path: root/man/systemd.network.xml
Diffstat (limited to 'man/systemd.network.xml')
-rw-r--r--man/systemd.network.xml222
1 files changed, 158 insertions, 64 deletions
diff --git a/man/systemd.network.xml b/man/systemd.network.xml
index 629088ea81..5a6383cfc2 100644
--- a/man/systemd.network.xml
+++ b/man/systemd.network.xml
@@ -77,8 +77,8 @@
name in <filename>/usr/lib</filename>. This can be used to
override a system-supplied configuration file with a local file if
needed. As a special case, an empty file (file size 0) or symlink
- with the same name pointing to <filename>/dev/null</filename>,
- disable the configuration file entirely (it is "masked").</para>
+ with the same name pointing to <filename>/dev/null</filename>
+ disables the configuration file entirely (it is "masked").</para>
</refsect1>
<refsect1>
@@ -227,7 +227,14 @@
<literal>yes</literal>, <literal>no</literal>,
<literal>ipv4</literal>, or <literal>ipv6</literal>.</para>
- <para>Please note that by default the domain name
+ <para>Note that DHCPv6 will by default be triggered by Router
+ Advertisement, if that is enabled, regardless of this parameter.
+ By enabling DHCPv6 support explicitly, the DHCPv6 client will
+ be started regardless of the presence of routers on the link,
+ or what flags the routers pass. See
+ <literal>IPv6AcceptRouterAdvertisements=</literal>.</para>
+
+ <para>Furthermore, note that by default the domain name
specified through DHCP is not used for name resolution.
See option <option>UseDomains=</option> below.</para>
</listitem>
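Review bot: the cross-reference in the new DHCPv6 paragraph uses `<literal>IPv6AcceptRouterAdvertisements=</literal>`, while every other setting name in this file is marked up as `<varname>…</varname>`; use `<varname>` so the reference renders consistently with the term it points at. The paragraph also describes two distinct triggers (Router Advertisement versus explicit `DHCP=ipv6`/`yes`), so it would help to say which mode the client runs in for each case, since the two sentences otherwise read as contradicting each other on whether routers matter.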
@@ -263,17 +270,66 @@
<term><varname>IPv6Token=</varname></term>
<listitem>
<para>An IPv6 address with the top 64 bits unset. When set, indicates the
- 64 bits interface part of SLAAC IPv6 addresses for this link. By default
+ 64-bit interface part of SLAAC IPv6 addresses for this link. By default,
it is autogenerated.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>LLMNR=</varname></term>
<listitem>
- <para>A boolean or <literal>resolve</literal>. When true, enables
- Link-Local Multicast Name Resolution on the link, when set to
- <literal>resolve</literal> only resolution is enabled, but not
- announcement. Defaults to true.</para>
+ <para>A boolean or <literal>resolve</literal>. When true,
+ enables <ulink
+ url="https://tools.ietf.org/html/rfc4795">Link-Local
+ Multicast Name Resolution</ulink> on the link. When set to
+ <literal>resolve</literal>, only resolution is enabled,
+ but not host registration and announcement. Defaults to
+ true. This setting is read by
+ <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>MulticastDNS=</varname></term>
+ <listitem>
+ <para>A boolean or <literal>resolve</literal>. When true,
+ enables <ulink
+ url="https://tools.ietf.org/html/rfc6762">Multicast
+ DNS</ulink> support on the link. When set to
+ <literal>resolve</literal>, only resolution is enabled,
+ but not host or service registration and
+ announcement. Defaults to false. This setting is read by
+ <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>DNSSEC=</varname></term>
+ <listitem>
+ <para>A boolean or
+ <literal>allow-downgrade</literal>. When true, enables
+ <ulink
+ url="https://tools.ietf.org/html/rfc4033">DNSSEC</ulink>
+ DNS validation support on the link. When set to
+ <literal>allow-downgrade</literal>, compatibility with
+ non-DNSSEC capable networks is increased, by automatically
+ turning off DNSEC in this case. This option defines a
+ per-interface setting for
+ <citerefentry><refentrytitle>resolved.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>'s
+ global <varname>DNSSEC=</varname> option. Defaults to
+ false. This setting is read by
+ <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>DNSSECNegativeTrustAnchors=</varname></term>
+ <listitem><para>A space-separated list of DNSSEC negative
+ trust anchor domains. If specified and DNSSEC is enabled,
+ look-ups done via the interface's DNS server will be subject
+ to the list of negative trust anchors, and not require
+ authentication for the specified domains, or anything below
+ it. Use this to disable DNSSEC authentication for specific
+ private domains, that cannot be proven valid using the
+ Internet DNS hierarchy. Defaults to the empty list. This
+ setting is read by
+ <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
</listitem>
</varlistentry>
<varlistentry>
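Review bot: in the `DNSSEC=` entry, "turning off DNSEC in this case" misspells DNSSEC, and "non-DNSSEC capable networks" should be hyphenated as "non-DNSSEC-capable networks". More importantly, "Defaults to false" sits next to "defines a per-interface setting for resolved.conf's global DNSSEC= option", which leaves it unclear whether an unset per-link value falls back to the global resolved.conf value or forces validation off for that link; please state the fallback explicitly. Since `allow-downgrade` switches validation off automatically when the network looks non-DNSSEC-capable, the text should also say plainly that this mode trades away the validation guarantee on such networks, so administrators can decide per link. In the `DNSSECNegativeTrustAnchors=` entry, "or anything below it" should be "or anything below them", and the comma in "private domains, that cannot be proven" should be dropped.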
@@ -339,52 +395,54 @@
<para>A DNS server address, which must be in the format
described in
<citerefentry project='man-pages'><refentrytitle>inet_pton</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
- This option may be specified more than once.</para>
+ This option may be specified more than once. This setting is read by
+ <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>Domains=</varname></term>
<listitem>
- <para>The domains used for DNS resolution over this link.</para>
+ <para>The domains used for DNS resolution over this link. This setting is read by
+ <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>NTP=</varname></term>
<listitem>
- <para>An NTP server address. This option may be specified more than once.</para>
+ <para>An NTP server address. This option may be specified more than once. This setting is read by
+ <citerefentry><refentrytitle>systemd-timesyncd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>IPForward=</varname></term>
- <listitem><para>Configures IP forwarding for the network
- interface. If enabled incoming packets on the network
- interface will be forwarded to other interfaces according to
- the routing table. Takes either a boolean argument, or the
- values <literal>ipv4</literal> or <literal>ipv6</literal>,
- which only enables IP forwarding for the specified address
- family, or <literal>kernel</literal>, which preserves existing sysctl settings.
- This controls the
- <filename>net.ipv4.conf.&lt;interface&gt;.forwarding</filename>
- and
- <filename>net.ipv6.conf.&lt;interface&gt;.forwarding</filename>
- sysctl options of the network interface (see <ulink
+ <listitem><para>Configures IP packet forwarding for the
+ system. If enabled, incoming packets on any network
+ interface will be forwarded to any other interfaces
+ according to the routing table. Takes either a boolean
+ argument, or the values <literal>ipv4</literal> or
+ <literal>ipv6</literal>, which only enable IP packet
+ forwarding for the specified address family. This controls
+ the <filename>net.ipv4.ip_forward</filename> and
+ <filename>net.ipv6.conf.all.forwarding</filename> sysctl
+ options of the network interface (see <ulink
url="https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt">ip-sysctl.txt</ulink>
for details about sysctl options). Defaults to
<literal>no</literal>.</para>
- <para>Note: unless this option is turned on, or set to <literal>kernel</literal>,
- no IP forwarding is done on this interface, even if this is
- globally turned on in the kernel, with the
- <filename>net.ipv4.ip_forward</filename>,
- <filename>net.ipv4.conf.all.forwarding</filename>, and
- <filename>net.ipv6.conf.all.forwarding</filename> sysctl
- options.</para>
+ <para>Note: this setting controls a global kernel option,
+ and does so one way only: if a network that has this setting
+ enabled is set up the global setting is turned on. However,
+ it is never turned off again, even after all networks with
+ this setting enabled are shut down again.</para>
+
+ <para>To allow IP packet forwarding only between specific
+ network interfaces use a firewall.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>IPMasquerade=</varname></term>
<listitem><para>Configures IP masquerading for the network
- interface. If enabled packets forwarded from the network
+ interface. If enabled, packets forwarded from the network
interface will be appear as coming from the local host.
Takes a boolean argument. Implies
<varname>IPForward=ipv4</varname>. Defaults to
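Review bot: the three new "This setting is read by …" sentences for `DNS=`, `Domains=` and `NTP=` end the `<citerefentry>` without a full stop before `</para>`, unlike the same sentence in the `LLMNR=` and `MulticastDNS=` entries; add the period. In the rewritten `IPForward=` text, "sysctl options of the network interface" is left over from the old per-interface wording and is now wrong, since `net.ipv4.ip_forward` and `net.ipv6.conf.all.forwarding` are system-wide; say "sysctl options" only. The old text documented a `kernel` value that preserved existing sysctl settings and the new text silently drops it; if the parser still accepts `kernel`, document it, and if it was removed, say so in the commit message so existing configurations are not surprised. The one-way global note is the right caveat to add given that the setting is now global and sticky, and the firewall sentence is the correct mitigation; consider also fixing "will be appear as coming from" in the unchanged `IPMasquerade=` context to "will appear as coming from".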
@@ -398,21 +456,48 @@
Privacy Extensions for Stateless Address Autoconfiguration
in IPv6). Takes a boolean or the special values
<literal>prefer-public</literal> and
- <literal>kernel</literal>. When true enables the privacy
+ <literal>kernel</literal>. When true, enables the privacy
extensions and prefers temporary addresses over public
- addresses. When <literal>prefer-public</literal> enables the
+ addresses. When <literal>prefer-public</literal>, enables the
privacy extensions, but prefers public addresses over
temporary addresses. When false, the privacy extensions
- remain disabled. When <literal>kernel</literal> the kernel's
+ remain disabled. When <literal>kernel</literal>, the kernel's
default setting will be left in place. Defaults to
<literal>no</literal>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>IPv6AcceptRouterAdvertisements=</varname></term>
- <listitem><para>Configures Accept Router Advertisements.
- This is enabled if local forwarding is disabled.
- Disabled if local forwarding is enabled.
- Takes a boolean. Defaults to unset.
+ <listitem><para>Force the setting of the <filename>accept_ra</filename>
+ (router advertisements) setting for the interface.
+ When unset, the kernel default is used, and router
+ advertisements are accepted only when local forwarding
+ is disabled for that interface.
+ When router advertisements are accepted, they will
+ trigger the start of the DHCPv6 client if the relevant
+ flags are passed, or if no routers are found on the link.
+ Takes a boolean. If true, router advertisements are
+ accepted, when false, router advertisements are ignored,
+ independently of the local forwarding state.</para>
+
+ <para>See
+ <ulink url="https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt">ip-sysctl.txt</ulink>
+ in the kernel documentation, but note that systemd's
+ setting of <constant>1</constant> corresponds to
+ kernel's setting of <constant>2</constant>.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>IPv6DuplicateAddressDetection=</varname></term>
+ <listitem><para>Configures the amount of IPv6 Duplicate
+ Address Detection (DAD) probes to send. Defaults to unset.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>IPv6HopLimit=</varname></term>
+ <listitem><para>Configures IPv6 Hop Limit. For each router that
+ forwards the packet, the hop limit is decremented by 1. When the
+ hop limit field reaches zero, the packet is discarded.
+ Defaults to unset.
</para></listitem>
</varlistentry>
<varlistentry>
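Review bot: the new `IPv6AcceptRouterAdvertisements=` sentence "they will trigger the start of the DHCPv6 client if the relevant flags are passed, or if no routers are found on the link" cannot both depend on an accepted advertisement and on no routers being found; it also disagrees with the DHCPv6 paragraph added earlier in this patch, which says explicit `DHCP=` starts the client regardless of routers or flags. Please reword so the two descriptions match. "Force the setting of the `accept_ra` (router advertisements) setting" repeats "setting"; "Forces the `accept_ra` (router advertisements) sysctl for the interface" reads better. The remark that systemd's `1` maps to the kernel's `2` is worth spelling out: kernel value 2 accepts advertisements even when forwarding is enabled, which is exactly the "independently of the local forwarding state" behaviour described, and readers auditing a router's sysctl state will want to know that. For `IPv6DuplicateAddressDetection=` use "the number of … probes" rather than "the amount of", and for both it and `IPv6HopLimit=` say what "unset" means (presumably the kernel default is left in place).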
@@ -519,7 +604,7 @@
<term><varname>Destination=</varname></term>
<listitem>
<para>The destination prefix of the route. Possibly
- followed by a slash and the prefixlength. If omitted, a
+ followed by a slash and the prefix length. If omitted, a
full-length host route is assumed.</para>
</listitem>
</varlistentry>
@@ -527,24 +612,32 @@
<term><varname>Source=</varname></term>
<listitem>
<para>The source prefix of the route. Possibly followed by
- a slash and the prefixlength. If omitted, a full-length
+ a slash and the prefix length. If omitted, a full-length
host route is assumed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>Metric=</varname></term>
<listitem>
- <para>The metric of the route. An unsigned integer</para>
+ <para>The metric of the route (an unsigned integer).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>Scope=</varname></term>
<listitem>
- <para>The scope of the route. One of the values <literal>global</literal>,
+ <para>The scope of the route, which can be <literal>global</literal>,
<literal>link</literal> or <literal>host</literal>. Defaults to
<literal>global</literal>.</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>PreferredSource=</varname></term>
+ <listitem>
+ <para>The preferred source address of the route. The address
+ must be in the format described in
+ <citerefentry project='man-pages'><refentrytitle>inet_pton</refentrytitle><manvolnum>3</manvolnum></citerefentry>.</para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
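Review bot: the new `PreferredSource=` entry does not say what happens when it is omitted; the neighbouring `Scope=` entry ends with "Defaults to …", so add an equivalent sentence (for example that the kernel then selects the source address) to keep the entries parallel.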
@@ -624,7 +717,7 @@
<listitem>
<para>When true (the default), the static routes will be
requested from the DHCP server and added to the routing
- table with metric of 1024.</para>
+ table with a metric of 1024.</para>
</listitem>
</varlistentry>
@@ -632,7 +725,7 @@
<term><varname>UseTimezone=</varname></term>
<listitem><para>When true, the timezone received from the
- DHCP server will be set as as timezone of the local
+ DHCP server will be set as timezone of the local
system. Defaults to <literal>no</literal>.</para></listitem>
</varlistentry>
@@ -701,7 +794,7 @@
address. <varname>PoolOffset=</varname> takes the offset of the pool
from the start of subnet, or zero to use the default value.
<varname>PoolSize=</varname> takes the number of IP addresses in the
- pool or zero to use the default value. By default the pool starts at
+ pool or zero to use the default value. By default, the pool starts at
the first address after the subnet address and takes up the rest of
the subnet, excluding the broadcast address. If the pool includes
the server address (the default), this is reserved and not handed
@@ -717,7 +810,7 @@
another common time unit, depending on the suffix. The default
lease time is used for clients that did not ask for a specific
lease time. If a client asks for a lease time longer than the
- maximum lease time it is automatically shortened to the
+ maximum lease time, it is automatically shortened to the
specified time. The default lease time defaults to 1h, the
maximum lease time to 12h. Shorter lease times are beneficial
if the configuration data in DHCP leases changes frequently
@@ -737,7 +830,7 @@
pass to clients may be configured with the
<varname>DNS=</varname> option, which takes a list of IPv4
addresses. If the <varname>EmitDNS=</varname> option is
- enabled but no servers configured the servers are
+ enabled but no servers configured, the servers are
automatically propagated from an "uplink" interface that has
appropriate servers set. The "uplink" interface is determined
by the default route of the system with the highest
@@ -746,9 +839,9 @@
into account that acquire DNS or NTP server information at a
later point. DNS server propagation does not take
<filename>/etc/resolv.conf</filename> into account. Also, note
- that the leases are not refreshed if uplink network
+ that the leases are not refreshed if the uplink network
configuration changes. To ensure clients regularly acquire the
- most current uplink DNS server information it is thus
+ most current uplink DNS server information, it is thus
advisable to shorten the DHCP lease time via
<varname>MaxLeaseTimeSec=</varname> described
above.</para></listitem>
@@ -759,7 +852,7 @@
<term><varname>NTP=</varname></term>
<listitem><para>Similar to the <varname>EmitDNS=</varname> and
- <varname>DNS=</varname> settings described above these
+ <varname>DNS=</varname> settings described above, these
settings configure whether and what NTP server information
shall be emitted as part of the DHCP lease. The same syntax,
propagation semantics and defaults apply as for
@@ -778,7 +871,7 @@
<varname>Timezone=</varname> setting takes a timezone string
(such as <literal>Europe/Berlin</literal> or
<literal>UTC</literal>) to pass to clients. If no explicit
- timezone is set the system timezone of the local host is
+ timezone is set, the system timezone of the local host is
propagated, as determined by the
<filename>/etc/localtime</filename> symlink.</para></listitem>
</varlistentry>
@@ -820,7 +913,7 @@
<term><varname>FastLeave=</varname></term>
<listitem>
<para>A boolean. This flag allows the bridge to immediately stop multicast
- traffic on a port that receives IGMP Leave message. It is only used with
+ traffic on a port that receives an IGMP Leave message. It is only used with
IGMP snooping if enabled on the bridge. Defaults to off.</para>
</listitem>
</varlistentry>
@@ -836,7 +929,7 @@
<term><varname>Cost=</varname></term>
<listitem>
<para>Sets the "cost" of sending packets of this interface.
- Each port in a bridge may have different speed and the cost
+ Each port in a bridge may have a different speed and the cost
is used to decide which link to use. Faster interfaces
should have lower costs.</para>
</listitem>
@@ -861,8 +954,8 @@
<varlistentry>
<term><varname>VLANId=</varname></term>
<listitem>
- <para>The VLAN Id for the new static MAC table entry. If
- omitted, no VLAN Id info is appended to the new static MAC
+ <para>The VLAN ID for the new static MAC table entry. If
+ omitted, no VLAN ID info is appended to the new static MAC
table entry.</para>
</listitem>
</varlistentry>
@@ -893,7 +986,7 @@ DHCP=yes</programlisting>
</example>
<example>
- <title>/etc/systemd/network/bridge-static.network</title>
+ <title>/etc/systemd/network/25-bridge-static.network</title>
<programlisting>[Match]
Name=bridge0
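Review bot: the example file names gain a `25-` prefix without the surrounding text explaining the convention; a sentence noting that the numeric prefix controls the lexical processing order of `.network` files would tell readers why the prefix is there. Several later examples (ipip, sit, gre, vti) all match `Name=em1`, so it is worth saying in the examples section that they are alternatives and not meant to be installed together.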
@@ -905,7 +998,7 @@ DNS=192.168.0.1</programlisting>
</example>
<example>
- <title>/etc/systemd/network/bridge-slave-interface.network</title>
+ <title>/etc/systemd/network/25-bridge-slave-interface.network</title>
<programlisting>[Match]
Name=enp2s0
@@ -914,7 +1007,7 @@ Name=enp2s0
Bridge=bridge0</programlisting>
</example>
<example>
- <title>/etc/systemd/network/ipip.network</title>
+ <title>/etc/systemd/network/25-ipip.network</title>
<programlisting>[Match]
Name=em1
@@ -924,7 +1017,7 @@ Tunnel=ipip-tun</programlisting>
</example>
<example>
- <title>/etc/systemd/network/sit.network</title>
+ <title>/etc/systemd/network/25-sit.network</title>
<programlisting>[Match]
Name=em1
@@ -934,7 +1027,7 @@ Tunnel=sit-tun</programlisting>
</example>
<example>
- <title>/etc/systemd/network/gre.network</title>
+ <title>/etc/systemd/network/25-gre.network</title>
<programlisting>[Match]
Name=em1
@@ -944,7 +1037,7 @@ Tunnel=gre-tun</programlisting>
</example>
<example>
- <title>/etc/systemd/network/vti.network</title>
+ <title>/etc/systemd/network/25-vti.network</title>
<programlisting>[Match]
Name=em1
@@ -954,7 +1047,7 @@ Tunnel=vti-tun</programlisting>
</example>
<example>
- <title>/etc/systemd/network/bond.network</title>
+ <title>/etc/systemd/network/25-bond.network</title>
<programlisting>[Match]
Name=bond1
@@ -970,9 +1063,10 @@ DHCP=yes
<title>See Also</title>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd-networkd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.link</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd.netdev</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>systemd.netdev</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
</para>
</refsect1>
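Review bot: the See Also list now adds `systemd-resolved.service(8)` because several settings say they are read by it, but the `NTP=` entry in this same patch says it is read by `systemd-timesyncd.service(8)`, which is not added; include it here as well for consistency.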