1 .TH IP 8 "17 January 2002" "iproute2" "Linux"
3 ip \- show / manipulate routing, devices, policy routing and tunnels
10 .RI "[ " OPTIONS " ] " OBJECT " { " COMMAND " | "
16 .BR link " | " addr " | " addrlabel " | " route " | " rule " | " neigh " | "\
17 tunnel " | " maddr " | " mroute " }"
22 \fB\-V\fR[\fIersion\fR] |
23 \fB\-s\fR[\fItatistics\fR] |
24 \fB\-r\fR[\fIesolve\fR] |
25 \fB\-f\fR[\fIamily\fR] {
26 .BR inet " | " inet6 " | " ipx " | " dnet " | " link " } | "
27 \fB\-o\fR[\fIneline\fR] }
30 .BI "ip link add link " DEVICE
50 .BR vlan " | " veth " | " vcan " | " dummy " | " ifb " | " macvlan " | " can " | " bridge ]"
53 .BI "ip link delete " DEVICE
61 .RB "} { " up " | " down " | " arp " { " on " | " off " } |"
63 .BR promisc " { " on " | " off " } |"
65 .BR allmulticast " { " on " | " off " } |"
67 .BR dynamic " { " on " | " off " } |"
69 .BR multicast " { " on " | " off " } |"
101 .IR VLAN-QOS " ] ] ["
104 .B spoofchk { on | off }
116 .RI "[ " DEVICE " | "
121 .BR "ip addr" " { " add " | " del " } "
122 .IB IFADDR " dev " STRING
125 .BR "ip addr" " { " show " | " flush " } [ " dev
130 .IR PREFIX " ] [ " FLAG-LIST " ] [ "
135 .IR IFADDR " := " PREFIX " | " ADDR
149 .RB "[ " host " | " link " | " global " | "
153 .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
157 .RB "[ " permanent " | " dynamic " | " secondary " | " primary " | "\
158 tentative " | " deprecated " | " dadfailed " | " temporary " ]"
161 .BR "ip addrlabel" " { " add " | " del " } " prefix
169 .BR "ip addrlabel" " { " list " | " flush " }"
172 .BR "ip netns" " { " list " } "
175 .BR "ip netns" " { " add " | " delete " } "
180 .I NETNSNAME command ...
184 .BR list " | " flush " } "
192 .BR "ip route restore"
197 .BI from " ADDRESS " iif " STRING"
204 .BR "ip route" " { " add " | " del " | " change " | " append " | "\
226 .IR ROUTE " := " NODE_SPEC " [ " INFO_SPEC " ]"
229 .IR NODE_SPEC " := [ " TYPE " ] " PREFIX " ["
242 .IR INFO_SPEC " := " "NH OPTIONS FLAGS" " ["
253 .IR NUMBER " ] " NHFLAGS
256 .IR OPTIONS " := " FLAGS " [ "
282 .BR unicast " | " local " | " broadcast " | " multicast " | "\
283 throw " | " unreachable " | " prohibit " | " blackhole " | " nat " ]"
286 .IR TABLE_ID " := [ "
287 .BR local "| " main " | " default " | " all " |"
292 .BR host " | " link " | " global " |"
297 .BR onlink " | " pervasive " ]"
301 .BR kernel " | " boot " | " static " |"
306 .RB " [ " list " | " add " | " del " | " flush " ]"
310 .IR SELECTOR " := [ "
318 .IR FWMARK[/MASK] " ] [ "
332 .BR prohibit " | " reject " | " unreachable " ] [ " realms
333 .RI "[" SRCREALM "/]" DSTREALM " ]"
336 .IR TABLE_ID " := [ "
337 .BR local " | " main " | " default " |"
341 .BR "ip neigh" " { " add " | " del " | " change " | " replace " } { "
345 .BR nud " { " permanent " | " noarp " | " stale " | " reachable " } ] | " proxy
351 .BR "ip neigh" " { " show " | " flush " } [ " to
359 .BR "ip ntable change name"
377 .IR MSEC " | " "gc_stale MSEC " " | "
379 .IR MSEC " | " "queue LEN " " | "
383 .IR VAL " | " "mcast_probes VAL " " | "
387 .IR MSEC " | " "proxy_queue LEN " " | "
392 .BR "ip ntable show" " [ "
399 .BR "ip tunnel" " { " add " | " change " | " del " | " show " | " prl " }"
409 .RB "[ [" i "|" o "]" seq " ] [ [" i "|" o "]" key
411 .RB "[" i "|" o "]" csum " ] ]"
430 .RB "[ [" no "]" pmtudisc " ]"
433 .RB "[ " "dscp inherit" " ]"
437 .RB " { " ipip " | " gre " | " sit " | " isatap " | " ip6ip6 " | " ipip6 " | " any " }"
440 .IR ADDR " := { " IP_ADDRESS " |"
444 .IR TOS " := { " NUMBER " |"
454 .IR TTL " := { " 1 ".." 255 " | "
458 .IR KEY " := { " DOTTED_QUAD " | " NUMBER " }"
461 .IR TIME " := " NUMBER "[s|ms]"
464 .BR "ip maddr" " [ " add " | " del " ]"
465 .IB MULTIADDR " dev " STRING
468 .BR "ip maddr show" " [ " dev
472 .BR "ip mroute show" " ["
480 .BR "ip monitor" " [ " all " |"
481 .IR LISTofOBJECTS " ]"
486 .IR XFRM-OBJECT " { " COMMAND " | "
491 .IR XFRM-OBJECT " :="
492 .BR state " | " policy " | " monitor
496 .BR "ip xfrm state " { " add " | " update " } "
497 .IR ID " [ " ALGO-LIST " ]"
508 .RB "[ " replay-window
517 .IR SELECTOR " ] [ " LIMIT-LIST " ]"
521 .IR ADDR "[/" PLEN "] ]"
526 .B "ip xfrm state allocspi"
544 .BR "ip xfrm state" " { " delete " | " get " } "
552 .BR "ip xfrm state" " { " deleteall " | " list " } ["
562 .BR "ip xfrm state flush" " [ " proto
566 .BR "ip xfrm state count"
581 .BR esp " | " ah " | " comp " | " route2 " | " hao
584 .IR ALGO-LIST " := [ " ALGO-LIST " ] " ALGO
588 .RB "{ " enc " | " auth " | " comp " } "
589 .IR ALGO-NAME " " ALGO-KEY " |"
592 .IR ALGO-NAME " " ALGO-KEY " " ALGO-ICV-LEN " |"
595 .IR ALGO-NAME " " ALGO-KEY " " ALGO-TRUNC-LEN
599 .BR transport " | " tunnel " | " ro " | " in_trigger " | " beet
602 .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
606 .BR noecn " | " decap-dscp " | " nopmtudisc " | " wildrecv " | " icmp " | " af-unspec " | " align4
611 .IR ADDR "[/" PLEN "] ]"
613 .IR ADDR "[/" PLEN "] ]"
624 .RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
629 .RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
635 .RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
638 .IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
644 .RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
647 .RB "{ " byte-soft " | " byte-hard " }"
650 .RB "{ " packet-soft " | " packet-hard " }"
655 .RB "{ " espinudp " | " espinudp-nonike " }"
656 .IR SPORT " " DPORT " " OADDR
659 .BR "ip xfrm policy" " { " add " | " update " }"
679 .RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]"
682 .BR "ip xfrm policy" " { " delete " | " get " }"
683 .RI "{ " SELECTOR " | "
698 .BR "ip xfrm policy" " { " deleteall " | " list " }"
699 .RI "[ " SELECTOR " ]"
712 .B "ip xfrm policy flush"
717 .B "ip xfrm policy count"
722 .IR ADDR "[/" PLEN "] ]"
