1 .TH IP 8 "17 January 2002" "iproute2" "Linux"
3 ip \- show / manipulate routing, devices, policy routing and tunnels
10 .RI "[ " OPTIONS " ] " OBJECT " { " COMMAND " | "
16 .BR link " | " addr " | " addrlabel " | " route " | " rule " | " neigh " | "\
17 tunnel " | " maddr " | " mroute " | " monitor " }"
22 \fB\-V\fR[\fIersion\fR] |
23 \fB\-s\fR[\fItatistics\fR] |
24 \fB\-r\fR[\fIesolve\fR] |
25 \fB\-f\fR[\fIamily\fR] {
26 .BR inet " | " inet6 " | " ipx " | " dnet " | " link " } | "
27 \fB\-o\fR[\fIneline\fR] }
30 .BI "ip link add link " DEVICE
50 .BR vlan " | " maclan " | " can " ]"
53 .BI "ip link delete " DEVICE
61 .RB "} { " up " | " down " | " arp " { " on " | " off " } |"
63 .BR promisc " { " on " | " off " } |"
65 .BR allmulticast " { " on " | " off " } |"
67 .BR dynamic " { " on " | " off " } |"
69 .BR multicast " { " on " | " off " } |"
109 .RI "[ " DEVICE " | "
114 .BR "ip addr" " { " add " | " del " } "
115 .IB IFADDR " dev " STRING
118 .BR "ip addr" " { " show " | " flush " } [ " dev
123 .IR PREFIX " ] [ " FLAG-LIST " ] [ "
128 .IR IFADDR " := " PREFIX " | " ADDR
142 .RB "[ " host " | " link " | " global " | "
146 .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
150 .RB "[ " permanent " | " dynamic " | " secondary " | " primary " | "\
151 tentative " | " deprecated " | " dadfailed " | " temporary " ]"
154 .BR "ip addrlabel" " { " add " | " del " } " prefix
162 .BR "ip addrlabel" " { " list " | " flush " }"
166 .BR list " | " flush " } "
174 .BR "ip route restore"
179 .BI from " ADDRESS " iif " STRING"
186 .BR "ip route" " { " add " | " del " | " change " | " append " | "\
187 replace " | " monitor " } "
208 .IR ROUTE " := " NODE_SPEC " [ " INFO_SPEC " ]"
211 .IR NODE_SPEC " := [ " TYPE " ] " PREFIX " ["
224 .IR INFO_SPEC " := " "NH OPTIONS FLAGS" " ["
235 .IR NUMBER " ] " NHFLAGS
238 .IR OPTIONS " := " FLAGS " [ "
264 .BR unicast " | " local " | " broadcast " | " multicast " | "\
265 throw " | " unreachable " | " prohibit " | " blackhole " | " nat " ]"
268 .IR TABLE_ID " := [ "
269 .BR local "| " main " | " default " | " all " |"
274 .BR host " | " link " | " global " |"
279 .BR onlink " | " pervasive " ]"
283 .BR kernel " | " boot " | " static " |"
288 .RB " [ " list " | " add " | " del " | " flush " ]"
292 .IR SELECTOR " := [ "
300 .IR FWMARK[/MASK] " ] [ "
314 .BR prohibit " | " reject " | " unreachable " ] [ " realms
315 .RI "[" SRCREALM "/]" DSTREALM " ]"
318 .IR TABLE_ID " := [ "
319 .BR local " | " main " | " default " |"
323 .BR "ip neigh" " { " add " | " del " | " change " | " replace " } { "
327 .BR nud " { " permanent " | " noarp " | " stale " | " reachable " } ] | " proxy
333 .BR "ip neigh" " { " show " | " flush " } [ " to
341 .BR "ip tunnel" " { " add " | " change " | " del " | " show " | " prl " }"
351 .RB "[ [" i "|" o "]" seq " ] [ [" i "|" o "]" key
353 .RB "[" i "|" o "]" csum " ] ]"
372 .RB "[ [" no "]" pmtudisc " ]"
375 .RB "[ " "dscp inherit" " ]"
379 .RB " { " ipip " | " gre " | " sit " | " isatap " | " ip6ip6 " | " ipip6 " | " any " }"
382 .IR ADDR " := { " IP_ADDRESS " |"
386 .IR TOS " := { " NUMBER " |"
396 .IR TTL " := { " 1 ".." 255 " | "
400 .IR KEY " := { " DOTTED_QUAD " | " NUMBER " }"
403 .IR TIME " := " NUMBER "[s|ms]"
406 .BR "ip maddr" " [ " add " | " del " ]"
407 .IB MULTIADDR " dev " STRING
410 .BR "ip maddr show" " [ " dev
414 .BR "ip mroute show" " ["
422 .BR "ip monitor" " [ " all " |"
423 .IR LISTofOBJECTS " ]"
428 .IR XFRM-OBJECT " { " COMMAND " | "
433 .IR XFRM-OBJECT " :="
434 .BR state " | " policy " | " monitor
438 .BR "ip xfrm state " { " add " | " update " } "
439 .IR ID " [ " ALGO-LIST " ]"
450 .RB "[ " replay-window
459 .IR SELECTOR " ] [ " LIMIT-LIST " ]"
463 .IR ADDR "[/" PLEN "] ]"
468 .B "ip xfrm state allocspi"
486 .BR "ip xfrm state" " { " delete " | " get " } "
494 .BR "ip xfrm state" " { " deleteall " | " list " } ["
504 .BR "ip xfrm state flush" " [ " proto
508 .BR "ip xfrm state count"
523 .BR esp " | " ah " | " comp " | " route2 " | " hao
526 .IR ALGO-LIST " := [ " ALGO-LIST " ] " ALGO
530 .RB "{ " enc " | " auth " | " comp " } "
531 .IR ALGO-NAME " " ALGO-KEY
535 .IR ALGO-NAME " " ALGO-KEY " " ALGO-ICV-LEN
539 .IR ALGO-NAME " " ALGO-KEY " " ALGO-TRUNC-LEN
543 .BR transport " | " tunnel " | " ro " | " in_trigger " | " beet
546 .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
550 .BR noecn " | " decap-dscp " | " nopmtudisc " | " wildrecv " | " icmp " | " af-unspec " | " align4
555 .IR ADDR "[/" PLEN "] ]"
557 .IR ADDR "[/" PLEN "] ]"
568 .RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
573 .RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
579 .RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
582 .IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
588 .RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
591 .RB "{ " byte-soft " | " byte-hard " }"
594 .RB "{ " packet-soft " | " packet-hard " }"
599 .RB "{ " espinudp " | " espinudp-nonike " }"
600 .IR SPORT " " DPORT " " OADDR
603 .BR "ip xfrm policy" " { " add " | " update " }"
623 .RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]"
626 .BR "ip xfrm policy" " { " delete " | " get " }"
627 .RI "{ " SELECTOR " | "
642 .BR "ip xfrm policy" " { " deleteall " | " list " }"
643 .RI "[ " SELECTOR " ]"
656 .B "ip xfrm policy flush"
661 .B "ip xfrm policy count"
666 .IR ADDR "[/" PLEN "] ]"
668 .IR ADDR "[/" PLEN "] ]"
678 .RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
