1 .TH IP 8 "17 January 2002" "iproute2" "Linux"
3 ip \- show / manipulate routing, devices, policy routing and tunnels
10 .RI "[ " OPTIONS " ] " OBJECT " { " COMMAND " | "
16 .BR link " | " addr " | " addrlabel " | " route " | " rule " | " neigh " | "\
17 tunnel " | " maddr " | " mroute " | " monitor " }"
22 \fB\-V\fR[\fIersion\fR] |
23 \fB\-s\fR[\fItatistics\fR] |
24 \fB\-r\fR[\fIesolve\fR] |
25 \fB\-f\fR[\fIamily\fR] {
26 .BR inet " | " inet6 " | " ipx " | " dnet " | " link " } | "
27 \fB\-o\fR[\fIneline\fR] }
30 .BI "ip link add link " DEVICE
50 .BR vlan " | " maclan " | " can " ]"
53 .BI "ip link delete " DEVICE
58 .BI "ip link set " DEVICE
59 .RB "{ " up " | " down " | " arp " { " on " | " off " } |"
61 .BR promisc " { " on " | " off " } |"
63 .BR allmulticast " { " on " | " off " } |"
65 .BR dynamic " { " on " | " off " } |"
67 .BR multicast " { " on " | " off " } |"
102 .RI "[ " DEVICE " | "
107 .BR "ip addr" " { " add " | " del " } "
108 .IB IFADDR " dev " STRING
111 .BR "ip addr" " { " show " | " flush " } [ " dev
116 .IR PREFIX " ] [ " FLAG-LIST " ] [ "
121 .IR IFADDR " := " PREFIX " | " ADDR
135 .RB "[ " host " | " link " | " global " | "
139 .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
143 .RB "[ " permanent " | " dynamic " | " secondary " | " primary " | "\
144 tentative " | " deprecated " | " dadfailed " | " temporary " ]"
147 .BR "ip addrlabel" " { " add " | " del " } " prefix
155 .BR "ip addrlabel" " { " list " | " flush " }"
159 .BR list " | " flush " } "
167 .BR "ip route restore"
172 .BI from " ADDRESS " iif " STRING"
179 .BR "ip route" " { " add " | " del " | " change " | " append " | "\
180 replace " | " monitor " } "
201 .IR ROUTE " := " NODE_SPEC " [ " INFO_SPEC " ]"
204 .IR NODE_SPEC " := [ " TYPE " ] " PREFIX " ["
217 .IR INFO_SPEC " := " "NH OPTIONS FLAGS" " ["
228 .IR NUMBER " ] " NHFLAGS
231 .IR OPTIONS " := " FLAGS " [ "
257 .BR unicast " | " local " | " broadcast " | " multicast " | "\
258 throw " | " unreachable " | " prohibit " | " blackhole " | " nat " ]"
261 .IR TABLE_ID " := [ "
262 .BR local "| " main " | " default " | " all " |"
267 .BR host " | " link " | " global " |"
272 .BR onlink " | " pervasive " ]"
276 .BR kernel " | " boot " | " static " |"
281 .RB " [ " list " | " add " | " del " | " flush " ]"
285 .IR SELECTOR " := [ "
293 .IR FWMARK[/MASK] " ] [ "
307 .BR prohibit " | " reject " | " unreachable " ] [ " realms
308 .RI "[" SRCREALM "/]" DSTREALM " ]"
311 .IR TABLE_ID " := [ "
312 .BR local " | " main " | " default " |"
316 .BR "ip neigh" " { " add " | " del " | " change " | " replace " } { "
320 .BR nud " { " permanent " | " noarp " | " stale " | " reachable " } ] | " proxy
326 .BR "ip neigh" " { " show " | " flush " } [ " to
334 .BR "ip tunnel" " { " add " | " change " | " del " | " show " | " prl " }"
344 .RB "[ [" i "|" o "]" seq " ] [ [" i "|" o "]" key
346 .RB "[" i "|" o "]" csum " ] ]"
365 .RB "[ [" no "]" pmtudisc " ]"
368 .RB "[ " "dscp inherit" " ]"
372 .RB " { " ipip " | " gre " | " sit " | " isatap " | " ip6ip6 " | " ipip6 " | " any " }"
375 .IR ADDR " := { " IP_ADDRESS " |"
379 .IR TOS " := { " NUMBER " |"
389 .IR TTL " := { " 1 ".." 255 " | "
393 .IR KEY " := { " DOTTED_QUAD " | " NUMBER " }"
396 .IR TIME " := " NUMBER "[s|ms]"
399 .BR "ip maddr" " [ " add " | " del " ]"
400 .IB MULTIADDR " dev " STRING
403 .BR "ip maddr show" " [ " dev
407 .BR "ip mroute show" " ["
415 .BR "ip monitor" " [ " all " |"
416 .IR LISTofOBJECTS " ]"
420 .IR XFRM_OBJECT " { " COMMAND " }"
423 .IR XFRM_OBJECT " := { " state " | " policy " | " monitor " } "
426 .BR "ip xfrm state " { " add " | " update " } "
436 .RB " [ " replay-window
450 .BR "ip xfrm state allocspi "
464 .BR "ip xfrm state" " { " delete " | " get " } "
468 .BR "ip xfrm state" " { " deleteall " | " list " } [ "
479 .BR "ip xfrm state flush" " [ " proto
483 .BR "ip xfrm state count"
497 .IR XFRM_PROTO " := "
498 .RB " [ " esp " | " ah " | " comp " | " route2 " | " hao " ] "
502 .RB " [ " transport " | " tunnel " | " ro " | " beet " ] "
503 .B (default=transport)
507 .RI " [ " FLAG-LIST " ] " FLAG
511 .RB " [ " noecn " | " decap-dscp " | " wildrecv " ] "
514 .IR ENCAP " := " ENCAP-TYPE " " SPORT " " DPORT " " OADDR
517 .IR ENCAP-TYPE " := "
523 .IR ALGO-LIST " := [ "
524 .IR ALGO-LIST " ] | [ "
535 .RB " [ " enc " | " auth " | " comp " ] "
540 .IR ADDR "[/" PLEN "]"
542 .IR ADDR "[/" PLEN "]"
543 .RI " [ " UPSPEC " ] "
565 .IR LIMIT-LIST " := [ " LIMIT-LIST " ] |"
571 .RB " [ [" time-soft "|" time-hard "|" time-use-soft "|" time-use-hard "]"
573 .RB "[ ["byte-soft "|" byte-hard "]"
576 .RB " [ ["packet-soft "|" packet-hard "]"