724 .IR ADDR "[/" PLEN "] ]"
734 .RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
739 .RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
745 .RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
749 .BR in " | " out " | " fwd
757 .BR allow " | " block
760 .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
764 .BR localok " | " icmp
767 .IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
773 .RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
776 .RB "{ " byte-soft " | " byte-hard " }"
779 .RB "{ " packet-soft " | " packet-hard " }"
783 .IR TMPL-LIST " := [ " TMPL-LIST " ]"
809 .BR esp " | " ah " | " comp " | " route2 " | " hao
813 .BR transport " | " tunnel " | " ro " | " in_trigger " | " beet
817 .BR required " | " use
820 .BR "ip xfrm monitor" " [ " all " |"
821 .IR LISTofXFRM-OBJECTS " ]"
829 .BR "\-V" , " -Version"
830 print the version of the
835 .BR "\-s" , " \-stats", " \-statistics"
836 output more information. If the option
837 appears twice or more, the amount of information increases.
838 As a rule, the information is statistics or some time values.
841 .BR "\-l" , " \-loops"
842 Specify maximum number of loops the 'ip addr flush' logic
843 will attempt before giving up. The default is 10.
844 Zero (0) means loop until all addresses are removed.
847 .BR "\-f" , " \-family"
848 followed by protocol family identifier:
849 .BR "inet" , " inet6"
852 ,enforce the protocol family to use. If the option is not present,
853 the protocol family is guessed from other arguments. If the rest
854 of the command line does not give enough information to guess the
857 falls back to the default one, usually
862 is a special family identifier meaning that no networking protocol
873 .BR "\-family inet6" .
878 .BR "\-family link" .
881 .BR "\-o" , " \-oneline"
882 output each record on a single line, replacing line feeds
885 character. This is convenient when you want to count records
893 .BR "\-r" , " \-resolve"
894 use the system's name resolver to print DNS names instead of
897 .SH IP - COMMAND SYNTAX
908 - protocol (IP or IPv6) address on a device.
912 - label configuration for protocol address selection.
916 - ARP or NDISC cache entry.
920 - routing table entry.
924 - rule in routing policy database.
932 - multicast routing cache entry.
939 The names of all objects may be written in full or
940 abbreviated form, f.e.
950 Specifies the action to perform on the object.
951 The set of possible actions depends on the object type.
952 As a rule, it is possible to
953 .BR "add" , " delete"
958 ) objects, but some objects do not allow all of these operations
959 or have some additional commands. The
961 command is available for all objects. It prints
962 out a list of available commands and argument syntax conventions.
964 If no command is given, some default command is assumed.
967 or, if the objects of this class cannot be listed,
970 .SH ip link - network device configuration
973 is a network device and the corresponding commands
974 display and change the state of devices.
976 .SS ip link add - add virtual link
980 specifies the physical device to act operate on.
983 specifies the name of the new virtual device.
986 specifies the type of the new device.
992 - 802.1q tagged virtual LAN interface
995 - Virtual ethernet interface
998 - Virtual Local CAN interface
1001 - Dummy network interface
1004 - Intermediate Functional Block device
1007 - virtual interface base on link layer address (MAC)
1010 - Controller Area Network interface
1013 - Ethernet Bridge device
1016 .SS ip link delete - delete virtual link
1018 specifies the virtual device to act operate on.
1020 specifies the type of the device.
1025 specifies the physical device to act operate on.
1027 .SS ip link set - change device attributes
1032 specifies network device to operate on. When configuring SR-IOV Virtual Fuction
1033 (VF) devices, this keyword should specify the associated Physical Function (PF)
1039 has a dual role: If both group and dev are present, then move the device to the
1040 specified group. If only a group is specified, then the command operates on
1041 all devices in that group.
1045 change the state of the device to
1051 .BR "arp on " or " arp off"
1057 .BR "multicast on " or " multicast off"
1063 .BR "dynamic on " or " dynamic off"
1070 change the name of the device. This operation is not
1071 recommended if the device is running or has some addresses
1075 .BI txqueuelen " NUMBER"
1077 .BI txqlen " NUMBER"
1078 change the transmit queue length of the device.
1087 .BI address " LLADDRESS"
1088 change the station address of the interface.
1091 .BI broadcast " LLADDRESS"
1093 .BI brd " LLADDRESS"
1095 .BI peer " LLADDRESS"
1096 change the link layer broadcast address or the peer address when
1102 move the device to the network namespace associated with the process
1106 .BI netns " NETNSNAME"
1107 move the device to the network namespace associated with name
1112 give the device a symbolic name for easy reference.
1116 specify the group the device belongs to.
1117 The available groups are listed in file
1118 .BR "/etc/iproute2/group" .
1122 specify a Virtual Function device to be configured. The associated PF device
1123 must be specified using the
1128 .BI mac " LLADDRESS"
1129 - change the station address for the specified VF. The
1131 parameter must be specified.
1135 - change the assigned VLAN for the specified VF. When specified, all traffic
1136 sent from the VF will be tagged with the specified VLAN ID. Incoming traffic
1137 will be filtered for the specified VLAN ID, and will have all VLAN tags
1138 stripped before being passed to the VF. Setting this parameter to 0 disables
1139 VLAN tagging and filtering. The
1141 parameter must be specified.
