SYSTEMD.NETDEV(5) SYSTEMD.NETDEV(5)
NAME
systemd.netdev - Virtual Network Device configuration
SYNOPSIS
netdev.netdev
DESCRIPTION
A plain ini-style text file that encodes configuration about
a virtual network device, used by systemd-networkd(8). See
systemd.syntax(7) for a general description of the syntax.
The main Virtual Network Device file must have the extension
.netdev; other extensions are ignored. Virtual network
devices are created as soon as networkd is started. If a
netdev with the specified name already exists, networkd will
use that as-is rather than create its own. Note that the
settings of the pre-existing netdev will not be changed by
networkd.
The .netdev files are read from the files located in the
system network directory /lib/systemd/network, the volatile
runtime network directory /run/systemd/network and the local
administration network directory /etc/systemd/network. All
configuration files are collectively sorted and processed in
lexical order, regardless of the directories in which they
live. However, files with identical filenames replace each
other. Files in /etc/ have the highest priority, files in
/run/ take precedence over files with the same name in
/lib/. This can be used to override a system-supplied
configuration file with a local file if needed. As a special
case, an empty file (file size 0) or symlink with the same
name pointing to /dev/null disables the configuration file
entirely (it is "masked").
Along with the netdev file foo.netdev, a "drop-in" directory
foo.netdev.d/ may exist. All files with the suffix ".conf"
from this directory will be parsed after the file itself is
parsed. This is useful to alter or add configuration
settings, without having to modify the main configuration
file. Each drop-in file must have appropriate section
headers.
In addition to /etc/systemd/network, drop-in ".d"
directories can be placed in /lib/systemd/network or
/run/systemd/network directories. Drop-in files in /etc/
take precedence over those in /run/ which in turn take
precedence over those in /lib/. Drop-in files under any of
these directories take precedence over the main netdev file
wherever located. (Of course, since /run/ is temporary and
/usr/lib/ is for vendors, it is unlikely drop-ins should be
Page 1 systemd 247 (printed 5/26/22)
SYSTEMD.NETDEV(5) SYSTEMD.NETDEV(5)
used in either of those places.)
SUPPORTED NETDEV KINDS
The following kinds of virtual network devices may be
configured in .netdev files:
Table 1. Supported kinds of virtual network devices allbox
tab(:); lB lB. T{ Kind T}:T{ Description T} l l l l l l l l
l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l
l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l.
T{ bond T}:T{ A bond device is an aggregation of all its
slave devices. See m[blue]Linux Ethernet Bonding Driver HOW-
TOm[][1] for details. T} T{ bridge T}:T{ A bridge device is
a software switch, and each of its slave devices and the
bridge itself are ports of the switch. T} T{ dummy T}:T{ A
dummy device drops all packets sent to it. T} T{ gre T}:T{
A Level 3 GRE tunnel over IPv4. See m[blue]RFC 2784m[][2]
for details. T} T{ gretap T}:T{ A Level 2 GRE tunnel over
IPv4. T} T{ erspan T}:T{ ERSPAN mirrors traffic on one or
more source ports and delivers the mirrored traffic to one
or more destination ports on another switch. The traffic is
encapsulated in generic routing encapsulation (GRE) and is
therefore routable across a layer 3 network between the
source switch and the destination switch. T} T{ ip6gre
T}:T{ A Level 3 GRE tunnel over IPv6. T} T{ ip6tnl T}:T{ An
IPv4 or IPv6 tunnel over IPv6 T} T{ ip6gretap T}:T{ A Level
2 GRE tunnel over IPv6. T} T{ ipip T}:T{ An IPv4 over IPv4
tunnel. T} T{ ipvlan T}:T{ An IPVLAN device is a stacked
device which receives packets from its underlying device
based on IP address filtering. T} T{ ipvtap T}:T{ An IPVTAP
device is a stacked device which receives packets from its
underlying device based on IP address filtering and can be
accessed using the tap user space interface. T} T{ macvlan
T}:T{ A macvlan device is a stacked device which receives
packets from its underlying device based on MAC address fil-
tering. T} T{ macvtap T}:T{ A macvtap device is a stacked
device which receives packets from its underlying device
based on MAC address filtering. T} T{ sit T}:T{ An IPv6
over IPv4 tunnel. T} T{ tap T}:T{ A persistent Level 2 tun-
nel between a network device and a device node. T} T{ tun
T}:T{ A persistent Level 3 tunnel between a network device
and a device node. T} T{ veth T}:T{ An Ethernet tunnel
between a pair of network devices. T} T{ vlan T}:T{ A VLAN
is a stacked device which receives packets from its underly-
ing device based on VLAN tagging. See m[blue]IEEE
802.1Qm[][3] for details. T} T{ vti T}:T{ An IPv4 over
IPSec tunnel. T} T{ vti6 T}:T{ An IPv6 over IPSec tunnel.
T} T{ vxlan T}:T{ A virtual extensible LAN (vxlan), for con-
necting Cloud computing deployments. T} T{ geneve T}:T{ A
GEneric NEtwork Virtualization Encapsulation (GENEVE) netdev
driver. T} T{ l2tp T}:T{ A Layer 2 Tunneling Protocol
(L2TP) is a tunneling protocol used to support virtual
Page 2 systemd 247 (printed 5/26/22)
SYSTEMD.NETDEV(5) SYSTEMD.NETDEV(5)
private networks (VPNs) or as part of the delivery of ser-
vices by ISPs. It does not provide any encryption or confi-
dentiality by itself T} T{ macsec T}:T{ Media Access Control
Security (MACsec) is an 802.1AE IEEE industry-standard secu-
rity technology that provides secure communication for all
traffic on Ethernet links. MACsec provides point-to-point
security on Ethernet links between directly connected nodes
and is capable of identifying and preventing most security
threats. T} T{ vrf T}:T{ A Virtual Routing and Forwarding
(m[blue]VRFm[][4]) interface to create separate routing and
forwarding domains. T} T{ vcan T}:T{ The virtual CAN driver
(vcan). Similar to the network loopback devices, vcan offers
a virtual local CAN interface. T} T{ vxcan T}:T{ The vir-
tual CAN tunnel driver (vxcan). Similar to the virtual eth-
ernet driver veth, vxcan implements a local CAN traffic tun-
nel between two virtual CAN network devices. When creating a
vxcan, two vxcan devices are created as pair. When one end
receives the packet it appears on its pair and vice versa.
The vxcan can be used for cross namespace communication. T}
T{ wireguard T}:T{ WireGuard Secure Network Tunnel. T} T{
nlmon T}:T{ A Netlink monitor device. Use an nlmon device
when you want to monitor system Netlink messages. T} T{ fou
T}:T{ Foo-over-UDP tunneling. T} T{ xfrm T}:T{ A virtual
tunnel interface like vti/vti6 but with several advantages.
