1 .TH IP 8 "17 January 2002" "iproute2" "Linux"
3 ip \- show / manipulate routing, devices, policy routing and tunnels
10 .RI "[ " OPTIONS " ] " OBJECT " { " COMMAND " | "
16 .BR link " | " addr " | " addrlabel " | " route " | " rule " | " neigh " | "\
17 tunnel " | " maddr " | " mroute " | " monitor " }"
22 \fB\-V\fR[\fIersion\fR] |
23 \fB\-s\fR[\fItatistics\fR] |
24 \fB\-r\fR[\fIesolve\fR] |
25 \fB\-f\fR[\fIamily\fR] {
26 .BR inet " | " inet6 " | " ipx " | " dnet " | " link " } | "
27 \fB\-o\fR[\fIneline\fR] }
30 .BI "ip link add link " DEVICE
50 .BR vlan " | " maclan " | " can " ]"
53 .BI "ip link delete " DEVICE
58 .BI "ip link set " DEVICE
59 .RB "{ " up " | " down " | " arp " { " on " | " off " } |"
61 .BR promisc " { " on " | " off " } |"
63 .BR allmulticast " { " on " | " off " } |"
65 .BR dynamic " { " on " | " off " } |"
67 .BR multicast " { " on " | " off " } |"
105 .BR "ip addr" " { " add " | " del " } "
106 .IB IFADDR " dev " STRING
109 .BR "ip addr" " { " show " | " flush " } [ " dev
114 .IR PREFIX " ] [ " FLAG-LIST " ] [ "
119 .IR IFADDR " := " PREFIX " | " ADDR
133 .RB "[ " host " | " link " | " global " | "
137 .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
141 .RB "[ " permanent " | " dynamic " | " secondary " | " primary " | "\
142 tentative " | " deprecated " | " dadfailed " | " temporary " ]"
145 .BR "ip addrlabel" " { " add " | " del " } " prefix
153 .BR "ip addrlabel" " { " list " | " flush " }"
157 .BR list " | " flush " } "
163 .BI from " ADDRESS " iif " STRING"
170 .BR "ip route" " { " add " | " del " | " change " | " append " | "\
171 replace " | " monitor " } "
192 .IR ROUTE " := " NODE_SPEC " [ " INFO_SPEC " ]"
195 .IR NODE_SPEC " := [ " TYPE " ] " PREFIX " ["
208 .IR INFO_SPEC " := " "NH OPTIONS FLAGS" " ["
219 .IR NUMBER " ] " NHFLAGS
222 .IR OPTIONS " := " FLAGS " [ "
248 .BR unicast " | " local " | " broadcast " | " multicast " | "\
249 throw " | " unreachable " | " prohibit " | " blackhole " | " nat " ]"
252 .IR TABLE_ID " := [ "
253 .BR local "| " main " | " default " | " all " |"
258 .BR host " | " link " | " global " |"
263 .BR onlink " | " pervasive " ]"
267 .BR kernel " | " boot " | " static " |"
272 .RB " [ " list " | " add " | " del " | " flush " ]"
276 .IR SELECTOR " := [ "
284 .IR FWMARK[/MASK] " ] [ "
298 .BR prohibit " | " reject " | " unreachable " ] [ " realms
299 .RI "[" SRCREALM "/]" DSTREALM " ]"
302 .IR TABLE_ID " := [ "
303 .BR local " | " main " | " default " |"
307 .BR "ip neigh" " { " add " | " del " | " change " | " replace " } { "
311 .BR nud " { " permanent " | " noarp " | " stale " | " reachable " } ] | " proxy
317 .BR "ip neigh" " { " show " | " flush " } [ " to
325 .BR "ip tunnel" " { " add " | " change " | " del " | " show " | " prl " }"
335 .RB "[ [" i "|" o "]" seq " ] [ [" i "|" o "]" key
337 .RB "[" i "|" o "]" csum " ] ]"
356 .RB "[ [" no "]" pmtudisc " ]"
359 .RB "[ " "dscp inherit" " ]"
363 .RB " { " ipip " | " gre " | " sit " | " isatap " | " ip6ip6 " | " ipip6 " | " any " }"
366 .IR ADDR " := { " IP_ADDRESS " |"
370 .IR TOS " := { " NUMBER " |"
380 .IR TTL " := { " 1 ".." 255 " | "
384 .IR KEY " := { " DOTTED_QUAD " | " NUMBER " }"
387 .IR TIME " := " NUMBER "[s|ms|us|ns|j]"
390 .BR "ip maddr" " [ " add " | " del " ]"
391 .IB MULTIADDR " dev " STRING
394 .BR "ip maddr show" " [ " dev
398 .BR "ip mroute show" " ["
406 .BR "ip monitor" " [ " all " |"
407 .IR LISTofOBJECTS " ]"
411 .IR XFRM_OBJECT " { " COMMAND " }"
414 .IR XFRM_OBJECT " := { " state " | " policy " | " monitor " } "
417 .BR "ip xfrm state " { " add " | " update " } "
427 .RB " [ " replay-window
441 .BR "ip xfrm state allocspi "
455 .BR "ip xfrm state" " { " delete " | " get " } "
459 .BR "ip xfrm state" " { " deleteall " | " list " } [ "
470 .BR "ip xfrm state flush" " [ " proto
474 .BR "ip xfrm state count"
488 .IR XFRM_PROTO " := "
489 .RB " [ " esp " | " ah " | " comp " | " route2 " | " hao " ] "
493 .RB " [ " transport " | " tunnel " | " ro " | " beet " ] "
494 .B (default=transport)
498 .RI " [ " FLAG-LIST " ] " FLAG
502 .RB " [ " noecn " | " decap-dscp " | " wildrecv " ] "
505 .IR ENCAP " := " ENCAP-TYPE " " SPORT " " DPORT " " OADDR
508 .IR ENCAP-TYPE " := "
514 .IR ALGO-LIST " := [ "
515 .IR ALGO-LIST " ] | [ "
526 .RB " [ " enc " | " auth " | " comp " ] "
531 .IR ADDR "[/" PLEN "]"
533 .IR ADDR "[/" PLEN "]"
534 .RI " [ " UPSPEC " ] "
553 .IR LIMIT-LIST " := [ " LIMIT-LIST " ] |"
559 .RB " [ [" time-soft "|" time-hard "|" time-use-soft "|" time-use-hard "]"
561 .RB "[ ["byte-soft "|" byte-hard "]"
