{"id":13510883,"url":"https://github.com/catalyst/l3overlay","last_synced_at":"2025-06-13T15:35:33.735Z","repository":{"id":66891476,"uuid":"50635217","full_name":"catalyst/l3overlay","owner":"catalyst","description":"IPsec overlay network manager","archived":false,"fork":false,"pushed_at":"2017-08-09T04:43:21.000Z","size":550,"stargazers_count":16,"open_issues_count":1,"forks_count":1,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-04-05T00:41:21.650Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/catalyst.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2016-01-29T03:40:07.000Z","updated_at":"2020-03-15T06:10:45.000Z","dependencies_parsed_at":"2023-05-13T01:30:42.994Z","dependency_job_id":null,"html_url":"https://github.com/catalyst/l3overlay","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/catalyst%2Fl3overlay","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/catalyst%2Fl3overlay/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/catalyst%2Fl3overlay/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/catalyst%2Fl3overlay/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/catalyst","download_url":"https://codeload.github.com/catalyst/l3overlay/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"
github","repositories_count":251154579,"owners_count":21544523,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T02:01:57.975Z","updated_at":"2025-04-27T14:33:26.871Z","avatar_url":"https://github.com/catalyst.png","language":"Python","funding_links":[],"categories":["Python","others"],"sub_categories":[],"readme":"l3overlay\n=========\n\nl3overlay is a tool used to build an MPLS-like VRF network between nodes/firewalls across the Internet. It uses a combination of network namespaces and gretap tunnels (with optional IPsec encapsulation for security) to create an \"overlay\" over the participating nodes' Internet connections.\n\nPrerequisites\n-------------\n\nThe following software packages are required to use the `Makefile` features:\n\n* **make**\n* **pylint**\n* **pip**\n\nThe following Python modules are required to use `setup.py` to install l3overlay:\n\n* **setuptools**\n\nThe following software packages are required to run l3overlay:\n\n* **Python**, version **3.4** or later\n* **iproute2**\n* **BIRD** routing daemon, version **1.4.3** or later\n* **strongSwan** IPsec and its optional OpenSSL plugin (if `use-ipsec` is set to `true` in `global.conf`)\n\nThe following Python modules are also required to run l3overlay:\n\n* **pyroute2**, version **0.4.6** or later\n* **jinja2**\n\nThe following configuration settings should be set in `/etc/sysctl.conf`, to enable IPv4 (and IPv6 if desired) packet forwarding:\n\n    net.ipv4.ip_forward=1\n    net.ipv6.conf.all.forwarding=1\n\nIf you intend to use the static VLAN functionality in the overlay, the 
following Linux kernel module should be enabled by inserting this line into `/etc/modprobe.conf`, if it is not enabled by default:\n\n    8021q\n\nInstallation\n------------\n\nl3overlay can be installed to the default location by simply using:\n\n    sudo make install\n\nBy default, this will install the executables into `/usr/local/sbin`.\n\nSee the `Makefile` for more details on how to change the installation locations.\n\n`l3overlayd` looks for files in the following directories, in the order shown:\n\n1. `(current working directory)`\n2. `(current working directory)/../etc/l3overlay`\n3. `(current working directory)/etc/l3overlay`\n4. `(executable directory)`\n5. `(executable directory)/../etc/l3overlay`\n6. `(executable directory)/etc/l3overlay`\n7. `/etc/l3overlay`\n8. `(package data)` (for the configuration templates directory)\n\nAny configuration files or directories mentioned in this document should be placed in any of the directories mentioned above. For instance, assuming `/etc/l3overlay` is the chosen directory, the global configuration and a test overlay configuration would be placed in the following filepaths:\n\n* `/etc/l3overlay/global.conf`\n* `/etc/l3overlay/overlays/example.conf`\n\nRunning\n-------\n\nOnce l3overlay is installed and configured, it can be executed by simply running the `l3overlayd` command if it is located in the `PATH` environment variable, or by running the executable directly if it is not.\n\nIf the `systemd-install`, `sysv-install` or `upstart-install` make targets are used, a systemd unit file, an Upstart configuration file or System V init script would have been installed to the system.\n\nTo start l3overlay as a service, simply run:\n\n    sudo service l3overlay start\n\nTo ensure that l3overlay starts with the system using the System V init script, this command should also be run (on Ubuntu):\n\n    sudo update-rc.d l3overlay defaults\n\nThe command `l3overlayd --help` documents the optional arguments which can be used. 