1145 - assign VLAN QOS (priority) bits for the VLAN tag. When specified, all VLAN
1146 tags transmitted by the VF will include the specified priority bits in the
1147 VLAN tag. If not specified, the value is assumed to be 0. Both the
1151 parameters must be specified. Setting both
1155 as 0 disables VLAN tagging and filtering for the VF.
1159 - change the allowed transmit bandwidth, in Mbps, for the specified VF.
1160 Setting this parameter to 0 disables rate limiting. The
1162 parameter must be specified.
1166 .BI master " DEVICE"
1167 set master device of the device (enslave device).
1171 unset master device of the device (release device).
1175 If multiple parameter changes are requested,
1177 aborts immediately after any of the changes have failed.
1178 This is the only case when
1180 can move the system to an unpredictable state. The solution
1181 is to avoid changing several parameters with one
1185 .SS ip link show - display device attributes
1188 .BI dev " NAME " (default)
1190 specifies the network device to show.
1191 If this argument is omitted all devices in the default group are listed.
1196 specifies what group of devices to show.
1200 only display running interfaces.
1202 .SH ip address - protocol address management.
1206 is a protocol (IP or IPv6) address attached
1207 to a network device. Each device must have at least one address
1208 to use the corresponding protocol. It is possible to have several
1209 different addresses attached to one device. These addresses are not
1210 discriminated, so that the term
1212 is not quite appropriate for them and we do not use it in this document.
1216 command displays addresses and their properties, adds new addresses
1217 and deletes old ones.
1219 .SS ip address add - add new protocol address.
1223 the name of the device to add the address to.
1226 .BI local " ADDRESS " (default)
1227 the address of the interface. The format of the address depends
1228 on the protocol. It is a dotted quad for IP and a sequence of
1229 hexadecimal halfwords separated by colons for IPv6. The
1231 may be followed by a slash and a decimal number which encodes
1232 the network prefix length.
1236 the address of the remote endpoint for pointopoint interfaces.
1239 may be followed by a slash and a decimal number, encoding the network
1240 prefix length. If a peer address is specified, the local address
1241 cannot have a prefix length. The network prefix is associated
1242 with the peer rather than with the local address.
1245 .BI broadcast " ADDRESS"
1246 the broadcast address on the interface.
1248 It is possible to use the special symbols
1252 instead of the broadcast address. In this case, the broadcast address
1253 is derived by setting/resetting the host bits of the interface prefix.
1257 Each address may be tagged with a label string.
1258 In order to preserve compatibility with Linux-2.0 net aliases,
1259 this string must coincide with the name of the device or must be prefixed
1260 with the device name followed by colon.
1263 .BI scope " SCOPE_VALUE"
1264 the scope of the area where this address is valid.
1265 The available scopes are listed in file
1266 .BR "/etc/iproute2/rt_scopes" .
1267 Predefined scope values are:
1271 - the address is globally valid.
1274 - (IPv6 only) the address is site local, i.e. it is
1275 valid inside this site.
1278 - the address is link local, i.e. it is valid only on this device.
1281 - the address is valid only inside this host.
1284 .SS ip address delete - delete protocol address
1286 coincide with the arguments of
1288 The device name is a required argument. The rest are optional.
1289 If no arguments are given, the first address is deleted.
1291 .SS ip address show - look at protocol addresses
1294 .BI dev " NAME " (default)
1298 .BI scope " SCOPE_VAL"
1299 only list addresses with this scope.
1303 only list addresses matching this prefix.
1306 .BI label " PATTERN"
1307 only list addresses with labels matching the
1310 is a usual shell style pattern.
1313 .BR dynamic " and " permanent
1314 (IPv6 only) only list addresses installed due to stateless
1315 address configuration or only list permanent (not dynamic)
1320 (IPv6 only) only list addresses which have not yet passed duplicate
1325 (IPv6 only) only list deprecated addresses.
1329 (IPv6 only) only list addresses which have failed duplicate
1334 (IPv6 only) only list temporary addresses.
1337 .BR primary " and " secondary
1338 only list primary (or secondary) addresses.
1340 .SS ip address flush - flush protocol addresses
1341 This command flushes the protocol addresses selected by some criteria.
1344 This command has the same arguments as
1346 The difference is that it does not run when no arguments are given.
1350 This command (and other
1352 commands described below) is pretty dangerous. If you make a mistake,
1353 it will not forgive it, but will cruelly purge all the addresses.
1358 option, the command becomes verbose. It prints out the number of deleted
1359 addresses and the number of rounds made to flush the address list. If
1360 this option is given twice,
1362 also dumps all the deleted addresses in the format described in the
1363 previous subsection.
1365 .SH ip addrlabel - protocol address label management.
1367 IPv6 address label is used for address selection
1368 described in RFC 3484. Precedence is managed by userspace,
1369 and only label is stored in kernel.
1371 .SS ip addrlabel add - add an address label
1372 the command adds an address label entry to the kernel.
1374 .BI prefix " PREFIX"
1377 the outgoing interface.
1380 the label for the prefix.
1381 0xffffffff is reserved.
1382 .SS ip addrlabel del - delete an address label
1383 the command deletes an address label entry in the kernel.
1385 coincide with the arguments of
1387 but label is not required.
1388 .SS ip addrlabel list - list address labels
1389 the command show contents of address labels.
1390 .SS ip addrlabel flush - flush address labels
1391 the command flushes the contents of address labels and it does not restore default settings.
1392 .SH ip neighbour - neighbour/arp tables management.
1395 objects establish bindings between protocol addresses and
1396 link layer addresses for hosts sharing the same link.
1397 Neighbour entries are organized into tables. The IPv4 neighbour table
1398 is known by another name - the ARP table.
1401 The corresponding commands display neighbour bindings
1402 and their properties, add new neighbour entries and delete old ones.
1404 .SS ip neighbour add - add a new neighbour entry
1405 .SS ip neighbour change - change an existing entry
1406 .SS ip neighbour replace - add a new entry or change an existing one
1408 These commands create new neighbour records or update existing ones.
1411 .BI to " ADDRESS " (default)
1412 the protocol address of the neighbour. It is either an IPv4 or IPv6 address.
1416 the interface to which this neighbour is attached.
1419 .BI lladdr " LLADDRESS"
1420 the link layer address of the neighbour.