580 .BR "ip xfrm policy" " { " add " | " update " } " " dir "
593 .RI " [ " LIMIT-LIST " ] [ "
597 .BR "ip xfrm policy" " { " delete " | " get " } " " dir "
598 .IR DIR " [ " SELECTOR " | "
607 .BR "ip xfrm policy" " { " deleteall " | " list " } "
620 .B "ip xfrm policy flush"
629 .RB " [ " main " | " sub " ] "
634 .RB " [ " in " | " out " | " fwd " ] "
639 .IR ADDR "[/" PLEN "]"
641 .IR ADDR "[/" PLEN] " [ " UPSPEC
664 .RB " [ " allow " | " block " ]"
668 .IR LIMIT-LIST " := "
670 .IR LIMIT-LIST " ] | "
676 .RB " [ [" time-soft "|" time-hard "|" time-use-soft "|" time-use-hard "]"
678 .RB " [ [" byte-soft "|" byte-hard "]"
681 .RB "[" packet-soft "|" packet-hard "]"
687 .IR TMPL-LIST " ] | "
713 .IR XFRM_PROTO " := "
714 .RB " [ " esp " | " ah " | " comp " | " route2 " | " hao " ] "
718 .RB " [ " transport " | " tunnel " | " beet " ] "
719 .B (default=transport)
723 .RB " [ " required " | " use " ] "
724 .B (default=required)
727 .BR "ip xfrm monitor" " [ " all " | "
728 .IR LISTofOBJECTS " ] "
736 .BR "\-V" , " -Version"
737 print the version of the
742 .BR "\-s" , " \-stats", " \-statistics"
743 output more information. If the option
744 appears twice or more, the amount of information increases.
745 As a rule, the information is statistics or some time values.
748 .BR "\-l" , " \-loops"
749 Specify maximum number of loops the 'ip addr flush' logic
750 will attempt before giving up. The default is 10.
751 Zero (0) means loop until all addresses are removed.
754 .BR "\-f" , " \-family"
755 followed by protocol family identifier:
756 .BR "inet" , " inet6"
759 ,enforce the protocol family to use. If the option is not present,
760 the protocol family is guessed from other arguments. If the rest
761 of the command line does not give enough information to guess the
764 falls back to the default one, usually
769 is a special family identifier meaning that no networking protocol
780 .BR "\-family inet6" .
785 .BR "\-family link" .
788 .BR "\-o" , " \-oneline"
789 output each record on a single line, replacing line feeds
792 character. This is convenient when you want to count records
800 .BR "\-r" , " \-resolve"
801 use the system's name resolver to print DNS names instead of
804 .SH IP - COMMAND SYNTAX
815 - protocol (IP or IPv6) address on a device.
819 - label configuration for protocol address selection.
823 - ARP or NDISC cache entry.
827 - routing table entry.
831 - rule in routing policy database.
839 - multicast routing cache entry.
847 - framework for IPsec protocol.
850 The names of all objects may be written in full or
851 abbreviated form, f.e.
861 Specifies the action to perform on the object.
862 The set of possible actions depends on the object type.
863 As a rule, it is possible to
864 .BR "add" , " delete"
869 ) objects, but some objects do not allow all of these operations
870 or have some additional commands. The
872 command is available for all objects. It prints
873 out a list of available commands and argument syntax conventions.
875 If no command is given, some default command is assumed.
878 or, if the objects of this class cannot be listed,
881 .SH ip link - network device configuration
884 is a network device and the corresponding commands
885 display and change the state of devices.
887 .SS ip link add - add virtual link
891 specifies the physical device to act operate on.
894 specifies the name of the new virtual device.
897 specifies the type of the new device.
903 - 802.1q tagged virrtual LAN interface
906 - virtual interface base on link layer address (MAC)
909 - Controller Area Network interface
912 .SS ip link delete - delete virtual link
914 specifies the virtual device to act operate on.
916 specifies the type of the device.
921 specifies the physical device to act operate on.
923 .SS ip link set - change device attributes
928 specifies network device to operate on. When configuring SR-IOV Virtual Fuction
929 (VF) devices, this keyword should specify the associated Physical Function (PF)
934 change the state of the device to
940 .BR "arp on " or " arp off"
946 .BR "multicast on " or " multicast off"
952 .BR "dynamic on " or " dynamic off"
959 change the name of the device. This operation is not
960 recommended if the device is running or has some addresses
964 .BI txqueuelen " NUMBER"
967 change the transmit queue length of the device.
976 .BI address " LLADDRESS"
977 change the station address of the interface.
980 .BI broadcast " LLADDRESS"
984 .BI peer " LLADDRESS"
985 change the link layer broadcast address or the peer address when
991 move the device to the network namespace associated with the process
996 give the device a symbolic name for easy reference.