564 .RB " [ ["packet-soft "|" packet-hard "]"
568 .BR "ip xfrm policy" " { " add " | " update " } " " dir "
581 .RI " [ " LIMIT-LIST " ] [ "
585 .BR "ip xfrm policy" " { " delete " | " get " } " " dir "
586 .IR DIR " [ " SELECTOR " | "
595 .BR "ip xfrm policy" " { " deleteall " | " list " } "
608 .B "ip xfrm policy flush"
617 .RB " [ " main " | " sub " ] "
622 .RB " [ " in " | " out " | " fwd " ] "
627 .IR ADDR "[/" PLEN "]"
629 .IR ADDR "[/" PLEN] " [ " UPSPEC
649 .RB " [ " allow " | " block " ]"
653 .IR LIMIT-LIST " := "
655 .IR LIMIT-LIST " ] | "
661 .RB " [ [" time-soft "|" time-hard "|" time-use-soft "|" time-use-hard "]"
663 .RB " [ [" byte-soft "|" byte-hard "]"
666 .RB "[" packet-soft "|" packet-hard "]"
672 .IR TMPL-LIST " ] | "
698 .IR XFRM_PROTO " := "
699 .RB " [ " esp " | " ah " | " comp " | " route2 " | " hao " ] "
703 .RB " [ " transport " | " tunnel " | " beet " ] "
704 .B (default=transport)
708 .RB " [ " required " | " use " ] "
709 .B (default=required)
712 .BR "ip xfrm monitor" " [ " all " | "
713 .IR LISTofOBJECTS " ] "
721 .BR "\-V" , " -Version"
722 print the version of the
727 .BR "\-s" , " \-stats", " \-statistics"
728 output more information. If the option
729 appears twice or more, the amount of information increases.
730 As a rule, the information is statistics or some time values.
733 .BR "\-f" , " \-family"
734 followed by protocol family identifier:
735 .BR "inet" , " inet6"
738 ,enforce the protocol family to use. If the option is not present,
739 the protocol family is guessed from other arguments. If the rest
740 of the command line does not give enough information to guess the
743 falls back to the default one, usually
748 is a special family identifier meaning that no networking protocol
759 .BR "\-family inet6" .
764 .BR "\-family link" .
767 .BR "\-o" , " \-oneline"
768 output each record on a single line, replacing line feeds
771 character. This is convenient when you want to count records
779 .BR "\-r" , " \-resolve"
780 use the system's name resolver to print DNS names instead of
783 .SH IP - COMMAND SYNTAX
794 - protocol (IP or IPv6) address on a device.
798 - label configuration for protocol address selection.
802 - ARP or NDISC cache entry.
806 - routing table entry.
810 - rule in routing policy database.
818 - multicast routing cache entry.
826 - framework for IPsec protocol.
829 The names of all objects may be written in full or
830 abbreviated form, f.e.
840 Specifies the action to perform on the object.
841 The set of possible actions depends on the object type.
842 As a rule, it is possible to
843 .BR "add" , " delete"
848 ) objects, but some objects do not allow all of these operations
849 or have some additional commands. The
851 command is available for all objects. It prints
852 out a list of available commands and argument syntax conventions.
854 If no command is given, some default command is assumed.
857 or, if the objects of this class cannot be listed,
860 .SH ip link - network device configuration
863 is a network device and the corresponding commands
864 display and change the state of devices.
866 .SS ip link add - add virtual link
870 specifies the physical device to act operate on.
873 specifies the name of the new virtual device.
876 specifies the type of the new device.
882 - 802.1q tagged virrtual LAN interface
885 - virtual interface base on link layer address (MAC)
888 - Controller Area Network interface
891 .SS ip link delete - delete virtual link
893 specifies the virtual device to act operate on.
895 specifies the type of the device.
900 specifies the physical device to act operate on.
902 .SS ip link set - change device attributes
907 specifies network device to operate on. When configuring SR-IOV Virtual Fuction
908 (VF) devices, this keyword should specify the associated Physical Function (PF)
913 change the state of the device to
919 .BR "arp on " or " arp off"
925 .BR "multicast on " or " multicast off"
931 .BR "dynamic on " or " dynamic off"
938 change the name of the device. This operation is not
939 recommended if the device is running or has some addresses
943 .BI txqueuelen " NUMBER"
946 change the transmit queue length of the device.
955 .BI address " LLADDRESS"
956 change the station address of the interface.
959 .BI broadcast " LLADDRESS"
963 .BI peer " LLADDRESS"
964 change the link layer broadcast address or the peer address when
970 move the device to the network namespace associated with the process
975 give the device a symbolic name for easy reference.
