The [Network] section accepts the following keys:
Description=
A description of the device. This is only used for
presentation purposes.
DHCP=
Enables DHCPv4 and/or DHCPv6 client support. Accepts "yes",
"no", "ipv4", or "ipv6". Defaults to "no".
Note that DHCPv6 will by default be triggered by Router
Advertisement, if that is enabled, regardless of this
parameter. By enabling DHCPv6 support explicitly, the DHCPv6
client will be started regardless of the presence of routers
on the link, or what flags the routers pass. See
"IPv6AcceptRA=".
Furthermore, note that by default the domain name specified
through DHCP is not used for name resolution. See option
UseDomains=
below.
See the [DHCPv4] or [DHCPv6] sections below for further
configuration options for the DHCP client support.
DHCPServer=
Takes a boolean. If set to "yes", DHCPv4 server will be
started. Defaults to "no". Further settings for the DHCP
server may be set in the [DHCPServer] section described
below.
LinkLocalAddressing=
Enables link-local address autoconfiguration. Accepts yes
,
no
, ipv4
, and ipv6
. An IPv6 link-local address is configured
when yes
or ipv6
. An IPv4 link-local address is configured
when yes
or ipv4
and when DHCPv4 autoconfiguration has been
unsuccessful for some time. (IPv4 link-local address
autoconfiguration will usually happen in parallel with
repeated attempts to acquire a DHCPv4 lease).
Defaults to no
when Bridge= is set or when the specified
MACVLAN=/MACVTAP= has Mode=passthru, or ipv6
otherwise.
IPv6LinkLocalAddressGenerationMode=
Specifies how IPv6 link local address is generated. Takes one
of "eui64", "none", "stable-privacy" and "random". When
unset, "stable-privacy" is used if IPv6StableSecretAddress=
is specified, and if not, "eui64" is used. Note that if
LinkLocalAddressing= is "no" or "ipv4", then
IPv6LinkLocalAddressGenerationMode= will be ignored. Also,
even if LinkLocalAddressing= is "yes" or "ipv6", setting
IPv6LinkLocalAddressGenerationMode=none disables to configure
an IPv6 link-local address.
IPv6StableSecretAddress=
Takes an IPv6 address. The specified address will be used as
a stable secret for generating IPv6 link-local address. If
this setting is specified, and
IPv6LinkLocalAddressGenerationMode= is unset, then
IPv6LinkLocalAddressGenerationMode=stable-privacy is implied.
If this setting is not specified, and "stable-privacy" is set
to IPv6LinkLocalAddressGenerationMode=, then a stable secret
address will be generated from the local machine ID and the
interface name.
IPv4LLRoute=
Takes a boolean. If set to true, sets up the route needed for
non-IPv4LL hosts to communicate with IPv4LL-only hosts.
Defaults to false.
DefaultRouteOnDevice=
Takes a boolean. If set to true, sets up the default route
bound to the interface. Defaults to false. This is useful
when creating routes on point-to-point interfaces. This is
equivalent to e.g. the following,
ip route add default dev veth99
or,
[Route]
Gateway=0.0.0.0
Currently, there are no way to specify e.g., the table for
the route configured by this setting. To configure the
default route with such an additional property, please use
the following instead:
[Route]
Gateway=0.0.0.0
Table=1234
IPv6Token=
Specifies an optional address generation mode for the
Stateless Address Autoconfiguration (SLAAC). Supported modes
are "prefixstable" and "static".
When the mode is set to "static", an IPv6 address must be
specified after a colon (":"), and the lower bits of the
supplied address are combined with the upper bits of a prefix
received in a Router Advertisement (RA) message to form a
complete address. Note that if multiple prefixes are received
in an RA message, or in multiple RA messages, addresses will
be formed from each of them using the supplied address. This
mode implements SLAAC but uses a static interface identifier
instead of an identifier generated by using the EUI-64
algorithm. Because the interface identifier is static, if
Duplicate Address Detection detects that the computed address
is a duplicate (in use by another node on the link), then
this mode will fail to provide an address for that prefix. If
an IPv6 address without mode is specified, then "static" mode
is assumed.
When the mode is set to "prefixstable" the RFC 7217
[1]
algorithm for generating interface identifiers will be used.
This mode can optionally take an IPv6 address separated with
a colon (":"). If an IPv6 address is specified, then an
interface identifier is generated only when a prefix received
in an RA message matches the supplied address.
