1 .TH IP 8 "17 January 2002" "iproute2" "Linux"
3 ip \- show / manipulate routing, devices, policy routing and tunnels
10 .RI "[ " OPTIONS " ] " OBJECT " { " COMMAND " | "
16 .BR link " | " addr " | " addrlabel " | " route " | " rule " | " neigh " | "\
17 tunnel " | " maddr " | " mroute " }"
22 \fB\-V\fR[\fIersion\fR] |
23 \fB\-s\fR[\fItatistics\fR] |
24 \fB\-r\fR[\fIesolve\fR] |
25 \fB\-f\fR[\fIamily\fR] {
26 .BR inet " | " inet6 " | " ipx " | " dnet " | " link " } | "
27 \fB\-o\fR[\fIneline\fR] }
30 .BI "ip link add link " DEVICE
50 .BR vlan " | " macvlan " | " can " ]"
53 .BI "ip link delete " DEVICE
61 .RB "} { " up " | " down " | " arp " { " on " | " off " } |"
63 .BR promisc " { " on " | " off " } |"
65 .BR allmulticast " { " on " | " off " } |"
67 .BR dynamic " { " on " | " off " } |"
69 .BR multicast " { " on " | " off " } |"
101 .IR VLAN-QOS " ] ] ["
112 .RI "[ " DEVICE " | "
117 .BR "ip addr" " { " add " | " del " } "
118 .IB IFADDR " dev " STRING
121 .BR "ip addr" " { " show " | " flush " } [ " dev
126 .IR PREFIX " ] [ " FLAG-LIST " ] [ "
131 .IR IFADDR " := " PREFIX " | " ADDR
145 .RB "[ " host " | " link " | " global " | "
149 .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
153 .RB "[ " permanent " | " dynamic " | " secondary " | " primary " | "\
154 tentative " | " deprecated " | " dadfailed " | " temporary " ]"
157 .BR "ip addrlabel" " { " add " | " del " } " prefix
165 .BR "ip addrlabel" " { " list " | " flush " }"
168 .BR "ip netns" " { " list " } "
171 .BR "ip netns" " { " add " | " delete " } "
176 .I NETNSNAME command ...
180 .BR list " | " flush " } "
188 .BR "ip route restore"
193 .BI from " ADDRESS " iif " STRING"
200 .BR "ip route" " { " add " | " del " | " change " | " append " | "\
222 .IR ROUTE " := " NODE_SPEC " [ " INFO_SPEC " ]"
225 .IR NODE_SPEC " := [ " TYPE " ] " PREFIX " ["
238 .IR INFO_SPEC " := " "NH OPTIONS FLAGS" " ["
249 .IR NUMBER " ] " NHFLAGS
252 .IR OPTIONS " := " FLAGS " [ "
278 .BR unicast " | " local " | " broadcast " | " multicast " | "\
279 throw " | " unreachable " | " prohibit " | " blackhole " | " nat " ]"
282 .IR TABLE_ID " := [ "
283 .BR local "| " main " | " default " | " all " |"
288 .BR host " | " link " | " global " |"
293 .BR onlink " | " pervasive " ]"
297 .BR kernel " | " boot " | " static " |"
302 .RB " [ " list " | " add " | " del " | " flush " ]"
306 .IR SELECTOR " := [ "
314 .IR FWMARK[/MASK] " ] [ "
328 .BR prohibit " | " reject " | " unreachable " ] [ " realms
329 .RI "[" SRCREALM "/]" DSTREALM " ]"
332 .IR TABLE_ID " := [ "
333 .BR local " | " main " | " default " |"
337 .BR "ip neigh" " { " add " | " del " | " change " | " replace " } { "
341 .BR nud " { " permanent " | " noarp " | " stale " | " reachable " } ] | " proxy
347 .BR "ip neigh" " { " show " | " flush " } [ " to
355 .BR "ip tunnel" " { " add " | " change " | " del " | " show " | " prl " }"
365 .RB "[ [" i "|" o "]" seq " ] [ [" i "|" o "]" key
367 .RB "[" i "|" o "]" csum " ] ]"
386 .RB "[ [" no "]" pmtudisc " ]"
389 .RB "[ " "dscp inherit" " ]"
393 .RB " { " ipip " | " gre " | " sit " | " isatap " | " ip6ip6 " | " ipip6 " | " any " }"
396 .IR ADDR " := { " IP_ADDRESS " |"
400 .IR TOS " := { " NUMBER " |"
410 .IR TTL " := { " 1 ".." 255 " | "