T} T{ ifb T}:T{ The Intermediate Functional Block (ifb)
pseudo network interface acts as a QoS concentrator for mul-
tiple different sources of traffic. T} T{ bareudp T}:T{
Bare UDP tunnels provide a generic L3 encapsulation support
for tunnelling different L3 protocols like MPLS, IP etc.
inside of an UDP tunnel. T}
[MATCH] SECTION OPTIONS
A virtual network device is only created if the [Match] sec-
tion matches the current environment, or if the section is
empty. The following keys are accepted:
Host=
Matches against the hostname or machine ID of the host.
See "ConditionHost=" in systemd.unit(5) for details.
When prefixed with an exclamation mark ("!"), the result
is negated. If an empty string is assigned, then previ-
ously assigned value is cleared.
Virtualization=
Checks whether the system is executed in a virtualized
environment and optionally test whether it is a specific
implementation. See "ConditionVirtualization=" in
systemd.unit(5) for details. When prefixed with an
exclamation mark ("!"), the result is negated. If an
empty string is assigned, then previously assigned value
is cleared.
Page 3 systemd 247 (printed 5/26/22)
SYSTEMD.NETDEV(5) SYSTEMD.NETDEV(5)
KernelCommandLine=
Checks whether a specific kernel command line option is
set. See "ConditionKernelCommandLine=" in
systemd.unit(5) for details. When prefixed with an
exclamation mark ("!"), the result is negated. If an
empty string is assigned, then previously assigned value
is cleared.
KernelVersion=
Checks whether the kernel version (as reported by uname
-r) matches a certain expression. See "ConditionKer-
nelVersion=" in systemd.unit(5) for details. When pre-
fixed with an exclamation mark ("!"), the result is
negated. If an empty string is assigned, then previously
assigned value is cleared.
Architecture=
Checks whether the system is running on a specific
architecture. See "ConditionArchitecture=" in
systemd.unit(5) for details. When prefixed with an
exclamation mark ("!"), the result is negated. If an
empty string is assigned, then previously assigned value
is cleared.
[NETDEV] SECTION OPTIONS
The [NetDev] section accepts the following keys:
Description=
A free-form description of the netdev.
Name=
The interface name used when creating the netdev. This
setting is compulsory.
Kind=
The netdev kind. This setting is compulsory. See the
"Supported netdev kinds" section for the valid keys.
MTUBytes=
The maximum transmission unit in bytes to set for the
device. The usual suffixes K, M, G are supported and are
understood to the base of 1024. For "tun" or "tap"
devices, MTUBytes= setting is not currently supported in
[NetDev] section. Please specify it in [Link] section of
corresponding systemd.network(5) files.
MACAddress=
The MAC address to use for the device. For "tun" or
"tap" devices, setting MACAddress= in the [NetDev] sec-
tion is not supported. Please specify it in [Link] sec-
tion of the corresponding systemd.network(5) file. If
this option is not set, "vlan" devices inherit the MAC
Page 4 systemd 247 (printed 5/26/22)
SYSTEMD.NETDEV(5) SYSTEMD.NETDEV(5)
address of the physical interface. For other kind of
netdevs, if this option is not set, then MAC address is
generated based on the interface name and the machine-
id(5).
[BRIDGE] SECTION OPTIONS
The [Bridge] section only applies for netdevs of kind
"bridge", and accepts the following keys:
HelloTimeSec=
HelloTimeSec specifies the number of seconds between two
hello packets sent out by the root bridge and the desig-
nated bridges. Hello packets are used to communicate
information about the topology throughout the entire
bridged local area network.
MaxAgeSec=
MaxAgeSec specifies the number of seconds of maximum
message age. If the last seen (received) hello packet is
more than this number of seconds old, the bridge in
question will start the takeover procedure in attempt to
become the Root Bridge itself.
ForwardDelaySec=
ForwardDelaySec specifies the number of seconds spent in
each of the Listening and Learning states before the
Forwarding state is entered.
AgeingTimeSec=
This specifies the number of seconds a MAC Address will
be kept in the forwarding database after having a packet
received from this MAC Address.
Priority=
The priority of the bridge. An integer between 0 and
65535. A lower value means higher priority. The bridge
having the lowest priority will be elected as root
bridge.
GroupForwardMask=
A 16-bit bitmask represented as an integer which allows
forwarding of link local frames with 802.1D reserved
addresses (01:80:C2:00:00:0X). A logical AND is per-
formed between the specified bitmask and the exponentia-
tion of 2^X, the lower nibble of the last octet of the
MAC address. For example, a value of 8 would allow for-
warding of frames addressed to 01:80:C2:00:00:03 (802.1X
PAE).
DefaultPVID=
This specifies the default port VLAN ID of a newly
attached bridge port. Set this to an integer in the
Page 5 systemd 247 (printed 5/26/22)
SYSTEMD.NETDEV(5) SYSTEMD.NETDEV(5)
range 1en4094 or "none" to disable the PVID.
MulticastQuerier=
Takes a boolean. This setting controls the
IFLA_BR_MCAST_QUERIER option in the kernel. If enabled,
the kernel will send general ICMP queries from a zero
source address. This feature should allow faster conver-
gence on startup, but it causes some multicast-aware
switches to misbehave and disrupt forwarding of multi-
cast packets. When unset, the kernel's default will be
used.
MulticastSnooping=
Takes a boolean. This setting controls the
IFLA_BR_MCAST_SNOOPING option in the kernel. If enabled,
IGMP snooping monitors the Internet Group Management
Protocol (IGMP) traffic between hosts and multicast
routers. When unset, the kernel's default will be used.
VLANFiltering=
Takes a boolean. This setting controls the
IFLA_BR_VLAN_FILTERING option in the kernel. If enabled,
the bridge will be started in VLAN-filtering mode. When
unset, the kernel's default will be used.
VLANProtocol=
Allows setting the protocol used for VLAN filtering.
Takes 802.1q or, 802.1ad, and defaults to unset and
kernel's default is used.
STP=
Takes a boolean. This enables the bridge's Spanning Tree
Protocol (STP). When unset, the kernel's default will be
used.
MulticastIGMPVersion=
Allows changing bridge's multicast Internet Group Man-
agement Protocol (IGMP) version. Takes an integer 2 or
3. When unset, the kernel's default will be used.
[VLAN] SECTION OPTIONS
The [VLAN] section only applies for netdevs of kind "vlan",
and accepts the following key:
Id=
The VLAN ID to use. An integer in the range 0en4094. This
setting is compulsory.
