xfrm: Update documentation

[lisovros/iproute2_canprio.git] / man / man8 / ip.8

.TH IP 8 "17 January 2002" "iproute2" "Linux"
.SH NAME
ip \- show / manipulate routing, devices, policy routing and tunnels
.SH SYNOPSIS

.ad l
.in +8
.ti -8
.B ip
.RI "[ " OPTIONS " ] " OBJECT " { " COMMAND " | "
.BR help " }"
.sp

.ti -8
.IR OBJECT " := { "
.BR link " | " addr " | " addrlabel " | " route " | " rule " | " neigh " | "\
 tunnel " | " maddr " | "  mroute " | " monitor " }"
.sp

.ti -8
.IR OPTIONS " := { "
\fB\-V\fR[\fIersion\fR] |
\fB\-s\fR[\fItatistics\fR] |
\fB\-r\fR[\fIesolve\fR] |
\fB\-f\fR[\fIamily\fR] {
.BR inet " | " inet6 " | " ipx " | " dnet " | " link " } | "
\fB\-o\fR[\fIneline\fR] }

.ti -8
.BI "ip link add link " DEVICE
.RB "[ " name " ]"
.I NAME
.br
.RB "[ " txqueuelen 
.IR PACKETS " ]"
.br
.RB "[ " address
.IR LLADDR " ]"
.RB "[ " broadcast
.IR LLADDR " ]"
.br
.RB "[ " mtu
.IR MTU " ]"
.br
.BR type " TYPE"
.RI "[ " ARGS " ]"

.ti -8
.IR TYPE " := [ "
.BR vlan " | " maclan " | " can " ]"

.ti -8
.BI "ip link delete " DEVICE
.BI type " TYPE"
.RI "[ " ARGS " ]"

.ti -8
.BR "ip link set " {
.IR DEVICE " | "
.BI "group " GROUP
.RB "} { " up " | " down " | " arp " { " on " | " off " } |"
.br
.BR promisc " { " on " | " off " } |"
.br
.BR allmulticast " { " on " | " off " } |"
.br
.BR dynamic " { " on " | " off " } |"
.br
.BR multicast " { " on " | " off " } |"
.br
.B  txqueuelen
.IR PACKETS " |"
.br
.B  name
.IR NEWNAME " |"
.br
.B  address
.IR LLADDR " |"
.B  broadcast
.IR LLADDR " |"
.br
.B  mtu
.IR MTU " |"
.br
.B  netns
.IR PID " |"
.br
.B alias
.IR NAME  " |"
.br
.B vf
.IR NUM " ["
.B  mac
.IR LLADDR " ] ["
.B vlan
.IR VLANID " [ "
.B qos
.IR VLAN-QOS " ] ] ["
.B rate
.IR TXRATE " ] |"
.br
.B master
.IR DEVICE
.br
.B nomaster

.ti -8
.B ip link show
.RI "[ " DEVICE " | "
.B group
.IR GROUP " ]"

.ti -8
.BR "ip addr" " { " add " | " del " } "
.IB IFADDR " dev " STRING

.ti -8
.BR "ip addr" " { " show " | " flush " } [ " dev
.IR STRING " ] [ "
.B  scope
.IR SCOPE-ID " ] [ "
.B  to
.IR PREFIX " ] [ " FLAG-LIST " ] [ "
.B  label
.IR PATTERN " ]"

.ti -8
.IR IFADDR " := " PREFIX " | " ADDR
.B  peer
.IR PREFIX " [ "
.B  broadcast
.IR ADDR " ] [ "
.B  anycast
.IR ADDR " ] [ "
.B  label
.IR STRING " ] [ "
.B  scope
.IR SCOPE-ID " ]"

.ti -8
.IR SCOPE-ID " := "
.RB "[ " host " | " link " | " global " | "
.IR NUMBER " ]"

.ti -8
.IR FLAG-LIST " := [ "  FLAG-LIST " ] " FLAG

.ti -8
.IR FLAG " := "
.RB "[ " permanent " | " dynamic " | " secondary " | " primary " | "\
tentative " | " deprecated " | " dadfailed " | " temporary " ]"

.ti -8
.BR "ip addrlabel" " { " add " | " del " } " prefix
.BR PREFIX " [ "
.B dev
.IR DEV " ] [ "
.B label
.IR NUMBER " ]"

.ti -8
.BR "ip addrlabel" " { " list " | " flush " }"

.ti -8
.BR "ip route" " { "
.BR list " | " flush " } "
.I  SELECTOR

.ti -8
.BR "ip route save"
.I SELECTOR

.ti -8
.BR "ip route restore"

.ti -8
.B  ip route get
.IR ADDRESS " [ "
.BI from " ADDRESS " iif " STRING"
.RB " ] [ " oif
.IR STRING " ] [ "
.B  tos
.IR TOS " ]"

.ti -8
.BR "ip route" " { " add " | " del " | " change " | " append " | "\
replace " | " monitor " } "
.I  ROUTE

.ti -8
.IR SELECTOR " := "
.RB "[ " root
.IR PREFIX " ] [ "
.B  match
.IR PREFIX " ] [ "
.B  exact
.IR PREFIX " ] [ "
.B  table
.IR TABLE_ID " ] [ "
.B  proto
.IR RTPROTO " ] [ "
.B  type
.IR TYPE " ] [ "
.B  scope
.IR SCOPE " ]"

.ti -8
.IR ROUTE " := " NODE_SPEC " [ " INFO_SPEC " ]"

.ti -8
.IR NODE_SPEC " := [ " TYPE " ] " PREFIX " ["
.B  tos
.IR TOS " ] [ "
.B  table
.IR TABLE_ID " ] [ "
.B  proto
.IR RTPROTO " ] [ "
.B  scope
.IR SCOPE " ] [ "
.B  metric
.IR METRIC " ]"

.ti -8
.IR INFO_SPEC " := " "NH OPTIONS FLAGS" " ["
.B  nexthop
.IR NH " ] ..."

.ti -8
.IR NH " := [ "
.B  via
.IR ADDRESS " ] [ "
.B  dev
.IR STRING " ] [ "
.B  weight
.IR NUMBER " ] " NHFLAGS

.ti -8
.IR OPTIONS " := " FLAGS " [ "
.B  mtu
.IR NUMBER " ] [ "
.B  advmss
.IR NUMBER " ] [ "
.B  rtt
.IR TIME " ] [ "
.B  rttvar
.IR TIME " ] [ "
.B  window
.IR NUMBER " ] [ "
.B  cwnd
.IR NUMBER " ] [ "
.B  ssthresh
.IR REALM " ] [ "
.B  realms
.IR REALM " ] [ "
.B  rto_min
.IR TIME " ] [ "
.B  initcwnd
.IR NUMBER " ] [ "
.B  initrwnd
.IR NUMBER " ]"

.ti -8
.IR TYPE " := [ "
.BR unicast " | " local " | " broadcast " | " multicast " | "\
throw " | " unreachable " | " prohibit " | " blackhole " | " nat " ]"

.ti -8
.IR TABLE_ID " := [ "
.BR local "| " main " | " default " | " all " |"
.IR NUMBER " ]"

.ti -8
.IR SCOPE " := [ "
.BR host " | " link " | " global " |"
.IR NUMBER " ]"

.ti -8
.IR NHFLAGS " := [ "
.BR onlink " | " pervasive " ]"

.ti -8
.IR RTPROTO " := [ "
.BR kernel " | " boot " | " static " |"
.IR NUMBER " ]"

.ti -8
.B  ip rule
.RB " [ " list " | " add " | " del " | " flush " ]"
.I  SELECTOR ACTION

.ti -8
.IR SELECTOR " := [ "
.B  from
.IR PREFIX " ] [ "
.B  to
.IR PREFIX " ] [ "
.B  tos
.IR TOS " ] [ "
.B  fwmark
.IR FWMARK[/MASK] " ] [ "
.B  iif
.IR STRING " ] [ "
.B  oif
.IR STRING " ] [ "
.B  pref
.IR NUMBER " ]"

.ti -8
.IR ACTION " := [ "
.B  table
.IR TABLE_ID " ] [ "
.B  nat
.IR ADDRESS " ] [ "
.BR prohibit " | " reject " | " unreachable " ] [ " realms
.RI "[" SRCREALM "/]" DSTREALM " ]"

