1 .TH IP 8 "17 January 2002" "iproute2" "Linux"
3 ip \- show / manipulate routing, devices, policy routing and tunnels
10 .RI "[ " OPTIONS " ] " OBJECT " { " COMMAND " | "
16 .BR link " | " addr " | " addrlabel " | " route " | " rule " | " neigh " | "\
17 tunnel " | " maddr " | " mroute " }"
22 \fB\-V\fR[\fIersion\fR] |
23 \fB\-s\fR[\fItatistics\fR] |
24 \fB\-r\fR[\fIesolve\fR] |
25 \fB\-f\fR[\fIamily\fR] {
26 .BR inet " | " inet6 " | " ipx " | " dnet " | " link " } | "
27 \fB\-o\fR[\fIneline\fR] }
30 .BI "ip link add link " DEVICE
50 .BR vlan " | " maclan " | " can " ]"
53 .BI "ip link delete " DEVICE
61 .RB "} { " up " | " down " | " arp " { " on " | " off " } |"
63 .BR promisc " { " on " | " off " } |"
65 .BR allmulticast " { " on " | " off " } |"
67 .BR dynamic " { " on " | " off " } |"
69 .BR multicast " { " on " | " off " } |"
101 .IR VLAN-QOS " ] ] ["
114 .RI "[ " DEVICE " | "
119 .BR "ip addr" " { " add " | " del " } "
120 .IB IFADDR " dev " STRING
123 .BR "ip addr" " { " show " | " flush " } [ " dev
128 .IR PREFIX " ] [ " FLAG-LIST " ] [ "
133 .IR IFADDR " := " PREFIX " | " ADDR
147 .RB "[ " host " | " link " | " global " | "
151 .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
155 .RB "[ " permanent " | " dynamic " | " secondary " | " primary " | "\
156 tentative " | " deprecated " | " dadfailed " | " temporary " ]"
159 .BR "ip addrlabel" " { " add " | " del " } " prefix
167 .BR "ip addrlabel" " { " list " | " flush " }"
170 .BR "ip netns" " { " list " } "
173 .BR "ip netns" " { " add " | " delete " } "
178 .I NETNSNAME command ...
182 .BR list " | " flush " } "
190 .BR "ip route restore"
195 .BI from " ADDRESS " iif " STRING"
202 .BR "ip route" " { " add " | " del " | " change " | " append " | "\
224 .IR ROUTE " := " NODE_SPEC " [ " INFO_SPEC " ]"
227 .IR NODE_SPEC " := [ " TYPE " ] " PREFIX " ["
240 .IR INFO_SPEC " := " "NH OPTIONS FLAGS" " ["
251 .IR NUMBER " ] " NHFLAGS
254 .IR OPTIONS " := " FLAGS " [ "
280 .BR unicast " | " local " | " broadcast " | " multicast " | "\
281 throw " | " unreachable " | " prohibit " | " blackhole " | " nat " ]"
284 .IR TABLE_ID " := [ "
285 .BR local "| " main " | " default " | " all " |"
290 .BR host " | " link " | " global " |"
295 .BR onlink " | " pervasive " ]"
299 .BR kernel " | " boot " | " static " |"
304 .RB " [ " list " | " add " | " del " | " flush " ]"
308 .IR SELECTOR " := [ "
316 .IR FWMARK[/MASK] " ] [ "
330 .BR prohibit " | " reject " | " unreachable " ] [ " realms
331 .RI "[" SRCREALM "/]" DSTREALM " ]"
334 .IR TABLE_ID " := [ "
335 .BR local " | " main " | " default " |"
339 .BR "ip neigh" " { " add " | " del " | " change " | " replace " } { "
343 .BR nud " { " permanent " | " noarp " | " stale " | " reachable " } ] | " proxy
349 .BR "ip neigh" " { " show " | " flush " } [ " to
357 .BR "ip tunnel" " { " add " | " change " | " del " | " show " | " prl " }"
367 .RB "[ [" i "|" o "]" seq " ] [ [" i "|" o "]" key
369 .RB "[" i "|" o "]" csum " ] ]"
388 .RB "[ [" no "]" pmtudisc " ]"
391 .RB "[ " "dscp inherit" " ]"
395 .RB " { " ipip " | " gre " | " sit " | " isatap " | " ip6ip6 " | " ipip6 " | " any " }"
398 .IR ADDR " := { " IP_ADDRESS " |"
402 .IR TOS " := { " NUMBER " |"
412 .IR TTL " := { " 1 ".." 255 " | "
416 .IR KEY " := { " DOTTED_QUAD " | " NUMBER " }"
419 .IR TIME " := " NUMBER "[s|ms]"
422 .BR "ip maddr" " [ " add " | " del " ]"
423 .IB MULTIADDR " dev " STRING
426 .BR "ip maddr show" " [ " dev
430 .BR "ip mroute show" " ["
438 .BR "ip monitor" " [ " all " |"
439 .IR LISTofOBJECTS " ]"
444 .IR XFRM-OBJECT " { " COMMAND " | "
449 .IR XFRM-OBJECT " :="
450 .BR state " | " policy " | " monitor
454 .BR "ip xfrm state " { " add " | " update " } "
455 .IR ID " [ " ALGO-LIST " ]"
466 .RB "[ " replay-window
475 .IR SELECTOR " ] [ " LIMIT-LIST " ]"
479 .IR ADDR "[/" PLEN "] ]"
484 .B "ip xfrm state allocspi"
502 .BR "ip xfrm state" " { " delete " | " get " } "
510 .BR "ip xfrm state" " { " deleteall " | " list " } ["
520 .BR "ip xfrm state flush" " [ " proto
524 .BR "ip xfrm state count"
539 .BR esp " | " ah " | " comp " | " route2 " | " hao
542 .IR ALGO-LIST " := [ " ALGO-LIST " ] " ALGO
546 .RB "{ " enc " | " auth " | " comp " } "
547 .IR ALGO-NAME " " ALGO-KEY
551 .IR ALGO-NAME " " ALGO-KEY " " ALGO-ICV-LEN
555 .IR ALGO-NAME " " ALGO-KEY " " ALGO-TRUNC-LEN
559 .BR transport " | " tunnel " | " ro " | " in_trigger " | " beet
562 .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
566 .BR noecn " | " decap-dscp " | " nopmtudisc " | " wildrecv " | " icmp " | " af-unspec " | " align4
571 .IR ADDR "[/" PLEN "] ]"
573 .IR ADDR "[/" PLEN "] ]"
584 .RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
589 .RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
595 .RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
598 .IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
604 .RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
607 .RB "{ " byte-soft " | " byte-hard " }"
610 .RB "{ " packet-soft " | " packet-hard " }"
615 .RB "{ " espinudp " | " espinudp-nonike " }"
616 .IR SPORT " " DPORT " " OADDR
619 .BR "ip xfrm policy" " { " add " | " update " }"
639 .RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]"
642 .BR "ip xfrm policy" " { " delete " | " get " }"
643 .RI "{ " SELECTOR " | "
658 .BR "ip xfrm policy" " { " deleteall " | " list " }"
659 .RI "[ " SELECTOR " ]"
672 .B "ip xfrm policy flush"
677 .B "ip xfrm policy count"
682 .IR ADDR "[/" PLEN "] ]"
684 .IR ADDR "[/" PLEN "] ]"
694 .RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
699 .RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
705 .RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
709 .BR in " | " out " | " fwd