1000 specify a Virtual Function device to be configured. The associated PF device
1001 must be specified using the
1006 .BI mac " LLADDRESS"
1007 - change the station address for the specified VF. The
1009 parameter must be specified.
1013 - change the assigned VLAN for the specified VF. When specified, all traffic
1014 sent from the VF will be tagged with the specified VLAN ID. Incoming traffic
1015 will be filtered for the specified VLAN ID, and will have all VLAN tags
1016 stripped before being passed to the VF. Setting this parameter to 0 disables
1017 VLAN tagging and filtering. The
1019 parameter must be specified.
1023 - assign VLAN QOS (priority) bits for the VLAN tag. When specified, all VLAN
1024 tags transmitted by the VF will include the specified priority bits in the
1025 VLAN tag. If not specified, the value is assumed to be 0. Both the
1029 parameters must be specified. Setting both
1033 as 0 disables VLAN tagging and filtering for the VF.
1037 - change the allowed transmit bandwidth, in Mbps, for the specified VF.
1038 Setting this parameter to 0 disables rate limiting. The
1040 parameter must be specified.
1045 If multiple parameter changes are requested,
1047 aborts immediately after any of the changes have failed.
1048 This is the only case when
1050 can move the system to an unpredictable state. The solution
1051 is to avoid changing several parameters with one
1055 .SS ip link show - display device attributes
1058 .BI dev " NAME " (default)
1060 specifies the network device to show.
1061 If this argument is omitted all devices in the default group are listed.
1066 specifies what group of devices to show.
1070 only display running interfaces.
1072 .SH ip address - protocol address management.
1076 is a protocol (IP or IPv6) address attached
1077 to a network device. Each device must have at least one address
1078 to use the corresponding protocol. It is possible to have several
1079 different addresses attached to one device. These addresses are not
1080 discriminated, so that the term
1082 is not quite appropriate for them and we do not use it in this document.
1086 command displays addresses and their properties, adds new addresses
1087 and deletes old ones.
1089 .SS ip address add - add new protocol address.
1093 the name of the device to add the address to.
1096 .BI local " ADDRESS " (default)
1097 the address of the interface. The format of the address depends
1098 on the protocol. It is a dotted quad for IP and a sequence of
1099 hexadecimal halfwords separated by colons for IPv6. The
1101 may be followed by a slash and a decimal number which encodes
1102 the network prefix length.
1106 the address of the remote endpoint for pointopoint interfaces.
1109 may be followed by a slash and a decimal number, encoding the network
1110 prefix length. If a peer address is specified, the local address
1111 cannot have a prefix length. The network prefix is associated
1112 with the peer rather than with the local address.
1115 .BI broadcast " ADDRESS"
1116 the broadcast address on the interface.
1118 It is possible to use the special symbols
1122 instead of the broadcast address. In this case, the broadcast address
1123 is derived by setting/resetting the host bits of the interface prefix.
1127 Each address may be tagged with a label string.
1128 In order to preserve compatibility with Linux-2.0 net aliases,
1129 this string must coincide with the name of the device or must be prefixed
1130 with the device name followed by colon.
1133 .BI scope " SCOPE_VALUE"
1134 the scope of the area where this address is valid.
1135 The available scopes are listed in file
1136 .BR "/etc/iproute2/rt_scopes" .
1137 Predefined scope values are:
1141 - the address is globally valid.
1144 - (IPv6 only) the address is site local, i.e. it is
1145 valid inside this site.
1148 - the address is link local, i.e. it is valid only on this device.
1151 - the address is valid only inside this host.
1154 .SS ip address delete - delete protocol address
1156 coincide with the arguments of
1158 The device name is a required argument. The rest are optional.
1159 If no arguments are given, the first address is deleted.
1161 .SS ip address show - look at protocol addresses
1164 .BI dev " NAME " (default)
1168 .BI scope " SCOPE_VAL"
1169 only list addresses with this scope.
1173 only list addresses matching this prefix.
1176 .BI label " PATTERN"
1177 only list addresses with labels matching the
1180 is a usual shell style pattern.
1183 .BR dynamic " and " permanent
1184 (IPv6 only) only list addresses installed due to stateless
1185 address configuration or only list permanent (not dynamic)
1190 (IPv6 only) only list addresses which have not yet passed duplicate
1195 (IPv6 only) only list deprecated addresses.
1199 (IPv6 only) only list addresses which have failed duplicate
1204 (IPv6 only) only list temporary addresses.
1207 .BR primary " and " secondary
1208 only list primary (or secondary) addresses.
1210 .SS ip address flush - flush protocol addresses
1211 This command flushes the protocol addresses selected by some criteria.
1214 This command has the same arguments as
1216 The difference is that it does not run when no arguments are given.
1220 This command (and other
1222 commands described below) is pretty dangerous. If you make a mistake,
1223 it will not forgive it, but will cruelly purge all the addresses.
1228 option, the command becomes verbose. It prints out the number of deleted
1229 addresses and the number of rounds made to flush the address list. If
1230 this option is given twice,
1232 also dumps all the deleted addresses in the format described in the
1233 previous subsection.
1235 .SH ip addrlabel - protocol address label management.
1237 IPv6 address label is used for address selection
1238 described in RFC 3484. Precedence is managed by userspace,
1239 and only label is stored in kernel.
1241 .SS ip addrlabel add - add an address label
1242 the command adds an address label entry to the kernel.
1244 .BI prefix " PREFIX"
1247 the outgoing interface.
1250 the label for the prefix.
1251 0xffffffff is reserved.
1252 .SS ip addrlabel del - delete an address label
1253 the command deletes an address label entry in the kernel.
1255 coincide with the arguments of
1257 but label is not required.