GVRP=
Takes a boolean. The Generic VLAN Registration Protocol
(GVRP) is a protocol that allows automatic learning of
VLANs on a network. When unset, the kernel's default
Page 6 systemd 247 (printed 5/26/22)
SYSTEMD.NETDEV(5) SYSTEMD.NETDEV(5)
will be used.
MVRP=
Takes a boolean. Multiple VLAN Registration Protocol
(MVRP) formerly known as GARP VLAN Registration Protocol
(GVRP) is a standards-based Layer 2 network protocol,
for automatic configuration of VLAN information on
switches. It was defined in the 802.1ak amendment to
802.1Q-2005. When unset, the kernel's default will be
used.
LooseBinding=
Takes a boolean. The VLAN loose binding mode, in which
only the operational state is passed from the parent to
the associated VLANs, but the VLAN device state is not
changed. When unset, the kernel's default will be used.
ReorderHeader=
Takes a boolean. When enabled, the VLAN reorder header
is used and VLAN interfaces behave like physical inter-
faces. When unset, the kernel's default will be used.
[MACVLAN] SECTION OPTIONS
The [MACVLAN] section only applies for netdevs of kind
"macvlan", and accepts the following key:
Mode=
The MACVLAN mode to use. The supported options are "pri-
vate", "vepa", "bridge", "passthru", and "source".
SourceMACAddress=
A whitespace-separated list of remote hardware addresses
allowed on the MACVLAN. This option only has an effect
in source mode. Use full colon-, hyphen- or
dot-delimited hexadecimal. This option may appear more
than once, in which case the lists are merged. If the
empty string is assigned to this option, the list of
hardware addresses defined prior to this is reset.
Defaults to unset.
[MACVTAP] SECTION OPTIONS
The [MACVTAP] section applies for netdevs of kind "macvtap"
and accepts the same keys as [MACVLAN].
[IPVLAN] SECTION OPTIONS
The [IPVLAN] section only applies for netdevs of kind
"ipvlan", and accepts the following key:
Mode=
The IPVLAN mode to use. The supported options are
"L2","L3" and "L3S".
Page 7 systemd 247 (printed 5/26/22)
SYSTEMD.NETDEV(5) SYSTEMD.NETDEV(5)
Flags=
The IPVLAN flags to use. The supported options are
"bridge","private" and "vepa".
[IPVTAP] SECTION OPTIONS
The [IPVTAP] section only applies for netdevs of kind "ipv-
tap" and accepts the same keys as [IPVLAN].
[VXLAN] SECTION OPTIONS
The [VXLAN] section only applies for netdevs of kind
"vxlan", and accepts the following keys:
VNI=
The VXLAN Network Identifier (or VXLAN Segment ID).
Takes a number in the range 1-16777215.
Remote=
Configures destination IP address.
Local=
Configures local IP address.
Group=
Configures VXLAN multicast group IP address. All members
of a VXLAN must use the same multicast group address.
TOS=
The Type Of Service byte value for a vxlan interface.
TTL=
A fixed Time To Live N on Virtual eXtensible Local Area
Network packets. Takes "inherit" or a number in the
range 0en255. 0 is a special value meaning inherit the
inner protocol's TTL value. "inherit" means that it
will inherit the outer protocol's TTL value.
MacLearning=
Takes a boolean. When true, enables dynamic MAC learning
to discover remote MAC addresses.
FDBAgeingSec=
The lifetime of Forwarding Database entry learnt by the
kernel, in seconds.
MaximumFDBEntries=
Configures maximum number of FDB entries.
ReduceARPProxy=
Takes a boolean. When true, bridge-connected VXLAN tun-
nel endpoint answers ARP requests from the local bridge
on behalf of remote Distributed Overlay Virtual Ethernet
m[blue](DVOE)m[][5] clients. Defaults to false.
Page 8 systemd 247 (printed 5/26/22)
SYSTEMD.NETDEV(5) SYSTEMD.NETDEV(5)
L2MissNotification=
Takes a boolean. When true, enables netlink LLADDR miss
notifications.
L3MissNotification=
Takes a boolean. When true, enables netlink IP address
miss notifications.
RouteShortCircuit=
Takes a boolean. When true, route short circuiting is
turned on.
UDPChecksum=
Takes a boolean. When true, transmitting UDP checksums
when doing VXLAN/IPv4 is turned on.
UDP6ZeroChecksumTx=
Takes a boolean. When true, sending zero checksums in
VXLAN/IPv6 is turned on.
UDP6ZeroChecksumRx=
Takes a boolean. When true, receiving zero checksums in
VXLAN/IPv6 is turned on.
RemoteChecksumTx=
Takes a boolean. When true, remote transmit checksum
offload of VXLAN is turned on.
RemoteChecksumRx=
Takes a boolean. When true, remote receive checksum
offload in VXLAN is turned on.
GroupPolicyExtension=
Takes a boolean. When true, it enables Group Policy
VXLAN extension security label mechanism across network
peers based on VXLAN. For details about the Group Policy
VXLAN, see the m[blue]VXLAN Group Policym[][6] document.
Defaults to false.
GenericProtocolExtension=
Takes a boolean. When true, Generic Protocol Extension
extends the existing VXLAN protocol to provide protocol
typing, OAM, and versioning capabilities. For details
about the VXLAN GPE Header, see the m[blue]Generic Pro-
tocol Extension for VXLANm[][7] document. If destination
port is not specified and Generic Protocol Extension is
set then default port of 4790 is used. Defaults to
false.
DestinationPort=
Configures the default destination UDP port. If the des-
tination port is not specified then Linux kernel default
Page 9 systemd 247 (printed 5/26/22)
SYSTEMD.NETDEV(5) SYSTEMD.NETDEV(5)
will be used. Set to 4789 to get the IANA assigned
value.
PortRange=
Configures the source port range for the VXLAN. The ker-
nel assigns the source UDP port based on the flow to
help the receiver to do load balancing. When this option
is not set, the normal range of local UDP ports is used.
FlowLabel=
Specifies the flow label to use in outgoing packets. The
valid range is 0-1048575.
IPDoNotFragment=
Allows setting the IPv4 Do not Fragment (DF) bit in out-
going packets, or to inherit its value from the IPv4
inner header. Takes a boolean value, or "inherit". Set
to "inherit" if the encapsulated protocol is IPv6. When
unset, the kernel's default will be used.
[GENEVE] SECTION OPTIONS
The [GENEVE] section only applies for netdevs of kind "gen-
eve", and accepts the following keys:
Id=
Specifies the Virtual Network Identifier (VNI) to use, a
number between 0 and 16777215. This field is mandatory.
Remote=
Specifies the unicast destination IP address to use in
outgoing packets.