414 .IR KEY " := { " DOTTED_QUAD " | " NUMBER " }"
417 .IR TIME " := " NUMBER "[s|ms]"
420 .BR "ip maddr" " [ " add " | " del " ]"
421 .IB MULTIADDR " dev " STRING
424 .BR "ip maddr show" " [ " dev
428 .BR "ip mroute show" " ["
436 .BR "ip monitor" " [ " all " |"
437 .IR LISTofOBJECTS " ]"
442 .IR XFRM-OBJECT " { " COMMAND " | "
447 .IR XFRM-OBJECT " :="
448 .BR state " | " policy " | " monitor
452 .BR "ip xfrm state " { " add " | " update " } "
453 .IR ID " [ " ALGO-LIST " ]"
464 .RB "[ " replay-window
473 .IR SELECTOR " ] [ " LIMIT-LIST " ]"
477 .IR ADDR "[/" PLEN "] ]"
482 .B "ip xfrm state allocspi"
500 .BR "ip xfrm state" " { " delete " | " get " } "
508 .BR "ip xfrm state" " { " deleteall " | " list " } ["
518 .BR "ip xfrm state flush" " [ " proto
522 .BR "ip xfrm state count"
537 .BR esp " | " ah " | " comp " | " route2 " | " hao
540 .IR ALGO-LIST " := [ " ALGO-LIST " ] " ALGO
544 .RB "{ " enc " | " auth " | " comp " } "
545 .IR ALGO-NAME " " ALGO-KEY
549 .IR ALGO-NAME " " ALGO-KEY " " ALGO-ICV-LEN
553 .IR ALGO-NAME " " ALGO-KEY " " ALGO-TRUNC-LEN
557 .BR transport " | " tunnel " | " ro " | " in_trigger " | " beet
560 .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
564 .BR noecn " | " decap-dscp " | " nopmtudisc " | " wildrecv " | " icmp " | " af-unspec " | " align4
569 .IR ADDR "[/" PLEN "] ]"
571 .IR ADDR "[/" PLEN "] ]"
582 .RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
587 .RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
593 .RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
596 .IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
602 .RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
605 .RB "{ " byte-soft " | " byte-hard " }"
608 .RB "{ " packet-soft " | " packet-hard " }"
613 .RB "{ " espinudp " | " espinudp-nonike " }"
614 .IR SPORT " " DPORT " " OADDR
617 .BR "ip xfrm policy" " { " add " | " update " }"
637 .RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]"
640 .BR "ip xfrm policy" " { " delete " | " get " }"
641 .RI "{ " SELECTOR " | "
656 .BR "ip xfrm policy" " { " deleteall " | " list " }"
657 .RI "[ " SELECTOR " ]"
670 .B "ip xfrm policy flush"
675 .B "ip xfrm policy count"
680 .IR ADDR "[/" PLEN "] ]"
682 .IR ADDR "[/" PLEN "] ]"
692 .RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
697 .RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
703 .RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
707 .BR in " | " out " | " fwd
715 .BR allow " | " block
718 .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
722 .BR localok " | " icmp
725 .IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
731 .RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
734 .RB "{ " byte-soft " | " byte-hard " }"
737 .RB "{ " packet-soft " | " packet-hard " }"
741 .IR TMPL-LIST " := [ " TMPL-LIST " ]"
767 .BR esp " | " ah " | " comp " | " route2 " | " hao
771 .BR transport " | " tunnel " | " ro " | " in_trigger " | " beet
775 .BR required " | " use
778 .BR "ip xfrm monitor" " [ " all " |"
779 .IR LISTofXFRM-OBJECTS " ]"
787 .BR "\-V" , " \-Version"
788 print the version of the
793 .BR "\-s" , " \-stats", " \-statistics"
794 output more information. If the option
795 appears twice or more, the amount of information increases.
