1 .TH IP 8 "17 January 2002" "iproute2" "Linux"
3 ip \- show / manipulate routing, devices, policy routing and tunnels
10 .RI "[ " OPTIONS " ] " OBJECT " { " COMMAND " | "
16 .BR link " | " addr " | " addrlabel " | " route " | " rule " | " neigh " | "\
17 tunnel " | " maddr " | " mroute " | " monitor " }"
22 \fB\-V\fR[\fIersion\fR] |
23 \fB\-s\fR[\fItatistics\fR] |
24 \fB\-r\fR[\fIesolve\fR] |
25 \fB\-f\fR[\fIamily\fR] {
26 .BR inet " | " inet6 " | " ipx " | " dnet " | " link " } | "
27 \fB\-o\fR[\fIneline\fR] }
30 .BI "ip link set " DEVICE
31 .RB "{ " up " | " down " | " arp " { " on " | " off " } |"
33 .BR promisc " { " on " | " off " } |"
35 .BR allmulticast " { " on " | " off " } |"
37 .BR dynamic " { " on " | " off " } |"
39 .BR multicast " { " on " | " off " } |"
60 .BR "ip addr" " { " add " | " del " } "
61 .IB IFADDR " dev " STRING
64 .BR "ip addr" " { " show " | " flush " } [ " dev
69 .IR PREFIX " ] [ " FLAG-LIST " ] [ "
74 .IR IFADDR " := " PREFIX " | " ADDR
88 .RB "[ " host " | " link " | " global " | "
92 .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
96 .RB "[ " permanent " | " dynamic " | " secondary " | " primary " | "\
97 tentative " | " deprecated " ]"
100 .BR "ip addrlabel" " { " add " | " del " } " prefix
108 .BR "ip addrlabel" " { " list " | " flush " }"
112 .BR list " | " flush " } "
118 .BI from " ADDRESS " iif " STRING"
125 .BR "ip route" " { " add " | " del " | " change " | " append " | "\
126 replace " | " monitor " } "
147 .IR ROUTE " := " NODE_SPEC " [ " INFO_SPEC " ]"
150 .IR NODE_SPEC " := [ " TYPE " ] " PREFIX " ["
163 .IR INFO_SPEC " := " "NH OPTIONS FLAGS" " ["
174 .IR NUMBER " ] " NHFLAGS
177 .IR OPTIONS " := " FLAGS " [ "
199 .BR unicast " | " local " | " broadcast " | " multicast " | "\
200 throw " | " unreachable " | " prohibit " | " blackhole " | " nat " ]"
203 .IR TABLE_ID " := [ "
204 .BR local "| " main " | " default " | " all " |"
209 .BR host " | " link " | " global " |"
218 .BR onlink " | " pervasive " ]"
222 .BR kernel " | " boot " | " static " |"
227 .RB " [ " list " | " add " | " del " | " flush " ]"
231 .IR SELECTOR " := [ "
239 .IR FWMARK[/MASK] " ] [ "
251 .BR prohibit " | " reject " | " unreachable " ] [ " realms
252 .RI "[" SRCREALM "/]" DSTREALM " ]"
255 .IR TABLE_ID " := [ "
256 .BR local " | " main " | " default " |"
260 .BR "ip neigh" " { " add " | " del " | " change " | " replace " } { "
264 .BR nud " { " permanent " | " noarp " | " stale " | " reachable " } ] | " proxy
270 .BR "ip neigh" " { " show " | " flush " } [ " to
278 .BR "ip tunnel" " { " add " | " change " | " del " | " show " }"
288 .RB "[ [" i "|" o "]" seq " ] [ [" i "|" o "]" key
290 .RB "[" i "|" o "]" csum " ] ]"
302 .RB "[ [" no "]" pmtudisc " ]"
305 .RB "[ " "dscp inherit" " ]"
309 .RB " { " ipip " | " gre " | " sit " | " isatap " | " ip6ip6 " | " ipip6 " | " any " }"
312 .IR ADDR " := { " IP_ADDRESS " |"
316 .IR TOS " := { " NUMBER " |"
326 .IR TTL " := { " 1 ".." 255 " | "
330 .IR KEY " := { " DOTTED_QUAD " | " NUMBER " }"
333 .IR TIME " := " NUMBER "[s|ms|us|ns|j]"
336 .BR "ip maddr" " [ " add " | " del " ]"
337 .IB MULTIADDR " dev " STRING
340 .BR "ip maddr show" " [ " dev
344 .BR "ip mroute show" " ["
352 .BR "ip monitor" " [ " all " |"
353 .IR LISTofOBJECTS " ]"
357 .IR XFRM_OBJECT " { " COMMAND " }"
360 .IR XFRM_OBJECT " := { " state " | " policy " | " monitor " } "
363 .BR "ip xfrm state " { " add " | " update " } "
373 .RB " [ " replay-window
387 .BR "ip xfrm state allocspi "
401 .BR "ip xfrm state" " { " delete " | " get " } "
405 .BR "ip xfrm state" " { " deleteall " | " list " } [ "
416 .BR "ip xfrm state flush" " [ " proto
420 .BR "ip xfrm state count"
434 .IR XFRM_PROTO " := "
435 .RB " [ " esp " | " ah " | " comp " | " route2 " | " hao " ] "
439 .RB " [ " transport " | " tunnel " | " ro " | " beet " ] "
440 .B (default=transport)
444 .RI " [ " FLAG-LIST " ] " FLAG
448 .RB " [ " noecn " | " decap-dscp " | " wildrecv " ] "
451 .IR ENCAP " := " ENCAP-TYPE " " SPORT " " DPORT " " OADDR
454 .IR ENCAP-TYPE " := "
460 .IR ALGO-LIST " := [ "
461 .IR ALGO-LIST " ] | [ "
472 .RB " [ " enc " | " auth " | " comp " ] "
477 .IR ADDR "[/" PLEN "]"
479 .IR ADDR "[/" PLEN "]"
480 .RI " [ " UPSPEC " ] "
499 .IR LIMIT-LIST " := [ " LIMIT-LIST " ] |"
505 .RB " [ [" time-soft "|" time-hard "|" time-use-soft "|" time-use-hard "]"
507 .RB "[ ["byte-soft "|" byte-hard "]"
510 .RB " [ ["packet-soft "|" packet-hard "]"
514 .BR "ip xfrm policy" " { " add " | " update " } " " dir "
527 .RI " [ " LIMIT-LIST " ] [ "
531 .BR "ip xfrm policy" " { " delete " | " get " } " " dir "
532 .IR DIR " [ " SELECTOR " | "
541 .BR "ip xfrm policy" " { " deleteall " | " list " } "
554 .B "ip xfrm policy flush"
563 .RB " [ " main " | " sub " ] "
568 .RB " [ " in " | " out " | " fwd " ] "
573 .IR ADDR "[/" PLEN "]"
575 .IR ADDR "[/" PLEN] " [ " UPSPEC
595 .RB " [ " allow " | " block " ]"
599 .IR LIMIT-LIST " := "
601 .IR LIMIT-LIST " ] | "
607 .RB " [ [" time-soft "|" time-hard "|" time-use-soft "|" time-use-hard "]"
609 .RB " [ [" byte-soft "|" byte-hard "]"
612 .RB "[" packet-soft "|" packet-hard "]"
618 .IR TMPL-LIST " ] | "
644 .IR XFRM_PROTO " := "
645 .RB " [ " esp " | " ah " | " comp " | " route2 " | " hao " ] "
649 .RB " [ " transport " | " tunnel " | " beet " ] "
650 .B (default=transport)
654 .RB " [ " required " | " use " ] "
655 .B (default=required)
658 .BR "ip xfrm monitor" " [ " all " | "
659 .IR LISTofOBJECTS " ] "
667 .BR "\-V" , " \-Version"
668 print the version of the
673 .BR "\-s" , " \-stats", " \-statistics"
674 output more information. If the option
675 appears twice or more, the amount of information increases.
676 As a rule, the information is statistics or some time values.
679 .BR "\-f" , " \-family"
680 followed by protocol family identifier:
681 .BR "inet" , " inet6"
684 ,enforce the protocol family to use. If the option is not present,
685 the protocol family is guessed from other arguments. If the rest
686 of the command line does not give enough information to guess the
689 falls back to the default one, usually
694 is a special family identifier meaning that no networking protocol
705 .BR "\-family inet6" .
710 .BR "\-family link" .
713 .BR "\-o" , " \-oneline"
714 output each record on a single line, replacing line feeds
717 character. This is convenient when you want to count records
725 .BR "\-r" , " \-resolve"
726 use the system's name resolver to print DNS names instead of
729 .SH IP - COMMAND SYNTAX
740 - protocol (IP or IPv6) address on a device.
744 - label configuration for protocol address selection.
748 - ARP or NDISC cache entry.
752 - routing table entry.
756 - rule in routing policy database.
764 - multicast routing cache entry.
772 - framework for IPsec protocol.
775 The names of all objects may be written in full or
776 abbreviated form, e.g.
786 Specifies the action to perform on the object.
787 The set of possible actions depends on the object type.
788 As a rule, it is possible to
789 .BR "add" , " delete"
794 ) objects, but some objects do not allow all of these operations
795 or have some additional commands. The
797 command is available for all objects. It prints
798 out a list of available commands and argument syntax conventions.
800 If no command is given, some default command is assumed.
803 or, if the objects of this class cannot be listed,
806 .SH ip link - network device configuration
809 is a network device and the corresponding commands
810 display and change the state of devices.
812 .SS ip link set - change device attributes
815 .BI dev " NAME " (default)
817 specifies network device to operate on.
821 change the state of the device to
827 .BR "arp on " or " arp off"
833 .BR "multicast on " or " multicast off"
839 .BR "dynamic on " or " dynamic off"
846 change the name of the device. This operation is not
847 recommended if the device is running or has some addresses
851 .BI txqueuelen " NUMBER"
854 change the transmit queue length of the device.
863 .BI address " LLADDRESS"
864 change the station address of the interface.
867 .BI broadcast " LLADDRESS"
871 .BI peer " LLADDRESS"
872 change the link layer broadcast address or the peer address when
878 If multiple parameter changes are requested,
880 aborts immediately after any of the changes has failed.
881 This is the only case when
883 can move the system to an unpredictable state. The solution
884 is to avoid changing several parameters with one
888 .SS ip link show - display device attributes
891 .BI dev " NAME " (default)
893 specifies the network device to show.
894 If this argument is omitted all devices are listed.
898 only display running interfaces.
900 .SH ip address - protocol address management.
904 is a protocol (IP or IPv6) address attached
905 to a network device. Each device must have at least one address
906 to use the corresponding protocol. It is possible to have several
907 different addresses attached to one device. These addresses are not
908 discriminated, so that the term
910 is not quite appropriate for them and we do not use it in this document.
914 command displays addresses and their properties, adds new addresses
915 and deletes old ones.
917 .SS ip address add - add new protocol address.
921 the name of the device to add the address to.
924 .BI local " ADDRESS " (default)
925 the address of the interface. The format of the address depends
926 on the protocol. It is a dotted quad for IP and a sequence of
927 hexadecimal halfwords separated by colons for IPv6. The
929 may be followed by a slash and a decimal number which encodes
930 the network prefix length.
934 the address of the remote endpoint for pointopoint interfaces.
937 may be followed by a slash and a decimal number, encoding the network
938 prefix length. If a peer address is specified, the local address
939 cannot have a prefix length. The network prefix is associated
940 with the peer rather than with the local address.
943 .BI broadcast " ADDRESS"
944 the broadcast address on the interface.
946 It is possible to use the special symbols
950 instead of the broadcast address. In this case, the broadcast address
951 is derived by setting/resetting the host bits of the interface prefix.
955 Each address may be tagged with a label string.
956 In order to preserve compatibility with Linux-2.0 net aliases,
957 this string must coincide with the name of the device or must be prefixed
958 with the device name followed by colon.
961 .BI scope " SCOPE_VALUE"
962 the scope of the area where this address is valid.
963 The available scopes are listed in file
964 .BR "/etc/iproute2/rt_scopes" .
965 Predefined scope values are:
969 - the address is globally valid.
972 - (IPv6 only) the address is site local, i.e. it is
973 valid inside this site.
976 - the address is link local, i.e. it is valid only on this device.
979 - the address is valid only inside this host.
982 .SS ip address delete - delete protocol address
984 coincide with the arguments of
986 The device name is a required argument. The rest are optional.
987 If no arguments are given, the first address is deleted.
989 .SS ip address show - look at protocol addresses
992 .BI dev " NAME " (default)
996 .BI scope " SCOPE_VAL"
997 only list addresses with this scope.
1001 only list addresses matching this prefix.
1004 .BI label " PATTERN"
1005 only list addresses with labels matching the
1008 is a usual shell style pattern.
1011 .BR dynamic " and " permanent
1012 (IPv6 only) only list addresses installed due to stateless
1013 address configuration or only list permanent (not dynamic)
1018 (IPv6 only) only list addresses which did not pass duplicate
1023 (IPv6 only) only list deprecated addresses.
1026 .BR primary " and " secondary
1027 only list primary (or secondary) addresses.
1029 .SS ip address flush - flush protocol addresses
1030 This command flushes the protocol addresses selected by some criteria.
1033 This command has the same arguments as
1035 The difference is that it does not run when no arguments are given.
1039 This command (and other
1041 commands described below) is pretty dangerous. If you make a mistake,
1042 it will not forgive it, but will cruelly purge all the addresses.
1047 option, the command becomes verbose. It prints out the number of deleted
1048 addresses and the number of rounds made to flush the address list. If
1049 this option is given twice,
1051 also dumps all the deleted addresses in the format described in the
1052 previous subsection.
1054 .SH ip addrlabel - protocol address label management.
1056 IPv6 address labels are used for the address selection
1057 described in RFC 3484. Precedence is managed by userspace,
1058 and only the label is stored in the kernel.
1060 .SS ip addrlabel add - add an address label
1061 the command adds an address label entry to the kernel.
1063 .BI prefix " PREFIX"
1066 the outgoing interface.
1069 the label for the prefix.
1070 0xffffffff is reserved.
1071 .SS ip addrlabel del - delete an address label
1072 the command deletes an address label entry in the kernel.
1074 coincide with the arguments of
1076 but label is not required.
1077 .SS ip addrlabel list - list address labels
1078 the command shows the contents of address labels.
1079 .SS ip addrlabel flush - flush address labels
1080 the command flushes the contents of address labels and it does not restore default settings.
1081 .SH ip neighbour - neighbour/arp tables management.
1084 objects establish bindings between protocol addresses and
1085 link layer addresses for hosts sharing the same link.
1086 Neighbour entries are organized into tables. The IPv4 neighbour table
1087 is known by another name - the ARP table.
1090 The corresponding commands display neighbour bindings
1091 and their properties, add new neighbour entries and delete old ones.
1093 .SS ip neighbour add - add a new neighbour entry
1094 .SS ip neighbour change - change an existing entry
1095 .SS ip neighbour replace - add a new entry or change an existing one
1097 These commands create new neighbour records or update existing ones.
1100 .BI to " ADDRESS " (default)
1101 the protocol address of the neighbour. It is either an IPv4 or IPv6 address.
1105 the interface to which this neighbour is attached.
1108 .BI lladdr " LLADDRESS"
1109 the link layer address of the neighbour.
1115 .BI nud " NUD_STATE"
1116 the state of the neighbour entry.
1118 is an abbreviation for 'Neighbour Unreachability Detection'.
1119 The state can take one of the following values:
1123 - the neighbour entry is valid forever and can only
1124 be removed administratively.
1128 - the neighbour entry is valid. No attempts to validate
1129 this entry will be made but it can be removed when its lifetime expires.
1133 - the neighbour entry is valid until the reachability
1138 - the neighbour entry is valid but suspicious.
1141 does not change the neighbour state if it was valid and the address
1142 is not changed by this command.
1145 .SS ip neighbour delete - delete a neighbour entry
1146 This command invalidates a neighbour entry.
1149 The arguments are the same as with
1150 .BR "ip neigh add" ,
1159 Attempts to delete or manually change a
1161 entry created by the kernel may result in unpredictable behaviour.
1162 Particularly, the kernel may try to resolve this address even
1165 interface or if the address is multicast or broadcast.
1167 .SS ip neighbour show - list neighbour entries
1169 This command displays neighbour tables.
1172 .BI to " ADDRESS " (default)
1173 the prefix selecting the neighbours to list.
1177 only list the neighbours attached to this device.
1181 only list neighbours which are not currently in use.
1184 .BI nud " NUD_STATE"
1185 only list neighbour entries in this state.
1187 takes values listed below or the special value
1189 which means all states. This option may occur more than once.
1190 If this option is absent,
1192 lists all entries except for
1197 .SS ip neighbour flush - flush neighbour entries
1198 This command flushes neighbour tables, selecting
1199 entries to flush by some criteria.
1202 This command has the same arguments as
1204 The differences are that it does not run when no arguments are given,
1205 and that the default neighbour states to be flushed do not include
1213 option, the command becomes verbose. It prints out the number of
1214 deleted neighbours and the number of rounds made to flush the
1215 neighbour table. If the option is given
1218 also dumps all the deleted neighbours.
1220 .SH ip route - routing table management
1221 Manipulate route entries in the kernel routing tables, which keep
1222 information about paths to other networked nodes.
1228 - the route entry describes real paths to the destinations covered
1229 by the route prefix.
1233 - these destinations are unreachable. Packets are discarded and the
1237 The local senders get an
1243 - these destinations are unreachable. Packets are discarded silently.
1244 The local senders get an
1250 - these destinations are unreachable. Packets are discarded and the
1252 .I communication administratively prohibited
1253 is generated. The local senders get an
1259 - the destinations are assigned to this host. The packets are looped
1260 back and delivered locally.
1264 - the destinations are broadcast addresses. The packets are sent as
1269 - a special control route used together with policy rules. If such a
1270 route is selected, lookup in this table is terminated pretending that
1271 no route was found. Without policy routing it is equivalent to the
1272 absence of the route in the routing table. The packets are dropped
1273 and the ICMP message
1275 is generated. The local senders get an
1281 - a special NAT route. Destinations covered by the prefix
1282 are considered to be dummy (or external) addresses which require translation
1283 to real (or internal) ones before forwarding. The addresses to translate to
1284 are selected with the attribute
1286 Route NAT is no longer supported in Linux 2.6.
1292 .RI "- " "not implemented"
1293 the destinations are
1295 addresses assigned to this host. They are mainly equivalent
1298 with one difference: such addresses are invalid when used
1299 as the source address of any packet.
1303 - a special type used for multicast routing. It is not present in
1304 normal routing tables.
1309 Linux-2.x can pack routes into several routing
1310 tables identified by a number in the range from 1 to 255 or by
1312 .B /etc/iproute2/rt_tables
1313 By default all normal routes are inserted into the
1315 table (ID 254) and the kernel only uses this table when calculating routes.
1318 Actually, one other table always exists, which is invisible but
1319 even more important. It is the
1321 table (ID 255). This table
1322 consists of routes for local and broadcast addresses. The kernel maintains
1323 this table automatically and the administrator usually need not modify it
1326 The multiple routing tables enter the game when
1330 .SS ip route add - add new route
1331 .SS ip route change - change route
1332 .SS ip route replace - change or add new one
1335 .BI to " TYPE PREFIX " (default)
1336 the destination prefix of the route. If
1346 is an IP or IPv6 address optionally followed by a slash and the
1347 prefix length. If the length of the prefix is missing,
1349 assumes a full-length host route. There is also a special
1352 - which is equivalent to IP
1361 the Type Of Service (TOS) key. This key has no associated mask and
1362 the longest match is understood as: First, compare the TOS
1363 of the route and of the packet. If they are not equal, then the packet
1364 may still match a route with a zero TOS.
1366 is either an 8 bit hexadecimal number or an identifier
1368 .BR "/etc/iproute2/rt_dsfield" .
1371 .BI metric " NUMBER"
1373 .BI preference " NUMBER"
1374 the preference value of the route.
1376 is an arbitrary 32bit number.
1379 .BI table " TABLEID"
1380 the table to add this route to.
1382 may be a number or a string from the file
1383 .BR "/etc/iproute2/rt_tables" .
1384 If this parameter is omitted,
1388 table, with the exception of
1389 .BR local " , " broadcast " and " nat
1390 routes, which are put into the
1396 the output device name.
1400 the address of the nexthop router. Actually, the sense of this field
1401 depends on the route type. For normal
1403 routes it is either the true next hop router or, if it is a direct
1404 route installed in BSD compatibility mode, it can be a local address
1405 of the interface. For NAT routes it is the first address of the block
1406 of translated IP destinations.
1410 the source address to prefer when sending to the destinations
1411 covered by the route prefix.
1414 .BI realm " REALMID"
1415 the realm to which this route is assigned.
1417 may be a number or a string from the file
1418 .BR "/etc/iproute2/rt_realms" .
1423 .BI "mtu lock" " MTU"
1424 the MTU along the path to the destination. If the modifier
1426 is not used, the MTU may be updated by the kernel due to
1427 Path MTU Discovery. If the modifier
1429 is used, no path MTU discovery will be tried, all packets
1430 will be sent without the DF bit in IPv4 case or fragmented
1434 .BI window " NUMBER"
1435 the maximal window for TCP to advertise to these destinations,
1436 measured in bytes. It limits maximal data bursts that our TCP
1437 peers are allowed to send to us.
1441 the initial RTT ('Round Trip Time') estimate. If no suffix is
1442 specified the units are raw values passed directly to the
1443 routing code to maintain compatibility with previous releases.
1444 Otherwise if a suffix of s, sec or secs is used to specify
1445 seconds; ms, msec or msecs to specify milliseconds; us, usec
1446 or usecs to specify microseconds; ns, nsec or nsecs to specify
1447 nanoseconds; j, hz or jiffies to specify jiffies, the value is
1448 converted to what the routing code expects.
1452 .BI rttvar " TIME " "(2.3.15+ only)"
1453 the initial RTT variance estimate. Values are specified as with
1458 .BI rto_min " TIME " "(2.6.23+ only)"
1459 the minimum TCP Retransmission TimeOut to use when communicating with this
1460 destination. Values are specified as with
1465 .BI ssthresh " NUMBER " "(2.3.15+ only)"
1466 an estimate for the initial slow start threshold.
1469 .BI cwnd " NUMBER " "(2.3.15+ only)"
1470 the clamp for congestion window. It is ignored if the
1475 .BI advmss " NUMBER " "(2.3.15+ only)"
1476 the MSS ('Maximal Segment Size') to advertise to these
1477 destinations when establishing TCP connections. If it is not given,
1478 Linux uses a default value calculated from the first hop device MTU.
1479 (If the path to these destinations is asymmetric, this guess may be wrong.)
1482 .BI reordering " NUMBER " "(2.3.15+ only)"
1483 Maximal reordering on the path to this destination.
1484 If it is not given, Linux uses the value selected with
1487 .BR "net/ipv4/tcp_reordering" .
1490 .BI nexthop " NEXTHOP"
1491 the nexthop of a multipath route.
1493 is a complex value with its own syntax similar to the top level
1498 - is the nexthop router.
1502 - is the output device.
1505 .BI weight " NUMBER"
1506 - is a weight for this element of a multipath
1507 route reflecting its relative bandwidth or quality.
1511 .BI scope " SCOPE_VAL"
1512 the scope of the destinations covered by the route prefix.
1514 may be a number or a string from the file
1515 .BR "/etc/iproute2/rt_scopes" .
1516 If this parameter is omitted,
1525 .BR unicast " and " broadcast
1527 .BR host " for " local
1531 .BI protocol " RTPROTO"
1532 the routing protocol identifier of this route.
1534 may be a number or a string from the file
1535 .BR "/etc/iproute2/rt_protos" .
1536 If the routing protocol ID is not given,
1537 .B ip assumes protocol
1539 (i.e. it assumes the route was added by someone who doesn't
1540 understand what they are doing). Several protocol values have
1541 a fixed interpretation.
1546 - the route was installed due to an ICMP redirect.
1550 - the route was installed by the kernel during autoconfiguration.
1554 - the route was installed during the bootup sequence.
1555 If a routing daemon starts, it will purge all of them.
1559 - the route was installed by the administrator
1560 to override dynamic routing. Routing daemon will respect them
1561 and, probably, even advertise them to its peers.
1565 - the route was installed by Router Discovery protocol.
1569 The rest of the values are not reserved and the administrator is free
1570 to assign (or not to assign) protocol tags.
1574 pretend that the nexthop is directly attached to this link,
1575 even if it does not match any interface prefix.
1579 allow packet by packet randomization on multipath routes.
1580 Without this modifier, the route will be frozen to one selected
1581 nexthop, so that load splitting will only occur on a per-flow basis.
1583 only works if the kernel is patched.
1585 .SS ip route delete - delete route
1588 has the same arguments as
1589 .BR "ip route add" ,
1590 but their semantics are a bit different.
1593 .RB "(" to ", " tos ", " preference " and " table ")"
1594 select the route to delete. If optional attributes are present,
1596 verifies that they coincide with the attributes of the route to delete.
1597 If no route with the given key and attributes was found,
1601 .SS ip route show - list routes
1602 the command displays the contents of the routing tables or the route(s)
1603 selected by some criteria.
1606 .BI to " SELECTOR " (default)
1607 only select routes from the given range of destinations.
1609 consists of an optional modifier
1610 .RB "(" root ", " match " or " exact ")"
1613 selects routes with prefixes not shorter than
1617 selects the entire routing table.
1619 selects routes with prefixes not longer than
1622 .BI match " 10.0/16"
1625 .IR 10/8 " and " 0/0 ,
1626 but it does not select
1627 .IR 10.1/16 " and " 10.0.0/24 .
1632 selects routes with this exact prefix. If neither of these options
1637 i.e. it lists the entire table.
1642 only select routes with the given TOS.
1645 .BI table " TABLEID"
1646 show the routes from this table(s). The default setting is to show
1649 may either be the ID of a real table or one of the special values:
1653 - list all of the tables.
1656 - dump the routing cache.
1663 list cloned routes, i.e. routes which were dynamically forked from
1664 other routes because some route attribute (e.g. MTU) was updated.
1665 Actually, it is equivalent to
1666 .BR "table cache" "."
1669 .BI from " SELECTOR"
1670 the same syntax as for
1672 but it binds the source address range rather than destinations.
1675 option only works with cloned routes.
1678 .BI protocol " RTPROTO"
1679 only list routes of this protocol.
1682 .BI scope " SCOPE_VAL"
1683 only list routes with this scope.
1687 only list routes of this type.
1691 only list routes going via this device.
1695 only list routes going via the nexthop routers selected by
1700 only list routes with preferred source addresses selected
1705 .BI realm " REALMID"
1707 .BI realms " FROMREALM/TOREALM"
1708 only list routes with these realms.
1710 .SS ip route flush - flush routing tables
1711 this command flushes routes selected by some criteria.
1714 The arguments have the same syntax and semantics as the arguments of
1715 .BR "ip route show" ,
1716 except that the routing tables are purged rather than listed. The only difference is
1719 dumps all the IP main routing table but
1721 prints the helper page.
1726 option, the command becomes verbose. It prints out the number of
1727 deleted routes and the number of rounds made to flush the routing
1728 table. If the option is given
1731 also dumps all the deleted routes in the format described in the
1732 previous subsection.
1734 .SS ip route get - get a single route
1735 this command gets a single route to a destination and prints its
1736 contents exactly as the kernel sees it.
1739 .BI to " ADDRESS " (default)
1740 the destination address.
1750 the Type Of Service.
1754 the device from which this packet is expected to arrive.
1758 force the output device on which this packet will be routed.
1762 if no source address
1763 .RB "(option " from ")"
1764 was given, relookup the route with the source set to the preferred
1765 address received from the first lookup.
1766 If policy routing is used, it may be a different route.
1769 Note that this operation is not equivalent to
1770 .BR "ip route show" .
1772 shows existing routes.
1774 resolves them and creates new clones if necessary. Essentially,
1776 is equivalent to sending a packet along this path.
1779 argument is not given, the kernel creates a route
1780 to output packets towards the requested destination.
1781 This is equivalent to pinging the destination
1783 .BR "ip route ls cache" ,
1784 however, no packets are actually sent. With the
1786 argument, the kernel pretends that a packet arrived from this interface
1787 and searches for a path to forward the packet.
1789 .SH ip rule - routing policy database management
1792 in the routing policy database control the route selection algorithm.
1795 Classic routing algorithms used in the Internet make routing decisions
1796 based only on the destination address of packets (and in theory,
1797 but not in practice, on the TOS field).
1800 In some circumstances we want to route packets differently depending not only
1801 on destination addresses, but also on other packet fields: source address,
1802 IP protocol, transport protocol ports or even packet payload.
1803 This task is called 'policy routing'.
1806 To solve this task, the conventional destination based routing table, ordered
1807 according to the longest match rule, is replaced with a 'routing policy
1808 database' (or RPDB), which selects routes by executing some set of rules.
1811 Each policy routing rule consists of a
1814 .B action predicate.
1815 The RPDB is scanned in the order of increasing priority. The selector
1816 of each rule is applied to {source address, destination address, incoming
1817 interface, tos, fwmark} and, if the selector matches the packet,
1818 the action is performed. The action predicate may return with success.
1819 In this case, it will either give a route or failure indication
1820 and the RPDB lookup is terminated. Otherwise, the RPDB program
1821 continues on the next rule.
1824 Semantically, the natural action is to select the nexthop and the output device.
1827 At startup time the kernel configures the default RPDB consisting of three
1832 Priority: 0, Selector: match anything, Action: lookup routing
1838 table is a special routing table containing
1839 high priority control routes for local and broadcast addresses.
1841 Rule 0 is special. It cannot be deleted or overridden.
1845 Priority: 32766, Selector: match anything, Action: lookup routing
1851 table is the normal routing table containing all non-policy
1852 routes. This rule may be deleted and/or overridden with other
1853 ones by the administrator.
1857 Priority: 32767, Selector: match anything, Action: lookup routing
1863 table is empty. It is reserved for some post-processing if no previous
1864 default rules selected the packet.
1865 This rule may also be deleted.
1868 Each RPDB entry has additional
1869 attributes. For example, each rule has a pointer to some routing
1870 table. NAT and masquerading rules have an attribute to select new IP
1871 address to translate/masquerade. Besides that, rules have some
1872 optional attributes, which routes have, namely
1874 These values do not override those contained in the routing tables. They
1875 are only used if the route did not select any attributes.
1878 The RPDB may contain rules of the following types:
1882 - the rule prescribes to return the route found
1883 in the routing table referenced by the rule.
1886 - the rule prescribes to silently drop the packet.
1889 - the rule prescribes to generate a 'Network is unreachable' error.
1892 - the rule prescribes to generate 'Communication is administratively
1896 - the rule prescribes to translate the source address
1897 of the IP packet into some other value.
1900 .SS ip rule add - insert a new rule
1901 .SS ip rule delete - delete a rule
1904 .BI type " TYPE " (default)
1905 the type of this rule. The list of valid types was given in the previous
1910 select the source prefix to match.
1914 select the destination prefix to match.
1918 select the incoming device to match. If the interface is loopback,
1919 the rule only matches packets originating from this host. This means
1920 that you may create separate routing tables for forwarded and local
1921 packets and, hence, completely segregate them.
1927 select the TOS value to match.
1936 .BI priority " PREFERENCE"
1937 the priority of this rule. Each rule should have an explicitly
1941 The options preference and order are synonyms with priority.
1944 .BI table " TABLEID"
1945 the routing table identifier to lookup if the rule selector matches.
1946 It is also possible to use lookup instead of table.
1949 .BI realms " FROM/TO"
1950 Realms to select if the rule matched and the routing table lookup
1953 is only used if the route did not select any realm.
1957 The base of the IP address block to translate (for source addresses).
1960 may be either the start of the block of NAT addresses (selected by NAT
1961 routes) or a local host address (or even zero).
1962 In the last case the router does not translate the packets, but
1963 masquerades them to this address.
1964 Using map-to instead of nat means the same thing.
1967 Changes to the RPDB made with these commands do not become active
1968 immediately. It is assumed that after a script finishes a batch of
1969 updates, it flushes the routing cache with
1970 .BR "ip route flush cache" .
1972 .SS ip rule flush - also dumps all the deleted rules.
1973 This command has no arguments.
1975 .SS ip rule show - list rules
1976 This command has no arguments.
1977 The options list or lst are synonyms with show.
1979 .SH ip maddress - multicast addresses management
1982 objects are multicast addresses.
1984 .SS ip maddress show - list multicast addresses
1987 .BI dev " NAME " (default)
1990 .SS ip maddress add - add a multicast address
1991 .SS ip maddress delete - delete a multicast address
1992 these commands attach/detach a static link layer multicast address
1993 to listen on the interface.
1994 Note that it is impossible to join protocol multicast groups
1995 statically. This command only manages link layer addresses.
1998 .BI address " LLADDRESS " (default)
1999 the link layer multicast address.
2003 the device to join/leave this multicast address.
2005 .SH ip mroute - multicast routing cache management
2007 objects are multicast routing cache entries created by a user level
2008 mrouting daemon (f.e.
2014 Due to the limitations of the current interface to the multicast routing
2015 engine, it is impossible to change
2017 objects administratively, so we may only display them. This limitation
2018 will be removed in the future.
2020 .SS ip mroute show - list mroute cache entries
2023 .BI to " PREFIX " (default)
2024 the prefix selecting the destination multicast addresses to list.
2028 the interface on which multicast packets are received.
2032 the prefix selecting the IP source addresses of the multicast route.
2034 .SH ip tunnel - tunnel configuration
2036 objects are tunnels, encapsulating packets in IP packets and then
2037 sending them over the IP infrastructure.
2038 The encapsulating (or outer) address family is specified by the
2040 option. The default is IPv4.
2042 .SS ip tunnel add - add a new tunnel
2043 .SS ip tunnel change - change an existing tunnel
2044 .SS ip tunnel delete - destroy a tunnel
2047 .BI name " NAME " (default)
2048 select the tunnel device name.
2052 set the tunnel mode. Available modes depend on the encapsulating address family.
2054 Modes for IPv4 encapsulation available:
2055 .BR ipip ", " sit ", " isatap " and " gre "."
2057 Modes for IPv6 encapsulation available:
2058 .BR ip6ip6 ", " ipip6 " and " any "."
2061 .BI remote " ADDRESS"
2062 set the remote endpoint of the tunnel.
2065 .BI local " ADDRESS"
2066 set the fixed local address for tunneled packets.
2067 It must be an address on another interface of this host.
2073 on tunneled packets.
2075 is a number in the range 1--255. 0 is a special value
2076 meaning that packets inherit the TTL value.
2077 The default value for IPv4 tunnels is:
2079 The default value for IPv6 tunnels is:
2089 set a fixed TOS (or traffic class in IPv6)
2091 on tunneled packets.
2092 The default value is:
2097 bind the tunnel to the device
2099 so that tunneled packets will only be routed via this device and will
2100 not be able to escape to another device when the route to endpoint
2105 disable Path MTU Discovery on this tunnel.
2106 It is enabled by default. Note that a fixed ttl is incompatible
2107 with this option: tunnelling with a fixed ttl always makes pmtu
2116 .RB ( " only GRE tunnels " )
2117 use keyed GRE with key
2119 is either a number or an IP address-like dotted quad.
2122 parameter sets the key to use in both directions.
2124 .BR ikey " and " okey
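2125 parameters set different keys for input and output. Note that the GRE key only identifies the tunnel's traffic; it does not authenticate or encrypt tunneled packets.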
2128 .BR csum ", " icsum ", " ocsum
2129 .RB ( " only GRE tunnels " )
2130 generate/require checksums for tunneled packets.
2133 flag calculates checksums for outgoing packets.
2136 flag requires that all input packets have the correct
2139 flag is equivalent to the combination
2143 .BR seq ", " iseq ", " oseq
2144 .RB ( " only GRE tunnels " )
2148 flag enables sequencing of outgoing packets.
2151 flag requires that all input packets are serialized.
2154 flag is equivalent to the combination
2156 .B It doesn't work. Don't use it.
2161 .RB ( " only IPv6 tunnels " )
2162 Inherit DS field between inner and outer header.
2166 .BI encaplim " ELIM"
2167 .RB ( " only IPv6 tunnels " )
2168 set a fixed encapsulation limit. Default is 4.
2172 .BI flowlabel " FLOWLABEL"
2173 .RB ( " only IPv6 tunnels " )
2174 set a fixed flowlabel.
2176 .SS ip tunnel show - list tunnels
2177 This command has no arguments.
2179 .SH ip monitor and rtmon - state monitoring
2183 utility can monitor the state of devices, addresses
2184 and routes continuously. This option has a slightly different format.
2187 command is the first in the command line and then the object list follows:
2189 .BR "ip monitor" " [ " all " |"
2190 .IR LISTofOBJECTS " ]"
2193 is the list of object types that we want to monitor.
2195 .BR link ", " address " and " route "."
2200 opens RTNETLINK, listens on it and dumps state changes in the format
2201 described in previous sections.
2204 If a file name is given, it does not listen on RTNETLINK,
2205 but opens the file containing RTNETLINK messages saved in binary format
2206 and dumps them. Such a history file can be generated with the
2208 utility. This utility has a command line syntax similar to
2212 should be started before the first network configuration command
2213 is issued. F.e. if you insert:
2216 rtmon file /var/log/rtmon.log
2219 in a startup script, you will be able to view the full history
2223 Certainly, it is possible to start
2226 It prepends the history with the state snapshot dumped at the moment
2229 .SH ip xfrm - setting xfrm
2230 xfrm is an IP framework, which can transform the format of datagrams,
2232 i.e. encrypt the packets with some algorithm. xfrm policy and xfrm state
2233 are associated through templates
2235 This framework is used as a part of the IPsec protocol.
2237 .SS ip xfrm state add - add new state into xfrm
2239 .SS ip xfrm state update - update existing xfrm state
2241 .SS ip xfrm state allocspi - allocate SPI value
2245 is set as default to
2247 but it could be set to
2248 .BR tunnel "," ro " or " beet "."
2252 contains one or more flags.
2257 .BR noecn ", " decap-dscp " or " wildrecv "."
2261 encapsulation is set to encapsulation type
2262 .IR ENCAP-TYPE ", source port " SPORT ", destination port " DPORT " and " OADDR "."
2267 .BR espinudp " or " espinudp-nonike "."
2271 contains one or more algorithms
2273 which depend on the type of algorithm set by
2275 The following algorithm types can be used:
2276 .BR enc ", " auth " or " comp "."
2278 .SS ip xfrm policy add - add a new policy
2280 .SS ip xfrm policy update - update an existing policy
2282 .SS ip xfrm policy delete - delete existing policy
2284 .SS ip xfrm policy get - get existing policy
2286 .SS ip xfrm policy deleteall - delete all existing xfrm policy
2288 .SS ip xfrm policy list - print out the list of xfrm policy
2290 .SS ip xfrm policy flush - flush policies
2293 policies or only those specified with
2298 direction could be one of these:
2299 .BR inp ", " out " or " fwd "."
2303 selects the addresses for which the policy will be set up. The selector
2304 is defined by source and destination address.
2308 is defined by source port
2318 specify network device.
2322 the number of indexed policy.
2326 type is set as default on
2332 .BI action " ACTION "
2333 is set as default on
2335 It can be switched to
2339 .BI priority " PRIORITY "
2340 priority is a number. The default priority is zero.
2344 limits are set in seconds, bytes or numbers of packets.
2348 template list is based on
2350 .BR mode ", " reqid " and " level ". "
2354 is specified by source address, destination address,
2362 .BR esp ", " ah ", " comp ", " route2 " or " hao "."
2366 is set as default to
2368 but it could be set to
2369 .BR tunnel " or " beet "."
2373 is set as default on
2375 and the other choice is
2387 .SS ip xfrm monitor - is used for listing all objects or defined group of them.
2390 can monitor the policies for all objects or a defined group of them.
2394 was written by Alexey N. Kuznetsov and added in Linux 2.2.
2398 .RB "IP Command reference " ip-cref.ps
2400 .RB "IP tunnels " ip-cref.ps
2402 .RB "User documentation at " http://lartc.org/ ", but please direct bugreports and patches to: " <netdev@vger.kernel.org>
2405 Original Manpage by Michail Litvak <mci@owl.openwall.com>