TOS=
Specifies the TOS value to use in outgoing packets.
Takes a number between 1 and 255.
TTL=
Accepts the same values as in the [VXLAN] section,
except that when unset or set to 0, the kernel's default
will be used, meaning that packet TTL will be set from
/proc/sys/net/ipv4/ip_default_ttl.
UDPChecksum=
Takes a boolean. When true, specifies that UDP checksum
is calculated for transmitted packets over IPv4.
UDP6ZeroChecksumTx=
Takes a boolean. When true, skip UDP checksum calcula-
tion for transmitted packets over IPv6.
UDP6ZeroChecksumRx=
Takes a boolean. When true, allows incoming UDP packets
Page 10 systemd 247 (printed 5/26/22)
SYSTEMD.NETDEV(5) SYSTEMD.NETDEV(5)
over IPv6 with zero checksum field.
DestinationPort=
Specifies destination port. Defaults to 6081. If not set
or assigned the empty string, the default port of 6081
is used.
FlowLabel=
Specifies the flow label to use in outgoing packets.
IPDoNotFragment=
Accepts the same key as in [VXLAN] section.
Independent=
Takes a boolean. When true, the vxlan interface is cre-
ated without any underlying network interface. Defaults
to false, which means that a .network file that requests
this tunnel using Tunnel= is required for the tunnel to
be created.
[BAREUDP] SECTION OPTIONS
The [BareUDP] section only applies for netdevs of kind
"bareudp", and accepts the following keys:
DestinationPort=
Specifies the destination UDP port (in range 1...65535).
This is mandatory.
EtherType=
Specifies the L3 protocol. Takes one of "ipv4", "ipv6",
"mpls-uc" or "mpls-mc". This is mandatory.
[L2TP] SECTION OPTIONS
The [L2TP] section only applies for netdevs of kind "l2tp",
and accepts the following keys:
TunnelId=
Specifies the tunnel identifier. Takes an number in the
range 1en4294967295. The value used must match the "Peer-
TunnelId=" value being used at the peer. This setting is
compulsory.
PeerTunnelId=
Specifies the peer tunnel id. Takes a number in the
range 1-4294967295. The value used must match the "Tun-
nelId=" value being used at the peer. This setting is
compulsory.
Remote=
Specifies the IP address of the remote peer. This set-
ting is compulsory.
Page 11 systemd 247 (printed 5/26/22)
SYSTEMD.NETDEV(5) SYSTEMD.NETDEV(5)
Local=
Specifies the IP address of the local interface. Takes
an IP address, or the special values "auto", "static",
or "dynamic". When an address is set, then the local
interface must have the address. If "auto", then one of
the addresses on the local interface is used. Similarly,
if "static" or "dynamic" is set, then one of the static
or dynamic addresses on the local interface is used.
Defaults to "auto".
EncapsulationType=
Specifies the encapsulation type of the tunnel. Takes
one of "udp" or "ip".
UDPSourcePort=
Specifies the UDP source port to be used for the tunnel.
When UDP encapsulation is selected it's mandatory.
Ignored when IP encapsulation is selected.
UDPDestinationPort=
Specifies destination port. When UDP encapsulation is
selected it's mandatory. Ignored when IP encapsulation
is selected.
UDPChecksum=
Takes a boolean. When true, specifies that UDP checksum
is calculated for transmitted packets over IPv4.
UDP6ZeroChecksumTx=
Takes a boolean. When true, skip UDP checksum calcula-
tion for transmitted packets over IPv6.
UDP6ZeroChecksumRx=
Takes a boolean. When true, allows incoming UDP packets
over IPv6 with zero checksum field.
[L2TPSESSION] SECTION OPTIONS
The [L2TPSession] section only applies for netdevs of kind
"l2tp", and accepts the following keys:
Name=
Specifies the name of the session. This setting is com-
pulsory.
SessionId=
Specifies the session identifier. Takes an number in the
range 1en4294967295. The value used must match the "Ses-
sionId=" value being used at the peer. This setting is
compulsory.
PeerSessionId=
Specifies the peer session identifier. Takes an number
Page 12 systemd 247 (printed 5/26/22)
SYSTEMD.NETDEV(5) SYSTEMD.NETDEV(5)
in the range 1en4294967295. The value used must match the
"PeerSessionId=" value being used at the peer. This set-
ting is compulsory.
Layer2SpecificHeader=
Specifies layer2specific header type of the session. One
of "none" or "default". Defaults to "default".
[MACSEC] SECTION OPTIONS
The [MACsec] section only applies for network devices of
kind "macsec", and accepts the following keys:
Port=
Specifies the port to be used for the MACsec transmit
channel. The port is used to make secure channel identi-
fier (SCI). Takes a value between 1 and 65535. Defaults
to unset.
Encrypt=
Takes a boolean. When true, enable encryption. Defaults
to unset.
[MACSECRECEIVECHANNEL] SECTION OPTIONS
The [MACsecReceiveChannel] section only applies for network
devices of kind "macsec", and accepts the following keys:
Port=
Specifies the port to be used for the MACsec receive
channel. The port is used to make secure channel identi-
fier (SCI). Takes a value between 1 and 65535. This
option is compulsory, and is not set by default.
MACAddress=
Specifies the MAC address to be used for the MACsec
receive channel. The MAC address used to make secure
channel identifier (SCI). This setting is compulsory,
and is not set by default.
[MACSECTRANSMITASSOCIATION] SECTION OPTIONS
The [MACsecTransmitAssociation] section only applies for
network devices of kind "macsec", and accepts the following
keys:
PacketNumber=
Specifies the packet number to be used for replay pro-
tection and the construction of the initialization vec-
tor (along with the secure channel identifier [SCI]).
Takes a value between 1-4,294,967,295. Defaults to
unset.
KeyId=
Specifies the identification for the key. Takes a number
Page 13 systemd 247 (printed 5/26/22)
SYSTEMD.NETDEV(5) SYSTEMD.NETDEV(5)
between 0-255. This option is compulsory, and is not set
by default.
Key=
Specifies the encryption key used in the transmission
channel. The same key must be configured on the peercqs
matching receive channel. This setting is compulsory,
and is not set by default. Takes a 128-bit key encoded
in a hexadecimal string, for example
"dffafc8d7b9a43d5b9a3dfbbf6a30c16".
KeyFile=
Takes a absolute path to a file which contains a 128-bit
key encoded in a hexadecimal string, which will be used
in the transmission channel. When this option is speci-
fied, Key= is ignored. Note that the file must be read-
able by the user "systemd-network", so it should be,
e.g., owned by "root:systemd-network" with a "0640" file
mode. If the path refers to an AF_UNIX stream socket in
the file system a connection is made to it and the key
read from it.
