.\" $OpenBSD: ifconfig.8,v 1.401 2025/01/06 17:49:29 denis Exp $
.\" $NetBSD: ifconfig.8,v 1.11 1996/01/04 21:27:29 pk Exp $
.\" $FreeBSD: ifconfig.8,v 1.16 1998/02/01 07:03:29 steve Exp $
.\"
.\" Copyright (c) 1983, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)ifconfig.8 8.4 (Berkeley) 6/1/94
.\"
.Dd $Mdocdate: January 6 2025 $
.Dt IFCONFIG 8
.Os
.Sh NAME
.Nm ifconfig
.Nd configure network interface parameters
.Sh SYNOPSIS
.Nm ifconfig
.Op Fl AaC
.Op Fl M Ar lladdr
.Op Ar interface
.Op Ar address_family
.Op Ar address Op Ar dest_address
.Op Ar parameters
.Sh DESCRIPTION
The
.Nm
utility is used to assign an address
to a network interface and/or configure
network interface parameters.
Generally speaking,
.Xr hostname.if 5
files are used at boot-time to define the network address
of each interface present on a machine;
.Nm
is used at
a later time to redefine an interface's address
or other operating parameters.
.Pp
.Nm
displays the current configuration for a network interface
when no optional parameters are supplied.
If a protocol family is specified,
.Nm
will report only the details specific to that protocol family.
If no parameters are provided, a summary of all interfaces is provided.
.Pp
Only the superuser may modify the configuration of a network interface.
.Pp
The following options are available:
.Bl -tag -width Ds
.It Fl A
Causes full interface alias information for each interface to
be displayed.
.It Fl a
Causes
.Nm
to print information on all interfaces.
The protocol family may be specified as well.
This is the default, if no parameters are given to
.Nm .
.It Fl C
Print the names of all network pseudo-devices that
can be created dynamically at runtime using
.Nm Cm create .
.It Fl M Ar lladdr
Scan the non-cloned interface list for the MAC address
.Ar lladdr
and print the name of that interface.
If the MAC address is found on multiple interfaces, print nothing.
.It Ar interface
The
.Ar interface
parameter is a string of the form
.Dq name unit ,
for example,
.Dq en0 .
If no optional parameters are supplied, this string can instead be just
.Dq name .
If an interface group of that name exists, all interfaces in the group
will be shown.
Otherwise all interfaces of the same type will be displayed
(for example,
.Dq fxp
will display all
.Xr fxp 4
interfaces).
.It Ar address_family
Specifies the address family
which affects interpretation of the remaining parameters.
Since an interface can receive transmissions in differing protocols
with different naming schemes, specifying the address family is recommended.
The address or protocol families currently
supported are
.Dq inet
and
.Dq inet6 .
.It Ar address
An Internet version 4 or 6 address.
Valid formats are dot notation (IPv4),
colon-separated (IPv6),
CIDR notation,
or a host name present in the host name database,
.Xr hosts 5 .
.It Ar dest_address
Specify the address of the correspondent on the other end
of a point-to-point link.
.El
.Pp
The following
.Ar parameters
may be set with
.Nm :
.Bl -tag -width dest_addressxx
.It Cm alias
Establish an additional network address for this interface.
This is sometimes useful when changing network numbers, and
one wishes to accept packets addressed to the old interface.
.It Cm -alias
A synonym for
.Cm delete .
Use of this option is discouraged in favour of
.Cm delete .
.It Cm arp
Enable the use of the Address Resolution Protocol (ARP)
in mapping
between network level addresses and link level addresses (default).
.It Cm -arp
Disable the use of ARP.
.It Cm autoconf
Set the
.Sy AUTOCONF4
or
.Sy AUTOCONF6
flag on the interface, depending on
.Ar address_family .
.Xr slaacd 8
automatically configures IPv6 addresses for interfaces with
.Sy AUTOCONF6
set.
.Xr dhcpleased 8
automatically configures IPv4 addresses (using DHCP protocol)
for interfaces with
.Sy AUTOCONF4
set.
.Pp
Automatically mark the interface as
.Dq up .
.It Cm -autoconf
Unset the
.Sy AUTOCONF4
or
.Sy AUTOCONF6
flag on the interface, depending on
.Ar address_family .
.It Cm broadcast Ar addr
(inet only)
Specify the address to use to represent broadcasts to the
network.
The default broadcast address is the address with a host part of all 1's.
.It Cm create
Create the specified network pseudo-device.
A list of devices which can be dynamically created may be shown with the
.Fl C
option.
.It Cm debug
Enable driver-dependent debugging code; usually, this turns on
extra console error logging.
.It Cm -debug
Disable driver-dependent debugging code.
.It Cm delete
Remove the default inet address associated with the interface,
including any netmask or destination address configured with it.
An address and address family can be given to make the deletion more specific.
.Tg description
.It Cm descr Ns Oo Cm iption Oc Ar value
Specify a description of the interface.
This can be used to label interfaces in situations where they may
otherwise be difficult to distinguish.
.It Cm -descr Ns Op Cm iption
Clear the interface description.
.It Cm destroy
Destroy the specified network pseudo-device.
.It Cm down
Mark an interface
.Dq down .
When an interface is marked
.Dq down ,
the system will not attempt to
transmit messages through that interface.
If possible, the interface will be reset to disable reception as well.
This action automatically disables routes using the interface.
.It Cm group Ar group-name
Assign the interface to a group.
The
.Ar group-name
may not be longer than 15 characters and must not end with a digit.
Any interface can be in multiple groups.
.Pp
For instance, a group could be used to create a hardware independent
.Xr pf 4
ruleset (i.e. not one based on the names of NICs) using
existing (egress, carp, etc.) or user-defined groups.
.Pp
Some interfaces belong to specific groups by default:
.Pp
.Bl -dash -width Ds -compact
.It
All interfaces are members of the
.Dq all
interface group.
.It
Cloned interfaces are members of their interface family group.
For example, a PPP interface such as
.Dq ppp0
is a member of the
.Dq ppp
interface family group.
.It
.Xr pppx 4
interfaces are members of the
.Dq pppx
interface group.
.It
The interfaces the default routes point to are members of the
.Dq egress
interface group.
.It
IEEE 802.11 wireless interfaces are members of the
.Dq wlan
interface group.
.It
Any interfaces used for network booting are members of the
.Dq netboot
interface group.
.El
.It Cm -group Ar group-name
Remove the interface from the given group.
.It Cm hwfeatures
Display the interface hardware features:
.Pp
.Bl -tag -width 14n -offset indent -compact
.It Sy CSUM_IPv4
The device supports IPv4 checksum offload.
.It Sy CSUM_TCPv4
As above, for TCP in IPv4 datagrams.
.It Sy CSUM_UDPv4
As above, for UDP.
.It Sy CSUM_TCPv6
As CSUM_TCPv4, but supports IPv6 datagrams.
.It Sy CSUM_UDPv6
As above, for UDP.
.It Sy LRO
The device supports TCP large receive offload (LRO).
.It Sy TSOv4
The device supports IPv4 TCP segmentation offload (TSO).
TSO is used by default.
Use the
.Xr sysctl 8
variable
.Va net.inet.tcp.tso
to disable this feature.
.It Sy TSOv6
As above, for IPv6.
.It Sy VLAN_MTU
The device can handle full sized frames, plus the size
of the
.Xr vlan 4
tag.
.It Sy VLAN_HWTAGGING
On transmit, the device can add the
.Xr vlan 4
tag.
.It Sy VLAN_HWOFFLOAD
On transmit, the device can handle checksum or TSO offload without
.Sy VLAN_HWTAGGING .
.It Sy WOL
The device supports Wake on LAN (WoL).
.It Sy hardmtu
The maximum MTU supported.
.El
.It Cm -inet
Remove all configured
.Xr inet 4
addresses on the given interface.
.It Cm -inet6
Disable
.Xr inet6 4
on the given interface and remove all configured
.Xr inet6 4
addresses, including the link-local ones.
This is the default.
To turn inet6 on, use
.Cm eui64
or
.Cm autoconf ,
or assign any inet6 address.
.It Cm instance Ar minst
Set the media instance to
.Ar minst .
This is useful for devices which have multiple physical layer interfaces
(PHYs).
Setting the instance on such devices may not be strictly required
by the network interface driver as the driver may take care of this
automatically; see the driver's manual page for more information.
.It Cm link[0-2]
Enable special processing of the link level of the interface.
These three options are interface specific in actual effect; however,
they are in general used to select special modes of operation.
An example
of this is to select the connector type for some Ethernet cards.
Refer to the man page for the specific driver for more information.
.It Cm -link[0-2]
Disable special processing at the link level with the specified interface.
.It Cm lladdr Ar etheraddr Ns | Ns Cm random
Change the link layer address (MAC address) of the interface.
This should be specified as six colon-separated hex values, or can
be chosen randomly.
.It Cm llprio Ar prio
Set the priority for link layer communications
.Pf ( Xr arp 4 ,
.Xr bpf 4 ,
.Xr pppoe 4 ) .
.It Cm media Op Ar type
Set the media type of the interface to
.Ar type .
If no argument is given,
display a list of all available media.
.Pp
Some interfaces support the mutually exclusive use of one of several
different physical media connectors.
For example, a 10Mb/s Ethernet interface might support the use of either
AUI or twisted pair connectors.
Setting the media type to
.Dq 10base5
or
.Dq AUI
would change the currently active connector to the AUI port.
Setting it to
.Dq 10baseT
or
.Dq UTP
would activate twisted pair.
Refer to the interface's driver-specific man page for a complete
list of the available types,
or use the following command
for a listing of choices:
.Pp
.Dl $ ifconfig interface media
.It Cm mediaopt Ar opts
Set the specified media options on the interface.
.Ar opts
is a comma delimited list of options to apply to the interface.
Refer to the interface's driver-specific man page for a complete
list of available options,
or use the following command
for a listing of choices:
.Pp
.Dl $ ifconfig interface media
.It Cm -mediaopt Ar opts
Disable the specified media options on the interface.
.It Cm metric Ar nhops
Set the routing metric of the interface to
.Ar nhops ,
default 0.
The routing metric can be used by routing protocols.
Higher metrics have the effect of making a route less favorable.
.It Cm mode Ar mode
If the driver for the interface supports the media selection system,
force the mode of the interface to the given
.Ar mode .
For IEEE 802.11 wireless interfaces that support multiple modes,
this directive is used to select between 802.11a
.Pq Dq 11a ,
802.11b
.Pq Dq 11b ,
802.11g
.Pq Dq 11g ,
802.11n
.Pq Dq 11n ,
and 802.11ac
.Pq Dq 11ac
modes.
.It Cm -mode
Select the mode automatically.
This is the default for IEEE 802.11 wireless interfaces.
.It Cm monitor
Enable monitor mode on the interface, preventing the processing of
incoming packets by the network stack.
.It Cm -monitor
Disable monitor mode on the interface, allowing the processing of
incoming packets by the network stack.
.It Cm mpls
Enable Multiprotocol Label Switching (MPLS) on the interface,
allowing it to send and receive MPLS traffic.
.It Cm -mpls
Disable MPLS on the interface.
.It Cm mtu Ar value
Set the MTU for this device to the given
.Ar value .
Cloned routes inherit this value as a default.
For Ethernet devices which support setting the MTU,
a value greater than 1500 enables jumbo frames.
The
.Sy hardmtu
output from
.Cm hwfeatures
shows the maximum supported MTU.
.It Cm netmask Ar mask
(inet and inet6 only)
Specify how much of the address to reserve for subdividing
networks into subnetworks.
The mask includes the network part of the local address
and the subnet part, which is taken from the host field of the address.
The mask can be specified as a single hexadecimal number
with a leading 0x, or with a dot-notation Internet address.
The mask contains 1's for the bit positions in the 32-bit address
which are to be used for the network and subnet parts,
and 0's for the host part.
The mask should contain at least the standard network portion,
and the subnet field should be contiguous with the network
portion.
.It Cm prefixlen Ar n
(inet and inet6 only)
Effect is similar to
.Cm netmask ,
but you can specify prefix length by digits.
.It Cm priority Ar n
Set the interface routing priority to
.Ar n .
.Ar n
is in the range of 0 to 15 with smaller numbers being better.
The default priority of an interface is 0,
except for IEEE 802.11 wireless interfaces (priority 4),
.Xr umb 4
interfaces (priority 6),
and
.Xr carp 4
interfaces (priority 15).
The default priority of newly connected routes (routes created by
configuring an IP address on an interface) is calculated by adding 4
(RTP_CONNECTED) to the interface priority.
The default priority of new static routes added to the kernel is
calculated by adding 8 (RTP_STATIC) to the interface priority.
.It Cm rdomain Ar rdomainid
Attach the interface to the routing domain with the specified
.Ar rdomainid .
Interfaces in different routing domains are separated and cannot directly
pass traffic between each other.
It is therefore possible to reuse the same addresses in different routing
domains.
If the specified rdomain does not yet exist it will be created, including
a routing table with the same id.
By default all interfaces belong to routing domain 0.
.It Cm -rdomain
Remove the interface from the routing domain and return it to routing
domain 0.
Any inet and inet6 addresses on the interface will also be removed.
.It Cm rtlabel Ar route-label
(inet)
Attach
.Ar route-label
to new network routes of the specified interface.
Route labels can be used to implement policy routing;
see
.Xr route 4 ,
.Xr route 8 ,
and
.Xr pf.conf 5 .
.It Cm -rtlabel
Clear the route label.
.It Cm staticarp
If ARP is enabled, the host will only reply to requests for its addresses,
and will never send any requests.
.It Cm -staticarp
If ARP is enabled, the host will perform normally,
sending out requests and listening for replies.
.It Cm transceiver
Query and display information and diagnostics from GBIC and SFP
.\", or QSFP
modules installed in an interface.
It is only supported by drivers implementing the necessary functionality
on hardware which supports it.
.It Cm tcplro
Enable TCP large receive offload (LRO) if it's supported by the hardware; see
.Cm hwfeatures .
LRO enabled network interfaces modify received TCP/IP packets.
This will also affect traffic of upper layer interfaces,
such as
.Xr vlan 4 ,
.Xr aggr 4 ,
and
.Xr carp 4 .
It is not possible to use LRO with interfaces attached to a
.Xr bridge 4 ,
.Xr veb 4 ,
or
.Xr tpmr 4 .
Changing this option will re-initialize the network interface.
.It Cm -tcplro
Disable LRO.
.It Cm up
Mark an interface
.Dq up .
This may be used to enable an interface after an
.Cm ifconfig down .
It happens automatically when setting the first address on an interface.
If the interface was reset when previously marked down,
the hardware will be re-initialized.
.It Cm wol
Enable Wake on LAN (WoL).
When enabled, reception of a WoL frame will cause the network card to
power up the system from standby or suspend mode.
WoL frames are sent using
.Xr arp 8 .
.It Cm -wol
Disable WoL.
WoL is disabled at boot by the driver, if possible.
.El
.Sh BPE
.nr nS 1
.Bk -words
.Nm ifconfig
.Ar bpe-interface
.Op Oo Fl Oc Ns Cm parent Ar parent-interface
.Op Ns Cm vnetid Ar vnetid-tag
.Ek
.nr nS 0
.Pp
The following options are available for
.Xr bpe 4
interfaces:
.Bl -tag -width Ds
.It Cm parent Ar parent-interface
Associate the BPE interface with the interface
.Ar parent-interface .
.It Cm -parent
Disassociate from the parent interface.
This breaks the link between the BPE interface and its parent.
.It Cm vnetid Ar vnetid-tag
Set the virtual network identifier tag value to
.Ar vnetid-tag .
This is a 24-bit value in the range 0 to 16777215.
.El
.Sh BRIDGE
The following options are available for a
.Xr bridge 4
interface:
.Bl -tag -width Ds
.It Cm add Ar interface
Add
.Ar interface
as a member of the bridge.
The interface is put into promiscuous mode so
that it can receive every packet sent on the
network.
An interface can be a member of at most one bridge.
.It Cm addr
Display the addresses that have been learned by the bridge.
.It Cm addspan Ar interface
Add
.Ar interface
as a span port on the bridge.
.It Cm autoedge Ar interface
Automatically detect the spanning tree edge port status on
.Ar interface .
This is the default for interfaces added to the bridge.
.It Cm -autoedge Ar interface
Disable automatic spanning tree edge port detection on
.Ar interface .
.It Cm autoptp Ar interface
Automatically detect the point-to-point status on
.Ar interface
by checking the full duplex link status.
This is the default for interfaces added to the bridge.
.It Cm -autoptp Ar interface
Disable automatic point-to-point link detection on
.Ar interface .
.It Cm blocknonip Ar interface
Mark
.Ar interface
so that only IPv4, IPv6, ARP, and Reverse
ARP packets are accepted from it or forwarded to it from other
bridge member interfaces.
.It Cm -blocknonip Ar interface
Allow non-IPv4, IPv6, ARP, or Reverse ARP packets through
.Ar interface .
.It Cm del Ar interface
Remove
.Ar interface
from the bridge.
Promiscuous mode is turned off for the interface when it is
removed from the bridge.
.It Cm deladdr Ar address
Delete
.Ar address
from the cache.
.It Cm delspan Ar interface
Delete
.Ar interface
from the list of span ports of the bridge.
.It Cm discover Ar interface
Mark
.Ar interface
so that packets are sent out of the interface
if the destination port of the packet is unknown.
If the bridge has no address cache entry for the destination of
a packet, meaning that there is no static entry and no dynamically learned
entry for the destination, the bridge will forward the packet to all member
interfaces that have this flag set.
This is the default for interfaces added to the bridge.
.It Cm -discover Ar interface
Mark
.Ar interface
so that packets are not sent out of the interface
if the destination port of the packet is unknown.
Turning this flag
off means that the bridge will not send packets out of this interface
unless the packet is a broadcast packet, multicast packet, or a
packet with a destination address found on the interface's segment.
This, in combination with static address cache entries,
prevents potentially sensitive packets from being sent on
segments that have no need to see the packet.
.It Cm down
Stop the bridge from forwarding packets.
.It Cm edge Ar interface
Set
.Ar interface
as a spanning tree edge port.
An edge port is a single connection to the network and cannot create
bridge loops.
This allows a straight transition to forwarding.
.It Cm -edge Ar interface
Disable edge port status on
.Ar interface .
.It Cm flush
Remove all dynamically learned addresses from the cache.
.It Cm flushall
Remove all addresses from the cache including static addresses.
.It Cm flushrule Ar interface
Remove all Ethernet MAC filtering rules from
.Ar interface .
.It Cm fwddelay Ar time
Set the time (in seconds) before an interface begins forwarding packets.
Defaults to 15 seconds, minimum of 4, maximum of 30.
.It Cm hellotime Ar time
Set the time (in seconds) between broadcasting spanning tree protocol
configuration packets.
Defaults to 2 seconds, minimum of 1, maximum of 2.
This option is only supported in STP mode with rapid transitions disabled;
see the
.Cm proto
command for setting the protocol version.
.It Cm holdcnt Ar time
Set the transmit hold count, which is the number of spanning tree protocol
packets transmitted before being rate limited.
Defaults to 6, minimum of 1, maximum of 10.
.It Cm ifcost Ar interface num
Set the spanning tree path cost of
.Ar interface
to
.Ar num .
Defaults to 55, minimum of 1, maximum of 200000000 in RSTP mode,
and maximum of 65535 in STP mode.
.It Cm -ifcost Ar interface
Automatically calculate the spanning tree priority of
.Ar interface
based on the current link speed, interface status, and spanning tree mode.
This is the default for interfaces added to the bridge.
.It Cm ifpriority Ar interface num
Set the spanning tree priority of
.Ar interface
to
.Ar num .
Defaults to 128, minimum of 0, maximum of 240.
.It Cm learn Ar interface
Mark
.Ar interface
so that the source address of packets received from
the interface
are entered into the address cache.
This is the default for interfaces added to the bridge.
.It Cm -learn Ar interface
Mark
.Ar interface
so that the source address of packets received from interface
are not entered into the address cache.
.It Cm link0
Setting this flag stops all IP multicast packets from
being forwarded by the bridge.
.It Cm -link0
Clear the
.Cm link0
flag on the bridge interface.
.It Cm link1
Setting this flag stops all non-IP multicast packets from
being forwarded by the bridge.
.It Cm -link1
Clear the
.Cm link1
flag on the bridge interface.
.It Cm link2
Setting this flag causes all packets to be passed on to
.Xr ipsec 4
for processing, based on the policies established by the administrator
using the
.Xr ipsecctl 8
command and
.Xr ipsec.conf 5 .
If appropriate security associations (SAs) exist, they will be used to
encrypt or decrypt the packets.
Otherwise, any key management daemons such as
.Xr isakmpd 8
that are running on the bridge will be invoked to establish the
necessary SAs.
These daemons have to be configured as if they were running on the
host whose traffic they are protecting (i.e. they need to have the
appropriate authentication and authorization material, such as keys
and certificates, to impersonate the protected host(s)).
.It Cm -link2
Clear the
.Cm link2
flag on the bridge interface.
.It Cm maxaddr Ar size
Set the address cache size to
.Ar size .
The default is 100 entries.
.It Cm maxage Ar time
Set the time (in seconds) that a spanning tree protocol configuration is valid.
Defaults to 20 seconds, minimum of 6, maximum of 40.
.It Cm protected Ar interface ids
Put
.Ar interface
in protected domains.
.Ar ids
is a comma delimited list of domain IDs, between 1 and 31, to put the
interface in.
Interfaces that are part of a protected domain cannot forward traffic to any
other interface in that domain.
Interfaces do not belong to any protected domain by default.
.It Cm -protected Ar interface
Remove
.Ar interface
from all protected domains.
.It Cm proto Ar value
Force the spanning tree protocol version.
The available values are
.Ar rstp
to operate in the default Rapid Spanning Tree (RSTP) mode
or
.Ar stp
to force operation in Spanning Tree (STP) mode with rapid transitions disabled.
.It Cm ptp Ar interface
Set
.Ar interface
as a point-to-point link.
This is required for straight transitions to forwarding and
should be enabled for a full duplex link or a
.Xr trunk 4
with at least two physical links to the same network segment.
.It Cm -ptp Ar interface
Disable point-to-point link status on
.Ar interface .
This should be disabled for a half duplex link and for an interface
connected to a shared network segment,
like a hub or a wireless network.
.It Xo
.Cm rule
.Cm block Ns | Ns Cm pass
.Op Cm in | out
.Cm on Ar interface
.Op Cm src Ar lladdr
.Op Cm dst Ar lladdr
.Bk -words
.Op Cm tag Ar tagname
.Oo
.Cm arp Ns | Ns Cm rarp Op Cm request | reply
.Op Cm sha Ar lladdr
.Op Cm spa Ar ipaddr
.Op Cm tha Ar lladdr
.Op Cm tpa Ar ipaddr
.Oc
.Ek
.Xc
Add a filtering rule to an interface.
Rules have a similar syntax to those in
.Xr pf.conf 5 .
Rules can be used to selectively
.Cm block
or
.Cm pass
frames based on Ethernet
MAC addresses or to
.Cm tag
packets for
.Xr pf 4
to filter on.
.Pp
.Xr arp 4
packets can be matched with the
.Cm arp
keyword for regular packets and
.Cm rarp
for reverse arp.
.Cm request
and
.Cm reply
limit matches to requests or replies.
The source and target host addresses can be matched with the
.Cm sha
and
.Cm tha
keywords,
and the protocol addresses with
.Cm spa
and
.Cm tpa .
.Pp
Rules are processed in the order in which they were added to the interface.
The first rule matched takes the action (block or pass)
and, if given, the tag of the rule.
If no source or destination address is specified, the
rule will match all frames (good for creating a catchall policy).
.It Cm rulefile Ar filename
Load a set of rules from the file
.Ar filename .
.It Cm rules Ar interface
Display the active filtering rules in use on
.Ar interface .
.It Cm spanpriority Ar num
Set the spanning priority of this bridge to
.Ar num .
Defaults to 32768, minimum of 0, maximum of 61440.
.It Cm static Ar interface address
Add a static entry into the address cache pointing to
.Ar interface .
Static entries are never aged out of the cache or replaced, even if the address
is seen on a different interface.
.It Cm stp Ar interface
Enable spanning tree protocol on
.Ar interface .
.It Cm -stp Ar interface
Disable spanning tree protocol on
.Ar interface .
This is the default for interfaces added to the bridge.
.It Cm timeout Ar time
Set the timeout, in seconds, for addresses in the cache to
.Ar time .
The default is 240 seconds.
If
.Ar time
is set to zero, then entries will not be expired.
.It Cm up
Start the bridge forwarding packets.
.El
.Sh CARP
.nr nS 1
.Bk -words
.Nm ifconfig
.Ar carp-interface
.Op Cm advbase Ar n
.Op Cm advskew Ar n
.Op Cm balancing Ar mode
.Op Cm carpnodes Ar vhid:advskew,vhid:advskew,...
.Op Cm carpdev Ar iface
.Op Oo Fl Oc Ns Cm carppeer Ar peer_address
.Op Cm pass Ar passphrase
.Op Cm state Ar state
.Op Cm vhid Ar host-id
.Ek
.nr nS 0
.Pp
The following options are available for a
.Xr carp 4
interface:
.Bl -tag -width Ds
.It Cm advbase Ar n
Set the base advertisement interval to
.Ar n
seconds.
Acceptable values are 0 to 254; the default value is 1 second.
.It Cm advskew Ar n
Skew the advertisement interval by
.Ar n .
Acceptable values are 0 to 254; the default value is 0.
.It Cm balancing Ar mode
Set the load balancing mode to
.Ar mode .
Valid modes are
.Cm ip ,
.Cm ip-stealth ,
and
.Cm ip-unicast .
.It Cm carpnodes Ar vhid:advskew,vhid:advskew,...
Create a load balancing group consisting of up to 32 nodes.
Each node is specified as a
.Ar vhid:advskew
tuple in a comma-separated list.
.It Cm carpdev Ar iface
Attach to parent interface
.Ar iface .
.It Cm carppeer Ar peer_address
Send the carp advertisements to a specified
point-to-point peer or multicast group instead of sending the messages
to the default carp multicast group.
The
.Ar peer_address
is the IP address of the other host taking part in the carp cluster.
With this option,
.Xr carp 4
traffic can be protected using
.Xr ipsec 4
and it may be desired in networks that do not allow or have problems
with IPv4 multicast traffic.
.It Cm -carppeer
Send the advertisements to the default carp multicast
group.
.It Cm pass Ar passphrase
Set the authentication key to
.Ar passphrase .
There is no passphrase by default.
.It Cm state Ar state
Explicitly force the interface to enter this state.
Valid states are
.Ar init ,
.Ar backup ,
and
.Ar master .
.It Cm vhid Ar n
Set the virtual host ID to
.Ar n .
Acceptable values are 1 to 255.
.El
.Pp
Taken together, the
.Cm advbase
and
.Cm advskew
indicate how frequently, in seconds, the host will advertise the fact that it
considers itself master of the virtual host.
The formula is
.Cm advbase
+
.Pf ( Cm advskew
/ 256).
If the master does not advertise within three times this interval, this host
will begin advertising as master.
.Sh IEEE 802.11 (WIRELESS DEVICES)
.nr nS 1
.Bk -words
.Nm ifconfig
.Ar wireless-interface
.Op Oo Fl Oc Ns Cm bssid Ar bssid
.Op Oo Fl Oc Ns Cm chan Op Ar n
.Op Oo Fl Oc Ns Cm join Ar id
.Op Oo Fl Oc Ns Cm joinlist
.Op Oo Fl Oc Ns Cm nwflag Ar flag
.Op Oo Fl Oc Ns Cm nwid Ar id
.Op Oo Fl Oc Ns Cm nwkey Ar key
.Op Oo Fl Oc Ns Cm powersave Op Ar duration
.Op Cm scan
.Op Oo Fl Oc Ns Cm wpa
.Op Cm wpaakms Ar akm,akm,...
.Op Cm wpaciphers Ar cipher,cipher,...
.Op Cm wpagroupcipher Ar cipher
.Op Oo Fl Oc Ns Cm wpakey Ar passphrase | hexkey
.Op Cm wpaprotos Ar proto,proto,...
.Ek
.nr nS 0
.Pp
The following options are available for a wireless interface:
.Bl -tag -width Ds
.It Cm bssid Ar bssid
Set the desired BSSID.
.It Cm -bssid
Unset the desired BSSID.
The interface will automatically select a BSSID in this mode, which is
the default.
.It Cm chan Op Ar n
Set the channel (radio frequency) to
.Ar n .
.Pp
With no channel specified,
show the list of channels supported by the device.
.It Cm -chan
Unset the desired channel.
It doesn't affect the channel to be created for IBSS or Host AP mode.
.It Cm join Ar id
Add the network with ESSID
.Ar id
to the
.Cm join
list.
The interface will automatically attempt to connect to networks on this
list if they are found during a scan.
.Pp
The
.Ar id
can either be a printable ASCII string up to 32 characters in length,
or a series of hexadecimal digits up to 64 digits preceded by
.Dq 0x .
If
.Ar id
is the empty string
.Pq Qq
and none of the networks on the
.Cm join
list are found during a scan, the interface will automatically
connect to any available networks, provided they do not require
WEP or WPA authentication.
.Pp
Apart from the
.Ar id ,
the
.Cm join
list will record
.Cm wpakey ,
.Cm wpaprotos ,
or
.Cm nwkey
parameters for the network, provided they are passed in the same invocation of
.Nm .
Because multiple access points may exist in a given network, the
.Cm mode
(11a/11b/11g/11n/11ac),
.Cm chan ,
and
.Cm bssid
parameters cannot be stored with
.Cm join .
However, they may be used separately to force the selection of a
particular access point when the automatic access point selection
turns out to be suboptimal.
.Pp
.Cm join
and
.Cm nwid
cannot be used together in the same invocation of
.Nm .
.It Cm -join Ar id
Remove the network with ESSID
.Ar id
from the
.Cm join
list and disconnect the interface from the access point if it is currently
connected to this network.
The interface will keep scanning for access points as long as it remains
marked as
.Dq up .
A new connection will be established either if a network on the
.Cm join
list is found during the scan or if a network ID is configured with
.Cm nwid .
.It Cm joinlist
Show the list of networks stored on the
.Cm join
list.
.It Cm -joinlist
Remove all networks from the
.Cm join
list.
.It Cm nwflag Ar flag
Set specified flag.
The flag name can be:
.Bl -tag -width tenletters
.It hidenwid
The
.Ql hidenwid
flag will hide the network ID (ESSID) in beacon frames when operating
in Host AP mode.
It will also prevent responses to probe requests with an unspecified
network ID.
.It nobridge
The
.Ql nobridge
flag will disable the direct bridging of frames between associated
nodes when operating in Host AP mode.
Setting this flag will block and filter direct inter-station
communications.
.It nomimo
The
.Ql nomimo
flag will disable MIMO reception and transmission even if the driver
and wireless network device support MIMO.
This flag can be used to work around packet loss in 11n mode if the
wireless network device has unused antenna connectors.
.It stayauth
The
.Ql stayauth
flag will cause the interface to ignore deauth frames.
This flag should only be used on wifi networks which are being
attacked with spoofed deauth frames.
It breaks interoperability with spectrum management solutions and access
points that perform band-steering of clients.
.El
.Pp
Note that the
.Ql hidenwid
and
.Ql nobridge
options do not provide any security.
The hidden network ID will be sent in clear text by associating
stations and can be easily discovered with tools like
.Xr tcpdump 8
and
.Xr hostapd 8 .
.It Cm -nwflag Ar flag
Remove specified flag.
.It Cm nwid Ar id
Connect to the network with NWID/ESSID
.Ar id .
The
.Ar id
can either be a printable ASCII string up to 32 characters in length,
or a series of hexadecimal digits up to 64 digits preceded by
.Dq 0x .
.Pp
Unlike
.Cm join ,
the
.Cm nwid
option only allows one network to be configured at a time.
The
.Cm nwid
option may not be used together with
.Cm join
in the same invocation of
.Nm
but may be used to momentarily override the automatic selection of
networks stored in the
.Cm join
list.
.It Cm -nwid
Clear the network ID configured with
.Cm nwid
and disconnect the interface from the access point if it is currently
connected to this network.
The interface will keep scanning for access points as long as it remains
marked as
.Dq up .
A new connection will be established either if a network on the
.Cm join
list is found during the scan or if a network ID is configured with
.Cm nwid .
.It Cm nwkey Ar key
Enable WEP encryption using the specified
.Ar key .
The
.Ar key
can either be a string, a series of hexadecimal digits (preceded by
.So 0x Sc ) ,
or a set of keys
of the form
.Dq n:k1,k2,k3,k4
where
.Sq n
specifies which of the keys will be used for transmitted packets,
and the four keys,
.Dq k1
through
.Dq k4 ,
are configured as WEP keys.
If a set of keys is specified, a comma
.Pq Sq \&,
within the key must be escaped with a backslash.
Note that if multiple keys are used, their order must be the same within
the network.
.Pp
The length of each key must be either 40 bits for 64-bit encryption
(5-character ASCII string
or 10 hexadecimal digits)
or 104 bits for 128-bit encryption
(13-character ASCII string
or 26 hexadecimal digits).
.It Cm -nwkey
Disable WEP encryption.
.It Cm nwkey Cm persist
Enable WEP encryption using the persistent key stored in the network card.
.It Cm nwkey Cm persist : Ns Ar key
Write
.Ar key
to the persistent memory of the network card, and
enable WEP encryption using that
.Ar key .
.It Cm powersave
Enable 802.11 power saving mode.
Power saving is disabled by default.
See driver specific manual pages
to see details of the implementation relevant to that device.
.\" XXX
.\" Undocumented because optional sleep period
.\" only configurable on legacy an(4) and atw(4) devices.
.\" XXX
.\" Op Ar duration
.\" If enabled, the receiver sleep period is set to 100ms,
.\" though some drivers allow this to be altered via the
.\" .Ar duration
.\" argument.
.It Cm -powersave
Disable 802.11 power saving mode.
.It Cm scan
Show the results of an access point scan.
In Host AP mode, this will dump the list of known nodes without scanning.
In station mode, this will list each access point's SSID, channel,
MAC address (BSSID), received signal strength indicator, maximum data
transfer rate, and supported feature flags.
If an access point cannot be selected due to incompatibilities with the
interface configuration,
.Nm
indicates mismatching configuration items with an exclamation mark.
.Pp
Because the list of access points is continuously updated while a scan
is in progress,
.Cm scan
may sometimes show incomplete scan results.
.Pp
Some interfaces support scanning in the background while remaining
associated to the current access point.
The superuser may use
.Cm scan
to trigger a background scan while associated, which will update the scan
result list and also trigger a search for a better access point to roam to.
.It Cm wpa
Enable Wi-Fi Protected Access.
WPA is a Wi-Fi Alliance protocol based on the IEEE 802.11i standard.
It was designed to enhance the security of wireless networks.
Notice that not all drivers support WPA.
Check the driver's manual page to know if this option is supported.
.It Cm -wpa
Disable Wi-Fi Protected Access.
.It Cm wpaakms Ar akm,akm,...
Set the comma-separated list of allowed authentication and key management
protocols.
.Pp
The supported values are
.Dq psk
and
.Dq 802.1x .
.Ar psk
authentication (also known as personal mode) uses a 256-bit pre-shared key.
.Ar 802.1x
authentication (also known as enterprise mode) is used with
an external IEEE 802.1X authentication server,
such as wpa_supplicant.
The default value is
.Dq psk .
.Dq psk
can only be used if a pre-shared key is configured using the
.Cm wpakey
option.
.It Cm wpaciphers Ar cipher,cipher,...
Set the comma-separated list of allowed pairwise ciphers.
.Pp
The supported values are
.Dq tkip ,
.Dq ccmp ,
and
.Dq usegroup .
.Ar usegroup
specifies that no pairwise ciphers are supported and that only group keys
should be used.
The default value is
.Dq ccmp .
If multiple pairwise ciphers are specified, the pairwise cipher will
be negotiated between the station and the access point at association
time.
A station will always try to use
.Ar ccmp
over
.Ar tkip
if both ciphers are allowed and supported by the access point.
If the selected cipher is not supported by the hardware, software
encryption will be used.
Check the driver's manual page to know which ciphers are supported in
hardware.
.It Cm wpagroupcipher Ar cipher
Set the group cipher used to encrypt broadcast and multicast traffic.
.Pp
The supported values are
.Dq wep40 ,
.Dq wep104 ,
.Dq tkip ,
and
.Dq ccmp .
The default value is
.Dq ccmp .
The use of
.Ar tkip
or
.Ar wep40
or
.Ar wep104
as the group cipher is discouraged due to weaknesses in TKIP and WEP.
The
.Cm wpagroupcipher
option is available in Host AP mode only.
A station will always use the group cipher of the BSS.
.It Cm wpakey Ar passphrase | hexkey
Set the WPA key and enable WPA.
The key can be given using either a passphrase or a full length hex key,
starting with 0x.
If a passphrase is used the
.Cm nwid
or
.Cm join
option must first be specified, since
.Nm
will hash the nwid along with the passphrase to create the key.
.It Cm -wpakey
Delete the pre-shared WPA key and disable WPA.
.It Cm wpaprotos Ar proto,proto,...
Set the comma-separated list of allowed WPA protocol versions.
.Pp
The supported values are
.Dq wpa1
and
.Dq wpa2 .
.Ar wpa1
is based on draft 3 of the IEEE 802.11i standard whereas
.Ar wpa2
is based on the ratified standard.
The default value is
.Dq wpa2 .
If
.Dq wpa1,wpa2
is specified, a station will always use the
.Ar wpa2
protocol when supported by the access point.
.El
.Sh INET6
.nr nS 1
.Bk -words
.Nm ifconfig
.Ar interface
.Cm inet6
.Op Oo Fl Oc Ns Cm anycast
.Op Oo Fl Oc Ns Cm temporary
.Op Cm eui64
.Op Cm pltime Ar n
.Op Oo Fl Oc Ns Cm soii
.Op Oo Fl Oc Ns Cm tentative
.Op Cm vltime Ar n
.Ek
.nr nS 0
.Pp
The following options are available for an
.Xr ip6 4
interface:
.Bl -tag -width Ds
.It Cm anycast
Set the IPv6 anycast address bit.
.It Cm -anycast
Clear the IPv6 anycast address bit.
.It Cm temporary
Enable temporary address extensions for stateless IPv6 address
autoconfiguration (RFC 8981) on the interface.
These extensions are enabled by default.
The purpose of these extensions is to prevent tracking of individual
devices which connect to the IPv6 internet from different networks
using stateless autoconfiguration.
The interface identifier often remains constant and provides the lower
64 bits of an autoconfigured IPv6 address, facilitating tracking of
individual devices (and hence, potentially, users of these devices)
over long periods of time (weeks to months to years).
When these extensions are active, random interface identifiers are used
for autoconfigured addresses.
.Pp
Autoconfigured addresses are also made temporary, which means that they
will automatically be replaced regularly.
Temporary addresses are deprecated after 24 hours.
Once a temporary address has been deprecated, a new temporary address
will be configured upon reception of a router advertisement indicating
that the prefix is still valid.
Deprecated addresses will not be used for new connections as long as a
non-deprecated address remains available.
Temporary addresses become invalid after another 24 hours, at which time they
will be removed from the interface.
.It Cm -temporary
Disable IPv6 autoconf temporary address extensions on the interface.
Currently configured addresses will not be removed until they become
invalid.
.It Cm eui64
Fill the interface index
.Pq the lowermost 64 bits of an IPv6 address
automatically.
.It Cm pltime Ar n
Set preferred lifetime for the address, in seconds.
.It Cm soii
Enable persistent Semantically Opaque Interface Identifiers (SOIIs),
as per RFC 7217, for SLAAC addresses on the interface.
The purpose of these identifiers is to make discovery of hosts by
scanning a whole prefix more difficult.
SOIIs use the whole 64 bits of the host part while SLAAC addresses are
formed from MAC addresses which can lower the entropy to 24 bits if
the host is running in a virtualization environment or the hardware
manufacturer is known.
See RFC 7721 and RFC 8064 for details.
SOIIs are enabled by default.
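The tracking and entropy concerns described for temporary, eui64 and soii above, as an added Python example that is not part of the manual page or of OpenBSD's code: it builds a MAC-derived (modified EUI-64) identifier, shows that it is identical under every prefix and gives the MAC back, and contrasts it with an RFC 7217-style opaque identifier.
The HMAC-SHA256 construction, its field encoding, the function names and the sample MAC, secret and prefixes are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
from typing import Dict, Iterable, Optional


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier derived from a 48-bit MAC address."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Invert the universal/local bit and insert ff:fe between the OUI and
    # the device-specific half; 40 of the 64 bits are fixed once the OUI is known.
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def opaque_iid(prefix: str, ifname: str, secret: bytes, dad_counter: int = 0) -> bytes:
    """RFC 7217-style identifier: keyed hash over prefix, interface and DAD counter.

    Assumption: HMAC-SHA256 with this field encoding stands in for the RFC's
    generic function F(); it is not the construction OpenBSD uses.
    """
    net = ipaddress.IPv6Network(prefix)
    name = ifname.encode()
    msg = (net.network_address.packed + bytes([len(name)]) + name
           + dad_counter.to_bytes(4, "big"))
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]


def make_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("SLAAC uses a /64 prefix and a 64-bit identifier")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def embedded_mac(address: str) -> Optional[str]:
    """Return the MAC address an EUI-64 style address carries, or None."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def audit(addresses: Iterable[str]) -> Dict[str, str]:
    """Map each address that exposes a hardware address to that address."""
    findings = {}
    for address in addresses:
        mac = embedded_mac(address)
        if mac is not None:
            findings[address] = mac
    return findings


# Constructed sample values (documentation ranges, not real hosts).
MAC = "00:00:5e:00:53:01"
SECRET = b"constructed-example-secret"
PREFIXES = ("2001:db8:1::/64", "2001:db8:2::/64")

if __name__ == "__main__":
    for prefix in PREFIXES:
        tracked = make_address(prefix, eui64_iid(MAC))
        opaque = make_address(prefix, opaque_iid(prefix, "em0", SECRET))
        # Same low 64 bits under every prefix versus a different value per prefix.
        print(f"{prefix}: eui64={tracked} opaque={opaque}")
    own = [str(make_address(p, eui64_iid(MAC))) for p in PREFIXES]
    print(audit(own))
```

Running audit() over the addresses configured on one's own hosts shows which of them still expose a hardware address.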
.It Cm -soii
Disable IPv6 persistent Semantically Opaque Interface Identifiers on the
interface.
Currently configured addresses will not be removed until they become
invalid.
.It Cm tentative
Set the IPv6 tentative address bit.
.It Cm -tentative
Clear the IPv6 tentative address bit.
.It Cm vltime Ar n
Set valid lifetime for the address, in seconds.
.El
.Sh INTERFACE GROUPS
.Nm ifconfig
.Fl g
.Ar group-name
.Oo
.Oo Fl Oc Ns Cm carpdemote
.Op Ar number
.Oc
.Pp
The following options are available for interface groups:
.Bl -tag -width Ds
.It Fl g Ar group-name
Specify the group.
.It Cm carpdemote Op Ar number
Increase
.Xr carp 4
demotion counter for given interface group by
.Ar number .
Acceptable values are 0 to 128.
If
.Ar number
is omitted, it is increased by 1.
The maximum value for a demotion counter is 255.
.It Cm -carpdemote Op Ar number
Decrease
.Xr carp 4
demotion counter for given interface group by
.Ar number .
Acceptable values are 0 to 128.
If
.Ar number
is omitted, it is decreased by 1.
.El
.Sh MPLS
.nr nS 1
.Bk -words
.Nm ifconfig
.Ar mpls-interface
.Op Oo Fl Oc Ns Cm mplslabel Ar mpls-label
.Op Oo Fl Oc Ns Cm pwecw
.Op Oo Fl Oc Ns Cm pwefat
.Op Oo Fl Oc Ns Cm pweneighbor Ar mpls-label Ar neighbor
.Op Oo Fl Oc Ns Cm tunneldomain Ar rdomain
.Ek
.nr nS 0
.Pp
The following options are available for
.Xr mpe 4 ,
.Xr mpip 4 ,
and
.Xr mpw 4
interfaces:
.Bl -tag -width Ds
.It Cm mplslabel Ar mpls-label
Set the local MPLS label to
.Ar mpls-label .
MPLS packets sent to this label on the local system will be
decapsulated for input.
An MPLS label is a 20-bit number.
Labels 0 to 15 inclusive are reserved labels and cannot be used.
.It Cm -mplslabel
Unset the local MPLS label.
.It Cm tunneldomain Ar rdomain
Use the routing domain
.Ar rdomain
for MPLS transit.
The MPLS encapsulated traffic does not need to terminate in the same
routing domain as the interface itself.
.It Cm -tunneldomain
Use the default routing domain 0 for MPLS transit.
.El
.Pp
The following options are available for the
.Xr mpip 4
and
.Xr mpw 4
interfaces that provide MPLS Pseudowire Emulation Edge-to-Edge (PWE3)
functionality:
.Bl -tag -width Ds
.It Cm pwecw
Enable the use of the PWE3 Control Word.
.It Fl Ns Cm pwecw
Disable the use of the PWE3 Control Word.
.It Cm pwefat
Enable the use of the Flow-Aware Transport (FAT) flow label.
.It Fl Ns Cm pwefat
Disable the use of the Flow-Aware Transport (FAT) flow label.
.It Cm pweneighbor Ar mpls-label Ar neighbor
Use
.Ar mpls-label
and
.Ar neighbor
as the remote MPLS label and neighbor respectively.
Remote MPLS labels have the same restrictions on values as local MPLS labels.
.It Fl Ns Cm pweneighbor
Unset the remote MPLS label and neighbor.
.El
.Sh PAIR
.nr nS 1
.Bk -words
.Nm ifconfig
.Ar pair-interface
.Op Oo Fl Oc Ns Cm patch Ar interface
.Ek
.nr nS 0
.Pp
The following options are available for a
.Xr pair 4
interface:
.Bl -tag -width Ds
.It Cm patch Ar interface
Connect the interface with a second
.Xr pair 4
interface.
Any outgoing packets from the first
.Ar pair-interface
will be received by the second
.Ar interface ,
and vice versa.
This makes it possible to interconnect two routing domains locally.
.It Cm -patch
If configured, disconnect the interface pair.
.El
.Sh PFLOW
.nr nS 1
.Bk -words
.Nm ifconfig
.Ar pflow-interface
.Op Oo Fl Oc Ns Cm flowdst Ar addr : Ns Ar port
.Op Oo Fl Oc Ns Cm flowsrc Ar addr Ns Oo : Ns Ar port Oc
.Op Cm pflowproto Ar n
.Ek
.nr nS 0
.Pp
The following options are available for a
.Xr pflow 4
interface:
.Bl -tag -width Ds
.It Cm flowdst Ar addr : Ns Ar port
Set the receiver address and the port for
.Xr pflow 4
packets.
Both must be defined to export pflow data.
.Ar addr
is the IP address and
.Ar port
is the port number of the flow collector.
Pflow data will be sent to this address/port.
.It Cm -flowdst
Unset the receiver address and stop sending pflow data.
.It Cm flowsrc Ar addr Ns Oo : Ns Ar port Oc
Set the source IP address for pflow packets.
.Ar addr
is the IP address used as sender of the UDP packets and may be used to
identify the source of the data on the pflow collector.
.It Cm -flowsrc
Unset the source address.
.It Cm pflowproto Ar n
Set the protocol version.
The default is version 5.
.El
.Sh PFSYNC
.nr nS 1
.Bk -words
.Nm ifconfig
.Ar pfsync-interface
.Op Oo Fl Oc Ns Cm defer
.Op Cm maxupd Ar n
.Op Oo Fl Oc Ns Cm syncdev Ar iface
.Op Oo Fl Oc Ns Cm syncpeer Ar peer_address
.Ek
.nr nS 0
.Pp
The following options are available for a
.Xr pfsync 4
interface:
.Bl -tag -width Ds
.It Cm defer
Defer transmission of the first packet in a state until a peer has
acknowledged that the associated state has been inserted.
See
.Xr pfsync 4
for more information.
.It Cm -defer
Do not defer the first packet in a state.
This is the default.
.It Cm maxupd Ar n
Indicate the maximum number
of updates for a single state which can be collapsed into one.
This is an 8-bit number; the default value is 128.
.It Cm syncdev Ar iface
Use the specified interface
to send and receive pfsync state synchronisation messages.
.It Cm -syncdev
Stop sending pfsync state synchronisation messages over the network.
.It Cm syncpeer Ar peer_address
Make the pfsync link point-to-point rather than using
multicast to broadcast the state synchronisation messages.
The peer_address is the IP address of the other host taking part in
the pfsync cluster.
With this option,
.Xr pfsync 4
traffic can be protected using
.Xr ipsec 4 .
.It Cm -syncpeer
Broadcast the packets using multicast.
.El
.Sh PPPOE
.nr nS 1
.Bk -words
.Nm ifconfig
.Ar pppoe-interface
.Op Cm authkey Ar key
.Op Cm authname Ar name
.Op Cm authproto Ar proto
.Op Oo Fl Oc Ns Cm peerflag Ar flag
.Op Cm peerkey Ar key
.Op Cm peername Ar name
.Op Cm peerproto Ar proto
.Op Oo Fl Oc Ns Cm pppoeac Ar access-concentrator
.Op Cm pppoedev Ar parent-interface
.Op Oo Fl Oc Ns Cm pppoesvc Ar service
.Ek
.nr nS 0
.Pp
.Xr pppoe 4
uses the
.Xr sppp 4
"generic" SPPP framework.
Any options not described in the section immediately following
are described in the
.Sx SPPP
section, below.
.Pp
The following options are available for a
.Xr pppoe 4
interface:
.Bl -tag -width Ds
.It Cm pppoeac Ar access-concentrator
Set the name of the access-concentrator.
.It Cm -pppoeac
Clear a previously set access-concentrator name.
.It Cm pppoedev Ar parent-interface
Set the name of the interface through which
packets will be transmitted and received.
.It Cm pppoesvc Ar service
Set the service name of the interface.
.It Cm -pppoesvc
Clear a previously set service name.
.El
.Sh SPPP (PPP LINK CONTROL PROTOCOL)
.nr nS 1
.Bk -words
.Nm
.Ar sppp-interface
.Op Cm authkey Ar key
.Op Cm authname Ar name
.Op Cm authproto Ar proto
.Op Oo Fl Oc Ns Cm peerflag Ar flag
.Op Cm peerkey Ar key
.Op Cm peername Ar name
.Op Cm peerproto Ar proto
.Ek
.nr nS 0
.Pp
The following options are available for an
.Xr sppp 4
or
.Xr pppoe 4
interface:
.Bl -tag -width Ds
.It Cm authkey Ar key
Set the client key or password for the PPP authentication protocol.
.It Cm authname Ar name
Set the client name for the PPP authentication protocol.
.It Cm authproto Ar proto
Set the PPP authentication protocol on the specified
interface acting as a client.
The protocol name can be either
.Ql chap ,
.Ql pap ,
or
.Ql none .
In the latter case, authentication will be turned off.
.It Cm peerflag Ar flag
Set a specified PPP flag for the remote authenticator.
The flag name can be either
.Ql callin
or
.Ql norechallenge .
The
.Ql callin
flag will require the remote peer to authenticate only when he's
calling in, but not when the peer is called by the local client.
This is required for some peers that do not implement the
authentication protocols symmetrically.
The
.Ql norechallenge
flag is only meaningful with the CHAP protocol to not re-challenge
once the initial CHAP handshake has been successful.
This is used to work around broken peer implementations that can't
grok being re-challenged once the connection is up.
.It Cm -peerflag Ar flag
Remove a specified PPP flag for the remote authenticator.
.It Cm peerkey Ar key
Set the authenticator key or password for the PPP authentication protocol.
.It Cm peername Ar name
Set the authenticator name for the PPP authentication protocol.
.It Cm peerproto Ar proto
Set the PPP authentication protocol on the specified
interface acting as an authenticator.
The protocol name can be either
.Ql chap ,
.Ql pap ,
or
.Ql none .
In the latter case, authentication will be turned off.
.El
.Sh TPMR
.nr nS 1
.Bk -words
.Nm ifconfig
.Ar tpmr-interface
.Op Cm add Ar child-iface
.Op Cm del Ar child-iface
.Op Oo Fl Oc Ns Cm link0
.Op Oo Fl Oc Ns Cm link1
.Op Oo Fl Oc Ns Cm link2
.Ek
.Pp
The following options are available for a
.Xr tpmr 4
interface:
.Bl -tag -width Ds
.It Cm add Ar child-iface
Add
.Ar child-iface
as a member.
.It Cm del Ar child-iface
Remove the member
.Ar child-iface .
.It Cm link0
Disable the filtering of Ethernet frames destined for the TPMR
component reserved addresses, as specified by IEEE 802.1Q.
.It Cm -link0
Enable the filtering of Ethernet frames destined for the TPMR
component reserved addresses, as specified by IEEE 802.1Q.
This is the default.
.It Cm link1
Disable the filtering of IPv4 and IPv6 packets with
.Xr pf 4 .
.It Cm -link1
Enable the filtering of IPv4 and IPv6 packets with
.Xr pf 4 .
This is the default.
.It Cm link2
Disable the filtering of 802.1Q VLAN and QinQ SVLAN packets.
.It Cm -link2
Enable the filtering of 802.1Q VLAN and QinQ SVLAN packets.
This is the default.
.El
.Sh TRUNK (LINK AGGREGATION)
.nr nS 1
.Bk -words
.Nm ifconfig
.Ar trunk-interface
.Op Cm lacpmode Cm active Ns | Ns Cm passive
.Op Cm lacptimeout Cm fast Ns | Ns Cm slow
.Op Oo Fl Oc Ns Cm trunkport Ar child-iface
.Op Cm trunkproto Ar proto
.Ek
.nr nS 0
.Pp
The following options are available for
.Xr aggr 4
and
.Xr trunk 4
interfaces:
.Bl -tag -width Ds
.It Cm lacpmode Cm active Ns | Ns Cm passive
Set the LACP trunk mode to either
.Cm active
(default) or
.Cm passive .
.It Cm lacptimeout Cm fast Ns | Ns Cm slow
Set the LACP timeout speed to either
.Cm fast
or
.Cm slow
(default).
.It Cm trunkport Ar child-iface
Add
.Ar child-iface
as a trunk port.
.It Cm -trunkport Ar child-iface
Remove the trunk port
.Ar child-iface .
.It Cm trunkproto Ar proto
Set the link aggregation protocol on
.Xr trunk 4
interfaces.
Refer to
.Xr trunk 4
for a complete list of the available protocols.
.El
.Sh TUNNEL
.nr nS 1
.Bk -words
.Nm ifconfig
.Ar tunnel-interface
.Op Oo Fl Oc Ns Cm endpoint Ar dest_address dest_mac
.Op Oo Fl Oc Ns Cm keepalive Ar period count
.Op Oo Fl Oc Ns Cm parent Ar parent-interface
.Op Cm rxprio Ar prio
.Op Oo Fl Oc Ns Cm tunnel Ar src_address dest_address
.Op Cm tunneladdr Ar src_address
.Op Oo Fl Oc Ns Cm tunneldf
.Op Oo Fl Oc Ns Cm tunneldomain Ar rtable
.Op Cm tunnelttl Ar ttl
.Op Cm txprio Ar prio
.Op Oo Fl Oc Ns Cm vnetflowid
.Op Oo Fl Oc Ns Cm vnetid Ar network-id
.Ek
.nr nS 0
.Pp
.Xr egre 4 ,
.Xr eoip 4 ,
.Xr etherip 4 ,
.Xr gif 4 ,
.Xr gre 4 ,
.Xr mgre 4 ,
.Xr nvgre 4 ,
and
.Xr vxlan 4
are all tunnel interfaces.
The following options are available:
.Bl -tag -width Ds
.It Cm endpoint Ar dest_address dest_mac
When
.Xr vxlan 4
is in endpoint mode, set the tunnel endpoint
.Ar dest_address
where
.Ar dest_mac
MAC address can be reached.
.It Cm -endpoint Ar dest_mac
When
.Xr vxlan 4
is in endpoint mode, remove the tunnel endpoint for
.Ar dest_mac
MAC address.
.It Cm keepalive Ar period count
Enable
.Xr gre 4
and
.Xr eoip 4
keepalive with a packet sent every
.Ar period
seconds.
A second timer is run with a timeout of
.Ar count
*
.Ar period .
If no keepalive response is received during that time, the link is considered
down.
The minimal usable
.Ar count
is 2 since the round-trip time of keepalive packets needs to be accounted for.
.It Cm -keepalive
Disable the
.Xr gre 4
keepalive mechanism.
.It Cm parent Ar parent-interface
Associate the
.Xr nvgre 4
interface with the interface
.Ar parent-interface .
.It Cm -parent
Disassociate from the parent interface.
This breaks the link between the
.Xr nvgre 4
interface and its parent.
.It Cm rxprio Ar prio
Configure the source used for the packet priority when decapsulating a packet.
The value can be a priority number from 0 to 7, or
.Ar packet
to use the priority currently set on the packet.
If supported by the interface, the value may also be set to
.Ar outer
to have the priority field copied from the tunnel protocol headers, or
.Ar payload
to have the priority field copied from the encapsulated protocol headers.
.It Cm tunnel Ar src_address dest_address Ns Op : Ns Ar dest_port
Set the source and destination tunnel addresses on a tunnel interface.
Packets routed to this interface will be encapsulated in
IPv4 or IPv6, depending on the source and destination address families.
Both addresses must be of the same family.
The optional destination port can be specified for interfaces such as
.Xr vxlan 4 ,
which further encapsulate the packets in UDP datagrams.
This directive is incompatible with
.Cm tunneladdr .
.It Cm -tunnel
Remove the source and destination tunnel addresses.
.It Cm tunneladdr Ar src_address
Set the outer IP address of the tunnel.
This is useful for point-to-multipoint tunnels where peers are in different
subnets like
.Xr vxlan 4
endpoint mode or
.Xr mgre 4 .
It is incompatible with the
.Cm tunnel
directive.
.It Cm tunneldf
Do not allow fragmentation of encapsulated packets.
.It Cm -tunneldf
Allow fragmentation of encapsulated packets.
.It Cm tunneldomain Ar rtable
Use routing table
.Ar rtable
instead of the default table.
The tunnel does not need to terminate in the same routing domain as the
interface itself.
.Ar rtable
can be set to any valid routing table ID;
the corresponding routing domain is derived from this table.
.It Cm -tunneldomain
Use the default routing table and routing domain 0.
.It Cm tunnelttl Ar ttl
Set the IP or multicast TTL of the tunnel packets.
If supported by the tunnel protocol,
the value can also be set to
.Ar copy
to have the TTL copied between the encapsulated protocol headers
and the tunnel protocol headers.
.It Cm txprio Ar prio
Configure the value used for the priority field in the tunnel
protocol headers.
The value can be a priority number from 0 to 7, or
.Ar packet
to use the priority currently set on the packet.
If supported by the interface, the value can also be set to
.Ar payload
to have the priority field copied from the encapsulated protocol headers
to the tunnel protocol headers.
.It Cm vnetflowid
Use a portion of the virtual network identifier space for a flow identifier.
This allows load balancing of the encapsulated traffic over multiple
links.
.It Cm -vnetflowid
Disable the use of a flow identifier in the virtual network identifier.
.It Cm vnetid Ar network-id
Set the virtual network identifier.
This is a number which is used by tunnel protocols such as
.Xr eoip 4
and
.Xr vxlan 4
to identify packets with a virtual network.
The accepted size of the number depends on the individual tunnel protocol;
it is a 16-bit number for
.Xr eoip 4 ,
and a 24-bit number for
.Xr vxlan 4 .
If supported by the tunnel protocol,
the value can also be set to
.Ar any
to accept packets with arbitrary network identifiers (for example for
multipoint-to-multipoint modes).
.It Cm -vnetid
Clear the virtual network identifier.
.El
.Sh UMB
.nr nS 1
.Bk -words
.Nm ifconfig
.Ar umb-interface
.Op Oo Fl Oc Ns Cm apn Ar apn
.Op Cm chgpin Ar oldpin newpin
.Op Oo Fl Oc Ns Cm class Ar class,class,...
.Op Cm pin Ar pin
.Op Cm puk Ar puk newpin
.Op Oo Fl Oc Ns Cm roaming
.Ek
.nr nS 0
.Pp
The following options are available for a
.Xr umb 4
interface:
.Bl -tag -width Ds
.It Cm apn Ar apn
Set the Access Point Name (APN) required by the network provider.
.It Cm -apn
Clear the current APN.
.It Cm chgpin Ar oldpin newpin
Permanently change the PIN of the SIM card from the current value
.Ar oldpin
to
.Ar newpin .
.It Cm class
List all available cell classes.
.It Cm class Ar class,class,...
Set the preferred cell classes.
Apart from those listed by
.Cm class
the following aliases can be used:
.Ar 4G ,
.Ar 3G ,
and
.Ar 2G .
.It Cm -class
Clear any cell class preferences.
.It Cm down
Marking the interface as "down" will terminate any existing data connection
and deregister with the service provider.
.It Cm pin Ar pin
Enter the PIN required to unlock the SIM card.
Most SIM cards will not be able to establish a network association without
providing a PIN.
.It Cm puk Ar puk newpin
Sets the PIN of the SIM card to
.Ar newpin
using the PUK
.Ar puk
to validate the request.
.It Cm roaming
Enable data roaming.
.It Cm -roaming
Disable data roaming.
.It Cm up
As soon as the interface is marked as "up", the
.Xr umb 4
device will try to establish a data connection with the service provider.
.El
.Sh VEB
.nr nS 1
.Bk -words
.Nm ifconfig
.Ar veb-interface
.Op Cm add Ar child-iface
.Op Cm addspan Ar child-iface
.Op Cm del Ar child-iface
.Op Cm deladdr Ar address
.Op Cm delspan Ar child-iface
.Op Oo Fl Oc Ns Cm discover Ar child-iface
.Op Cm flushrule Ar interface
.Op Oo Fl Oc Ns Cm learn Ar child-iface
.Op Oo Fl Oc Ns Cm link0
.Op Oo Fl Oc Ns Cm link1
.Op Cm maxaddr Ar size
.Op Oo Fl Oc Ns Cm protected Ar child-iface ids
.Op Cm rule Ar filtering-rule
.Op Cm rulefile Ar filename
.Op Cm rules Ar interface
.Op Cm static Ar interface Ar address
.Op Cm timeout Ar time
.Op Cm up
.Ek
.nr nS 0
.Pp
The following options are available for a
.Xr veb 4
interface:
.Bl -tag -width Ds
.It Cm add Ar child-iface
Add
.Ar child-iface
as a member.
.It Cm addspan Ar child-iface
Add
.Ar child-iface
as a span port on the bridge.
.It Cm del Ar child-iface
Remove the member
.Ar child-iface .
.It Cm deladdr Ar address
Delete
.Ar address
from the cache.
.It Cm delspan Ar child-iface
Delete
.Ar child-iface
from the list of span ports of the bridge.
.It Cm discover Ar child-iface
Mark
.Ar child-iface
so that packets are sent out of the interface
if the destination port of the packet is unknown.
If the bridge has no address cache entry for the destination of
a packet, meaning that there is no static entry and no dynamically learned
entry for the destination, the bridge will forward the packet to all member
interfaces that have this flag set.
This is the default for interfaces added to the bridge.
.It Cm -discover Ar child-iface
Mark
.Ar child-iface
so that packets are not sent out of the interface
if the destination port of the packet is unknown.
Turning this flag
off means that the bridge will not send packets out of this interface
unless the packet is a broadcast packet, multicast packet, or a
packet with a destination address found on the interface's segment.
This, in combination with static address cache entries,
prevents potentially sensitive packets from being sent on
segments that have no need to see the packet.
.It Cm flushrule Ar interface
Remove all Ethernet MAC filtering rules from
.Ar interface .
.It Cm learn Ar child-iface
Mark
.Ar child-iface
so that the source address of packets received from
the interface
are entered into the address cache.
This is the default for interfaces added to the bridge.
.It Cm -learn Ar child-iface
Mark
.Ar child-iface
so that the source address of packets received from interface
are not entered into the address cache.
.It Cm link0
Disable the filtering of 802.1Q VLAN and QinQ SVLAN packets.
.It Cm -link0
Enable the filtering of 802.1Q VLAN and QinQ SVLAN packets.
This is the default.
.It Cm link1
Enable the filtering of IPv4 and IPv6 packets with
.Xr pf 4 .
.It Cm -link1
Disable the filtering of IPv4 and IPv6 packets with
.Xr pf 4 .
This is the default.
.It Cm protected Ar child-iface ids
Put
.Ar child-iface
in protected domains.
.Ar ids
is a comma delimited list of domain IDs, between 1 and 31, to put the
interface in.
Interfaces that are part of a protected domain cannot forward traffic to any
other interface in that domain.
Interfaces do not belong to any protected domain by default.
.It Cm -protected Ar child-iface
Remove
.Ar child-iface
from all protected domains.
.It Cm maxaddr Ar size
Set the address cache size to
.Ar size .
The default is 100 entries.
.It Xo
.Cm rule
.Cm block Ns | Ns Cm pass
.Op Cm in | out
.Cm on Ar interface
.Op Cm src Ar lladdr
.Op Cm dst Ar lladdr
.Bk -words
.Op Cm tag Ar tagname
.Oo
.Cm arp Ns | Ns Cm rarp Op Cm request | reply
.Op Cm sha Ar lladdr
.Op Cm spa Ar ipaddr
.Op Cm tha Ar lladdr
.Op Cm tpa Ar ipaddr
.Oc
.Ek
.Xc
Add a filtering rule to an interface.
Rules have a similar syntax to those in
.Xr pf.conf 5 .
Rules can be used to selectively
.Cm block
or
.Cm pass
frames based on Ethernet
MAC addresses or to
.Cm tag
packets for
.Xr pf 4
to filter on.
.Pp
.Xr arp 4
packets can be matched with the
.Cm arp
keyword for regular packets and
.Cm rarp
for reverse arp.
.Cm request
and
.Cm reply
limit matches to requests or replies.
The source and target host addresses can be matched with the
.Cm sha
and
.Cm tha
keywords,
and the protocol addresses with
.Cm spa
and
.Cm tpa .
.Pp
Rules are processed in the order in which they were added to the interface.
The first rule matched takes the action (block or pass)
and, if given, the tag of the rule.
If no source or destination address is specified, the
rule will match all frames (good for creating a catchall policy).
.It Cm rulefile Ar filename
Load a set of rules from the file
.Ar filename .
.It Cm rules Ar interface
Display the active filtering rules in use on
.Ar interface .
.It Cm static Ar interface Ar address
Add a static entry into the address cache pointing to
.Ar interface .
Static entries are never aged out of the cache or replaced, even if the address
is seen on a different interface.
.It Cm timeout Ar time
Set the timeout, in seconds, for addresses in the cache to
.Ar time .
The default is 240 seconds.
If
.Ar time
is set to zero, then entries will not be expired.
.It Cm up
Start forwarding packets.
.El
.Sh VLAN
.nr nS 1
.Bk -words
.Nm ifconfig
.Ar vlan-interface
.Op Oo Fl Oc Ns Cm parent Ar parent-interface
.Op Cm rxprio Ar prio
.Op Cm txprio Ar prio
.Op Oo Fl Oc Ns Cm vnetid Ar vlan-tag
.Ek
.nr nS 0
.Pp
The following options are available for
.Xr vlan 4
and
.Xr svlan 4
VLAN interfaces:
.Bl -tag -width Ds
.It Cm parent Ar parent-interface
Associate the VLAN interface with the interface
.Ar parent-interface .
Packets transmitted on
.Xr vlan 4
or
.Xr svlan 4
interfaces will be tagged with 802.1Q or 802.1ad headers respectively
and transmitted on the specified parent interface.
Packets with 802.1Q or 802.1ad tags received
by the parent interface with the specified VLAN tag will be diverted to
the associated VLAN interface.
Unless a custom Ethernet address is assigned to the VLAN interface,
it will inherit a copy of the parent interface's Ethernet address.
.It Cm -parent
Disassociate from the parent interface.
This breaks the link between the VLAN interface and its parent.
.It Cm rxprio Ar prio
Set the value used for the packet priority field.
Values may be from 0 to 7,
.Ar packet
to maintain the current packet priority, or
.Ar outer
to use the priority field in the 802.1Q or 802.1ad headers.
.It Cm txprio Ar prio
Set the value used for the priority field in the 802.1Q or 802.1ad
headers.
Values may be from 0 to 7, or
.Ar packet
to use the priority of packets transmitted on the interface.
.It Cm vnetid Ar vlan-tag
Set the VLAN tag value to
.Ar vlan-tag .
This value is a 12-bit number which is used in the 802.1Q or 802.1ad
headers in packets handled by
.Xr vlan 4
or
.Xr svlan 4
interfaces respectively.
Valid tag values are from 1 to 4094 inclusive.
.It Cm -vnetid
Clear the tag value.
Packets on a VLAN interface without a tag set will use a value of
0 in their headers.
.El
.Sh WIREGUARD
.nr nS 1
.Bk -words
.Nm ifconfig
.Ar wg-interface
.Op Cm wgkey Ar privatekey
.Op Cm wgport Ar port
.Op Cm wgrtable Ar rtable
.Op Fl wgpeerall
.Oo
.Oo Fl Oc Ns Cm wgpeer Ar publickey
.Op Oo Fl Oc Ns Cm wgdescr Ns Oo Cm iption Oc Ar value
.Op Cm wgaip Ar allowed-ip_address/prefix
.Op Cm wgendpoint Ar peer_address port
.Op Cm wgpka Ar interval
.Op Cm wgpsk Ar presharedkey
.Op Fl wgpsk
.Oc
.Ek
.nr nS 0
.Pp
Detailed peer information is available to the superuser when
.Nm
is run with the
.Fl A
flag or when passed specific
.Ar wg-interface
names.
.Pp
The following options are available for
.Xr wg 4
interfaces:
.Bl -tag -width Ds
.It Cm wgkey Ar privatekey
Set the private key of the interface.
The
.Ar privatekey
is 32 bytes, base64-encoded.
It can be generated as follows:
.Pp
.Dl $ openssl rand -base64 32
.Pp
The corresponding public key will then be displayed
in the interface status for distribution to peers.
.It Cm wgpeer Ar publickey
Specify an interface peer by its
.Ar publickey ,
which is 32 bytes, base64-encoded.
Repeat the option to specify multiple peers in a single command.
.It Cm -wgpeer Ar publickey
Remove the peer with the given
.Ar publickey .
.It Cm -wgpeerall
Remove all peers from the interface.
.It Cm wgport Ar port
Set the interface's UDP
.Ar port
for exchanging traffic with its peers.
The interface will bind to
.Dv INADDR_ANY
and
.Dv IN6ADDR_ANY_INIT .
By default, the interface will choose a port.
.It Cm wgrtable Ar rtable
Exchange traffic with peers under the routing table
.Ar rtable ,
instead of the default
.Xr rtable 4 .
The routing domain of the
.Ar rtable
needn't be the routing domain to which the interface is attached, in which
the interface's tunneled traffic appears.
.El
.Pp
Peer configuration options, which apply to the
.Cm wgpeer
immediately preceding them,
are as follows:
.Bl -tag -width Ds
.Tg wgdescription
.It Cm wgdescr Ns Oo Cm iption Oc Ar value
Set the peer's description.
This can be used to label peers in situations where they may
otherwise be difficult to distinguish.
.It Cm -wgdescr Ns Op Cm iption
Clear the peer description.
.It Cm wgaip Ar allowed-ip_address/prefix
Set the peer's IPv4 or IPv6
.Ar allowed-ip_address
range for tunneled traffic.
Repeat the option to set multiple ranges.
By default, no addresses are allowed.
.It Cm wgendpoint Ar peer_address port
Address traffic to the peer's IPv4 or IPv6
.Ar peer_address
and UDP
.Ar port .
The interface will track the peer, updating
.Cm wgendpoint
to the source of its last authenticated packet.
By default, the endpoint is unknown and so the peer cannot be addressed until
it initiates communication.
This implies that at least one peer in each pair must specify
.Cm wgendpoint .
.It Cm wgpka Ar interval
Set the
.Ar interval
of persistent keepalive packets in seconds.
The default, zero, disables these.
They can be used to maintain connectivity to a peer otherwise blocked
to unsolicited traffic by an intermediate firewall or NAT device.
For this, an
.Ar interval
of 25 seconds should suffice.
.It Cm wgpsk Ar presharedkey
Set a unique key pre-shared with the peer.
This strengthens the Diffie-Hellman exchange should in future a
quantum-computational attack on it become feasible.
The
.Ar presharedkey
is 32 bytes, base64-encoded.
It is optional but recommended and can be generated as follows:
.Pp
.Dl $ openssl rand -base64 32
.It Cm -wgpsk
Remove the pre-shared key for this peer.
.El
.Sh EXAMPLES
Assign the
address of 192.168.1.10 with a network mask of
255.255.255.0 to interface fxp0:
.Pp
.Dl # ifconfig fxp0 inet 192.168.1.10 netmask 255.255.255.0
.Pp
Configure the xl0 interface to use 100baseTX, full duplex:
.Pp
.Dl # ifconfig xl0 media 100baseTX mediaopt full-duplex
.Pp
Label the em0 interface as an uplink:
.Pp
.Dl # ifconfig em0 description \&"Uplink to Gigabit Switch 2\&"
.Pp
Create the gif1 network interface:
.Pp
.Dl # ifconfig gif1 create
.Pp
Put the athn0 wireless interface into monitor mode:
.Pp
.Dl # ifconfig athn0 mediaopt monitor
.Sh DIAGNOSTICS
Messages indicating the specified interface does not exist, the
requested address is unknown, or the user is not privileged and
tried to alter an interface's configuration.
.Sh SEE ALSO
.Xr netstat 1 ,
.Xr ifmedia 4 ,
.Xr inet 4 ,
.Xr intro 4 ,
.Xr netintro 4 ,
.Xr rtable 4 ,
.Xr hostname.if 5 ,
.Xr hosts 5 ,
.Xr rc 8 ,
.Xr route 8 ,
.Xr slaacd 8 ,
.Xr tcpdump 8
.Sh HISTORY
The
.Nm
command appeared in
.Bx 4.2 .
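The first-match ordering described for the VEB rule option, shown as an added example that is not part of this manual page or of OpenBSD's code: a simplified Python model that parses only the block/pass, in/out, on, src, dst and tag parts of a rule and evaluates a frame against an ordered list.
The interface name em1 and the MAC addresses are constructed, ARP matching is left out, and a frame that matches no rule yields None because the page does not describe that case.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                      # "block" or "pass"
    iface: str                       # interface the rule was added to
    direction: Optional[str] = None  # "in", "out", or None for both
    src: Optional[str] = None        # source MAC; None matches any
    dst: Optional[str] = None        # destination MAC; None matches any
    tag: Optional[str] = None        # tag handed to pf(4), if given

def parse_rule(text):
    """Parse 'block|pass [in|out] on iface [src lladdr] [dst lladdr] [tag name]'."""
    tok = text.split()
    if not tok or tok[0] not in ("block", "pass"):
        raise ValueError(f"rule must start with block or pass: {text!r}")
    rule = Rule(action=tok[0], iface="")
    i = 1
    if i < len(tok) and tok[i] in ("in", "out"):
        rule.direction = tok[i]
        i += 1
    if tok[i:i + 1] != ["on"] or i + 1 >= len(tok):
        raise ValueError(f"expected 'on interface': {text!r}")
    rule.iface = tok[i + 1]
    i += 2
    while i < len(tok):
        key = tok[i]
        if key not in ("src", "dst", "tag") or i + 1 >= len(tok):
            raise ValueError(f"unsupported or incomplete option {key!r}")
        value = tok[i + 1]
        setattr(rule, key, value if key == "tag" else value.lower())
        i += 2
    return rule

def evaluate(rules, iface, direction, src, dst):
    """Return (action, tag) of the first matching rule, or None if none match."""
    for r in rules:
        if (r.iface == iface
                and r.direction in (None, direction)
                and r.src in (None, src.lower())
                and r.dst in (None, dst.lower())):
            return (r.action, r.tag)  # first match wins; later rules are ignored
    return None

# Constructed ruleset: pass one known host on em1, then a catchall block.
RULES = [parse_rule(s) for s in (
    "pass in on em1 src 00:11:22:33:44:55 tag trusted",
    "block in on em1",
)]
# Same rules with the catchall added first: it shadows the pass rule.
SHADOWED = list(reversed(RULES))
```

Calling evaluate(SHADOWED, "em1", "in", ...) for the known host returns the block action, which is why a catchall rule belongs after the specific rules it is meant to back up.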