796 As a rule, the information is statistics or some time values.
799 .BR "\-l" , " \-loops"
800 Specify maximum number of loops the 'ip addr flush' logic
801 will attempt before giving up. The default is 10.
802 Zero (0) means loop until all addresses are removed.
805 .BR "\-f" , " \-family"
806 followed by protocol family identifier:
807 .BR "inet" , " inet6"
810 ,enforce the protocol family to use. If the option is not present,
811 the protocol family is guessed from other arguments. If the rest
812 of the command line does not give enough information to guess the
815 falls back to the default one, usually
820 is a special family identifier meaning that no networking protocol
831 .BR "\-family inet6" .
836 .BR "\-family link" .
839 .BR "\-o" , " \-oneline"
840 output each record on a single line, replacing line feeds
843 character. This is convenient when you want to count records
851 .BR "\-r" , " \-resolve"
852 use the system's name resolver to print DNS names instead of
855 .SH IP - COMMAND SYNTAX
866 - protocol (IP or IPv6) address on a device.
870 - label configuration for protocol address selection.
874 - ARP or NDISC cache entry.
878 - routing table entry.
882 - rule in routing policy database.
890 - multicast routing cache entry.
897 The names of all objects may be written in full or
898 abbreviated form, f.e.
908 Specifies the action to perform on the object.
909 The set of possible actions depends on the object type.
910 As a rule, it is possible to
911 .BR "add" , " delete"
916 ) objects, but some objects do not allow all of these operations
917 or have some additional commands. The
919 command is available for all objects. It prints
920 out a list of available commands and argument syntax conventions.
922 If no command is given, some default command is assumed.
925 or, if the objects of this class cannot be listed,
928 .SH ip link - network device configuration
931 is a network device and the corresponding commands
932 display and change the state of devices.
934 .SS ip link add - add virtual link
938 specifies the physical device to operate on.
941 specifies the name of the new virtual device.
944 specifies the type of the new device.
950 - 802.1q tagged virtual LAN interface
953 - virtual interface based on link layer address (MAC)
956 - Controller Area Network interface
959 .SS ip link delete - delete virtual link
961 specifies the virtual device to operate on.
963 specifies the type of the device.
968 specifies the physical device to operate on.
970 .SS ip link set - change device attributes
975 specifies network device to operate on. When configuring SR-IOV Virtual Function
976 (VF) devices, this keyword should specify the associated Physical Function (PF)
982 has a dual role: If both group and dev are present, then move the device to the
983 specified group. If only a group is specified, then the command operates on
984 all devices in that group.
988 change the state of the device to
994 .BR "arp on " or " arp off"
1000 .BR "multicast on " or " multicast off"
1006 .BR "dynamic on " or " dynamic off"
1013 change the name of the device. This operation is not
1014 recommended if the device is running or has some addresses
1018 .BI txqueuelen " NUMBER"
1020 .BI txqlen " NUMBER"
1021 change the transmit queue length of the device.
1030 .BI address " LLADDRESS"
1031 change the station address of the interface.
1034 .BI broadcast " LLADDRESS"
1036 .BI brd " LLADDRESS"
1038 .BI peer " LLADDRESS"
1039 change the link layer broadcast address or the peer address when
1045 move the device to the network namespace associated with the process
1049 .BI netns " NETNSNAME"
1050 move the device to the network namespace associated with name
1055 give the device a symbolic name for easy reference.
1059 specify the group the device belongs to.
1060 The available groups are listed in file
1061 .BR "/etc/iproute2/group" .
1065 specify a Virtual Function device to be configured. The associated PF device
1066 must be specified using the
1071 .BI mac " LLADDRESS"
1072 - change the station address for the specified VF. The
1074 parameter must be specified.
1078 - change the assigned VLAN for the specified VF. When specified, all traffic
1079 sent from the VF will be tagged with the specified VLAN ID. Incoming traffic
1080 will be filtered for the specified VLAN ID, and will have all VLAN tags
1081 stripped before being passed to the VF. Setting this parameter to 0 disables
1082 VLAN tagging and filtering. The
1084 parameter must be specified.