Activate=
Takes a boolean. If enabled, then the security associa-
tion is activated. Defaults to unset.
UseForEncoding=
Takes a boolean. If enabled, then the security associa-
tion is used for encoding. Only one [MACsecTransmitAsso-
ciation] section can enable this option. When enabled,
Activate=yes is implied. Defaults to unset.
[MACSECRECEIVEASSOCIATION] SECTION OPTIONS
The [MACsecReceiveAssociation] section only applies for net-
work devices of kind "macsec", and accepts the following
keys:
Port=
Accepts the same key as in [MACsecReceiveChannel] sec-
tion.
MACAddress=
Accepts the same key as in [MACsecReceiveChannel] sec-
tion.
PacketNumber=
Accepts the same key as in [MACsecTransmitAssociation]
section.
KeyId=
Accepts the same key as in [MACsecTransmitAssociation]
section.
Page 14 systemd 247 (printed 5/26/22)
SYSTEMD.NETDEV(5) SYSTEMD.NETDEV(5)
Key=
Accepts the same key as in [MACsecTransmitAssociation]
section.
KeyFile=
Accepts the same key as in [MACsecTransmitAssociation]
section.
Activate=
Accepts the same key as in [MACsecTransmitAssociation]
section.
[TUNNEL] SECTION OPTIONS
The [Tunnel] section only applies for netdevs of kind
"ipip", "sit", "gre", "gretap", "ip6gre", "ip6gretap",
"vti", "vti6", "ip6tnl", and "erspan" and accepts the fol-
lowing keys:
Local=
A static local address for tunneled packets. It must be
an address on another interface of this host, or the
special value "any".
Remote=
The remote endpoint of the tunnel. Takes an IP address
or the special value "any".
TOS=
The Type Of Service byte value for a tunnel interface.
For details about the TOS, see the m[blue]Type of Ser-
vice in the Internet Protocol Suitem[][8] document.
TTL=
A fixed Time To Live N on tunneled packets. N is a num-
ber in the range 1en255. 0 is a special value meaning
that packets inherit the TTL value. The default value
for IPv4 tunnels is 0 (inherit). The default value for
IPv6 tunnels is 64.
DiscoverPathMTU=
Takes a boolean. When true, enables Path MTU Discovery
on the tunnel.
IPv6FlowLabel=
Configures the 20-bit flow label (see m[blue]RFC
6437m[][9]) field in the IPv6 header (see m[blue]RFC
2460m[][10]), which is used by a node to label packets
of a flow. It is only used for IPv6 tunnels. A flow
label of zero is used to indicate packets that have not
been labeled. It can be configured to a value in the
range 0en0xFFFFF, or be set to "inherit", in which case
the original flowlabel is used.
Page 15 systemd 247 (printed 5/26/22)
SYSTEMD.NETDEV(5) SYSTEMD.NETDEV(5)
CopyDSCP=
Takes a boolean. When true, the Differentiated Service
Code Point (DSCP) field will be copied to the inner
header from outer header during the decapsulation of an
IPv6 tunnel packet. DSCP is a field in an IP packet that
enables different levels of service to be assigned to
network traffic. Defaults to "no".
EncapsulationLimit=
The Tunnel Encapsulation Limit option specifies how many
additional levels of encapsulation are permitted to be
prepended to the packet. For example, a Tunnel Encapsu-
lation Limit option containing a limit value of zero
means that a packet carrying that option may not enter
another tunnel before exiting the current tunnel. (see
m[blue]RFC 2473m[][11]). The valid range is 0en255 and
"none". Defaults to 4.
Key=
The Key= parameter specifies the same key to use in both
directions (InputKey= and OutputKey=). The Key= is
either a number or an IPv4 address-like dotted quad. It
is used as mark-configured SAD/SPD entry as part of the
lookup key (both in data and control path) in IP XFRM
(framework used to implement IPsec protocol). See
m[blue]ip-xfrm - transform configurationm[][12] for
details. It is only used for VTI/VTI6, GRE, GRETAP, and
ERSPAN tunnels.
InputKey=
The InputKey= parameter specifies the key to use for
input. The format is same as Key=. It is only used for
VTI/VTI6, GRE, GRETAP, and ERSPAN tunnels.
OutputKey=
The OutputKey= parameter specifies the key to use for
output. The format is same as Key=. It is only used for
VTI/VTI6, GRE, GRETAP, and ERSPAN tunnels.
Mode=
An "ip6tnl" tunnel can be in one of three modes "ip6ip6"
for IPv6 over IPv6, "ipip6" for IPv4 over IPv6 or "any"
for either.
Independent=
Takes a boolean. When false (the default), the tunnel is
always created over some network device, and a .network
file that requests this tunnel using Tunnel= is required
for the tunnel to be created. When true, the tunnel is
created independently of any network as "tunnel@NONE".
AssignToLoopback=
Page 16 systemd 247 (printed 5/26/22)
SYSTEMD.NETDEV(5) SYSTEMD.NETDEV(5)
Takes a boolean. If set to "yes", the loopback interface
"lo" is used as the underlying device of the tunnel
interface. Defaults to "no".
AllowLocalRemote=
Takes a boolean. When true allows tunnel traffic on
ip6tnl devices where the remote endpoint is a local host
address. When unset, the kernel's default will be used.
FooOverUDP=
Takes a boolean. Specifies whether FooOverUDP= tunnel is
to be configured. Defaults to false. This takes effects
only for IPIP, SIT, GRE, and GRETAP tunnels. For more
detail information see m[blue]Foo over UDPm[][13]
FOUDestinationPort=
This setting specifies the UDP destination port for
encapsulation. This field is mandatory when
FooOverUDP=yes, and is not set by default.
FOUSourcePort=
This setting specifies the UDP source port for encapsu-
lation. Defaults to 0 - that is, the source port for
packets is left to the network stack to decide.
Encapsulation=
Accepts the same key as in the [FooOverUDP] section.
IPv6RapidDeploymentPrefix=
Reconfigure the tunnel for m[blue]IPv6 Rapid Deploy-
mentm[][14], also known as 6rd. The value is an
ISP-specific IPv6 prefix with a non-zero length. Only
applicable to SIT tunnels.
ISATAP=
Takes a boolean. If set, configures the tunnel as
Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
tunnel. Only applicable to SIT tunnels. When unset, the
kernel's default will be used.
SerializeTunneledPackets=
Takes a boolean. If set to yes, then packets are serial-
ized. Only applies for GRE, GRETAP, and ERSPAN tunnels.
When unset, the kernel's default will be used.