979 specify a Virtual Function device to be configured. The associated PF device
980 must be specified using the
986 - change the station address for the specified VF. The
988 parameter must be specified.
992 - change the assigned VLAN for the specified VF. When specified, all traffic
993 sent from the VF will be tagged with the specified VLAN ID. Incoming traffic
994 will be filtered for the specified VLAN ID, and will have all VLAN tags
995 stripped before being passed to the VF. Setting this parameter to 0 disables
996 VLAN tagging and filtering. The
998 parameter must be specified.
1002 - assign VLAN QOS (priority) bits for the VLAN tag. When specified, all VLAN
1003 tags transmitted by the VF will include the specified priority bits in the
1004 VLAN tag. If not specified, the value is assumed to be 0. Both the
1008 parameters must be specified. Setting both
1012 as 0 disables VLAN tagging and filtering for the VF.
1016 - change the allowed transmit bandwidth, in Mbps, for the specified VF.
1017 Setting this parameter to 0 disables rate limiting. The
1019 parameter must be specified.
1024 If multiple parameter changes are requested,
1026 aborts immediately after any of the changes have failed.
1027 This is the only case when
1029 can move the system to an unpredictable state. The solution
1030 is to avoid changing several parameters with one
1034 .SS ip link show - display device attributes
1037 .BI dev " NAME " (default)
1039 specifies the network device to show.
1040 If this argument is omitted all devices are listed.
1044 only display running interfaces.
1046 .SH ip address - protocol address management.
1050 is a protocol (IP or IPv6) address attached
1051 to a network device. Each device must have at least one address
1052 to use the corresponding protocol. It is possible to have several
1053 different addresses attached to one device. These addresses are not
1054 discriminated, so that the term
1056 is not quite appropriate for them and we do not use it in this document.
1060 command displays addresses and their properties, adds new addresses
1061 and deletes old ones.
1063 .SS ip address add - add new protocol address.
1067 the name of the device to add the address to.
1070 .BI local " ADDRESS " (default)
1071 the address of the interface. The format of the address depends
1072 on the protocol. It is a dotted quad for IP and a sequence of
1073 hexadecimal halfwords separated by colons for IPv6. The
1075 may be followed by a slash and a decimal number which encodes
1076 the network prefix length.
1080 the address of the remote endpoint for pointopoint interfaces.
1083 may be followed by a slash and a decimal number, encoding the network
1084 prefix length. If a peer address is specified, the local address
1085 cannot have a prefix length. The network prefix is associated
1086 with the peer rather than with the local address.
1089 .BI broadcast " ADDRESS"
1090 the broadcast address on the interface.
1092 It is possible to use the special symbols
1096 instead of the broadcast address. In this case, the broadcast address
1097 is derived by setting/resetting the host bits of the interface prefix.
1101 Each address may be tagged with a label string.
1102 In order to preserve compatibility with Linux-2.0 net aliases,
1103 this string must coincide with the name of the device or must be prefixed
1104 with the device name followed by colon.
1107 .BI scope " SCOPE_VALUE"
1108 the scope of the area where this address is valid.
1109 The available scopes are listed in file
1110 .BR "/etc/iproute2/rt_scopes" .
1111 Predefined scope values are:
1115 - the address is globally valid.
1118 - (IPv6 only) the address is site local, i.e. it is
1119 valid inside this site.
1122 - the address is link local, i.e. it is valid only on this device.
1125 - the address is valid only inside this host.
1128 .SS ip address delete - delete protocol address
1130 coincide with the arguments of
1132 The device name is a required argument. The rest are optional.
1133 If no arguments are given, the first address is deleted.
1135 .SS ip address show - look at protocol addresses
1138 .BI dev " NAME " (default)
1142 .BI scope " SCOPE_VAL"
1143 only list addresses with this scope.
1147 only list addresses matching this prefix.
1150 .BI label " PATTERN"
1151 only list addresses with labels matching the
1154 is a usual shell style pattern.
1157 .BR dynamic " and " permanent
1158 (IPv6 only) only list addresses installed due to stateless
1159 address configuration or only list permanent (not dynamic)
1164 (IPv6 only) only list addresses which have not yet passed duplicate
1169 (IPv6 only) only list deprecated addresses.
1173 (IPv6 only) only list addresses which have failed duplicate
1178 (IPv6 only) only list temporary addresses.
1181 .BR primary " and " secondary
1182 only list primary (or secondary) addresses.
1184 .SS ip address flush - flush protocol addresses
1185 This command flushes the protocol addresses selected by some criteria.
1188 This command has the same arguments as
1190 The difference is that it does not run when no arguments are given.
1194 This command (and other
1196 commands described below) is pretty dangerous. If you make a mistake,
1197 it will not forgive it, but will cruelly purge all the addresses.
1202 option, the command becomes verbose. It prints out the number of deleted
1203 addresses and the number of rounds made to flush the address list. If
1204 this option is given twice,
1206 also dumps all the deleted addresses in the format described in the
1207 previous subsection.
1209 .SH ip addrlabel - protocol address label management.
1211 IPv6 address label is used for address selection
1212 described in RFC 3484. Precedence is managed by userspace,
1213 and only label is stored in kernel.
1215 .SS ip addrlabel add - add an address label
1216 the command adds an address label entry to the kernel.
1218 .BI prefix " PREFIX"
1221 the outgoing interface.
1224 the label for the prefix.
1225 0xffffffff is reserved.
1226 .SS ip addrlabel del - delete an address label
1227 the command deletes an address label entry in the kernel.
1229 coincide with the arguments of
1231 but label is not required.
