Diffstat (limited to 'man/man8/ip-link.8.in')
-rw-r--r-- | man/man8/ip-link.8.in | 3030 |
1 files changed, 3030 insertions, 0 deletions
diff --git a/man/man8/ip-link.8.in b/man/man8/ip-link.8.in
new file mode 100644
index 0000000..31e2d7f
--- /dev/null
+++ b/man/man8/ip-link.8.in
@@ -0,0 +1,3030 @@
+.TH IP\-LINK 8 "13 Dec 2012" "iproute2" "Linux"
+.SH "NAME"
+ip-link \- network device configuration
+.SH "SYNOPSIS"
+.sp
+.ad l
+.in +8
+.ti -8
+.B ip link
+.RI " { " COMMAND " | "
+.BR help " }"
+.sp
+
+.ti -8
+.BI "ip link add"
+.RB "[ " link
+.IR DEVICE " ]"
+.RB "[ " name " ]"
+.I NAME
+.br
+.RB "[ " txqueuelen
+.IR PACKETS " ]"
+.br
+.RB "[ " address
+.IR LLADDR " ]"
+.RB "[ " broadcast
+.IR LLADDR " ]"
+.br
+.RB "[ " mtu
+.IR MTU " ]"
+.RB "[ " index
+.IR IDX " ]"
+.br
+.RB "[ " numtxqueues
+.IR QUEUE_COUNT " ]"
+.RB "[ " numrxqueues
+.IR QUEUE_COUNT " ]"
+.br
+.RB "[ " gso_max_size
+.IR BYTES " ]"
+.RB "[ " gso_ipv4_max_size
+.IR BYTES " ]"
+.RB "[ " gso_max_segs
+.IR SEGMENTS " ]"
+.br
+.RB "[ " gro_max_size
+.IR BYTES " ]"
+.RB "[ " gro_ipv4_max_size
+.IR BYTES " ]"
+.br
+.RB "[ " netns " {"
+.IR PID " | " NETNSNAME " | " NETNSFILE " } ]"
+.br
+.BI type " TYPE"
+.RI "[ " ARGS " ]"
+
+.ti -8
+.BR "ip link delete " {
+.IR DEVICE " | "
+.BI "group " GROUP
+}
+.BI type " TYPE"
+.RI "[ " ARGS " ]"
+
+.ti -8
+.BR "ip link set " {
+.IR DEVICE " | "
+.BI "group " GROUP
+}
+.br
+.RB "[ { " up " | " down " } ]"
+.br
+.RB "[ " type
+.IR "ETYPE TYPE_ARGS" " ]"
+.br
+.RB "[ " arp " { " on " | " off " } ]"
+.br
+.RB "[ " dynamic " { " on " | " off " } ]"
+.br
+.RB "[ " multicast " { " on " | " off " } ]"
+.br
+.RB "[ " allmulticast " { " on " | " off " } ]"
+.br
+.RB "[ " promisc " { " on " | " off " } ]"
+.br
+.RB "[ " protodown " { " on " | " off " } ]"
+.br
+.RB "[ " protodown_reason
+.IR PREASON " { " on " | " off " } ]"
+.br
+.RB "[ " trailers " { " on " | " off " } ]"
+.br
+.RB "[ " txqueuelen
+.IR PACKETS " ]"
+.br
+.RB "[ " gso_max_size
+.IR BYTES " ]"
+.RB "[ " gso_ipv4_max_size
+.IR BYTES " ]"
+.RB "[ " gso_max_segs
+.IR SEGMENTS " ]"
+.br
+.RB "[ " gro_max_size
+.IR BYTES " ]"
+.RB "[ " gro_ipv4_max_size
+.IR BYTES " ]"
+.br
+.RB "[ " name
+.IR NEWNAME " ]"
+.br
+.RB "[ " address
+.IR LLADDR " ]"
+.br
+.RB "[ " broadcast
+.IR LLADDR " ]"
+.br
+.RB "[ " mtu
+.IR MTU " ]"
+.br
+.RB "[ " netns " {"
+.IR PID " | " NETNSNAME " | " NETNSFILE " } ]"
+.br
+.RB "[ " link-netnsid
+.IR ID " ]"
+.br
+.RB "[ " alias
+.IR NAME " ]"
+.br
+.RB "[ " vf
+.IR NUM " ["
+.B mac
+.IR LLADDR " ]"
+.br
+.in +9
+.RI "[ " VFVLAN-LIST " ]"
+.br
+.RB "[ " rate
+.IR TXRATE " ]"
+.br
+.RB "[ " max_tx_rate
+.IR TXRATE " ]"
+.br
+.RB "[ " min_tx_rate
+.IR TXRATE " ]"
+.br
+.RB "[ " spoofchk " { " on " | " off " } ]"
+.br
+.RB "[ " query_rss " { " on " | " off " } ]"
+.br
+.RB "[ " state " { " auto " | " enable " | " disable " } ]"
+.br
+.RB "[ " trust " { " on " | " off " } ]"
+.br
+.RB "[ " node_guid " eui64 ]"
+.br
+.RB "[ " port_guid " eui64 ] ]"
+.br
+.in -9
+.RB "[ { " xdp " | " xdpgeneric " | " xdpdrv " | " xdpoffload " } { " off " | "
+.br
+.in +8
+.BR object
+.IR FILE
+.RB "[ { " section " | " program " } "
+.IR NAME " ]"
+.RB "[ " verbose " ] |"
+.br
+.BR pinned
+.IR FILE " } ]"
+.br
+.in -8
+.RB "[ " master
+.IR DEVICE " ]"
+.br
+.RB "[ " nomaster " ]"
+.br
+.RB "[ " vrf
+.IR NAME " ]"
+.br
+.RB "[ " addrgenmode " { " eui64 " | " none " | " stable_secret " | " random " } ]"
+.br
+.RB "[ " macaddr
+.RI "[ " MACADDR " ]"
+.br
+.in +10
+.RB "[ { " flush " | " add " | " del " } "
+.IR MACADDR " ]"
+.br
+.RB "[ " set
+.IR MACADDR " ] ]"
+.br
+
+.ti -8
+.B ip link show
+.RI "[ " DEVICE " | "
+.B group
+.IR GROUP " ] ["
+.BR up " ] ["
+.B master
+.IR DEVICE " ] ["
+.B type
+.IR ETYPE " ] ["
+.B vrf
+.IR NAME " ] ["
+.BR nomaster " ]"
+
+.ti -8
+.B ip link xstats
+.BI type " TYPE"
+.RI "[ " ARGS " ]"
+
+.ti -8
+.B ip link afstats
+.RB "[ " dev
+.IR DEVICE " ]"
+
+.ti -8
+.B ip link help
+.RI "[ " TYPE " ]"
+
+.ti -8
+.IR TYPE " := [ "
+.BR amt " | "
+.BR bareudp " |"
+.BR bond " | "
+.BR bridge " | "
+.BR can " | "
+.BR dsa " | "
+.BR dummy " | "
+.BR erspan " |"
+.BR geneve " |"
+.BR gre " |"
+.BR gretap " |"
+.BR gtp " |"
+.BR hsr " | "
+.BR ifb " | "
+.BR ip6erspan " |"
+.BR ip6gre " |"
+.BR ip6gretap " |"
+.BR ip6tnl " |"
+.BR ipip " |"
+.BR ipoib " |"
+.BR ipvlan " |"
+.BR ipvtap " |"
+.BR lowpan " |"
+.BR macsec " |"
+.BR macvlan " | "
+.BR macvtap " | "
+.BR netdevsim " |"
+.BR netkit " |"
+.BR nlmon " |"
+.BR rmnet " |"
+.BR sit " |"
+.BR vcan " | "
+.BR veth " | "
+.BR virt_wifi " |"
+.BR vlan " | "
+.BR vrf " |"
+.BR vti " |"
+.BR vxcan " | "
+.BR vxlan " |"
+.BR xfrm " ]"
+
+.ti -8
+.IR ETYPE " := [ " TYPE " |"
+.BR bridge_slave " | " bond_slave " ]"
+
+.ti -8
+.IR VFVLAN-LIST " := [ " VFVLAN-LIST " ] " VFVLAN
+
+.ti -8
+.IR VFVLAN " := "
+.RB "[ " vlan
+.IR VLANID " [ "
+.B qos
+.IR VLAN-QOS " ] ["
+.B proto
+.IR VLAN-PROTO " ] ]"
+.in -8
+
+.ti -8
+.BI "ip link property add dev " DEVICE
+.RB "[ " altname
+.IR NAME " .. ]"
+
+.ti -8
+.BI "ip link property del dev " DEVICE
+.RB "[ " altname
+.IR NAME " .. ]"
+
+.SH "DESCRIPTION"
+.SS ip link add - add virtual link
+
+.TP
+.BI link " DEVICE "
+specifies the physical device to act operate on.
+
+.I NAME
+specifies the name of the new virtual device.
+
+.I TYPE
+specifies the type of the new device.
+.sp
+Link types:
+
+.in +8
+.BR amt
+- Automatic Multicast Tunneling (AMT)
+.sp
+.BR bareudp
+- Bare UDP L3 encapsulation support
+.sp
+.B bond
+- Bonding device
+.sp
+.B bridge
+- Ethernet Bridge device
+.sp
+.B can
+- Controller Area Network
+.sp
+.B dsa
+- Distributed Switch Architecture
+.sp
+.B dummy
+- Dummy network interface
+.sp
+.BR erspan
+- Encapsulated Remote SPAN over GRE and IPv4
+.sp
+.B geneve
+- GEneric NEtwork Virtualization Encapsulation
+.sp
+.B gre
+- Virtual tunnel interface GRE over IPv4
+.sp
+.BR gretap
+- Virtual L2 tunnel interface GRE over IPv4
+.sp
+.BR gtp
+- GPRS Tunneling Protocol
+.sp
+.B hsr
+- High-availability Seamless Redundancy device
+.sp
+.B ifb
+- Intermediate Functional Block device
+.sp
+.BR ip6erspan
+- Encapsulated Remote SPAN over GRE and IPv6
+.sp
+.BR ip6gre
+- Virtual tunnel interface GRE over IPv6
+.sp
+.BR ip6gretap
+- Virtual L2 tunnel interface GRE over IPv6
+.sp
+.BR ip6tnl
+- Virtual tunnel interface IPv4|IPv6 over IPv6
+.sp
+.BR ipip
+- Virtual tunnel interface IPv4 over IPv4
+.sp
+.B ipoib
+- IP over Infiniband device
+.sp
+.BR ipvlan
+- Interface for L3 (IPv6/IPv4) based VLANs
+.sp
+.BR ipvtap
+- Interface for L3 (IPv6/IPv4) based VLANs and TAP
+.sp
+.BR lowpan
+- Interface for 6LoWPAN (IPv6) over IEEE 802.15.4 / Bluetooth
+.sp
+.BR macsec
+- Interface for IEEE 802.1AE MAC Security (MACsec)
+.sp
+.B macvlan
+- Virtual interface base on link layer address (MAC)
+.sp
+.B macvtap
+- Virtual interface based on link layer address (MAC) and TAP.