683 .RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
689 .RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
693 .BR in " | " out " | " fwd
701 .BR allow " | " block
704 .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
708 .BR localok " | " icmp
711 .IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
717 .RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
720 .RB "{ " byte-soft " | " byte-hard " }"
723 .RB "{ " packet-soft " | " packet-hard " }"
727 .IR TMPL-LIST " := [ " TMPL-LIST " ]"
753 .BR esp " | " ah " | " comp " | " route2 " | " hao
757 .BR transport " | " tunnel " | " ro " | " in_trigger " | " beet
761 .BR required " | " use
764 .BR "ip xfrm monitor" " [ " all " |"
765 .IR LISTofXFRM-OBJECTS " ]"
773 .BR "\-V" , " -Version"
774 print the version of the
779 .BR "\-s" , " \-stats", " \-statistics"
780 output more information. If the option
781 appears twice or more, the amount of information increases.
782 As a rule, the information is statistics or some time values.
785 .BR "\-l" , " \-loops"
786 Specify maximum number of loops the 'ip addr flush' logic
787 will attempt before giving up. The default is 10.
788 Zero (0) means loop until all addresses are removed.
791 .BR "\-f" , " \-family"
792 followed by protocol family identifier:
793 .BR "inet" , " inet6"
796 ,enforce the protocol family to use. If the option is not present,
797 the protocol family is guessed from other arguments. If the rest
798 of the command line does not give enough information to guess the
801 falls back to the default one, usually
806 is a special family identifier meaning that no networking protocol
817 .BR "\-family inet6" .
822 .BR "\-family link" .
825 .BR "\-o" , " \-oneline"
826 output each record on a single line, replacing line feeds
829 character. This is convenient when you want to count records
837 .BR "\-r" , " \-resolve"
838 use the system's name resolver to print DNS names instead of
841 .SH IP - COMMAND SYNTAX
852 - protocol (IP or IPv6) address on a device.
856 - label configuration for protocol address selection.
860 - ARP or NDISC cache entry.
864 - routing table entry.
868 - rule in routing policy database.
876 - multicast routing cache entry.
883 The names of all objects may be written in full or
884 abbreviated form, f.e.
894 Specifies the action to perform on the object.
895 The set of possible actions depends on the object type.
896 As a rule, it is possible to
897 .BR "add" , " delete"
902 ) objects, but some objects do not allow all of these operations
903 or have some additional commands. The
905 command is available for all objects. It prints
906 out a list of available commands and argument syntax conventions.
908 If no command is given, some default command is assumed.
911 or, if the objects of this class cannot be listed,
914 .SH ip link - network device configuration
917 is a network device and the corresponding commands
918 display and change the state of devices.
920 .SS ip link add - add virtual link
924 specifies the physical device to act operate on.
927 specifies the name of the new virtual device.
930 specifies the type of the new device.
936 - 802.1q tagged virrtual LAN interface
939 - virtual interface base on link layer address (MAC)
942 - Controller Area Network interface
945 .SS ip link delete - delete virtual link
947 specifies the virtual device to act operate on.
949 specifies the type of the device.
954 specifies the physical device to act operate on.
956 .SS ip link set - change device attributes
961 specifies network device to operate on. When configuring SR-IOV Virtual Fuction
962 (VF) devices, this keyword should specify the associated Physical Function (PF)
968 has a dual role: If both group and dev are present, then move the device to the
969 specified group. If only a group is specified, then the command operates on
970 all devices in that group.
974 change the state of the device to
980 .BR "arp on " or " arp off"
986 .BR "multicast on " or " multicast off"
992 .BR "dynamic on " or " dynamic off"
999 change the name of the device. This operation is not
1000 recommended if the device is running or has some addresses
1004 .BI txqueuelen " NUMBER"
1006 .BI txqlen " NUMBER"
1007 change the transmit queue length of the device.
1016 .BI address " LLADDRESS"
1017 change the station address of the interface.
1020 .BI broadcast " LLADDRESS"
1022 .BI brd " LLADDRESS"
1024 .BI peer " LLADDRESS"
1025 change the link layer broadcast address or the peer address when
1031 move the device to the network namespace associated with the process
1036 give the device a symbolic name for easy reference.
1040 specify the group the device belongs to.
1041 The available groups are listed in file
1042 .BR "/etc/iproute2/group" .
1046 specify a Virtual Function device to be configured. The associated PF device
1047 must be specified using the
1052 .BI mac " LLADDRESS"
1053 - change the station address for the specified VF. The
1055 parameter must be specified.
1059 - change the assigned VLAN for the specified VF. When specified, all traffic
1060 sent from the VF will be tagged with the specified VLAN ID. Incoming traffic
1061 will be filtered for the specified VLAN ID, and will have all VLAN tags
1062 stripped before being passed to the VF. Setting this parameter to 0 disables
1063 VLAN tagging and filtering. The
1065 parameter must be specified.