Many of the optional arguments have equivalents in `global.conf`, and if both are defined, the command line arguments override the configuration values.\n\n```\nusage: l3overlayd [-h] [-dr] [-ll LEVEL] [-ui] [-im] [-ocd DIR] [-td DIR]\n                  [-fsd DIR] [-Ld DIR] [-gc FILE] [-oc FILE [FILE ...]]\n                  [-l FILE] [-p FILE] [-ic FILE] [-is FILE]\n\nConstruct one or more MPLS-like VRF networks using IPsec tunnels and network\nnamespaces.\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -dr, --dry-run        test configuration and daemon without modifying the\n                        system\n  -ll LEVEL, --log-level LEVEL\n                        use LEVEL as the logging level parameter\n  -ui, --use-ipsec      use IPsec encapsulation on the overlay mesh\n  -im, --ipsec-manage   operate in IPsec daemon management mode\n  -ocd DIR, --overlay-conf-dir DIR\n                        use DIR as the overlay conf search directory\n  -td DIR, --template-dir DIR\n                        use DIR as the configuration template search directory\n  -fsd DIR, --fwbuilder-script-dir DIR\n                        use DIR as the fwbuilder script search directory\n  -Ld DIR, --lib-dir DIR\n                        use DIR as the runtime data directory\n  -gc FILE, --global-conf FILE\n                        use FILE as the global configuration file\n  -oc FILE [FILE ...], --overlay-conf FILE [FILE ...]\n                        configure the overlay defined in FILE, disables\n                        overlay config directory searching\n  -l FILE, --log FILE   log output to FILE\n  -p FILE, --pid FILE   write the daemon PID to FILE\n  -ic FILE, --ipsec-conf FILE\n                        write IPsec configuration to FILE\n  -is FILE, --ipsec-secrets FILE\n                        write IPsec secrets to FILE\n```\n\nAlso installed alongside `l3overlayd` is `l3overlay-birdc`, a wrapper script to `birdc` that uses the l3overlay configuration 
to allow it to easily connect to an overlay's internal BIRD server, without the user having to find its control socket file.\n\n```\nusage: l3overlay-birdc [-h] [-gc FILE] [-Ld DIR] [-6] OVERLAY [BIRDC-ARG [BIRDC-ARG...]]\n\nl3overlay overlay-specific birdc wrapper.\n\npositional arguments:\n  OVERLAY               launch birdc under overlay OVERLAY\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -gc FILE, --global-conf FILE\n                        use FILE as the global configuration file\n  -Ld DIR, --lib-dir DIR\n                        use DIR as the runtime data directory (overrides -gc)\n  -6, --use-bird6       launch birdc for bird6 (default is bird4)\n```\n\nExample configuration\n----------------------\n\nAn example configuration needed to get a working overlay set up may look something like this. More settings are available for the overlays to set up connections to be exposed to the overlay from the nodes, available in the *Global configuration* and *Overlay configuration* sections below.\n\n### global.conf\n\n```ini\n[global]\nlogging-level=INFO\nuse-ipsec=true\nipsec-psk={psk}\n```\n\n### overlays/example.conf (on node example-1)\n\n```ini\n[overlay]\nname=example\nasn=64666\nlinknet-pool=198.51.100.0/24\nthis-node=example-1\nnode-0=example-1 192.0.2.1\nnode-1=example-2 192.0.2.2\nnode-2=example-3 192.0.2.3\nnode-3=example-4 192.0.2.4\n```\n\nGlobal configuration\n--------------------\n\nGlobal configuration values for l3overlay are to be defined in `global.conf`.\n\nThis file is optional, since all of the configuration options defined here are not strictly required.\n\nIf an IPsec PSK is stored in the global configuration, the permissions should be set such that the user running `l3overlayd` is the only user with read permission to the global configuration.\n\n### [global]\n\nAll `global.conf` configuration values come under the `[global]` section.\n\n#### dry-run\n* Type: **boolean**\n* Required: no\n\nSpecifies 
whether or not to make any changes to the system during operation. Used for development and configuration testing purposes. The default value is `false`.\n\n#### log-level\n* Type: **enum**\n* Required: no\n* Values: `NOTSET`, `DEBUG`, `INFO`, `WARNING`, `ERROR`, `CRITICAL`\n\nSpecifies the logging output level that l3overlay should use. The default value is `INFO`.\n\n#### use-ipsec\n* Type: **boolean**\n* Required: no\n\nSpecifies whether or not transport mode IPsec VPNs should be used to encrypt the overlay mesh tunnels. The default value is `false`. If set to `true`, strongSwan should be installed on the system.\n\n#### ipsec-psk\n* Type: **hex**, 6-64 digits\n* Required: **yes**, **IF** `use-ipsec` is `true`\n\nThe hex string used as the pre-shared key (PSK) for authentication of the IPsec tunnels encapsulating the overlay. The PSK must be at least 6 digits long, and has a maximum length of 64 digits.