1232 .SS ip addrlabel list - list address labels
1233 the command show contents of address labels.
1234 .SS ip addrlabel flush - flush address labels
1235 the command flushes the contents of address labels and it does not restore default settings.
1236 .SH ip neighbour - neighbour/arp tables management.
1239 objects establish bindings between protocol addresses and
1240 link layer addresses for hosts sharing the same link.
1241 Neighbour entries are organized into tables. The IPv4 neighbour table
1242 is known by another name - the ARP table.
1245 The corresponding commands display neighbour bindings
1246 and their properties, add new neighbour entries and delete old ones.
1248 .SS ip neighbour add - add a new neighbour entry
1249 .SS ip neighbour change - change an existing entry
1250 .SS ip neighbour replace - add a new entry or change an existing one
1252 These commands create new neighbour records or update existing ones.
1255 .BI to " ADDRESS " (default)
1256 the protocol address of the neighbour. It is either an IPv4 or IPv6 address.
1260 the interface to which this neighbour is attached.
1263 .BI lladdr " LLADDRESS"
1264 the link layer address of the neighbour.
1270 .BI nud " NUD_STATE"
1271 the state of the neighbour entry.
1273 is an abbreviation for 'Neigh bour Unreachability Detection'.
1274 The state can take one of the following values:
1278 - the neighbour entry is valid forever and can be only
1279 be removed administratively.
1283 - the neighbour entry is valid. No attempts to validate
1284 this entry will be made but it can be removed when its lifetime expires.
1288 - the neighbour entry is valid until the reachability
1293 - the neighbour entry is valid but suspicious.
1296 does not change the neighbour state if it was valid and the address
1297 is not changed by this command.
1300 .SS ip neighbour delete - delete a neighbour entry
1301 This command invalidates a neighbour entry.
1304 The arguments are the same as with
1305 .BR "ip neigh add" ,
1314 Attempts to delete or manually change a
1316 entry created by the kernel may result in unpredictable behaviour.
1317 Particularly, the kernel may try to resolve this address even
1320 interface or if the address is multicast or broadcast.
1322 .SS ip neighbour show - list neighbour entries
1324 This commands displays neighbour tables.
1327 .BI to " ADDRESS " (default)
1328 the prefix selecting the neighbours to list.
1332 only list the neighbours attached to this device.
1336 only list neighbours which are not currently in use.
1339 .BI nud " NUD_STATE"
1340 only list neighbour entries in this state.
1342 takes values listed below or the special value
1344 which means all states. This option may occur more than once.
1345 If this option is absent,
1347 lists all entries except for
1352 .SS ip neighbour flush - flush neighbour entries
1353 This command flushes neighbour tables, selecting
1354 entries to flush by some criteria.
1357 This command has the same arguments as
1359 The differences are that it does not run when no arguments are given,
1360 and that the default neighbour states to be flushed do not include
1368 option, the command becomes verbose. It prints out the number of
1369 deleted neighbours and the number of rounds made to flush the
1370 neighbour table. If the option is given
1373 also dumps all the deleted neighbours.
1375 .SH ip route - routing table management
1376 Manipulate route entries in the kernel routing tables keep
1377 information about paths to other networked nodes.
1383 - the route entry describes real paths to the destinations covered
1384 by the route prefix.
1388 - these destinations are unreachable. Packets are discarded and the
1392 The local senders get an
1398 - these destinations are unreachable. Packets are discarded silently.
1399 The local senders get an
1405 - these destinations are unreachable. Packets are discarded and the
1407 .I communication administratively prohibited
1408 is generated. The local senders get an
1414 - the destinations are assigned to this host. The packets are looped
1415 back and delivered locally.
1419 - the destinations are broadcast addresses. The packets are sent as
1424 - a special control route used together with policy rules. If such a
1425 route is selected, lookup in this table is terminated pretending that
1426 no route was found. Without policy routing it is equivalent to the
1427 absence of the route in the routing table. The packets are dropped
1428 and the ICMP message
1430 is generated. The local senders get an
1436 - a special NAT route. Destinations covered by the prefix
1437 are considered to be dummy (or external) addresses which require translation
1438 to real (or internal) ones before forwarding. The addresses to translate to
1439 are selected with the attribute
1441 Route NAT is no longer supported in Linux 2.6.
1447 .RI "- " "not implemented"
1448 the destinations are
1450 addresses assigned to this host. They are mainly equivalent
1453 with one difference: such addresses are invalid when used
1454 as the source address of any packet.
1458 - a special type used for multicast routing. It is not present in
1459 normal routing tables.
1464 Linux-2.x can pack routes into several routing tables identified
1465 by a number in the range from 1 to 2^31 or by name from the file
1466 .B /etc/iproute2/rt_tables
1467 By default all normal routes are inserted into the
1469 table (ID 254) and the kernel only uses this table when calculating routes.
1470 Values (0, 253, 254, and 255) are reserved for built-in use.
1473 Actually, one other table always exists, which is invisible but
1474 even more important. It is the
1476 table (ID 255). This table
1477 consists of routes for local and broadcast addresses. The kernel maintains
1478 this table automatically and the administrator usually need not modify it
1481 The multiple routing tables enter the game when
1485 .SS ip route add - add new route
1486 .SS ip route change - change route
1487 .SS ip route replace - change or add new one
1490 .BI to " TYPE PREFIX " (default)
1491 the destination prefix of the route. If
1501 is an IP or IPv6 address optionally followed by a slash and the
1502 prefix length. If the length of the prefix is missing,
1504 assumes a full-length host route. There is also a special
1507 - which is equivalent to IP
1516 the Type Of Service (TOS) key. This key has no associated mask and
1517 the longest match is understood as: First, compare the TOS
1518 of the route and of the packet. If they are not equal, then the packet
1519 may still match a route with a zero TOS.