717 .BR allow " | " block
720 .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
724 .BR localok " | " icmp
727 .IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
733 .RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
736 .RB "{ " byte-soft " | " byte-hard " }"
739 .RB "{ " packet-soft " | " packet-hard " }"
743 .IR TMPL-LIST " := [ " TMPL-LIST " ]"
769 .BR esp " | " ah " | " comp " | " route2 " | " hao
773 .BR transport " | " tunnel " | " ro " | " in_trigger " | " beet
777 .BR required " | " use
780 .BR "ip xfrm monitor" " [ " all " |"
781 .IR LISTofXFRM-OBJECTS " ]"
789 .BR "\-V" , " -Version"
790 print the version of the
795 .BR "\-s" , " \-stats", " \-statistics"
796 output more information. If the option
797 appears twice or more, the amount of information increases.
798 As a rule, the information is statistics or some time values.
801 .BR "\-l" , " \-loops"
802 Specify maximum number of loops the 'ip addr flush' logic
803 will attempt before giving up. The default is 10.
804 Zero (0) means loop until all addresses are removed.
807 .BR "\-f" , " \-family"
808 followed by protocol family identifier:
809 .BR "inet" , " inet6"
812 ,enforce the protocol family to use. If the option is not present,
813 the protocol family is guessed from other arguments. If the rest
814 of the command line does not give enough information to guess the
817 falls back to the default one, usually
822 is a special family identifier meaning that no networking protocol
833 .BR "\-family inet6" .
838 .BR "\-family link" .
841 .BR "\-o" , " \-oneline"
842 output each record on a single line, replacing line feeds
845 character. This is convenient when you want to count records
853 .BR "\-r" , " \-resolve"
854 use the system's name resolver to print DNS names instead of
857 .SH IP - COMMAND SYNTAX
868 - protocol (IP or IPv6) address on a device.
872 - label configuration for protocol address selection.
876 - ARP or NDISC cache entry.
880 - routing table entry.
884 - rule in routing policy database.
892 - multicast routing cache entry.
899 The names of all objects may be written in full or
900 abbreviated form, f.e.
910 Specifies the action to perform on the object.
911 The set of possible actions depends on the object type.
912 As a rule, it is possible to
913 .BR "add" , " delete"
918 ) objects, but some objects do not allow all of these operations
919 or have some additional commands. The
921 command is available for all objects. It prints
922 out a list of available commands and argument syntax conventions.
924 If no command is given, some default command is assumed.
927 or, if the objects of this class cannot be listed,
930 .SH ip link - network device configuration
933 is a network device and the corresponding commands
934 display and change the state of devices.
936 .SS ip link add - add virtual link
940 specifies the physical device to act operate on.
943 specifies the name of the new virtual device.
946 specifies the type of the new device.
952 - 802.1q tagged virrtual LAN interface
955 - virtual interface base on link layer address (MAC)
958 - Controller Area Network interface
961 .SS ip link delete - delete virtual link
963 specifies the virtual device to act operate on.
965 specifies the type of the device.
970 specifies the physical device to act operate on.
972 .SS ip link set - change device attributes
977 specifies network device to operate on. When configuring SR-IOV Virtual Fuction
978 (VF) devices, this keyword should specify the associated Physical Function (PF)
984 has a dual role: If both group and dev are present, then move the device to the
985 specified group. If only a group is specified, then the command operates on
986 all devices in that group.
990 change the state of the device to
996 .BR "arp on " or " arp off"
1002 .BR "multicast on " or " multicast off"
1008 .BR "dynamic on " or " dynamic off"
1015 change the name of the device. This operation is not
1016 recommended if the device is running or has some addresses
1020 .BI txqueuelen " NUMBER"
1022 .BI txqlen " NUMBER"
1023 change the transmit queue length of the device.
1032 .BI address " LLADDRESS"
1033 change the station address of the interface.
1036 .BI broadcast " LLADDRESS"
1038 .BI brd " LLADDRESS"
1040 .BI peer " LLADDRESS"
1041 change the link layer broadcast address or the peer address when
1047 move the device to the network namespace associated with the process
1051 .BI netns " NETNSNAME"
1052 move the device to the network namespace associated with name
1057 give the device a symbolic name for easy reference.
1061 specify the group the device belongs to.
1062 The available groups are listed in file
1063 .BR "/etc/iproute2/group" .
1067 specify a Virtual Function device to be configured. The associated PF device
1068 must be specified using the
1073 .BI mac " LLADDRESS"
1074 - change the station address for the specified VF. The
1076 parameter must be specified.
1080 - change the assigned VLAN for the specified VF. When specified, all traffic
1081 sent from the VF will be tagged with the specified VLAN ID. Incoming traffic
1082 will be filtered for the specified VLAN ID, and will have all VLAN tags
1083 stripped before being passed to the VF. Setting this parameter to 0 disables
1084 VLAN tagging and filtering. The
1086 parameter must be specified.
1090 - assign VLAN QOS (priority) bits for the VLAN tag. When specified, all VLAN
1091 tags transmitted by the VF will include the specified priority bits in the
1092 VLAN tag. If not specified, the value is assumed to be 0. Both the
1096 parameters must be specified. Setting both
1100 as 0 disables VLAN tagging and filtering for the VF.