ERSPANIndex=
Specifies the ERSPAN index field for the interface, an
integer in the range 1-1048575 associated with the
ERSPAN traffic's source port and direction. This field
is mandatory.
[FOOOVERUDP] SECTION OPTIONS
Page 17 systemd 247 (printed 5/26/22)
SYSTEMD.NETDEV(5) SYSTEMD.NETDEV(5)
The [FooOverUDP] section only applies for netdevs of kind
"fou" and accepts the following keys:
Encapsulation=
Specifies the encapsulation mechanism used to store net-
working packets of various protocols inside the UDP
packets. Supports the following values: "FooOverUDP"
provides the simplest no-frills model of UDP encapsula-
tion, it simply encapsulates packets directly in the UDP
payload. "GenericUDPEncapsulation" is a generic and
extensible encapsulation, it allows encapsulation of
packets for any IP protocol and optional data as part of
the encapsulation. For more detailed information see
m[blue]Generic UDP Encapsulationm[][15]. Defaults to
"FooOverUDP".
Port=
Specifies the port number where the encapsulated packets
will arrive. Those packets will be removed and manually
fed back into the network stack with the encapsulation
removed to be sent to the real destination. This option
is mandatory.
PeerPort=
Specifies the peer port number. Defaults to unset. Note
that when peer port is set "Peer=" address is mandatory.
Protocol=
The Protocol= specifies the protocol number of the pack-
ets arriving at the UDP port. When
Encapsulation=FooOverUDP, this field is mandatory and is
not set by default. Takes an IP protocol name such as
"gre" or "ipip", or an integer within the range 1-255.
When Encapsulation=GenericUDPEncapsulation, this must
not be specified.
Peer=
Configures peer IP address. Note that when peer address
is set "PeerPort=" is mandatory.
Local=
Configures local IP address.
[PEER] SECTION OPTIONS
The [Peer] section only applies for netdevs of kind "veth"
and accepts the following keys:
Name=
The interface name used when creating the netdev. This
setting is compulsory.
MACAddress=
Page 18 systemd 247 (printed 5/26/22)
SYSTEMD.NETDEV(5) SYSTEMD.NETDEV(5)
The peer MACAddress, if not set, it is generated in the
same way as the MAC address of the main interface.
[VXCAN] SECTION OPTIONS
The [VXCAN] section only applies for netdevs of kind "vxcan"
and accepts the following key:
Peer=
The peer interface name used when creating the netdev.
This setting is compulsory.
[TUN] SECTION OPTIONS
The [Tun] section only applies for netdevs of kind "tun",
and accepts the following keys:
MultiQueue=
Takes a boolean. Configures whether to use multiple file
descriptors (queues) to parallelize packets sending and
receiving. Defaults to "no".
PacketInfo=
Takes a boolean. Configures whether packets should be
prepended with four extra bytes (two flag bytes and two
protocol bytes). If disabled, it indicates that the
packets will be pure IP packets. Defaults to "no".
VNetHeader=
Takes a boolean. Configures IFF_VNET_HDR flag for a tun
or tap device. It allows sending and receiving larger
Generic Segmentation Offload (GSO) packets. This may
increase throughput significantly. Defaults to "no".
User=
User to grant access to the /dev/net/tun device.
Group=
Group to grant access to the /dev/net/tun device.
[TAP] SECTION OPTIONS
The [Tap] section only applies for netdevs of kind "tap",
and accepts the same keys as the [Tun] section.
[WIREGUARD] SECTION OPTIONS
The [WireGuard] section accepts the following keys:
PrivateKey=
The Base64 encoded private key for the interface. It can
be generated using the wg genkey command (see wg(8)).
This option or PrivateKeyFile= is mandatory to use Wire-
Guard. Note that because this information is secret, you
may want to set the permissions of the .netdev file to
be owned by "root:systemd-network" with a "0640" file
Page 19 systemd 247 (printed 5/26/22)
SYSTEMD.NETDEV(5) SYSTEMD.NETDEV(5)
mode.
PrivateKeyFile=
Takes an absolute path to a file which contains the
Base64 encoded private key for the interface. When this
option is specified, then PrivateKey= is ignored. Note
that the file must be readable by the user
"systemd-network", so it should be, e.g., owned by
"root:systemd-network" with a "0640" file mode. If the
path refers to an AF_UNIX stream socket in the file sys-
tem a connection is made to it and the key read from it.
ListenPort=
Sets UDP port for listening. Takes either value between
1 and 65535 or "auto". If "auto" is specified, the port
is automatically generated based on interface name.
Defaults to "auto".
FirewallMark=
Sets a firewall mark on outgoing WireGuard packets from
this interface. Takes a number between 1 and 4294967295.
[WIREGUARDPEER] SECTION OPTIONS
The [WireGuardPeer] section accepts the following keys:
PublicKey=
Sets a Base64 encoded public key calculated by wg pubkey
(see wg(8)) from a private key, and usually transmitted
out of band to the author of the configuration file.
This option is mandatory for this section.
PresharedKey=
Optional preshared key for the interface. It can be gen-
erated by the wg genpsk command. This option adds an
additional layer of symmetric-key cryptography to be
mixed into the already existing public-key cryptography,
for post-quantum resistance. Note that because this
information is secret, you may want to set the permis-
sions of the .netdev file to be owned by
"root:systemd-network" with a "0640" file mode.
PresharedKeyFile=
Takes an absolute path to a file which contains the
Base64 encoded preshared key for the peer. When this
option is specified, then PresharedKey= is ignored. Note
that the file must be readable by the user
"systemd-network", so it should be, e.g., owned by
"root:systemd-network" with a "0640" file mode. If the
path refers to an AF_UNIX stream socket in the file sys-
tem a connection is made to it and the key read from it.
AllowedIPs=
Page 20 systemd 247 (printed 5/26/22)
SYSTEMD.NETDEV(5) SYSTEMD.NETDEV(5)
Sets a comma-separated list of IP (v4 or v6) addresses
with CIDR masks from which this peer is allowed to send
incoming traffic and to which outgoing traffic for this
peer is directed.
The catch-all 0.0.0.0/0 may be specified for matching
all IPv4 addresses, and ::/0 may be specified for match-
ing all IPv6 addresses.
Note that this only affects "routing inside the network
interface itself", as in, which wireguard peer packets
with a specific destination address are sent to, and
what source addresses are accepted from which peer.
To cause packets to be sent via wireguard in first
place, a route needs to be added, as well - either in
the "[Routes]" section on the ".network" matching the
wireguard interface, or outside of networkd.
Endpoint=
Sets an endpoint IP address or hostname, followed by a
colon, and then a port number. This endpoint will be
updated automatically once to the most recent source IP
address and port of correctly authenticated packets from
the peer at configuration time.