1069 - assign VLAN QOS (priority) bits for the VLAN tag. When specified, all VLAN
1070 tags transmitted by the VF will include the specified priority bits in the
1071 VLAN tag. If not specified, the value is assumed to be 0. Both the
1075 parameters must be specified. Setting both
1079 as 0 disables VLAN tagging and filtering for the VF.
1083 - change the allowed transmit bandwidth, in Mbps, for the specified VF.
1084 Setting this parameter to 0 disables rate limiting. The
1086 parameter must be specified.
1090 .BI master " DEVICE"
1091 set master device of the device (enslave device).
1095 unset master device of the device (release device).
1099 If multiple parameter changes are requested,
1101 aborts immediately after any of the changes have failed.
1102 This is the only case when
1104 can move the system to an unpredictable state. The solution
1105 is to avoid changing several parameters with one
1109 .SS ip link show - display device attributes
1112 .BI dev " NAME " (default)
1114 specifies the network device to show.
1115 If this argument is omitted all devices in the default group are listed.
1120 specifies what group of devices to show.
1124 only display running interfaces.
1126 .SH ip address - protocol address management.
1130 is a protocol (IP or IPv6) address attached
1131 to a network device. Each device must have at least one address
1132 to use the corresponding protocol. It is possible to have several
1133 different addresses attached to one device. These addresses are not
1134 discriminated, so that the term
1136 is not quite appropriate for them and we do not use it in this document.
1140 command displays addresses and their properties, adds new addresses
1141 and deletes old ones.
1143 .SS ip address add - add new protocol address.
1147 the name of the device to add the address to.
1150 .BI local " ADDRESS " (default)
1151 the address of the interface. The format of the address depends
1152 on the protocol. It is a dotted quad for IP and a sequence of
1153 hexadecimal halfwords separated by colons for IPv6. The
1155 may be followed by a slash and a decimal number which encodes
1156 the network prefix length.
1160 the address of the remote endpoint for pointopoint interfaces.
1163 may be followed by a slash and a decimal number, encoding the network
1164 prefix length. If a peer address is specified, the local address
1165 cannot have a prefix length. The network prefix is associated
1166 with the peer rather than with the local address.
1169 .BI broadcast " ADDRESS"
1170 the broadcast address on the interface.
1172 It is possible to use the special symbols
1176 instead of the broadcast address. In this case, the broadcast address
1177 is derived by setting/resetting the host bits of the interface prefix.
1181 Each address may be tagged with a label string.
1182 In order to preserve compatibility with Linux-2.0 net aliases,
1183 this string must coincide with the name of the device or must be prefixed
1184 with the device name followed by colon.
1187 .BI scope " SCOPE_VALUE"
1188 the scope of the area where this address is valid.
1189 The available scopes are listed in file
1190 .BR "/etc/iproute2/rt_scopes" .
1191 Predefined scope values are:
1195 - the address is globally valid.
1198 - (IPv6 only) the address is site local, i.e. it is
1199 valid inside this site.
1202 - the address is link local, i.e. it is valid only on this device.
1205 - the address is valid only inside this host.
1208 .SS ip address delete - delete protocol address
1210 coincide with the arguments of
1212 The device name is a required argument. The rest are optional.
1213 If no arguments are given, the first address is deleted.
1215 .SS ip address show - look at protocol addresses
1218 .BI dev " NAME " (default)
1222 .BI scope " SCOPE_VAL"
1223 only list addresses with this scope.
1227 only list addresses matching this prefix.
1230 .BI label " PATTERN"
1231 only list addresses with labels matching the
1234 is a usual shell style pattern.
1237 .BR dynamic " and " permanent
1238 (IPv6 only) only list addresses installed due to stateless
1239 address configuration or only list permanent (not dynamic)
1244 (IPv6 only) only list addresses which have not yet passed duplicate
1249 (IPv6 only) only list deprecated addresses.
1253 (IPv6 only) only list addresses which have failed duplicate
1258 (IPv6 only) only list temporary addresses.
1261 .BR primary " and " secondary
1262 only list primary (or secondary) addresses.
1264 .SS ip address flush - flush protocol addresses
1265 This command flushes the protocol addresses selected by some criteria.
1268 This command has the same arguments as
1270 The difference is that it does not run when no arguments are given.
1274 This command (and other
1276 commands described below) is pretty dangerous. If you make a mistake,
1277 it will not forgive it, but will cruelly purge all the addresses.
1282 option, the command becomes verbose. It prints out the number of deleted
1283 addresses and the number of rounds made to flush the address list. If
1284 this option is given twice,
1286 also dumps all the deleted addresses in the format described in the
1287 previous subsection.
1289 .SH ip addrlabel - protocol address label management.
1291 IPv6 address label is used for address selection
1292 described in RFC 3484. Precedence is managed by userspace,
1293 and only label is stored in kernel.
1295 .SS ip addrlabel add - add an address label
1296 the command adds an address label entry to the kernel.
1298 .BI prefix " PREFIX"
1301 the outgoing interface.
1304 the label for the prefix.
1305 0xffffffff is reserved.
1306 .SS ip addrlabel del - delete an address label
1307 the command deletes an address label entry in the kernel.
1309 coincide with the arguments of
1311 but label is not required.
1312 .SS ip addrlabel list - list address labels
1313 the command show contents of address labels.
1314 .SS ip addrlabel flush - flush address labels
1315 the command flushes the contents of address labels and it does not restore default settings.
1316 .SH ip neighbour - neighbour/arp tables management.
1319 objects establish bindings between protocol addresses and
1320 link layer addresses for hosts sharing the same link.
1321 Neighbour entries are organized into tables. The IPv4 neighbour table
1322 is known by another name - the ARP table.
1325 The corresponding commands display neighbour bindings
1326 and their properties, add new neighbour entries and delete old ones.
1328 .SS ip neighbour add - add a new neighbour entry
1329 .SS ip neighbour change - change an existing entry
1330 .SS ip neighbour replace - add a new entry or change an existing one
1332 These commands create new neighbour records or update existing ones.
1335 .BI to " ADDRESS " (default)
1336 the protocol address of the neighbour. It is either an IPv4 or IPv6 address.
1340 the interface to which this neighbour is attached.