1104 - change the allowed transmit bandwidth, in Mbps, for the specified VF.
1105 Setting this parameter to 0 disables rate limiting. The
1107 parameter must be specified.
1111 .BI master " DEVICE"
1112 set master device of the device (enslave device).
1116 unset master device of the device (release device).
1120 If multiple parameter changes are requested,
1122 aborts immediately after any of the changes have failed.
1123 This is the only case when
1125 can move the system to an unpredictable state. The solution
1126 is to avoid changing several parameters with one
1130 .SS ip link show - display device attributes
1133 .BI dev " NAME " (default)
1135 specifies the network device to show.
1136 If this argument is omitted all devices in the default group are listed.
1141 specifies what group of devices to show.
1145 only display running interfaces.
1147 .SH ip address - protocol address management.
1151 is a protocol (IP or IPv6) address attached
1152 to a network device. Each device must have at least one address
1153 to use the corresponding protocol. It is possible to have several
1154 different addresses attached to one device. These addresses are not
1155 discriminated, so that the term
1157 is not quite appropriate for them and we do not use it in this document.
1161 command displays addresses and their properties, adds new addresses
1162 and deletes old ones.
1164 .SS ip address add - add new protocol address.
1168 the name of the device to add the address to.
1171 .BI local " ADDRESS " (default)
1172 the address of the interface. The format of the address depends
1173 on the protocol. It is a dotted quad for IP and a sequence of
1174 hexadecimal halfwords separated by colons for IPv6. The
1176 may be followed by a slash and a decimal number which encodes
1177 the network prefix length.
1181 the address of the remote endpoint for pointopoint interfaces.
1184 may be followed by a slash and a decimal number, encoding the network
1185 prefix length. If a peer address is specified, the local address
1186 cannot have a prefix length. The network prefix is associated
1187 with the peer rather than with the local address.
1190 .BI broadcast " ADDRESS"
1191 the broadcast address on the interface.
1193 It is possible to use the special symbols
1197 instead of the broadcast address. In this case, the broadcast address
1198 is derived by setting/resetting the host bits of the interface prefix.
1202 Each address may be tagged with a label string.
1203 In order to preserve compatibility with Linux-2.0 net aliases,
1204 this string must coincide with the name of the device or must be prefixed
1205 with the device name followed by colon.
1208 .BI scope " SCOPE_VALUE"
1209 the scope of the area where this address is valid.
1210 The available scopes are listed in file
1211 .BR "/etc/iproute2/rt_scopes" .
1212 Predefined scope values are:
1216 - the address is globally valid.
1219 - (IPv6 only) the address is site local, i.e. it is
1220 valid inside this site.
1223 - the address is link local, i.e. it is valid only on this device.
1226 - the address is valid only inside this host.
1229 .SS ip address delete - delete protocol address
1231 coincide with the arguments of
1233 The device name is a required argument. The rest are optional.
1234 If no arguments are given, the first address is deleted.
1236 .SS ip address show - look at protocol addresses
1239 .BI dev " NAME " (default)
1243 .BI scope " SCOPE_VAL"
1244 only list addresses with this scope.
1248 only list addresses matching this prefix.
1251 .BI label " PATTERN"
1252 only list addresses with labels matching the
1255 is a usual shell style pattern.
1258 .BR dynamic " and " permanent
1259 (IPv6 only) only list addresses installed due to stateless
1260 address configuration or only list permanent (not dynamic)
1265 (IPv6 only) only list addresses which have not yet passed duplicate
1270 (IPv6 only) only list deprecated addresses.
1274 (IPv6 only) only list addresses which have failed duplicate
1279 (IPv6 only) only list temporary addresses.
1282 .BR primary " and " secondary
1283 only list primary (or secondary) addresses.
1285 .SS ip address flush - flush protocol addresses
1286 This command flushes the protocol addresses selected by some criteria.
1289 This command has the same arguments as
1291 The difference is that it does not run when no arguments are given.
1295 This command (and other
1297 commands described below) is pretty dangerous. If you make a mistake,
1298 it will not forgive it, but will cruelly purge all the addresses.
1303 option, the command becomes verbose. It prints out the number of deleted
1304 addresses and the number of rounds made to flush the address list. If
1305 this option is given twice,
1307 also dumps all the deleted addresses in the format described in the
1308 previous subsection.
1310 .SH ip addrlabel - protocol address label management.
1312 IPv6 address label is used for address selection
1313 described in RFC 3484. Precedence is managed by userspace,
1314 and only label is stored in kernel.
1316 .SS ip addrlabel add - add an address label
1317 the command adds an address label entry to the kernel.
1319 .BI prefix " PREFIX"
1322 the outgoing interface.
1325 the label for the prefix.
1326 0xffffffff is reserved.
1327 .SS ip addrlabel del - delete an address label
1328 the command deletes an address label entry in the kernel.
1330 coincide with the arguments of
1332 but label is not required.
1333 .SS ip addrlabel list - list address labels
1334 the command show contents of address labels.
1335 .SS ip addrlabel flush - flush address labels
1336 the command flushes the contents of address labels and it does not restore default settings.
1337 .SH ip neighbour - neighbour/arp tables management.
1340 objects establish bindings between protocol addresses and
1341 link layer addresses for hosts sharing the same link.
1342 Neighbour entries are organized into tables. The IPv4 neighbour table
1343 is known by another name - the ARP table.
1346 The corresponding commands display neighbour bindings
1347 and their properties, add new neighbour entries and delete old ones.
1349 .SS ip neighbour add - add a new neighbour entry
1350 .SS ip neighbour change - change an existing entry
1351 .SS ip neighbour replace - add a new entry or change an existing one
1353 These commands create new neighbour records or update existing ones.
1356 .BI to " ADDRESS " (default)
1357 the protocol address of the neighbour. It is either an IPv4 or IPv6 address.
1361 the interface to which this neighbour is attached.
1364 .BI lladdr " LLADDRESS"
1365 the link layer address of the neighbour.
1371 .BI nud " NUD_STATE"
1372 the state of the neighbour entry.
1374 is an abbreviation for 'Neighbour Unreachability Detection'.
1375 The state can take one of the following values:
1379 - the neighbour entry is valid forever and can be only
1380 be removed administratively.