1258 .SS ip addrlabel list - list address labels
1259 the command show contents of address labels.
1260 .SS ip addrlabel flush - flush address labels
1261 the command flushes the contents of address labels and it does not restore default settings.
1262 .SH ip neighbour - neighbour/arp tables management.
1265 objects establish bindings between protocol addresses and
1266 link layer addresses for hosts sharing the same link.
1267 Neighbour entries are organized into tables. The IPv4 neighbour table
1268 is known by another name - the ARP table.
1271 The corresponding commands display neighbour bindings
1272 and their properties, add new neighbour entries and delete old ones.
1274 .SS ip neighbour add - add a new neighbour entry
1275 .SS ip neighbour change - change an existing entry
1276 .SS ip neighbour replace - add a new entry or change an existing one
1278 These commands create new neighbour records or update existing ones.
1281 .BI to " ADDRESS " (default)
1282 the protocol address of the neighbour. It is either an IPv4 or IPv6 address.
1286 the interface to which this neighbour is attached.
1289 .BI lladdr " LLADDRESS"
1290 the link layer address of the neighbour.
1296 .BI nud " NUD_STATE"
1297 the state of the neighbour entry.
1299 is an abbreviation for 'Neighbour Unreachability Detection'.
1300 The state can take one of the following values:
1304 - the neighbour entry is valid forever and can be only
1305 be removed administratively.
1309 - the neighbour entry is valid. No attempts to validate
1310 this entry will be made but it can be removed when its lifetime expires.
1314 - the neighbour entry is valid until the reachability
1319 - the neighbour entry is valid but suspicious.
1322 does not change the neighbour state if it was valid and the address
1323 is not changed by this command.
1326 .SS ip neighbour delete - delete a neighbour entry
1327 This command invalidates a neighbour entry.
1330 The arguments are the same as with
1331 .BR "ip neigh add" ,
1340 Attempts to delete or manually change a
1342 entry created by the kernel may result in unpredictable behaviour.
1343 Particularly, the kernel may try to resolve this address even
1346 interface or if the address is multicast or broadcast.
1348 .SS ip neighbour show - list neighbour entries
1350 This commands displays neighbour tables.
1353 .BI to " ADDRESS " (default)
1354 the prefix selecting the neighbours to list.
1358 only list the neighbours attached to this device.
1362 only list neighbours which are not currently in use.
1365 .BI nud " NUD_STATE"
1366 only list neighbour entries in this state.
1368 takes values listed below or the special value
1370 which means all states. This option may occur more than once.
1371 If this option is absent,
1373 lists all entries except for
1378 .SS ip neighbour flush - flush neighbour entries
1379 This command flushes neighbour tables, selecting
1380 entries to flush by some criteria.
1383 This command has the same arguments as
1385 The differences are that it does not run when no arguments are given,
1386 and that the default neighbour states to be flushed do not include
1394 option, the command becomes verbose. It prints out the number of
1395 deleted neighbours and the number of rounds made to flush the
1396 neighbour table. If the option is given
1399 also dumps all the deleted neighbours.
1401 .SH ip route - routing table management
1402 Manipulate route entries in the kernel routing tables keep
1403 information about paths to other networked nodes.
1409 - the route entry describes real paths to the destinations covered
1410 by the route prefix.
1414 - these destinations are unreachable. Packets are discarded and the
1418 The local senders get an
1424 - these destinations are unreachable. Packets are discarded silently.
1425 The local senders get an
1431 - these destinations are unreachable. Packets are discarded and the
1433 .I communication administratively prohibited
1434 is generated. The local senders get an
1440 - the destinations are assigned to this host. The packets are looped
1441 back and delivered locally.
1445 - the destinations are broadcast addresses. The packets are sent as
1450 - a special control route used together with policy rules. If such a
1451 route is selected, lookup in this table is terminated pretending that
1452 no route was found. Without policy routing it is equivalent to the
1453 absence of the route in the routing table. The packets are dropped
1454 and the ICMP message
1456 is generated. The local senders get an
1462 - a special NAT route. Destinations covered by the prefix
1463 are considered to be dummy (or external) addresses which require translation
1464 to real (or internal) ones before forwarding. The addresses to translate to
1465 are selected with the attribute
1467 Route NAT is no longer supported in Linux 2.6.
1473 .RI "- " "not implemented"
1474 the destinations are
1476 addresses assigned to this host. They are mainly equivalent
1479 with one difference: such addresses are invalid when used
1480 as the source address of any packet.
1484 - a special type used for multicast routing. It is not present in
1485 normal routing tables.
1490 Linux-2.x can pack routes into several routing tables identified
1491 by a number in the range from 1 to 2^31 or by name from the file
1492 .B /etc/iproute2/rt_tables
1493 By default all normal routes are inserted into the
1495 table (ID 254) and the kernel only uses this table when calculating routes.
1496 Values (0, 253, 254, and 255) are reserved for built-in use.
1499 Actually, one other table always exists, which is invisible but
1500 even more important. It is the
1502 table (ID 255). This table
1503 consists of routes for local and broadcast addresses. The kernel maintains
1504 this table automatically and the administrator usually need not modify it
1507 The multiple routing tables enter the game when
1511 .SS ip route add - add new route
1512 .SS ip route change - change route
1513 .SS ip route replace - change or add new one
1516 .BI to " TYPE PREFIX " (default)
1517 the destination prefix of the route. If
1527 is an IP or IPv6 address optionally followed by a slash and the
1528 prefix length. If the length of the prefix is missing,
1530 assumes a full-length host route. There is also a special
1533 - which is equivalent to IP
1542 the Type Of Service (TOS) key. This key has no associated mask and
1543 the longest match is understood as: First, compare the TOS
1544 of the route and of the packet. If they are not equal, then the packet
1545 may still match a route with a zero TOS.