+.sp
+.BR netdevsim
+- Interface for netdev API tests
+.sp
+.BR netkit
+- BPF-programmable network device
+.sp
+.BR nlmon
+- Netlink monitoring device
+.sp
+.BR rmnet
+- Qualcomm rmnet device
+.sp
+.BR sit
+- Virtual tunnel interface IPv6 over IPv4
+.sp
+.B vcan
+- Virtual Controller Area Network interface
+.sp
+.B veth
+- Virtual ethernet interface
+.sp
+.BR virt_wifi
+- rtnetlink wifi simulation device
+.sp
+.BR vlan
+- 802.1q tagged virtual LAN interface
+.sp
+.BR vrf
+- Interface for L3 VRF domains
+.sp
+.BR vti
+- Virtual tunnel interface
+.sp
+.B vxcan
+- Virtual Controller Area Network tunnel interface
+.sp
+.BR vxlan
+- Virtual eXtended LAN
+.sp
+.BR xfrm
+- Virtual xfrm interface
+.sp
+.in -8
+
+.TP
+.BI numtxqueues " QUEUE_COUNT "
+specifies the number of transmit queues for new device.
+
+.TP
+.BI numrxqueues " QUEUE_COUNT "
+specifies the number of receive queues for new device.
+
+.TP
+.BI gso_max_size " BYTES "
+specifies the recommended maximum size of a Generic Segment Offload
+packet the new device should accept. This is also used to enable BIG
+TCP for IPv6 on this device when the size is greater than 65536.
+
+.TP
+.BI gso_ipv4_max_size " BYTES "
+specifies the recommended maximum size of a IPv4 Generic Segment Offload
+packet the new device should accept. This is especially used to enable
+BIG TCP for IPv4 on this device by setting to a size greater than 65536.
+Note that
+.B gso_max_size
+needs to be set to a size greater than or equal to
+.B gso_ipv4_max_size
+to really enable BIG TCP for IPv4.
+
+.TP
+.BI gso_max_segs " SEGMENTS "
+specifies the recommended maximum number of a Generic Segment Offload
+segments the new device should accept.
+
+.TP
+.BI gro_max_size " BYTES "
+specifies the maximum size of a packet built by GRO stack on this
+device. This is also used for BIG TCP to allow the size of a
+merged IPv6 GSO packet on this device greater than 65536.
+
+.TP
+.BI gro_ipv4_max_size " BYTES "
+specifies the maximum size of a IPv4 packet built by GRO stack on this
+device. This is especially used for BIG TCP to allow the size of a
+merged IPv4 GSO packet on this device greater than 65536.
+
+.TP
+.BI index " IDX "
+specifies the desired index of the new virtual device. The link
+creation fails, if the index is busy.
+
+.TP
+.B netns
+.RI "{ " PID " | " NETNSNAME " | " NETNSFILE " }"
+.br
+create the device in the network namespace associated with process
+.IR "PID " or
+the name
+.IR "NETNSNAME " or
+the file
+.IR "NETNSFILE".
+
+.TP
+VLAN Type Support
+For a link of type
+.I VLAN
+the following additional arguments are supported:
+
+.BI "ip link add
+.BI link " DEVICE "
+.BI name " NAME "
+.B "type vlan"
+[
+.BI protocol " VLAN_PROTO "
+]
+.BI id " VLANID "
+[
+.BR reorder_hdr " { " on " | " off " } "
+]
+[
+.BR gvrp " { " on " | " off " } "
+]
+[
+.BR mvrp " { " on " | " off " } "
+]
+[
+.BR loose_binding " { " on " | " off " } "
+]
+[
+.BR bridge_binding " { " on " | " off " } "
+]
+[
+.BI ingress-qos-map " QOS-MAP "
+]
+[
+.BI egress-qos-map " QOS-MAP "
+]
+
+.in +8
+.sp
+.BI protocol " VLAN_PROTO "
+- either 802.1Q or 802.1ad.
+
+.BI id " VLANID "
+- specifies the VLAN Identifier to use. Note that numbers with a leading " 0 " or " 0x " are interpreted as octal or hexadecimal, respectively.
+
+.BR reorder_hdr " { " on " | " off " } "
+- specifies whether ethernet headers are reordered or not (default is
+.BR on ")."
+
+.in +4
+If
+.BR reorder_hdr " is " on
+then VLAN header will be not inserted immediately but only before
+passing to the physical device (if this device does not support VLAN
+offloading), the similar on the RX direction - by default the packet
+will be untagged before being received by VLAN device. Reordering
+allows one to accelerate tagging on egress and to hide VLAN header on
+ingress so the packet looks like regular Ethernet packet, at the same
+time it might be confusing for packet capture as the VLAN header does
+not exist within the packet.
+
+VLAN offloading can be checked by
+.BR ethtool "(8):"
+.in +4
+.sp
+.B ethtool -k
+<phy_dev> |
+.RB grep " tx-vlan-offload"
+.sp
+.in -4
+where <phy_dev> is the physical device to which VLAN device is bound.
+.in -4
+
+.BR gvrp " { " on " | " off " } "
+- specifies whether this VLAN should be registered using GARP VLAN
+Registration Protocol.
+
+.BR mvrp " { " on " | " off " } "
+- specifies whether this VLAN should be registered using Multiple VLAN
+Registration Protocol.
+
+.BR loose_binding " { " on " | " off " } "
+- specifies whether the VLAN device state is bound to the physical device state.
+
+.BR bridge_binding " { " on " | " off " } "
+- specifies whether the VLAN device link state tracks the state of bridge ports
+that are members of the VLAN.
+
+.BI ingress-qos-map " QOS-MAP "
+- defines a mapping of VLAN header prio field to the Linux internal packet
+priority on incoming frames. The format is FROM:TO with multiple mappings
+separated by spaces.
+
+.BI egress-qos-map " QOS-MAP "
+- defines a mapping of Linux internal packet priority to VLAN header prio field
+but for outgoing frames. The format is the same as for ingress-qos-map.
+.in +4
+
+Linux packet priority can be set by
+.BR iptables "(8)":
+.in +4
+.sp
+.B iptables
+-t mangle -A POSTROUTING [...] -j CLASSIFY --set-class 0:4
+.sp
+.in -4
+and this "4" priority can be used in the egress qos mapping to set
+VLAN prio "5":
+.sp
+.in +4
+.B ip
+link set veth0.10 type vlan egress 4:5
+.in -4
+.in -4
+.in -8
+
+.TP
+VXLAN Type Support
+For a link of type
+.I VXLAN
+the following additional arguments are supported:
+
+.BI "ip link add " DEVICE
+.BI type " vxlan " id " VNI"
+[
+.BI dev " PHYS_DEV "
+.RB " ] [ { " group " | " remote " } "
+.I IPADDR
+] [
+.B local
+.RI "{ "IPADDR " | "any " } "
+] [
+.BI ttl " TTL "
+] [
+.BI tos " TOS "
+] [
+.BI df " DF "
+] [
+.BI flowlabel " FLOWLABEL "
+] [
+.BI dstport " PORT "
+] [
+.BI srcport " MIN MAX "
+] [
+.RB [ no ] learning
+] [
+.RB [ no ] proxy
+] [
+.RB [ no ] rsc
+] [
+.RB [ no ] l2miss
+] [
+.RB [ no ] l3miss
+] [
+.RB [ no ] udpcsum
+] [
+.RB [ no ] udp6zerocsumtx
+] [
+.RB [ no ] udp6zerocsumrx
+] [
+.RB [ no ] localbypass
+] [
+.BI ageing " SECONDS "
+] [
+.BI maxaddress " NUMBER "
+] [
+.RB [ no ] external
+] [
+.B gbp
+] [
+.B gpe
+] [
+.RB [ no ] vnifilter
+]
+
+.in +8
+.sp
+.BI id " VNI "
+- specifies the VXLAN Network Identifier (or VXLAN Segment
+Identifier) to use.
+
+.BI dev " PHYS_DEV"
+- specifies the physical device to use for tunnel endpoint communication.
+
+.sp
+.BI group " IPADDR"
+- specifies the multicast IP address to join.
+This parameter cannot be specified with the
+.B remote
+parameter.
+
+.sp
+.BI remote " IPADDR"
+- specifies the unicast destination IP address to use in outgoing packets
+when the destination link layer address is not known in the VXLAN device
+forwarding database. This parameter cannot be specified with the
+.B group
+parameter.
+
+.sp
+.BI local " IPADDR"
+- specifies the source IP address to use in outgoing packets.
+
+.sp
+.BI ttl " TTL"
+- specifies the TTL value to use in outgoing packets.
+
+.sp
+.BI tos " TOS"
+- specifies the TOS value to use in outgoing packets.
+
+.sp
+.BI df " DF"
+- specifies the usage of the Don't Fragment flag (DF) bit in outgoing packets
+with IPv4 headers. The value
+.B inherit
+causes the bit to be copied from the original IP header. The values
+.B unset
+and
+.B set
+cause the bit to be always unset or always set, respectively. By default, the
+bit is not set.
+
+.sp
+.BI flowlabel " FLOWLABEL"
+- specifies the flow label to use in outgoing packets.
+
+.sp
+.BI dstport " PORT"
+- specifies the UDP destination port to communicate to the remote
+ VXLAN tunnel endpoint.
+
+.sp
+.BI srcport " MIN MAX"
+- specifies the range of port numbers to use as UDP
+source ports to communicate to the remote VXLAN tunnel endpoint.
+
+.sp
+.RB [ no ] learning
+- specifies if unknown source link layer addresses and IP addresses
+are entered into the VXLAN device forwarding database.
+
+.sp
+.RB [ no ] rsc
+- specifies if route short circuit is turned on.
+
+.sp
+.RB [ no ] proxy
+- specifies ARP proxy is turned on.
+
+.sp
+.RB [ no ] l2miss
+- specifies if netlink LLADDR miss notifications are generated.
+
+.sp
+.RB [ no ] l3miss
+- specifies if netlink IP ADDR miss notifications are generated.
+
+.sp
+.RB [ no ] udpcsum
+- specifies if UDP checksum is calculated for transmitted packets over IPv4.
+
+.sp
+.RB [ no ] udp6zerocsumtx
+- skip UDP checksum calculation for transmitted packets over IPv6.
+
+.sp
+.RB [ no ] udp6zerocsumrx
+- allow incoming UDP packets over IPv6 with zero checksum field.
+
+.sp
+.RB [ no ] localbypass
+- if FDB destination is local, with nolocalbypass set, forward encapsulated
+packets to the userspace network stack. If there is a userspace process
+listening for these packets, it will have a chance to process them. If
+localbypass is active (default), bypass the kernel network stack and
+inject the packets into the target VXLAN device, assuming one exists.
+
+.sp
+.BI ageing " SECONDS"
+- specifies the lifetime in seconds of FDB entries learnt by the kernel.
+
+.sp
+.BI maxaddress " NUMBER"
+- specifies the maximum number of FDB entries.
+
+.sp
+.RB [ no ] external
+- specifies whether an external control plane
+.RB "(e.g. " "ip route encap" )
+or the internal FDB should be used.
+
+.sp
+.RB [ no ] vnifilter
+- specifies whether the vxlan device is capable of vni filtering. Only works with a vxlan
+device with external flag set. once enabled, bridge vni command is used to manage the
+vni filtering table on the device. The device can only receive packets with vni's configured
+in the vni filtering table.
+
+.sp
+.B gbp
+- enables the Group Policy extension (VXLAN-GBP).
+
+.in +4
+Allows one to transport group policy context across VXLAN network peers.