1384 - the neighbour entry is valid. No attempts to validate
1385 this entry will be made but it can be removed when its lifetime expires.
1389 - the neighbour entry is valid until the reachability
1394 - the neighbour entry is valid but suspicious.
1397 does not change the neighbour state if it was valid and the address
1398 is not changed by this command.
1401 .SS ip neighbour delete - delete a neighbour entry
1402 This command invalidates a neighbour entry.
1405 The arguments are the same as with
1406 .BR "ip neigh add" ,
1415 Attempts to delete or manually change a
1417 entry created by the kernel may result in unpredictable behaviour.
1418 Particularly, the kernel may try to resolve this address even
1421 interface or if the address is multicast or broadcast.
1423 .SS ip neighbour show - list neighbour entries
1425 This commands displays neighbour tables.
1428 .BI to " ADDRESS " (default)
1429 the prefix selecting the neighbours to list.
1433 only list the neighbours attached to this device.
1437 only list neighbours which are not currently in use.
1440 .BI nud " NUD_STATE"
1441 only list neighbour entries in this state.
1443 takes values listed below or the special value
1445 which means all states. This option may occur more than once.
1446 If this option is absent,
1448 lists all entries except for
1453 .SS ip neighbour flush - flush neighbour entries
1454 This command flushes neighbour tables, selecting
1455 entries to flush by some criteria.
1458 This command has the same arguments as
1460 The differences are that it does not run when no arguments are given,
1461 and that the default neighbour states to be flushed do not include
1469 option, the command becomes verbose. It prints out the number of
1470 deleted neighbours and the number of rounds made to flush the
1471 neighbour table. If the option is given
1474 also dumps all the deleted neighbours.
1476 .SH ip route - routing table management
1477 Manipulate route entries in the kernel routing tables keep
1478 information about paths to other networked nodes.
1484 - the route entry describes real paths to the destinations covered
1485 by the route prefix.
1489 - these destinations are unreachable. Packets are discarded and the
1493 The local senders get an
1499 - these destinations are unreachable. Packets are discarded silently.
1500 The local senders get an
1506 - these destinations are unreachable. Packets are discarded and the
1508 .I communication administratively prohibited
1509 is generated. The local senders get an
1515 - the destinations are assigned to this host. The packets are looped
1516 back and delivered locally.
1520 - the destinations are broadcast addresses. The packets are sent as
1525 - a special control route used together with policy rules. If such a
1526 route is selected, lookup in this table is terminated pretending that
1527 no route was found. Without policy routing it is equivalent to the
1528 absence of the route in the routing table. The packets are dropped
1529 and the ICMP message
1531 is generated. The local senders get an
1537 - a special NAT route. Destinations covered by the prefix
1538 are considered to be dummy (or external) addresses which require translation
1539 to real (or internal) ones before forwarding. The addresses to translate to
1540 are selected with the attribute
1542 Route NAT is no longer supported in Linux 2.6.
1548 .RI "- " "not implemented"
1549 the destinations are
1551 addresses assigned to this host. They are mainly equivalent
1554 with one difference: such addresses are invalid when used
1555 as the source address of any packet.
1559 - a special type used for multicast routing. It is not present in
1560 normal routing tables.
1565 Linux-2.x can pack routes into several routing tables identified
1566 by a number in the range from 1 to 2^31 or by name from the file
1567 .B /etc/iproute2/rt_tables
1568 By default all normal routes are inserted into the
1570 table (ID 254) and the kernel only uses this table when calculating routes.
1571 Values (0, 253, 254, and 255) are reserved for built-in use.
1574 Actually, one other table always exists, which is invisible but
1575 even more important. It is the
1577 table (ID 255). This table
1578 consists of routes for local and broadcast addresses. The kernel maintains
1579 this table automatically and the administrator usually need not modify it
1582 The multiple routing tables enter the game when
1586 .SS ip route add - add new route
1587 .SS ip route change - change route
1588 .SS ip route replace - change or add new one
1591 .BI to " TYPE PREFIX " (default)
1592 the destination prefix of the route. If
1602 is an IP or IPv6 address optionally followed by a slash and the
1603 prefix length. If the length of the prefix is missing,
1605 assumes a full-length host route. There is also a special
1608 - which is equivalent to IP
1617 the Type Of Service (TOS) key. This key has no associated mask and
1618 the longest match is understood as: First, compare the TOS
1619 of the route and of the packet. If they are not equal, then the packet
1620 may still match a route with a zero TOS.
1622 is either an 8 bit hexadecimal number or an identifier
1624 .BR "/etc/iproute2/rt_dsfield" .
1627 .BI metric " NUMBER"
1629 .BI preference " NUMBER"
1630 the preference value of the route.
1632 is an arbitrary 32bit number.
1635 .BI table " TABLEID"
1636 the table to add this route to.
1638 may be a number or a string from the file
1639 .BR "/etc/iproute2/rt_tables" .
1640 If this parameter is omitted,
1644 table, with the exception of
1645 .BR local " , " broadcast " and " nat
1646 routes, which are put into the
1652 the output device name.
1656 the address of the nexthop router. Actually, the sense of this field
1657 depends on the route type. For normal
1659 routes it is either the true next hop router or, if it is a direct
1660 route installed in BSD compatibility mode, it can be a local address
1661 of the interface. For NAT routes it is the first address of the block
1662 of translated IP destinations.
1666 the source address to prefer when sending to the destinations
1667 covered by the route prefix.
1670 .BI realm " REALMID"
1671 the realm to which this route is assigned.
1673 may be a number or a string from the file
1674 .BR "/etc/iproute2/rt_realms" .
1679 .BI "mtu lock" " MTU"
1680 the MTU along the path to the destination. If the modifier
1682 is not used, the MTU may be updated by the kernel due to
1683 Path MTU Discovery. If the modifier
1685 is used, no path MTU discovery will be tried, all packets
1686 will be sent without the DF bit in IPv4 case or fragmented
1690 .BI window " NUMBER"
1691 the maximal window for TCP to advertise to these destinations,
1692 measured in bytes. It limits maximal data bursts that our TCP
1693 peers are allowed to send to us.
1697 the initial RTT ('Round Trip Time') estimate. If no suffix is
1698 specified the units are raw values passed directly to the
1699 routing code to maintain compatibility with previous releases.
