systemd-networkd

systemd-networkd is a system daemon that manages network configurations. It detects and configures network devices as they appear; it can also create virtual network devices. This service can be especially useful to set up complex network configurations for a container managed by systemd-nspawn or for virtual machines. It also works fine on simple connections.

Basic usage

The systemd package is part of the default Arch installation and contains all needed files to operate a wired network. Wireless adapters, covered later in this article, can be set up by services, such as wpa_supplicant or iwd.

Required services and setup

To use systemd-networkd, start/enable .

It is optional to also configure systemd-resolved, which is a network name resolution service to local applications, considering the following points:

  • It is important to understand how resolv.conf and systemd-resolved interact to properly configure the DNS that will be used, some explanations are provided in systemd-resolved.
  • systemd-resolved is required if DNS entries are specified in .network files.
  • systemd-resolved is also required if you want to obtain DNS addresses from DHCP servers or IPv6 router advertisements.
    (by setting ( and/or in the [Network] section, and (the default) in the corresponding section(s) , [DHCPv6], , see ).
  • Note that systemd-resolved can also be used without systemd-networkd.

systemd-networkd-wait-online

Enabling also enables , which is a oneshot system service that waits for the network to be configured. The latter has , so it will be started only when itself is enabled or pulled in by some other unit. See also systemd#Running services after the network is up.

By default, waits for all links it is aware of and which are managed by systemd-networkd to be fully configured or failed, and for at least one link to be online.

If your system has multiple network interfaces, but some are not expected to be connected all the time (e.g. if you have a dual-port Ethernet card, but only one cable plugged in), starting will fail after the default timeout of 2 minutes. This may cause an unwanted delay in the startup process. To change the behaviour to wait for any interface rather than all interfaces to become online, edit the service and add the parameter to the ExecStart line:

/etc/systemd/system/systemd-networkd-wait-online.service.d/wait-for-only-one-interface.conf
[Service]
ExecStart=
ExecStart=/usr/lib/systemd/systemd-networkd-wait-online --any

Other behaviour such as which specific interface(s) to wait for or the operational state can be configured as well. See for the available parameters.

Configuration examples

All configurations in this section are stored as in . For a full listing of options and processing order, see #Configuration files and .

systemd/udev automatically assigns predictable, stable network interface names for all local Ethernet, WLAN, and WWAN interfaces. Use to list the devices on the system.

After making changes to a configuration file, restart .

Wired adapter using a static IP

can be used more than once to configure multiple IPv4 or IPv6 addresses. See #network files or  for more options.

Wireless adapter

In order to connect to a wireless network with systemd-networkd, a wireless adapter configured with another application such as wpa_supplicant or iwd is required.

/etc/systemd/network/25-wireless.network
[Match]
Name=wlp2s0

[Network]
DHCP=yes
IgnoreCarrierLoss=3s

If the wireless adapter has a static IP address, the configuration is the same (except for the interface name) as in a wired adapter.

To authenticate to the wireless network, use e.g. wpa_supplicant or iwd.

Wired and wireless adapters on the same machine

This setup will enable a DHCP IP for both a wired and wireless connection making use of the metric directive to allow the kernel to decide on-the-fly which one to use. This way, no connection downtime is observed when the wired connection is unplugged.

The kernel's route metric (same as configured with ip) decides which route to use for outgoing packets, in cases when several match. This will be the case when both wireless and wired devices on the system have active connections. To break the tie, the kernel uses the metric. If one of the connections is terminated, the other automatically wins without there being a gap with nothing configured (ongoing transfers may still not deal with this nicely but that is at a different OSI layer).

Note: The Metric option is for static routes while the RouteMetric option is for setups not using static routes. See systemd.network(5) for more details.

If using IPv6, you will need to separately set the metric for the IPv6 routes too, such as:

Renaming an interface

Instead of editing udev rules, a .link file can be used to rename an interface. A useful example is to set a predictable interface name for a USB-to-Ethernet adapter based on its MAC address, as those adapters are usually given different names depending on which USB port they are plugged into.

Configuration files

Configuration files are located in , the volatile runtime network directory /run/systemd/network/ and the local administration network directory . Files in have the highest priority.