1426 .BI nud " NUD_STATE"
1427 the state of the neighbour entry.
1429 is an abbreviation for 'Neighbour Unreachability Detection'.
1430 The state can take one of the following values:
1434 - the neighbour entry is valid forever and can be only
1435 be removed administratively.
1439 - the neighbour entry is valid. No attempts to validate
1440 this entry will be made but it can be removed when its lifetime expires.
1444 - the neighbour entry is valid until the reachability
1449 - the neighbour entry is valid but suspicious.
1452 does not change the neighbour state if it was valid and the address
1453 is not changed by this command.
1456 .SS ip neighbour delete - delete a neighbour entry
1457 This command invalidates a neighbour entry.
1460 The arguments are the same as with
1461 .BR "ip neigh add" ,
1470 Attempts to delete or manually change a
1472 entry created by the kernel may result in unpredictable behaviour.
1473 Particularly, the kernel may try to resolve this address even
1476 interface or if the address is multicast or broadcast.
1478 .SS ip neighbour show - list neighbour entries
1480 This commands displays neighbour tables.
1483 .BI to " ADDRESS " (default)
1484 the prefix selecting the neighbours to list.
1488 only list the neighbours attached to this device.
1492 only list neighbours which are not currently in use.
1495 .BI nud " NUD_STATE"
1496 only list neighbour entries in this state.
1498 takes values listed below or the special value
1500 which means all states. This option may occur more than once.
1501 If this option is absent,
1503 lists all entries except for
1508 .SS ip neighbour flush - flush neighbour entries
1509 This command flushes neighbour tables, selecting
1510 entries to flush by some criteria.
1513 This command has the same arguments as
1515 The differences are that it does not run when no arguments are given,
1516 and that the default neighbour states to be flushed do not include
1524 option, the command becomes verbose. It prints out the number of
1525 deleted neighbours and the number of rounds made to flush the
1526 neighbour table. If the option is given
1529 also dumps all the deleted neighbours.
1531 .SH ip ntable - neighbour table configuration
1532 Display and change the parameters for the neighbour tables.
1534 .SS ip ntable show - list the ip neighbour tables
1536 This commands displays neighbour table parameters and statistics.
1540 only list the table attached to this device.
1544 only lists the table with the given name.
1546 .SS ip ntable change - modify table parameter
1548 This command allows modifying table parameters such as timers and queue lengths.
1551 the name of the table to modify.
1555 the name of the device to modify the table values.
1557 .SH ip route - routing table management
1558 Manipulate route entries in the kernel routing tables keep
1559 information about paths to other networked nodes.
1565 - the route entry describes real paths to the destinations covered
1566 by the route prefix.
1570 - these destinations are unreachable. Packets are discarded and the
1574 The local senders get an
1580 - these destinations are unreachable. Packets are discarded silently.
1581 The local senders get an
1587 - these destinations are unreachable. Packets are discarded and the
1589 .I communication administratively prohibited
1590 is generated. The local senders get an
1596 - the destinations are assigned to this host. The packets are looped
1597 back and delivered locally.
1601 - the destinations are broadcast addresses. The packets are sent as
1606 - a special control route used together with policy rules. If such a
1607 route is selected, lookup in this table is terminated pretending that
1608 no route was found. Without policy routing it is equivalent to the
1609 absence of the route in the routing table. The packets are dropped
1610 and the ICMP message
1612 is generated. The local senders get an
1618 - a special NAT route. Destinations covered by the prefix
1619 are considered to be dummy (or external) addresses which require translation
1620 to real (or internal) ones before forwarding. The addresses to translate to
1621 are selected with the attribute
1623 Route NAT is no longer supported in Linux 2.6.
1629 .RI "- " "not implemented"
1630 the destinations are
1632 addresses assigned to this host. They are mainly equivalent
1635 with one difference: such addresses are invalid when used
1636 as the source address of any packet.
1640 - a special type used for multicast routing. It is not present in
1641 normal routing tables.
1646 Linux-2.x can pack routes into several routing tables identified
1647 by a number in the range from 1 to 2^31 or by name from the file
1648 .B /etc/iproute2/rt_tables
1649 By default all normal routes are inserted into the
1651 table (ID 254) and the kernel only uses this table when calculating routes.
1652 Values (0, 253, 254, and 255) are reserved for built-in use.
1655 Actually, one other table always exists, which is invisible but
1656 even more important. It is the
1658 table (ID 255). This table
1659 consists of routes for local and broadcast addresses. The kernel maintains
1660 this table automatically and the administrator usually need not modify it
1663 The multiple routing tables enter the game when
1667 .SS ip route add - add new route
1668 .SS ip route change - change route
1669 .SS ip route replace - change or add new one
1672 .BI to " TYPE PREFIX " (default)
1673 the destination prefix of the route. If
1683 is an IP or IPv6 address optionally followed by a slash and the
1684 prefix length. If the length of the prefix is missing,
1686 assumes a full-length host route. There is also a special
1689 - which is equivalent to IP
1698 the Type Of Service (TOS) key. This key has no associated mask and
1699 the longest match is understood as: First, compare the TOS
1700 of the route and of the packet. If they are not equal, then the packet
1701 may still match a route with a zero TOS.
1703 is either an 8 bit hexadecimal number or an identifier
1705 .BR "/etc/iproute2/rt_dsfield" .
1708 .BI metric " NUMBER"
1710 .BI preference " NUMBER"
1711 the preference value of the route.
1713 is an arbitrary 32bit number.
1716 .BI table " TABLEID"
1717 the table to add this route to.
1719 may be a number or a string from the file
1720 .BR "/etc/iproute2/rt_tables" .
1721 If this parameter is omitted,
1725 table, with the exception of
1726 .BR local " , " broadcast " and " nat
1727 routes, which are put into the
1733 the output device name.
1737 the address of the nexthop router. Actually, the sense of this field
1738 depends on the route type. For normal
1740 routes it is either the true next hop router or, if it is a direct
1741 route installed in BSD compatibility mode, it can be a local address
1742 of the interface. For NAT routes it is the first address of the block
1743 of translated IP destinations.
1747 the source address to prefer when sending to the destinations
1748 covered by the route prefix.
1751 .BI realm " REALMID"
1752 the realm to which this route is assigned.
1754 may be a number or a string from the file
1755 .BR "/etc/iproute2/rt_realms" .