1700 Otherwise if a suffix of s, sec or secs is used to specify
1701 seconds and ms, msec or msecs to specify milliseconds.
1705 .BI rttvar " TIME " "(2.3.15+ only)"
1706 the initial RTT variance estimate. Values are specified as with
1711 .BI rto_min " TIME " "(2.6.23+ only)"
1712 the minimum TCP Retransmission TimeOut to use when communicating with this
1713 destination. Values are specified as with
1718 .BI ssthresh " NUMBER " "(2.3.15+ only)"
1719 an estimate for the initial slow start threshold.
1722 .BI cwnd " NUMBER " "(2.3.15+ only)"
1723 the clamp for congestion window. It is ignored if the
1728 .BI initcwnd " NUMBER " "(2.5.70+ only)"
1729 the initial congestion window size for connections to this destination.
1730 Actual window size is this value multiplied by the MSS
1731 (``Maximal Segment Size'') for same connection. The default is
1732 zero, meaning to use the values specified in RFC2414.
1735 .BI initrwnd " NUMBER " "(2.6.33+ only)"
1736 the initial receive window size for connections to this destination.
1737 Actual window size is this value multiplied by the MSS of the connection.
1738 The default value is zero, meaning to use Slow Start value.
1741 .BI advmss " NUMBER " "(2.3.15+ only)"
1742 the MSS ('Maximal Segment Size') to advertise to these
1743 destinations when establishing TCP connections. If it is not given,
1744 Linux uses a default value calculated from the first hop device MTU.
1745 (If the path to these destination is asymmetric, this guess may be wrong.)
1748 .BI reordering " NUMBER " "(2.3.15+ only)"
1749 Maximal reordering on the path to this destination.
1750 If it is not given, Linux uses the value selected with
1753 .BR "net/ipv4/tcp_reordering" .
1756 .BI nexthop " NEXTHOP"
1757 the nexthop of a multipath route.
1759 is a complex value with its own syntax similar to the top level
1764 - is the nexthop router.
1768 - is the output device.
1771 .BI weight " NUMBER"
1772 - is a weight for this element of a multipath
1773 route reflecting its relative bandwidth or quality.
1777 .BI scope " SCOPE_VAL"
1778 the scope of the destinations covered by the route prefix.
1780 may be a number or a string from the file
1781 .BR "/etc/iproute2/rt_scopes" .
1782 If this parameter is omitted,
1791 .BR unicast " and " broadcast
1793 .BR host " for " local
1797 .BI protocol " RTPROTO"
1798 the routing protocol identifier of this route.
1800 may be a number or a string from the file
1801 .BR "/etc/iproute2/rt_protos" .
1802 If the routing protocol ID is not given,
1803 .B ip assumes protocol
1805 (i.e. it assumes the route was added by someone who doesn't
1806 understand what they are doing). Several protocol values have
1807 a fixed interpretation.
1812 - the route was installed due to an ICMP redirect.
1816 - the route was installed by the kernel during autoconfiguration.
1820 - the route was installed during the bootup sequence.
1821 If a routing daemon starts, it will purge all of them.
1825 - the route was installed by the administrator
1826 to override dynamic routing. Routing daemon will respect them
1827 and, probably, even advertise them to its peers.
1831 - the route was installed by Router Discovery protocol.
1835 The rest of the values are not reserved and the administrator is free
1836 to assign (or not to assign) protocol tags.
1840 pretend that the nexthop is directly attached to this link,
1841 even if it does not match any interface prefix.
1843 .SS ip route delete - delete route
1846 has the same arguments as
1847 .BR "ip route add" ,
1848 but their semantics are a bit different.
1851 .RB "(" to ", " tos ", " preference " and " table ")"
1852 select the route to delete. If optional attributes are present,
1854 verifies that they coincide with the attributes of the route to delete.
1855 If no route with the given key and attributes was found,
1859 .SS ip route show - list routes
1860 the command displays the contents of the routing tables or the route(s)
1861 selected by some criteria.
1864 .BI to " SELECTOR " (default)
1865 only select routes from the given range of destinations.
1867 consists of an optional modifier
1868 .RB "(" root ", " match " or " exact ")"
1871 selects routes with prefixes not shorter than
1875 selects the entire routing table.
1877 selects routes with prefixes not longer than
1880 .BI match " 10.0/16"
1883 .IR 10/8 " and " 0/0 ,
1884 but it does not select
1885 .IR 10.1/16 " and " 10.0.0/24 .
1890 selects routes with this exact prefix. If neither of these options
1895 i.e. it lists the entire table.
1900 only select routes with the given TOS.
1903 .BI table " TABLEID"
1904 show the routes from this table(s). The default setting is to show
1907 may either be the ID of a real table or one of the special values:
1911 - list all of the tables.
1914 - dump the routing cache.
1921 list cloned routes i.e. routes which were dynamically forked from
1922 other routes because some route attribute (f.e. MTU) was updated.
1923 Actually, it is equivalent to
1924 .BR "table cache" "."
1927 .BI from " SELECTOR"
1928 the same syntax as for
1930 but it binds the source address range rather than destinations.
1933 option only works with cloned routes.
1936 .BI protocol " RTPROTO"
1937 only list routes of this protocol.
1940 .BI scope " SCOPE_VAL"
1941 only list routes with this scope.
1945 only list routes of this type.
1949 only list routes going via this device.
1953 only list routes going via the nexthop routers selected by
1958 only list routes with preferred source addresses selected
1963 .BI realm " REALMID"
1965 .BI realms " FROMREALM/TOREALM"
1966 only list routes with these realms.
1968 .SS ip route flush - flush routing tables
1969 this command flushes routes selected by some criteria.
1972 The arguments have the same syntax and semantics as the arguments of
1973 .BR "ip route show" ,
1974 but routing tables are not listed but purged. The only difference is
1977 dumps all the IP main routing table but
1979 prints the helper page.
1984 option, the command becomes verbose. It prints out the number of
1985 deleted routes and the number of rounds made to flush the routing
1986 table. If the option is given
1989 also dumps all the deleted routes in the format described in the
1990 previous subsection.
1992 .SS ip route get - get a single route
1993 this command gets a single route to a destination and prints its
1994 contents exactly as the kernel sees it.
1997 .BI to " ADDRESS " (default)
1998 the destination address.
2008 the Type Of Service.
