sbin/ifconfig/ifconfig.8

.\"	$OpenBSD: ifconfig.8,v 1.380 2021/11/14 03:02:06 kn Exp $
.\"	$NetBSD: ifconfig.8,v 1.11 1996/01/04 21:27:29 pk Exp $
.\"     $FreeBSD: ifconfig.8,v 1.16 1998/02/01 07:03:29 steve Exp $
.\"
.\" Copyright (c) 1983, 1991, 1993
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"     @(#)ifconfig.8	8.4 (Berkeley) 6/1/94
.\"
.Dd $Mdocdate: November 14 2021 $
.Dt IFCONFIG 8
.Os
.Sh NAME
.Nm ifconfig
.Nd configure network interface parameters
.Sh SYNOPSIS
.Nm ifconfig
.Op Fl AaC
.Op Ar interface
.Op Ar address_family
.Oo
.Ar address
.Op Ar dest_address
.Oc
.Op Ar parameters
.Sh DESCRIPTION
The
.Nm
utility is used to assign an address
to a network interface and/or configure
network interface parameters.
Generally speaking,
.Xr hostname.if 5
files are used at boot-time to define the network address
of each interface present on a machine;
.Nm
is used at
a later time to redefine an interface's address
or other operating parameters.
.Pp
.Nm
displays the current configuration for a network interface
when no optional parameters are supplied.
If a protocol family is specified,
.Nm
will report only the details specific to that protocol family.
If no parameters are provided, a summary of all interfaces is provided.
.Pp
Only the superuser may modify the configuration of a network interface.
.Pp
The following options are available:
.Bl -tag -width Ds
.It Fl A
Causes full interface alias information for each interface to
be displayed.
.It Fl a
Causes
.Nm
to print information on all interfaces.
The protocol family may be specified as well.
This is the default, if no parameters are given to
.Nm .
.It Fl C
Print the names of all network pseudo-devices that
can be created dynamically at runtime using
.Nm Cm create .
.It Ar interface
The
.Ar interface
parameter is a string of the form
.Dq name unit ,
for example,
.Dq en0 .
If no optional parameters are supplied, this string can instead be just
.Dq name .
If an interface group of that name exists, all interfaces in the group
will be shown.
Otherwise all interfaces of the same type will be displayed
(for example,
.Dq fxp
will display all
.Xr fxp 4
interfaces).
.It Ar address_family
Specifies the address family
which affects interpretation of the remaining parameters.
Since an interface can receive transmissions in differing protocols
with different naming schemes, specifying the address family is recommended.
The address or protocol families currently
supported are
.Dq inet
and
.Dq inet6 .
.It Ar address
An Internet version 4 or 6 address.
Valid formats are dot notation (IPv4),
colon-separated (IPv6),
CIDR notation,
or a host name present in the host name database,
.Xr hosts 5 .
.It Ar dest_address
Specify the address of the correspondent on the other end
of a point-to-point link.
.El
.Pp
The following
.Ar parameters
may be set with
.Nm :
.Bl -tag -width dest_addressxx
.It Cm alias
Establish an additional network address for this interface.
This is sometimes useful when changing network numbers, and
one wishes to accept packets addressed to the old interface.
.It Cm -alias
A synonym for
.Cm delete .
Use of this option is discouraged in favour of
.Cm delete .
.It Cm arp
Enable the use of the Address Resolution Protocol (ARP)
in mapping
between network level addresses and link level addresses (default).
.It Cm -arp
Disable the use of ARP.
.It Cm autoconf
Set the
.Sy AUTOCONF4
or
.Sy AUTOCONF6
flag on the interface, depending on
.Ar address_family .
.Xr slaacd 8
automatically configures IPv6 addresses for interfaces with
.Sy AUTOCONF6
set.
.Xr dhcpleased 8
automatically configures IPv4 addresses (using DHCP protocol)
for interfaces with
.Sy AUTOCONF4
set.
.Pp
Automatically mark the interface as
.Dq up .
.It Cm -autoconf
Unset the
.Sy AUTOCONF4
or
.Sy AUTOCONF6
flag on the interface, depending on
.Ar address_family .
.It Cm broadcast Ar addr
(inet only)
Specify the address to use to represent broadcasts to the
network.
The default broadcast address is the address with a host part of all 1's.
.It Cm create
Create the specified network pseudo-device.
A list of devices which can be dynamically created may be shown with the
.Fl C
option.
.It Cm debug
Enable driver-dependent debugging code; usually, this turns on
extra console error logging.
.It Cm -debug
Disable driver-dependent debugging code.
.It Cm delete
Remove the default inet address associated with the interface,
including any netmask or destination address configured with it.
An address and address family can be given to make the deletion more specific.
.Tg description
.It Cm descr Ns Oo Cm iption Oc Ar value
Specify a description of the interface.
This can be used to label interfaces in situations where they may
otherwise be difficult to distinguish.
.It Cm -descr Ns Op Cm iption
Clear the interface description.
.It Cm destroy
Destroy the specified network pseudo-device.
.It Cm down
Mark an interface
.Dq down .
When an interface is marked
.Dq down ,
the system will not attempt to
transmit messages through that interface.
If possible, the interface will be reset to disable reception as well.
This action automatically disables routes using the interface.
.It Cm group Ar group-name
Assign the interface to a group.
The
.Ar group-name
may not be longer than 15 characters and must not end with a digit.
Any interface can be in multiple groups.
.Pp
For instance, a group could be used to create a hardware independent
.Xr pf 4
ruleset (i.e. not one based on the names of NICs) using
existing (egress, carp, etc.) or user-defined groups.
.Pp
Some interfaces belong to specific groups by default:
.Pp
.Bl -dash -width Ds -compact
.It
All interfaces are members of the
.Dq all
interface group.
.It
Cloned interfaces are members of their interface family group.
For example, a PPP interface such as
.Dq ppp0
is a member of the
.Dq ppp
interface family group.
.It
.Xr pppx 4
interfaces are members of the
.Dq pppx
interface group.
.It
The interfaces the default routes point to are members of the
.Dq egress
interface group.
.It
IEEE 802.11 wireless interfaces are members of the
.Dq wlan
interface group.
.It
Any interfaces used for network booting are members of the
.Dq netboot
interface group.
.El
.It Cm -group Ar group-name
Remove the interface from the given group.
.It Cm hwfeatures
Display the interface hardware features:
.Pp
.Bl -tag -width 14n -offset indent -compact
.It Sy CSUM_IPv4
The device supports IPv4 checksum offload.
.It Sy CSUM_TCPv4
As above, for TCP in IPv4 datagrams.
.It Sy CSUM_UDPv4
As above, for UDP.
.It Sy VLAN_MTU
The device can handle full sized frames, plus the size
of the
.Xr vlan 4
tag.
.It Sy VLAN_HWTAGGING
On transmit, the device can add the
.Xr vlan 4
tag.
.It Sy CSUM_TCPv6
As CSUM_TCPv4, but supports IPv6 datagrams.
.It Sy CSUM_UDPv6
As above, for UDP.
.It Sy WOL
The device supports Wake on LAN (WoL).
.It Sy hardmtu
The maximum MTU supported.
.El
.It Cm -inet
Remove all configured
.Xr inet 4
addresses on the given interface.
.It Cm -inet6
Disable
.Xr inet6 4
on the given interface and remove all configured
.Xr inet6 4
addresses, including the link-local ones.
This is the default.
To turn inet6 on, use
.Cm eui64
or
.Cm autoconf ,
or assign any inet6 address.
.It Cm instance Ar minst
Set the media instance to
.Ar minst .
This is useful for devices which have multiple physical layer interfaces
(PHYs).
Setting the instance on such devices may not be strictly required
by the network interface driver as the driver may take care of this
automatically; see the driver's manual page for more information.
.It Cm link[0-2]
Enable special processing of the link level of the interface.
These three options are interface specific in actual effect; however,
they are in general used to select special modes of operation.
An example
of this is to select the connector type for some Ethernet cards.
Refer to the man page for the specific driver for more information.
.It Cm -link[0-2]
Disable special processing at the link level with the specified interface.
.It Cm lladdr Ar etheraddr Ns | Ns Cm random
Change the link layer address (MAC address) of the interface.
This should be specified as six colon-separated hex values, or can
be chosen randomly.
.It Cm llprio Ar prio
Set the priority for link layer communications
.Pf ( Xr arp 4 ,
.Xr bpf 4 ,
.Xr pppoe 4 ) .
.It Cm media Op Ar type
Set the media type of the interface to
.Ar type .