.ti -8
.IR TABLE_ID " := [ "
.BR local " | " main " | " default " |"
.IR NUMBER " ]"

.ti -8
.BR "ip neigh" " { " add " | " del " | " change " | " replace " } { "
.IR ADDR " [ "
.B  lladdr
.IR LLADDR " ] [ "
.BR nud " { " permanent " | " noarp " | " stale " | " reachable " } ] | " proxy
.IR ADDR " } [ "
.B  dev
.IR DEV " ]"

.ti -8
.BR "ip neigh" " { " show " | " flush " } [ " to
.IR PREFIX " ] [ "
.B  dev
.IR DEV " ] [ "
.B  nud
.IR STATE " ]"

.ti -8
.BR "ip tunnel" " { " add " | " change " | " del " | " show " | " prl " }"
.RI "[ " NAME " ]"
.br
.RB "[ " mode
.IR MODE " ] [ "
.B remote
.IR ADDR " ] [ "
.B  local
.IR ADDR " ]"
.br
.RB "[ [" i "|" o "]" seq " ] [ [" i "|" o "]" key
.IR KEY " ] [ "
.RB "[" i "|" o "]" csum " ] ]"
.br
.RB "[ " encaplimit
.IR ELIM " ]"
.RB "[ " ttl
.IR TTL " ]"
.br
.RB "[ " tos
.IR TOS " ] [ "
.B flowlabel
.IR FLOWLABEL " ]"
.br
.RB "[ " prl-default
.IR ADDR " ] [ "
.B prl-nodefault
.IR ADDR " ] [ "
.B prl-delete
.IR ADDR " ]"
.br
.RB "[ [" no "]" pmtudisc " ]"
.RB "[ " dev
.IR PHYS_DEV " ]"
.RB "[ " "dscp inherit" " ]"

.ti -8
.IR MODE " := "
.RB " { " ipip " | " gre " | " sit " | " isatap " | " ip6ip6 " | " ipip6 " | " any " }"

.ti -8
.IR ADDR " := { " IP_ADDRESS " |"
.BR any " }"

.ti -8
.IR TOS " := { " NUMBER " |"
.BR inherit " }"

.ti -8
.IR ELIM " := {
.BR none " | "
.IR 0 ".." 255 " }"

.ti -8
.ti -8
.IR TTL " := { " 1 ".." 255 " | "
.BR inherit " }"

.ti -8
.IR KEY " := { " DOTTED_QUAD " | " NUMBER " }"

.ti -8
.IR TIME " := " NUMBER "[s|ms]"

.ti -8
.BR "ip maddr" " [ " add " | " del " ]"
.IB MULTIADDR " dev " STRING

.ti -8
.BR "ip maddr show" " [ " dev
.IR STRING " ]"

.ti -8
.BR "ip mroute show" " ["
.IR PREFIX " ] [ "
.B  from
.IR PREFIX " ] [ "
.B  iif
.IR DEVICE " ]"

.ti -8
.BR "ip monitor" " [ " all " |"
.IR LISTofOBJECTS " ]"
.sp

.ti -8
.B "ip xfrm"
.IR XFRM-OBJECT " { " COMMAND " | "
.BR help " }"
.sp

.ti -8
.IR XFRM-OBJECT " :="
.BR state " | " policy " | " monitor
.sp

.ti -8
.BR "ip xfrm state " { " add " | " update " } "
.IR ID " [ " ALGO-LIST " ]"
.RB "[ " mode
.IR MODE " ]"
.RB "[ " mark
.I MARK
.RB "[ " mask
.IR MASK " ] ]"
.RB "[ " reqid
.IR REQID " ]"
.RB "[ " seq
.IR SEQ " ]"
.RB "[ " replay-window
.IR SIZE " ]"
.RB "[ " replay-seq
.IR SEQ " ]"
.RB "[ " replay-oseq
.IR SEQ " ]"
.RB "[ " flag
.IR FLAG-LIST " ]"
.RB "[ " sel
.IR SELECTOR " ] [ " LIMIT-LIST " ]"
.RB "[ " encap
.IR ENCAP " ]"
.RB "[ " coa
.IR ADDR "[/" PLEN "] ]"
.RB "[ " ctx
.IR CTX " ]"

.ti -8
.B "ip xfrm state allocspi"
.I ID
.RB "[ " mode
.IR MODE " ]"
.RB "[ " mark
.I MARK
.RB "[ " mask
.IR MASK " ] ]"
.RB "[ " reqid
.IR REQID " ]"
.RB "[ " seq
.IR SEQ " ]"
.RB "[ " min
.I SPI
.B max
.IR SPI " ]"

.ti -8
.BR "ip xfrm state" " { " delete " | " get " } "
.I ID
.RB "[ " mark
.I MARK
.RB "[ " mask
.IR MASK " ] ]"

.ti -8
.BR "ip xfrm state" " { " deleteall " | " list " } ["
.IR ID " ]"
.RB "[ " mode
.IR MODE " ]"
.RB "[ " reqid
.IR REQID " ]"
.RB "[ " flag
.IR FLAG-LIST " ]"

.ti -8
.BR "ip xfrm state flush" " [ " proto
.IR XFRM-PROTO " ]"

.ti -8
.BR "ip xfrm state count"

.ti -8
.IR ID " :="
.RB "[ " src
.IR ADDR " ]"
.RB "[ " dst
.IR ADDR " ]"
.RB "[ " proto
.IR XFRM-PROTO " ]"
.RB "[ " spi
.IR SPI " ]"

.ti -8
.IR XFRM-PROTO " :="
.BR esp " | " ah " | " comp " | " route2 " | " hao

.ti -8
.IR ALGO-LIST " := [ " ALGO-LIST " ] " ALGO

.ti -8
.IR ALGO " :="
.RB "{ " enc " | " auth " | " comp " } " 
.IR ALGO-NAME " " ALGO-KEY
.R "|"
.br
.B aead
.IR ALGO-NAME " " ALGO-KEY " " ALGO-ICV-LEN
.R "|"
.br
.B auth-trunc
.IR ALGO-NAME " " ALGO-KEY " " ALGO-TRUNC-LEN

.ti -8
.IR MODE " := "
.BR transport " | " tunnel " | " ro " | " in_trigger " | " beet

.ti -8
.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG

.ti -8
.IR FLAG " :="
.BR noecn " | " decap-dscp " | " nopmtudisc " | " wildrecv " | " icmp " | " af-unspec " | " align4

.ti -8
.IR SELECTOR " :="
.RB "[ " src
.IR ADDR "[/" PLEN "] ]"
.RB "[ " dst
.IR ADDR "[/" PLEN "] ]"
.RB "[ " dev
.IR DEV " ]"
.br
.RI "[ " UPSPEC " ]"

.ti -8
.IR UPSPEC " := "
.BR proto " {"
.IR PROTO " |"
.br
.RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
.IR PORT " ]"
.RB "[ " dport
.IR PORT " ] |"
.br
.RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
.IR NUMBER " ]"
.RB "[ " code
.IR NUMBER " ] |"
.br
.BR gre " [ " key
.RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"

.ti -8
.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
.B limit
.I LIMIT

.ti -8
.IR LIMIT " :="
.RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
.IR "SECONDS" " |"
.br
.RB "{ " byte-soft " | " byte-hard " }"
.IR SIZE " |"
.br
.RB "{ " packet-soft " | " packet-hard " }"
.I COUNT

.ti -8
.IR ENCAP " :="
.RB "{ " espinudp " | " espinudp-nonike " }"
.IR SPORT " " DPORT " " OADDR

.ti -8
.BR "ip xfrm policy" " { " add " | " update " }"
.I SELECTOR
.B dir
.I DIR
.RB "[ " ctx
.IR CTX " ]"
.RB "[ " mark
.I MARK
.RB "[ " mask
.IR MASK " ] ]"
.RB "[ " index
.IR INDEX " ]"
.RB "[ " ptype
.IR PTYPE " ]"
.RB "[ " action
.IR ACTION " ]"
.RB "[ " priority
.IR PRIORITY " ]"
.RB "[ " flag
.IR FLAG-LIST " ]"
.RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]"