+If enabled, includes the mark of a packet in the VXLAN header for outgoing
+packets and fills the packet mark based on the information found in the
+VXLAN header for incoming packets.
+
+Format of upper 16 bits of packet mark (flags);
+
+.in +2
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+.br
+|-|-|-|-|-|-|-|-|-|D|-|-|A|-|-|-|
+.br
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+.B D :=
+Don't Learn bit. When set, this bit indicates that the egress
+VTEP MUST NOT learn the source address of the encapsulated frame.
+
+.B A :=
+Indicates that the group policy has already been applied to
+this packet. Policies MUST NOT be applied by devices when the A bit is set.
+.in -2
+
+Format of lower 16 bits of packet mark (policy ID):
+
+.in +2
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+.br
+| Group Policy ID |
+.br
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+.in -2
+
+Example:
+ iptables -A OUTPUT [...] -j MARK --set-mark 0x800FF
+
+.in -4
+
+.sp
+.B gpe
+- enables the Generic Protocol extension (VXLAN-GPE). Currently, this is
+only supported together with the
+.B external
+keyword.
+
+.in -8
+
+.TP
+VETH, VXCAN Type Support
+For a link of types
+.I VETH/VXCAN
+the following additional arguments are supported:
+
+.BI "ip link add " DEVICE
+.BR type " { " veth " | " vxcan " }"
+[
+.BR peer
+.BI "name " NAME
+]
+
+.in +8
+.sp
+.BR peer
+.BI "name " NAME
+- specifies the virtual pair device name of the
+.I VETH/VXCAN
+tunnel.
+
+.in -8
+
+.TP
+netkit Type Support
+For a link of type
+.I netkit
+the following additional arguments are supported:
+
+.BI "ip link add " DEVICE
+.BR type " netkit "
+[
+.BI mode " MODE "
+] [
+.I "POLICY "
+] [
+.BR peer
+[
+.I "POLICY "
+] [
+.I "NAME "
+] ]
+
+.in +8
+
+.sp
+.BI mode " MODE"
+- specifies the operation mode of the netkit device with "l3" and "l2"
+as possible values. Default option is "l3".
+
+.sp
+.I "POLICY"
+- specifies the default device policy when no BPF programs are attached
+with "forward" and "blackhole" as possible values. Default option is
+"forward". Specifying policy before the peer option refers to the primary
+device, after the peer option refers to the peer device.
+
+.sp
+.I "NAME"
+- specifies the device name of the peer device.
+
+.in -8
+
+.TP
+IPIP, SIT Type Support
+For a link of type
+.IR IPIP or SIT
+the following additional arguments are supported:
+
+.BI "ip link add " DEVICE
+.BR type " { " ipip " | " sit " }"
+.BI " remote " ADDR " local " ADDR
+[
+.BR encap " { " fou " | " gue " | " none " }"
+] [
+.BR encap-sport " { " \fIPORT " | " auto " }"
+] [
+.BI "encap-dport " PORT
+] [
+.RB [ no ] encap-csum
+] [
+.I " [no]encap-remcsum "
+] [
+.I " mode " { ip6ip | ipip | mplsip | any } "
+] [
+.BR external
+]
+
+.in +8
+.sp
+.BI remote " ADDR "
+- specifies the remote address of the tunnel.
+
+.sp
+.BI local " ADDR "
+- specifies the fixed local address for tunneled packets.
+It must be an address on another interface on this host.
+
+.sp
+.BR encap " { " fou " | " gue " | " none " }"
+- specifies type of secondary UDP encapsulation. "fou" indicates
+Foo-Over-UDP, "gue" indicates Generic UDP Encapsulation.
+
+.sp
+.BR encap-sport " { " \fIPORT " | " auto " }"
+- specifies the source port in UDP encapsulation.
+.IR PORT
+indicates the port by number, "auto"
+indicates that the port number should be chosen automatically
+(the kernel picks a flow based on the flow hash of the
+encapsulated packet).
+
+.sp
+.RB [ no ] encap-csum
+- specifies if UDP checksums are enabled in the secondary
+encapsulation.
+
+.sp
+.RB [ no ] encap-remcsum
+- specifies if Remote Checksum Offload is enabled. This is only
+applicable for Generic UDP Encapsulation.
+
+.sp
+.BI mode " { ip6ip | ipip | mplsip | any } "
+- specifies mode in which device should run. "ip6ip" indicates
+IPv6-Over-IPv4, "ipip" indicates "IPv4-Over-IPv4", "mplsip" indicates
+MPLS-Over-IPv4, "any" indicates IPv6, IPv4 or MPLS Over IPv4. Supported for
+SIT where the default is "ip6ip" and IPIP where the default is "ipip".
+IPv6-Over-IPv4 is not supported for IPIP.
+
+.sp
+.BR external
+- make this tunnel externally controlled
+.RB "(e.g. " "ip route encap" ).
+
+.in -8
+.TP
+GRE Type Support
+For a link of type
+.IR GRE " or " GRETAP
+the following additional arguments are supported:
+
+.BI "ip link add " DEVICE
+.BR type " { " gre " | " gretap " }"
+.BI " remote " ADDR " local " ADDR
+[
+.RB [ no ] "" [ i | o ] seq
+] [
+.RB [ i | o ] key
+.I KEY
+|
+.BR no [ i | o ] key
+] [
+.RB [ no ] "" [ i | o ] csum
+] [
+.BI ttl " TTL "
+] [
+.BI tos " TOS "
+] [
+.RB [ no ] pmtudisc
+] [
+.RB [ no ] ignore-df
+] [
+.BI dev " PHYS_DEV "
+] [
+.BR encap " { " fou " | " gue " | " none " }"
+] [
+.BR encap-sport " { " \fIPORT " | " auto " }"
+] [
+.BI "encap-dport " PORT
+] [
+.RB [ no ] encap-csum
+] [
+.RB [ no ] encap-remcsum
+] [
+.BR external
+]
+
+.in +8
+.sp
+.BI remote " ADDR "
+- specifies the remote address of the tunnel.
+
+.sp
+.BI local " ADDR "
+- specifies the fixed local address for tunneled packets.
+It must be an address on another interface on this host.
+
+.sp
+.RB [ no ] "" [ i | o ] seq
+- serialize packets.
+The
+.B oseq
+flag enables sequencing of outgoing packets.
+The
+.B iseq
+flag requires that all input packets are serialized.
+
+.sp
+.RB [ i | o ] key
+.I KEY
+|
+.BR no [ i | o ] key
+- use keyed GRE with key
+.IR KEY ". "KEY
+is either a number or an IPv4 address-like dotted quad.
+The
+.B key
+parameter specifies the same key to use in both directions.
+The
+.BR ikey " and " okey
+parameters specify different keys for input and output.
+
+.sp
+.RB [ no ] "" [ i | o ] csum
+- generate/require checksums for tunneled packets.
+The
+.B ocsum
+flag calculates checksums for outgoing packets.
+The
+.B icsum
+flag requires that all input packets have the correct
+checksum. The
+.B csum
+flag is equivalent to the combination
+.B "icsum ocsum" .
+
+.sp
+.BI ttl " TTL"
+- specifies the TTL value to use in outgoing packets.
+
+.sp
+.BI tos " TOS"
+- specifies the TOS value to use in outgoing packets.
+
+.sp
+.RB [ no ] pmtudisc
+- enables/disables Path MTU Discovery on this tunnel.
+It is enabled by default. Note that a fixed ttl is incompatible
+with this option: tunneling with a fixed ttl always makes pmtu
+discovery.
+
+.sp
+.RB [ no ] ignore-df
+- enables/disables IPv4 DF suppression on this tunnel.
+Normally datagrams that exceed the MTU will be fragmented; the presence
+of the DF flag inhibits this, resulting instead in an ICMP Unreachable
+(Fragmentation Required) message. Enabling this attribute causes the
+DF flag to be ignored.
+
+.sp
+.BI dev " PHYS_DEV"
+- specifies the physical device to use for tunnel endpoint communication.
+
+.sp
+.BR encap " { " fou " | " gue " | " none " }"
+- specifies type of secondary UDP encapsulation. "fou" indicates
+Foo-Over-UDP, "gue" indicates Generic UDP Encapsulation.
+
+.sp
+.BR encap-sport " { " \fIPORT " | " auto " }"
+- specifies the source port in UDP encapsulation.
+.IR PORT
+indicates the port by number, "auto"
+indicates that the port number should be chosen automatically
+(the kernel picks a flow based on the flow hash of the
+encapsulated packet).
+
+.sp
+.RB [ no ] encap-csum
+- specifies if UDP checksums are enabled in the secondary
+encapsulation.
+
+.sp
+.RB [ no ] encap-remcsum
+- specifies if Remote Checksum Offload is enabled. This is only
+applicable for Generic UDP Encapsulation.
+
+.sp
+.BR external
+- make this tunnel externally controlled
+.RB "(e.g. " "ip route encap" ).
+
+.in -8
+
+.TP
+IP6GRE/IP6GRETAP Type Support
+For a link of type
+.I IP6GRE/IP6GRETAP
+the following additional arguments are supported:
+
+.BI "ip link add " DEVICE
+.BR type " { " ip6gre " | " ip6gretap " }"
+.BI remote " ADDR " local " ADDR"
+[
+.RB [ no ] "" [ i | o ] seq
+] [
+.RB [ i | o ] key
+.I KEY
+|
+.BR no [ i | o ] key
+] [
+.RB [ no ] "" [ i | o ] csum
+] [
+.BI hoplimit " TTL "
+] [
+.BI encaplimit " ELIM "
+] [
+.BI tclass " TCLASS "
+] [
+.BI flowlabel " FLOWLABEL "
+] [
+.BI "dscp inherit"
+] [
+.BI "[no]allow-localremote"
+] [
+.BI dev " PHYS_DEV "
+] [
+.RB external
+]
+
+.in +8
+.sp
+.BI remote " ADDR "
+- specifies the remote IPv6 address of the tunnel.
+
+.sp
+.BI local " ADDR "
+- specifies the fixed local IPv6 address for tunneled packets.
+It must be an address on another interface on this host.
+
+.sp
+.RB [ no ] "" [ i | o ] seq
+- serialize packets.
+The
+.B oseq
+flag enables sequencing of outgoing packets.
+The
+.B iseq
+flag requires that all input packets are serialized.
+
+.sp
+.RB [ i | o ] key
+.I KEY
+|
+.BR no [ i | o ] key
+- use keyed GRE with key
+.IR KEY ". "KEY
+is either a number or an IPv4 address-like dotted quad.
+The
+.B key
+parameter specifies the same key to use in both directions.
+The
+.BR ikey " and " okey
+parameters specify different keys for input and output.
+
+.sp
+.RB [ no ] "" [ i | o ] csum
+- generate/require checksums for tunneled packets.
+The
+.B ocsum
+flag calculates checksums for outgoing packets.
+The
+.B icsum
+flag requires that all input packets have the correct
+checksum. The
+.B csum
+flag is equivalent to the combination
+.BR "icsum ocsum" .
+
+.sp
+.BI hoplimit " TTL"
+- specifies Hop Limit value to use in outgoing packets.
+
+.sp
+.BI encaplimit " ELIM"
+- specifies a fixed encapsulation limit. Default is 4.
+
+.sp
+.BI flowlabel " FLOWLABEL"
+- specifies a fixed flowlabel.