If no argument is given,
display a list of all available media.
.Pp
Some interfaces support the mutually exclusive use of one of several
different physical media connectors.
For example, a 10Mb/s Ethernet interface might support the use of either
AUI or twisted pair connectors.
Setting the media type to
.Dq 10base5
or
.Dq AUI
would change the currently active connector to the AUI port.
Setting it to
.Dq 10baseT
or
.Dq UTP
would activate twisted pair.
Refer to the interface's driver-specific man page for a complete
list of the available types,
or use the following command
for a listing of choices:
.Pp
.Dl $ ifconfig interface media
.It Cm mediaopt Ar opts
Set the specified media options on the interface.
.Ar opts
is a comma delimited list of options to apply to the interface.
Refer to the interface's driver-specific man page for a complete
list of available options,
or use the following command
for a listing of choices:
.Pp
.Dl $ ifconfig interface media
.It Cm -mediaopt Ar opts
Disable the specified media options on the interface.
.It Cm metric Ar nhops
Set the routing metric of the interface to
.Ar nhops ,
default 0.
The routing metric can be used by routing protocols.
Higher metrics have the effect of making a route less favorable.
.It Cm mode Ar mode
If the driver for the interface supports the media selection system,
force the mode of the interface to the given
.Ar mode .
For IEEE 802.11 wireless interfaces that support multiple modes,
this directive is used to select between 802.11a
.Pq Dq 11a ,
802.11b
.Pq Dq 11b ,
802.11g
.Pq Dq 11g ,
802.11n
.Pq Dq 11n ,
and 802.11ac
.Pq Dq 11ac
modes.
.It Cm -mode
Select the mode automatically.
This is the default for IEEE 802.11 wireless interfaces.
.It Cm monitor
Enable monitor mode on the interface, preventing the processing of
incoming packets by the network stack.
.It Cm -monitor
Disable monitor mode on the interface, allowing the processing of
incoming packets by the network stack.
.It Cm mpls
Enable Multiprotocol Label Switching (MPLS) on the interface,
allowing it to send and receive MPLS traffic.
.It Cm -mpls
Disable MPLS on the interface.
.It Cm mtu Ar value
Set the MTU for this device to the given
.Ar value .
Cloned routes inherit this value as a default.
For Ethernet devices which support setting the MTU,
a value greater than 1500 enables jumbo frames.
The
.Sy hardmtu
output from
.Cm hwfeatures
shows the maximum supported MTU.
.It Cm netmask Ar mask
(inet and inet6 only)
Specify how much of the address to reserve for subdividing
networks into subnetworks.
The mask includes the network part of the local address
and the subnet part, which is taken from the host field of the address.
The mask can be specified as a single hexadecimal number
with a leading 0x, or with a dot-notation Internet address.
The mask contains 1's for the bit positions in the 32-bit address
which are to be used for the network and subnet parts,
and 0's for the host part.
The mask should contain at least the standard network portion,
and the subnet field should be contiguous with the network
portion.
.It Cm prefixlen Ar n
(inet and inet6 only)
Effect is similar to
.Cm netmask ,
but you can specify prefix length by digits.
.It Cm priority Ar n
Set the interface routing priority to
.Ar n .
.Ar n
is in the range of 0 to 15 with smaller numbers being better.
The default priority of an interface is 0,
except for IEEE 802.11 wireless interfaces (priority 4),
.Xr umb 4
interfaces (priority 6),
and
.Xr carp 4
interfaces (priority 15).
The default priority of newly connected routes (routes created by
configuring an IP address on an interface) is calculated by adding 4
(RTP_CONNECTED) to the interface priority.
The default priority of new static routes added to the kernel is
calculated by adding 8 (RTP_STATIC) to the interface priority.
.It Cm rdomain Ar rdomainid
Attach the interface to the routing domain with the specified
.Ar rdomainid .
Interfaces in different routing domains are separated and cannot directly
pass traffic between each other.
It is therefore possible to reuse the same addresses in different routing
domains.
If the specified rdomain does not yet exist it will be created, including
a routing table with the same id.
By default all interfaces belong to routing domain 0.
.It Cm -rdomain
Remove the interface from the routing domain and return it to routing
domain 0.
Any inet and inet6 addresses on the interface will also be removed.
.It Cm rtlabel Ar route-label
(inet)
Attach
.Ar route-label
to new network routes of the specified interface.
Route labels can be used to implement policy routing;
see
.Xr route 4 ,
.Xr route 8 ,
and
.Xr pf.conf 5 .
.It Cm -rtlabel
Clear the route label.
.It Cm staticarp
If ARP is enabled, the host will only reply to requests for its addresses,
and will never send any requests.
.It Cm -staticarp
If ARP is enabled, the host will perform normally,
sending out requests and listening for replies.
.It Cm transceiver
Query and display information and diagnostics from GBIC and SFP
.\", or QSFP
modules installed in an interface.
It is only supported by drivers implementing the necessary functionality
on hardware which supports it.
.It Cm up
Mark an interface
.Dq up .
This may be used to enable an interface after an
.Cm ifconfig down .
It happens automatically when setting the first address on an interface.
If the interface was reset when previously marked down,
the hardware will be re-initialized.
.It Cm wol
Enable Wake on LAN (WoL).
When enabled, reception of a WoL frame will cause the network card to
power up the system from standby or suspend mode.
WoL frames are sent using
.Xr arp 8 .
.It Cm -wol
Disable WoL.
WoL is disabled at boot by the driver, if possible.
.El
.Sh BPE
.nr nS 1
.Bk -words
.Nm ifconfig
.Ar bpe-interface
.Op Oo Fl Oc Ns Cm parent Ar parent-interface
.Op Ns Cm vnetid Ar vnetid-tag
.Ek
.nr nS 0
.Pp
The following options are available for
.Xr bpe 4
interfaces:
.Bl -tag -width Ds
.It Cm parent Ar parent-interface
Associate the BPE interface with the interface
.Ar parent-interface .
.It Cm -parent
Disassociate from the parent interface.
This breaks the link between the BPE interface and its parent.
.It Cm vnetid Ar vnetid-tag
Set the virtual network identifier tag value to
.Ar vnetid-tag .
This is a 24-bit value in the range 0 to 16777215.
.El
.Sh BRIDGE
The following options are available for a
.Xr bridge 4
interface:
.Bl -tag -width Ds
.It Cm add Ar interface
Add
.Ar interface
as a member of the bridge.
The interface is put into promiscuous mode so
that it can receive every packet sent on the
network.
An interface can be a member of at most one bridge.
.It Cm addr
Display the addresses that have been learned by the bridge.
.It Cm addspan Ar interface
Add
.Ar interface
as a span port on the bridge.
.It Cm autoedge Ar interface
Automatically detect the spanning tree edge port status on
.Ar interface .
This is the default for interfaces added to the bridge.
.It Cm -autoedge Ar interface
Disable automatic spanning tree edge port detection on
.Ar interface .
.It Cm autoptp Ar interface
Automatically detect the point-to-point status on
.Ar interface
by checking the full duplex link status.
This is the default for interfaces added to the bridge.
.It Cm -autoptp Ar interface
Disable automatic point-to-point link detection on
.Ar interface .
.It Cm blocknonip Ar interface
Mark
.Ar interface
so that only IPv4, IPv6, ARP, and Reverse
ARP packets are accepted from it or forwarded to it from other
bridge member interfaces.
.It Cm -blocknonip Ar interface
Allow non-IPv4, IPv6, ARP, or Reverse ARP packets through
.Ar interface .
.It Cm del Ar interface
Remove
.Ar interface
from the bridge.
Promiscuous mode is turned off for the interface when it is
removed from the bridge.
.It Cm deladdr Ar address
Delete
.Ar address
from the cache.
.It Cm delspan Ar interface
Delete
.Ar interface
from the list of span ports of the bridge.
.It Cm discover Ar interface
Mark
.Ar interface
so that packets are sent out of the interface
if the destination port of the packet is unknown.
If the bridge has no address cache entry for the destination of
a packet, meaning that there is no static entry and no dynamically learned
entry for the destination, the bridge will forward the packet to all member
interfaces that have this flag set.
This is the default for interfaces added to the bridge.
.It Cm -discover Ar interface
Mark
.Ar interface
so that packets are not sent out of the interface
if the destination port of the packet is unknown.
Turning this flag
off means that the bridge will not send packets out of this interface
unless the packet is a broadcast packet, multicast packet, or a
packet with a destination address found on the interface's segment.
This, in combination with static address cache entries,
prevents potentially sensitive packets from being sent on
segments that have no need to see the packet.