There are three types of configuration files. They all use a format similar to systemd unit files.

  • .network files. They will apply a network configuration for a matching device
  • .netdev files. They will create a virtual network device for a matching environment
  • .link files. When a network device appears, udev will look for the first matching .link file

They all follow the same rules:

  • If all conditions in the section are matched, the profile will be activated
  • an empty section means the profile will apply in any case (can be compared to the wildcard)
  • all configuration files are collectively sorted and processed in lexical order, regardless of the directory in which they live
  • files with identical name replace each other

network files

These files are aimed at setting network configuration variables, especially for servers and containers.

.network files have the following sections: , [Link], [Network], , , and . Below are commonly configured keys for each section. See for more information and examples.

[Match]

ParameterDescriptionAccepted ValuesDefault Value
Match device names, e.g. . By prefixing with !, the list can be inverted.white-space separated device names with globs, logical negation (!)
Match MAC addresses, e.g. whitespace-separated MAC addresses in full colon-, hyphen- or dot-delimited hexadecimal
Match the hostname or machine ID of the host.hostname string with globs,
Check whether the system is executed in a virtualized environment. will only match your host machine, while matches any container or VM. It is possible to check for a specific virtualization type or implementation, or for a user namespace (with ).boolean, logical negation (!), type (vm, ), implementation (see systemd-detect-virt(1)),

[Link]

ParameterDescriptionAccepted ValuesDefault Value
Assign a hardware address to the device. Useful for MAC address spoofing.full colon-, hyphen- or dot-delimited hexadecimal MAC addresses
Maximum transmission unit in bytes to set for the device. Note that if IPv6 is enabled on the interface, and the MTU is chosen below 1280 (the minimum MTU for IPv6) it will automatically be increased to this value. Setting a larger MTU value (e.g. when using jumbo frames) can significantly speed up your network transfersinteger (usual suffixes K, M, G, are supported and are understood to the base of 1024)
allows the usage of multicastboolean? not documented ?

[Network]

ParameterDescriptionAccepted ValuesDefault Value
Controls DHCPv4 and/or DHCPv6 client support.boolean, ,
If enabled, a DHCPv4 server will be started.boolean
Enables multicast DNS support. When set to resolve, only resolution is enabled, but not host or service registration and announcement.boolean, resolve
Controls DNSSEC DNS validation support on the link. When set to , compatibility with non-DNSSEC capable networks is increased, by automatically turning off DNSSEC in this case.boolean,
Configure static DNS addresses. May be specified more than once.inet_pton(3)
A list of domains which should be resolved using the DNS servers on this link. more informationdomain name, optionally prefixed with a tilde ()
If enabled, incoming packets on any network interface will be forwarded to any other interfaces according to the routing table. See Internet sharing#Enable packet forwarding for details.boolean, ,
If enabled, packets forwarded from the network interface will appear as coming from the local host. Depending on the value, implies , or IPForward=yes., , ,
Configures use of stateless temporary addresses that change over time (see RFC 4941). When , enables the privacy extensions, but prefers public addresses over temporary addresses. When , the kernel's default setting will be left in place.boolean, ,

[Address]

ParameterDescriptionAccepted ValuesDefault Value
Specify this key more than once to configure several addresses. Mandatory unless DHCP is used. If the specified address is (for IPv4) or :: (for IPv6), a new address range of the requested size is automatically allocated from a system-wide pool of unused ranges.static IPv4 or IPv6 address and its prefix length (see inet_pton(3))

[Route]

  • this option is mandatory unless DHCP is used
  • the destination prefix of the route, possibly followed by a slash and the prefix length

If is not present in section this section is treated as a default route.

Tip: You can put the Address= and Gateway= keys in the [Network] section as a short-hand if [Address] section contains only an Address key and [Route] section contains only a Gateway key.