1343 .BI lladdr " LLADDRESS"
1344 the link layer address of the neighbour.
1350 .BI nud " NUD_STATE"
1351 the state of the neighbour entry.
1353 is an abbreviation for 'Neighbour Unreachability Detection'.
1354 The state can take one of the following values:
1358 - the neighbour entry is valid forever and can be only
1359 be removed administratively.
1363 - the neighbour entry is valid. No attempts to validate
1364 this entry will be made but it can be removed when its lifetime expires.
1368 - the neighbour entry is valid until the reachability
1373 - the neighbour entry is valid but suspicious.
1376 does not change the neighbour state if it was valid and the address
1377 is not changed by this command.
1380 .SS ip neighbour delete - delete a neighbour entry
1381 This command invalidates a neighbour entry.
1384 The arguments are the same as with
1385 .BR "ip neigh add" ,
1394 Attempts to delete or manually change a
1396 entry created by the kernel may result in unpredictable behaviour.
1397 Particularly, the kernel may try to resolve this address even
1400 interface or if the address is multicast or broadcast.
1402 .SS ip neighbour show - list neighbour entries
1404 This commands displays neighbour tables.
1407 .BI to " ADDRESS " (default)
1408 the prefix selecting the neighbours to list.
1412 only list the neighbours attached to this device.
1416 only list neighbours which are not currently in use.
1419 .BI nud " NUD_STATE"
1420 only list neighbour entries in this state.
1422 takes values listed below or the special value
1424 which means all states. This option may occur more than once.
1425 If this option is absent,
1427 lists all entries except for
1432 .SS ip neighbour flush - flush neighbour entries
1433 This command flushes neighbour tables, selecting
1434 entries to flush by some criteria.
1437 This command has the same arguments as
1439 The differences are that it does not run when no arguments are given,
1440 and that the default neighbour states to be flushed do not include
1448 option, the command becomes verbose. It prints out the number of
1449 deleted neighbours and the number of rounds made to flush the
1450 neighbour table. If the option is given
1453 also dumps all the deleted neighbours.
1455 .SH ip route - routing table management
1456 Manipulate route entries in the kernel routing tables keep
1457 information about paths to other networked nodes.
1463 - the route entry describes real paths to the destinations covered
1464 by the route prefix.
1468 - these destinations are unreachable. Packets are discarded and the
1472 The local senders get an
1478 - these destinations are unreachable. Packets are discarded silently.
1479 The local senders get an
1485 - these destinations are unreachable. Packets are discarded and the
1487 .I communication administratively prohibited
1488 is generated. The local senders get an
1494 - the destinations are assigned to this host. The packets are looped
1495 back and delivered locally.
1499 - the destinations are broadcast addresses. The packets are sent as
1504 - a special control route used together with policy rules. If such a
1505 route is selected, lookup in this table is terminated pretending that
1506 no route was found. Without policy routing it is equivalent to the
1507 absence of the route in the routing table. The packets are dropped
1508 and the ICMP message
1510 is generated. The local senders get an
1516 - a special NAT route. Destinations covered by the prefix
1517 are considered to be dummy (or external) addresses which require translation
1518 to real (or internal) ones before forwarding. The addresses to translate to
1519 are selected with the attribute
1521 Route NAT is no longer supported in Linux 2.6.
1527 .RI "- " "not implemented"
1528 the destinations are
1530 addresses assigned to this host. They are mainly equivalent
1533 with one difference: such addresses are invalid when used
1534 as the source address of any packet.
1538 - a special type used for multicast routing. It is not present in
1539 normal routing tables.
1544 Linux-2.x can pack routes into several routing tables identified
1545 by a number in the range from 1 to 2^31 or by name from the file
1546 .B /etc/iproute2/rt_tables
1547 By default all normal routes are inserted into the
1549 table (ID 254) and the kernel only uses this table when calculating routes.
1550 Values (0, 253, 254, and 255) are reserved for built-in use.
1553 Actually, one other table always exists, which is invisible but
1554 even more important. It is the
1556 table (ID 255). This table
1557 consists of routes for local and broadcast addresses. The kernel maintains
1558 this table automatically and the administrator usually need not modify it
1561 The multiple routing tables enter the game when
1565 .SS ip route add - add new route
1566 .SS ip route change - change route
1567 .SS ip route replace - change or add new one
1570 .BI to " TYPE PREFIX " (default)
1571 the destination prefix of the route. If
1581 is an IP or IPv6 address optionally followed by a slash and the
1582 prefix length. If the length of the prefix is missing,
1584 assumes a full-length host route. There is also a special
1587 - which is equivalent to IP
1596 the Type Of Service (TOS) key. This key has no associated mask and
1597 the longest match is understood as: First, compare the TOS
1598 of the route and of the packet. If they are not equal, then the packet
1599 may still match a route with a zero TOS.
1601 is either an 8 bit hexadecimal number or an identifier
1603 .BR "/etc/iproute2/rt_dsfield" .
1606 .BI metric " NUMBER"
1608 .BI preference " NUMBER"
1609 the preference value of the route.
1611 is an arbitrary 32bit number.
1614 .BI table " TABLEID"
1615 the table to add this route to.
1617 may be a number or a string from the file
1618 .BR "/etc/iproute2/rt_tables" .
1619 If this parameter is omitted,
1623 table, with the exception of
1624 .BR local " , " broadcast " and " nat
1625 routes, which are put into the
1631 the output device name.
1635 the address of the nexthop router. Actually, the sense of this field
1636 depends on the route type. For normal
1638 routes it is either the true next hop router or, if it is a direct
1639 route installed in BSD compatibility mode, it can be a local address
1640 of the interface. For NAT routes it is the first address of the block
1641 of translated IP destinations.
1645 the source address to prefer when sending to the destinations
1646 covered by the route prefix.
1649 .BI realm " REALMID"
1650 the realm to which this route is assigned.
1652 may be a number or a string from the file
1653 .BR "/etc/iproute2/rt_realms" .