\n\n#### ipsec-manage\n* Type: **boolean**\n* Required: no\n\nThe default value is `true`. Read the description for this configuration option carefully, as it completely changes the way l3overlay handles IPsec.\n\nIf `true`, l3overlay will assume that it is to manage the IPsec daemon. When it does this, it will install the IPsec configuration to `/etc/ipsec.conf`, and it will also take control of the `/etc/ipsec.secrets` file, making it a stub file which links to the l3overlay IPsec secrets located in `/etc/ipsec.l3overlay.secrets`. Also, it will start the IPsec daemon when `l3overlayd` starts, and shut it down with `l3overlayd` when it shuts down.\n\nIf `false`, l3overlay will assume that IPsec is being managed elsewhere. In this mode, it will install the IPsec configuration to `l3overlay.conf` under the `/etc/ipsec.d` directory, and the stub file will not be installed to `/etc/ipsec.secrets`, instead relying on an existing one to include `/etc/ipsec.l3overlay.secrets`. 
When starting IPsec, `l3overlayd` will start the IPsec daemon if it is not running, but it will only make sure that its tunnels are started and stopped when `l3overlayd` is being started and stopped, respectively.\n\nNote that if this option is set to `false`, then `l3overlayd` will **NOT** manage IPsec, as it is assumed that the user will want to configure IPsec themselves. A suitable `/etc/ipsec.conf` and `/etc/ipsec.secrets` file **MUST** be provided, which will include the l3overlay IPsec configuration files described above.\n\n#### lib-dir\n* Type: **filepath**\n* Required: no\n\nSpecifies the directory to store `l3overlayd` runtime state information. The default value is `/var/lib/l3overlay`.\n\n#### fwbuilder-script-dir\n* Type: **filepath**\n* Required: no\n\nSpecifies the directory to look for `fwbuilder-script` relative paths defined in overlay configurations. The default value is found using the `l3overlayd` search mechanism defined in the *Installation* section, looking for a directory named `fwbuilder-scripts`.\n\n#### overlay-conf-dir\n* Type: **filepath**\n* Required: no\n\nSpecifies the directory to look for overlay configuration files. The default value is found using the `l3overlayd` search mechanism defined in the *Installation* section, looking for a directory named `overlays`.\n\n#### template-dir\n* Type: **filepath**\n* Required: no\n\nSpecifies the directory to look for the configuration template files. The default value is found using the `l3overlayd` search mechanism defined in the *Installation* section, looking for a directory named `templates`.\n\n#### log\n* Type: **filepath**\n* Required: no\n\nSpecifies the file path to write logging output to. `l3overlayd` does not log output to any file by default.\n\n#### pid\n* Type: **filepath**\n* Required: no\n\nSpecifies the file path to write the PID file to. 
The default value is `/var/run/l3overlayd.pid`.\n\n#### ipsec-conf\n* Type: **filepath**\n* Required: no\n\nSpecifies the file path to write the IPsec configuration file to. The default value is `/etc/ipsec/l3overlay.conf`.\n\n#### ipsec-secrets\n* Type: **filepath**\n* Required: no\n\nSpecifies the file path to write the IPsec secrets file to. The default value is `/etc/ipsec.secrets` if `ipsec-manage` is `true`, and `/etc/ipsec.l3overlay.secrets` if `ipsec-manage` is `false`.\n\nOverlay configuration\n---------------------\n\nEach overlay to be set up gets its own configuration file, to be located in the `overlays` directory.\n\n### [overlay]\n\nConfiguration settings for the overlay, and the mesh tunnels which make the communication channels for the overlay.\n\n#### name\n* Type: **name**\n* Required: **yes**\n\nThe name the overlay will be referred to. Also used to name the network namespace.\n\n#### asn\n* Type: **integer**, range 0 \u003c= **asn** \u003c= 65535\n* Required: **yes**\n\nThe BGP autonomous system (AS) number the overlay will configure the mesh tunnel routing system with.\n\n#### linknet-pool\n* Type: **ip network**\n* Required: **yes**\n\nThe IP network range which can be divided into two-node subnets (`/31` for IPv4, `/127` for IPv6), and then used to address the mesh tunnels in the overlay.\n\n#### this-node\n* Type: **name**\n* Required: **yes**\n\nThe name of the node to configure the overlay for. The name specified here **MUST** be located in the list of nodes, described below.\n\n#### node-*{int}*\n* Type: {**name**} {**ip address**}\n* Required: **yes**, at least **TWO**\n\nThe list of nodes in the mesh, with the Internet-accessible IP address used to build the overlay. A working overlay should have at least two nodes specified here.\n\nThe order of the nodes (`node-0`, `node-1`, ...) does not matter significantly, unless new nodes are to be added to the list. New nodes may **ONLY** be appended to the end of the list. 