1547 is either an 8 bit hexadecimal number or an identifier
1549 .BR "/etc/iproute2/rt_dsfield" .
1552 .BI metric " NUMBER"
1554 .BI preference " NUMBER"
1555 the preference value of the route.
1557 is an arbitrary 32bit number.
1560 .BI table " TABLEID"
1561 the table to add this route to.
1563 may be a number or a string from the file
1564 .BR "/etc/iproute2/rt_tables" .
1565 If this parameter is omitted,
1569 table, with the exception of
1570 .BR local " , " broadcast " and " nat
1571 routes, which are put into the
1577 the output device name.
1581 the address of the nexthop router. Actually, the sense of this field
1582 depends on the route type. For normal
1584 routes it is either the true next hop router or, if it is a direct
1585 route installed in BSD compatibility mode, it can be a local address
1586 of the interface. For NAT routes it is the first address of the block
1587 of translated IP destinations.
1591 the source address to prefer when sending to the destinations
1592 covered by the route prefix.
1595 .BI realm " REALMID"
1596 the realm to which this route is assigned.
1598 may be a number or a string from the file
1599 .BR "/etc/iproute2/rt_realms" .
1604 .BI "mtu lock" " MTU"
1605 the MTU along the path to the destination. If the modifier
1607 is not used, the MTU may be updated by the kernel due to
1608 Path MTU Discovery. If the modifier
1610 is used, no path MTU discovery will be tried, all packets
1611 will be sent without the DF bit in IPv4 case or fragmented
1615 .BI window " NUMBER"
1616 the maximal window for TCP to advertise to these destinations,
1617 measured in bytes. It limits maximal data bursts that our TCP
1618 peers are allowed to send to us.
1622 the initial RTT ('Round Trip Time') estimate. If no suffix is
1623 specified the units are raw values passed directly to the
1624 routing code to maintain compatibility with previous releases.
1625 Otherwise if a suffix of s, sec or secs is used to specify
1626 seconds and ms, msec or msecs to specify milliseconds.
1630 .BI rttvar " TIME " "(2.3.15+ only)"
1631 the initial RTT variance estimate. Values are specified as with
1636 .BI rto_min " TIME " "(2.6.23+ only)"
1637 the minimum TCP Retransmission TimeOut to use when communicating with this
1638 destination. Values are specified as with
1643 .BI ssthresh " NUMBER " "(2.3.15+ only)"
1644 an estimate for the initial slow start threshold.
1647 .BI cwnd " NUMBER " "(2.3.15+ only)"
1648 the clamp for congestion window. It is ignored if the
1653 .BI initcwnd " NUMBER " "(2.5.70+ only)"
1654 the initial congestion window size for connections to this destination.
1655 Actual window size is this value multiplied by the MSS
1656 (``Maximal Segment Size'') for same connection. The default is
1657 zero, meaning to use the values specified in RFC2414.
1660 .BI initrwnd " NUMBER " "(2.6.33+ only)"
1661 the initial receive window size for connections to this destination.
1662 Actual window size is this value multiplied by the MSS of the connection.
1663 The default value is zero, meaning to use Slow Start value.
1666 .BI advmss " NUMBER " "(2.3.15+ only)"
1667 the MSS ('Maximal Segment Size') to advertise to these
1668 destinations when establishing TCP connections. If it is not given,
1669 Linux uses a default value calculated from the first hop device MTU.
1670 (If the path to these destination is asymmetric, this guess may be wrong.)
1673 .BI reordering " NUMBER " "(2.3.15+ only)"
1674 Maximal reordering on the path to this destination.
1675 If it is not given, Linux uses the value selected with
1678 .BR "net/ipv4/tcp_reordering" .
1681 .BI nexthop " NEXTHOP"
1682 the nexthop of a multipath route.
1684 is a complex value with its own syntax similar to the top level
1689 - is the nexthop router.
1693 - is the output device.
1696 .BI weight " NUMBER"
1697 - is a weight for this element of a multipath
1698 route reflecting its relative bandwidth or quality.
1702 .BI scope " SCOPE_VAL"
1703 the scope of the destinations covered by the route prefix.
1705 may be a number or a string from the file
1706 .BR "/etc/iproute2/rt_scopes" .
1707 If this parameter is omitted,
1716 .BR unicast " and " broadcast
1718 .BR host " for " local
1722 .BI protocol " RTPROTO"
1723 the routing protocol identifier of this route.
1725 may be a number or a string from the file
1726 .BR "/etc/iproute2/rt_protos" .
1727 If the routing protocol ID is not given,
1728 .B ip assumes protocol
1730 (i.e. it assumes the route was added by someone who doesn't
1731 understand what they are doing). Several protocol values have
1732 a fixed interpretation.
1737 - the route was installed due to an ICMP redirect.
1741 - the route was installed by the kernel during autoconfiguration.
1745 - the route was installed during the bootup sequence.
1746 If a routing daemon starts, it will purge all of them.
1750 - the route was installed by the administrator
1751 to override dynamic routing. Routing daemon will respect them
1752 and, probably, even advertise them to its peers.
1756 - the route was installed by Router Discovery protocol.
1760 The rest of the values are not reserved and the administrator is free
1761 to assign (or not to assign) protocol tags.
1765 pretend that the nexthop is directly attached to this link,
1766 even if it does not match any interface prefix.
1768 .SS ip route delete - delete route
1771 has the same arguments as
1772 .BR "ip route add" ,
1773 but their semantics are a bit different.