1658 .BI "mtu lock" " MTU"
1659 the MTU along the path to the destination. If the modifier
1661 is not used, the MTU may be updated by the kernel due to
1662 Path MTU Discovery. If the modifier
1664 is used, no path MTU discovery will be tried, all packets
1665 will be sent without the DF bit in IPv4 case or fragmented
1669 .BI window " NUMBER"
1670 the maximal window for TCP to advertise to these destinations,
1671 measured in bytes. It limits maximal data bursts that our TCP
1672 peers are allowed to send to us.
1676 the initial RTT ('Round Trip Time') estimate. If no suffix is
1677 specified the units are raw values passed directly to the
1678 routing code to maintain compatibility with previous releases.
1679 Otherwise if a suffix of s, sec or secs is used to specify
1680 seconds and ms, msec or msecs to specify milliseconds.
1684 .BI rttvar " TIME " "(2.3.15+ only)"
1685 the initial RTT variance estimate. Values are specified as with
1690 .BI rto_min " TIME " "(2.6.23+ only)"
1691 the minimum TCP Retransmission TimeOut to use when communicating with this
1692 destination. Values are specified as with
1697 .BI ssthresh " NUMBER " "(2.3.15+ only)"
1698 an estimate for the initial slow start threshold.
1701 .BI cwnd " NUMBER " "(2.3.15+ only)"
1702 the clamp for congestion window. It is ignored if the
1707 .BI initcwnd " NUMBER " "(2.5.70+ only)"
1708 the initial congestion window size for connections to this destination.
1709 Actual window size is this value multiplied by the MSS
1710 (``Maximal Segment Size'') for same connection. The default is
1711 zero, meaning to use the values specified in RFC2414.
1714 .BI initrwnd " NUMBER " "(2.6.33+ only)"
1715 the initial receive window size for connections to this destination.
1716 Actual window size is this value multiplied by the MSS of the connection.
1717 The default value is zero, meaning to use Slow Start value.
1720 .BI advmss " NUMBER " "(2.3.15+ only)"
1721 the MSS ('Maximal Segment Size') to advertise to these
1722 destinations when establishing TCP connections. If it is not given,
1723 Linux uses a default value calculated from the first hop device MTU.
1724 (If the path to these destination is asymmetric, this guess may be wrong.)
1727 .BI reordering " NUMBER " "(2.3.15+ only)"
1728 Maximal reordering on the path to this destination.
1729 If it is not given, Linux uses the value selected with
1732 .BR "net/ipv4/tcp_reordering" .
1735 .BI nexthop " NEXTHOP"
1736 the nexthop of a multipath route.
1738 is a complex value with its own syntax similar to the top level
1743 - is the nexthop router.
1747 - is the output device.
1750 .BI weight " NUMBER"
1751 - is a weight for this element of a multipath
1752 route reflecting its relative bandwidth or quality.
1756 .BI scope " SCOPE_VAL"
1757 the scope of the destinations covered by the route prefix.
1759 may be a number or a string from the file
1760 .BR "/etc/iproute2/rt_scopes" .
1761 If this parameter is omitted,
1770 .BR unicast " and " broadcast
1772 .BR host " for " local
1776 .BI protocol " RTPROTO"
1777 the routing protocol identifier of this route.
1779 may be a number or a string from the file
1780 .BR "/etc/iproute2/rt_protos" .
1781 If the routing protocol ID is not given,
1782 .B ip assumes protocol
1784 (i.e. it assumes the route was added by someone who doesn't
1785 understand what they are doing). Several protocol values have
1786 a fixed interpretation.
1791 - the route was installed due to an ICMP redirect.
1795 - the route was installed by the kernel during autoconfiguration.
1799 - the route was installed during the bootup sequence.
1800 If a routing daemon starts, it will purge all of them.
1804 - the route was installed by the administrator
1805 to override dynamic routing. Routing daemon will respect them
1806 and, probably, even advertise them to its peers.
1810 - the route was installed by Router Discovery protocol.
1814 The rest of the values are not reserved and the administrator is free
1815 to assign (or not to assign) protocol tags.
1819 pretend that the nexthop is directly attached to this link,
1820 even if it does not match any interface prefix.
1822 .SS ip route delete - delete route
1825 has the same arguments as
1826 .BR "ip route add" ,
1827 but their semantics are a bit different.
1830 .RB "(" to ", " tos ", " preference " and " table ")"
1831 select the route to delete. If optional attributes are present,
1833 verifies that they coincide with the attributes of the route to delete.
1834 If no route with the given key and attributes was found,
1838 .SS ip route show - list routes
1839 the command displays the contents of the routing tables or the route(s)
1840 selected by some criteria.
1843 .BI to " SELECTOR " (default)
1844 only select routes from the given range of destinations.
1846 consists of an optional modifier
1847 .RB "(" root ", " match " or " exact ")"
1850 selects routes with prefixes not shorter than
1854 selects the entire routing table.
1856 selects routes with prefixes not longer than
1859 .BI match " 10.0/16"
1862 .IR 10/8 " and " 0/0 ,
1863 but it does not select
1864 .IR 10.1/16 " and " 10.0.0/24 .
1869 selects routes with this exact prefix. If neither of these options
1874 i.e. it lists the entire table.
1879 only select routes with the given TOS.
1882 .BI table " TABLEID"
1883 show the routes from this table(s). The default setting is to show
1886 may either be the ID of a real table or one of the special values:
1890 - list all of the tables.
1893 - dump the routing cache.
1900 list cloned routes i.e. routes which were dynamically forked from
1901 other routes because some route attribute (f.e. MTU) was updated.
1902 Actually, it is equivalent to
1903 .BR "table cache" "."
1906 .BI from " SELECTOR"
1907 the same syntax as for
1909 but it binds the source address range rather than destinations.
1912 option only works with cloned routes.
1915 .BI protocol " RTPROTO"
1916 only list routes of this protocol.
1919 .BI scope " SCOPE_VAL"
1920 only list routes with this scope.
1924 only list routes of this type.
1928 only list routes going via this device.
1932 only list routes going via the nexthop routers selected by
1937 only list routes with preferred source addresses selected
1942 .BI realm " REALMID"
1944 .BI realms " FROMREALM/TOREALM"
1945 only list routes with these realms.