This is because if new nodes are added at any other position in the list, it will cause the addresses assigned to mesh tunnel links to change, and l3overlay does not handle this intelligently (it does not ensure the other sides of the tunnel links are changed as well).\n\n#### enabled\n* Type: **boolean**\n* Required: no\n\nSpecifies whether or not this overlay should be configured. The default value is `true`.\n\n#### fwbuilder-script\n* Type: **filename** / **filepath**\n* Required: no\n\nThe location to the fwbuilder script used to build the firewall settings inside the overlay. This can be either an absolute filepath to the script, or simply a filename relative to the `fwbuilder_scripts` directory.\n\n### [static-bgp:*{name}*]\n\nThis section is used to define a static BGP protocol in the BIRD routing daemon, used for distributing routes in the overlay. This is made to be used in conjunction with static GRE tunnels, to distribute routes across it.\n\n#### neighbor\n* Type: **ip address**\n* Required: **yes**\n\nThe neighbour BGP node's IP address.\n\n#### local\n* Type: **ip address**\n* Required: no\n\nThe local IP address used to make the BGP connection with the neighbour. Optional.\n\n#### local-asn\n* Type: **integer**, range 0 \u003c= **local-asn** \u003c= 65535\n* Required: no\n\nThe BGP autonomous system (AS) number used to identify the AS the local node is part of. The default value is the ASN number set for the overlay (the `asn` value in the `[overlay]` section).\n\n#### neighbor-asn\n* Type: **integer**, range 0 \u003c= **neighbor-asn** \u003c= 65535\n* Required: no\n\nThe BGP autonomous system (AS) number used to identify the AS the neighbour node is part of.  The default value is the ASN number set for the overlay (the `asn` value in the `[overlay]` section).\n\n#### bfd\n* Type: **boolean**\n* Required: no\n\nEnable BFD for the BGP protocol, to monitor for neighbour availability and failure detection. 
Note that BFD also needs to be supported by the neighbour. Defaults to `false`.\n\n#### ttl-security\n* Type: **boolean**\n* Required: no\n\nEnable the RFC 5082 TTL security mechanism on this BGP protocol. Also needs to be enabled by the neighbour. Defaults to `false`.\n\n#### description\n* Type: **string**\n* Required: no\n\nAn optional description of the BGP protocol, displayed with the use of `show protocol all` in the BIRD client.\n\n#### import-prefix[-*{int}*]\n* Type: **bird prefix**\n* Required: no\n\nOne or more BIRD filters used to filter the routes which get imported into the BGP protocol. The default is to import all routes.\n\nSee the [BIRD filter documentation on data types](http://bird.network.cz/?get_doc\u0026f=bird-5.html#ss5.2) for more information.\n\n### [static-dummy:*{name}*]\n\nThis section is used to define a dummy interface in the overlay.\n\n#### address\n* Type: **ip address**\n* Required: **yes**\n\nThe IP address assigned to the dummy interface.\n\n#### netmask\n* Type: **subnet mask**\n* Required: **yes**\n\nThe subnet mask for the dummy interface address.\n\n### [static-external-tunnel:*{name}*]\n\nThis section is used to define a layer 2 (GRETAP) tunnel in the root namespace, which is then linked into the overlay by a bridged veth interface. It can be connected to any IP address available in the root namespace.\n\n**NOTE:** The static external tunnel can ONLY create **GRETAP (layer 2 GRE)** tunnel interfaces. 