1521 is either an 8 bit hexadecimal number or an identifier
1523 .BR "/etc/iproute2/rt_dsfield" .
1526 .BI metric " NUMBER"
1528 .BI preference " NUMBER"
1529 the preference value of the route.
1531 is an arbitrary 32bit number.
1534 .BI table " TABLEID"
1535 the table to add this route to.
1537 may be a number or a string from the file
1538 .BR "/etc/iproute2/rt_tables" .
1539 If this parameter is omitted,
1543 table, with the exception of
1544 .BR local " , " broadcast " and " nat
1545 routes, which are put into the
1551 the output device name.
1555 the address of the nexthop router. Actually, the sense of this field
1556 depends on the route type. For normal
1558 routes it is either the true next hop router or, if it is a direct
1559 route installed in BSD compatibility mode, it can be a local address
1560 of the interface. For NAT routes it is the first address of the block
1561 of translated IP destinations.
1565 the source address to prefer when sending to the destinations
1566 covered by the route prefix.
1569 .BI realm " REALMID"
1570 the realm to which this route is assigned.
1572 may be a number or a string from the file
1573 .BR "/etc/iproute2/rt_realms" .
1578 .BI "mtu lock" " MTU"
1579 the MTU along the path to the destination. If the modifier
1581 is not used, the MTU may be updated by the kernel due to
1582 Path MTU Discovery. If the modifier
1584 is used, no path MTU discovery will be tried, all packets
1585 will be sent without the DF bit in IPv4 case or fragmented
1589 .BI window " NUMBER"
1590 the maximal window for TCP to advertise to these destinations,
1591 measured in bytes. It limits maximal data bursts that our TCP
1592 peers are allowed to send to us.
1596 the initial RTT ('Round Trip Time') estimate. If no suffix is
1597 specified the units are raw values passed directly to the
1598 routing code to maintain compatability with previous releases.
1599 Otherwise if a suffix of s, sec or secs is used to specify
1600 seconds; ms, msec or msecs to specify milliseconds; us, usec
1601 or usecs to specify microseconds; ns, nsec or nsecs to specify
1602 nanoseconds; j, hz or jiffies to specify jiffies, the value is
1603 converted to what the routing code expects.
1607 .BI rttvar " TIME " "(2.3.15+ only)"
1608 the initial RTT variance estimate. Values are specified as with
1613 .BI rto_min " TIME " "(2.6.23+ only)"
1614 the minimum TCP Retransmission TimeOut to use when communicating with this
1615 destination. Values are specified as with
1620 .BI ssthresh " NUMBER " "(2.3.15+ only)"
1621 an estimate for the initial slow start threshold.
1624 .BI cwnd " NUMBER " "(2.3.15+ only)"
1625 the clamp for congestion window. It is ignored if the
1630 .BI initcwnd " NUMBER " "(2.5.70+ only)"
1631 the initial congestion window size for connections to this destination.
1632 Actual window size is this value multiplied by the MSS
1633 (``Maximal Segment Size'') for same connection. The default is
1634 zero, meaning to use the values specified in RFC2414.
1637 .BI initrwnd " NUMBER " "(2.6.33+ only)"
1638 the initial receive window size for connections to this destination.
1639 Actual window size is this value multiplied by the MSS of the connection.
1640 The default value is zero, meaning to use Slow Start value.
1643 .BI advmss " NUMBER " "(2.3.15+ only)"
1644 the MSS ('Maximal Segment Size') to advertise to these
1645 destinations when establishing TCP connections. If it is not given,
1646 Linux uses a default value calculated from the first hop device MTU.
1647 (If the path to these destination is asymmetric, this guess may be wrong.)
1650 .BI reordering " NUMBER " "(2.3.15+ only)"
1651 Maximal reordering on the path to this destination.
1652 If it is not given, Linux uses the value selected with
1655 .BR "net/ipv4/tcp_reordering" .
1658 .BI nexthop " NEXTHOP"
1659 the nexthop of a multipath route.
1661 is a complex value with its own syntax similar to the top level
1666 - is the nexthop router.
1670 - is the output device.
1673 .BI weight " NUMBER"
1674 - is a weight for this element of a multipath
1675 route reflecting its relative bandwidth or quality.
1679 .BI scope " SCOPE_VAL"
1680 the scope of the destinations covered by the route prefix.
1682 may be a number or a string from the file
1683 .BR "/etc/iproute2/rt_scopes" .
1684 If this parameter is omitted,
1693 .BR unicast " and " broadcast
1695 .BR host " for " local
1699 .BI protocol " RTPROTO"
1700 the routing protocol identifier of this route.
1702 may be a number or a string from the file
1703 .BR "/etc/iproute2/rt_protos" .
1704 If the routing protocol ID is not given,
1705 .B ip assumes protocol
1707 (i.e. it assumes the route was added by someone who doesn't
1708 understand what they are doing). Several protocol values have
1709 a fixed interpretation.
1714 - the route was installed due to an ICMP redirect.
1718 - the route was installed by the kernel during autoconfiguration.
1722 - the route was installed during the bootup sequence.
1723 If a routing daemon starts, it will purge all of them.
1727 - the route was installed by the administrator
1728 to override dynamic routing. Routing daemon will respect them
1729 and, probably, even advertise them to its peers.
1733 - the route was installed by Router Discovery protocol.