.It Cm down
Stop the bridge from forwarding packets.
.It Cm edge Ar interface
Set
.Ar interface
as a spanning tree edge port.
An edge port is a single connection to the network and cannot create
bridge loops.
This allows a straight transition to forwarding.
.It Cm -edge Ar interface
Disable edge port status on
.Ar interface .
.It Cm flush
Remove all dynamically learned addresses from the cache.
.It Cm flushall
Remove all addresses from the cache including static addresses.
.It Cm flushrule Ar interface
Remove all Ethernet MAC filtering rules from
.Ar interface .
.It Cm fwddelay Ar time
Set the time (in seconds) before an interface begins forwarding packets.
Defaults to 15 seconds, minimum of 4, maximum of 30.
.It Cm hellotime Ar time
Set the time (in seconds) between broadcasting spanning tree protocol
configuration packets.
Defaults to 2 seconds, minimum of 1, maximum of 2.
This option is only supported in STP mode with rapid transitions disabled;
see the
.Cm proto
command for setting the protocol version.
.It Cm holdcnt Ar time
Set the transmit hold count, which is the number of spanning tree protocol
packets transmitted before being rate limited.
Defaults to 6, minimum of 1, maximum of 10.
.It Cm ifcost Ar interface num
Set the spanning tree path cost of
.Ar interface
to
.Ar num .
Defaults to 55, minimum of 1, maximum of 200000000 in RSTP mode,
and maximum of 65535 in STP mode.
.It Cm -ifcost Ar interface
Automatically calculate the spanning tree priority of
.Ar interface
based on the current link speed, interface status, and spanning tree mode.
This is the default for interfaces added to the bridge.
.It Cm ifpriority Ar interface num
Set the spanning tree priority of
.Ar interface
to
.Ar num .
Defaults to 128, minimum of 0, maximum of 240.
.It Cm learn Ar interface
Mark
.Ar interface
so that the source address of packets received from
the interface
are entered into the address cache.
This is the default for interfaces added to the bridge.
.It Cm -learn Ar interface
Mark
.Ar interface
so that the source address of packets received from interface
are not entered into the address cache.
.It Cm link0
Setting this flag stops all IP multicast packets from
being forwarded by the bridge.
.It Cm -link0
Clear the
.Cm link0
flag on the bridge interface.
.It Cm link1
Setting this flag stops all non-IP multicast packets from
being forwarded by the bridge.
.It Cm -link1
Clear the
.Cm link1
flag on the bridge interface.
.It Cm link2
Setting this flag causes all packets to be passed on to
.Xr ipsec 4
for processing, based on the policies established by the administrator
using the
.Xr ipsecctl 8
command and
.Xr ipsec.conf 5 .
If appropriate security associations (SAs) exist, they will be used to
encrypt or decrypt the packets.
Otherwise, any key management daemons such as
.Xr isakmpd 8
that are running on the bridge will be invoked to establish the
necessary SAs.
These daemons have to be configured as if they were running on the
host whose traffic they are protecting (i.e. they need to have the
appropriate authentication and authorization material, such as keys
and certificates, to impersonate the protected host(s)).
.It Cm -link2
Clear the
.Cm link2
flag on the bridge interface.
.It Cm maxaddr Ar size
Set the address cache size to
.Ar size .
The default is 100 entries.
.It Cm maxage Ar time
Set the time (in seconds) that a spanning tree protocol configuration is valid.
Defaults to 20 seconds, minimum of 6, maximum of 40.
.It Cm protected Ar interface ids
Put
.Ar interface
in protected domains.
.Ar ids
is a comma delimited list of domain IDs, between 1 and 31, to put the
interface in.
Interfaces that are part of a protected domain cannot forward traffic to any
other interface in that domain.
Interfaces do not belong to any protected domain by default.
.It Cm -protected Ar interface
Remove
.Ar interface
from all protected domains.
.It Cm proto Ar value
Force the spanning tree protocol version.
The available values are
.Ar rstp
to operate in the default Rapid Spanning Tree (RSTP) mode
or
.Ar stp
to force operation in Spanning Tree (STP) mode with rapid transitions disabled.
.It Cm ptp Ar interface
Set
.Ar interface
as a point-to-point link.
This is required for straight transitions to forwarding and
should be enabled for a full duplex link or a
.Xr trunk 4
with at least two physical links to the same network segment.
.It Cm -ptp Ar interface
Disable point-to-point link status on
.Ar interface .
This should be disabled for a half duplex link and for an interface
connected to a shared network segment,
like a hub or a wireless network.
.It Xo
.Cm rule
.Cm block Ns | Ns Cm pass
.Op Cm in | out
.Cm on Ar interface
.Op Cm src Ar lladdr
.Op Cm dst Ar lladdr
.Bk -words
.Op Cm tag Ar tagname
.Oo
.Cm arp Ns | Ns Cm rarp Op Cm request | reply
.Op Cm sha Ar lladdr
.Op Cm spa Ar ipaddr
.Op Cm tha Ar lladdr
.Op Cm tpa Ar ipaddr
.Oc
.Ek
.Xc
Add a filtering rule to an interface.
Rules have a similar syntax to those in
.Xr pf.conf 5 .
Rules can be used to selectively
.Cm block
or
.Cm pass
frames based on Ethernet
MAC addresses or to
.Cm tag
packets for
.Xr pf 4
to filter on.
.Pp
.Xr arp 4
packets can be matched with the
.Cm arp
keyword for regular packets and
.Cm rarp
for reverse arp.
.Cm request
and
.Cm reply
limit matches to requests or replies.
The source and target host addresses can be matched with the
.Cm sha
and
.Cm tha
keywords,
and the protocol addresses with
.Cm spa
and
.Cm tpa .
.Pp
Rules are processed in the order in which they were added to the interface.
The first rule matched takes the action (block or pass)
and, if given, the tag of the rule.
If no source or destination address is specified, the
rule will match all frames (good for creating a catchall policy).
.It Cm rulefile Ar filename
Load a set of rules from the file
.Ar filename .
.It Cm rules Ar interface
Display the active filtering rules in use on
.Ar interface .
.It Cm spanpriority Ar num
Set the spanning priority of this bridge to
.Ar num .
Defaults to 32768, minimum of 0, maximum of 61440.
.It Cm static Ar interface address
Add a static entry into the address cache pointing to
.Ar interface .
Static entries are never aged out of the cache or replaced, even if the address
is seen on a different interface.
.It Cm stp Ar interface
Enable spanning tree protocol on
.Ar interface .
.It Cm -stp Ar interface
Disable spanning tree protocol on
.Ar interface .
This is the default for interfaces added to the bridge.
.It Cm timeout Ar time
Set the timeout, in seconds, for addresses in the cache to
.Ar time .
The default is 240 seconds.
If
.Ar time
is set to zero, then entries will not be expired.
.It Cm up
Start the bridge forwarding packets.
.El
.Sh CARP
.nr nS 1
.Bk -words
.Nm ifconfig
.Ar carp-interface
.Op Cm advbase Ar n
.Op Cm advskew Ar n
.Op Cm balancing Ar mode
.Op Cm carpnodes Ar vhid:advskew,vhid:advskew,...
.Op Cm carpdev Ar iface
.Op Oo Fl Oc Ns Cm carppeer Ar peer_address
.Op Cm pass Ar passphrase
.Op Cm state Ar state
.Op Cm vhid Ar host-id
.Ek
.nr nS 0
.Pp
The following options are available for a
.Xr carp 4
interface:
.Bl -tag -width Ds
.It Cm advbase Ar n
Set the base advertisement interval to
.Ar n
seconds.
Acceptable values are 0 to 254; the default value is 1 second.
.It Cm advskew Ar n
Skew the advertisement interval by
.Ar n .
Acceptable values are 0 to 254; the default value is 0.
.It Cm balancing Ar mode
Set the load balancing mode to
.Ar mode .
Valid modes are
.Cm ip ,
.Cm ip-stealth ,
and
.Cm ip-unicast .
.It Cm carpnodes Ar vhid:advskew,vhid:advskew,...
Create a load balancing group consisting of up to 32 nodes.
Each node is specified as a
.Ar vhid:advskew
tuple in a comma-separated list.
.It Cm carpdev Ar iface
Attach to parent interface
.Ar iface .
.It Cm carppeer Ar peer_address
Send the carp advertisements to a specified
point-to-point peer or multicast group instead of sending the messages
to the default carp multicast group.
The
.Ar peer_address
is the IP address of the other host taking part in the carp cluster.