.ti -8
.BR "ip xfrm policy" " { " delete " | " get " }"
.RI "{ " SELECTOR " | "
.B index
.IR INDEX " }"
.B dir
.I DIR
.RB "[ " ctx
.IR CTX " ]"
.RB "[ " mark
.I MARK
.RB "[ " mask
.IR MASK " ] ]"
.RB "[ " ptype
.IR PTYPE " ]"

.ti -8
.BR "ip xfrm policy" " { " deleteall " | " list " }"
.RI "[ " SELECTOR " ]"
.RB "[ " dir
.IR DIR " ]"
.RB "[ " index
.IR INDEX " ]"
.RB "[ " ptype
.IR PTYPE " ]"
.RB "[ " action
.IR ACTION " ]"
.RB "[ " priority
.IR PRIORITY " ]"

.ti -8
.B "ip xfrm policy flush"
.RB "[ " ptype
.IR PTYPE " ]"

.ti -8
.B "ip xfrm policy count"

.ti -8
.IR SELECTOR " :="
.RB "[ " src
.IR ADDR "[/" PLEN "] ]"
.RB "[ " dst
.IR ADDR "[/" PLEN "] ]"
.RB "[ " dev
.IR DEV " ]"
.RI "[ " UPSPEC " ]"

.ti -8
.IR UPSPEC " := "
.BR proto " {"
.IR PROTO " |"
.br
.RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
.IR PORT " ]"
.RB "[ " dport
.IR PORT " ] |"
.br
.RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
.IR NUMBER " ]"
.RB "[ " code
.IR NUMBER " ] |"
.br
.BR gre " [ " key
.RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"

.ti -8
.IR DIR " := "
.BR in " | " out " | " fwd

.ti -8
.IR PTYPE " := "
.BR main " | " sub

.ti -8
.IR ACTION " := "
.BR allow " | " block

.ti -8
.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG

.ti -8
.IR FLAG " :="
.BR localok " | " icmp

.ti -8
.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
.B limit
.I LIMIT

.ti -8
.IR LIMIT " :="
.RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
.IR "SECONDS" " |"
.br
.RB "{ " byte-soft " | " byte-hard " }"
.IR SIZE " |"
.br
.RB "{ " packet-soft " | " packet-hard " }"
.I COUNT

.ti -8
.IR TMPL-LIST " := [ " TMPL-LIST " ]"
.B tmpl
.I TMPL

.ti -8
.IR TMPL " := " ID
.RB "[ " mode
.IR MODE " ]"
.RB "[ " reqid
.IR REQID " ]"
.RB "[ " level
.IR LEVEL " ]"

.ti -8
.IR ID " :="
.RB "[ " src
.IR ADDR " ]"
.RB "[ " dst
.IR ADDR " ]"
.RB "[ " proto
.IR XFRM-PROTO " ]"
.RB "[ " spi
.IR SPI " ]"

.ti -8
.IR XFRM-PROTO " :="
.BR esp " | " ah " | " comp " | " route2 " | " hao

.ti -8
.IR MODE " := "
.BR transport " | " tunnel " | " ro " | " in_trigger " | " beet

.ti -8
.IR LEVEL " :="
.BR required " | " use

.ti -8
.BR "ip xfrm monitor" " [ " all " |"
.IR LISTofXFRM-OBJECTS " ]"

.in -8
.ad b

.SH OPTIONS

.TP
.BR "\-V" , " -Version"
print the version of the
.B ip
utility and exit.

.TP
.BR "\-s" , " \-stats", " \-statistics"
output more information.  If the option
appears twice or more, the amount of information increases.
As a rule, the information is statistics or some time values.

.TP
.BR "\-l" , " \-loops"
Specify maximum number of loops the 'ip addr flush' logic
will attempt before giving up.  The default is 10.
Zero (0) means loop until all addresses are removed.

.TP
.BR "\-f" , " \-family"
followed by protocol family identifier:
.BR "inet" , " inet6"
or
.B link
,enforce the protocol family to use.  If the option is not present,
the protocol family is guessed from other arguments.  If the rest
of the command line does not give enough information to guess the
family,
.B ip
falls back to the default one, usually
.B inet
or
.BR "any" .
.B link
is a special family identifier meaning that no networking protocol
is involved.

.TP
.B \-4
shortcut for
.BR "-family inet" .

.TP
.B \-6
shortcut for
.BR "\-family inet6" .

.TP
.B \-0
shortcut for
.BR "\-family link" .

.TP
.BR "\-o" , " \-oneline"
output each record on a single line, replacing line feeds
with the
.B '\e\'
character. This is convenient when you want to count records
with
.BR wc (1)
 or to
.BR grep (1)
the output.

.TP
.BR "\-r" , " \-resolve"
use the system's name resolver to print DNS names instead of
host addresses.

.SH IP - COMMAND SYNTAX

.SS
.I OBJECT

.TP
.B link
- network device.

.TP
.B address
- protocol (IP or IPv6) address on a device.

.TP
.B addrlabel
- label configuration for protocol address selection.

.TP
.B neighbour
- ARP or NDISC cache entry.

.TP
.B route
- routing table entry.

.TP
.B rule
- rule in routing policy database.

.TP
.B maddress
- multicast address.

.TP
.B mroute
- multicast routing cache entry.

.TP
.B tunnel
- tunnel over IP.

.PP
The names of all objects may be written in full or
abbreviated form, f.e.
.B address
is abbreviated as
.B addr
or just
.B a.

.SS
.I COMMAND

Specifies the action to perform on the object.
The set of possible actions depends on the object type.
As a rule, it is possible to
.BR "add" , " delete"
and
.B show
(or
.B list
) objects, but some objects do not allow all of these operations
or have some additional commands.  The
.B help
command is available for all objects.  It prints
out a list of available commands and argument syntax conventions.
.sp
If no command is given, some default command is assumed.
Usually it is
.B list
or, if the objects of this class cannot be listed,
.BR "help" .

.SH ip link - network device configuration

.B link
is a network device and the corresponding commands
display and change the state of devices.

.SS ip link add - add virtual link

.TP
.BI link " DEVICE "
specifies the physical device to act operate on.

.I NAME
specifies the name of the new virtual device.

.I TYPE
specifies the type of the new device.
.sp
Link types:

.in +8
.B vlan
- 802.1q tagged virrtual LAN interface
.sp
.B macvlan
- virtual interface base on link layer address (MAC)
.sp
.B can
- Controller Area Network interface
.in -8

.SS ip link delete - delete virtual link
.I DEVICE
specifies the virtual  device to act operate on.
.I TYPE
specifies the type of the device.


.TP
.BI dev " DEVICE "
specifies the physical device to act operate on.

.SS ip link set - change device attributes

.TP
.BI dev " DEVICE "
.I DEVICE
specifies network device to operate on. When configuring SR-IOV Virtual Fuction
(VF) devices, this keyword should specify the associated Physical Function (PF)
device.

.TP
.BI group " GROUP "
.I GROUP
has a dual role: If both group and dev are present, then move the device to the
specified group.  If only a group is specified, then the command operates on
all devices in that group.

.TP
.BR up " and " down
change the state of the device to
.B UP
or
.BR "DOWN" .

.TP
.BR "arp on " or " arp off"
change the
.B NOARP
flag on the device.

.TP
.BR "multicast on " or " multicast off"
change the
.B MULTICAST
flag on the device.

.TP
.BR "dynamic on " or " dynamic off"
change the
.B DYNAMIC
flag on the device.

.TP
.BI name " NAME"
change the name of the device.  This operation is not
recommended if the device is running or has some addresses
already configured.

.TP
.BI txqueuelen " NUMBER"
.TP
.BI txqlen " NUMBER"
change the transmit queue length of the device.

.TP
.BI mtu " NUMBER"
change the
.I MTU
of the device.

.TP
.BI address " LLADDRESS"
change the station address of the interface.

.TP
.BI broadcast " LLADDRESS"
.TP
.BI brd " LLADDRESS"
.TP
.BI peer " LLADDRESS"
change the link layer broadcast address or the peer address when
the interface is
.IR "POINTOPOINT" .

.TP
.BI netns " PID"
move the device to the network namespace associated with the process
.IR "PID".

.TP
.BI alias " NAME"
give the device a symbolic name for easy reference.

.TP
.BI group " GROUP"
specify the group the device belongs to.
The available groups are listed in file
.BR "/etc/iproute2/group" .