It will not work when attempting to connect to a **GRE (layer 3)** tunnel interface.\n\n#### local\n* Type: **ip address**\n* Required: **yes**\n\nThe local endpoint IP address assigned to the GRETAP tunnel (in the root namespace).\n\n#### remote\n* Type: **ip address**\n* Required: **yes**\n\nThe remote endpoint IP address assigned to the GRETAP tunnel (in the root namespace).\n\n#### address\n* Type: **ip address**\n* Required: **yes**\n\nThe IP address assigned to the overlay namespace veth interface (in the overlay namespace).\n\n#### netmask\n* Type: **subnet mask**\n* Required: **yes**\n\nThe subnet mask for the static overlay namespace veth interface address.\n\n#### key\n* Type: **integer**\n* Required: **yes**, **IF** there is more than one tunnel using the address pair and `ikey`/`okey` are not used\n\nThe unique (to the system) key number for this GRETAP tunnel address pair (`local`, `remote`). The peer's tunnel interface should use the same key number.\n\n#### ikey\n* Type: **integer**\n* Required: **yes**, **IF** there is more than one tunnel using the address pair and `key` is not used\n\nThe unique (to the system) input key number for this GRETAP tunnel address pair (`local`, `remote`). The peer's output key number should be the same value.\n\nIf this option is used, `okey` is also required to be used.\n\n#### okey\n* Type: **integer**\n* Required: **yes**, **IF** there is more than one tunnel using the address pair and `key` is not used\n\nThe unique output key number for this GRETAP tunnel address pair (`local`, `remote`). The peer's input key number should be the same value.\n\nIf this option is used, `ikey` is also required to be used.\n\n#### use-ipsec\n* Type: **boolean**\n* Required: no\n\nIf true, create a transport mode IPsec VPN to encapsulate the GRETAP tunnel.\n\n#### ipsec-psk\n* Type: **hex**, 6-64 digits\n* Required: no\n\nThe hex string used as the pre-shared key (PSK) for authentication of the encapsulating IPsec VPN. 
The PSK must be at least 6 digits long, and has a maximum length of 64 digits.\n\nIf unspecified, the default behaviour is to use the PSK defined in `global.conf`.\n\n### [static-overlay-link:*{name}*]\n\nThis section is used to create a link between two overlays, by creating a veth pair between them. The outer veth interface stays in the creating overlay, and gets bridged to a dummy interface, and the inner veth interface gets moved to the overlay to be linked to. A BGP peering is also set up between them, allowing route distribution to take place between the overlays. **NOTE:** you only need to define ONE static overlay link interface, in one overlay, for the two overlays to be connected. There is no need to define two corresponding static overlay link interfaces, as `l3overlayd` will automatically do this.\n\n#### outer-address\n* Type: **ip address**\n* Required: **yes**\n\nThe IP address assigned to the bridge interface in this overlay, to address the link between the two overlays. This must be the same type of IP address as the value set in `inner-address`.\n\n#### inner-address\n* Type: **ip address**\n* Required: **yes**\n\nThe IP address assigned to the veth interface in the opposing connected overlay, to address the link between the two overlays. This must be the same type of IP address as the value set in `outer-address`.\n\n#### inner-overlay-name\n* Type: **name**\n* Required: **yes**\n\nThe name of the overlay to link with.\n\n#### netmask\n* Type: **subnet mask**\n* Required: **yes**\n\nThe subnet mask for the assigned addresses. Usually this would be set to `31`/`255.255.255.254` (IPv4) or `127` (IPv6) to configure the link as a two-node subnet.\n\n### [static-tunnel:*{name}*]\n\nThis section is used to define a layer 2/3 GRE tunnel in the overlay. 
It can be connected to any IP address available in the overlay.\n\n#### mode\n* Type: **enum**\n* Required: **yes**\n* Values: `gre`, `gretap`\n\nThe mode in which the GRE tunnel will operate, layer 2 (`gretap`) or layer 3 (`gre`).\n\n#### local\n* Type: **ip address**\n* Required: **yes**\n\nThe local endpoint IP address assigned to the static tunnel.\n\n#### remote\n* Type: **ip address**\n* Required: **yes**\n\nThe remote endpoint IP address assigned to the static tunnel.\n\n#### address\n* Type: **ip address**\n* Required: **yes**\n\nThe IP address assigned to the static tunnel interface.\n\n#### netmask\n* Type: **subnet mask**\n* Required: **yes**\n\nThe subnet mask for the static tunnel interface address.\n\n#### key\n* Type: **integer**\n* Required: **yes**, **IF** there is more than one tunnel using the address pair and `ikey`/`okey` are not used\n\nThe unique (to the system) key number for this static tunnel address pair (`local`, `remote`). The peer's tunnel interface should use the same key number.\n\n#### ikey\n* Type: **integer**\n* Required: **yes**, **IF** there is more than one tunnel using the address pair and `key` is not used\n\nThe unique (to the system) input key number for this static tunnel address pair (`local`, `remote`). The peer's output key number should be the same value.\n\nIf this option is used, `okey` is also required to be used.\n\n#### okey\n* Type: **integer**\n* Required: **yes**, **IF** there is more than one tunnel using the address pair and `key` is not used\n\nThe unique output key number for this static tunnel address pair (`local`, `remote`). 