+
+.sp
+.BI [no]allow-localremote
+- specifies whether to allow remote endpoint to have an address configured on
+local host.
+
+.sp
+.BI tclass " TCLASS"
+- specifies the traffic class field on
+tunneled packets, which can be specified as either a two-digit
+hex value (e.g. c0) or a predefined string (e.g. internet).
+The value
+.B inherit
+causes the field to be copied from the original IP header. The
+values
+.BI "inherit/" STRING
+or
+.BI "inherit/" 00 ".." ff
+will set the field to
+.I STRING
+or
+.IR 00 ".." ff
+when tunneling non-IP packets. The default value is 00.
+
+.sp
+.RB external
+- make this tunnel externally controlled (or not, which is the default).
+In the kernel, this is referred to as collect metadata mode. This flag is
+mutually exclusive with the
+.BR remote ,
+.BR local ,
+.BR seq ,
+.BR key,
+.BR csum,
+.BR hoplimit,
+.BR encaplimit,
+.BR flowlabel " and " tclass
+options.
+
+.in -8
+
+.TP
+IPoIB Type Support
+For a link of type
+.I IPoIB
+the following additional arguments are supported:
+
+.BI "ip link add " DEVICE " name " NAME
+.BR "type ipoib " [ " pkey \fIPKEY" " ] [ " mode " \fIMODE \fR]"
+
+.in +8
+.sp
+.BI pkey " PKEY "
+- specifies the IB P-Key to use.
+
+.BI mode " MODE "
+- specifies the mode (datagram or connected) to use.
+
+.TP
+ERSPAN Type Support
+For a link of type
+.I ERSPAN/IP6ERSPAN
+the following additional arguments are supported:
+
+.BI "ip link add " DEVICE
+.BR type " { " erspan " | " ip6erspan " }"
+.BI remote " ADDR " local " ADDR " seq
+.RB key
+.I KEY
+.BR erspan_ver " \fIversion "
+[
+.BR erspan " \fIIDX "
+] [
+.BR erspan_dir " { " \fIingress " | " \fIegress " }"
+] [
+.BR erspan_hwid " \fIhwid "
+] [
+.BI "[no]allow-localremote"
+] [
+.RB external
+]
+
+.in +8
+.sp
+.BI remote " ADDR "
+- specifies the remote address of the tunnel.
+
+.sp
+.BI local " ADDR "
+- specifies the fixed local address for tunneled packets.
+It must be an address on another interface on this host.
+
+.sp
+.BR erspan_ver " \fIversion "
+- specifies the ERSPAN version number.
+.IR version
+indicates the ERSPAN version to be created: 0 for version 0 type I,
+1 for version 1 (type II) or 2 for version 2 (type III).
+
+.sp
+.BR erspan " \fIIDX "
+- specifies the ERSPAN v1 index field.
+.IR IDX
+indicates a 20 bit index/port number associated with the ERSPAN
+traffic's source port and direction.
+
+.sp
+.BR erspan_dir " { " \fIingress " | " \fIegress " }"
+- specifies the ERSPAN v2 mirrored traffic's direction.
+
+.sp
+.BR erspan_hwid " \fIhwid "
+- an unique identifier of an ERSPAN v2 engine within a system.
+.IR hwid
+is a 6-bit value for users to configure.
+
+.sp
+.BI [no]allow-localremote
+- specifies whether to allow remote endpoint to have an address configured on
+local host.
+
+.sp
+.BR external
+- make this tunnel externally controlled (or not, which is the default).
+In the kernel, this is referred to as collect metadata mode. This flag is
+mutually exclusive with the
+.BR remote ,
+.BR local ,
+.BR erspan_ver ,
+.BR erspan ,
+.BR erspan_dir " and " erspan_hwid
+options.
+
+.in -8
+
+.TP
+GENEVE Type Support
+For a link of type
+.I GENEVE
+the following additional arguments are supported:
+
+.BI "ip link add " DEVICE
+.BI type " geneve " id " VNI " remote " IPADDR"
+[
+.BI ttl " TTL "
+] [
+.BI tos " TOS "
+] [
+.BI df " DF "
+] [
+.BI flowlabel " FLOWLABEL "
+] [
+.BI dstport " PORT"
+] [
+.RB [ no ] external
+] [
+.RB [ no ] udpcsum
+] [
+.RB [ no ] udp6zerocsumtx
+] [
+.RB [ no ] udp6zerocsumrx
+] [
+.B innerprotoinherit
+]
+
+.in +8
+.sp
+.BI id " VNI "
+- specifies the Virtual Network Identifier to use.
+
+.sp
+.BI remote " IPADDR"
+- specifies the unicast destination IP address to use in outgoing packets.
+
+.sp
+.BI ttl " TTL"
+- specifies the TTL value to use in outgoing packets. "0" or "auto" means
+use whatever default value, "inherit" means inherit the inner protocol's
+ttl. Default option is "0".
+
+.sp
+.BI tos " TOS"
+- specifies the TOS value to use in outgoing packets.
+
+.sp
+.BI df " DF"
+- specifies the usage of the Don't Fragment flag (DF) bit in outgoing packets
+with IPv4 headers. The value
+.B inherit
+causes the bit to be copied from the original IP header. The values
+.B unset
+and
+.B set
+cause the bit to be always unset or always set, respectively. By default, the
+bit is not set.
+
+.sp
+.BI flowlabel " FLOWLABEL"
+- specifies the flow label to use in outgoing packets.
+
+.sp
+.BI dstport " PORT"
+- select a destination port other than the default of 6081.
+
+.sp
+.RB [ no ] external
+- make this tunnel externally controlled (or not, which is the default). This
+flag is mutually exclusive with the
+.BR id ,
+.BR remote ,
+.BR ttl ,
+.BR tos " and " flowlabel
+options.
+
+.sp
+.RB [ no ] udpcsum
+- specifies if UDP checksum is calculated for transmitted packets over IPv4.
+
+.sp
+.RB [ no ] udp6zerocsumtx
+- skip UDP checksum calculation for transmitted packets over IPv6.
+
+.sp
+.RB [ no ] udp6zerocsumrx
+- allow incoming UDP packets over IPv6 with zero checksum field.
+
+.sp
+.B innerprotoinherit
+- use IPv4/IPv6 as inner protocol instead of Ethernet.
+
+.in -8
+
+.TP
+Bareudp Type Support
+For a link of type
+.I Bareudp
+the following additional arguments are supported:
+
+.BI "ip link add " DEVICE
+.BI type " bareudp " dstport " PORT " ethertype " PROTO"
+[
+.BI srcportmin " PORT "
+] [
+.RB [ no ] multiproto
+]
+
+.in +8
+.sp
+.BI dstport " PORT"
+- specifies the destination port for the UDP tunnel.
+
+.sp
+.BI ethertype " PROTO"
+- specifies the ethertype of the L3 protocol being tunnelled.
+.B ethertype
+can be given as plain Ethernet protocol number or using the protocol name
+("ipv4", "ipv6", "mpls_uc", etc.).
+
+.sp
+.BI srcportmin " PORT"
+- selects the lowest value of the UDP tunnel source port range.
+
+.sp
+.RB [ no ] multiproto
+- activates support for protocols similar to the one
+.RB "specified by " ethertype .
+When
+.B ethertype
+is "mpls_uc" (that is, unicast MPLS), this allows the tunnel to also handle
+multicast MPLS.
+When
+.B ethertype
+is "ipv4", this allows the tunnel to also handle IPv6. This option is disabled
+by default.
+
+.TP
+AMT Type Support
+For a link of type
+.I AMT
+the following additional arguments are supported:
+
+.BI "ip link add " DEVICE
+.BI type " AMT " discovery " IPADDR " mode " { " gateway " | " relay " } "
+.BI local " IPADDR " dev " PHYS_DEV " [
+.BI relay_port " PORT " ]
+[
+.BI gateway_port " PORT " ]
+[
+.BI max_tunnels " NUMBER "
+]
+
+.in +8
+.sp
+.BI discovery " IPADDR"
+- specifies the unicast discovery IP address to use to find remote IP address.
+
+.BR mode " { " gateway " | " relay " } "
+- specifies the role of AMT, Gateway or Relay
+
+.BI local " IPADDR "
+- specifies the source IP address to use in outgoing packets.
+
+.BI dev " PHYS_DEV "
+- specifies the underlying physical interface from which transform traffic
+is sent and received.
+
+.BI relay_port " PORT "
+- specifies the UDP Relay port to communicate to the Relay.
+
+.BI gateway_port " PORT "
+- specifies the UDP Gateway port to communicate to the Gateway.
+
+.BI max_tunnels " NUMBER "
+- specifies the maximum number of tunnels.
+
+.in -8
+
+.TP
+MACVLAN and MACVTAP Type Support
+For a link of type
+.I MACVLAN
+or
+.I MACVTAP
+the following additional arguments are supported:
+
+.BI "ip link add link " DEVICE " name " NAME
+.BR type " { " macvlan " | " macvtap " } "
+.BR mode " { " private " | " vepa " | " bridge " | " passthru
+.RB " [ " nopromisc " ] | " source " [ " nodst " ] } "
+.RB " [ " bcqueuelen " { " LENGTH " } ] "
+.RB " [ " bclim " " LIMIT " ] "
+
+.in +8
+.sp
+.BR type " { " macvlan " | " macvtap " } "
+- specifies the link type to use.
+.BR macvlan " creates just a virtual interface, while "
+.BR macvtap " in addition creates a character device "
+.BR /dev/tapX " to be used just like a " tuntap " device."
+
+.B mode private
+- Do not allow communication between
+.B macvlan
+instances on the same physical interface, even if the external switch supports
+hairpin mode.
+
+.B mode vepa
+- Virtual Ethernet Port Aggregator mode. Data from one
+.B macvlan
+instance to the other on the same physical interface is transmitted over the
+physical interface. Either the attached switch needs to support hairpin mode,
+or there must be a TCP/IP router forwarding the packets in order to allow
+communication. This is the default mode.
+
+.B mode bridge
+- In bridge mode, all endpoints are directly connected to each other,
+communication is not redirected through the physical interface's peer.
+
+.BR mode " " passthru " [ " nopromisc " ] "
+- This mode gives more power to a single endpoint, usually in
+.BR macvtap " mode. It is not allowed for more than one endpoint on the same "
+physical interface. All traffic will be forwarded to this endpoint, allowing
+virtio guests to change MAC address or set promiscuous mode in order to bridge
+the interface or create vlan interfaces on top of it.
By default, this mode
+forces the underlying interface into promiscuous mode. Passing the
+.BR nopromisc " flag prevents this, so the promisc flag may be controlled "
+using standard tools.
+
+.BR mode " " source " [ " nodst " ] "
+- allows one to set a list of allowed mac address, which is used to match
+against source mac address from received frames on underlying interface. This
+allows creating mac based VLAN associations, instead of standard port or tag
+based. The feature is useful to deploy 802.1x mac based behavior,
+where drivers of underlying interfaces doesn't allows that. By default, packets
+are also considered (duplicated) for destination-based MACVLAN. Passing the
+.BR nodst " flag stops matching packets from also going through the "
+destination-based flow.
+
+.BR bcqueuelen " { " LENGTH " } "
+- Set the length of the RX queue used to process broadcast and multicast packets.
+.BR LENGTH " must be a positive integer in the range [0-4294967295]."