2012 the device from which this packet is expected to arrive.
2016 force the output device on which this packet will be routed.
2020 if no source address
2021 .RB "(option " from ")"
2022 was given, relookup the route with the source set to the preferred
2023 address received from the first lookup.
2024 If policy routing is used, it may be a different route.
2027 Note that this operation is not equivalent to
2028 .BR "ip route show" .
2030 shows existing routes.
2032 resolves them and creates new clones if necessary. Essentially,
2034 is equivalent to sending a packet along this path.
2037 argument is not given, the kernel creates a route
2038 to output packets towards the requested destination.
2039 This is equivalent to pinging the destination
2041 .BR "ip route ls cache" ,
2042 however, no packets are actually sent. With the
2044 argument, the kernel pretends that a packet arrived from this interface
2045 and searches for a path to forward the packet.
2047 .SS ip route save - save routing table information to stdout
2048 this command behaves like
2050 except that the output is raw data suitable for passing to
2051 .BR "ip route restore" .
2053 .SS ip route restore - restore routing table information from stdin
2054 this command expects to read a data stream as returned from
2055 .BR "ip route save" .
2056 It will attempt to restore the routing table information exactly as
2057 it was at the time of the save, so any translation of information
2058 in the stream (such as device indexes) must be done first. Any existing
2059 routes are left unchanged. Any routes specified in the data stream that
2060 already exist in the table will be ignored.
2062 .SH ip rule - routing policy database management
2065 in the routing policy database control the route selection algorithm.
2068 Classic routing algorithms used in the Internet make routing decisions
2069 based only on the destination address of packets (and in theory,
2070 but not in practice, on the TOS field).
2073 In some circumstances we want to route packets differently depending not only
2074 on destination addresses, but also on other packet fields: source address,
2075 IP protocol, transport protocol ports or even packet payload.
2076 This task is called 'policy routing'.
2079 To solve this task, the conventional destination based routing table, ordered
2080 according to the longest match rule, is replaced with a 'routing policy
2081 database' (or RPDB), which selects routes by executing some set of rules.
2084 Each policy routing rule consists of a
2087 .B action predicate.
2088 The RPDB is scanned in the order of increasing priority. The selector
2089 of each rule is applied to {source address, destination address, incoming
2090 interface, tos, fwmark} and, if the selector matches the packet,
2091 the action is performed. The action predicate may return with success.
2092 In this case, it will either give a route or failure indication
2093 and the RPDB lookup is terminated. Otherwise, the RPDB program
2094 continues on the next rule.
2097 Semantically, natural action is to select the nexthop and the output device.
2100 At startup time the kernel configures the default RPDB consisting of three
2105 Priority: 0, Selector: match anything, Action: lookup routing
2111 table is a special routing table containing
2112 high priority control routes for local and broadcast addresses.
2114 Rule 0 is special. It cannot be deleted or overridden.
2118 Priority: 32766, Selector: match anything, Action: lookup routing
2124 table is the normal routing table containing all non-policy
2125 routes. This rule may be deleted and/or overridden with other
2126 ones by the administrator.
2130 Priority: 32767, Selector: match anything, Action: lookup routing
2136 table is empty. It is reserved for some post-processing if no previous
2137 default rules selected the packet.
2138 This rule may also be deleted.
2141 Each RPDB entry has additional
2142 attributes. F.e. each rule has a pointer to some routing
2143 table. NAT and masquerading rules have an attribute to select new IP
2144 address to translate/masquerade. Besides that, rules have some
2145 optional attributes, which routes have, namely
2147 These values do not override those contained in the routing tables. They
2148 are only used if the route did not select any attributes.
2151 The RPDB may contain rules of the following types:
2155 - the rule prescribes to return the route found
2156 in the routing table referenced by the rule.
2159 - the rule prescribes to silently drop the packet.
2162 - the rule prescribes to generate a 'Network is unreachable' error.
2165 - the rule prescribes to generate 'Communication is administratively
2169 - the rule prescribes to translate the source address
2170 of the IP packet into some other value.
2173 .SS ip rule add - insert a new rule
2174 .SS ip rule delete - delete a rule
2177 .BI type " TYPE " (default)
2178 the type of this rule. The list of valid types was given in the previous
2183 select the source prefix to match.
2187 select the destination prefix to match.
2191 select the incoming device to match. If the interface is loopback,
2192 the rule only matches packets originating from this host. This means
2193 that you may create separate routing tables for forwarded and local
2194 packets and, hence, completely segregate them.
2198 select the outgoing device to match. The outgoing interface is only
2199 available for packets originating from local sockets that are bound to
2206 select the TOS value to match.
2215 .BI priority " PREFERENCE"
2216 the priority of this rule. Each rule should have an explicitly
2220 The options preference and order are synonyms with priority.
2223 .BI table " TABLEID"
2224 the routing table identifier to lookup if the rule selector matches.
2225 It is also possible to use lookup instead of table.
2228 .BI realms " FROM/TO"
2229 Realms to select if the rule matched and the routing table lookup
2232 is only used if the route did not select any realm.
2236 The base of the IP address block to translate (for source addresses).
2239 may be either the start of the block of NAT addresses (selected by NAT
2240 routes) or a local host address (or even zero).
2241 In the last case the router does not translate the packets, but
2242 masquerades them to this address.
2243 Using map-to instead of nat means the same thing.
2246 Changes to the RPDB made with these commands do not become active
2247 immediately. It is assumed that after a script finishes a batch of
2248 updates, it flushes the routing cache with
2249 .BR "ip route flush cache" .
2251 .SS ip rule flush - also dumps all the deleted rules.
2252 This command has no arguments.
2254 .SS ip rule show - list rules
2255 This command has no arguments.
2256 The options list or lst are synonyms with show.
2258 .SH ip maddress - multicast addresses management
2261 objects are multicast addresses.
2263 .SS ip maddress show - list multicast addresses
2266 .BI dev " NAME " (default)
2269 .SS ip maddress add - add a multicast address
2270 .SS ip maddress delete - delete a multicast address
2271 these commands attach/detach a static link layer multicast address
2272 to listen on the interface.
2273 Note that it is impossible to join protocol multicast groups
2274 statically. This command only manages link layer addresses.
2277 .BI address " LLADDRESS " (default)
2278 the link layer multicast address.