.TP
.BI vf " NUM"
specify a Virtual Function device to be configured. The associated PF device
must be specified using the
.B dev
parameter.

.in +8
.BI mac " LLADDRESS"
- change the station address for the specified VF. The
.B vf
parameter must be specified.

.sp
.BI vlan " VLANID"
- change the assigned VLAN for the specified VF. When specified, all traffic
sent from the VF will be tagged with the specified VLAN ID. Incoming traffic
will be filtered for the specified VLAN ID, and will have all VLAN tags
stripped before being passed to the VF. Setting this parameter to 0 disables
VLAN tagging and filtering. The
.B vf
parameter must be specified.

.sp
.BI qos " VLAN-QOS"
- assign VLAN QOS (priority) bits for the VLAN tag. When specified, all VLAN
tags transmitted by the VF will include the specified priority bits in the
VLAN tag. If not specified, the value is assumed to be 0. Both the
.B vf
and
.B vlan
parameters must be specified. Setting both
.B vlan
and
.B qos
as 0 disables VLAN tagging and filtering for the VF.

.sp
.BI rate " TXRATE"
- change the allowed transmit bandwidth, in Mbps, for the specified VF.
Setting this parameter to 0 disables rate limiting. The
.B vf
parameter must be specified.
.in -8

.TP
.BI master " DEVICE"
set master device of the device (enslave device).

.TP
.BI nomaster
unset master device of the device (release device).

.PP
.B Warning:
If multiple parameter changes are requested,
.B ip
aborts immediately after any of the changes have failed.
This is the only case when
.B ip
can move the system to an unpredictable state.  The solution
is to avoid changing several parameters with one
.B ip link set
call.

.SS  ip link show - display device attributes

.TP
.BI dev " NAME " (default)
.I NAME
specifies the network device to show.
If this argument is omitted all devices in the default group are listed.

.TP
.BI group " GROUP "
.I GROUP
specifies what group of devices to show.

.TP
.B up
only display running interfaces.

.SH ip address - protocol address management.

The
.B address
is a protocol (IP or IPv6) address attached
to a network device.  Each device must have at least one address
to use the corresponding protocol.  It is possible to have several
different addresses attached to one device.  These addresses are not
discriminated, so that the term
.B alias
is not quite appropriate for them and we do not use it in this document.
.sp
The
.B ip addr
command displays addresses and their properties, adds new addresses
and deletes old ones.

.SS ip address add - add new protocol address.

.TP
.BI dev " NAME"
the name of the device to add the address to.

.TP
.BI local " ADDRESS " (default)
the address of the interface. The format of the address depends
on the protocol. It is a dotted quad for IP and a sequence of
hexadecimal halfwords separated by colons for IPv6.  The
.I ADDRESS
may be followed by a slash and a decimal number which encodes
the network prefix length.

.TP
.BI peer " ADDRESS"
the address of the remote endpoint for pointopoint interfaces.
Again, the
.I ADDRESS
may be followed by a slash and a decimal number, encoding the network
prefix length.  If a peer address is specified, the local address
cannot have a prefix length.  The network prefix is associated
with the peer rather than with the local address.

.TP
.BI broadcast " ADDRESS"
the broadcast address on the interface.
.sp
It is possible to use the special symbols
.B '+'
and
.B '-'
instead of the broadcast address.  In this case, the broadcast address
is derived by setting/resetting the host bits of the interface prefix.

.TP
.BI label " NAME"
Each address may be tagged with a label string.
In order to preserve compatibility with Linux-2.0 net aliases,
this string must coincide with the name of the device or must be prefixed
with the device name followed by colon.

.TP
.BI scope " SCOPE_VALUE"
the scope of the area where this address is valid.
The available scopes are listed in file
.BR "/etc/iproute2/rt_scopes" .
Predefined scope values are:

.in +8
.B global
- the address is globally valid.
.sp
.B site
- (IPv6 only) the address is site local, i.e. it is
valid inside this site.
.sp
.B link
- the address is link local, i.e. it is valid only on this device.
.sp
.B host
- the address is valid only inside this host.
.in -8

.SS ip address delete - delete protocol address
.B Arguments:
coincide with the arguments of
.B ip addr add.
The device name is a required argument.  The rest are optional.
If no arguments are given, the first address is deleted.

.SS ip address show - look at protocol addresses

.TP
.BI dev " NAME " (default)
name of device.

.TP
.BI scope " SCOPE_VAL"
only list addresses with this scope.

.TP
.BI to " PREFIX"
only list addresses matching this prefix.

.TP
.BI label " PATTERN"
only list addresses with labels matching the
.IR "PATTERN" .
.I PATTERN
is a usual shell style pattern.

.TP
.BR dynamic " and " permanent
(IPv6 only) only list addresses installed due to stateless
address configuration or only list permanent (not dynamic)
addresses.

.TP
.B tentative
(IPv6 only) only list addresses which have not yet passed duplicate
address detection.

.TP
.B deprecated
(IPv6 only) only list deprecated addresses.

.TP
.B dadfailed
(IPv6 only) only list addresses which have failed duplicate
address detection.

.TP
.B temporary
(IPv6 only) only list temporary addresses.

.TP
.BR primary " and " secondary
only list primary (or secondary) addresses.

.SS ip address flush - flush protocol addresses
This command flushes the protocol addresses selected by some criteria.

.PP
This command has the same arguments as
.B show.
The difference is that it does not run when no arguments are given.

.PP
.B Warning:
This command (and other
.B flush
commands described below) is pretty dangerous.  If you make a mistake,
it will not forgive it, but will cruelly purge all the addresses.

.PP
With the
.B -statistics
option, the command becomes verbose. It prints out the number of deleted
addresses and the number of rounds made to flush the address list.  If
this option is given twice,
.B ip addr flush
also dumps all the deleted addresses in the format described in the
previous subsection.

.SH ip addrlabel - protocol address label management.

IPv6 address label is used for address selection
described in RFC 3484.  Precedence is managed by userspace,
and only label is stored in kernel.

.SS ip addrlabel add - add an address label
the command adds an address label entry to the kernel.
.TP
.BI prefix " PREFIX"
.TP
.BI dev " DEV"
the outgoing interface.
.TP
.BI label " NUMBER"
the label for the prefix.
0xffffffff is reserved.
.SS ip addrlabel del - delete an address label
the command deletes an address label entry in the kernel.
.B Arguments:
coincide with the arguments of
.B ip addrlabel add
but label is not required.
.SS ip addrlabel list - list address labels
the command show contents of address labels.
.SS ip addrlabel flush - flush address labels
the command flushes the contents of address labels and it does not restore default settings.
.SH ip neighbour - neighbour/arp tables management.

.B neighbour
objects establish bindings between protocol addresses and
link layer addresses for hosts sharing the same link.
Neighbour entries are organized into tables. The IPv4 neighbour table
is known by another name - the ARP table.

.P
The corresponding commands display neighbour bindings
and their properties, add new neighbour entries and delete old ones.

.SS ip neighbour add - add a new neighbour entry
.SS ip neighbour change - change an existing entry
.SS ip neighbour replace - add a new entry or change an existing one

These commands create new neighbour records or update existing ones.

.TP
.BI to " ADDRESS " (default)
the protocol address of the neighbour. It is either an IPv4 or IPv6 address.

.TP
.BI dev " NAME"
the interface to which this neighbour is attached.

.TP
.BI lladdr " LLADDRESS"
the link layer address of the neighbour.
.I LLADDRESS
can also be
.BR "null" .

.TP
.BI nud " NUD_STATE"
the state of the neighbour entry.
.B nud
is an abbreviation for 'Neighbour Unreachability Detection'.
The state can take one of the following values:

.in +8
.B permanent
- the neighbour entry is valid forever and can be only
be removed administratively.
.sp

.B noarp
- the neighbour entry is valid. No attempts to validate
this entry will be made but it can be removed when its lifetime expires.
.sp

.B reachable
- the neighbour entry is valid until the reachability
timeout expires.
.sp

.B stale
- the neighbour entry is valid but suspicious.
This option to
.B ip neigh
does not change the neighbour state if it was valid and the address
is not changed by this command.
.in -8

.SS ip neighbour delete - delete a neighbour entry
This command invalidates a neighbour entry.

.PP
The arguments are the same as with
.BR "ip neigh add" ,
except that
.B lladdr
and
.B nud
are ignored.