+Setting a length of 0 will effectively drop all broadcast/multicast traffic.
+If not specified the macvlan driver default (1000) is used.
+Note that all macvlans that share the same underlying device are using the same
+.RB "queue. The parameter here is a " request ", the actual queue length used"
+will be the maximum length that any macvlan interface has requested.
+When listing device parameters both the bcqueuelen parameter
+as well as the actual used bcqueuelen are listed to better help
+the user understand the setting.
+
+.BR bclim " " LIMIT
+- Set the threshold for broadcast queueing.
+.BR LIMIT " must be a 32-bit integer."
+Setting this to -1 disables broadcast queueing altogether. Otherwise
+a multicast address will be queued as broadcast if the number of devices
+using it is greater than the given value.
+.in -8
+
+.TP
+High-availability Seamless Redundancy (HSR) Support
+For a link of type
+.I HSR
+the following additional arguments are supported:
+
+.BI "ip link add link " DEVICE " name " NAME " type hsr"
+.BI slave1 " SLAVE1-IF " slave2 " SLAVE2-IF "
+.RB [ " supervision"
+.IR ADDR-BYTE " ] ["
+.BR version " { " 0 " | " 1 " } ["
+.BR proto " { " 0 " | " 1 " } ]"
+
+.in +8
+.sp
+.BR type " hsr "
+- specifies the link type to use, here HSR.
+
+.BI slave1 " SLAVE1-IF "
+- Specifies the physical device used for the first of the two ring ports.
+
+.BI slave2 " SLAVE2-IF "
+- Specifies the physical device used for the second of the two ring ports.
+
+.BI supervision " ADDR-BYTE"
+- The last byte of the multicast address used for HSR supervision frames.
+Default option is "0", possible values 0-255.
+
+.BR version " { " 0 " | " 1 " }"
+- Selects the protocol version of the interface. Default option is "0", which
+corresponds to the 2010 version of the HSR standard. Option "1" activates the
+2012 version.
+
+.BR proto " { " 0 " | " 1 " }"
+- Selects the protocol at the interface. Default option is "0", which
+corresponds to the HSR standard. Option "1" activates the Parallel
+Redundancy Protocol (PRP).
+.
+.in -8
+
+.TP
+BRIDGE Type Support
+For a link of type
+.I BRIDGE
+the following additional arguments are supported:
+
+.BI "ip link add " DEVICE " type bridge "
+[
+.BI ageing_time " AGEING_TIME "
+] [
+.BI group_fwd_mask " MASK "
+] [
+.BI group_address " ADDRESS "
+] [
+.BI forward_delay " FORWARD_DELAY "
+] [
+.BI hello_time " HELLO_TIME "
+] [
+.BI max_age " MAX_AGE "
+] [
+.BI stp_state " STP_STATE "
+] [
+.BI priority " PRIORITY "
+] [
+.BI no_linklocal_learn " NO_LINKLOCAL_LEARN "
+] [
+.BI fdb_max_learned " FDB_MAX_LEARNED "
+] [
+.BI vlan_filtering " VLAN_FILTERING "
+] [
+.BI vlan_protocol " VLAN_PROTOCOL "
+] [
+.BI vlan_default_pvid " VLAN_DEFAULT_PVID "
+] [
+.BI vlan_stats_enabled " VLAN_STATS_ENABLED "
+] [
+.BI vlan_stats_per_port " VLAN_STATS_PER_PORT "
+] [
+.BI mcast_snooping " MULTICAST_SNOOPING "
+] [
+.BI mcast_vlan_snooping " MULTICAST_VLAN_SNOOPING "
+] [
+.BI mcast_router " MULTICAST_ROUTER "
+] [
+.BI mcast_query_use_ifaddr " MCAST_QUERY_USE_IFADDR "
+] [
+.BI mcast_querier " MULTICAST_QUERIER "
+] [
+.BI mcast_hash_elasticity " HASH_ELASTICITY "
+] [
+.BI mcast_hash_max " HASH_MAX "
+] [
+.BI mcast_last_member_count " LAST_MEMBER_COUNT "
+] [
+.BI mcast_startup_query_count " STARTUP_QUERY_COUNT "
+] [
+.BI mcast_last_member_interval " LAST_MEMBER_INTERVAL "
+] [
+.BI mcast_membership_interval " MEMBERSHIP_INTERVAL "
+] [
+.BI mcast_querier_interval " QUERIER_INTERVAL "
+] [
+.BI mcast_query_interval " QUERY_INTERVAL "
+] [
+.BI mcast_query_response_interval " QUERY_RESPONSE_INTERVAL "
+] [
+.BI mcast_startup_query_interval " STARTUP_QUERY_INTERVAL "
+] [
+.BI mcast_stats_enabled " MCAST_STATS_ENABLED "
+] [
+.BI mcast_igmp_version " IGMP_VERSION "
+] [
+.BI mcast_mld_version " MLD_VERSION "
+] [
+.BI nf_call_iptables " NF_CALL_IPTABLES "
+] [
+.BI nf_call_ip6tables " NF_CALL_IP6TABLES "
+] [
+.BI nf_call_arptables " NF_CALL_ARPTABLES "
+]
+
+.in +8
+.sp
+.BI ageing_time " AGEING_TIME "
+- configure the bridge's FDB entries ageing time,
ie the number of
+seconds a MAC address will be kept in the FDB after a packet has been
+received from that address. after this time has passed, entries are
+cleaned up.
+
+.BI group_fwd_mask " MASK "
+- set the group forward mask. This is the bitmask that is applied to
+decide whether to forward incoming frames destined to link-local
+addresses, ie addresses of the form 01:80:C2:00:00:0X (defaults to 0,
+ie the bridge does not forward any link-local frames).
+
+.BI group_address " ADDRESS "
+- set the MAC address of the multicast group this bridge uses for STP.
+The address must be a link-local address in standard Ethernet MAC
+address format, ie an address of the form 01:80:C2:00:00:0X, with X
+ in [0, 4..f].
+
+.BI forward_delay " FORWARD_DELAY "
+- set the forwarding delay in seconds, ie the time spent in LISTENING
+state (before moving to LEARNING) and in LEARNING state (before
+moving to FORWARDING). Only relevant if STP is enabled. Valid values
+are between 2 and 30.
+
+.BI hello_time " HELLO_TIME "
+- set the time in seconds between hello packets sent by the bridge,
+when it is a root bridge or a designated bridges.
+Only relevant if STP is enabled. Valid values are between 1 and 10.
+
+.BI max_age " MAX_AGE "
+- set the hello packet timeout, ie the time in seconds until another
+bridge in the spanning tree is assumed to be dead, after reception of
+its last hello message. Only relevant if STP is enabled. Valid values
+are between 6 and 40.
+
+.BI stp_state " STP_STATE "
+- turn spanning tree protocol on
+.RI ( STP_STATE " > 0) "
+or off
+.RI ( STP_STATE " == 0). "
+for this bridge.
+
+.BI priority " PRIORITY "
+- set this bridge's spanning tree priority, used during STP root
+bridge election.
+.I PRIORITY
+is a 16bit unsigned integer.
+
+.BI no_linklocal_learn " NO_LINKLOCAL_LEARN "
+- turn link-local learning on
+.RI ( NO_LINKLOCAL_LEARN " == 0) "
+or off
+.RI ( NO_LINKLOCAL_LEARN " > 0).
"
+When disabled, the bridge will not learn from link-local frames (default:
+enabled).
+
+.BI fdb_max_learned " FDB_MAX_LEARNED "
+- set the maximum number of learned FDB entries. If
+.RI ( FDB_MAX_LEARNED " == 0) "
+the feature is disabled. Default is
+.BR 0 .
+.I FDB_MAX_LEARNED
+is a 32bit unsigned integer.
+
+.BI vlan_filtering " VLAN_FILTERING "
+- turn VLAN filtering on
+.RI ( VLAN_FILTERING " > 0) "
+or off
+.RI ( VLAN_FILTERING " == 0). "
+When disabled, the bridge will not consider the VLAN tag when handling packets.
+
+.BR vlan_protocol " { " 802.1Q " | " 802.1ad " } "
+- set the protocol used for VLAN filtering.
+
+.BI vlan_default_pvid " VLAN_DEFAULT_PVID "
+- set the default PVID (native/untagged VLAN ID) for this bridge.
+
+.BI vlan_stats_enabled " VLAN_STATS_ENABLED "
+- enable
+.RI ( VLAN_STATS_ENABLED " == 1) "
+or disable
+.RI ( VLAN_STATS_ENABLED " == 0) "
+per-VLAN stats accounting.
+
+.BI vlan_stats_per_port " VLAN_STATS_PER_PORT "
+- enable
+.RI ( VLAN_STATS_PER_PORT " == 1) "
+or disable
+.RI ( VLAN_STATS_PER_PORT " == 0) "
+per-VLAN per-port stats accounting. Can be changed only when there are no port VLANs configured.
+
+.BI mcast_snooping " MULTICAST_SNOOPING "
+- turn multicast snooping on
+.RI ( MULTICAST_SNOOPING " > 0) "
+or off
+.RI ( MULTICAST_SNOOPING " == 0). "
+
+.BI mcast_vlan_snooping " MULTICAST_VLAN_SNOOPING "
+- turn multicast VLAN snooping on
+.RI ( MULTICAST_VLAN_SNOOPING " > 0) "
+or off
+.RI ( MULTICAST_VLAN_SNOOPING " == 0). "
+
+.BI mcast_router " MULTICAST_ROUTER "
+- set bridge's multicast router if IGMP snooping is enabled.
+.I MULTICAST_ROUTER
+is an integer value having the following meaning:
+.in +8
+.sp
+.B 0
+- disabled.
+
+.B 1
+- automatic (queried).
+
+.B 2
+- permanently enabled.
+.in -8
+
+.BI mcast_query_use_ifaddr " MCAST_QUERY_USE_IFADDR "
+- whether to use the bridge's own IP address as source address for IGMP queries
+.RI ( MCAST_QUERY_USE_IFADDR " > 0) "
+or the default of 0.0.0.0
+.RI ( MCAST_QUERY_USE_IFADDR " == 0). "
+
+.BI mcast_querier " MULTICAST_QUERIER "
+- enable
+.RI ( MULTICAST_QUERIER " > 0) "
+or disable
+.RI ( MULTICAST_QUERIER " == 0) "
+IGMP querier, ie sending of multicast queries by the bridge (default: disabled).
+
+.BI mcast_querier_interval " QUERIER_INTERVAL "
+- interval between queries sent by other routers. if no queries are seen
+after this delay has passed, the bridge will start to send its own queries
+(as if
+.BI mcast_querier
+was enabled).
+
+.BI mcast_hash_elasticity " HASH_ELASTICITY "
+- set multicast database hash elasticity, ie the maximum chain length
+in the multicast hash table (defaults to 4).
+
+.BI mcast_hash_max " HASH_MAX "
+- set maximum size of multicast hash table (defaults to 512,
+value must be a power of 2).
+
+.BI mcast_last_member_count " LAST_MEMBER_COUNT "
+- set multicast last member count, ie the number of queries the bridge
+will send before stopping forwarding a multicast group after a "leave"
+message has been received (defaults to 2).
+
+.BI mcast_last_member_interval " LAST_MEMBER_INTERVAL "
+- interval between queries to find remaining members of a group,
+after a "leave" message is received.