2282 the device to join/leave this multicast address.
2284 .SH ip mroute - multicast routing cache management
2286 objects are multicast routing cache entries created by a user level
2287 mrouting daemon (f.e.
2293 Due to the limitations of the current interface to the multicast routing
2294 engine, it is impossible to change
2296 objects administratively, so we may only display them. This limitation
2297 will be removed in the future.
2299 .SS ip mroute show - list mroute cache entries
2302 .BI to " PREFIX " (default)
2303 the prefix selecting the destination multicast addresses to list.
2307 the interface on which multicast packets are received.
2311 the prefix selecting the IP source addresses of the multicast route.
2313 .SH ip tunnel - tunnel configuration
2315 objects are tunnels, encapsulating packets in IP packets and then
2316 sending them over the IP infrastructure.
2317 The encapulating (or outer) address family is specified by the
2319 option. The default is IPv4.
2321 .SS ip tunnel add - add a new tunnel
2322 .SS ip tunnel change - change an existing tunnel
2323 .SS ip tunnel delete - destroy a tunnel
2326 .BI name " NAME " (default)
2327 select the tunnel device name.
2331 set the tunnel mode. Available modes depend on the encapsulating address family.
2333 Modes for IPv4 encapsulation available:
2334 .BR ipip ", " sit ", " isatap " and " gre "."
2336 Modes for IPv6 encapsulation available:
2337 .BR ip6ip6 ", " ipip6 " and " any "."
2340 .BI remote " ADDRESS"
2341 set the remote endpoint of the tunnel.
2344 .BI local " ADDRESS"
2345 set the fixed local address for tunneled packets.
2346 It must be an address on another interface of this host.
2352 on tunneled packets.
2354 is a number in the range 1--255. 0 is a special value
2355 meaning that packets inherit the TTL value.
2356 The default value for IPv4 tunnels is:
2358 The default value for IPv6 tunnels is:
2368 set a fixed TOS (or traffic class in IPv6)
2370 on tunneled packets.
2371 The default value is:
2376 bind the tunnel to the device
2378 so that tunneled packets will only be routed via this device and will
2379 not be able to escape to another device when the route to endpoint
2384 disable Path MTU Discovery on this tunnel.
2385 It is enabled by default. Note that a fixed ttl is incompatible
2386 with this option: tunnelling with a fixed ttl always makes pmtu
2395 .RB ( " only GRE tunnels " )
2396 use keyed GRE with key
2398 is either a number or an IP address-like dotted quad.
2401 parameter sets the key to use in both directions.
2403 .BR ikey " and " okey
2404 parameters set different keys for input and output.
2407 .BR csum ", " icsum ", " ocsum
2408 .RB ( " only GRE tunnels " )
2409 generate/require checksums for tunneled packets.
2412 flag calculates checksums for outgoing packets.
2415 flag requires that all input packets have the correct
2418 flag is equivalent to the combination
2422 .BR seq ", " iseq ", " oseq
2423 .RB ( " only GRE tunnels " )
2427 flag enables sequencing of outgoing packets.
2430 flag requires that all input packets are serialized.
2433 flag is equivalent to the combination
2435 .B It isn't work. Don't use it.
2439 .RB ( " only IPv6 tunnels " )
2440 Inherit DS field between inner and outer header.
2443 .BI encaplim " ELIM"
2444 .RB ( " only IPv6 tunnels " )
2445 set a fixed encapsulation limit. Default is 4.
2448 .BI flowlabel " FLOWLABEL"
2449 .RB ( " only IPv6 tunnels " )
2450 set a fixed flowlabel.
2452 .SS ip tunnel prl - potential router list (ISATAP only)
2456 mandatory device name.
2459 .BI prl-default " ADDR"
2461 .BI prl-nodefault " ADDR"
2463 .BI prl-delete " ADDR"
2464 .RB "Add or delete " ADDR
2465 as a potential router or default router.
2467 .SS ip tunnel show - list tunnels
2468 This command has no arguments.
2470 .SH ip monitor and rtmon - state monitoring
2474 utility can monitor the state of devices, addresses
2475 and routes continuously. This option has a slightly different format.
2478 command is the first in the command line and then the object list follows:
2480 .BR "ip monitor" " [ " all " |"
2481 .IR LISTofOBJECTS " ]"
2484 is the list of object types that we want to monitor.
2486 .BR link ", " address " and " route "."
2491 opens RTNETLINK, listens on it and dumps state changes in the format
2492 described in previous sections.
2495 If a file name is given, it does not listen on RTNETLINK,
2496 but opens the file containing RTNETLINK messages saved in binary format
2497 and dumps them. Such a history file can be generated with the
2499 utility. This utility has a command line syntax similar to
2503 should be started before the first network configuration command
2504 is issued. F.e. if you insert:
2507 rtmon file /var/log/rtmon.log
2510 in a startup script, you will be able to view the full history
2514 Certainly, it is possible to start
2517 It prepends the history with the state snapshot dumped at the moment
2520 .SH ip netns - process network namespace management
2522 A network namespace is logically another copy of the network stack,
2523 with it's own routes, firewall rules, and network devices.
2525 By convention a named network namespace is an object at
2526 .BR "/var/run/netns/" NAME
2527 that can be opened. The file descriptor resulting from opening
2528 .BR "/var/run/netns/" NAME
2529 refers to the specified network namespace. Holding that file
2530 descriptor open keeps the network namespace alive. The file
2531 descriptor can be used with the
2533 system call to change the network namespace associated with a task.
2535 The convention for network namespace aware applications is to look
2536 for global network configuration files first in
2537 .BR "/etc/netns/" NAME "/"
2540 For example, if you want a different version of
2541 .BR /etc/resolv.conf
2542 for a network namespace used to isolate your vpn you would name it
2543 .BR /etc/netns/myvpn/resolv.conf.
2546 automates handling of this configuration, file convention for network
2547 namespace unaware applications, by creating a mount namespace and
2548 bind mounting all of the per network namespace configure files into
2549 their traditional location in /etc.