1088 - assign VLAN QOS (priority) bits for the VLAN tag. When specified, all VLAN
1089 tags transmitted by the VF will include the specified priority bits in the
1090 VLAN tag. If not specified, the value is assumed to be 0. Both the
1094 parameters must be specified. Setting both
1098 as 0 disables VLAN tagging and filtering for the VF.
1102 - change the allowed transmit bandwidth, in Mbps, for the specified VF.
1103 Setting this parameter to 0 disables rate limiting. The
1105 parameter must be specified.
1109 .BI master " DEVICE"
1110 set master device of the device (enslave device).
1114 unset master device of the device (release device).
1118 If multiple parameter changes are requested,
1120 aborts immediately after any of the changes have failed.
1121 This is the only case when
1123 can move the system to an unpredictable state. The solution
1124 is to avoid changing several parameters with one
1128 .SS ip link show - display device attributes
1131 .BI dev " NAME " (default)
1133 specifies the network device to show.
1134 If this argument is omitted all devices in the default group are listed.
1139 specifies what group of devices to show.
1143 only display running interfaces.
1145 .SH ip address - protocol address management.
1149 is a protocol (IP or IPv6) address attached
1150 to a network device. Each device must have at least one address
1151 to use the corresponding protocol. It is possible to have several
1152 different addresses attached to one device. These addresses are not
1153 discriminated, so that the term
1155 is not quite appropriate for them and we do not use it in this document.
1159 command displays addresses and their properties, adds new addresses
1160 and deletes old ones.
1162 .SS ip address add - add new protocol address.
1166 the name of the device to add the address to.
1169 .BI local " ADDRESS " (default)
1170 the address of the interface. The format of the address depends
1171 on the protocol. It is a dotted quad for IP and a sequence of
1172 hexadecimal halfwords separated by colons for IPv6. The
1174 may be followed by a slash and a decimal number which encodes
1175 the network prefix length.
1179 the address of the remote endpoint for pointopoint interfaces.
1182 may be followed by a slash and a decimal number, encoding the network
1183 prefix length. If a peer address is specified, the local address
1184 cannot have a prefix length. The network prefix is associated
1185 with the peer rather than with the local address.
1188 .BI broadcast " ADDRESS"
1189 the broadcast address on the interface.
1191 It is possible to use the special symbols
1195 instead of the broadcast address. In this case, the broadcast address
1196 is derived by setting/resetting the host bits of the interface prefix.
1200 Each address may be tagged with a label string.
1201 In order to preserve compatibility with Linux-2.0 net aliases,
1202 this string must coincide with the name of the device or must be prefixed
1203 with the device name followed by colon.
1206 .BI scope " SCOPE_VALUE"
1207 the scope of the area where this address is valid.
1208 The available scopes are listed in file
1209 .BR "/etc/iproute2/rt_scopes" .
1210 Predefined scope values are:
1214 - the address is globally valid.
1217 - (IPv6 only) the address is site local, i.e. it is
1218 valid inside this site.
1221 - the address is link local, i.e. it is valid only on this device.
1224 - the address is valid only inside this host.
1227 .SS ip address delete - delete protocol address
1229 coincide with the arguments of
1231 The device name is a required argument. The rest are optional.
1232 If no arguments are given, the first address is deleted.
1234 .SS ip address show - look at protocol addresses
1237 .BI dev " NAME " (default)
1241 .BI scope " SCOPE_VAL"
1242 only list addresses with this scope.
1246 only list addresses matching this prefix.
1249 .BI label " PATTERN"
1250 only list addresses with labels matching the
1253 is a usual shell style pattern.
1256 .BR dynamic " and " permanent
1257 (IPv6 only) only list addresses installed due to stateless
1258 address configuration or only list permanent (not dynamic)
1263 (IPv6 only) only list addresses which have not yet passed duplicate
1268 (IPv6 only) only list deprecated addresses.
1272 (IPv6 only) only list addresses which have failed duplicate
1277 (IPv6 only) only list temporary addresses.
1280 .BR primary " and " secondary
1281 only list primary (or secondary) addresses.