If no address generation mode is specified (which is the
default), or a received prefix does not match any of the
addresses provided in "prefixstable" mode, then the EUI-64
algorithm will be used to form an interface identifier for
that prefix. This mode is also SLAAC, but with a potentially
stable interface identifier which does not directly map to
the interface's hardware address.
Note that the "prefixstable" algorithm uses both the
interface name and MAC address as input to the hash to
compute the interface identifier, so if either of those are
changed the resulting interface identifier (and address) will
change, even if the prefix received in the RA message has not
changed.
This setting can be specified multiple times. If an empty
string is assigned, then the all previous assignments are
cleared.
Examples:
IPv6Token=::1a:2b:3c:4d
IPv6Token=static:::1a:2b:3c:4d
IPv6Token=prefixstable
IPv6Token=prefixstable:2002:da8:1::
LLMNR=
Takes a boolean or "resolve". When true, enables Link-Local
Multicast Name Resolution
[2] on the link. When set to
"resolve", only resolution is enabled, but not host
registration and announcement. Defaults to true. This setting
is read by systemd-resolved.service(8).
MulticastDNS=
Takes a boolean or "resolve". When true, enables Multicast
DNS
[3] support on the link. When set to "resolve", only
resolution is enabled, but not host or service registration
and announcement. Defaults to false. This setting is read by
systemd-resolved.service(8).
DNSOverTLS=
Takes a boolean or "opportunistic". When true, enables
DNS-over-TLS
[4] support on the link. When set to
"opportunistic", compatibility with non-DNS-over-TLS servers
is increased, by automatically turning off DNS-over-TLS
servers in this case. This option defines a per-interface
setting for resolved.conf(5)'s global DNSOverTLS= option.
Defaults to false. This setting is read by
systemd-resolved.service(8).
DNSSEC=
Takes a boolean or "allow-downgrade". When true, enables
DNSSEC
[5] DNS validation support on the link. When set to
"allow-downgrade", compatibility with non-DNSSEC capable
networks is increased, by automatically turning off DNSSEC in
this case. This option defines a per-interface setting for
resolved.conf(5)'s global DNSSEC= option. Defaults to false.
This setting is read by systemd-resolved.service(8).
DNSSECNegativeTrustAnchors=
A space-separated list of DNSSEC negative trust anchor
domains. If specified and DNSSEC is enabled, look-ups done
via the interface's DNS server will be subject to the list of
negative trust anchors, and not require authentication for
the specified domains, or anything below it. Use this to
disable DNSSEC authentication for specific private domains,
that cannot be proven valid using the Internet DNS hierarchy.
Defaults to the empty list. This setting is read by
systemd-resolved.service(8).
LLDP=
Controls support for Ethernet LLDP packet reception. LLDP is
a link-layer protocol commonly implemented on professional
routers and bridges which announces which physical port a
system is connected to, as well as other related data.
Accepts a boolean or the special value "routers-only". When
true, incoming LLDP packets are accepted and a database of
all LLDP neighbors maintained. If "routers-only" is set only
LLDP data of various types of routers is collected and LLDP
data about other types of devices ignored (such as stations,
telephones and others). If false, LLDP reception is disabled.
Defaults to "routers-only". Use networkctl(1) to query the
collected neighbor data. LLDP is only available on Ethernet
links. See EmitLLDP= below for enabling LLDP packet emission
from the local system.
EmitLLDP=
Controls support for Ethernet LLDP packet emission. Accepts a
boolean parameter or the special values "nearest-bridge",
"non-tpmr-bridge" and "customer-bridge". Defaults to false,
which turns off LLDP packet emission. If not false, a short
LLDP packet with information about the local system is sent
out in regular intervals on the link. The LLDP packet will
contain information about the local hostname, the local
machine ID (as stored in machine-id(5)) and the local
interface name, as well as the pretty hostname of the system
(as set in machine-info(5)). LLDP emission is only available
on Ethernet links. Note that this setting passes data
suitable for identification of host to the network and should
thus not be enabled on untrusted networks, where such
identification data should not be made available. Use this
option to permit other systems to identify on which
interfaces they are connected to this system. The three
special values control propagation of the LLDP packets. The
"nearest-bridge" setting permits propagation only to the
nearest connected bridge, "non-tpmr-bridge" permits
propagation across Two-Port MAC Relays, but not any other
bridges, and "customer-bridge" permits propagation until a
customer bridge is reached. For details about these concepts,
see IEEE 802.1AB-2016
[6]. Note that configuring this setting
to true is equivalent to "nearest-bridge", the recommended
and most restricted level of propagation. See LLDP= above for
an option to enable LLDP reception.