With this option,
.Xr carp 4
traffic can be protected using
.Xr ipsec 4
and it may be desired in networks that do not allow or have problems
with IPv4 multicast traffic.
.It Cm -carppeer
Send the advertisements to the default carp multicast
group.
.It Cm pass Ar passphrase
Set the authentication key to
.Ar passphrase .
There is no passphrase by default.
.It Cm state Ar state
Explicitly force the interface to enter this state.
Valid states are
.Ar init ,
.Ar backup ,
and
.Ar master .
.It Cm vhid Ar n
Set the virtual host ID to
.Ar n .
Acceptable values are 1 to 255.
.El
.Pp
Taken together, the
.Cm advbase
and
.Cm advskew
indicate how frequently, in seconds, the host will advertise the fact that it
considers itself master of the virtual host.
The formula is
.Cm advbase
+
.Pf ( Cm advskew
/ 256).
If the master does not advertise within three times this interval, this host
will begin advertising as master.
.Sh IEEE 802.11 (WIRELESS DEVICES)
.nr nS 1
.Bk -words
.Nm ifconfig
.Ar wireless-interface
.Op Oo Fl Oc Ns Cm bssid Ar bssid
.Op Oo Fl Oc Ns Cm chan Op Ar n
.Op Oo Fl Oc Ns Cm join Ar id
.Op Oo Fl Oc Ns Cm joinlist
.Op Oo Fl Oc Ns Cm nwflag Ar flag
.Op Oo Fl Oc Ns Cm nwid Ar id
.Op Oo Fl Oc Ns Cm nwkey Ar key
.Op Oo Fl Oc Ns Cm powersave Op Ar duration
.Op Cm scan
.Op Oo Fl Oc Ns Cm wpa
.Op Cm wpaakms Ar akm,akm,...
.Op Cm wpaciphers Ar cipher,cipher,...
.Op Cm wpagroupcipher Ar cipher
.Op Oo Fl Oc Ns Cm wpakey Ar passphrase | hexkey
.Op Cm wpaprotos Ar proto,proto,...
.Ek
.nr nS 0
.Pp
The following options are available for a wireless interface:
.Bl -tag -width Ds
.It Cm bssid Ar bssid
Set the desired BSSID.
.It Cm -bssid
Unset the desired BSSID.
The interface will automatically select a BSSID in this mode, which is
the default.
.It Cm chan Op Ar n
Set the channel (radio frequency) to
.Ar n .
.Pp
With no channel specified,
show the list of channels supported by the device.
.It Cm -chan
Unset the desired channel.
It doesn't affect the channel to be created for IBSS or Host AP mode.
.It Cm join Ar id
Add the network with ESSID
.Ar id
to the
.Cm join
list.
The interface will automatically attempt to connect to networks on this
list if they are found during a scan.
.Pp
The
.Ar id
can either be a printable ASCII string up to 32 characters in length,
or a series of hexadecimal digits up to 64 digits preceded by
.Dq 0x .
If
.Ar id
is the empty string
.Pq Qq
and none of the networks on the
.Cm join
list are found during a scan, the interface will automatically
connect to any available networks, provided they do not require
WEP or WPA authentication.
.Pp
Apart from the
.Ar id ,
the
.Cm join
list will record
.Cm wpakey ,
.Cm wpaprotos ,
or
.Cm nwkey
parameters for the network, provided they are passed in the same invocation of
.Nm .
Because multiple access points may exist in a given network, the
.Cm mode
(11a/11b/11g/11n/11ac),
.Cm chan ,
and
.Cm bssid
parameters cannot be stored with
.Cm join .
However, they may be used separately to force the selection of a
particular access point when the automatic access point selection
turns out to be suboptimal.
.Pp
.Cm join
and
.Cm nwid
cannot be used together in the same invocation of
.Nm .
.It Cm -join Ar id
Remove the network with ESSID
.Ar id
from the
.Cm join
list and disconnect the interface from the access point if it is currently
connected to this network.
The interface will keep scanning for access points as long as it remains
marked as
.Dq up .
A new connection will be established either if a network on the
.Cm join
list is found during the scan or if a network ID is configured with
.Cm nwid .
.It Cm joinlist
Show the list of networks stored on the
.Cm join
list.
.It Cm -joinlist
Remove all networks from the
.Cm join
list.
.It Cm nwflag Ar flag
Set specified flag.
The flag name can be:
.Bl -tag -width tenletters
.It hidenwid
The
.Ql hidenwid
flag will hide the network ID (ESSID) in beacon frames when operating
in Host AP mode.
It will also prevent responses to probe requests with an unspecified
network ID.
.It nobridge
The
.Ql nobridge
flag will disable the direct bridging of frames between associated
nodes when operating in Host AP mode.
Setting this flag will block and filter direct inter-station
communications.
.It nomimo
The
.Ql nomimo
flag will disable MIMO reception and transmission even if the driver
and wireless network device support MIMO.
This flag can be used to work around packet loss in 11n mode if the
wireless network device has unused antenna connectors.
.It stayauth
The
.Ql stayauth
flag will cause the interface to ignore deauth frames.
This flag should only be used on wifi networks which are being
attacked with spoofed deauth frames.
It breaks interoperability with spectrum management solutions and access
points that perform band-steering of clients.
.El
.Pp
Note that the
.Ql hidenwid
and
.Ql nobridge
options do not provide any security.
The hidden network ID will be sent in clear text by associating
stations and can be easily discovered with tools like
.Xr tcpdump 8
and
.Xr hostapd 8 .
.It Cm -nwflag Ar flag
Remove specified flag.
.It Cm nwid Ar id
Connect to the network with NWID/ESSID
.Ar id .
The
.Ar id
can either be a printable ASCII string up to 32 characters in length,
or a series of hexadecimal digits up to 64 digits preceded by
.Dq 0x .
.Pp
Unlike
.Cm join ,
the
.Cm nwid
option only allows one network to be configured at a time.
The
.Cm nwid
option may not be used together with
.Cm join
in the same invocation of
.Nm
but may be used to momentarily override the automatic selection of
networks stored in the
.Cm join
list.
.It Cm -nwid
Clear the network ID configured with
.Cm nwid
and disconnect the interface from the access point if it is currently
connected to this network.
The interface will keep scanning for access points as long as it remains
marked as
.Dq up .
A new connection will be established either if a network on the
.Cm join
list is found during the scan or if a network ID is configured with
.Cm nwid .
.It Cm nwkey Ar key
Enable WEP encryption using the specified
.Ar key .
The
.Ar key
can either be a string, a series of hexadecimal digits (preceded by
.So 0x Sc ) ,
or a set of keys
of the form
.Dq n:k1,k2,k3,k4
where
.Sq n
specifies which of the keys will be used for transmitted packets,
and the four keys,
.Dq k1
through
.Dq k4 ,
are configured as WEP keys.
If a set of keys is specified, a comma
.Pq Sq \&,
within the key must be escaped with a backslash.
Note that if multiple keys are used, their order must be the same within
the network.
.Pp
The length of each key must be either 40 bits for 64-bit encryption
(5-character ASCII string
or 10 hexadecimal digits)
or 104 bits for 128-bit encryption
(13-character ASCII string
or 26 hexadecimal digits).
.It Cm -nwkey
Disable WEP encryption.
.It Cm nwkey Cm persist
Enable WEP encryption using the persistent key stored in the network card.
.It Cm nwkey Cm persist : Ns Ar key
Write
.Ar key
to the persistent memory of the network card, and
enable WEP encryption using that
.Ar key .
.It Cm powersave
Enable 802.11 power saving mode.
Power saving is disabled by default.
See driver specific manual pages
to see details of the implementation relevant to that device.
.\" XXX
.\" Undocumented because optional sleep period
.\" only configurable on legacy an(4) and atw(4) devices.
.\" XXX
.\" Op Ar duration
.\" If enabled, the receiver sleep period is set to 100ms,
.\" though some drivers allow this to be altered via the
.\" .Ar duration
.\" argument.
.It Cm -powersave
Disable 802.11 power saving mode.
.It Cm scan
Show the results of an access point scan.
In Host AP mode, this will dump the list of known nodes without scanning.
In station mode, this will list each access point's SSID, channel,
MAC address (BSSID), received signal strength indicator, maximum data
transfer rate, and supported feature flags.
If an access point cannot be selected due to incompatibilities with the
interface configuration,
.Nm
indicates mismatching configuration items with an exclamation mark.
.Pp
Because the list of access points is continuously updated while a scan
is in progress,
.Cm scan
may sometimes show incomplete scan results.
.Pp
Some interfaces support scanning in the background while remaining
associated to the current access point.