1283 .SS ip address flush - flush protocol addresses
1284 This command flushes the protocol addresses selected by some criteria.
1287 This command has the same arguments as
1289 The difference is that it does not run when no arguments are given.
1293 This command (and other
1295 commands described below) is pretty dangerous. If you make a mistake,
1296 it will not forgive it, but will cruelly purge all the addresses.
1301 option, the command becomes verbose. It prints out the number of deleted
1302 addresses and the number of rounds made to flush the address list. If
1303 this option is given twice,
1305 also dumps all the deleted addresses in the format described in the
1306 previous subsection.
1308 .SH ip addrlabel - protocol address label management.
1310 IPv6 address labels are used for address selection as
1311 described in RFC 3484. Precedence is managed by userspace,
1312 and only the label is stored in the kernel.
1314 .SS ip addrlabel add - add an address label
1315 the command adds an address label entry to the kernel.
1317 .BI prefix " PREFIX"
1320 the outgoing interface.
1323 the label for the prefix.
1324 0xffffffff is reserved.
1325 .SS ip addrlabel del - delete an address label
1326 the command deletes an address label entry in the kernel.
1328 coincide with the arguments of
1330 but label is not required.
1331 .SS ip addrlabel list - list address labels
1332 the command shows the contents of address labels.
1333 .SS ip addrlabel flush - flush address labels
1334 the command flushes the contents of address labels and it does not restore default settings.
1335 .SH ip neighbour - neighbour/arp tables management.
1338 objects establish bindings between protocol addresses and
1339 link layer addresses for hosts sharing the same link.
1340 Neighbour entries are organized into tables. The IPv4 neighbour table
1341 is known by another name - the ARP table.
1344 The corresponding commands display neighbour bindings
1345 and their properties, add new neighbour entries and delete old ones.
1347 .SS ip neighbour add - add a new neighbour entry
1348 .SS ip neighbour change - change an existing entry
1349 .SS ip neighbour replace - add a new entry or change an existing one
1351 These commands create new neighbour records or update existing ones.
1354 .BI to " ADDRESS " (default)
1355 the protocol address of the neighbour. It is either an IPv4 or IPv6 address.
1359 the interface to which this neighbour is attached.
1362 .BI lladdr " LLADDRESS"
1363 the link layer address of the neighbour.
1369 .BI nud " NUD_STATE"
1370 the state of the neighbour entry.
1372 is an abbreviation for 'Neighbour Unreachability Detection'.
1373 The state can take one of the following values:
1377 - the neighbour entry is valid forever and can only
1378 be removed administratively.
1382 - the neighbour entry is valid. No attempts to validate
1383 this entry will be made but it can be removed when its lifetime expires.
1387 - the neighbour entry is valid until the reachability
1392 - the neighbour entry is valid but suspicious.
1395 does not change the neighbour state if it was valid and the address
1396 is not changed by this command.
1399 .SS ip neighbour delete - delete a neighbour entry
1400 This command invalidates a neighbour entry.
1403 The arguments are the same as with
1404 .BR "ip neigh add" ,
1413 Attempts to delete or manually change a
1415 entry created by the kernel may result in unpredictable behaviour.
1416 Particularly, the kernel may try to resolve this address even
1419 interface or if the address is multicast or broadcast.
1421 .SS ip neighbour show - list neighbour entries
1423 This command displays neighbour tables.
1426 .BI to " ADDRESS " (default)
1427 the prefix selecting the neighbours to list.
1431 only list the neighbours attached to this device.
1435 only list neighbours which are not currently in use.
1438 .BI nud " NUD_STATE"
1439 only list neighbour entries in this state.
1441 takes values listed below or the special value
1443 which means all states. This option may occur more than once.
1444 If this option is absent,
1446 lists all entries except for
1451 .SS ip neighbour flush - flush neighbour entries
1452 This command flushes neighbour tables, selecting
1453 entries to flush by some criteria.
1456 This command has the same arguments as
1458 The differences are that it does not run when no arguments are given,
1459 and that the default neighbour states to be flushed do not include
1467 option, the command becomes verbose. It prints out the number of
1468 deleted neighbours and the number of rounds made to flush the
1469 neighbour table. If the option is given
1472 also dumps all the deleted neighbours.