.PP
.B Warning:
Attempts to delete or manually change a
.B noarp
entry created by the kernel may result in unpredictable behaviour.
Particularly, the kernel may try to resolve this address even
on a
.B NOARP
interface or if the address is multicast or broadcast.

.SS ip neighbour show - list neighbour entries

This commands displays neighbour tables.

.TP
.BI to " ADDRESS " (default)
the prefix selecting the neighbours to list.

.TP
.BI dev " NAME"
only list the neighbours attached to this device.

.TP
.B unused
only list neighbours which are not currently in use.

.TP
.BI nud " NUD_STATE"
only list neighbour entries in this state.
.I NUD_STATE
takes values listed below or the special value
.B all
which means all states.  This option may occur more than once.
If this option is absent,
.B ip
lists all entries except for
.B none
and
.BR "noarp" .

.SS ip neighbour flush - flush neighbour entries
This command flushes neighbour tables, selecting
entries to flush by some criteria.

.PP
This command has the same arguments as
.B show.
The differences are that it does not run when no arguments are given,
and that the default neighbour states to be flushed do not include
.B permanent
and
.BR "noarp" .

.PP
With the
.B -statistics
option, the command becomes verbose.  It prints out the number of
deleted neighbours and the number of rounds made to flush the
neighbour table.  If the option is given
twice,
.B ip neigh flush
also dumps all the deleted neighbours.

.SH ip route - routing table management
Manipulate route entries in the kernel routing tables keep
information about paths to other networked nodes.
.sp
.B Route types:

.in +8
.B unicast
- the route entry describes real paths to the destinations covered
by the route prefix.

.sp
.B unreachable
- these destinations are unreachable.  Packets are discarded and the
ICMP message
.I host unreachable
is generated.
The local senders get an
.I EHOSTUNREACH
error.

.sp
.B blackhole
- these destinations are unreachable.  Packets are discarded silently.
The local senders get an
.I EINVAL
error.

.sp
.B prohibit
- these destinations are unreachable.  Packets are discarded and the
ICMP message
.I communication administratively prohibited
is generated.  The local senders get an
.I EACCES
error.

.sp
.B local
- the destinations are assigned to this host.  The packets are looped
back and delivered locally.

.sp
.B broadcast
- the destinations are broadcast addresses.  The packets are sent as
link broadcasts.

.sp
.B throw
- a special control route used together with policy rules. If such a
route is selected, lookup in this table is terminated pretending that
no route was found.  Without policy routing it is equivalent to the
absence of the route in the routing table.  The packets are dropped
and the ICMP message
.I net unreachable
is generated.  The local senders get an
.I ENETUNREACH
error.

.sp
.B nat
- a special NAT route.  Destinations covered by the prefix
are considered to be dummy (or external) addresses which require translation
to real (or internal) ones before forwarding.  The addresses to translate to
are selected with the attribute
.B Warning:
Route NAT is no longer supported in Linux 2.6.


.BR "via" .
.sp
.B anycast
.RI "- " "not implemented"
the destinations are
.I anycast
addresses assigned to this host.  They are mainly equivalent
to
.B local
with one difference: such addresses are invalid when used
as the source address of any packet.

.sp
.B multicast
- a special type used for multicast routing.  It is not present in
normal routing tables.
.in -8

.P
.B Route tables:
Linux-2.x can pack routes into several routing tables identified 
by a number in the range from 1 to 2^31 or by name from the file
.B /etc/iproute2/rt_tables
By default all normal routes are inserted into the
.B main
table (ID 254) and the kernel only uses this table when calculating routes.
Values (0, 253, 254, and 255) are reserved for built-in use.

.sp
Actually, one other table always exists, which is invisible but
even more important.  It is the
.B local
table (ID 255).  This table
consists of routes for local and broadcast addresses.  The kernel maintains
this table automatically and the administrator usually need not modify it
or even look at it.

The multiple routing tables enter the game when
.I policy routing
is used.

.SS ip route add - add new route
.SS ip route change - change route
.SS ip route replace - change or add new one

.TP
.BI to " TYPE PREFIX " (default)
the destination prefix of the route.  If
.I TYPE
is omitted,
.B ip
assumes type
.BR "unicast" .
Other values of
.I TYPE
are listed above.
.I PREFIX
is an IP or IPv6 address optionally followed by a slash and the
prefix length.  If the length of the prefix is missing,
.B ip
assumes a full-length host route.  There is also a special
.I PREFIX
.B default
- which is equivalent to IP
.B 0/0
or to IPv6
.BR "::/0" .

.TP
.BI tos " TOS"
.TP
.BI dsfield " TOS"
the Type Of Service (TOS) key.  This key has no associated mask and
the longest match is understood as: First, compare the TOS
of the route and of the packet.  If they are not equal, then the packet
may still match a route with a zero TOS.
.I TOS
is either an 8 bit hexadecimal number or an identifier
from
.BR "/etc/iproute2/rt_dsfield" .

.TP
.BI metric " NUMBER"
.TP
.BI preference " NUMBER"
the preference value of the route.
.I NUMBER
is an arbitrary 32bit number.

.TP
.BI table " TABLEID"
the table to add this route to.
.I TABLEID
may be a number or a string from the file
.BR "/etc/iproute2/rt_tables" .
If this parameter is omitted,
.B ip
assumes the
.B main
table, with the exception of
.BR local " , " broadcast " and " nat
routes, which are put into the
.B local
table by default.

.TP
.BI dev " NAME"
the output device name.

.TP
.BI via " ADDRESS"
the address of the nexthop router.  Actually, the sense of this field
depends on the route type.  For normal
.B unicast
routes it is either the true next hop router or, if it is a direct
route installed in BSD compatibility mode, it can be a local address
of the interface.  For NAT routes it is the first address of the block
of translated IP destinations.

.TP
.BI src " ADDRESS"
the source address to prefer when sending to the destinations
covered by the route prefix.

.TP
.BI realm " REALMID"
the realm to which this route is assigned.
.I REALMID
may be a number or a string from the file
.BR "/etc/iproute2/rt_realms" .

.TP
.BI mtu " MTU"
.TP
.BI "mtu lock" " MTU"
the MTU along the path to the destination.  If the modifier
.B lock
is not used, the MTU may be updated by the kernel due to
Path MTU Discovery.  If the modifier
.B lock
is used, no path MTU discovery will be tried, all packets
will be sent without the DF bit in IPv4 case or fragmented
to MTU for IPv6.

.TP
.BI window " NUMBER"
the maximal window for TCP to advertise to these destinations,
measured in bytes.  It limits maximal data bursts that our TCP
peers are allowed to send to us.

.TP
.BI rtt " TIME"
the initial RTT ('Round Trip Time') estimate. If no suffix is
specified the units are raw values passed directly to the
routing code to maintain compatibility with previous releases.
Otherwise if a suffix of s, sec or secs is used to specify
seconds and ms, msec or msecs to specify milliseconds.


.TP
.BI rttvar " TIME " "(2.3.15+ only)"
the initial RTT variance estimate. Values are specified as with
.BI rtt
above.

.TP
.BI rto_min " TIME " "(2.6.23+ only)"
the minimum TCP Retransmission TimeOut to use when communicating with this
destination.  Values are specified as with
.BI rtt
above.

.TP
.BI ssthresh " NUMBER " "(2.3.15+ only)"
an estimate for the initial slow start threshold.

.TP
.BI cwnd " NUMBER " "(2.3.15+ only)"
the clamp for congestion window.  It is ignored if the
.B lock
flag is not used.

.TP
.BI initcwnd " NUMBER " "(2.5.70+ only)"
the initial congestion window size for connections to this destination.
Actual window size is this value multiplied by the MSS
(``Maximal Segment Size'') for same connection. The default is
zero, meaning to use the values specified in RFC2414.

.TP
.BI initrwnd " NUMBER " "(2.6.33+ only)"
the initial receive window size for connections to this destination.
Actual window size is this value multiplied by the MSS of the connection.
The default value is zero, meaning to use Slow Start value.

.TP
.BI advmss " NUMBER " "(2.3.15+ only)"
the MSS ('Maximal Segment Size') to advertise to these
destinations when establishing TCP connections.  If it is not given,
Linux uses a default value calculated from the first hop device MTU.
(If the path to these destination is asymmetric, this guess may be wrong.)