1776 .RB "(" to ", " tos ", " preference " and " table ")"
1777 select the route to delete. If optional attributes are present,
1779 verifies that they coincide with the attributes of the route to delete.
1780 If no route with the given key and attributes was found,
1784 .SS ip route show - list routes
1785 the command displays the contents of the routing tables or the route(s)
1786 selected by some criteria.
1789 .BI to " SELECTOR " (default)
1790 only select routes from the given range of destinations.
1792 consists of an optional modifier
1793 .RB "(" root ", " match " or " exact ")"
1796 selects routes with prefixes not shorter than
1800 selects the entire routing table.
1802 selects routes with prefixes not longer than
1805 .BI match " 10.0/16"
1808 .IR 10/8 " and " 0/0 ,
1809 but it does not select
1810 .IR 10.1/16 " and " 10.0.0/24 .
1815 selects routes with this exact prefix. If neither of these options
1820 i.e. it lists the entire table.
1825 only select routes with the given TOS.
1828 .BI table " TABLEID"
1829 show the routes from this table(s). The default setting is to show
1832 may either be the ID of a real table or one of the special values:
1836 - list all of the tables.
1839 - dump the routing cache.
1846 list cloned routes i.e. routes which were dynamically forked from
1847 other routes because some route attribute (f.e. MTU) was updated.
1848 Actually, it is equivalent to
1849 .BR "table cache" "."
1852 .BI from " SELECTOR"
1853 the same syntax as for
1855 but it binds the source address range rather than destinations.
1858 option only works with cloned routes.
1861 .BI protocol " RTPROTO"
1862 only list routes of this protocol.
1865 .BI scope " SCOPE_VAL"
1866 only list routes with this scope.
1870 only list routes of this type.
1874 only list routes going via this device.
1878 only list routes going via the nexthop routers selected by
1883 only list routes with preferred source addresses selected
1888 .BI realm " REALMID"
1890 .BI realms " FROMREALM/TOREALM"
1891 only list routes with these realms.
1893 .SS ip route flush - flush routing tables
1894 this command flushes routes selected by some criteria.
1897 The arguments have the same syntax and semantics as the arguments of
1898 .BR "ip route show" ,
1899 but routing tables are not listed but purged. The only difference is
1902 dumps all the IP main routing table but
1904 prints the helper page.
1909 option, the command becomes verbose. It prints out the number of
1910 deleted routes and the number of rounds made to flush the routing
1911 table. If the option is given
1914 also dumps all the deleted routes in the format described in the
1915 previous subsection.
1917 .SS ip route get - get a single route
1918 this command gets a single route to a destination and prints its
1919 contents exactly as the kernel sees it.
1922 .BI to " ADDRESS " (default)
1923 the destination address.
1933 the Type Of Service.
1937 the device from which this packet is expected to arrive.
1941 force the output device on which this packet will be routed.
1945 if no source address
1946 .RB "(option " from ")"
1947 was given, relookup the route with the source set to the preferred
1948 address received from the first lookup.
1949 If policy routing is used, it may be a different route.
1952 Note that this operation is not equivalent to
1953 .BR "ip route show" .
1955 shows existing routes.
1957 resolves them and creates new clones if necessary. Essentially,
1959 is equivalent to sending a packet along this path.
1962 argument is not given, the kernel creates a route
1963 to output packets towards the requested destination.
1964 This is equivalent to pinging the destination
1966 .BR "ip route ls cache" ,
1967 however, no packets are actually sent. With the
1969 argument, the kernel pretends that a packet arrived from this interface
1970 and searches for a path to forward the packet.
1972 .SS ip route save - save routing table information to stdout
1973 this command behaves like
1975 except that the output is raw data suitable for passing to
1976 .BR "ip route restore" .
1978 .SS ip route restore - restore routing table information from stdin
1979 this command expects to read a data stream as returned from
1980 .BR "ip route save" .
1981 It will attempt to restore the routing table information exactly as
1982 it was at the time of the save, so any translation of information
1983 in the stream (such as device indexes) must be done first. Any existing
1984 routes are left unchanged. Any routes specified in the data stream that
1985 already exist in the table will be ignored.
1987 .SH ip rule - routing policy database management
1990 in the routing policy database control the route selection algorithm.
1993 Classic routing algorithms used in the Internet make routing decisions
1994 based only on the destination address of packets (and in theory,
1995 but not in practice, on the TOS field).
1998 In some circumstances we want to route packets differently depending not only
1999 on destination addresses, but also on other packet fields: source address,
2000 IP protocol, transport protocol ports or even packet payload.
2001 This task is called 'policy routing'.
2004 To solve this task, the conventional destination based routing table, ordered
2005 according to the longest match rule, is replaced with a 'routing policy
2006 database' (or RPDB), which selects routes by executing some set of rules.
2009 Each policy routing rule consists of a
2012 .B action predicate.
2013 The RPDB is scanned in the order of increasing priority. The selector
2014 of each rule is applied to {source address, destination address, incoming
2015 interface, tos, fwmark} and, if the selector matches the packet,
2016 the action is performed. The action predicate may return with success.
2017 In this case, it will either give a route or failure indication
2018 and the RPDB lookup is terminated. Otherwise, the RPDB program
2019 continues on the next rule.
2022 Semantically, natural action is to select the nexthop and the output device.
2025 At startup time the kernel configures the default RPDB consisting of three
2030 Priority: 0, Selector: match anything, Action: lookup routing
2036 table is a special routing table containing
2037 high priority control routes for local and broadcast addresses.
2039 Rule 0 is special. It cannot be deleted or overridden.
2043 Priority: 32766, Selector: match anything, Action: lookup routing
2049 table is the normal routing table containing all non-policy
2050 routes. This rule may be deleted and/or overridden with other
2051 ones by the administrator.