The superuser may use
.Cm scan
to trigger a background scan while associated, which will update the scan
result list and also trigger a search for a better access point to roam to.
.It Cm wpa
Enable Wi-Fi Protected Access.
WPA is a Wi-Fi Alliance protocol based on the IEEE 802.11i standard.
It was designed to enhance the security of wireless networks.
Notice that not all drivers support WPA.
Check the driver's manual page to know if this option is supported.
.It Cm -wpa
Disable Wi-Fi Protected Access.
.It Cm wpaakms Ar akm,akm,...
Set the comma-separated list of allowed authentication and key management
protocols.
.Pp
The supported values are
.Dq psk
and
.Dq 802.1x .
.Ar psk
authentication (also known as personal mode) uses a 256-bit pre-shared key.
.Ar 802.1x
authentication (also known as enterprise mode) is used with
an external IEEE 802.1X authentication server,
such as wpa_supplicant.
The default value is
.Dq psk .
.Dq psk
can only be used if a pre-shared key is configured using the
.Cm wpakey
option.
.It Cm wpaciphers Ar cipher,cipher,...
Set the comma-separated list of allowed pairwise ciphers.
.Pp
The supported values are
.Dq tkip ,
.Dq ccmp ,
and
.Dq usegroup .
.Ar usegroup
specifies that no pairwise ciphers are supported and that only group keys
should be used.
The default value is
.Dq ccmp .
If multiple pairwise ciphers are specified, the pairwise cipher will
be negotiated between the station and the access point at association
time.
A station will always try to use
.Ar ccmp
over
.Ar tkip
if both ciphers are allowed and supported by the access point.
If the selected cipher is not supported by the hardware, software
encryption will be used.
Check the driver's manual page to know which ciphers are supported in
hardware.
.It Cm wpagroupcipher Ar cipher
Set the group cipher used to encrypt broadcast and multicast traffic.
.Pp
The supported values are
.Dq wep40 ,
.Dq wep104 ,
.Dq tkip ,
and
.Dq ccmp .
The default value is
.Dq ccmp .
The use of
.Ar tkip
or
.Ar wep40
or
.Ar wep104
as the group cipher is discouraged due to weaknesses in TKIP and WEP.
The
.Cm wpagroupcipher
option is available in Host AP mode only.
A station will always use the group cipher of the BSS.
.It Cm wpakey Ar passphrase | hexkey
Set the WPA key and enable WPA.
The key can be given using either a passphrase or a full length hex key,
starting with 0x.
If a passphrase is used the
.Cm nwid
or
.Cm join
option must first be specified, since
.Nm
will hash the nwid along with the passphrase to create the key.
.It Cm -wpakey
Delete the pre-shared WPA key and disable WPA.
.It Cm wpaprotos Ar proto,proto,...
Set the comma-separated list of allowed WPA protocol versions.
.Pp
The supported values are
.Dq wpa1
and
.Dq wpa2 .
.Ar wpa1
is based on draft 3 of the IEEE 802.11i standard whereas
.Ar wpa2
is based on the ratified standard.
The default value is
.Dq wpa2 .
If
.Dq wpa1,wpa2
is specified, a station will always use the
.Ar wpa2
protocol when supported by the access point.
.El
.Sh INET6
.nr nS 1
.Bk -words
.Nm ifconfig
.Ar interface
.Cm inet6
.Op Oo Fl Oc Ns Cm anycast
.Op Oo Fl Oc Ns Cm temporary
.Op Cm eui64
.Op Cm pltime Ar n
.Op Oo Fl Oc Ns Cm soii
.Op Oo Fl Oc Ns Cm tentative
.Op Cm vltime Ar n
.Ek
.nr nS 0
.Pp
The following options are available for an
.Xr ip6 4
interface:
.Bl -tag -width Ds
.It Cm anycast
Set the IPv6 anycast address bit.
.It Cm -anycast
Clear the IPv6 anycast address bit.
.It Cm temporary
Enable temporary address extensions for stateless IPv6 address
autoconfiguration (RFC 8981) on the interface.
These extensions are enabled by default.
The purpose of these extensions is to prevent tracking of individual
devices which connect to the IPv6 internet from different networks
using stateless autoconfiguration.
The interface identifier often remains constant and provides the lower
64 bits of an autoconfigured IPv6 address, facilitating tracking of
individual devices (and hence, potentially, users of these devices)
over long periods of time (weeks to months to years).
When these extensions are active, random interface identifiers are used
for autoconfigured addresses.
.Pp
Autoconfigured addresses are also made temporary, which means that they
will automatically be replaced regularly.
Temporary addresses are deprecated after 24 hours.
Once a temporary address has been deprecated, a new temporary address
will be configured upon reception of a router advertisement indicating
that the prefix is still valid.
Deprecated addresses will not be used for new connections as long as a
non-deprecated address remains available.
Temporary addresses become invalid after another 24 hours, at which time they
will be removed from the interface.
.It Cm -temporary
Disable IPv6 autoconf temporary address extensions on the interface.
Currently configured addresses will not be removed until they become
invalid.
.It Cm eui64
Fill the interface index
.Pq the lowermost 64 bits of an IPv6 address
automatically.
.It Cm pltime Ar n
Set preferred lifetime for the address, in seconds.
.It Cm soii
Enable persistent Semantically Opaque Interface Identifiers (SOIIs),
as per RFC 7217, for SLAAC addresses on the interface.
The purpose of these identifiers is to make discovery of hosts by
scanning a whole prefix more difficult.
SOIIs use the whole 64 bits of the host part while SLAAC addresses are
formed from MAC addresses which can lower the entropy to 24 bits if
the host is running in a virtualization environment or the hardware
manufacturer is known.
See RFC 7721 and RFC 8064 for details.
SOIIs are enabled by default.
.It Cm -soii
Disable IPv6 persistent Semantically Opaque Interface Identifiers on the
interface.
Currently configured addresses will not be removed until they become
invalid.
.It Cm tentative
Set the IPv6 tentative address bit.
.It Cm -tentative
Clear the IPv6 tentative address bit.
.It Cm vltime Ar n
Set valid lifetime for the address, in seconds.
.El
.Sh INTERFACE GROUPS
.Nm ifconfig
.Fl g
.Ar group-name
.Oo
.Oo Fl Oc Ns Cm carpdemote
.Op Ar number
.Oc
.Pp
The following options are available for interface groups:
.Bl -tag -width Ds
.It Fl g Ar group-name
Specify the group.
.It Cm carpdemote Op Ar number
Increase
.Xr carp 4
demotion counter for given interface group by
.Ar number .
Acceptable values are 0 to 128.
If
.Ar number
is omitted, it is increased by 1.
The maximum value for a demotion counter is 255.
.It Cm -carpdemote Op Ar number
Decrease
.Xr carp 4
demotion counter for given interface group by
.Ar number .
Acceptable values are 0 to 128.
If
.Ar number
is omitted, it is decreased by 1.
.El
.Sh MPLS
.nr nS 1
.Bk -words
.Nm ifconfig
.Ar mpls-interface
.Op Oo Fl Oc Ns Cm mplslabel Ar mpls-label
.Op Oo Fl Oc Ns Cm pwecw
.Op Oo Fl Oc Ns Cm pwefat
.Op Cm pweneighbor Ar mpls-label Ar neighbor
.Op Oo Fl Oc Ns Cm tunneldomain Ar rdomain
.Ek
.nr nS 0
.Pp
The following options are available for
.Xr mpe 4 ,
.Xr mpip 4 ,
and
.Xr mpw 4
interfaces:
.Bl -tag -width Ds
.It Cm mplslabel Ar mpls-label
Set the local MPLS label to
.Ar mpls-label .
MPLS packets sent to this label on the local system will be
decapsulated for input.
An MPLS label is a 20-bit number.
Labels 0 to 15 inclusive are reserved labels and cannot be used.
.It Cm -mplslabel
Unset the local MPLS label.
.It Cm tunneldomain Ar rdomain
Use the routing domain
.Ar rdomain
for MPLS transit.
The MPLS encapsulated traffic does not need to terminate in the same
routing domain as the interface itself.
.It Cm -tunneldomain
Use the default routing domain 0 for MPLS transit.
.El
.Pp
The following options are available for the
.Xr mpip 4
and
.Xr mpw 4
interfaces that provide MPLS Pseudowire Emulation Edge-to-Edge (PWE3)
functionality:
.Bl -tag -width Ds
.It Cm pwecw
Enable the use of the PWE3 Control Word.