BindCarrier=
A link name or a list of link names. When set, controls the
behavior of the current link. When all links in the list are
in an operational down state, the current link is brought
down. When at least one link has carrier, the current
interface is brought up.
This forces ActivationPolicy= to be set to "bound".
Address=
A static IPv4 or IPv6 address and its prefix length,
separated by a "/" character. Specify this key more than once
to configure several addresses. The format of the address
must be as described in inet_pton(3). This is a short-hand
for an [Address] section only containing an Address key (see
below). This option may be specified more than once.
If the specified address is "0.0.0.0" (for IPv4) or "::" (for
IPv6), a new address range of the requested size is
automatically allocated from a system-wide pool of unused
ranges. Note that the prefix length must be equal or larger
than 8 for IPv4, and 64 for IPv6. The allocated range is
checked against all current network interfaces and all known
network configuration files to avoid address range conflicts.
The default system-wide pool consists of 192.168.0.0/16,
172.16.0.0/12 and 10.0.0.0/8 for IPv4, and fd00::/8 for IPv6.
This functionality is useful to manage a large number of
dynamically created network interfaces with the same network
configuration and automatic address range assignment.
Gateway=
The gateway address, which must be in the format described in
inet_pton(3). This is a short-hand for a [Route] section only
containing a Gateway key. This option may be specified more
than once.
DNS=
A DNS server address, which must be in the format described
in inet_pton(3). This option may be specified more than once.
Each address can optionally take a port number separated with
":", a network interface name or index separated with "%",
and a Server Name Indication (SNI) separated with "#". When
IPv6 address is specified with a port number, then the
address must be in the square brackets. That is, the
acceptable full formats are
"111.222.333.444:9953%ifname#example.com" for IPv4 and
"[1111:2222::3333]:9953%ifname#example.com" for IPv6. If an
empty string is assigned, then the all previous assignments
are cleared. This setting is read by
systemd-resolved.service(8).
Domains=
A whitespace-separated list of domains which should be
resolved using the DNS servers on this link. Each item in the
list should be a domain name, optionally prefixed with a
tilde ("~"). The domains with the prefix are called
"routing-only domains". The domains without the prefix are
called "search domains" and are first used as search suffixes
for extending single-label hostnames (hostnames containing no
dots) to become fully qualified domain names (FQDNs). If a
single-label hostname is resolved on this interface, each of
the specified search domains are appended to it in turn,
converting it into a fully qualified domain name, until one
of them may be successfully resolved.
Both "search" and "routing-only" domains are used for routing
of DNS queries: look-ups for hostnames ending in those
domains (hence also single label names, if any "search
domains" are listed), are routed to the DNS servers
configured for this interface. The domain routing logic is
particularly useful on multi-homed hosts with DNS servers
serving particular private DNS zones on each interface.
The "routing-only" domain "~." (the tilde indicating
definition of a routing domain, the dot referring to the DNS
root domain which is the implied suffix of all valid DNS
names) has special effect. It causes all DNS traffic which
does not match another configured domain routing entry to be
routed to DNS servers specified for this interface. This
setting is useful to prefer a certain set of DNS servers if a
link on which they are connected is available.
This setting is read by systemd-resolved.service(8). "Search
domains" correspond to the domain and search entries in
resolv.conf(5). Domain name routing has no equivalent in the
traditional glibc API, which has no concept of domain name
servers limited to a specific link.
DNSDefaultRoute=
Takes a boolean argument. If true, this link's configured DNS
servers are used for resolving domain names that do not match
any link's configured Domains= setting. If false, this link's
configured DNS servers are never used for such domains, and
are exclusively used for resolving names that match at least
one of the domains configured on this link. If not specified
defaults to an automatic mode: queries not matching any
link's configured domains will be routed to this link if it
has no routing-only domains configured.
NTP=
An NTP server address (either an IP address, or a hostname).
This option may be specified more than once. This setting is
read by systemd-timesyncd.service(8).