2055 Priority: 32767, Selector: match anything, Action: lookup routing
2061 table is empty. It is reserved for some post-processing if no previous
2062 default rules selected the packet.
2063 This rule may also be deleted.
2066 Each RPDB entry has additional
2067 attributes. F.e. each rule has a pointer to some routing
2068 table. NAT and masquerading rules have an attribute to select new IP
2069 address to translate/masquerade. Besides that, rules have some
2070 optional attributes, which routes have, namely
2072 These values do not override those contained in the routing tables. They
2073 are only used if the route did not select any attributes.
2076 The RPDB may contain rules of the following types:
2080 - the rule prescribes to return the route found
2081 in the routing table referenced by the rule.
2084 - the rule prescribes to silently drop the packet.
2087 - the rule prescribes to generate a 'Network is unreachable' error.
2090 - the rule prescribes to generate 'Communication is administratively
2094 - the rule prescribes to translate the source address
2095 of the IP packet into some other value.
2098 .SS ip rule add - insert a new rule
2099 .SS ip rule delete - delete a rule
2102 .BI type " TYPE " (default)
2103 the type of this rule. The list of valid types was given in the previous
2108 select the source prefix to match.
2112 select the destination prefix to match.
2116 select the incoming device to match. If the interface is loopback,
2117 the rule only matches packets originating from this host. This means
2118 that you may create separate routing tables for forwarded and local
2119 packets and, hence, completely segregate them.
2123 select the outgoing device to match. The outgoing interface is only
2124 available for packets originating from local sockets that are bound to
2131 select the TOS value to match.
2140 .BI priority " PREFERENCE"
2141 the priority of this rule. Each rule should have an explicitly
2145 The options preference and order are synonyms with priority.
2148 .BI table " TABLEID"
2149 the routing table identifier to lookup if the rule selector matches.
2150 It is also possible to use lookup instead of table.
2153 .BI realms " FROM/TO"
2154 Realms to select if the rule matched and the routing table lookup
2157 is only used if the route did not select any realm.
2161 The base of the IP address block to translate (for source addresses).
2164 may be either the start of the block of NAT addresses (selected by NAT
2165 routes) or a local host address (or even zero).
2166 In the last case the router does not translate the packets, but
2167 masquerades them to this address.
2168 Using map-to instead of nat means the same thing.
2171 Changes to the RPDB made with these commands do not become active
2172 immediately. It is assumed that after a script finishes a batch of
2173 updates, it flushes the routing cache with
2174 .BR "ip route flush cache" .
2176 .SS ip rule flush - also dumps all the deleted rules.
2177 This command has no arguments.
2179 .SS ip rule show - list rules
2180 This command has no arguments.
2181 The options list or lst are synonyms with show.
2183 .SH ip maddress - multicast addresses management
2186 objects are multicast addresses.
2188 .SS ip maddress show - list multicast addresses
2191 .BI dev " NAME " (default)
2194 .SS ip maddress add - add a multicast address
2195 .SS ip maddress delete - delete a multicast address
2196 these commands attach/detach a static link layer multicast address
2197 to listen on the interface.
2198 Note that it is impossible to join protocol multicast groups
2199 statically. This command only manages link layer addresses.
2202 .BI address " LLADDRESS " (default)
2203 the link layer multicast address.
2207 the device to join/leave this multicast address.
2209 .SH ip mroute - multicast routing cache management
2211 objects are multicast routing cache entries created by a user level
2212 mrouting daemon (f.e.
2218 Due to the limitations of the current interface to the multicast routing
2219 engine, it is impossible to change
2221 objects administratively, so we may only display them. This limitation
2222 will be removed in the future.
2224 .SS ip mroute show - list mroute cache entries
2227 .BI to " PREFIX " (default)
2228 the prefix selecting the destination multicast addresses to list.
2232 the interface on which multicast packets are received.
2236 the prefix selecting the IP source addresses of the multicast route.
2238 .SH ip tunnel - tunnel configuration
2240 objects are tunnels, encapsulating packets in IP packets and then
2241 sending them over the IP infrastructure.
2242 The encapulating (or outer) address family is specified by the
2244 option. The default is IPv4.
2246 .SS ip tunnel add - add a new tunnel
2247 .SS ip tunnel change - change an existing tunnel
2248 .SS ip tunnel delete - destroy a tunnel
2251 .BI name " NAME " (default)
2252 select the tunnel device name.
2256 set the tunnel mode. Available modes depend on the encapsulating address family.
2258 Modes for IPv4 encapsulation available:
2259 .BR ipip ", " sit ", " isatap " and " gre "."
2261 Modes for IPv6 encapsulation available:
2262 .BR ip6ip6 ", " ipip6 " and " any "."
2265 .BI remote " ADDRESS"
2266 set the remote endpoint of the tunnel.
2269 .BI local " ADDRESS"
2270 set the fixed local address for tunneled packets.
2271 It must be an address on another interface of this host.
2277 on tunneled packets.
2279 is a number in the range 1--255. 0 is a special value
2280 meaning that packets inherit the TTL value.
2281 The default value for IPv4 tunnels is:
2283 The default value for IPv6 tunnels is:
2293 set a fixed TOS (or traffic class in IPv6)
2295 on tunneled packets.
2296 The default value is:
2301 bind the tunnel to the device
2303 so that tunneled packets will only be routed via this device and will
2304 not be able to escape to another device when the route to endpoint
2309 disable Path MTU Discovery on this tunnel.
2310 It is enabled by default. Note that a fixed ttl is incompatible
2311 with this option: tunnelling with a fixed ttl always makes pmtu
2320 .RB ( " only GRE tunnels " )
2321 use keyed GRE with key
2323 is either a number or an IP address-like dotted quad.