.It Fl Ns Cm pwecw
Disable the use of the PWE3 Control Word.
.It Cm pwefat
Enable the use of the Flow-Aware Transport (FAT) flow label.
.It Fl Ns Cm pwefat
Disable the use of the Flow-Aware Transport (FAT) flow label.
.It Cm pweneighbor Ar mpls-label Ar neighbor
Use
.Ar mpls-label
and
.Ar neighbor
as the remote MPLS label and neighbor respectively.
Remote MPLS labels have the same restrictions on values as local MPLS labels.
.El
.Sh PAIR
.nr nS 1
.Bk -words
.Nm ifconfig
.Ar pair-interface
.Op Oo Fl Oc Ns Cm patch Ar interface
.Ek
.nr nS 0
.Pp
The following options are available for a
.Xr pair 4
interface:
.Bl -tag -width Ds
.It Cm patch Ar interface
Connect the interface with a second
.Xr pair 4
interface.
Any outgoing packets from the first
.Ar pair-interface
will be received by the second
.Ar interface ,
and vice versa.
This makes it possible to interconnect two routing domains locally.
.It Cm -patch
If configured, disconnect the interface pair.
.El
.Sh PFLOW
.nr nS 1
.Bk -words
.Nm ifconfig
.Ar pflow-interface
.Op Oo Fl Oc Ns Cm flowdst Ar addr : Ns Ar port
.Op Oo Fl Oc Ns Cm flowsrc Ar addr Ns Oo : Ns Ar port Oc
.Op Cm pflowproto Ar n
.Ek
.nr nS 0
.Pp
The following options are available for a
.Xr pflow 4
interface:
.Bl -tag -width Ds
.It Cm flowdst Ar addr : Ns Ar port
Set the receiver address and the port for
.Xr pflow 4
packets.
Both must be defined to export pflow data.
.Ar addr
is the IP address and
.Ar port
is the port number of the flow collector.
Pflow data will be sent to this address/port.
.It Cm -flowdst
Unset the receiver address and stop sending pflow data.
.It Cm flowsrc Ar addr Ns Oo : Ns Ar port Oc
Set the source IP address for pflow packets.
.Ar addr
is the IP address used as sender of the UDP packets and may be used to
identify the source of the data on the pflow collector.
.It Cm -flowsrc
Unset the source address.
.It Cm pflowproto Ar n
Set the protocol version.
The default is version 5.
.El
.Sh PFSYNC
.nr nS 1
.Bk -words
.Nm ifconfig
.Ar pfsync-interface
.Op Oo Fl Oc Ns Cm defer
.Op Cm maxupd Ar n
.Op Oo Fl Oc Ns Cm syncdev Ar iface
.Op Oo Fl Oc Ns Cm syncpeer Ar peer_address
.Ek
.nr nS 0
.Pp
The following options are available for a
.Xr pfsync 4
interface:
.Bl -tag -width Ds
.It Cm defer
Defer transmission of the first packet in a state until a peer has
acknowledged that the associated state has been inserted.
See
.Xr pfsync 4
for more information.
.It Cm -defer
Do not defer the first packet in a state.
This is the default.
.It Cm maxupd Ar n
Indicate the maximum number
of updates for a single state which can be collapsed into one.
This is an 8-bit number; the default value is 128.
.It Cm syncdev Ar iface
Use the specified interface
to send and receive pfsync state synchronisation messages.
.It Cm -syncdev
Stop sending pfsync state synchronisation messages over the network.
.It Cm syncpeer Ar peer_address
Make the pfsync link point-to-point rather than using
multicast to broadcast the state synchronisation messages.
The peer_address is the IP address of the other host taking part in
the pfsync cluster.
With this option,
.Xr pfsync 4
traffic can be protected using
.Xr ipsec 4 .
.It Cm -syncpeer
Broadcast the packets using multicast.
.El
.Sh PPPOE
.nr nS 1
.Bk -words
.Nm ifconfig
.Ar pppoe-interface
.Op Cm authkey Ar key
.Op Cm authname Ar name
.Op Cm authproto Ar proto
.Op Oo Fl Oc Ns Cm peerflag Ar flag
.Op Cm peerkey Ar key
.Op Cm peername Ar name
.Op Cm peerproto Ar proto
.Op Oo Fl Oc Ns Cm pppoeac Ar access-concentrator
.Op Cm pppoedev Ar parent-interface
.Op Oo Fl Oc Ns Cm pppoesvc Ar service
.Ek
.nr nS 0
.Pp
.Xr pppoe 4
uses the
.Xr sppp 4
"generic" SPPP framework.
Any options not described in the section immediately following
are described in the
.Sx SPPP
section, below.
.Pp
The following options are available for a
.Xr pppoe 4
interface:
.Bl -tag -width Ds
.It Cm pppoeac Ar access-concentrator
Set the name of the access-concentrator.
.It Cm -pppoeac
Clear a previously set access-concentrator name.
.It Cm pppoedev Ar parent-interface
Set the name of the interface through which
packets will be transmitted and received.
.It Cm pppoesvc Ar service
Set the service name of the interface.
.It Cm -pppoesvc
Clear a previously set service name.
.El
.Sh SPPP (PPP LINK CONTROL PROTOCOL)
.nr nS 1
.Bk -words
.Nm
.Ar sppp-interface
.Op Cm authkey Ar key
.Op Cm authname Ar name
.Op Cm authproto Ar proto
.Op Oo Fl Oc Ns Cm peerflag Ar flag
.Op Cm peerkey Ar key
.Op Cm peername Ar name
.Op Cm peerproto Ar proto
.Ek
.nr nS 0
.Pp
The following options are available for an
.Xr sppp 4
or
.Xr pppoe 4
interface:
.Bl -tag -width Ds
.It Cm authkey Ar key
Set the client key or password for the PPP authentication protocol.
.It Cm authname Ar name
Set the client name for the PPP authentication protocol.
.It Cm authproto Ar proto
Set the PPP authentication protocol on the specified
interface acting as a client.
The protocol name can be either
.Ql chap ,
.Ql pap ,
or
.Ql none .
In the latter case, authentication will be turned off.
.It Cm peerflag Ar flag
Set a specified PPP flag for the remote authenticator.
The flag name can be either
.Ql callin
or
.Ql norechallenge .
The
.Ql callin
flag will require the remote peer to authenticate only when he's
calling in, but not when the peer is called by the local client.
This is required for some peers that do not implement the
authentication protocols symmetrically.
The
.Ql norechallenge
flag is only meaningful with the CHAP protocol to not re-challenge
once the initial CHAP handshake has been successful.
This is used to work around broken peer implementations that can't
grok being re-challenged once the connection is up.
.It Cm -peerflag Ar flag
Remove a specified PPP flag for the remote authenticator.
.It Cm peerkey Ar key
Set the authenticator key or password for the PPP authentication protocol.
.It Cm peername Ar name
Set the authenticator name for the PPP authentication protocol.
.It Cm peerproto Ar proto
Set the PPP authentication protocol on the specified
interface acting as an authenticator.
The protocol name can be either
.Ql chap ,
.Ql pap ,
or
.Ql none .
In the latter case, authentication will be turned off.
.El
.Sh TPMR
.nr nS 1
.Bk -words
.Nm ifconfig
.Ar tpmr-interface
.Op Cm add Ar child-iface
.Op Cm del Ar child-iface
.Op Oo Fl Oc Ns Cm link0
.Op Oo Fl Oc Ns Cm link1
.Op Oo Fl Oc Ns Cm link2
.Ek
.Pp
The following options are available for a
.Xr tpmr 4
interface:
.Bl -tag -width Ds
.It Cm add Ar child-iface
Add
.Ar child-iface
as a member.
.It Cm del Ar child-iface
Remove the member
.Ar child-iface .
.It Cm link0
Disable the filtering of Ethernet frames destined for the TPMR
component reserved addresses, as specified by IEEE 802.1Q.
.It Cm -link0
Enable the filtering of Ethernet frames destined for the TPMR
component reserved addresses, as specified by IEEE 802.1Q.
This is the default.
.It Cm link1
Disable the filtering of IPv4 and IPv6 packets with
.Xr pf 4 .
.It Cm -link1
Enable the filtering of IPv4 and IPv6 packets with
.Xr pf 4 .
This is the default.
.It Cm link2
Disable the filtering of 802.1Q VLAN and QinQ SVLAN packets.
.It Cm -link2
Enable the filtering of 802.1Q VLAN and QinQ SVLAN packets.
This is the default.