IPForward=
Configures IP packet forwarding for the system. If enabled,
incoming packets on any network interface will be forwarded
to any other interfaces according to the routing table. Takes
a boolean, or the values "ipv4" or "ipv6", which only enable
IP packet forwarding for the specified address family. This
controls the net.ipv4.ip_forward and
net.ipv6.conf.all.forwarding sysctl options of the network
interface (see ip-sysctl.txt
[7] for details about sysctl
options). Defaults to "no".
Note: this setting controls a global kernel option, and does
so one way only: if a network that has this setting enabled
is set up the global setting is turned on. However, it is
never turned off again, even after all networks with this
setting enabled are shut down again.
To allow IP packet forwarding only between specific network
interfaces use a firewall.
IPMasquerade=
Configures IP masquerading for the network interface. If
enabled, packets forwarded from the network interface will be
appear as coming from the local host. Takes one of "ipv4",
"ipv6", "both", or "no". Defaults to "no". If enabled, this
automatically sets IPForward= to one of "ipv4", "ipv6" or
"yes".
Note. Any positive boolean values such as "yes" or "true" are
now deprecated. Please use one of the values in the above.
IPv6PrivacyExtensions=
Configures use of stateless temporary addresses that change
over time (see RFC 4941
[8], Privacy Extensions for Stateless
Address Autoconfiguration in IPv6). Takes a boolean or the
special values "prefer-public" and "kernel". When true,
enables the privacy extensions and prefers temporary
addresses over public addresses. When "prefer-public",
enables the privacy extensions, but prefers public addresses
over temporary addresses. When false, the privacy extensions
remain disabled. When "kernel", the kernel's default setting
will be left in place. Defaults to "no".
IPv6AcceptRA=
Takes a boolean. Controls IPv6 Router Advertisement (RA)
reception support for the interface. If true, RAs are
accepted; if false, RAs are ignored. When RAs are accepted,
they may trigger the start of the DHCPv6 client if the
relevant flags are set in the RA data, or if no routers are
found on the link. The default is to disable RA reception for
bridge devices or when IP forwarding is enabled, and to
enable it otherwise. Cannot be enabled on bond devices and
when link local addressing is disabled.
Further settings for the IPv6 RA support may be configured in
the [IPv6AcceptRA] section, see below.
Also see ip-sysctl.txt
[7] in the kernel documentation
regarding "accept_ra", but note that systemd's setting of 1
(i.e. true) corresponds to kernel's setting of 2
.
Note that kernel's implementation of the IPv6 RA protocol is
always disabled, regardless of this setting. If this option
is enabled, a userspace implementation of the IPv6 RA
protocol is used, and the kernel's own implementation remains
disabled, since systemd-networkd
needs to know all details
supplied in the advertisements, and these are not available
from the kernel if the kernel's own implementation is used.
IPv6DuplicateAddressDetection=
Configures the amount of IPv6 Duplicate Address Detection
(DAD) probes to send. When unset, the kernel's default will
be used.
IPv6HopLimit=
Configures IPv6 Hop Limit. For each router that forwards the
packet, the hop limit is decremented by 1. When the hop limit
field reaches zero, the packet is discarded. When unset, the
kernel's default will be used.
IPv4AcceptLocal=
Takes a boolean. Accept packets with local source addresses.
In combination with suitable routing, this can be used to
direct packets between two local interfaces over the wire and
have them accepted properly. When unset, the kernel's default
will be used.
IPv4RouteLocalnet=
Takes a boolean. When true, the kernel does not consider
loopback addresses as martian source or destination while
routing. This enables the use of 127.0.0.0/8 for local
routing purposes. When unset, the kernel's default will be
used.
IPv4ProxyARP=
Takes a boolean. Configures proxy ARP for IPv4. Proxy ARP is
the technique in which one host, usually a router, answers
ARP requests intended for another machine. By "faking" its
identity, the router accepts responsibility for routing
packets to the "real" destination. See RFC 1027
[9]. When
unset, the kernel's default will be used.
IPv6ProxyNDP=
Takes a boolean. Configures proxy NDP for IPv6. Proxy NDP
(Neighbor Discovery Protocol) is a technique for IPv6 to
allow routing of addresses to a different destination when
peers expect them to be present on a certain physical link.