1737 The rest of the values are not reserved and the administrator is free
1738 to assign (or not to assign) protocol tags.
1742 pretend that the nexthop is directly attached to this link,
1743 even if it does not match any interface prefix.
1745 .SS ip route delete - delete route
1748 has the same arguments as
1749 .BR "ip route add" ,
1750 but their semantics are a bit different.
1753 .RB "(" to ", " tos ", " preference " and " table ")"
1754 select the route to delete. If optional attributes are present,
1756 verifies that they coincide with the attributes of the route to delete.
1757 If no route with the given key and attributes was found,
1761 .SS ip route show - list routes
1762 the command displays the contents of the routing tables or the route(s)
1763 selected by some criteria.
1766 .BI to " SELECTOR " (default)
1767 only select routes from the given range of destinations.
1769 consists of an optional modifier
1770 .RB "(" root ", " match " or " exact ")"
1773 selects routes with prefixes not shorter than
1777 selects the entire routing table.
1779 selects routes with prefixes not longer than
1782 .BI match " 10.0/16"
1785 .IR 10/8 " and " 0/0 ,
1786 but it does not select
1787 .IR 10.1/16 " and " 10.0.0/24 .
1792 selects routes with this exact prefix. If neither of these options
1797 i.e. it lists the entire table.
1802 only select routes with the given TOS.
1805 .BI table " TABLEID"
1806 show the routes from this table(s). The default setting is to show
1809 may either be the ID of a real table or one of the special values:
1813 - list all of the tables.
1816 - dump the routing cache.
1823 list cloned routes i.e. routes which were dynamically forked from
1824 other routes because some route attribute (f.e. MTU) was updated.
1825 Actually, it is equivalent to
1826 .BR "table cache" "."
1829 .BI from " SELECTOR"
1830 the same syntax as for
1832 but it binds the source address range rather than destinations.
1835 option only works with cloned routes.
1838 .BI protocol " RTPROTO"
1839 only list routes of this protocol.
1842 .BI scope " SCOPE_VAL"
1843 only list routes with this scope.
1847 only list routes of this type.
1851 only list routes going via this device.
1855 only list routes going via the nexthop routers selected by
1860 only list routes with preferred source addresses selected
1865 .BI realm " REALMID"
1867 .BI realms " FROMREALM/TOREALM"
1868 only list routes with these realms.
1870 .SS ip route flush - flush routing tables
1871 this command flushes routes selected by some criteria.
1874 The arguments have the same syntax and semantics as the arguments of
1875 .BR "ip route show" ,
1876 but routing tables are not listed but purged. The only difference is
1879 dumps all the IP main routing table but
1881 prints the helper page.
1886 option, the command becomes verbose. It prints out the number of
1887 deleted routes and the number of rounds made to flush the routing
1888 table. If the option is given
1891 also dumps all the deleted routes in the format described in the
1892 previous subsection.
1894 .SS ip route get - get a single route
1895 this command gets a single route to a destination and prints its
1896 contents exactly as the kernel sees it.
1899 .BI to " ADDRESS " (default)
1900 the destination address.
1910 the Type Of Service.
1914 the device from which this packet is expected to arrive.
1918 force the output device on which this packet will be routed.
1922 if no source address
1923 .RB "(option " from ")"
1924 was given, relookup the route with the source set to the preferred
1925 address received from the first lookup.
1926 If policy routing is used, it may be a different route.
1929 Note that this operation is not equivalent to
1930 .BR "ip route show" .
1932 shows existing routes.
1934 resolves them and creates new clones if necessary. Essentially,
1936 is equivalent to sending a packet along this path.
1939 argument is not given, the kernel creates a route
1940 to output packets towards the requested destination.
1941 This is equivalent to pinging the destination
1943 .BR "ip route ls cache" ,
1944 however, no packets are actually sent. With the
1946 argument, the kernel pretends that a packet arrived from this interface
1947 and searches for a path to forward the packet.
1949 .SH ip rule - routing policy database management
1952 in the routing policy database control the route selection algorithm.
1955 Classic routing algorithms used in the Internet make routing decisions
1956 based only on the destination address of packets (and in theory,
1957 but not in practice, on the TOS field).
1960 In some circumstances we want to route packets differently depending not only
1961 on destination addresses, but also on other packet fields: source address,
1962 IP protocol, transport protocol ports or even packet payload.
1963 This task is called 'policy routing'.
1966 To solve this task, the conventional destination based routing table, ordered
1967 according to the longest match rule, is replaced with a 'routing policy
1968 database' (or RPDB), which selects routes by executing some set of rules.
1971 Each policy routing rule consists of a
1974 .B action predicate.
1975 The RPDB is scanned in the order of increasing priority. The selector
1976 of each rule is applied to {source address, destination address, incoming
1977 interface, tos, fwmark} and, if the selector matches the packet,
1978 the action is performed. The action predicate may return with success.
1979 In this case, it will either give a route or failure indication
1980 and the RPDB lookup is terminated. Otherwise, the RPDB program
1981 continues on the next rule.
1984 Semantically, natural action is to select the nexthop and the output device.
1987 At startup time the kernel configures the default RPDB consisting of three
1992 Priority: 0, Selector: match anything, Action: lookup routing
1998 table is a special routing table containing
1999 high priority control routes for local and broadcast addresses.
2001 Rule 0 is special. It cannot be deleted or overridden.
2005 Priority: 32766, Selector: match anything, Action: lookup routing
2011 table is the normal routing table containing all non-policy
2012 routes. This rule may be deleted and/or overridden with other
2013 ones by the administrator.