.TP
.BI reordering " NUMBER " "(2.3.15+ only)"
Maximal reordering on the path to this destination.
If it is not given, Linux uses the value selected with
.B sysctl
variable
.BR "net/ipv4/tcp_reordering" .

.TP
.BI nexthop " NEXTHOP"
the nexthop of a multipath route.
.I NEXTHOP
is a complex value with its own syntax similar to the top level
argument lists:

.in +8
.BI via " ADDRESS"
- is the nexthop router.
.sp

.BI dev " NAME"
- is the output device.
.sp

.BI weight " NUMBER"
- is a weight for this element of a multipath
route reflecting its relative bandwidth or quality.
.in -8

.TP
.BI scope " SCOPE_VAL"
the scope of the destinations covered by the route prefix.
.I SCOPE_VAL
may be a number or a string from the file
.BR "/etc/iproute2/rt_scopes" .
If this parameter is omitted,
.B ip
assumes scope
.B global
for all gatewayed
.B unicast
routes, scope
.B link
for direct
.BR unicast " and " broadcast
routes and scope
.BR host " for " local
routes.

.TP
.BI protocol " RTPROTO"
the routing protocol identifier of this route.
.I RTPROTO
may be a number or a string from the file
.BR "/etc/iproute2/rt_protos" .
If the routing protocol ID is not given,
.B ip assumes protocol
.B boot
(i.e. it assumes the route was added by someone who doesn't
understand what they are doing).  Several protocol values have
a fixed interpretation.
Namely:

.in +8
.B redirect
- the route was installed due to an ICMP redirect.
.sp

.B kernel
- the route was installed by the kernel during autoconfiguration.
.sp

.B boot
- the route was installed during the bootup sequence.
If a routing daemon starts, it will purge all of them.
.sp

.B static
- the route was installed by the administrator
to override dynamic routing. Routing daemon will respect them
and, probably, even advertise them to its peers.
.sp

.B ra
- the route was installed by Router Discovery protocol.
.in -8

.sp
The rest of the values are not reserved and the administrator is free
to assign (or not to assign) protocol tags.

.TP
.B onlink
pretend that the nexthop is directly attached to this link,
even if it does not match any interface prefix.

.SS ip route delete - delete route

.B ip route del
has the same arguments as
.BR "ip route add" ,
but their semantics are a bit different.

Key values
.RB "(" to ", " tos ", " preference " and " table ")"
select the route to delete.  If optional attributes are present,
.B ip
verifies that they coincide with the attributes of the route to delete.
If no route with the given key and attributes was found,
.B ip route del
fails.

.SS ip route show - list routes
the command displays the contents of the routing tables or the route(s)
selected by some criteria.

.TP
.BI to " SELECTOR " (default)
only select routes from the given range of destinations.
.I SELECTOR
consists of an optional modifier
.RB "(" root ", " match " or " exact ")"
and a prefix.
.BI root " PREFIX"
selects routes with prefixes not shorter than
.IR PREFIX "."
F.e.
.BI root " 0/0"
selects the entire routing table.
.BI match " PREFIX"
selects routes with prefixes not longer than
.IR PREFIX "."
F.e.
.BI match " 10.0/16"
selects
.IR 10.0/16 ","
.IR 10/8 " and " 0/0 ,
but it does not select
.IR 10.1/16 " and " 10.0.0/24 .
And
.BI exact " PREFIX"
(or just
.IR PREFIX ")"
selects routes with this exact prefix. If neither of these options
are present,
.B ip
assumes
.BI root " 0/0"
i.e. it lists the entire table.

.TP
.BI tos " TOS"
.BI dsfield " TOS"
only select routes with the given TOS.

.TP
.BI table " TABLEID"
show the routes from this table(s).  The default setting is to show
.BR table main "."
.I TABLEID
may either be the ID of a real table or one of the special values:
.sp
.in +8
.B all
- list all of the tables.
.sp
.B cache
- dump the routing cache.
.in -8

.TP
.B cloned
.TP
.B cached
list cloned routes i.e. routes which were dynamically forked from
other routes because some route attribute (f.e. MTU) was updated.
Actually, it is equivalent to
.BR "table cache" "."

.TP
.BI from " SELECTOR"
the same syntax as for
.BR to ","
but it binds the source address range rather than destinations.
Note that the
.B from
option only works with cloned routes.

.TP
.BI protocol " RTPROTO"
only list routes of this protocol.

.TP
.BI scope " SCOPE_VAL"
only list routes with this scope.

.TP
.BI type " TYPE"
only list routes of this type.

.TP
.BI dev " NAME"
only list routes going via this device.

.TP
.BI via " PREFIX"
only list routes going via the nexthop routers selected by
.IR PREFIX "."

.TP
.BI src " PREFIX"
only list routes with preferred source addresses selected
by
.IR PREFIX "."

.TP
.BI realm " REALMID"
.TP
.BI realms " FROMREALM/TOREALM"
only list routes with these realms.

.SS ip route flush - flush routing tables
this command flushes routes selected by some criteria.

.sp
The arguments have the same syntax and semantics as the arguments of
.BR "ip route show" ,
but routing tables are not listed but purged.  The only difference is
the default action:
.B show
dumps all the IP main routing table but
.B flush
prints the helper page.

.sp
With the
.B -statistics
option, the command becomes verbose. It prints out the number of
deleted routes and the number of rounds made to flush the routing
table. If the option is given
twice,
.B ip route flush
also dumps all the deleted routes in the format described in the
previous subsection.

.SS ip route get - get a single route
this command gets a single route to a destination and prints its
contents exactly as the kernel sees it.

.TP
.BI to " ADDRESS " (default)
the destination address.

.TP
.BI from " ADDRESS"
the source address.

.TP
.BI tos " TOS"
.TP
.BI dsfield " TOS"
the Type Of Service.

.TP
.BI iif " NAME"
the device from which this packet is expected to arrive.

.TP
.BI oif " NAME"
force the output device on which this packet will be routed.

.TP
.B connected
if no source address
.RB "(option " from ")"
was given, relookup the route with the source set to the preferred
address received from the first lookup.
If policy routing is used, it may be a different route.

.P
Note that this operation is not equivalent to
.BR "ip route show" .
.B show
shows existing routes.
.B get
resolves them and creates new clones if necessary.  Essentially,
.B get
is equivalent to sending a packet along this path.
If the
.B iif
argument is not given, the kernel creates a route
to output packets towards the requested destination.
This is equivalent to pinging the destination
with a subsequent
.BR "ip route ls cache" ,
however, no packets are actually sent.  With the
.B iif
argument, the kernel pretends that a packet arrived from this interface
and searches for a path to forward the packet.

.SS ip route save - save routing table information to stdout
this command behaves like
.BR "ip route show"
except that the output is raw data suitable for passing to
.BR "ip route restore" .

.SS ip route restore - restore routing table information from stdin
this command expects to read a data stream as returned from
.BR "ip route save" .
It will attempt to restore the routing table information exactly as
it was at the time of the save, so any translation of information
in the stream (such as device indexes) must be done first.  Any existing
routes are left unchanged.  Any routes specified in the data stream that
already exist in the table will be ignored.

.SH ip rule - routing policy database management

.BR "Rule" s
in the routing policy database control the route selection algorithm.

.P
Classic routing algorithms used in the Internet make routing decisions
based only on the destination address of packets (and in theory,
but not in practice, on the TOS field).

.P
In some circumstances we want to route packets differently depending not only
on destination addresses, but also on other packet fields: source address,
IP protocol, transport protocol ports or even packet payload.
This task is called 'policy routing'.

.P
To solve this task, the conventional destination based routing table, ordered
according to the longest match rule, is replaced with a 'routing policy
database' (or RPDB), which selects routes by executing some set of rules.

.P
Each policy routing rule consists of a
.B selector
and an
.B action predicate.
The RPDB is scanned in the order of increasing priority. The selector
of each rule is applied to {source address, destination address, incoming
interface, tos, fwmark} and, if the selector matches the packet,
the action is performed.  The action predicate may return with success.
In this case, it will either give a route or failure indication
and the RPDB lookup is terminated. Otherwise, the RPDB program
continues on the next rule.

.P
Semantically, natural action is to select the nexthop and the output device.