1474 .SH ip route - routing table management
1475 Manipulate route entries in the kernel routing tables, which keep
1476 information about paths to other networked nodes.
1482 - the route entry describes real paths to the destinations covered
1483 by the route prefix.
1487 - these destinations are unreachable. Packets are discarded and the
1491 The local senders get an
1497 - these destinations are unreachable. Packets are discarded silently.
1498 The local senders get an
1504 - these destinations are unreachable. Packets are discarded and the
1506 .I communication administratively prohibited
1507 is generated. The local senders get an
1513 - the destinations are assigned to this host. The packets are looped
1514 back and delivered locally.
1518 - the destinations are broadcast addresses. The packets are sent as
1523 - a special control route used together with policy rules. If such a
1524 route is selected, lookup in this table is terminated pretending that
1525 no route was found. Without policy routing it is equivalent to the
1526 absence of the route in the routing table. The packets are dropped
1527 and the ICMP message
1529 is generated. The local senders get an
1535 - a special NAT route. Destinations covered by the prefix
1536 are considered to be dummy (or external) addresses which require translation
1537 to real (or internal) ones before forwarding. The addresses to translate to
1538 are selected with the attribute
1540 Route NAT is no longer supported in Linux 2.6.
1546 .RI "- " "not implemented"
1547 the destinations are
1549 addresses assigned to this host. They are mainly equivalent
1552 with one difference: such addresses are invalid when used
1553 as the source address of any packet.
1557 - a special type used for multicast routing. It is not present in
1558 normal routing tables.
1563 Linux-2.x can pack routes into several routing tables identified
1564 by a number in the range from 1 to 2^31 or by name from the file
1565 .B /etc/iproute2/rt_tables
1566 By default all normal routes are inserted into the
1568 table (ID 254) and the kernel only uses this table when calculating routes.
1569 Values (0, 253, 254, and 255) are reserved for built-in use.
1572 Actually, one other table always exists, which is invisible but
1573 even more important. It is the
1575 table (ID 255). This table
1576 consists of routes for local and broadcast addresses. The kernel maintains
1577 this table automatically and the administrator usually need not modify it
1580 The multiple routing tables enter the game when
1584 .SS ip route add - add new route
1585 .SS ip route change - change route
1586 .SS ip route replace - change or add new one
1589 .BI to " TYPE PREFIX " (default)
1590 the destination prefix of the route. If
1600 is an IP or IPv6 address optionally followed by a slash and the
1601 prefix length. If the length of the prefix is missing,
1603 assumes a full-length host route. There is also a special
1606 - which is equivalent to IP
1615 the Type Of Service (TOS) key. This key has no associated mask and
1616 the longest match is understood as: First, compare the TOS
1617 of the route and of the packet. If they are not equal, then the packet
1618 may still match a route with a zero TOS.
1620 is either an 8 bit hexadecimal number or an identifier
1622 .BR "/etc/iproute2/rt_dsfield" .
1625 .BI metric " NUMBER"
1627 .BI preference " NUMBER"
1628 the preference value of the route.
1630 is an arbitrary 32bit number.
1633 .BI table " TABLEID"
1634 the table to add this route to.
1636 may be a number or a string from the file
1637 .BR "/etc/iproute2/rt_tables" .
1638 If this parameter is omitted,
1642 table, with the exception of
1643 .BR local " , " broadcast " and " nat
1644 routes, which are put into the
1650 the output device name.
1654 the address of the nexthop router. Actually, the sense of this field
1655 depends on the route type. For normal
1657 routes it is either the true next hop router or, if it is a direct
1658 route installed in BSD compatibility mode, it can be a local address
1659 of the interface. For NAT routes it is the first address of the block
1660 of translated IP destinations.
1664 the source address to prefer when sending to the destinations
1665 covered by the route prefix.
1668 .BI realm " REALMID"
1669 the realm to which this route is assigned.
1671 may be a number or a string from the file
1672 .BR "/etc/iproute2/rt_realms" .