1760 .BI "mtu lock" " MTU"
1761 the MTU along the path to the destination. If the modifier
1763 is not used, the MTU may be updated by the kernel due to
1764 Path MTU Discovery. If the modifier
1766 is used, no path MTU discovery will be tried, all packets
1767 will be sent without the DF bit in IPv4 case or fragmented
1771 .BI window " NUMBER"
1772 the maximal window for TCP to advertise to these destinations,
1773 measured in bytes. It limits maximal data bursts that our TCP
1774 peers are allowed to send to us.
1778 the initial RTT ('Round Trip Time') estimate. If no suffix is
1779 specified the units are raw values passed directly to the
1780 routing code to maintain compatibility with previous releases.
1781 Otherwise if a suffix of s, sec or secs is used to specify
1782 seconds and ms, msec or msecs to specify milliseconds.
1786 .BI rttvar " TIME " "(2.3.15+ only)"
1787 the initial RTT variance estimate. Values are specified as with
1792 .BI rto_min " TIME " "(2.6.23+ only)"
1793 the minimum TCP Retransmission TimeOut to use when communicating with this
1794 destination. Values are specified as with
1799 .BI ssthresh " NUMBER " "(2.3.15+ only)"
1800 an estimate for the initial slow start threshold.
1803 .BI cwnd " NUMBER " "(2.3.15+ only)"
1804 the clamp for congestion window. It is ignored if the
1809 .BI initcwnd " NUMBER " "(2.5.70+ only)"
1810 the initial congestion window size for connections to this destination.
1811 Actual window size is this value multiplied by the MSS
1812 (``Maximal Segment Size'') for same connection. The default is
1813 zero, meaning to use the values specified in RFC2414.
1816 .BI initrwnd " NUMBER " "(2.6.33+ only)"
1817 the initial receive window size for connections to this destination.
1818 Actual window size is this value multiplied by the MSS of the connection.
1819 The default value is zero, meaning to use Slow Start value.
1822 .BI advmss " NUMBER " "(2.3.15+ only)"
1823 the MSS ('Maximal Segment Size') to advertise to these
1824 destinations when establishing TCP connections. If it is not given,
1825 Linux uses a default value calculated from the first hop device MTU.
1826 (If the path to these destination is asymmetric, this guess may be wrong.)
1829 .BI reordering " NUMBER " "(2.3.15+ only)"
1830 Maximal reordering on the path to this destination.
1831 If it is not given, Linux uses the value selected with
1834 .BR "net/ipv4/tcp_reordering" .
1837 .BI nexthop " NEXTHOP"
1838 the nexthop of a multipath route.
1840 is a complex value with its own syntax similar to the top level
1845 - is the nexthop router.
1849 - is the output device.
1852 .BI weight " NUMBER"
1853 - is a weight for this element of a multipath
1854 route reflecting its relative bandwidth or quality.
1858 .BI scope " SCOPE_VAL"
1859 the scope of the destinations covered by the route prefix.
1861 may be a number or a string from the file
1862 .BR "/etc/iproute2/rt_scopes" .
1863 If this parameter is omitted,
1872 .BR unicast " and " broadcast
1874 .BR host " for " local
1878 .BI protocol " RTPROTO"
1879 the routing protocol identifier of this route.
1881 may be a number or a string from the file
1882 .BR "/etc/iproute2/rt_protos" .
1883 If the routing protocol ID is not given,
1884 .B ip assumes protocol
1886 (i.e. it assumes the route was added by someone who doesn't
1887 understand what they are doing). Several protocol values have
1888 a fixed interpretation.
1893 - the route was installed due to an ICMP redirect.
1897 - the route was installed by the kernel during autoconfiguration.
1901 - the route was installed during the bootup sequence.
1902 If a routing daemon starts, it will purge all of them.
1906 - the route was installed by the administrator
1907 to override dynamic routing. Routing daemon will respect them
1908 and, probably, even advertise them to its peers.
1912 - the route was installed by Router Discovery protocol.
1916 The rest of the values are not reserved and the administrator is free
1917 to assign (or not to assign) protocol tags.
1921 pretend that the nexthop is directly attached to this link,
1922 even if it does not match any interface prefix.
1924 .SS ip route delete - delete route
1927 has the same arguments as
1928 .BR "ip route add" ,
1929 but their semantics are a bit different.
1932 .RB "(" to ", " tos ", " preference " and " table ")"
1933 select the route to delete. If optional attributes are present,
1935 verifies that they coincide with the attributes of the route to delete.
1936 If no route with the given key and attributes was found,
1940 .SS ip route show - list routes
1941 the command displays the contents of the routing tables or the route(s)
1942 selected by some criteria.
1945 .BI to " SELECTOR " (default)
1946 only select routes from the given range of destinations.
1948 consists of an optional modifier
1949 .RB "(" root ", " match " or " exact ")"
1952 selects routes with prefixes not shorter than
1956 selects the entire routing table.
1958 selects routes with prefixes not longer than
1961 .BI match " 10.0/16"
1964 .IR 10/8 " and " 0/0 ,
1965 but it does not select
1966 .IR 10.1/16 " and " 10.0.0/24 .
1971 selects routes with this exact prefix. If neither of these options
1976 i.e. it lists the entire table.
1981 only select routes with the given TOS.
1984 .BI table " TABLEID"
1985 show the routes from this table(s). The default setting is to show
1988 may either be the ID of a real table or one of the special values:
1992 - list all of the tables.
1995 - dump the routing cache.
2002 list cloned routes i.e. routes which were dynamically forked from
2003 other routes because some route attribute (f.e. MTU) was updated.
2004 Actually, it is equivalent to
2005 .BR "table cache" "."
2008 .BI from " SELECTOR"
2009 the same syntax as for
2011 but it binds the source address range rather than destinations.
2014 option only works with cloned routes.
2017 .BI protocol " RTPROTO"
2018 only list routes of this protocol.
2021 .BI scope " SCOPE_VAL"
2022 only list routes with this scope.
2026 only list routes of this type.
2030 only list routes going via this device.
2034 only list routes going via the nexthop routers selected by
2039 only list routes with preferred source addresses selected
2044 .BI realm " REALMID"
2046 .BI realms " FROMREALM/TOREALM"
2047 only list routes with these realms.
2049 .SS ip route flush - flush routing tables
2050 this command flushes routes selected by some criteria.
2053 The arguments have the same syntax and semantics as the arguments of
2054 .BR "ip route show" ,
2055 but routing tables are not listed but purged. The only difference is
2058 dumps all the IP main routing table but
2060 prints the helper page.
