Gentoo Linux x86 Handbook: Network configuration

The following networking portion of the handbook describes 'advanced' network configuration for systems running the OpenRC init system utilizing netifrc as the network management system.

For systems running systemd, readers should review see the networking portion of the systemd article.

If, in /etc/rc.conf, the rc_depend_strict variable is set to YES, then all network interfaces that provide "net" must be active before a dependency on "net" is assumed to be met. In other words, if a system has a net.eth0 and net.eth1 and an init script depends on "net", then both must be enabled.

On the other hand, if rc_depend_strict="NO" is set, then the "net" dependency is marked as resolved the moment at least one network interface is brought up.

But what about net.br0 depending on net.eth0 and net.eth1? net.eth1 may be a wireless or PPP device that needs configuration before it can be added to the bridge. This cannot be done in /etc/init.d/net.br0 as that's a symbolic link to net.lo.

That alone, however, is not sufficient. Gentoo's networking init scripts use a virtual dependency called "net" to inform the system when networking is available. Clearly, in the above case, networking should only be marked as available when net.br0 is up, not when the others are. So we need to tell that in /etc/conf.d/net as well:

Variable names are dynamic. They normally follow the structure of variable_${interface|mac|essid|apmac}. For example, the variable dhcpcd_eth0 holds the value for dhcpcd options for eth0 and dhcpcd_essid holds the value for dhcpcd options when any interface connects to the ESSID "essid".

However, there is no hard and fast rule that states interface names must be ethx. In fact, many wireless interfaces have names like wlanx, rax as well as ethx. Also, some user defined interfaces such as bridges can be given any name. To make life more interesting, wireless Access Points can have names with non alpha-numeric characters in them - this is important because users can configure networking parameters per ESSID.

The downside of all this is that Gentoo uses bash variables for networking - and bash cannot use anything outside of English alpha-numerics. To get around this limitation we change every character that is not an English alpha-numeric into an _ (underscore) character.

Another downside of bash is the content of variables - some characters need to be escaped. This can be achieved by placing the \ (backslash) character in front of the character that needs to be escaped. The following list of characters needs to be escaped in this way: ", ' and \.

In this example we use wireless ESSID as they can contain the widest scope of characters. We shall use the ESSID My "\ NET:

The above sets the DNS domain to My "\ NET when a wireless card connects to an AP whose ESSID is My "\ NET.

Network interface names are not chosen arbitrarily: the Linux kernel and the device manager (most systems have udev as their device manager although others are available as well) choose the interface name through a fixed set of rules.

• The onboard (on the interface itself) registered name of the network card, which is later seen through the ID_NET_NAME_ONBOARD value.
• The slot in which the network card is plugged in, which is later seen through the ID_NET_NAME_SLOT value.
• The path through which the network card device can be accessed, which is later seen through the ID_NET_NAME_PATH value.
• The (vendor-provided) MAC address of the card, which is later seen through the ID_NET_NAME_MAC value.

Given an active interface name, the values of the provided variables can be shown using udevadm:

As the first (and actually only) hit of the top three variables is ID_NET_NAME_PATH, its value is used as the interface name. If none of the variables contain values, then the system reverts back to the kernel-provided naming (eth0, eth1, etc.)

Before this change, network interface cards were named by the Linux kernel itself, depending on the order that drivers are loaded (amongst other, possibly more obscure reasons). This behavior can still be enabled by setting the net.ifnames=0 boot parameter in the boot loader.

The entire idea behind the change in naming is not to confuse people, but to make changing the names easier. Suppose a system has two interfaces that are otherwise called eth0 and eth1. One is meant to access the network through a wire, the other one is for wireless access. With the support for interface naming, users can have these called lan0 (wired) and wifi0 (wireless - it is best to avoid using the previously well-known names like eth* and wlan* as those can still collide with the suggested names).

Find out what the parameters are for the cards and then use this information to set up a custom own naming rule:

Because the rules are triggered before the default one (rules are triggered in alphanumerical order, so 70 comes before 80) the names provided in the rule file will be used instead of the default ones. The number granted to the file should be between 76 and 79 (the environment variables are defined by a rule start starts with 75 and the fallback naming is done in a rule numbered 80).

Netifrc supports modular networking scripts, which means support for new interface types and configuration modules can easily be added while keeping compatibility with existing ones.

Modules load by default if the package they need is installed. If users specify a module here that doesn't have its package installed then they get an error stating which package they need to install. Ideally, the modules setting is only used when two or more packages are installed that supply the same service and one needs to be preferred over the other.

We provide two interface handlers: ifconfig and iproute2. You need one of these to do any kind of network configuration.

Both are installed by default as part of the system profile. iproute2 is the more powerful and flexible package. ifconfig and net-tools should not be used anymore for networking configuration setups.

As iproute2 and ifconfig do very similar things, we allow their basic configuration to work with each other. For example, the below configuration works regardless of the module used.

DHCP is a means of obtaining an IP address, together with other network information (DNS server(s), gateway, etc.) from a server. With a DHCP server running on a network, the user just has to tell each device to obtain configuration information via DHCP, which is then used to configure the device automatically. Of course, this requires a network connection (e.g. via a wireless access point, PPPoE, etc.).