The peer's input key number should be the same value.\n\nIf this option is used, `ikey` is also required to be used.\n\n### [static-tuntap:*{name}*]\n\nThis section is used to define a TUN or TAP virtual interface in the overlay.\n\n#### mode\n* Type: **enum**\n* Required: **yes**\n* Values: `tun`, `tap`\n\nThe mode in which the virtual interface will operate.\n\n#### address\n* Type: **ip address**\n* Required: **yes**\n\nThe IP address assigned to the virtual interface.\n\n#### netmask\n* Type: **subnet mask**\n* Required: **yes**\n\nThe subnet mask for the virtual interface address.\n\n#### uid\n* Type: **integer**\n* Required: no\n\nThe user ID which owns and is allowed to attach to the 'network/wire' side of the interface.\n\n#### gid\n* Type: **integer**\n* Required: no\n\nThe group ID which is allowed to attach to the 'network/wire' side of the interface.\n\n### [static-veth:*{name}*]\n\nThis section is used to configure a static veth pair, with an inner interface inside the overlay, and an outer interface, either in the root namespace, or an externally created network namespace.\n\n#### inner-address|outer-address\n* Type: **ip address**\n* Required: no\n\nThe IP address assigned to either the inner interface inside the overlay, or the outer interface in the root namespace.\n\nIn a veth pair, only one of the two interfaces should be configured. Therefore, either `inner-address` or `outer-address` can be specified, but not both at the same time.\n\nHowever, if `inner-interface-bridged` is set to `true`, the inner interface will be bridged to a dummy interface, allowing both `inner-address` and `outer-address` to be used.\n\nIf both are specified, they must both be the same type of IP address. In other words, both must be IPv4, or both must be IPv6, but not a mix of IPv4 and IPv6.\n\n#### netmask\n* Type: **subnet mask**\n* Required: **yes**, **IF** `inner-address` or `outer-address` is defined\n\nThe subnet mask for the assigned address. 
If both `inner-address` and `outer-address` are defined with the help of `inner-interface-bridged`, this option will be used as the netmask value for both of them, as they should be part of the same subnet. \n\n#### inner-namespace\n* Type: **name**\n* Required: no\n\nThe name of the network namespace to move the inner interface into. The network namespace will be created if it does not already exist, but it will not be deleted once the static veth pair is shut down.\n\nThis option can also be used to connect two overlays together, via the static veth pair. To link overlays this way, define `inner-namespace` in just one of the overlays. The overlay which the static veth is defined in will get the outer interface, and the overlay specified in `inner-namespace` will get the inner interface.\n\nNote that this does not do any additional configuration to overlays when they are linked via this option, it is simply a veth pair. To allow traffic to flow in the veth pair, additional work needs to be done.\n\nFor a fully configured and routed link between overlays, consider using a `[static-overlay-link]`.\n\n#### outer-interface-bridged\n* Type: **boolean**\n* Required: no\n\nAttaches the outer interface of the static veth to a bridge interface, along with a dummy interface. This allows both `inner-address` and `outer-address` to be used at the same time. 
The default value is `false`.\n\nWith this option set, `inner-address` goes to the inner interface as normal, but `outer-address` will be assigned to the bridge interface rather than being directly assigned to the inner interface.\n\n### [static-vlan:*{name}*]\n\nThis section is used to statically define an IEEE 802.1Q VLAN interface, assigned to a physical interface, which will be accessible in the overlay via a veth pair.\n\n#### id\n* Type: **integer**\n* Required: **yes**\n\nThe IEEE 802.1Q VLAN ID tag for the static VLAN interface.\n\n#### physical-interface\n* Type: **name**\n* Required: **yes**\n\nThe physical interface assigned to the static VLAN interface.\n\n#### address\n* Type: **ip address**\n* Required: **yes**\n\nThe IP address assigned to the static VLAN interface.\n\n#### netmask\n* Type: **subnet mask**\n* Required: **yes**\n\nThe subnet mask for the VLAN interface address.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcatalyst%2Fl3overlay","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcatalyst%2Fl3overlay","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcatalyst%2Fl3overlay/lists"}