.El
.Sh TRUNK (LINK AGGREGATION)
.nr nS 1
.Bk -words
.Nm ifconfig
.Ar trunk-interface
.Op Cm lacpmode Cm active Ns | Ns Cm passive
.Op Cm lacptimeout Cm fast Ns | Ns Cm slow
.Op Oo Fl Oc Ns Cm trunkport Ar child-iface
.Op Cm trunkproto Ar proto
.Ek
.nr nS 0
.Pp
The following options are available for
.Xr aggr 4
and
.Xr trunk 4
interfaces:
.Bl -tag -width Ds
.It Cm lacpmode Cm active Ns | Ns Cm passive
Set the LACP trunk mode to either
.Cm active
(default) or
.Cm passive .
.It Cm lacptimeout Cm fast Ns | Ns Cm slow
Set the LACP timeout speed to either
.Cm fast
or
.Cm slow
(default).
.It Cm trunkport Ar child-iface
Add
.Ar child-iface
as a trunk port.
.It Cm -trunkport Ar child-iface
Remove the trunk port
.Ar child-iface .
.It Cm trunkproto Ar proto
Set the link aggregation protocol on
.Xr trunk 4
interfaces.
Refer to
.Xr trunk 4
for a complete list of the available protocols.
.El
.Sh TUNNEL
.nr nS 1
.Bk -words
.Nm ifconfig
.Ar tunnel-interface
.Op Oo Fl Oc Ns Cm keepalive Ar period count
.Op Cm rxprio Ar prio
.Op Oo Fl Oc Ns Cm tunnel Ar src_address dest_address
.Op Oo Fl Oc Ns Cm tunneldf
.Op Oo Fl Oc Ns Cm tunneldomain Ar rtable
.Op Cm tunnelttl Ar ttl
.Op Cm txprio Ar prio
.Op Oo Fl Oc Ns Cm vnetflowid
.Op Oo Fl Oc Ns Cm vnetid Ar network-id
.Ek
.nr nS 0
.Pp
.Xr egre 4 ,
.Xr eoip 4 ,
.Xr etherip 4 ,
.Xr gif 4 ,
.Xr gre 4 ,
.Xr mgre 4 ,
.Xr nvgre 4 ,
and
.Xr vxlan 4
are all tunnel interfaces.
The following options are available:
.Bl -tag -width Ds
.It Cm keepalive Ar period count
Enable
.Xr gre 4
keepalive with a packet sent every
.Ar period
seconds.
A second timer is run with a timeout of
.Ar count
*
.Ar period .
If no keepalive response is received during that time, the link is considered
down.
The minimal usable
.Ar count
is 2 since the round-trip time of keepalive packets needs to be accounted for.
.It Cm -keepalive
Disable the
.Xr gre 4
keepalive mechanism.
.It Cm rxprio Ar prio
Configure the source used for the packet priority when decapsulating a packet.
The value can be a priority number from 0 to 7, or
.Ar packet
to use the priority currently set on the packet.
If supported by the interface, the value may also be set to
.Ar outer
to have the priority field copied from the tunnel protocol headers, or
.Ar payload
to have the priority field copied from the encapsulated protocol headers.
.It Cm tunnel Ar src_address dest_address Ns Op : Ns Ar dest_port
Set the source and destination tunnel addresses on a tunnel interface.
Packets routed to this interface will be encapsulated in
IPv4 or IPv6, depending on the source and destination address families.
Both addresses must be of the same family.
The optional destination port can be specified for interfaces such as
.Xr vxlan 4 ,
which further encapsulate the packets in UDP datagrams.
.It Cm -tunnel
Remove the source and destination tunnel addresses.
.It Cm tunneldf
Do not allow fragmentation of encapsulated packets.
.It Cm -tunneldf
Allow fragmentation of encapsulated packets.
.It Cm tunneldomain Ar rtable
Use routing table
.Ar rtable
instead of the default table.
The tunnel does not need to terminate in the same routing domain as the
interface itself.
.Ar rtable
can be set to any valid routing table ID;
the corresponding routing domain is derived from this table.
.It Cm -tunneldomain
Use the default routing table and routing domain 0.
.It Cm tunnelttl Ar ttl
Set the IP or multicast TTL of the tunnel packets.
If supported by the tunnel protocol,
the value can also be set to
.Ar copy
to have the TTL copied between the encapsulated protocol headers
and the tunnel protocol headers.
.It Cm txprio Ar prio
Configure the value used for the priority field in the tunnel
protocol headers.
The value can be a priority number from 0 to 7, or
.Ar packet
to use the priority currently set on the packet.
If supported by the interface, the value can also be set to
.Ar payload
to have the priority field copied from the encapsulated protocol headers
to the tunnel protocol headers.
.It Cm vnetflowid
Use a portion of the virtual network identifier space for a flow identifier.
This allows load balancing of the encapsulated traffic over multiple
links.
.It Cm -vnetflowid
Disable the use of a flow identifier in the virtual network identifier.
.It Cm vnetid Ar network-id
Set the virtual network identifier.
This is a number which is used by tunnel protocols such as
.Xr eoip 4
and
.Xr vxlan 4
to identify packets with a virtual network.
The accepted size of the number depends on the individual tunnel protocol;
it is a 16-bit number for
.Xr eoip 4 ,
and a 24-bit number for
.Xr vxlan 4 .
If supported by the tunnel protocol,
the value can also be set to
.Ar any
to accept packets with arbitrary network identifiers (for example for
multipoint-to-multipoint modes).
.It Cm -vnetid
Clear the virtual network identifier.
.El
.Sh UMB
.nr nS 1
.Bk -words
.Nm ifconfig
.Ar umb-interface
.Op Oo Fl Oc Ns Cm apn Ar apn
.Op Cm chgpin Ar oldpin newpin
.Op Oo Fl Oc Ns Cm class Ar class,class,...
.Op Cm pin Ar pin
.Op Cm puk Ar puk newpin
.Op Oo Fl Oc Ns Cm roaming
.Ek
.nr nS 0
.Pp
The following options are available for a
.Xr umb 4
interface:
.Bl -tag -width Ds
.It Cm apn Ar apn
Set the Access Point Name (APN) required by the network provider.
.It Cm -apn
Clear the current APN.
.It Cm chgpin Ar oldpin newpin
Permanently change the PIN of the SIM card from the current value
.Ar oldpin
to
.Ar newpin .
.It Cm class
List all available cell classes.
.It Cm class Ar class,class,...
Set the preferred cell classes.
Apart from those listed by
.Cm class
the following aliases can be used:
.Ar 4G ,
.Ar 3G ,
and
.Ar 2G .
.It Cm -class
Clear any cell class preferences.
.It Cm down
Marking the interface as "down" will terminate any existing data connection
and deregister with the service provider.
.It Cm pin Ar pin
Enter the PIN required to unlock the SIM card.
Most SIM cards will not be able to establish a network association without
providing a PIN.
.It Cm puk Ar puk newpin
Sets the PIN of the SIM card to
.Ar newpin
using the PUK
.Ar puk
to validate the request.
.It Cm roaming
Enable data roaming.
.It Cm -roaming
Disable data roaming.
.It Cm up
As soon as the interface is marked as "up", the
.Xr umb 4
device will try to establish a data connection with the service provider.
.El
.Sh VEB
.nr nS 1
.Bk -words
.Nm ifconfig
.Ar veb-interface
.Op Cm add Ar child-iface
.Op Cm addspan Ar child-iface
.Op Cm del Ar child-iface
.Op Cm delspan Ar child-iface
.Op Oo Fl Oc Ns Cm discover Ar child-iface
.Op Oo Fl Oc Ns Cm learn Ar child-iface
.Op Oo Fl Oc Ns Cm link0
.Op Oo Fl Oc Ns Cm link1
.Op Oo Fl Oc Ns Cm protected Ar child-iface ids
.Ek
.nr nS 0
.Pp
The following options are available for a
.Xr veb 4
interface:
.Bl -tag -width Ds
.It Cm add Ar child-iface
Add
.Ar child-iface
as a member.
.It Cm addspan Ar child-iface
Add
.Ar child-iface
as a span port on the bridge.
.It Cm del Ar child-iface
Remove the member
.Ar child-iface .
.It Cm delspan Ar child-iface
Delete
.Ar child-iface
from the list of span ports of the bridge.
.It Cm discover Ar child-iface
Mark
.Ar child-iface
so that packets are sent out of the interface
if the destination port of the packet is unknown.
If the bridge has no address cache entry for the destination of
a packet, meaning that there is no static entry and no dynamically learned
entry for the destination, the bridge will forward the packet to all member
interfaces that have this flag set.