2017 Priority: 32767, Selector: match anything, Action: lookup routing
2023 table is empty. It is reserved for some post-processing if no previous
2024 default rules selected the packet.
2025 This rule may also be deleted.
2028 Each RPDB entry has additional
2029 attributes. F.e. each rule has a pointer to some routing
2030 table. NAT and masquerading rules have an attribute to select new IP
2031 address to translate/masquerade. Besides that, rules have some
2032 optional attributes, which routes have, namely
2034 These values do not override those contained in the routing tables. They
2035 are only used if the route did not select any attributes.
2038 The RPDB may contain rules of the following types:
2042 - the rule prescribes to return the route found
2043 in the routing table referenced by the rule.
2046 - the rule prescribes to silently drop the packet.
2049 - the rule prescribes to generate a 'Network is unreachable' error.
2052 - the rule prescribes to generate 'Communication is administratively
2056 - the rule prescribes to translate the source address
2057 of the IP packet into some other value.
2060 .SS ip rule add - insert a new rule
2061 .SS ip rule delete - delete a rule
2064 .BI type " TYPE " (default)
2065 the type of this rule. The list of valid types was given in the previous
2070 select the source prefix to match.
2074 select the destination prefix to match.
2078 select the incoming device to match. If the interface is loopback,
2079 the rule only matches packets originating from this host. This means
2080 that you may create separate routing tables for forwarded and local
2081 packets and, hence, completely segregate them.
2085 select the outgoing device to match. The outgoing interface is only
2086 available for packets originating from local sockets that are bound to
2093 select the TOS value to match.
2102 .BI priority " PREFERENCE"
2103 the priority of this rule. Each rule should have an explicitly
2107 The options preference and order are synonyms with priority.
2110 .BI table " TABLEID"
2111 the routing table identifier to lookup if the rule selector matches.
2112 It is also possible to use lookup instead of table.
2115 .BI realms " FROM/TO"
2116 Realms to select if the rule matched and the routing table lookup
2119 is only used if the route did not select any realm.
2123 The base of the IP address block to translate (for source addresses).
2126 may be either the start of the block of NAT addresses (selected by NAT
2127 routes) or a local host address (or even zero).
2128 In the last case the router does not translate the packets, but
2129 masquerades them to this address.
2130 Using map-to instead of nat means the same thing.
2133 Changes to the RPDB made with these commands do not become active
2134 immediately. It is assumed that after a script finishes a batch of
2135 updates, it flushes the routing cache with
2136 .BR "ip route flush cache" .
2138 .SS ip rule flush - also dumps all the deleted rules.
2139 This command has no arguments.
2141 .SS ip rule show - list rules
2142 This command has no arguments.
2143 The options list or lst are synonyms with show.
2145 .SH ip maddress - multicast addresses management
2148 objects are multicast addresses.
2150 .SS ip maddress show - list multicast addresses
2153 .BI dev " NAME " (default)
2156 .SS ip maddress add - add a multicast address
2157 .SS ip maddress delete - delete a multicast address
2158 these commands attach/detach a static link layer multicast address
2159 to listen on the interface.
2160 Note that it is impossible to join protocol multicast groups
2161 statically. This command only manages link layer addresses.
2164 .BI address " LLADDRESS " (default)
2165 the link layer multicast address.
2169 the device to join/leave this multicast address.
2171 .SH ip mroute - multicast routing cache management
2173 objects are multicast routing cache entries created by a user level
2174 mrouting daemon (f.e.
2180 Due to the limitations of the current interface to the multicast routing
2181 engine, it is impossible to change
2183 objects administratively, so we may only display them. This limitation
2184 will be removed in the future.
2186 .SS ip mroute show - list mroute cache entries
2189 .BI to " PREFIX " (default)
2190 the prefix selecting the destination multicast addresses to list.
2194 the interface on which multicast packets are received.
2198 the prefix selecting the IP source addresses of the multicast route.
2200 .SH ip tunnel - tunnel configuration
2202 objects are tunnels, encapsulating packets in IP packets and then
2203 sending them over the IP infrastructure.
2204 The encapulating (or outer) address family is specified by the
2206 option. The default is IPv4.
2208 .SS ip tunnel add - add a new tunnel
2209 .SS ip tunnel change - change an existing tunnel
2210 .SS ip tunnel delete - destroy a tunnel
2213 .BI name " NAME " (default)
2214 select the tunnel device name.
2218 set the tunnel mode. Available modes depend on the encapsulating address family.
2220 Modes for IPv4 encapsulation available:
2221 .BR ipip ", " sit ", " isatap " and " gre "."
2223 Modes for IPv6 encapsulation available:
2224 .BR ip6ip6 ", " ipip6 " and " any "."
2227 .BI remote " ADDRESS"
2228 set the remote endpoint of the tunnel.
2231 .BI local " ADDRESS"
2232 set the fixed local address for tunneled packets.
2233 It must be an address on another interface of this host.
2239 on tunneled packets.
2241 is a number in the range 1--255. 0 is a special value
2242 meaning that packets inherit the TTL value.
2243 The default value for IPv4 tunnels is:
2245 The default value for IPv6 tunnels is:
2255 set a fixed TOS (or traffic class in IPv6)
2257 on tunneled packets.
2258 The default value is:
2263 bind the tunnel to the device
2265 so that tunneled packets will only be routed via this device and will
2266 not be able to escape to another device when the route to endpoint
2271 disable Path MTU Discovery on this tunnel.