PersistentKeepalive=
Sets a seconds interval, between 1 and 65535 inclusive,
of how often to send an authenticated empty packet to
the peer for the purpose of keeping a stateful firewall
or NAT mapping valid persistently. For example, if the
interface very rarely sends traffic, but it might at
anytime receive traffic from a peer, and it is behind
NAT, the interface might benefit from having a persis-
tent keepalive interval of 25 seconds. If set to 0 or
"off", this option is disabled. By default or when
unspecified, this option is off. Most users will not
need this.
[BOND] SECTION OPTIONS
The [Bond] section accepts the following key:
Mode=
Specifies one of the bonding policies. The default is
"balance-rr" (round robin). Possible values are
"balance-rr", "active-backup", "balance-xor", "broad-
cast", "802.3ad", "balance-tlb", and "balance-alb".
TransmitHashPolicy=
Selects the transmit hash policy to use for slave selec-
tion in balance-xor, 802.3ad, and tlb modes. Possible
values are "layer2", "layer3+4", "layer2+3", "encap2+3",
Page 21 systemd 247 (printed 5/26/22)
SYSTEMD.NETDEV(5) SYSTEMD.NETDEV(5)
and "encap3+4".
LACPTransmitRate=
Specifies the rate with which link partner transmits
Link Aggregation Control Protocol Data Unit packets in
802.3ad mode. Possible values are "slow", which requests
partner to transmit LACPDUs every 30 seconds, and
"fast", which requests partner to transmit LACPDUs every
second. The default value is "slow".
MIIMonitorSec=
Specifies the frequency that Media Independent Interface
link monitoring will occur. A value of zero disables MII
link monitoring. This value is rounded down to the near-
est millisecond. The default value is 0.
UpDelaySec=
Specifies the delay before a link is enabled after a
link up status has been detected. This value is rounded
down to a multiple of MIIMonitorSec. The default value
is 0.
DownDelaySec=
Specifies the delay before a link is disabled after a
link down status has been detected. This value is
rounded down to a multiple of MIIMonitorSec. The default
value is 0.
LearnPacketIntervalSec=
Specifies the number of seconds between instances where
the bonding driver sends learning packets to each slave
peer switch. The valid range is 1en0x7fffffff; the
default value is 1. This option has an effect only for
the balance-tlb and balance-alb modes.
AdSelect=
Specifies the 802.3ad aggregation selection logic to
use. Possible values are "stable", "bandwidth" and
"count".
AdActorSystemPriority=
Specifies the 802.3ad actor system priority. Takes a
number in the range 1-65535.
AdUserPortKey=
Specifies the 802.3ad user defined portion of the port
key. Takes a number in the range 0en1023.
AdActorSystem=
Specifies the 802.3ad system MAC address. This cannot be
a null or multicast address.
Page 22 systemd 247 (printed 5/26/22)
SYSTEMD.NETDEV(5) SYSTEMD.NETDEV(5)
FailOverMACPolicy=
Specifies whether the active-backup mode should set all
slaves to the same MAC address at the time of enslave-
ment or, when enabled, to perform special handling of
the bond's MAC address in accordance with the selected
policy. The default policy is none. Possible values are
"none", "active" and "follow".
ARPValidate=
Specifies whether or not ARP probes and replies should
be validated in any mode that supports ARP monitoring,
or whether non-ARP traffic should be filtered (disre-
garded) for link monitoring purposes. Possible values
are "none", "active", "backup" and "all".
ARPIntervalSec=
Specifies the ARP link monitoring frequency. A value of
0 disables ARP monitoring. The default value is 0, and
the default unit seconds.
ARPIPTargets=
Specifies the IP addresses to use as ARP monitoring
peers when ARPIntervalSec is greater than 0. These are
the targets of the ARP request sent to determine the
health of the link to the targets. Specify these values
in IPv4 dotted decimal format. At least one IP address
must be given for ARP monitoring to function. The maxi-
mum number of targets that can be specified is 16. The
default value is no IP addresses.
ARPAllTargets=
Specifies the quantity of ARPIPTargets that must be
reachable in order for the ARP monitor to consider a
slave as being up. This option affects only
active-backup mode for slaves with ARPValidate enabled.
Possible values are "any" and "all".
PrimaryReselectPolicy=
Specifies the reselection policy for the primary slave.
This affects how the primary slave is chosen to become
the active slave when failure of the active slave or
recovery of the primary slave occurs. This option is
designed to prevent flip-flopping between the primary
slave and other slaves. Possible values are "always",
"better" and "failure".
ResendIGMP=
Specifies the number of IGMP membership reports to be
issued after a failover event. One membership report is
issued immediately after the failover, subsequent pack-
ets are sent in each 200ms interval. The valid range is
0en255. Defaults to 1. A value of 0 prevents the IGMP
Page 23 systemd 247 (printed 5/26/22)
SYSTEMD.NETDEV(5) SYSTEMD.NETDEV(5)
membership report from being issued in response to the
failover event.
PacketsPerSlave=
Specify the number of packets to transmit through a
slave before moving to the next one. When set to 0, then
a slave is chosen at random. The valid range is 0en65535.
Defaults to 1. This option only has effect when in
balance-rr mode.
GratuitousARP=
Specify the number of peer notifications (gratuitous
ARPs and unsolicited IPv6 Neighbor Advertisements) to be
issued after a failover event. As soon as the link is up
on the new slave, a peer notification is sent on the
bonding device and each VLAN sub-device. This is
repeated at each link monitor interval (ARPIntervalSec
or MIIMonitorSec, whichever is active) if the number is
greater than 1. The valid range is 0en255. The default
value is 1. These options affect only the active-backup
mode.
AllSlavesActive=
Takes a boolean. Specifies that duplicate frames
(received on inactive ports) should be dropped when
false, or delivered when true. Normally, bonding will
drop duplicate frames (received on inactive ports),
which is desirable for most users. But there are some
times it is nice to allow duplicate frames to be deliv-
ered. The default value is false (drop duplicate frames
received on inactive ports).
DynamicTransmitLoadBalancing=
Takes a boolean. Specifies if dynamic shuffling of flows
is enabled. Applies only for balance-tlb mode. Defaults
to unset.
MinLinks=
Specifies the minimum number of links that must be
active before asserting carrier. The default value is 0.
For more detail information see m[blue]Linux Ethernet Bond-
ing Driver HOWTOm[][1]
[XFRM] SECTION OPTIONS
The [Xfrm] section accepts the following keys:
InterfaceId=
Sets the ID/key of the xfrm interface which needs to be
associated with a SA/policy. Can be decimal or hexadeci-
mal, valid range is 0-0xffffffff, defaults to 0.