1947 .SS ip route flush - flush routing tables
1948 this command flushes routes selected by some criteria.
1951 The arguments have the same syntax and semantics as the arguments of
1952 .BR "ip route show" ,
1953 but routing tables are not listed but purged. The only difference is
1956 dumps all the IP main routing table but
1958 prints the helper page.
1963 option, the command becomes verbose. It prints out the number of
1964 deleted routes and the number of rounds made to flush the routing
1965 table. If the option is given
1968 also dumps all the deleted routes in the format described in the
1969 previous subsection.
1971 .SS ip route get - get a single route
1972 this command gets a single route to a destination and prints its
1973 contents exactly as the kernel sees it.
1976 .BI to " ADDRESS " (default)
1977 the destination address.
1987 the Type Of Service.
1991 the device from which this packet is expected to arrive.
1995 force the output device on which this packet will be routed.
1999 if no source address
2000 .RB "(option " from ")"
2001 was given, relookup the route with the source set to the preferred
2002 address received from the first lookup.
2003 If policy routing is used, it may be a different route.
2006 Note that this operation is not equivalent to
2007 .BR "ip route show" .
2009 shows existing routes.
2011 resolves them and creates new clones if necessary. Essentially,
2013 is equivalent to sending a packet along this path.
2016 argument is not given, the kernel creates a route
2017 to output packets towards the requested destination.
2018 This is equivalent to pinging the destination
2020 .BR "ip route ls cache" ,
2021 however, no packets are actually sent. With the
2023 argument, the kernel pretends that a packet arrived from this interface
2024 and searches for a path to forward the packet.
2026 .SS ip route save - save routing table information to stdout
2027 this command behaves like
2029 except that the output is raw data suitable for passing to
2030 .BR "ip route restore" .
2032 .SS ip route restore - restore routing table information from stdin
2033 this command expects to read a data stream as returned from
2034 .BR "ip route save" .
2035 It will attempt to restore the routing table information exactly as
2036 it was at the time of the save, so any translation of information
2037 in the stream (such as device indexes) must be done first. Any existing
2038 routes are left unchanged. Any routes specified in the data stream that
2039 already exist in the table will be ignored.
2041 .SH ip rule - routing policy database management
2044 in the routing policy database control the route selection algorithm.
2047 Classic routing algorithms used in the Internet make routing decisions
2048 based only on the destination address of packets (and in theory,
2049 but not in practice, on the TOS field).
2052 In some circumstances we want to route packets differently depending not only
2053 on destination addresses, but also on other packet fields: source address,
2054 IP protocol, transport protocol ports or even packet payload.
2055 This task is called 'policy routing'.
2058 To solve this task, the conventional destination based routing table, ordered
2059 according to the longest match rule, is replaced with a 'routing policy
2060 database' (or RPDB), which selects routes by executing some set of rules.
2063 Each policy routing rule consists of a
2066 .B action predicate.
2067 The RPDB is scanned in the order of increasing priority. The selector
2068 of each rule is applied to {source address, destination address, incoming
2069 interface, tos, fwmark} and, if the selector matches the packet,
2070 the action is performed. The action predicate may return with success.
2071 In this case, it will either give a route or failure indication
2072 and the RPDB lookup is terminated. Otherwise, the RPDB program
2073 continues on the next rule.
2076 Semantically, natural action is to select the nexthop and the output device.
2079 At startup time the kernel configures the default RPDB consisting of three
2084 Priority: 0, Selector: match anything, Action: lookup routing
2090 table is a special routing table containing
2091 high priority control routes for local and broadcast addresses.
2093 Rule 0 is special. It cannot be deleted or overridden.
2097 Priority: 32766, Selector: match anything, Action: lookup routing
2103 table is the normal routing table containing all non-policy
2104 routes. This rule may be deleted and/or overridden with other
2105 ones by the administrator.
2109 Priority: 32767, Selector: match anything, Action: lookup routing
2115 table is empty. It is reserved for some post-processing if no previous
2116 default rules selected the packet.
2117 This rule may also be deleted.
2120 Each RPDB entry has additional
2121 attributes. F.e. each rule has a pointer to some routing
2122 table. NAT and masquerading rules have an attribute to select new IP
2123 address to translate/masquerade. Besides that, rules have some
2124 optional attributes, which routes have, namely
2126 These values do not override those contained in the routing tables. They
2127 are only used if the route did not select any attributes.
2130 The RPDB may contain rules of the following types:
2134 - the rule prescribes to return the route found
2135 in the routing table referenced by the rule.
2138 - the rule prescribes to silently drop the packet.
2141 - the rule prescribes to generate a 'Network is unreachable' error.
2144 - the rule prescribes to generate 'Communication is administratively
2148 - the rule prescribes to translate the source address
2149 of the IP packet into some other value.
2152 .SS ip rule add - insert a new rule
2153 .SS ip rule delete - delete a rule
2156 .BI type " TYPE " (default)
2157 the type of this rule. The list of valid types was given in the previous
2162 select the source prefix to match.
2166 select the destination prefix to match.
2170 select the incoming device to match. If the interface is loopback,
2171 the rule only matches packets originating from this host. This means
2172 that you may create separate routing tables for forwarded and local
2173 packets and, hence, completely segregate them.
2177 select the outgoing device to match. The outgoing interface is only
2178 available for packets originating from local sockets that are bound to
2185 select the TOS value to match.
2194 .BI priority " PREFERENCE"
2195 the priority of this rule. Each rule should have an explicitly
2199 The options preference and order are synonyms with priority.
2202 .BI table " TABLEID"
2203 the routing table identifier to lookup if the rule selector matches.
2204 It is also possible to use lookup instead of table.
2207 .BI realms " FROM/TO"
2208 Realms to select if the rule matched and the routing table lookup
2211 is only used if the route did not select any realm.
2215 The base of the IP address block to translate (for source addresses).
2218 may be either the start of the block of NAT addresses (selected by NAT
2219 routes) or a local host address (or even zero).
2220 In the last case the router does not translate the packets, but
2221 masquerades them to this address.