2065 option, the command becomes verbose. It prints out the number of
2066 deleted routes and the number of rounds made to flush the routing
2067 table. If the option is given
2070 also dumps all the deleted routes in the format described in the
2071 previous subsection.
2073 .SS ip route get - get a single route
2074 this command gets a single route to a destination and prints its
2075 contents exactly as the kernel sees it.
2078 .BI to " ADDRESS " (default)
2079 the destination address.
2089 the Type Of Service.
2093 the device from which this packet is expected to arrive.
2097 force the output device on which this packet will be routed.
2101 if no source address
2102 .RB "(option " from ")"
2103 was given, relookup the route with the source set to the preferred
2104 address received from the first lookup.
2105 If policy routing is used, it may be a different route.
2108 Note that this operation is not equivalent to
2109 .BR "ip route show" .
2111 shows existing routes.
2113 resolves them and creates new clones if necessary. Essentially,
2115 is equivalent to sending a packet along this path.
2118 argument is not given, the kernel creates a route
2119 to output packets towards the requested destination.
2120 This is equivalent to pinging the destination
2122 .BR "ip route ls cache" ,
2123 however, no packets are actually sent. With the
2125 argument, the kernel pretends that a packet arrived from this interface
2126 and searches for a path to forward the packet.
2128 .SS ip route save - save routing table information to stdout
2129 this command behaves like
2131 except that the output is raw data suitable for passing to
2132 .BR "ip route restore" .
2134 .SS ip route restore - restore routing table information from stdin
2135 this command expects to read a data stream as returned from
2136 .BR "ip route save" .
2137 It will attempt to restore the routing table information exactly as
2138 it was at the time of the save, so any translation of information
2139 in the stream (such as device indexes) must be done first. Any existing
2140 routes are left unchanged. Any routes specified in the data stream that
2141 already exist in the table will be ignored.
2143 .SH ip rule - routing policy database management
2146 in the routing policy database control the route selection algorithm.
2149 Classic routing algorithms used in the Internet make routing decisions
2150 based only on the destination address of packets (and in theory,
2151 but not in practice, on the TOS field).
2154 In some circumstances we want to route packets differently depending not only
2155 on destination addresses, but also on other packet fields: source address,
2156 IP protocol, transport protocol ports or even packet payload.
2157 This task is called 'policy routing'.
2160 To solve this task, the conventional destination based routing table, ordered
2161 according to the longest match rule, is replaced with a 'routing policy
2162 database' (or RPDB), which selects routes by executing some set of rules.
2165 Each policy routing rule consists of a
2168 .B action predicate.
2169 The RPDB is scanned in the order of increasing priority. The selector
2170 of each rule is applied to {source address, destination address, incoming
2171 interface, tos, fwmark} and, if the selector matches the packet,
2172 the action is performed. The action predicate may return with success.
2173 In this case, it will either give a route or failure indication
2174 and the RPDB lookup is terminated. Otherwise, the RPDB program
2175 continues on the next rule.
2178 Semantically, natural action is to select the nexthop and the output device.
2181 At startup time the kernel configures the default RPDB consisting of three
2186 Priority: 0, Selector: match anything, Action: lookup routing
2192 table is a special routing table containing
2193 high priority control routes for local and broadcast addresses.
2195 Rule 0 is special. It cannot be deleted or overridden.
2199 Priority: 32766, Selector: match anything, Action: lookup routing
2205 table is the normal routing table containing all non-policy
2206 routes. This rule may be deleted and/or overridden with other
2207 ones by the administrator.
2211 Priority: 32767, Selector: match anything, Action: lookup routing
2217 table is empty. It is reserved for some post-processing if no previous
2218 default rules selected the packet.
2219 This rule may also be deleted.
2222 Each RPDB entry has additional
2223 attributes. F.e. each rule has a pointer to some routing
2224 table. NAT and masquerading rules have an attribute to select new IP
2225 address to translate/masquerade. Besides that, rules have some
2226 optional attributes, which routes have, namely
2228 These values do not override those contained in the routing tables. They
2229 are only used if the route did not select any attributes.
2232 The RPDB may contain rules of the following types:
2236 - the rule prescribes to return the route found
2237 in the routing table referenced by the rule.
2240 - the rule prescribes to silently drop the packet.
2243 - the rule prescribes to generate a 'Network is unreachable' error.
2246 - the rule prescribes to generate 'Communication is administratively
2250 - the rule prescribes to translate the source address
2251 of the IP packet into some other value.
2254 .SS ip rule add - insert a new rule
2255 .SS ip rule delete - delete a rule
2258 .BI type " TYPE " (default)
2259 the type of this rule. The list of valid types was given in the previous
2264 select the source prefix to match.
2268 select the destination prefix to match.
2272 select the incoming device to match. If the interface is loopback,
2273 the rule only matches packets originating from this host. This means
2274 that you may create separate routing tables for forwarded and local
2275 packets and, hence, completely segregate them.
2279 select the outgoing device to match. The outgoing interface is only
2280 available for packets originating from local sockets that are bound to
2287 select the TOS value to match.
2296 .BI priority " PREFERENCE"
2297 the priority of this rule. Each rule should have an explicitly
2301 The options preference and order are synonyms with priority.
2304 .BI table " TABLEID"
2305 the routing table identifier to lookup if the rule selector matches.
2306 It is also possible to use lookup instead of table.
2309 .BI realms " FROM/TO"
2310 Realms to select if the rule matched and the routing table lookup
2313 is only used if the route did not select any realm.
2317 The base of the IP address block to translate (for source addresses).
2320 may be either the start of the block of NAT addresses (selected by NAT
2321 routes) or a local host address (or even zero).
2322 In the last case the router does not translate the packets, but
2323 masquerades them to this address.
2324 Using map-to instead of nat means the same thing.
2327 Changes to the RPDB made with these commands do not become active
2328 immediately. It is assumed that after a script finishes a batch of
2329 updates, it flushes the routing cache with
2330 .BR "ip route flush cache" .
2332 .SS ip rule flush - also dumps all the deleted rules.
2333 This command has no arguments.
2335 .SS ip rule show - list rules
2336 This command has no arguments.
2337 The options list or lst are synonyms with show.
2339 .SH ip maddress - multicast addresses management
2342 objects are multicast addresses.
2344 .SS ip maddress show - list multicast addresses
2347 .BI dev " NAME " (default)
2350 .SS ip maddress add - add a multicast address
2351 .SS ip maddress delete - delete a multicast address
2352 these commands attach/detach a static link layer multicast address
2353 to listen on the interface.