1677 .BI "mtu lock" " MTU"
1678 the MTU along the path to the destination. If the modifier
1680 is not used, the MTU may be updated by the kernel due to
1681 Path MTU Discovery. If the modifier
1683 is used, no path MTU discovery will be tried, all packets
1684 will be sent without the DF bit in IPv4 case or fragmented
1688 .BI window " NUMBER"
1689 the maximal window for TCP to advertise to these destinations,
1690 measured in bytes. It limits maximal data bursts that our TCP
1691 peers are allowed to send to us.
1695 the initial RTT ('Round Trip Time') estimate. If no suffix is
1696 specified the units are raw values passed directly to the
1697 routing code to maintain compatibility with previous releases.
1698 Otherwise, a suffix of s, sec or secs specifies
1699 seconds, and ms, msec or msecs specifies milliseconds.
1703 .BI rttvar " TIME " "(2.3.15+ only)"
1704 the initial RTT variance estimate. Values are specified as with
1709 .BI rto_min " TIME " "(2.6.23+ only)"
1710 the minimum TCP Retransmission TimeOut to use when communicating with this
1711 destination. Values are specified as with
1716 .BI ssthresh " NUMBER " "(2.3.15+ only)"
1717 an estimate for the initial slow start threshold.
1720 .BI cwnd " NUMBER " "(2.3.15+ only)"
1721 the clamp for congestion window. It is ignored if the
1726 .BI initcwnd " NUMBER " "(2.5.70+ only)"
1727 the initial congestion window size for connections to this destination.
1728 Actual window size is this value multiplied by the MSS
1729 (``Maximal Segment Size'') for same connection. The default is
1730 zero, meaning to use the values specified in RFC2414.
1733 .BI initrwnd " NUMBER " "(2.6.33+ only)"
1734 the initial receive window size for connections to this destination.
1735 Actual window size is this value multiplied by the MSS of the connection.
1736 The default value is zero, meaning to use Slow Start value.
1739 .BI advmss " NUMBER " "(2.3.15+ only)"
1740 the MSS ('Maximal Segment Size') to advertise to these
1741 destinations when establishing TCP connections. If it is not given,
1742 Linux uses a default value calculated from the first hop device MTU.
1743 (If the path to these destinations is asymmetric, this guess may be wrong.)
1746 .BI reordering " NUMBER " "(2.3.15+ only)"
1747 Maximal reordering on the path to this destination.
1748 If it is not given, Linux uses the value selected with
1751 .BR "net/ipv4/tcp_reordering" .
1754 .BI nexthop " NEXTHOP"
1755 the nexthop of a multipath route.
1757 is a complex value with its own syntax similar to the top level
1762 - is the nexthop router.
1766 - is the output device.
1769 .BI weight " NUMBER"
1770 - is a weight for this element of a multipath
1771 route reflecting its relative bandwidth or quality.
1775 .BI scope " SCOPE_VAL"
1776 the scope of the destinations covered by the route prefix.
1778 may be a number or a string from the file
1779 .BR "/etc/iproute2/rt_scopes" .
1780 If this parameter is omitted,
1789 .BR unicast " and " broadcast
1791 .BR host " for " local
1795 .BI protocol " RTPROTO"
1796 the routing protocol identifier of this route.
1798 may be a number or a string from the file
1799 .BR "/etc/iproute2/rt_protos" .
1800 If the routing protocol ID is not given,
1801 .B ip assumes protocol
1803 (i.e. it assumes the route was added by someone who doesn't
1804 understand what they are doing). Several protocol values have
1805 a fixed interpretation.
1810 - the route was installed due to an ICMP redirect.
1814 - the route was installed by the kernel during autoconfiguration.
1818 - the route was installed during the bootup sequence.
1819 If a routing daemon starts, it will purge all of them.
1823 - the route was installed by the administrator
1824 to override dynamic routing. Routing daemons will respect them
1825 and, probably, even advertise them to its peers.
1829 - the route was installed by Router Discovery protocol.
1833 The rest of the values are not reserved and the administrator is free
1834 to assign (or not to assign) protocol tags.
1838 pretend that the nexthop is directly attached to this link,
1839 even if it does not match any interface prefix.
1841 .SS ip route delete - delete route
1844 has the same arguments as
1845 .BR "ip route add" ,
1846 but their semantics are a bit different.