2326 parameter sets the key to use in both directions.
2328 .BR ikey " and " okey
2329 parameters set different keys for input and output.
2332 .BR csum ", " icsum ", " ocsum
2333 .RB ( " only GRE tunnels " )
2334 generate/require checksums for tunneled packets.
2337 flag calculates checksums for outgoing packets.
2340 flag requires that all input packets have the correct
2343 flag is equivalent to the combination
2347 .BR seq ", " iseq ", " oseq
2348 .RB ( " only GRE tunnels " )
2352 flag enables sequencing of outgoing packets.
2355 flag requires that all input packets are serialized.
2358 flag is equivalent to the combination
2360 .B It isn't work. Don't use it.
2364 .RB ( " only IPv6 tunnels " )
2365 Inherit DS field between inner and outer header.
2368 .BI encaplim " ELIM"
2369 .RB ( " only IPv6 tunnels " )
2370 set a fixed encapsulation limit. Default is 4.
2373 .BI flowlabel " FLOWLABEL"
2374 .RB ( " only IPv6 tunnels " )
2375 set a fixed flowlabel.
2377 .SS ip tunnel prl - potential router list (ISATAP only)
2381 mandatory device name.
2384 .BI prl-default " ADDR"
2386 .BI prl-nodefault " ADDR"
2388 .BI prl-delete " ADDR"
2389 .RB "Add or delete " ADDR
2390 as a potential router or default router.
2392 .SS ip tunnel show - list tunnels
2393 This command has no arguments.
2395 .SH ip monitor and rtmon - state monitoring
2399 utility can monitor the state of devices, addresses
2400 and routes continuously. This option has a slightly different format.
2403 command is the first in the command line and then the object list follows:
2405 .BR "ip monitor" " [ " all " |"
2406 .IR LISTofOBJECTS " ]"
2409 is the list of object types that we want to monitor.
2411 .BR link ", " address " and " route "."
2416 opens RTNETLINK, listens on it and dumps state changes in the format
2417 described in previous sections.
2420 If a file name is given, it does not listen on RTNETLINK,
2421 but opens the file containing RTNETLINK messages saved in binary format
2422 and dumps them. Such a history file can be generated with the
2424 utility. This utility has a command line syntax similar to
2428 should be started before the first network configuration command
2429 is issued. F.e. if you insert:
2432 rtmon file /var/log/rtmon.log
2435 in a startup script, you will be able to view the full history
2439 Certainly, it is possible to start
2442 It prepends the history with the state snapshot dumped at the moment
2445 .SH ip xfrm - setting xfrm
2446 xfrm is an IP framework, which can transform format of the datagrams,
2448 i.e. encrypt the packets with some algorithm. xfrm policy and xfrm state
2449 are associated through templates
2451 This framework is used as a part of IPsec protocol.
2453 .SS ip xfrm state add - add new state into xfrm
2455 .SS ip xfrm state update - update existing xfrm state
2457 .SS ip xfrm state allocspi - allocate SPI value
2461 is set as default to
2463 but it could be set to
2464 .BR tunnel "," ro " or " beet "."
2468 contains one or more flags.
2473 .BR noecn ", " decap-dscp " or " wildrecv "."
2477 encapsulation is set to encapsulation type
2478 .IR ENCAP-TYPE ", source port " SPORT ", destination port " DPORT " and " OADDR "."
2483 .BR espinudp " or " espinudp-nonike "."
2487 contains one or more algorithms
2489 which depend on the type of algorithm set by
2491 Valid algorithms are:
2492 .BR enc ", " auth " or " comp "."
2494 .SS ip xfrm policy add - add a new policy
2496 .SS ip xfrm policy update - update an existing policy
2498 .SS ip xfrm policy delete - delete existing policy
2500 .SS ip xfrm policy get - get existing policy
2502 .SS ip xfrm policy deleteall - delete all existing xfrm policy
2504 .SS ip xfrm policy list - print out the list of xfrm policy
2506 .SS ip xfrm policy flush - flush policies
2509 policies or only those specified with
2514 directory could be one of these:
2515 .BR "inp", " out " or " fwd".
2519 selects for which addresses will be set up the policy. The selector
2520 is defined by source and destination address.
2524 is defined by source port
2532 as dotted-quad or number.
2536 specify network device.
2540 the number of indexed policy.
2544 type is set as default on
2550 .BI action " ACTION "
2551 is set as default on
2553 It could be switch on
2557 .BI priority " PRIORITY "
2558 priority is a number. Default priority is set on zero.
2562 limits are set in seconds, bytes or numbers of packets.
2566 template list is based on
2568 .BR mode ", " reqid " and " level ". "
2572 is specified by source address, destination address,
2580 .BR esp ", " ah ", " comp ", " route2 " or " hao "."
2584 is set as default on
2586 but it could be set on
2587 .BR tunnel " or " beet "."
2591 is set as default on
2593 and the other choice is
2599 .BR sport " and " dport " (for UDP/TCP), "
2600 .BR type " and " code " (for ICMP; as number) or "
2601 .BR key " (for GRE; as dotted-quad or number)."
2604 .SS ip xfrm monitor - is used for listing all objects or defined group of them.
2607 can monitor the policies for all objects or defined group of them.
2611 was written by Alexey N. Kuznetsov and added in Linux 2.2.
2615 .RB "IP Command reference " ip-cref.ps
2617 .RB "IP tunnels " ip-cref.ps
2619 .RB "User documentation at " http://lartc.org/ ", but please direct bugreports and patches to: " <netdev@vger.kernel.org>
2622 Original Manpage by Michail Litvak <mci@owl.openwall.com>