.P
At startup time the kernel configures the default RPDB consisting of three
rules:

.TP
1.
Priority: 0, Selector: match anything, Action: lookup routing
table
.B local
(ID 255).
The
.B local
table is a special routing table containing
high priority control routes for local and broadcast addresses.
.sp
Rule 0 is special. It cannot be deleted or overridden.

.TP
2.
Priority: 32766, Selector: match anything, Action: lookup routing
table
.B main
(ID 254).
The
.B main
table is the normal routing table containing all non-policy
routes. This rule may be deleted and/or overridden with other
ones by the administrator.

.TP
3.
Priority: 32767, Selector: match anything, Action: lookup routing
table
.B default
(ID 253).
The
.B default
table is empty.  It is reserved for some post-processing if no previous
default rules selected the packet.
This rule may also be deleted.

.P
Each RPDB entry has additional
attributes.  F.e. each rule has a pointer to some routing
table.  NAT and masquerading rules have an attribute to select new IP
address to translate/masquerade.  Besides that, rules have some
optional attributes, which routes have, namely
.BR "realms" .
These values do not override those contained in the routing tables.  They
are only used if the route did not select any attributes.

.sp
The RPDB may contain rules of the following types:

.in +8
.B unicast
- the rule prescribes to return the route found
in the routing table referenced by the rule.

.B blackhole
- the rule prescribes to silently drop the packet.

.B unreachable
- the rule prescribes to generate a 'Network is unreachable' error.

.B prohibit
- the rule prescribes to generate 'Communication is administratively
prohibited' error.

.B nat
- the rule prescribes to translate the source address
of the IP packet into some other value.
.in -8

.SS ip rule add - insert a new rule
.SS ip rule delete - delete a rule

.TP
.BI type " TYPE " (default)
the type of this rule.  The list of valid types was given in the previous
subsection.

.TP
.BI from " PREFIX"
select the source prefix to match.

.TP
.BI to " PREFIX"
select the destination prefix to match.

.TP
.BI iif " NAME"
select the incoming device to match.  If the interface is loopback,
the rule only matches packets originating from this host.  This means
that you may create separate routing tables for forwarded and local
packets and, hence, completely segregate them.

.TP
.BI oif " NAME"
select the outgoing device to match.  The outgoing interface is only
available for packets originating from local sockets that are bound to
a device.

.TP
.BI tos " TOS"
.TP
.BI dsfield " TOS"
select the TOS value to match.

.TP
.BI fwmark " MARK"
select the
.B fwmark
value to match.

.TP
.BI priority " PREFERENCE"
the priority of this rule.  Each rule should have an explicitly
set
.I unique
priority value.
The options preference and order are synonyms with priority.

.TP
.BI table " TABLEID"
the routing table identifier to lookup if the rule selector matches.
It is also possible to use lookup instead of table.

.TP
.BI realms " FROM/TO"
Realms to select if the rule matched and the routing table lookup
succeeded.  Realm
.I TO
is only used if the route did not select any realm.

.TP
.BI nat " ADDRESS"
The base of the IP address block to translate (for source addresses).
The
.I ADDRESS
may be either the start of the block of NAT addresses (selected by NAT
routes) or a local host address (or even zero).
In the last case the router does not translate the packets, but
masquerades them to this address.
Using map-to instead of nat means the same thing.

.B Warning:
Changes to the RPDB made with these commands do not become active
immediately.  It is assumed that after a script finishes a batch of
updates, it flushes the routing cache with
.BR "ip route flush cache" .

.SS ip rule flush - also dumps all the deleted rules.
This command has no arguments.

.SS ip rule show - list rules
This command has no arguments.
The options list or lst are synonyms with show.

.SH ip maddress - multicast addresses management

.B maddress
objects are multicast addresses.

.SS ip maddress show - list multicast addresses

.TP
.BI dev " NAME " (default)
the device name.

.SS ip maddress add - add a multicast address
.SS ip maddress delete - delete a multicast address
these commands attach/detach a static link layer multicast address
to listen on the interface.
Note that it is impossible to join protocol multicast groups
statically.  This command only manages link layer addresses.

.TP
.BI address " LLADDRESS " (default)
the link layer multicast address.

.TP
.BI dev " NAME"
the device to join/leave this multicast address.

.SH ip mroute - multicast routing cache management
.B mroute
objects are multicast routing cache entries created by a user level
mrouting daemon (f.e.
.B pimd
or
.B mrouted
).

Due to the limitations of the current interface to the multicast routing
engine, it is impossible to change
.B mroute
objects administratively, so we may only display them.  This limitation
will be removed in the future.

.SS ip mroute show - list mroute cache entries

.TP
.BI to " PREFIX " (default)
the prefix selecting the destination multicast addresses to list.

.TP
.BI iif " NAME"
the interface on which multicast packets are received.

.TP
.BI from " PREFIX"
the prefix selecting the IP source addresses of the multicast route.

.SH ip tunnel - tunnel configuration
.B tunnel
objects are tunnels, encapsulating packets in IP packets and then
sending them over the IP infrastructure.
The encapulating (or outer) address family is specified by the
.B -f
option.  The default is IPv4.

.SS ip tunnel add - add a new tunnel
.SS ip tunnel change - change an existing tunnel
.SS ip tunnel delete - destroy a tunnel

.TP
.BI name " NAME " (default)
select the tunnel device name.

.TP
.BI mode " MODE"
set the tunnel mode. Available modes depend on the encapsulating address family.
.br
Modes for IPv4 encapsulation available:
.BR ipip ", " sit ", " isatap " and " gre "."
.br
Modes for IPv6 encapsulation available:
.BR ip6ip6 ", " ipip6 " and " any "."

.TP
.BI remote " ADDRESS"
set the remote endpoint of the tunnel.

.TP
.BI local " ADDRESS"
set the fixed local address for tunneled packets.
It must be an address on another interface of this host.

.TP
.BI ttl " N"
set a fixed TTL
.I N
on tunneled packets.
.I N
is a number in the range 1--255. 0 is a special value
meaning that packets inherit the TTL value.
The default value for IPv4 tunnels is:
.BR "inherit" .
The default value for IPv6 tunnels is:
.BR "64" .


.TP
.BI tos " T"
.TP
.BI dsfield " T"
.TP
.BI tclass " T"
set a fixed TOS (or traffic class in IPv6)
.I T
on tunneled packets.
The default value is:
.BR "inherit" .

.TP
.BI dev " NAME"
bind the tunnel to the device
.I NAME
so that tunneled packets will only be routed via this device and will
not be able to escape to another device when the route to endpoint
changes.

.TP
.B nopmtudisc
disable Path MTU Discovery on this tunnel.
It is enabled by default.  Note that a fixed ttl is incompatible
with this option: tunnelling with a fixed ttl always makes pmtu
discovery.

.TP
.BI key " K"
.TP
.BI ikey " K"
.TP
.BI okey " K"
.RB ( " only GRE tunnels " )
use keyed GRE with key
.IR K ". " K
is either a number or an IP address-like dotted quad.
The
.B key
parameter sets the key to use in both directions.
The
.BR ikey " and " okey
parameters set different keys for input and output.

.TP
.BR csum ", " icsum ", " ocsum
.RB ( " only GRE tunnels " )
generate/require checksums for tunneled packets.
The
.B ocsum
flag calculates checksums for outgoing packets.
The
.B icsum
flag requires that all input packets have the correct
checksum.  The
.B csum
flag is equivalent to the combination
.BR "icsum ocsum" .

.TP
.BR seq ", " iseq ", " oseq
.RB ( " only GRE tunnels " )
serialize packets.
The
.B oseq
flag enables sequencing of outgoing packets.
The
.B iseq
flag requires that all input packets are serialized.
The
.B  seq
flag is equivalent to the combination
.BR "iseq oseq" .
.B It isn't work. Don't use it.

.TP
.BR "dscp inherit"
.RB ( " only IPv6 tunnels " )
Inherit DS field between inner and outer header.

.TP
.BI encaplim " ELIM"
.RB ( " only IPv6 tunnels " )
set a fixed encapsulation limit.  Default is 4.

.TP
.BI flowlabel " FLOWLABEL"
.RB ( " only IPv6 tunnels " )
set a fixed flowlabel.

.SS ip tunnel prl - potential router list (ISATAP only)

.TP
.BI dev " NAME"
mandatory device name.