+
+.BI mcast_startup_query_count " STARTUP_QUERY_COUNT "
+- set the number of IGMP queries to send during startup phase (defaults to 2).
+
+.BI mcast_startup_query_interval " STARTUP_QUERY_INTERVAL "
+- interval between queries in the startup phase.
+
+.BI mcast_query_interval " QUERY_INTERVAL "
+- interval between queries sent by the bridge after the end of the
+startup phase.
+
+.BI mcast_query_response_interval " QUERY_RESPONSE_INTERVAL "
+- set the Max Response Time/Maximum Response Delay for IGMP/MLD
+queries sent by the bridge.
+
+.BI mcast_membership_interval " MEMBERSHIP_INTERVAL "
+- delay after which the bridge will leave a group,
+if no membership reports for this group are received.
+
+.BI mcast_stats_enabled " MCAST_STATS_ENABLED "
+- enable
+.RI ( MCAST_STATS_ENABLED " > 0) "
+or disable
+.RI ( MCAST_STATS_ENABLED " == 0) "
+multicast (IGMP/MLD) stats accounting.
+
+.BI mcast_igmp_version " IGMP_VERSION "
+- set the IGMP version.
+
+.BI mcast_mld_version " MLD_VERSION "
+- set the MLD version.
+
+.BI nf_call_iptables " NF_CALL_IPTABLES "
+- enable
+.RI ( NF_CALL_IPTABLES " > 0) "
+or disable
+.RI ( NF_CALL_IPTABLES " == 0) "
+iptables hooks on the bridge.
+
+.BI nf_call_ip6tables " NF_CALL_IP6TABLES "
+- enable
+.RI ( NF_CALL_IP6TABLES " > 0) "
+or disable
+.RI ( NF_CALL_IP6TABLES " == 0) "
+ip6tables hooks on the bridge.
+
+.BI nf_call_arptables " NF_CALL_ARPTABLES "
+- enable
+.RI ( NF_CALL_ARPTABLES " > 0) "
+or disable
+.RI ( NF_CALL_ARPTABLES " == 0) "
+arptables hooks on the bridge.
+
+
+.in -8
+
+.TP
+MACsec Type Support
+For a link of type
+.I MACsec
+the following additional arguments are supported:
+
+.BI "ip link add link " DEVICE " name " NAME " type macsec"
+[ [
+.BI address " <lladdr>"
+]
+.BI port " PORT"
+|
+.BI sci " SCI"
+] [
+.BI cipher " CIPHER_SUITE"
+] [
+.BR icvlen " { "
+.IR 8..16 " } ] ["
+.BR encrypt " {"
+.BR on " | " off " } ] [ "
+.BR send_sci " { " on " | " off " } ] ["
+.BR end_station " { " on " | " off " } ] ["
+.BR scb " { " on " | " off " } ] ["
+.BR protect " { " on " | " off " } ] ["
+.BR replay " { " on " | " off " }"
+.BR window " { "
+.IR 0..2^32-1 " } ] ["
+.BR validate " { " strict " | " check " | " disabled " } ] ["
+.BR encodingsa " { "
+.IR 0..3 " } ]"
+
+.in +8
+.sp
+.BI address " <lladdr> "
+- sets the system identifier component of secure channel for this MACsec device.
+
+.sp
+.BI port " PORT "
+- sets the port number component of secure channel for this MACsec
+device, in a range from 1 to 65535 inclusive.
Numbers with a leading "
+0 " or " 0x " are interpreted as octal and hexadecimal, respectively.
+
+.sp
+.BI sci " SCI "
+- sets the secure channel identifier for this MACsec device.
+.I SCI
+is a 64bit wide number in hexadecimal format.
+
+.sp
+.BI cipher " CIPHER_SUITE "
+- defines the cipher suite to use.
+
+.sp
+.BI icvlen " LENGTH "
+- sets the length of the Integrity Check Value (ICV).
+
+.sp
+.BR "encrypt on " or " encrypt off"
+- switches between authenticated encryption, or authenticity mode only.
+
+.sp
+.BR "send_sci on " or " send_sci off"
+- specifies whether the SCI is included in every packet,
+or only when it is necessary.
+
+.sp
+.BR "end_station on " or " end_station off"
+- sets the End Station bit.
+
+.sp
+.BR "scb on " or " scb off"
+- sets the Single Copy Broadcast bit.
+
+.sp
+.BR "protect on " or " protect off"
+- enables MACsec protection on the device.
+
+.sp
+.BR "replay on " or " replay off"
+- enables replay protection on the device.
+
+.in +8
+
+.sp
+.BI window " SIZE "
+- sets the size of the replay window.
+
+.in -8
+
+.sp
+.BR "validate strict " or " validate check " or " validate disabled"
+- sets the validation mode on the device.
+
+.sp
+.BI encodingsa " AN "
+- sets the active secure association for transmission.
+
+.in -8
+
+.TP
+VRF Type Support
+For a link of type
+.I VRF
+the following additional arguments are supported:
+
+.BI "ip link add " DEVICE " type vrf table " TABLE
+
+.in +8
+.sp
+.BR table " table id associated with VRF device"
+
+.in -8
+
+.TP
+RMNET Type Support
+For a link of type
+.I RMNET
+the following additional arguments are supported:
+
+.BI "ip link add link " DEVICE " name " NAME " type rmnet mux_id " MUXID
+
+.in +8
+.sp
+.BI mux_id " MUXID "
+- specifies the mux identifier for the rmnet device, possible values 1-254.
+
+.in -8
+
+.TP
+XFRM Type Support
+For a link of type
+.I XFRM
+the following additional arguments are supported:
+
+.BI "ip link add " DEVICE " type xfrm dev " PHYS_DEV " [ if_id " IF_ID " ]"
+.BR "[ external ]"
+
+.in +8
+.sp
+.BI dev " PHYS_DEV "
+- specifies the underlying physical interface from which transform traffic is sent and received.
+
+.sp
+.BI if_id " IF-ID "
+- specifies the hexadecimal lookup key used to send traffic to and from specific xfrm
+policies. Policies must be configured with the same key. If not set, the key defaults to
+0 and will match any policies which similarly do not have a lookup key configuration.
+
+.sp
+.BI external
+- make this device externally controlled. This flag is mutually exclusive with the
+.BR dev " and " if_id
+options.
+
+.in -8
+
+.TP
+GTP Type Support
+For a link of type
+.I GTP
+the following additional arguments are supported:
+
+.BI "ip link add " DEVICE " type gtp role " ROLE " hsize " HSIZE
+
+.in +8
+.sp
+.BI role " ROLE "
+- specifies the role of the GTP device, either sgsn or ggsn
+
+.sp
+.BI hsize " HSIZE "
+- specifies size of the hashtable which stores PDP contexts
+
+.sp
+.BI restart_count " RESTART_COUNT "
+- GTP instance restart counter
+
+.in -8
+
+.SS ip link delete - delete virtual link
+
+.TP
+.BI dev " DEVICE "
+specifies the virtual device to act operate on.
+
+.TP
+.BI group " GROUP "
+specifies the group of virtual links to delete. Group 0 is not allowed to be
+deleted since it is the default group.
+
+.TP
+.BI type " TYPE "
+specifies the type of the device.
+
+.SS ip link set - change device attributes
+
+.PP
+.B Warning:
+If multiple parameter changes are requested,
+.B ip
+aborts immediately after any of the changes have failed.
+This is the only case when
+.B ip
+can move the system to an unpredictable state. The solution
+is to avoid changing several parameters with one
+.B ip link set
+call.
+The modifier
+.B change
+is equivalent to
+.BR "set" .
+
+
+.TP
+.BI dev " DEVICE "
+.I DEVICE
+specifies network device to operate on. When configuring SR-IOV
+Virtual Function (VF) devices, this keyword should specify the
+associated Physical Function (PF) device.
+
+.TP
+.BI group " GROUP "
+.I GROUP
+has a dual role: If both group and dev are present, then move the device to the
+specified group. If only a group is specified, then the command operates on
+all devices in that group.
+
+.TP
+.BR up " and " down
+change the state of the device to
+.B UP
+or
+.BR "DOWN" .
+
+.TP
+.BR "arp on " or " arp off"
+change the
+.B NOARP
+flag on the device.
+
+.TP
+.BR "multicast on " or " multicast off"
+change the
+.B MULTICAST
+flag on the device.
+
+.TP
+.BR "allmulticast on " or " allmulticast off"
+change the
+.B ALLMULTI
+flag on the device. When enabled, instructs network driver to retrieve all
+multicast packets from the network to the kernel for further processing.
+
+.TP
+.BR "promisc on " or " promisc off"
+change the
+.B PROMISC
+flag on the device. When enabled, activates promiscuous operation of the
+network device.
+
+.TP
+.BR "trailers on " or " trailers off"
+change the
+.B NOTRAILERS
+flag on the device,
+.B NOT
+used by the Linux and exists for BSD compatibility.
+
+.TP
+.BR "protodown on " or " protodown off"
+change the
+.B PROTODOWN
+state on the device. Indicates that a protocol error has been detected
+on the port. Switch drivers can react to this error by doing a phys
+down on the switch port.
+
+.TP
+.BR "protodown_reason PREASON on " or " off"
+set
+.B PROTODOWN
+reasons on the device. protodown reason bit names can be enumerated under
+/etc/iproute2/protodown_reasons.d/. possible reasons bits 0-31
+
+.TP
+.BR "dynamic on " or " dynamic off"
+change the
+.B DYNAMIC
+flag on the device. Indicates that address can change when interface
+goes down (currently
+.B NOT
+used by the Linux).
+
+.TP
+.BI name " NAME"
+change the name of the device.
This operation is not
+recommended if the device is running or has some addresses
+already configured.
+
+.TP
+.BI txqueuelen " NUMBER"
+.TP
+.BI txqlen " NUMBER"
+change the transmit queue length of the device.
+
+.TP
+.BI mtu " NUMBER"
+change the
+.I MTU
+of the device.
+
+.TP
+.BI address " LLADDRESS"
+change the station address of the interface.
+
+.TP
+.BI broadcast " LLADDRESS"
+.TP
+.BI brd " LLADDRESS"
+.TP
+.BI peer " LLADDRESS"
+change the link layer broadcast address or the peer address when
+the interface is
+.IR "POINTOPOINT" .
+
+.TP
+.B netns
+.RI "{ " PID " | " NETNSNAME " | " NETNSFILE " }"
+.br
+move the device to the network namespace associated with process
+.IR "PID " or
+the name
+.IR "NETNSNAME " or
+the file
+.IR "NETNSFILE".
+
+Some devices are not allowed to change network namespace: loopback, bridge,
+wireless. These are network namespace local devices. In such case
+.B ip
+tool will return "Invalid argument" error. It is possible to find out
+if device is local to a single network namespace by checking
+.B netns-local
+flag in the output of the
+.BR ethtool ":"
+
+.in +8
+.B ethtool -k
+.I DEVICE
+.in -8
+
+To change network namespace for wireless devices the
+.B iw
+tool can be used. But it allows one to change network namespace only for
+physical devices and by process
+.IR PID .
+
+.TP
+.BI alias " NAME"
+give the device a symbolic name for easy reference.
+
+.TP
+.BI group " GROUP"
+specify the group the device belongs to.
+The available groups are listed in
+.BR @SYSCONF_USR_DIR@/group " or " @SYSCONF_ETC_DIR@/group
+(has precedence if exists).