This is the default for interfaces added to the bridge.
.It Cm -discover Ar child-iface
Mark
.Ar child-iface
so that packets are not sent out of the interface
if the destination port of the packet is unknown.
Turning this flag
off means that the bridge will not send packets out of this interface
unless the packet is a broadcast packet, multicast packet, or a
packet with a destination address found on the interface's segment.
This, in combination with static address cache entries,
prevents potentially sensitive packets from being sent on
segments that have no need to see the packet.
.It Cm learn Ar child-iface
Mark
.Ar child-iface
so that the source address of packets received from
the interface
are entered into the address cache.
This is the default for interfaces added to the bridge.
.It Cm -learn Ar child-iface
Mark
.Ar child-iface
so that the source address of packets received from interface
are not entered into the address cache.
.It Cm link0
Disable the filtering of 802.1Q VLAN and QinQ SVLAN packets.
.It Cm -link0
Enable the filtering of 802.1Q VLAN and QinQ SVLAN packets.
This is the default.
.It Cm link1
Enable the filtering of IPv4 and IPv6 packets with
.Xr pf 4 .
.It Cm -link1
Disable the filtering of IPv4 and IPv6 packets with
.Xr pf 4 .
This is the default.
.It Cm protected Ar child-iface ids
Put
.Ar interface
in protected domains.
.Ar ids
is a comma delimited list of domain IDs, between 1 and 31, to put the
interface in.
Interfaces that are part of a protected domain cannot forward traffic to any
other interface in that domain.
Interfaces do not belong to any protected domain by default.
.It Cm -protected Ar child-iface
Remove
.Ar child-iface
from all protected domains.
.El
.Sh VLAN
.nr nS 1
.Bk -words
.Nm ifconfig
.Ar vlan-interface
.Op Oo Fl Oc Ns Cm parent Ar parent-interface
.Op Cm rxprio Ar prio
.Op Cm txprio Ar prio
.Op Oo Fl Oc Ns Cm vnetid Ar vlan-tag
.Ek
.nr nS 0
.Pp
The following options are available for
.Xr vlan 4
and
.Xr svlan 4
VLAN interfaces:
.Bl -tag -width Ds
.It Cm parent Ar parent-interface
Associate the VLAN interface with the interface
.Ar parent-interface .
Packets transmitted on
.Xr vlan 4
or
.Xr svlan 4
interfaces will be tagged with 802.1Q or 802.1ad headers respectively
and transmitted on the specified parent interface.
Packets with 802.1Q or 802.1ad tags received
by the parent interface with the specified VLAN tag will be diverted to
the associated VLAN interface.
Unless a custom Ethernet address is assigned to the VLAN interface,
it will inherit a copy of the parent interface's Ethernet address.
.It Cm -parent
Disassociate from the parent interface.
This breaks the link between the VLAN interface and its parent.
.It Cm rxprio Ar prio
Set the value used for the packet priority field.
Values may be from 0 to 7,
.Ar packet
to maintain the current packet priority, or
.Ar outer
to use the priority field in the 802.1Q or 802.1ad headers.
.It Cm txprio Ar prio
Set the value used for the priority field in the 802.1Q or 802.1ad
headers.
Values may be from 0 to 7, or
.Ar packet
to use the priority of packets transmitted on the interface.
.It Cm vnetid Ar vlan-tag
Set the VLAN tag value to
.Ar vlan-tag .
This value is a 12-bit number which is used in the 802.1Q or 802.1ad
headers in packets handled by
.Xr vlan 4
or
.Xr svlan 4
interfaces respectively.
Valid tag values are from 1 to 4094 inclusive.
.It Cm -vnetid
Clear the tag value.
Packets on a VLAN interface without a tag set will use a value of
0 in their headers.
.El
.Sh WIREGUARD
.nr nS 1
.Bk -words
.Nm ifconfig
.Ar wg-interface
.Op Cm wgkey Ar privatekey
.Op Cm wgport Ar port
.Op Cm wgrtable Ar rtable
.Op Fl wgpeerall
.Oo
.Oo Fl Oc Ns Cm wgpeer Ar publickey
.Op Cm wgaip Ar allowed-ip_address/prefix
.Op Cm wgendpoint Ar peer_address port
.Op Cm wgpka Ar interval
.Op Cm wgpsk Ar presharedkey
.Op Fl wgpsk
.Oc
.Ek
.nr nS 0
.Pp
The following options are available for
.Xr wg 4
interfaces:
.Bl -tag -width Ds
.It Cm wgkey Ar privatekey
Set the private key of the interface.
The
.Ar privatekey
is 32 bytes, base64-encoded.
It can be generated as follows:
.Pp
.Dl $ openssl rand -base64 32
.Pp
The corresponding public key will then be displayed
in the interface status for distribution to peers.
.It Cm wgpeer Ar publickey
Specify an interface peer by its
.Ar publickey ,
which is 32 bytes, base64-encoded.
Repeat the option to specify multiple peers in a single command.
.It Cm -wgpeer Ar publickey
Remove the peer with the given
.Ar publickey .
.It Cm -wgpeerall
Remove all peers from the interface.
.It Cm wgport Ar port
Set the interface's UDP
.Ar port
for exchanging traffic with its peers.
The interface will bind to
.Dv INADDR_ANY
and
.Dv IN6ADDR_ANY_INIT .
By default, the interface will choose a port.
.It Cm wgrtable Ar rtable
Exchange traffic with peers under the routing table
.Ar rtable ,
instead of the default
.Xr rtable 4 .
The routing domain of the
.Ar rtable
needn't be the routing domain to which the interface is attached, in which
the interface's tunneled traffic appears.
.El
.Pp
Peer configuration options, which apply to the
.Cm wgpeer
immediately preceding them,
are as follows:
.Bl -tag -width Ds
.It Cm wgaip Ar allowed-ip_address/prefix
Set the peer's IPv4 or IPv6
.Ar allowed-ip_address
range for tunneled traffic.
Repeat the option to set multiple ranges.
By default, no addresses are allowed.
.It Cm wgendpoint Ar peer_address port
Address traffic to the peer's IPv4 or IPv6
.Ar peer_address
and UDP
.Ar port .
The interface will track the peer, updating
.Cm wgendpoint
to the source of its last authenticated packet.
By default, the endpoint is unknown and so the peer cannot be addressed until
it initiates communication.
This implies that at least one peer in each pair must specify
.Cm wgendpoint .
.It Cm wgpka Ar interval
Set the
.Ar interval
of persistent keepalive packets in seconds.
The default, zero, disables these.
They can be used to maintain connectivity to a peer otherwise blocked
to unsolicited traffic by an intermediate firewall or NAT device.
For this, an
.Ar interval
of 25 seconds should suffice.
.It Cm wgpsk Ar presharedkey
Set a unique key pre-shared with the peer.
This strengthens the Diffie-Hellman exchange should in future a
quantum-computational attack on it become feasible.
The
.Ar presharedkey
is 32 bytes, base64-encoded.
It is optional but recommended and can be generated as follows:
.Pp
.Dl $ openssl rand -base64 32
.It Cm -wgpsk
Remove the pre-shared key for this peer.
.El
.Sh EXAMPLES
Assign the
address of 192.168.1.10 with a network mask of
255.255.255.0 to interface fxp0:
.Pp
.Dl # ifconfig fxp0 inet 192.168.1.10 netmask 255.255.255.0
.Pp
Configure the xl0 interface to use 100baseTX, full duplex:
.Pp
.Dl # ifconfig xl0 media 100baseTX mediaopt full-duplex
.Pp
Label the em0 interface as an uplink:
.Pp
.Dl # ifconfig em0 description \&"Uplink to Gigabit Switch 2\&"
.Pp
Create the gif1 network interface:
.Pp
.Dl # ifconfig gif1 create
.Pp
Put the athn0 wireless interface into monitor mode:
.Pp
.Dl # ifconfig athn0 mediaopt monitor
.Sh DIAGNOSTICS
Messages indicating the specified interface does not exist, the
requested address is unknown, or the user is not privileged and
tried to alter an interface's configuration.
.Sh SEE ALSO
.Xr netstat 1 ,
.Xr ifmedia 4 ,
.Xr inet 4 ,
.Xr intro 4 ,
.Xr netintro 4 ,
.Xr route 4 ,
.Xr rtable 4 ,
.Xr hostname.if 5 ,
.Xr hosts 5 ,
.Xr rc 8 ,
.Xr slaacd 8 ,
.Xr tcpdump 8
.Sh HISTORY
The
.Nm
command appeared in
.Bx 4.2 .