[DHCPv4]

ParameterDescriptionAccepted ValuesDefault Value
controls whether the DNS servers advertised by the DHCP server are usedboolean
when true, the options sent to the DHCP server will follow the RFC:7844 (Anonymity Profiles for DHCP Clients) to minimize disclosure of identifying informationboolean
controls whether the domain name received from the DHCP server will be used as DNS search domain. If set to , the domain name received from the DHCP server will be used for routing DNS queries only, but not for searching. This option can sometimes fix local name resolving when using systemd-resolvedboolean,

[DHCPServer]

This is an example of a DHCP server configuration which works well with hostapd to create a wireless hotspot. IPMasquerade adds the firewall rules for NAT and implies to enable packet forwarding.

netdev files

These files will create virtual network devices. They have two sections: and [NetDev]. Below are commonly configured keys for each section. See for more information and examples.

[Match] section

  • the hostname
  • check if the system is running in a virtualized environment

[NetDev] section

Most common keys are:

  • the interface name. mandatory
  • e.g. bridge, bond, vlan, veth, sit, etc. mandatory

These files are an alternative to custom udev rules and will be applied by udev as the device appears. They have two sections: and [Link]. Below are commonly configured keys for each section. See for more information and examples.

[Match] section

  • the MAC address
  • the host name
  • the device type e.g. vlan

[Link] section

  • MACAddressPolicy= persistent or random addresses, or
  • a specific address
  • list of policies by which the interface name should be set, e.g. kernel, keep

Usage with containers

systemd-networkd can provide fully automatic configuration of networking for systemd-nspawn containers when it is used on the host system as well as inside the container. See systemd-nspawn#Networking for a comprehensive overview.

For the examples below,

  • we will limit the output of the ip a command to the concerned interfaces.
  • we assume the host is your main OS you are booting to and the container is your guest virtual machine.
  • all interface names and IP addresses are only examples.

Bridge interface

First, create a virtual bridge interface with a netdev unit file. We tell systemd to create a device named br0 that functions as an ethernet bridge.

Restart to have systemd create the bridge.

To see the newly created bridge on the host and on the container, type:

Note that the interface br0 is listed but is still DOWN at this stage.

Bind Ethernet to bridge

The next step is to add to the newly created bridge a network interface. Its configuration file must be loaded before those of the bridged interfaces, so its configuration file should be alphanumerically prior to those. In the example below, we add any interface that matches the name en* into the bridge br0.

The Ethernet interface must not have DHCP or an IP address associated as the bridge requires an interface to bind to with no IP: modify the corresponding accordingly to remove the addressing.

Bridge network

Now that the bridge has been created and has been bound to an existing network interface, the IP configuration of the bridge interface must be specified. This is defined in a third .network file, the example below uses DHCP.

/etc/systemd/network/''mybridge''.network
[Match]
Name=br0

[Network]
DHCP=ipv4

Configure the container

Use the option when starting the container. See systemd-nspawn#Use a network bridge for details.

Result

  • on host
  • on container

Notice

  • we have now one IP address for br0 on the host, and one for in the container
  • two new interfaces have appeared: in the host and in the container. This comes as a result of the option as explained in systemd-nspawn#Use a network bridge for details.
  • the DHCP address on comes from the system file.
  • on host

the above command output confirms we have a bridge with two interfaces binded to.

  • on host
  • on container

the above command outputs confirm we have activated br0 and interfaces with an IP address and Gateway 192.168.1.254. The gateway address has been automatically grabbed by systemd-networkd.

Network bridge with static IP addresses

Setting a static IP address for each device can be helpful in case of deployed web services (e.g FTP, http, SSH). Each device will keep the same MAC address across reboots if your system /usr/lib/systemd/network/99-default.link file has the option (it has by default). Thus, you will easily route any service on your Gateway to the desired device.

The following configuration needs to be done for this setup:

  • on host

The configuration is very similar to the #Network bridge with DHCP section. First, a virtual bridge interface needs to be created and the main physical interface needs to be bound to it. This task can be accomplished with the following two files, with contents equal to those available in the DHCP section.

/etc/systemd/network/MyBridge.netdev
/etc/systemd/network/MyEth.network

Next, you need to configure the IP and DNS of the newly created virtual bridge interface. For example:

  • on container

To get configure a static IP address on the container, we need to override the system file, which provides a DHCP configuration for the network interface of the container. This can be done by placing the configuration into . For example:

/etc/systemd/network/80-container-host0.network
[Match]
Name=host0

[Network]
DNS=192.168.1.254
Address=192.168.1.94/24
Gateway=192.168.1.254

Make sure that is enabled in the container.