2222 Using map-to instead of nat means the same thing.
2225 Changes to the RPDB made with these commands do not become active
2226 immediately. It is assumed that after a script finishes a batch of
2227 updates, it flushes the routing cache with
2228 .BR "ip route flush cache" .
2230 .SS ip rule flush - also dumps all the deleted rules.
2231 This command has no arguments.
2233 .SS ip rule show - list rules
2234 This command has no arguments.
2235 The options list or lst are synonyms with show.
2237 .SH ip maddress - multicast addresses management
2240 objects are multicast addresses.
2242 .SS ip maddress show - list multicast addresses
2245 .BI dev " NAME " (default)
2248 .SS ip maddress add - add a multicast address
2249 .SS ip maddress delete - delete a multicast address
2250 these commands attach/detach a static link layer multicast address
2251 to listen on the interface.
2252 Note that it is impossible to join protocol multicast groups
2253 statically. This command only manages link layer addresses.
2256 .BI address " LLADDRESS " (default)
2257 the link layer multicast address.
2261 the device to join/leave this multicast address.
2263 .SH ip mroute - multicast routing cache management
2265 objects are multicast routing cache entries created by a user level
2266 mrouting daemon (f.e.
2272 Due to the limitations of the current interface to the multicast routing
2273 engine, it is impossible to change
2275 objects administratively, so we may only display them. This limitation
2276 will be removed in the future.
2278 .SS ip mroute show - list mroute cache entries
2281 .BI to " PREFIX " (default)
2282 the prefix selecting the destination multicast addresses to list.
2286 the interface on which multicast packets are received.
2290 the prefix selecting the IP source addresses of the multicast route.
2292 .SH ip tunnel - tunnel configuration
2294 objects are tunnels, encapsulating packets in IP packets and then
2295 sending them over the IP infrastructure.
2296 The encapulating (or outer) address family is specified by the
2298 option. The default is IPv4.
2300 .SS ip tunnel add - add a new tunnel
2301 .SS ip tunnel change - change an existing tunnel
2302 .SS ip tunnel delete - destroy a tunnel
2305 .BI name " NAME " (default)
2306 select the tunnel device name.
2310 set the tunnel mode. Available modes depend on the encapsulating address family.
2312 Modes for IPv4 encapsulation available:
2313 .BR ipip ", " sit ", " isatap " and " gre "."
2315 Modes for IPv6 encapsulation available:
2316 .BR ip6ip6 ", " ipip6 " and " any "."
2319 .BI remote " ADDRESS"
2320 set the remote endpoint of the tunnel.
2323 .BI local " ADDRESS"
2324 set the fixed local address for tunneled packets.
2325 It must be an address on another interface of this host.
2331 on tunneled packets.
2333 is a number in the range 1--255. 0 is a special value
2334 meaning that packets inherit the TTL value.
2335 The default value for IPv4 tunnels is:
2337 The default value for IPv6 tunnels is:
2347 set a fixed TOS (or traffic class in IPv6)
2349 on tunneled packets.
2350 The default value is:
2355 bind the tunnel to the device
2357 so that tunneled packets will only be routed via this device and will
2358 not be able to escape to another device when the route to endpoint
2363 disable Path MTU Discovery on this tunnel.
2364 It is enabled by default. Note that a fixed ttl is incompatible
2365 with this option: tunnelling with a fixed ttl always makes pmtu
2374 .RB ( " only GRE tunnels " )
2375 use keyed GRE with key
2377 is either a number or an IP address-like dotted quad.
2380 parameter sets the key to use in both directions.
2382 .BR ikey " and " okey
2383 parameters set different keys for input and output.
2386 .BR csum ", " icsum ", " ocsum
2387 .RB ( " only GRE tunnels " )
2388 generate/require checksums for tunneled packets.
2391 flag calculates checksums for outgoing packets.
2394 flag requires that all input packets have the correct
2397 flag is equivalent to the combination
2401 .BR seq ", " iseq ", " oseq
2402 .RB ( " only GRE tunnels " )
2406 flag enables sequencing of outgoing packets.
2409 flag requires that all input packets are serialized.
2412 flag is equivalent to the combination
2414 .B It isn't work. Don't use it.
2418 .RB ( " only IPv6 tunnels " )
2419 Inherit DS field between inner and outer header.
2422 .BI encaplim " ELIM"
2423 .RB ( " only IPv6 tunnels " )
2424 set a fixed encapsulation limit. Default is 4.
2427 .BI flowlabel " FLOWLABEL"
2428 .RB ( " only IPv6 tunnels " )
2429 set a fixed flowlabel.
2431 .SS ip tunnel prl - potential router list (ISATAP only)
2435 mandatory device name.
2438 .BI prl-default " ADDR"
2440 .BI prl-nodefault " ADDR"
2442 .BI prl-delete " ADDR"
2443 .RB "Add or delete " ADDR
2444 as a potential router or default router.
2446 .SS ip tunnel show - list tunnels
2447 This command has no arguments.
2449 .SH ip monitor and rtmon - state monitoring
2453 utility can monitor the state of devices, addresses
2454 and routes continuously. This option has a slightly different format.
2457 command is the first in the command line and then the object list follows:
2459 .BR "ip monitor" " [ " all " |"
2460 .IR LISTofOBJECTS " ]"
2463 is the list of object types that we want to monitor.
2465 .BR link ", " address " and " route "."
2470 opens RTNETLINK, listens on it and dumps state changes in the format
2471 described in previous sections.
2474 If a file name is given, it does not listen on RTNETLINK,
2475 but opens the file containing RTNETLINK messages saved in binary format
2476 and dumps them. Such a history file can be generated with the
2478 utility. This utility has a command line syntax similar to
2482 should be started before the first network configuration command
2483 is issued. F.e. if you insert:
2486 rtmon file /var/log/rtmon.log
2489 in a startup script, you will be able to view the full history
2493 Certainly, it is possible to start
2496 It prepends the history with the state snapshot dumped at the moment
2499 .SH ip xfrm - transform configuration
2500 xfrm is an IP framework for transforming packets (such as encrypting
2501 their payloads). This framework is used to implement the IPsec protocol
2504 object operating on the Security Association Database, and the
2506 object operating on the Security Policy Database). It is also used for
2507 the IP Payload Compression Protocol and features of Mobile IPv6.