2272 It is enabled by default. Note that a fixed ttl is incompatible
2273 with this option: tunnelling with a fixed ttl always makes pmtu
2282 .RB ( " only GRE tunnels " )
2283 use keyed GRE with key
2285 is either a number or an IP address-like dotted quad.
2288 parameter sets the key to use in both directions.
2290 .BR ikey " and " okey
2291 parameters set different keys for input and output.
2294 .BR csum ", " icsum ", " ocsum
2295 .RB ( " only GRE tunnels " )
2296 generate/require checksums for tunneled packets.
2299 flag calculates checksums for outgoing packets.
2302 flag requires that all input packets have the correct
2305 flag is equivalent to the combination
2309 .BR seq ", " iseq ", " oseq
2310 .RB ( " only GRE tunnels " )
2314 flag enables sequencing of outgoing packets.
2317 flag requires that all input packets are serialized.
2320 flag is equivalent to the combination
2322 .B It isn't work. Don't use it.
2326 .RB ( " only IPv6 tunnels " )
2327 Inherit DS field between inner and outer header.
2330 .BI encaplim " ELIM"
2331 .RB ( " only IPv6 tunnels " )
2332 set a fixed encapsulation limit. Default is 4.
2335 .BI flowlabel " FLOWLABEL"
2336 .RB ( " only IPv6 tunnels " )
2337 set a fixed flowlabel.
2339 .SS ip tunnel prl - potential router list (ISATAP only)
2343 mandatory device name.
2346 .BI prl-default " ADDR"
2348 .BI prl-nodefault " ADDR"
2350 .BI prl-delete " ADDR"
2351 .RB "Add or delete " ADDR
2352 as a potential router or default router.
2354 .SS ip tunnel show - list tunnels
2355 This command has no arguments.
2357 .SH ip monitor and rtmon - state monitoring
2361 utility can monitor the state of devices, addresses
2362 and routes continuously. This option has a slightly different format.
2365 command is the first in the command line and then the object list follows:
2367 .BR "ip monitor" " [ " all " |"
2368 .IR LISTofOBJECTS " ]"
2371 is the list of object types that we want to monitor.
2373 .BR link ", " address " and " route "."
2378 opens RTNETLINK, listens on it and dumps state changes in the format
2379 described in previous sections.
2382 If a file name is given, it does not listen on RTNETLINK,
2383 but opens the file containing RTNETLINK messages saved in binary format
2384 and dumps them. Such a history file can be generated with the
2386 utility. This utility has a command line syntax similar to
2390 should be started before the first network configuration command
2391 is issued. F.e. if you insert:
2394 rtmon file /var/log/rtmon.log
2397 in a startup script, you will be able to view the full history
2401 Certainly, it is possible to start
2404 It prepends the history with the state snapshot dumped at the moment
2407 .SH ip xfrm - setting xfrm
2408 xfrm is an IP framework, which can transform format of the datagrams,
2410 i.e. encrypt the packets with some algorithm. xfrm policy and xfrm state
2411 are associated through templates
2413 This framework is used as a part of IPsec protocol.
2415 .SS ip xfrm state add - add new state into xfrm
2417 .SS ip xfrm state update - update existing xfrm state
2419 .SS ip xfrm state allocspi - allocate SPI value
2423 is set as default to
2425 but it could be set to
2426 .BR tunnel "," ro " or " beet "."
2430 contains one or more flags.
2435 .BR noecn ", " decap-dscp " or " wildrecv "."
2439 encapsulation is set to encapsulation type
2440 .IR ENCAP-TYPE ", source port " SPORT ", destination port " DPORT " and " OADDR "."
2445 .BR espinudp " or " espinudp-nonike "."
2449 contains one or more algorithms
2451 which depend on the type of algorithm set by
2453 It can be used these algoritms
2454 .BR enc ", " auth " or " comp "."
2456 .SS ip xfrm policy add - add a new policy
2458 .SS ip xfrm policy update - update an existing policy
2460 .SS ip xfrm policy delete - delete existing policy
2462 .SS ip xfrm policy get - get existing policy
2464 .SS ip xfrm policy deleteall - delete all existing xfrm policy
2466 .SS ip xfrm policy list - print out the list of xfrm policy
2468 .SS ip xfrm policy flush - flush policies
2471 policies or only those specified with
2476 directory could be one of these:
2477 .BR "inp", " out " or " fwd".
2481 selects for which addresses will be set up the policy. The selector
2482 is defined by source and destination address.
2486 is defined by source port
2496 specify network device.
2500 the number of indexed policy.
2504 type is set as default on
2510 .BI action " ACTION "
2511 is set as default on
2513 It could be switch on
2517 .BI priority " PRIORITY "
2518 priority is a number. Default priority is set on zero.
2522 limits are set in seconds, bytes or numbers of packets.
2526 template list is based on
2528 .BR mode ", " reqid " and " level ". "
2532 is specified by source address, destination address,
2540 .BR esp ", " ah ", " comp ", " route2 " or " hao "."
2544 is set as default on
2546 but it could be set on
2547 .BR tunnel " or " beet "."
2551 is set as default on
2553 and the other choice is
2565 .SS ip xfrm monitor - is used for listing all objects or defined group of them.
2568 can monitor the policies for all objects or defined group of them.
2572 was written by Alexey N. Kuznetsov and added in Linux 2.2.
2576 .RB "IP Command reference " ip-cref.ps
2578 .RB "IP tunnels " ip-cref.ps
2580 .RB "User documentation at " http://lartc.org/ ", but please direct bugreports and patches to: " <netdev@vger.kernel.org>
2583 Original Manpage by Michail Litvak <mci@owl.openwall.com>