DHCP can be provided by dhclient or dhcpcd. Each DHCP module has its pros and cons - here is a quick run down:

If more than one DHCP client is installed, it is possible to specify which client to use by setting the "modules" variable, e.g. modules="dhcpcd". Otherwise, if dhcpcd is installed, it's used by default.

To send specific options to the DHCP module, use module_eth0="...", where module is the name of the DHCP module being used - for example, "dhcpcd_eth0".

We try to make DHCP relatively agnostic - as such we support the following commands using the dhcp_eth0 variable. The default is not to set any of them:

release

Releases the IP address for re-use.

nodns

Don't overwrite /etc/resolv.conf

nontp

Don't overwrite /etc/ntp.conf

nonis

Don't overwrite /etc/yp.conf

If PPPoE is used with a USB modem then make sure to emerge br2684ctl. Please read /var/db/repos/gentoo/net-dialup/speedtouch-usb/files/README for information on how to properly configure it.

APIPA tries to find a free address in the range 169.254.0.0-169.254.255.255 by using arping to ping a random address in that range on the interface. If no reply is received, that address is assigned to the interface.

This is only useful for LANs where:

• there is no DHCP server;
• the system doesn't connect directly to the Internet; and
• all other computers use APIPA.

For APIPA support, emerge net-misc/iputils with the arping USE flag or net-analyzer/arping.

Bonding is used to increase network bandwidth or to improve resiliency in the face of hardware failures. If a system has two network cards going to the same network, they can be bonded: applications will see just one interface, but both network cards will be used.

There are many ways to configure bonding. Some of them, such as the 802.3ad LACP mode, require support and additional configuration of the network switch. For a reference of the individual options, please refer to the local copy of /usr/src/linux/Documentation/networking/bonding.txt.

First, clear the configuration of the participating interfaces:

Next, define the bonding between the interfaces:

Remove the net.eth* services from the relevant runlevel, create a net.bond0 service, and add that service to the appropriate runlevel.

Bridging is used to join networks together. For example, a network may have a server that connects to the Internet via an ADSL modem, and also has a wireless adapter to allow other devices on the network to access the Internet via that modem. It is possible to create a bridge to join the two interfaces together.

It is possible to change the MAC address of the interfaces through the network configuration file too.

Tunneling does not require any additional software to be installed as the interface handler can do it.

A VLAN, Virtual LAN, is a group of network devices that behave as if they were connected to a single network segment, even though they may not be. Members of a VLAN can only see other members of the same VLAN, even when they share the same physical network.

To configure VLANs, first specify the VLAN numbers in /etc/conf.d/net like so:

Wireless networking on Linux is usually pretty straightforward. There are three ways of configuring wifi: graphical clients, text-mode interfaces, and command-line interfaces.

Wireless can also be configured from the command line by editing a few configuration files. This takes a bit more time to setup, but it also requires the fewest packages to download and install. Since the graphical clients are mostly self-explanatory (with helpful screen shots at their home pages), we'll focus on the command line alternatives.

There are three tools that support command-line driven wireless configurations: net-wireless/iw, net-wireless/wireless-tools, and net-wireless/wpa_supplicant. Of these three, net-wireless/wpa_supplicant is the preferred one. The important thing to remember is that wireless networks are configured on a global basis and not an interface basis.

The net-wireless/iw software, the successor of net-wireless/wireless-tools, supports nearly all cards and drivers, but it cannot connect to WPA-only Access Points. If the networks only offer WEP encryption or are completely open, then net-wireless/iw beats the other package over simplicity.

Some wireless cards are deactivated by default. To activate them, please consult the hardware documentation. Some of these cards can be unblocked using the rfkill application. If that is the case, use rfkill list to see the available cards and rfkill unblock INDEX to activate the wireless functionality. If not, then the wireless card might need to be unlocked through a button, switch or special key combination on the laptop.

Next, configure /etc/conf.d/net so that the wpa_supplicant module is preferred over wireless-tools (if both are installed, wireless-tools is the default).

Next configure wpa_supplicant itself (which is a bit more tricky depending on how secure the Access Points are). The below example is taken and simplified from /usr/share/doc/wpa_supplicant-<version>/wpa_supplicant.conf.gz which ships with wpa_supplicant.

The wireless tools project provides a generic way to configure basic wireless interfaces up to the WEP security level. While WEP is a weak security method it's still prevalent in the world.

Wireless tools configuration is controlled by a few main variables. The sample configuration file below should describe all that is needed. One thing to bear in mind is that no configuration means "connect to the strongest unencrypted Access Point" - wireless tools will always try and connect the system to something.

One way is to configure the system so it only connects to preferred APs. By default if everything configured has failed and wireless-tools can connect to an unencrypted Access Point then it will. This can be controlled by the associate_order variable. Here's a table of values and how they control this.

There is also the blacklist_aps and unique_ap selection. blacklist_aps works in a similar way to preferred_aps. unique_ap is a yes or no value that says if a second wireless interface can connect to the same Access Point as the first interface.

To set the system up as an ad-hoc node when it fails to connect to any Access Point in managed mode, use this as a fallback:

It is also possible to connect to ad-hoc networks, or to run the system in master mode so it becomes an access point itself.

There are some more variables that can help to get the wireless up and running due to driver or environment problems. Here's a table of other things that can be tried.

In this section, we show how to configure network settings based on the ESSID. For instance, with the wireless network with ESSID ESSID1 configure a static IP address while ESSID ESSID2 uses DHCP.