Tips and tricks

Interface and desktop integration

systemd-networkd does not have a proper interactive management interface neither via command-line shell nor graphical.

Still, some tools are available to either display the current state of the network, receive notifications or interact with the wireless configuration:

  • networkctl (via CLI) offers a simple dump of the network interface states.
  • When networkd is configured with wpa_supplicant, both wpa_cli and wpa_gui offer the ability to associate and configure WLAN interfaces dynamically.
  • can generate simple notifications in response to network interface state changes (such as connection/disconnection and re-association).
  • The daemon allows executing scripts in response to network interface state changes, similar to NetworkManager-dispatcher.
  • As for the DNS resolver systemd-resolved, information about current DNS servers can be visualized with .

Configuring static IP or DHCP based on SSID (location)

Often there is a situation where your home wireless network uses DHCP and office wireless network uses static IP. This mixed setup can be configured as follows:

Bonding a wired and wireless interface

See also Wireless bonding.

Bonding allows connection sharing through multiple interfaces, so if e.g. the wired interface is unplugged, the wireless is still connected and the network connectivity remains up seamlessly.

Create a bond interface. In this case the mode is active-backup, which means packets are routed through a secondary interface if the primary interface goes down.

/etc/systemd/network/30-bond0.netdev
[NetDev]
Name=bond0
Kind=bond

[Bond]
Mode=active-backup
PrimaryReselectPolicy=always
MIIMonitorSec=1s

Set the wired interface as the primary:

Set the wireless as the secondary:

Configure the bond interface as you would a normal interface:

Now if the wired network is unplugged, the connection should remain through the wireless:

Speeding up TCP slow-start

On a higher bandwidth link with moderate latency (typically a home Internet connection that is above 10 Mbit/s) the default settings for the TCP Slow Start algorithm are somewhat conservative. This issue exhibits as downloads starting slowly and taking a number of seconds to speed up before they reach the connection's full bandwidth. It is particularly noticeable with a pacman upgrade, where each package downloaded starts off slowly and often finishes before it has reached the connection's full speed.

These settings can be adjusted to make TCP connections start with larger window sizes than the defaults, avoiding the time it takes for them to automatically increase on each new TCP connection. While this will usually decrease performance on slow connections (or if the values are increased too far) due to having to retransmit a larger number of lost packets, they can substantially increase performance on connections with sufficient bandwidth.

It is important to benchmark before and after changing these values to ensure it is improving network speed and not reducing it. If you are not seeing downloads begin slowly and gradually speed up, then there is no need to change these values as they are already optimal for your connection speed. When benchmarking, be sure to test against both a high speed and low speed remote server to ensure you are not speeding up access to fast machines at the expense of making access to slow servers even slower.

To adjust these values, edit the .network file for the connection:

The defaults of work well for connections slower than 10 Mbit/s. For a 100 Mbit/s connection, a value of 30 works well. The manual page says a value of is considered excessive.

If the sysctl setting net.ipv4.tcp_slow_start_after_idle is enabled then the connection will return to these initial settings after it has been idle for some time (and often a very small amount of time). If this setting is disabled then the connection will maintain a higher window if a larger one was negotiated during packet transfer. Regardless of the setting, each new TCP connection will begin with the settings set above.

The sysctl setting is not directly related to these values, as it controls how the congestion and receive windows are adjusted while a TCP link is active, and particularly when the path between the two hosts is congested and throughput must be reduced. The above values simply set the default window values selected for each new connection, before any congestion algorithm takes over and adjusts them as needed. Setting higher initial values simply shortcuts some negotiation while the congestion algorithm tries to find the optimum values (or, conversely, setting the wrong initial values adds additional negotiation time while the congestion algorithm works towards correcting them, slowing down each newly established TCP connection for a few seconds extra).

gollark: A helloboiocracy?
gollark: I am not at present aware of better systems.
gollark: Yes.
gollark: I only said that taxation was theft ironically, however?
gollark: I technically actually have a job now.

See also

This article is issued from Archlinux. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.