2354 Note that it is impossible to join protocol multicast groups
2355 statically. This command only manages link layer addresses.
2358 .BI address " LLADDRESS " (default)
2359 the link layer multicast address.
2363 the device to join/leave this multicast address.
2365 .SH ip mroute - multicast routing cache management
2367 objects are multicast routing cache entries created by a user level
2368 mrouting daemon (f.e.
2374 Due to the limitations of the current interface to the multicast routing
2375 engine, it is impossible to change
2377 objects administratively, so we may only display them. This limitation
2378 will be removed in the future.
2380 .SS ip mroute show - list mroute cache entries
2383 .BI to " PREFIX " (default)
2384 the prefix selecting the destination multicast addresses to list.
2388 the interface on which multicast packets are received.
2392 the prefix selecting the IP source addresses of the multicast route.
2394 .SH ip tunnel - tunnel configuration
2396 objects are tunnels, encapsulating packets in IP packets and then
2397 sending them over the IP infrastructure.
2398 The encapulating (or outer) address family is specified by the
2400 option. The default is IPv4.
2402 .SS ip tunnel add - add a new tunnel
2403 .SS ip tunnel change - change an existing tunnel
2404 .SS ip tunnel delete - destroy a tunnel
2407 .BI name " NAME " (default)
2408 select the tunnel device name.
2412 set the tunnel mode. Available modes depend on the encapsulating address family.
2414 Modes for IPv4 encapsulation available:
2415 .BR ipip ", " sit ", " isatap " and " gre "."
2417 Modes for IPv6 encapsulation available:
2418 .BR ip6ip6 ", " ipip6 " and " any "."
2421 .BI remote " ADDRESS"
2422 set the remote endpoint of the tunnel.
2425 .BI local " ADDRESS"
2426 set the fixed local address for tunneled packets.
2427 It must be an address on another interface of this host.
2433 on tunneled packets.
2435 is a number in the range 1--255. 0 is a special value
2436 meaning that packets inherit the TTL value.
2437 The default value for IPv4 tunnels is:
2439 The default value for IPv6 tunnels is:
2449 set a fixed TOS (or traffic class in IPv6)
2451 on tunneled packets.
2452 The default value is:
2457 bind the tunnel to the device
2459 so that tunneled packets will only be routed via this device and will
2460 not be able to escape to another device when the route to endpoint
2465 disable Path MTU Discovery on this tunnel.
2466 It is enabled by default. Note that a fixed ttl is incompatible
2467 with this option: tunnelling with a fixed ttl always makes pmtu
2476 .RB ( " only GRE tunnels " )
2477 use keyed GRE with key
2479 is either a number or an IP address-like dotted quad.
2482 parameter sets the key to use in both directions.
2484 .BR ikey " and " okey
2485 parameters set different keys for input and output.
2488 .BR csum ", " icsum ", " ocsum
2489 .RB ( " only GRE tunnels " )
2490 generate/require checksums for tunneled packets.
2493 flag calculates checksums for outgoing packets.
2496 flag requires that all input packets have the correct
2499 flag is equivalent to the combination
2503 .BR seq ", " iseq ", " oseq
2504 .RB ( " only GRE tunnels " )
2508 flag enables sequencing of outgoing packets.
2511 flag requires that all input packets are serialized.
2514 flag is equivalent to the combination
2516 .B It isn't work. Don't use it.
2520 .RB ( " only IPv6 tunnels " )
2521 Inherit DS field between inner and outer header.
2524 .BI encaplim " ELIM"
2525 .RB ( " only IPv6 tunnels " )
2526 set a fixed encapsulation limit. Default is 4.
2529 .BI flowlabel " FLOWLABEL"
2530 .RB ( " only IPv6 tunnels " )
2531 set a fixed flowlabel.
2533 .SS ip tunnel prl - potential router list (ISATAP only)
2537 mandatory device name.
2540 .BI prl-default " ADDR"
2542 .BI prl-nodefault " ADDR"
2544 .BI prl-delete " ADDR"
2545 .RB "Add or delete " ADDR
2546 as a potential router or default router.
2548 .SS ip tunnel show - list tunnels
2549 This command has no arguments.
2551 .SH ip monitor and rtmon - state monitoring
2555 utility can monitor the state of devices, addresses
2556 and routes continuously. This option has a slightly different format.
2559 command is the first in the command line and then the object list follows:
2561 .BR "ip monitor" " [ " all " |"
2562 .IR LISTofOBJECTS " ]"
2565 is the list of object types that we want to monitor.
2567 .BR link ", " address " and " route "."
2572 opens RTNETLINK, listens on it and dumps state changes in the format
2573 described in previous sections.
2576 If a file name is given, it does not listen on RTNETLINK,
2577 but opens the file containing RTNETLINK messages saved in binary format
2578 and dumps them. Such a history file can be generated with the
2580 utility. This utility has a command line syntax similar to
2584 should be started before the first network configuration command
2585 is issued. F.e. if you insert:
2588 rtmon file /var/log/rtmon.log
2591 in a startup script, you will be able to view the full history
2595 Certainly, it is possible to start
2598 It prepends the history with the state snapshot dumped at the moment
2601 .SH ip netns - process network namespace management
2603 A network namespace is logically another copy of the network stack,
2604 with it's own routes, firewall rules, and network devices.
2606 By convention a named network namespace is an object at
2607 .BR "/var/run/netns/" NAME
2608 that can be opened. The file descriptor resulting from opening
2609 .BR "/var/run/netns/" NAME
2610 refers to the specified network namespace. Holding that file
2611 descriptor open keeps the network namespace alive. The file
2612 descriptor can be used with the
2614 system call to change the network namespace associated with a task.
2616 The convention for network namespace aware applications is to look
2617 for global network configuration files first in
2618 .BR "/etc/netns/" NAME "/"
2621 For example, if you want a different version of
2622 .BR /etc/resolv.conf
2623 for a network namespace used to isolate your vpn you would name it
2624 .BR /etc/netns/myvpn/resolv.conf.
2627 automates handling of this configuration, file convention for network
2628 namespace unaware applications, by creating a mount namespace and
2629 bind mounting all of the per network namespace configure files into
2630 their traditional location in /etc.