2551 .SS ip netns list - show all of the named network namespaces
2552 .SS ip netns add NAME - create a new named network namespace
2553 .SS ip netns delete NAME - delete the name of a network namespace
2554 .SS ip netns exec NAME cmd ... - Run cmd in the named network namespace
2556 .SH ip xfrm - transform configuration
2557 xfrm is an IP framework for transforming packets (such as encrypting
2558 their payloads). This framework is used to implement the IPsec protocol
2561 object operating on the Security Association Database, and the
2563 object operating on the Security Policy Database). It is also used for
2564 the IP Payload Compression Protocol and features of Mobile IPv6.
2566 .SS ip xfrm state add - add new state into xfrm
2568 .SS ip xfrm state update - update existing state in xfrm
2570 .SS ip xfrm state allocspi - allocate an SPI value
2572 .SS ip xfrm state delete - delete existing state in xfrm
2574 .SS ip xfrm state get - get existing state in xfrm
2576 .SS ip xfrm state deleteall - delete all existing state in xfrm
2578 .SS ip xfrm state list - print out the list of existing state in xfrm
2580 .SS ip xfrm state flush - flush all state in xfrm
2582 .SS ip xfrm state count - count all existing state in xfrm
2586 is specified by a source address, destination address,
2587 .RI "transform protocol " XFRM-PROTO ","
2588 and/or Security Parameter Index
2593 specifies a transform protocol:
2594 .RB "IPsec Encapsulating Security Payload (" esp "),"
2595 .RB "IPsec Authentication Header (" ah "),"
2596 .RB "IP Payload Compression (" comp "),"
2597 .RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
2598 .RB "Mobile IPv6 Home Address Option (" hao ")."
2602 specifies one or more algorithms
2604 to use. Algorithm types include
2605 .RB "encryption (" enc "),"
2606 .RB "authentication (" auth "),"
2607 .RB "authentication with a specified truncation length (" auth-trunc "),"
2608 .RB "authenticated encryption with associated data (" aead "), and"
2609 .RB "compression (" comp ")."
2610 For each algorithm used, the algorithm type, the algorithm name
2614 must be specified. For
2616 the Integrity Check Value length
2618 must additionally be specified.
2621 the signature truncation length
2623 must additionally be specified.
2627 specifies a mode of operation:
2628 .RB "IPsec transport mode (" transport "), "
2629 .RB "IPsec tunnel mode (" tunnel "), "
2630 .RB "Mobile IPv6 route optimization mode (" ro "), "
2631 .RB "Mobile IPv6 inbound trigger mode (" in_trigger "), or "
2632 .RB "IPsec ESP Bound End-to-End Tunnel Mode (" beet ")."
2636 contains one or more of the following optional flags:
2637 .BR noecn ", " decap-dscp ", " nopmtudisc ", " wildrecv ", " icmp ", "
2638 .BR af-unspec ", or " align4 "."
2642 selects the traffic that will be controlled by the policy, based on the source
2643 address, the destination address, the network device, and/or
2648 selects traffic by protocol. For the
2649 .BR tcp ", " udp ", " sctp ", or " dccp
2650 protocols, the source and destination port can optionally be specified.
2652 .BR icmp ", " ipv6-icmp ", or " mobility-header
2653 protocols, the type and code numbers can optionally be specified.
2656 protocol, the key can optionally be specified as a dotted-quad or number.
2657 Other protocols can be selected by name or number
2662 sets limits in seconds, bytes, or numbers of packets.
2666 encapsulates packets with protocol
2667 .BR espinudp " or " espinudp-nonike ","
2668 .RI "using source port " SPORT ", destination port " DPORT
2669 .RI ", and original address " OADDR "."
2671 .SS ip xfrm policy add - add a new policy
2673 .SS ip xfrm policy update - update an existing policy
2675 .SS ip xfrm policy delete - delete an existing policy
2677 .SS ip xfrm policy get - get an existing policy
2679 .SS ip xfrm policy deleteall - delete all existing xfrm policies
2681 .SS ip xfrm policy list - print out the list of xfrm policies
2683 .SS ip xfrm policy flush - flush policies
2685 .SS ip xfrm policy count - count existing policies
2689 selects the traffic that will be controlled by the policy, based on the source
2690 address, the destination address, the network device, and/or
2695 selects traffic by protocol. For the
2696 .BR tcp ", " udp ", " sctp ", or " dccp
2697 protocols, the source and destination port can optionally be specified.
2699 .BR icmp ", " ipv6-icmp ", or " mobility-header
2700 protocols, the type and code numbers can optionally be specified.
2703 protocol, the key can optionally be specified as a dotted-quad or number.
2704 Other protocols can be selected by name or number
2709 selects the policy direction as
2710 .BR in ", " out ", or " fwd "."
2714 sets the security context.
2719 .BR main " (default) or " sub "."
2724 .BR allow " (default) or " block "."
2728 is a number that defaults to zero.
2732 contains one or both of the following optional flags:
2733 .BR local " or " icmp "."
2737 sets limits in seconds, bytes, or numbers of packets.
2741 is a template list specified using
2742 .IR ID ", " MODE ", " REQID ", and/or " LEVEL ". "
2746 is specified by a source address, destination address,
2747 .RI "transform protocol " XFRM-PROTO ","
2748 and/or Security Parameter Index
2753 specifies a transform protocol:
2754 .RB "IPsec Encapsulating Security Payload (" esp "),"
2755 .RB "IPsec Authentication Header (" ah "),"
2756 .RB "IP Payload Compression (" comp "),"
2757 .RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
2758 .RB "Mobile IPv6 Home Address Option (" hao ")."
2762 specifies a mode of operation:
2763 .RB "IPsec transport mode (" transport "), "
2764 .RB "IPsec tunnel mode (" tunnel "), "
2765 .RB "Mobile IPv6 route optimization mode (" ro "), "
2766 .RB "Mobile IPv6 inbound trigger mode (" in_trigger "), or "
2767 .RB "IPsec ESP Bound End-to-End Tunnel Mode (" beet ")."
2772 .BR required " (default) or " use "."
2774 .SS ip xfrm monitor - state monitoring for xfrm objects
2775 The xfrm objects to monitor can be optionally specified.
2779 was written by Alexey N. Kuznetsov and added in Linux 2.2.
2783 .RB "IP Command reference " ip-cref.ps
2785 .RB "IP tunnels " ip-cref.ps
2787 .RB "User documentation at " http://lartc.org/ ", but please direct bugreports and patches to: " <netdev@vger.kernel.org>
2790 Original Manpage by Michail Litvak <mci@owl.openwall.com>