.TP
.BI prl-default " ADDR"
.TP
.BI prl-nodefault " ADDR"
.TP
.BI prl-delete " ADDR"
.RB "Add or delete " ADDR
as a potential router or default router.

.SS ip tunnel show - list tunnels
This command has no arguments.

.SH ip monitor and rtmon - state monitoring

The
.B ip
utility can monitor the state of devices, addresses
and routes continuously.  This option has a slightly different format.
Namely, the
.B monitor
command is the first in the command line and then the object list follows:

.BR "ip monitor" " [ " all " |"
.IR LISTofOBJECTS " ]"

.I OBJECT-LIST
is the list of object types that we want to monitor.
It may contain
.BR link ", " address " and " route "."
If no
.B file
argument is given,
.B ip
opens RTNETLINK, listens on it and dumps state changes in the format
described in previous sections.

.P
If a file name is given, it does not listen on RTNETLINK,
but opens the file containing RTNETLINK messages saved in binary format
and dumps them.  Such a history file can be generated with the
.B rtmon
utility.  This utility has a command line syntax similar to
.BR "ip monitor" .
Ideally,
.B rtmon
should be started before the first network configuration command
is issued. F.e. if you insert:
.sp
.in +8
rtmon file /var/log/rtmon.log
.in -8
.sp
in a startup script, you will be able to view the full history
later.

.P
Certainly, it is possible to start
.B rtmon
at any time.
It prepends the history with the state snapshot dumped at the moment
of starting.

.SH ip xfrm - transform configuration
xfrm is an IP framework for transforming packets (such as encrypting
their payloads). This framework is used to implement the IPsec protocol
suite (with the
.B state
object operating on the Security Association Database, and the
.B policy
object operating on the Security Policy Database). It is also used for
the IP Payload Compression Protocol and features of Mobile IPv6.

.SS ip xfrm state add - add new state into xfrm

.SS ip xfrm state update - update existing state in xfrm

.SS ip xfrm state allocspi - allocate an SPI value

.SS ip xfrm state delete - delete existing state in xfrm

.SS ip xfrm state get - get existing state in xfrm

.SS ip xfrm state deleteall - delete all existing state in xfrm

.SS ip xfrm state list - print out the list of existing state in xfrm

.SS ip xfrm state flush - flush all state in xfrm

.SS ip xfrm state count - count all existing state in xfrm

.TP
.IR ID
is specified by a source address, destination address,
.RI "transform protocol " XFRM-PROTO ","
and/or Security Parameter Index
.IR SPI "."

.TP
.I XFRM-PROTO
specifies a transform protocol:
.RB "IPsec Encapsulating Security Payload (" esp "),"
.RB "IPsec Authentication Header (" ah "),"
.RB "IP Payload Compression (" comp "),"
.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
.RB "Mobile IPv6 Home Address Option (" hao ")."

.TP
.I ALGO-LIST
specifies one or more algorithms
.IR ALGO
to use. Algorithm types include
.RB "encryption (" enc "),"
.RB "authentication (" auth "),"
.RB "authentication with a specified truncation length (" auth-trunc "),"
.RB "authenticated encryption with associated data (" aead "), and"
.RB "compression (" comp ")."
For each algorithm used, the algorithm type, the algorithm name
.IR ALGO-NAME ","
and the key
.I ALGO-KEY
must be specified. For
.BR aead ","
the Integrity Check Value length
.I ALGO-ICV-LEN
must additionally be specified.
For
.BR auth-trunc ","
the signature truncation length
.I ALGO-TRUNC-LEN
must additionally be specified.

.TP
.I MODE
specifies a mode of operation:
.RB "IPsec transport mode (" transport "), "
.RB "IPsec tunnel mode (" tunnel "), "
.RB "Mobile IPv6 route optimization mode (" ro "), "
.RB "Mobile IPv6 inbound trigger mode (" in_trigger "), or "
.RB "IPsec ESP Bound End-to-End Tunnel Mode (" beet ")."

.TP
.I FLAG-LIST
contains one or more of the following optional flags:
.BR noecn ", " decap-dscp ", " nopmtudisc ", " wildrecv ", " icmp ", "
.BR af-unspec ", or " align4 "."

.TP
.IR SELECTOR
selects the traffic that will be controlled by the policy, based on the source
address, the destination address, the network device, and/or
.IR UPSPEC "."

.TP
.IR UPSPEC
selects traffic by protocol. For the
.BR tcp ", " udp ", " sctp ", or " dccp
protocols, the source and destination port can optionally be specified.
For the
.BR icmp ", " ipv6-icmp ", or " mobility-header
protocols, the type and code numbers can optionally be specified.
For the
.B gre
protocol, the key can optionally be specified as a dotted-quad or number.
Other protocols can be selected by name or number
.IR PROTO "."

.TP
.I LIMIT-LIST
sets limits in seconds, bytes, or numbers of packets.

.TP
.I ENCAP
encapsulates packets with protocol
.BR espinudp " or " espinudp-nonike ","
.RI "using source port " SPORT ", destination port "  DPORT
.RI ", and original address " OADDR "."

.SS ip xfrm policy add - add a new policy

.SS ip xfrm policy update - update an existing policy

.SS ip xfrm policy delete - delete an existing policy

.SS ip xfrm policy get - get an existing policy

.SS ip xfrm policy deleteall - delete all existing xfrm policies

.SS ip xfrm policy list - print out the list of xfrm policies

.SS ip xfrm policy flush - flush policies

.SS ip xfrm policy count - count existing policies

.TP
.IR SELECTOR
selects the traffic that will be controlled by the policy, based on the source
address, the destination address, the network device, and/or
.IR UPSPEC "."

.TP
.IR UPSPEC
selects traffic by protocol. For the
.BR tcp ", " udp ", " sctp ", or " dccp
protocols, the source and destination port can optionally be specified.
For the
.BR icmp ", " ipv6-icmp ", or " mobility-header
protocols, the type and code numbers can optionally be specified.
For the
.B gre
protocol, the key can optionally be specified as a dotted-quad or number.
Other protocols can be selected by name or number
.IR PROTO "."

.TP
.I DIR
selects the policy direction as
.BR in ", " out ", or " fwd "."

.TP
.I CTX
sets the security context.

.TP
.I PTYPE
can be
.BR main " (default) or " sub "."

.TP
.I ACTION
can be
.BR allow " (default) or " block "."

.TP
.I PRIORITY
is a number that defaults to zero.

.TP
.I FLAG-LIST
contains one or both of the following optional flags:
.BR local " or " icmp "."

.TP
.I LIMIT-LIST
sets limits in seconds, bytes, or numbers of packets.

.TP
.I TMPL-LIST
is a template list specified using
.IR ID ", " MODE ", " REQID ", and/or " LEVEL ". "

.TP
.IR ID
is specified by a source address, destination address,
.RI "transform protocol " XFRM-PROTO ","
and/or Security Parameter Index
.IR SPI "."

.TP
.I XFRM-PROTO
specifies a transform protocol:
.RB "IPsec Encapsulating Security Payload (" esp "),"
.RB "IPsec Authentication Header (" ah "),"
.RB "IP Payload Compression (" comp "),"
.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
.RB "Mobile IPv6 Home Address Option (" hao ")."

.TP
.I MODE
specifies a mode of operation:
.RB "IPsec transport mode (" transport "), "
.RB "IPsec tunnel mode (" tunnel "), "
.RB "Mobile IPv6 route optimization mode (" ro "), "
.RB "Mobile IPv6 inbound trigger mode (" in_trigger "), or "
.RB "IPsec ESP Bound End-to-End Tunnel Mode (" beet ")."

.TP
.I LEVEL
can be
.BR required " (default) or " use "."

.SS ip xfrm monitor - state monitoring for xfrm objects
The xfrm objects to monitor can be optionally specified.

.SH HISTORY
.B ip
was written by Alexey N. Kuznetsov and added in Linux 2.2.
.SH SEE ALSO
.BR tc (8)
.br
.RB "IP Command reference " ip-cref.ps
.br
.RB "IP tunnels " ip-cref.ps
.br
.RB "User documentation at " http://lartc.org/ ", but please direct bugreports and patches to: " <netdev@vger.kernel.org>

.SH AUTHOR
Original Manpage  by Michail Litvak <mci@owl.openwall.com>