2632 .SS ip netns list - show all of the named network namespaces
2633 .SS ip netns add NAME - create a new named network namespace
2634 .SS ip netns delete NAME - delete the name of a network namespace
2635 .SS ip netns exec NAME cmd ... - Run cmd in the named network namespace
2637 .SH ip xfrm - transform configuration
2638 xfrm is an IP framework for transforming packets (such as encrypting
2639 their payloads). This framework is used to implement the IPsec protocol
2642 object operating on the Security Association Database, and the
2644 object operating on the Security Policy Database). It is also used for
2645 the IP Payload Compression Protocol and features of Mobile IPv6.
2647 .SS ip xfrm state add - add new state into xfrm
2649 .SS ip xfrm state update - update existing state in xfrm
2651 .SS ip xfrm state allocspi - allocate an SPI value
2653 .SS ip xfrm state delete - delete existing state in xfrm
2655 .SS ip xfrm state get - get existing state in xfrm
2657 .SS ip xfrm state deleteall - delete all existing state in xfrm
2659 .SS ip xfrm state list - print out the list of existing state in xfrm
2661 .SS ip xfrm state flush - flush all state in xfrm
2663 .SS ip xfrm state count - count all existing state in xfrm
2667 is specified by a source address, destination address,
2668 .RI "transform protocol " XFRM-PROTO ","
2669 and/or Security Parameter Index
2674 specifies a transform protocol:
2675 .RB "IPsec Encapsulating Security Payload (" esp "),"
2676 .RB "IPsec Authentication Header (" ah "),"
2677 .RB "IP Payload Compression (" comp "),"
2678 .RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
2679 .RB "Mobile IPv6 Home Address Option (" hao ")."
2683 specifies one or more algorithms
2685 to use. Algorithm types include
2686 .RB "encryption (" enc "),"
2687 .RB "authentication (" auth "),"
2688 .RB "authentication with a specified truncation length (" auth-trunc "),"
2689 .RB "authenticated encryption with associated data (" aead "), and"
2690 .RB "compression (" comp ")."
2691 For each algorithm used, the algorithm type, the algorithm name
2695 must be specified. For
2697 the Integrity Check Value length
2699 must additionally be specified.
2702 the signature truncation length
2704 must additionally be specified.
2708 specifies a mode of operation:
2709 .RB "IPsec transport mode (" transport "), "
2710 .RB "IPsec tunnel mode (" tunnel "), "
2711 .RB "Mobile IPv6 route optimization mode (" ro "), "
2712 .RB "Mobile IPv6 inbound trigger mode (" in_trigger "), or "
2713 .RB "IPsec ESP Bound End-to-End Tunnel Mode (" beet ")."
2717 contains one or more of the following optional flags:
2718 .BR noecn ", " decap-dscp ", " nopmtudisc ", " wildrecv ", " icmp ", "
2719 .BR af-unspec ", or " align4 "."
2723 selects the traffic that will be controlled by the policy, based on the source
2724 address, the destination address, the network device, and/or
2729 selects traffic by protocol. For the
2730 .BR tcp ", " udp ", " sctp ", or " dccp
2731 protocols, the source and destination port can optionally be specified.
2733 .BR icmp ", " ipv6-icmp ", or " mobility-header
2734 protocols, the type and code numbers can optionally be specified.
2737 protocol, the key can optionally be specified as a dotted-quad or number.
2738 Other protocols can be selected by name or number
2743 sets limits in seconds, bytes, or numbers of packets.
2747 encapsulates packets with protocol
2748 .BR espinudp " or " espinudp-nonike ","
2749 .RI "using source port " SPORT ", destination port " DPORT
2750 .RI ", and original address " OADDR "."
2752 .SS ip xfrm policy add - add a new policy
2754 .SS ip xfrm policy update - update an existing policy
2756 .SS ip xfrm policy delete - delete an existing policy
2758 .SS ip xfrm policy get - get an existing policy
2760 .SS ip xfrm policy deleteall - delete all existing xfrm policies
2762 .SS ip xfrm policy list - print out the list of xfrm policies
2764 .SS ip xfrm policy flush - flush policies
2766 .SS ip xfrm policy count - count existing policies
2770 selects the traffic that will be controlled by the policy, based on the source
2771 address, the destination address, the network device, and/or
2776 selects traffic by protocol. For the
2777 .BR tcp ", " udp ", " sctp ", or " dccp
2778 protocols, the source and destination port can optionally be specified.
2780 .BR icmp ", " ipv6-icmp ", or " mobility-header
2781 protocols, the type and code numbers can optionally be specified.
2784 protocol, the key can optionally be specified as a dotted-quad or number.
2785 Other protocols can be selected by name or number
2790 selects the policy direction as
2791 .BR in ", " out ", or " fwd "."
2795 sets the security context.
2800 .BR main " (default) or " sub "."
2805 .BR allow " (default) or " block "."
2809 is a number that defaults to zero.
2813 contains one or both of the following optional flags:
2814 .BR local " or " icmp "."
2818 sets limits in seconds, bytes, or numbers of packets.
2822 is a template list specified using
2823 .IR ID ", " MODE ", " REQID ", and/or " LEVEL ". "
2827 is specified by a source address, destination address,
2828 .RI "transform protocol " XFRM-PROTO ","
2829 and/or Security Parameter Index
2834 specifies a transform protocol:
2835 .RB "IPsec Encapsulating Security Payload (" esp "),"
2836 .RB "IPsec Authentication Header (" ah "),"
2837 .RB "IP Payload Compression (" comp "),"
2838 .RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
2839 .RB "Mobile IPv6 Home Address Option (" hao ")."
2843 specifies a mode of operation:
2844 .RB "IPsec transport mode (" transport "), "
2845 .RB "IPsec tunnel mode (" tunnel "), "
2846 .RB "Mobile IPv6 route optimization mode (" ro "), "
2847 .RB "Mobile IPv6 inbound trigger mode (" in_trigger "), or "
2848 .RB "IPsec ESP Bound End-to-End Tunnel Mode (" beet ")."
2853 .BR required " (default) or " use "."
2855 .SS ip xfrm monitor - state monitoring for xfrm objects
2856 The xfrm objects to monitor can be optionally specified.
2860 was written by Alexey N. Kuznetsov and added in Linux 2.2.
2864 .RB "IP Command reference " ip-cref.ps
2866 .RB "IP tunnels " ip-cref.ps
2868 .RB "User documentation at " http://lartc.org/ ", but please direct bugreports and patches to: " <netdev@vger.kernel.org>
2871 Original Manpage by Michail Litvak <mci@owl.openwall.com>