2509 .SS ip xfrm state add - add new state into xfrm
2511 .SS ip xfrm state update - update existing state in xfrm
2513 .SS ip xfrm state allocspi - allocate an SPI value
2515 .SS ip xfrm state delete - delete existing state in xfrm
2517 .SS ip xfrm state get - get existing state in xfrm
2519 .SS ip xfrm state deleteall - delete all existing state in xfrm
2521 .SS ip xfrm state list - print out the list of existing state in xfrm
2523 .SS ip xfrm state flush - flush all state in xfrm
2525 .SS ip xfrm state count - count all existing state in xfrm
2529 is specified by a source address, destination address,
2530 .RI "transform protocol " XFRM-PROTO ","
2531 and/or Security Parameter Index
2536 specifies a transform protocol:
2537 .RB "IPsec Encapsulating Security Payload (" esp "),"
2538 .RB "IPsec Authentication Header (" ah "),"
2539 .RB "IP Payload Compression (" comp "),"
2540 .RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
2541 .RB "Mobile IPv6 Home Address Option (" hao ")."
2545 specifies one or more algorithms
2547 to use. Algorithm types include
2548 .RB "encryption (" enc "),"
2549 .RB "authentication (" auth "),"
2550 .RB "authentication with a specified truncation length (" auth-trunc "),"
2551 .RB "authenticated encryption with associated data (" aead "), and"
2552 .RB "compression (" comp ")."
2553 For each algorithm used, the algorithm type, the algorithm name
2557 must be specified. For
2559 the Integrity Check Value length
2561 must additionally be specified.
2564 the signature truncation length
2566 must additionally be specified.
2570 specifies a mode of operation:
2571 .RB "IPsec transport mode (" transport "), "
2572 .RB "IPsec tunnel mode (" tunnel "), "
2573 .RB "Mobile IPv6 route optimization mode (" ro "), "
2574 .RB "Mobile IPv6 inbound trigger mode (" in_trigger "), or "
2575 .RB "IPsec ESP Bound End-to-End Tunnel Mode (" beet ")."
2579 contains one or more of the following optional flags:
2580 .BR noecn ", " decap-dscp ", " nopmtudisc ", " wildrecv ", " icmp ", "
2581 .BR af-unspec ", or " align4 "."
2585 selects the traffic that will be controlled by the policy, based on the source
2586 address, the destination address, the network device, and/or
2591 selects traffic by protocol. For the
2592 .BR tcp ", " udp ", " sctp ", or " dccp
2593 protocols, the source and destination port can optionally be specified.
2595 .BR icmp ", " ipv6-icmp ", or " mobility-header
2596 protocols, the type and code numbers can optionally be specified.
2599 protocol, the key can optionally be specified as a dotted-quad or number.
2600 Other protocols can be selected by name or number
2605 sets limits in seconds, bytes, or numbers of packets.
2609 encapsulates packets with protocol
2610 .BR espinudp " or " espinudp-nonike ","
2611 .RI "using source port " SPORT ", destination port " DPORT
2612 .RI ", and original address " OADDR "."
2614 .SS ip xfrm policy add - add a new policy
2616 .SS ip xfrm policy update - update an existing policy
2618 .SS ip xfrm policy delete - delete an existing policy
2620 .SS ip xfrm policy get - get an existing policy
2622 .SS ip xfrm policy deleteall - delete all existing xfrm policies
2624 .SS ip xfrm policy list - print out the list of xfrm policies
2626 .SS ip xfrm policy flush - flush policies
2628 .SS ip xfrm policy count - count existing policies
2632 selects the traffic that will be controlled by the policy, based on the source
2633 address, the destination address, the network device, and/or
2638 selects traffic by protocol. For the
2639 .BR tcp ", " udp ", " sctp ", or " dccp
2640 protocols, the source and destination port can optionally be specified.
2642 .BR icmp ", " ipv6-icmp ", or " mobility-header
2643 protocols, the type and code numbers can optionally be specified.
2646 protocol, the key can optionally be specified as a dotted-quad or number.
2647 Other protocols can be selected by name or number
2652 selects the policy direction as
2653 .BR in ", " out ", or " fwd "."
2657 sets the security context.
2662 .BR main " (default) or " sub "."
2667 .BR allow " (default) or " block "."
2671 is a number that defaults to zero.
2675 contains one or both of the following optional flags:
2676 .BR local " or " icmp "."
2680 sets limits in seconds, bytes, or numbers of packets.
2684 is a template list specified using
2685 .IR ID ", " MODE ", " REQID ", and/or " LEVEL ". "
2689 is specified by a source address, destination address,
2690 .RI "transform protocol " XFRM-PROTO ","
2691 and/or Security Parameter Index
2696 specifies a transform protocol:
2697 .RB "IPsec Encapsulating Security Payload (" esp "),"
2698 .RB "IPsec Authentication Header (" ah "),"
2699 .RB "IP Payload Compression (" comp "),"
2700 .RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
2701 .RB "Mobile IPv6 Home Address Option (" hao ")."
2705 specifies a mode of operation:
2706 .RB "IPsec transport mode (" transport "), "
2707 .RB "IPsec tunnel mode (" tunnel "), "
2708 .RB "Mobile IPv6 route optimization mode (" ro "), "
2709 .RB "Mobile IPv6 inbound trigger mode (" in_trigger "), or "
2710 .RB "IPsec ESP Bound End-to-End Tunnel Mode (" beet ")."
2715 .BR required " (default) or " use "."
2717 .SS ip xfrm monitor - state monitoring for xfrm objects
2718 The xfrm objects to monitor can be optionally specified.
2722 was written by Alexey N. Kuznetsov and added in Linux 2.2.
2726 .RB "IP Command reference " ip-cref.ps
2728 .RB "IP tunnels " ip-cref.ps
2730 .RB "User documentation at " http://lartc.org/ ", but please direct bugreports and patches to: " <netdev@vger.kernel.org>
2733 Original Manpage by Michail Litvak <mci@owl.openwall.com>