+
+.TP
+.BI vf " NUM"
+specify a Virtual Function device to be configured. The associated PF device
+must be specified using the
+.B dev
+parameter.
+
+.in +8
+.BI mac " LLADDRESS"
+- change the station address for the specified VF. The
+.B vf
+parameter must be specified.
+
+.sp
+.BI vlan " VLANID"
+- change the assigned VLAN for the specified VF.
When specified, all traffic
+sent from the VF will be tagged with the specified VLAN ID. Incoming traffic
+will be filtered for the specified VLAN ID, and will have all VLAN tags
+stripped before being passed to the VF. Setting this parameter to 0 disables
+VLAN tagging and filtering. The
+.B vf
+parameter must be specified.
+
+.sp
+.BI qos " VLAN-QOS"
+- assign VLAN QOS (priority) bits for the VLAN tag. When specified, all VLAN
+tags transmitted by the VF will include the specified priority bits in the
+VLAN tag. If not specified, the value is assumed to be 0. Both the
+.B vf
+and
+.B vlan
+parameters must be specified. Setting both
+.B vlan
+and
+.B qos
+as 0 disables VLAN tagging and filtering for the VF.
+
+.sp
+.BI proto " VLAN-PROTO"
+- assign VLAN PROTOCOL for the VLAN tag, either 802.1Q or 802.1ad.
+Setting to 802.1ad, all traffic sent from the VF will be tagged with
+VLAN S-Tag. Incoming traffic will have VLAN S-Tags stripped before
+being passed to the VF. Setting to 802.1ad also enables an option to
+concatenate another VLAN tag, so both S-TAG and C-TAG will be
+inserted/stripped for outgoing/incoming traffic, respectively. If not
+specified, the value is assumed to be 802.1Q. Both the
+.B vf
+and
+.B vlan
+parameters must be specified.
+
+.sp
+.BI rate " TXRATE"
+-- change the allowed transmit bandwidth, in Mbps, for the specified VF.
+Setting this parameter to 0 disables rate limiting.
+.B vf
+parameter must be specified.
+Please use new API
+.B "max_tx_rate"
+option instead.
+
+.sp
+.BI max_tx_rate " TXRATE"
+- change the allowed maximum transmit bandwidth, in Mbps, for the
+specified VF. Setting this parameter to 0 disables rate limiting.
+.B vf
+parameter must be specified.
+
+.sp
+.BI min_tx_rate " TXRATE"
+- change the allowed minimum transmit bandwidth, in Mbps, for the specified VF.
+Minimum TXRATE should be always <= Maximum TXRATE.
+Setting this parameter to 0 disables rate limiting.
+.B vf
+parameter must be specified.
+
+.sp
+.BI spoofchk " on|off"
+- turn packet spoof checking on or off for the specified VF.
+.sp
+.BI query_rss " on|off"
+- toggle the ability of querying the RSS configuration of a specific
+VF. VF RSS information like RSS hash key may be considered sensitive
+on some devices where this information is shared between VF and PF
+and thus its querying may be prohibited by default.
+.sp
+.BI state " auto|enable|disable"
+- set the virtual link state as seen by the specified VF. Setting to
+auto means a reflection of the PF link state, enable lets the VF to
+communicate with other VFs on this host even if the PF link state is
+down, disable causes the HW to drop any packets sent by the VF.
+.sp
+.BI trust " on|off"
+- trust the specified VF user. This enables that VF user can set a
+specific feature which may impact security and/or
+performance. (e.g. VF multicast promiscuous mode)
+.sp
+.BI node_guid " eui64"
+- configure node GUID for Infiniband VFs.
+.sp
+.BI port_guid " eui64"
+- configure port GUID for Infiniband VFs.
+.in -8
+
+.TP
+.B xdp object "|" pinned "|" off
+set (or unset) a XDP ("eXpress Data Path") BPF program to run on every
+packet at driver level.
+.B ip link
+output will indicate a
+.B xdp
+flag for the networking device. If the driver does not have native XDP
+support, the kernel will fall back to a slower, driver-independent "generic"
+XDP variant. The
+.B ip link
+output will in that case indicate
+.B xdpgeneric
+instead of
+.B xdp
+only. If the driver does have native XDP support, but the program is
+loaded under
+.B xdpgeneric object "|" pinned
+then the kernel will use the generic XDP variant instead of the native one.
+.B xdpdrv
+has the opposite effect of requestsing that the automatic fallback to the
+generic XDP variant be disabled and in case driver is not XDP-capable error
+should be returned.
+.B xdpdrv
+also disables hardware offloads.
+.B xdpoffload
+in ip link output indicates that the program has been offloaded to hardware
+and can also be used to request the "offload" mode, much like
+.B xdpgeneric
+it forces program to be installed specifically in HW/FW of the apater.
+
+.B off
+(or
+.B none
+)
+- Detaches any currently attached XDP/BPF program from the given device.
+
+.BI object " FILE "
+- Attaches a XDP/BPF program to the given device. The
+.I FILE
+points to a BPF ELF file (f.e. generated by LLVM) that contains the BPF
+program code, map specifications, etc. If a XDP/BPF program is already
+attached to the given device, an error will be thrown. If no XDP/BPF
+program is currently attached, the device supports XDP and the program
+from the BPF ELF file passes the kernel verifier, then it will be attached
+to the device. If the option
+.I -force
+is passed to
+.B ip
+then any prior attached XDP/BPF program will be atomically overridden and
+no error will be thrown in this case. If no
+.B section
+option is passed, then the default section name ("prog") will be assumed,
+otherwise the provided section name will be used. If no
+.B verbose
+option is passed, then a verifier log will only be dumped on load error.
+See also
+.B EXAMPLES
+section for usage examples.
+
+.BI section " NAME "
+- Specifies a section name that contains the BPF program code. If no section
+name is specified, the default one ("prog") will be used. This option is
+to be passed with the
+.B object
+option.
+
+.BI program " NAME "
+- Specifies the BPF program name that need to be attached. When the program
+name is specified, the section name parameter will be ignored. This option
+only works when iproute2 build with
+.B libbpf
+support.
+
+.BI verbose
+- Act in verbose mode. For example, even in case of success, this will
+print the verifier log in case a program was loaded from a BPF ELF file.
+
+.BI pinned " FILE "
+- Attaches a XDP/BPF program to the given device.
The
+.I FILE
+points to an already pinned BPF program in the BPF file system. The option
+.B section
+doesn't apply here, but otherwise semantics are the same as with the option
+.B object
+described already.
+
+.TP
+.BI master " DEVICE"
+set master device of the device (enslave device).
+
+.TP
+.BI nomaster
+unset master device of the device (release device).
+
+.TP
+.BI addrgenmode " eui64|none|stable_secret|random"
+set the IPv6 address generation mode
+
+.I eui64
+- use a Modified EUI-64 format interface identifier
+
+.I none
+- disable automatic address generation
+
+.I stable_secret
+- generate the interface identifier based on a preset
+ /proc/sys/net/ipv6/conf/{default,DEVICE}/stable_secret
+
+.I random
+- like stable_secret, but auto-generate a new random secret if none is set
+
+.TP
+.BR "link-netnsid "
+set peer netnsid for a cross-netns interface
+
+.TP
+.BI type " ETYPE TYPE_ARGS"
+Change type-specific settings. For a list of supported types and arguments refer
+to the description of
+.B "ip link add"
+above.
In addition to that, it is possible to manipulate settings to slave
+devices:
+
+.TP
+Bridge Slave Support
+For a link with master
+.B bridge
+the following additional arguments are supported:
+
+.B "ip link set type bridge_slave"
+[
+.B fdb_flush
+] [
+.BI state " STATE"
+] [
+.BI priority " PRIO"
+] [
+.BI cost " COST"
+] [
+.BR guard " { " on " | " off " }"
+] [
+.BR hairpin " { " on " | " off " }"
+] [
+.BR fastleave " { " on " | " off " }"
+] [
+.BR root_block " { " on " | " off " }"
+] [
+.BR learning " { " on " | " off " }"
+] [
+.BR flood " { " on " | " off " }"
+] [
+.BR proxy_arp " { " on " | " off " }"
+] [
+.BR proxy_arp_wifi " { " on " | " off " }"
+] [
+.BI mcast_router " MULTICAST_ROUTER"
+] [
+.BR mcast_fast_leave " { " on " | " off "}"
+] [
+.BR bcast_flood " { " on " | " off " }"
+] [
+.BR mcast_flood " { " on " | " off " }"
+] [
+.BR mcast_to_unicast " { " on " | " off " }"
+] [
+.BR group_fwd_mask " MASK"
+] [
+.BR neigh_suppress " { " on " | " off " }"
+] [
+.BR neigh_vlan_suppress " { " on " | " off " }"
+] [
+.BR vlan_tunnel " { " on " | " off " }"
+] [
+.BR isolated " { " on " | " off " }"
+] [
+.BR locked " { " on " | " off " }"
+] [
+.BR mab " { " on " | " off " }"
+] [
+.BR backup_port " DEVICE"
+] [
+.BR nobackup_port
+] [
+.BR backup_nhid " NHID"
+]
+
+.in +8
+.sp
+.B fdb_flush
+- flush bridge slave's fdb dynamic entries.
+
+.BI state " STATE"
+- Set port state.
+.I STATE
+is a number representing the following states:
+.BR 0 " (disabled),"
+.BR 1 " (listening),"
+.BR 2 " (learning),"
+.BR 3 " (forwarding),"
+.BR 4 " (blocking)."
+
+.BI priority " PRIO"
+- set port priority (allowed values are between 0 and 63, inclusively).
+
+.BI cost " COST"
+- set port cost (allowed values are between 1 and 65535, inclusively).
+
+.BR guard " { " on " | " off " }"
+- block incoming BPDU packets on this port.
+
+.BR hairpin " { " on " | " off " }"
+- enable hairpin mode on this port.
This will allow incoming packets on this
+port to be reflected back.
+
+.BR fastleave " { " on " | " off " }"
+- enable multicast fast leave on this port.
+
+.BR root_block " { " on " | " off " }"
+- block this port from becoming the bridge's root port.
+
+.BR learning " { " on " | " off " }"
+- allow MAC address learning on this port.
+
+.BR flood " { " on " | " off " }"
+- open the flood gates on this port, i.e. forward all unicast frames to this
+port also. Requires
+.BR proxy_arp " and " proxy_arp_wifi
+to be turned off.
+
+.BR proxy_arp " { " on " | " off " }"
+- enable proxy ARP on this port.
+
+.BR proxy_arp_wifi " { " on " | " off " }"
+- enable proxy ARP on this port which meets extended requirements by IEEE
+802.11 and Hotspot 2.0 specifications.
+
+.BI mcast_router " MULTICAST_ROUTER"
+- configure this port for having multicast routers attached. A port with a
+multicast router will receive all multicast traffic.
+.I MULTICAST_ROUTER
+may be either
+.B 0
+to disable multicast routers on this port,
+.B 1
+to let the system detect the presence of routers (this is the default),
+.B 2
+to permanently enable multicast traffic forwarding on this port or
+.B 3
+to enable multicast routers temporarily on this port, not depending on incoming
+queries.
+
+.BR mcast_fast_leave " { " on " | " off " }"
+- this is a synonym to the
+.B fastleave
+option above.
