddress=52:54:00:e9:64:41

    [Network]
    Bond=bond1

    # /etc/systemd/network/30-bond1-dev2.network
    [Match]
    MACAddress=52:54:00:e9:64:42

    [Network]
    Bond=bond1
This will create a bond device "bond1" and enslave the two devices with MAC addresses 52:54:00:e9:64:41 and 52:54:00:e9:64:42 to it. IPv6 DHCP will be used to acquire an address.
Example 9. Virtual Routing and Forwarding (VRF)
Add the "bond1" interface to the VRF master interface "vrf1". This will redirect routes generated on this interface to be within the routing table defined during VRF creation. For kernels before 4.8, traffic won't be redirected towards the VRF's routing table unless specific ip-rules are added.
    # /etc/systemd/network/25-vrf.network
    [Match]
    Name=bond1

    [Network]
    VRF=vrf1
Example 10. MacVTap
This brings up a network interface "macvtap-test" and attaches it to "enp0s25".
    # /usr/lib/systemd/network/25-macvtap.network
    [Match]
    Name=enp0s25

    [Network]
    MACVTAP=macvtap-test
Example 11. A Xfrm interface with physical underlying device.
    # /etc/systemd/network/27-xfrm.netdev
    [NetDev]
    Name=xfrm0
    Kind=xfrm

    [Xfrm]
    InterfaceId=7

    # /etc/systemd/network/27-eth0.network
    [Match]
    Name=eth0

    [Network]
    Xfrm=xfrm0
This creates a "xfrm0" interface and binds it to the "eth0" device. This allows hardware-based IPsec offloading to the "eth0" NIC. If offloading is not needed, xfrm interfaces can be assigned to the "lo" device.
SEE ALSO
systemd(1), systemd-networkd.service(8), systemd.link(5), systemd.netdev(5), systemd-network-generator.service(8), systemd-resolved.service(8)
NOTES
1. 💣💥🧨💥💥💣 Please note that those configuration files must be available at all times. If /usr/local/ is a separate partition, it may not be available during early boot, and must not be used for configuration.
2. System and Service Credentials
3. Link-Local Multicast Name Resolution
4. Multicast DNS
5. DNS-over-TLS
6. DNSSEC
7. IEEE 802.1AB-2016
8. RFC 5227
9. IP Sysctl
10. RFC 4941
11. RFC 3704
12. RFC 3069
13. RFC 6275
14. RFC 4862
15. RFC 3041
16. NetLabel
17. Linux Security Modules (LSMs)
18. NetLabel Fallback Peer Labeling
19. NFT
20. RFC 3484
21. Type of Service
22. Differentiated services
23. Virtual Routing and Forwarding (VRF)
24. RFC 4191
25. RFC 8520
26. RFC 4039
27. RFC 7844
28. C-style escapes
29. RFC 3442
30. RFC 5969
31. RFC 8925
32. RFC 3315
33. RFC 8415
34. RFC 4291
35. RFC 7217
36. RFC 8781
37. RFC 2131
38. RFC 2132
39. RFC 1542
40. RFC 4039
41. RFC 4861
systemd 256.8