Page 24 systemd 247 (printed 5/26/22)
SYSTEMD.NETDEV(5) SYSTEMD.NETDEV(5)
Independent=
Takes a boolean. If false (the default), the xfrm inter-
face must have an underlying device which can be used
for hardware offloading.
For more detail information see m[blue]Virtual XFRM Inter-
facesm[][16].
[VRF] SECTION OPTIONS
The [VRF] section only applies for netdevs of kind "vrf" and
accepts the following key:
Table=
The numeric routing table identifier. This setting is
compulsory.
EXAMPLES
Example 1. /etc/systemd/network/25-bridge.netdev
[NetDev]
Name=bridge0
Kind=bridge
Example 2. /etc/systemd/network/25-vlan1.netdev
[Match]
Virtualization=no
[NetDev]
Name=vlan1
Kind=vlan
[VLAN]
Id=1
Example 3. /etc/systemd/network/25-ipip.netdev
[NetDev]
Name=ipip-tun
Kind=ipip
MTUBytes=1480
[Tunnel]
Local=192.168.223.238
Remote=192.169.224.239
TTL=64
Example 4. /etc/systemd/network/1-fou-tunnel.netdev
[NetDev]
Name=fou-tun
Kind=fou
Page 25 systemd 247 (printed 5/26/22)
SYSTEMD.NETDEV(5) SYSTEMD.NETDEV(5)
[FooOverUDP]
Port=5555
Protocol=4
Example 5. /etc/systemd/network/25-fou-ipip.netdev
[NetDev]
Name=ipip-tun
Kind=ipip
[Tunnel]
Independent=yes
Local=10.65.208.212
Remote=10.65.208.211
FooOverUDP=yes
FOUDestinationPort=5555
Example 6. /etc/systemd/network/25-tap.netdev
[NetDev]
Name=tap-test
Kind=tap
[Tap]
MultiQueue=yes
PacketInfo=yes
Example 7. /etc/systemd/network/25-sit.netdev
[NetDev]
Name=sit-tun
Kind=sit
MTUBytes=1480
[Tunnel]
Local=10.65.223.238
Remote=10.65.223.239
Example 8. /etc/systemd/network/25-6rd.netdev
[NetDev]
Name=6rd-tun
Kind=sit
MTUBytes=1480
[Tunnel]
Local=10.65.223.238
IPv6RapidDeploymentPrefix=2602::/24
Example 9. /etc/systemd/network/25-gre.netdev
Page 26 systemd 247 (printed 5/26/22)
SYSTEMD.NETDEV(5) SYSTEMD.NETDEV(5)
[NetDev]
Name=gre-tun
Kind=gre
MTUBytes=1480
[Tunnel]
Local=10.65.223.238
Remote=10.65.223.239
Example 10. /etc/systemd/network/25-ip6gre.netdev
[NetDev]
Name=ip6gre-tun
Kind=ip6gre
[Tunnel]
Key=123
Example 11. /etc/systemd/network/25-vti.netdev
[NetDev]
Name=vti-tun
Kind=vti
MTUBytes=1480
[Tunnel]
Local=10.65.223.238
Remote=10.65.223.239
Example 12. /etc/systemd/network/25-veth.netdev
[NetDev]
Name=veth-test
Kind=veth
[Peer]
Name=veth-peer
Example 13. /etc/systemd/network/25-bond.netdev
[NetDev]
Name=bond1
Kind=bond
[Bond]
Mode=802.3ad
TransmitHashPolicy=layer3+4
MIIMonitorSec=1s
LACPTransmitRate=fast
Example 14. /etc/systemd/network/25-dummy.netdev
Page 27 systemd 247 (printed 5/26/22)
SYSTEMD.NETDEV(5) SYSTEMD.NETDEV(5)
[NetDev]
Name=dummy-test
Kind=dummy
MACAddress=12:34:56:78:9a:bc
Example 15. /etc/systemd/network/25-vrf.netdev
Create a VRF interface with table 42.
[NetDev]
Name=vrf-test
Kind=vrf
[VRF]
Table=42
Example 16. /etc/systemd/network/25-macvtap.netdev
Create a MacVTap device.
[NetDev]
Name=macvtap-test
Kind=macvtap
Example 17. /etc/systemd/network/25-wireguard.netdev
[NetDev]
Name=wg0
Kind=wireguard
[WireGuard]
PrivateKey=EEGlnEPYJV//kbvvIqxKkQwOiS+UENyPncC4bF46ong=
ListenPort=51820
[WireGuardPeer]
PublicKey=RDf+LSpeEre7YEIKaxg+wbpsNV7du+ktR99uBEtIiCA=
AllowedIPs=fd31:bf08:57cb::/48,192.168.26.0/24
Endpoint=wireguard.example.com:51820
Example 18. /etc/systemd/network/27-xfrm.netdev
[NetDev]
Name=xfrm0
Kind=xfrm
[Xfrm]
Independent=yes
SEE ALSO
systemd(1), systemd-networkd(8), systemd.link(5),
systemd.network(5)
Page 28 systemd 247 (printed 5/26/22)
SYSTEMD.NETDEV(5) SYSTEMD.NETDEV(5)
NOTES
1. Linux Ethernet Bonding Driver HOWTO
https://www.kernel.org/doc/Documentation/networking/bonding.txt
2. RFC 2784
https://tools.ietf.org/html/rfc2784
3. IEEE 802.1Q
http://www.ieee802.org/1/pages/802.1Q.html
4. VRF
https://www.kernel.org/doc/Documentation/networking/vrf.txt
5. (DVOE)
https://en.wikipedia.org/wiki/Distributed_Overlay_Virtual_Ethernet
6. VXLAN Group Policy
https://tools.ietf.org/html/draft-smith-vxlan-group-policy
7. Generic Protocol Extension for VXLAN
https://tools.ietf.org/html/draft-ietf-nvo3-vxlan-gpe-07
8. Type of Service in the Internet Protocol Suite
http://tools.ietf.org/html/rfc1349
9. RFC 6437
https://tools.ietf.org/html/rfc6437
10. RFC 2460
https://tools.ietf.org/html/rfc2460
11. RFC 2473
https://tools.ietf.org/html/rfc2473#section-4.1.1
12. ip-xfrm - transform configuration
http://man7.org/linux/man-pages/man8/ip-xfrm.8.html
13. Foo over UDP
https://lwn.net/Articles/614348
14. IPv6 Rapid Deployment
https://tools.ietf.org/html/rfc5569
15. Generic UDP Encapsulation
https://lwn.net/Articles/615044
16. Virtual XFRM Interfaces
https://lwn.net/Articles/757391
Page 29 systemd 247 (printed 5/26/22)