+
+.BR bcast_flood " { " on " | " off " }"
+- controls flooding of broadcast traffic on the given port. By default
+this flag is on.
+
+.BR mcast_flood " { " on " | " off " }"
+- controls whether a given port will flood multicast traffic for which
+there is no MDB entry. By default this flag is on.
+
+.BR mcast_to_unicast " { " on " | " off " }"
+- controls whether a given port will replicate packets using unicast
+instead of multicast. By default this flag is off.
+
+.BI group_fwd_mask " MASK "
+- set the group forward mask.
This is the bitmask that is applied to
+decide whether to forward incoming frames destined to link-local
+addresses, ie addresses of the form 01:80:C2:00:00:0X (defaults to
+0, ie the bridge does not forward any link-local frames coming on
+this port).
+
+.BR neigh_suppress " { " on " | " off " }"
+- controls whether neigh discovery (arp and nd) proxy and suppression
+is enabled on the port. By default this flag is off.
+
+.BR neigh_vlan_suppress " { " on " | " off " }"
+- controls whether per-VLAN neigh discovery (arp and nd) proxy and suppression
+is enabled on the port. When on, the \fBbridge link\fR option
+\fBneigh_suppress\fR has no effect and the per-VLAN state is set using the
+\fBbridge vlan\fR option \fBneigh_suppress\fR. By default this flag is off.
+
+.BR vlan_tunnel " { " on " | " off " }"
+- controls whether vlan to tunnel mapping is enabled on the port. By
+default this flag is off.
+
+.BR locked " { " on " | " off " }"
+- controls whether a port is locked or not. When locked, non-link-local frames
+received through the port are dropped unless an FDB entry with the MAC source
+address points to the port. The common use case is IEEE 802.1X where hosts can
+authenticate themselves by exchanging EAPOL frames with an authenticator. After
+authentication is complete, the user space control plane can install a matching
+FDB entry to allow traffic from the host to be forwarded by the bridge. When
+learning is enabled on a locked port, the
+.B no_linklocal_learn
+bridge option needs to be on to prevent the bridge from learning from received
+EAPOL frames. By default this flag is off.
+
+.BR mab " { " on " | " off " }"
+- controls whether MAC Authentication Bypass (MAB) is enabled on the port or
+not. MAB can only be enabled on a locked port that has learning enabled. When
+enabled, FDB entries are learned from received traffic and have the "locked"
+FDB flag set.
The flag can only be set by the kernel and it indicates that the
+FDB entry cannot be used to authenticate the corresponding host. User space can
+decide to authenticate the host by replacing the FDB entry and clearing the
+"locked" FDB flag. Locked FDB entries can roam to unlocked (authorized) ports
+in which case the "locked" flag is cleared. FDB entries cannot roam to locked
+ports regardless of MAB being enabled or not. Therefore, locked FDB entries are
+only created if an FDB entry with the given {MAC, VID} does not already exist.
+This behavior prevents unauthenticated hosts from disrupting traffic destined
+to already authenticated hosts. Locked FDB entries act like regular dynamic
+entries with respect to forwarding and aging. By default this flag is off.
+
+.BI backup_port " DEVICE"
+- if the port loses carrier all traffic will be redirected to the
+configured backup port
+
+.BR nobackup_port
+- removes the currently configured backup port
+
+.BI backup_nhid " NHID"
+- the FDB nexthop object ID (see \fBip-nexthop\fR(8)) to attach to packets
+being redirected to a backup port that has VLAN tunnel mapping enabled (via the
+\fBvlan_tunnel\fR option). Setting a value of 0 (default) has the effect of not
+attaching any ID.
+
+.in -8
+
+.TP
+Bonding Slave Support
+For a link with master
+.B bond
+the following additional arguments are supported:
+
+.B "ip link set type bond_slave"
+[
+.BI queue_id " ID"
+] [
+.BI prio " PRIORITY"
+]
+
+.in +8
+.sp
+.BI queue_id " ID"
+- set the slave's queue ID (a 16bit unsigned value).
+
+.sp
+.BI prio " PRIORITY"
+- set the slave's priority for active slave re-selection during failover
+(a 32bit signed value). This option only valid for active-backup(1),
+balance-tlb (5) and balance-alb (6) mode.
+
+.in -8
+
+.TP
+MACVLAN and MACVTAP Support
+Modify list of allowed macaddr for link in source mode.
+
+.B "ip link set type { macvlan | macvap } "
+[
+.BI macaddr " " "" COMMAND " " MACADDR " ..."
+]
+
+Commands:
+.in +8
+.B add
+- add MACADDR to allowed list
+.sp
+.B set
+- replace allowed list
+.sp
+.B del
+- remove MACADDR from allowed list
+.sp
+.B flush
+- flush whole allowed list
+.sp
+.in -8
+
+Update the broadcast/multicast queue length.
+
+.B "ip link set type { macvlan | macvap } "
+[
+.BI bcqueuelen " LENGTH "
+]
+[
+.BI bclim " LIMIT "
+]
+
+.in +8
+.BI bcqueuelen " LENGTH "
+- Set the length of the RX queue used to process broadcast and multicast packets.
+.IR LENGTH " must be a positive integer in the range [0-4294967295]."
+Setting a length of 0 will effectively drop all broadcast/multicast traffic.
+If not specified the macvlan driver default (1000) is used.
+Note that all macvlans that share the same underlying device are using the same
+.RB "queue. The parameter here is a " request ", the actual queue length used"
+will be the maximum length that any macvlan interface has requested.
+When listing device parameters both the bcqueuelen parameter
+as well as the actual used bcqueuelen are listed to better help
+the user understand the setting.
+
+.BI bclim " LIMIT "
+- Set the threshold for broadcast queueing.
+.IR LIMIT " must be a 32-bit integer."
+Setting this to -1 disables broadcast queueing altogether. Otherwise
+a multicast address will be queued as broadcast if the number of devices
+using it is greater than the given value.
+.in -8
+
+.TP
+DSA user port support
+For a link having the DSA user port type, the following additional arguments
+are supported:
+
+.B "ip link set type dsa "
+[
+.BI conduit " DEVICE"
+]
+
+.in +8
+.sp
+.BI conduit " DEVICE"
+- change the DSA conduit (host network interface) responsible for handling the
+locally terminated traffic for the given DSA switch user port.
For a
+description of which network interfaces are suitable for serving as conduit
+interfaces of this user port, please see
+https://docs.kernel.org/networking/dsa/configuration.html#affinity-of-user-ports-to-cpu-ports
+as well as what is supported by the driver in use.
+
+.sp
+.BI master " DEVICE"
+- this is a synonym for "conduit".
+
+.in -8
+
+.SS ip link show - display device attributes
+
+.TP
+.BI dev " NAME " (default)
+.I NAME
+specifies the network device to show.
+
+.TP
+.BI group " GROUP "
+.I GROUP
+specifies what group of devices to show.
+
+.TP
+.B up
+only display running interfaces.
+
+.TP
+.BI master " DEVICE "
+.I DEVICE
+specifies the master device which enslaves devices to show.
+
+.TP
+.BI vrf " NAME "
+.I NAME
+specifies the VRF which enslaves devices to show.
+
+.TP
+.BI type " TYPE "
+.I TYPE
+specifies the type of devices to show.
+
+Note that the type name is not checked against the list of supported types -
+instead it is sent as-is to the kernel. Later it is used to filter the returned
+interface list by comparing it with the relevant attribute in case the kernel
+didn't filter already. Therefore any string is accepted, but may lead to empty
+output.
+
+.TP
+.B nomaster
+only show devices with no master
+
+.SS ip link xstats - display extended statistics
+
+.TP
+.BI type " TYPE "
+.I TYPE
+specifies the type of devices to display extended statistics for.
+
+.SS ip link afstats - display address-family specific statistics
+
+.TP
+.BI dev " DEVICE "
+.I DEVICE
+specifies the device to display address-family statistics for.
+
+.SS ip link help - display help
+
+.PP
+.I "TYPE"
+specifies which help of link type to display.
+
+.SS
+.I GROUP
+may be a number or a string from
+.BR @SYSCONF_USR_DIR@/group " or " @SYSCONF_ETC_DIR@/group
+which can be manually filled and has precedence if exists.
+
+.SH "EXAMPLES"
+.PP
+ip link show
+.RS 4
+Shows the state of all network interfaces on the system.
+.RE
+.PP
+ip link show type bridge
+.RS 4
+Shows the bridge devices.
+.RE
+.PP
+ip link show type vlan
+.RS 4
+Shows the vlan devices.
+.RE
+.PP
+ip link show master br0
+.RS 4
+Shows devices enslaved by br0
+.RE
+.PP
+ip link set dev ppp0 mtu 1400
+.RS 4
+Change the MTU the ppp0 device.
+.RE
+.PP
+ip link add link eth0 name eth0.10 type vlan id 10
+.RS 4
+Creates a new vlan device eth0.10 on device eth0.
+.RE
+.PP
+ip link delete dev eth0.10
+.RS 4
+Removes vlan device.
+.RE
+
+ip link help gre
+.RS 4
+Display help for the gre link type.
+.RE
+.PP
+ip link add name tun1 type ipip remote 192.168.1.1
+local 192.168.1.2 ttl 225 encap gue encap-sport auto
+encap-dport 5555 encap-csum encap-remcsum
+.RS 4
+Creates an IPIP that is encapsulated with Generic UDP Encapsulation,
+and the outer UDP checksum and remote checksum offload are enabled.
+.RE
+.PP
+ip link set dev eth0 xdp obj prog.o
+.RS 4
+Attaches a XDP/BPF program to device eth0, where the program is
+located in prog.o, section "prog" (default section). In case a
+XDP/BPF program is already attached, throw an error.
+.RE
+.PP
+ip -force link set dev eth0 xdp obj prog.o sec foo
+.RS 4
+Attaches a XDP/BPF program to device eth0, where the program is
+located in prog.o, section "foo". In case a XDP/BPF program is
+already attached, it will be overridden by the new one.
+.RE
+.PP
+ip -force link set dev eth0 xdp pinned /sys/fs/bpf/foo
+.RS 4
+Attaches a XDP/BPF program to device eth0, where the program was
+previously pinned as an object node into BPF file system under
+name foo.
+.RE
+.PP
+ip link set dev eth0 xdp off
+.RS 4
+If a XDP/BPF program is attached on device eth0, detach it and
+effectively turn off XDP for device eth0.
+.RE
+.PP
+ip link add link wpan0 lowpan0 type lowpan
+.RS 4
+Creates a 6LoWPAN interface named lowpan0 on the underlying
+IEEE 802.15.4 device wpan0.
+.RE
+.PP
+ip link add dev ip6erspan11 type ip6erspan seq key 102
+local fc00:100::2 remote fc00:100::1
+erspan_ver 2 erspan_dir ingress erspan_hwid 17
+.RS 4
+Creates a IP6ERSPAN version 2 interface named ip6erspan00.
+.RE
+.PP
+ip link set dev swp0 type dsa conduit eth1
+.RS 4
+Changes the conduit interface of the swp0 user port to eth1.
+.RE
+
+.SH SEE ALSO
+.br
+.BR ip (8),
+.BR ip-netns (8),
+.BR ethtool (8),
+.BR iptables (8)
+
+.SH AUTHOR
+Original Manpage by Michail Litvak <mci@owl.openwall.com> |