In this case a router answers Neighbour Advertisement
messages intended for another machine by offering its own MAC
address as destination. Unlike proxy ARP for IPv4, it is not
enabled globally, but will only send Neighbour Advertisement
messages for addresses in the IPv6 neighbor proxy table,
which can also be shown by ip -6 neighbour show proxy
.
systemd-networkd will control the per-interface `proxy_ndp`
switch for each configured interface depending on this
option. When unset, the kernel's default will be used.
IPv6ProxyNDPAddress=
An IPv6 address, for which Neighbour Advertisement messages
will be proxied. This option may be specified more than once.
systemd-networkd will add the IPv6ProxyNDPAddress=
entries to
the kernel's IPv6 neighbor proxy table. This option implies
IPv6ProxyNDP=yes
but has no effect if IPv6ProxyNDP
has been
set to false. When unset, the kernel's default will be used.
IPv6SendRA=
Whether to enable or disable Router Advertisement sending on
a link. Takes a boolean value. When enabled, prefixes
configured in [IPv6Prefix] sections and routes configured in
[IPv6RoutePrefix] sections are distributed as defined in the
[IPv6SendRA] section. If DHCPv6PrefixDelegation= is enabled,
then the delegated prefixes are also distributed. See
DHCPv6PrefixDelegation= setting and the [IPv6SendRA],
[IPv6Prefix], [IPv6RoutePrefix], and [DHCPv6PrefixDelegation]
sections for more configuration options.
DHCPv6PrefixDelegation=
Takes a boolean value. When enabled, requests prefixes using
a DHCPv6 client configured on another link. By default, an
address within each delegated prefix will be assigned, and
the prefixes will be announced through IPv6 Router
Advertisement when IPv6SendRA= is enabled. Such default
settings can be configured in [DHCPv6PrefixDelegation]
section. Defaults to disabled.
IPv6MTUBytes=
Configures IPv6 maximum transmission unit (MTU). An integer
greater than or equal to 1280 bytes. When unset, the kernel's
default will be used.
BatmanAdvanced=, Bond=, Bridge=, VRF=
The name of the B.A.T.M.A.N. Advanced, bond, bridge, or VRF
interface to add the link to. See systemd.netdev(5).
IPVLAN=, IPVTAP=, L2TP=, MACsec=, MACVLAN=, MACVTAP=, Tunnel=,
VLAN=, VXLAN=, Xfrm=
The name of an IPVLAN, IPVTAP, L2TP, MACsec, MACVLAN,
MACVTAP, tunnel, VLAN, VXLAN, or Xfrm to be created on the
link. See systemd.netdev(5). This option may be specified
more than once.
ActiveSlave=
Takes a boolean. Specifies the new active slave. The
"ActiveSlave=" option is only valid for following modes:
"active-backup", "balance-alb" and "balance-tlb". Defaults to
false.
PrimarySlave=
Takes a boolean. Specifies which slave is the primary device.
The specified device will always be the active slave while it
is available. Only when the primary is off-line will
alternate devices be used. This is useful when one slave is
preferred over another, e.g. when one slave has higher
throughput than another. The "PrimarySlave=" option is only
valid for following modes: "active-backup", "balance-alb" and
"balance-tlb". Defaults to false.
ConfigureWithoutCarrier=
Takes a boolean. Allows networkd to configure a specific link
even if it has no carrier. Defaults to false. If
IgnoreCarrierLoss=
is not explicitly set, it will default to
this value.
IgnoreCarrierLoss=
Takes a boolean. Allows networkd to retain both the static
and dynamic configuration of the interface even if its
carrier is lost. When unset, the value specified with
ConfigureWithoutCarrier=
is used.
When ActivationPolicy= is set to "always-up", this is forced
to "true".
KeepConfiguration=
Takes a boolean or one of "static", "dhcp-on-stop", "dhcp".
When "static", systemd-networkd
will not drop static
addresses and routes on starting up process. When set to
"dhcp-on-stop", systemd-networkd
will not drop addresses and
routes on stopping the daemon. When "dhcp", the addresses and
routes provided by a DHCP server will never be dropped even
if the DHCP lease expires. This is contrary to the DHCP
specification, but may be the best choice if, e.g., the root
filesystem relies on this connection. The setting "dhcp"
implies "dhcp-on-stop", and "yes" implies "dhcp" and
"static". Defaults to "no".