1849 .RB "(" to ", " tos ", " preference " and " table ")"
1850 select the route to delete. If optional attributes are present,
1852 verifies that they coincide with the attributes of the route to delete.
1853 If no route with the given key and attributes was found,
1857 .SS ip route show - list routes
1858 the command displays the contents of the routing tables or the route(s)
1859 selected by some criteria.
1862 .BI to " SELECTOR " (default)
1863 only select routes from the given range of destinations.
1865 consists of an optional modifier
1866 .RB "(" root ", " match " or " exact ")"
1869 selects routes with prefixes not shorter than
1873 selects the entire routing table.
1875 selects routes with prefixes not longer than
1878 .BI match " 10.0/16"
1881 .IR 10/8 " and " 0/0 ,
1882 but it does not select
1883 .IR 10.1/16 " and " 10.0.0/24 .
1888 selects routes with this exact prefix. If neither of these options
1893 i.e. it lists the entire table.
1898 only select routes with the given TOS.
1901 .BI table " TABLEID"
1902 show the routes from this table(s). The default setting is to show
1905 may either be the ID of a real table or one of the special values:
1909 - list all of the tables.
1912 - dump the routing cache.
1919 list cloned routes i.e. routes which were dynamically forked from
1920 other routes because some route attribute (f.e. MTU) was updated.
1921 Actually, it is equivalent to
1922 .BR "table cache" "."
1925 .BI from " SELECTOR"
1926 the same syntax as for
1928 but it binds the source address range rather than destinations.
1931 option only works with cloned routes.
1934 .BI protocol " RTPROTO"
1935 only list routes of this protocol.
1938 .BI scope " SCOPE_VAL"
1939 only list routes with this scope.
1943 only list routes of this type.
1947 only list routes going via this device.
1951 only list routes going via the nexthop routers selected by
1956 only list routes with preferred source addresses selected
1961 .BI realm " REALMID"
1963 .BI realms " FROMREALM/TOREALM"
1964 only list routes with these realms.
1966 .SS ip route flush - flush routing tables
1967 this command flushes routes selected by some criteria.
1970 The arguments have the same syntax and semantics as the arguments of
1971 .BR "ip route show" ,
1972 except that routing tables are purged rather than listed. The only difference is
1975 dumps all the IP main routing table but
1977 prints the helper page.
1982 option, the command becomes verbose. It prints out the number of
1983 deleted routes and the number of rounds made to flush the routing
1984 table. If the option is given
1987 also dumps all the deleted routes in the format described in the
1988 previous subsection.
1990 .SS ip route get - get a single route
1991 this command gets a single route to a destination and prints its
1992 contents exactly as the kernel sees it.
1995 .BI to " ADDRESS " (default)
1996 the destination address.
2006 the Type Of Service.
2010 the device from which this packet is expected to arrive.
2014 force the output device on which this packet will be routed.
2018 if no source address
2019 .RB "(option " from ")"
2020 was given, relookup the route with the source set to the preferred
2021 address received from the first lookup.
2022 If policy routing is used, it may be a different route.
2025 Note that this operation is not equivalent to
2026 .BR "ip route show" .
2028 shows existing routes.
2030 resolves them and creates new clones if necessary. Essentially,
2032 is equivalent to sending a packet along this path.
2035 argument is not given, the kernel creates a route
2036 to output packets towards the requested destination.
2037 This is equivalent to pinging the destination
2039 .BR "ip route ls cache" ,
2040 however, no packets are actually sent. With the
2042 argument, the kernel pretends that a packet arrived from this interface
2043 and searches for a path to forward the packet.
2045 .SS ip route save - save routing table information to stdout
2046 this command behaves like
2048 except that the output is raw data suitable for passing to
2049 .BR "ip route restore" .
2051 .SS ip route restore - restore routing table information from stdin
2052 this command expects to read a data stream as returned from
2053 .BR "ip route save" .
2054 It will attempt to restore the routing table information exactly as
2055 it was at the time of the save, so any translation of information
2056 in the stream (such as device indexes) must be done first. Any existing
2057 routes are left unchanged. Any routes specified in the data stream that
2058 already exist in the table will be ignored.
2060 .SH ip rule - routing policy database management
2063 in the routing policy database control the route selection algorithm.
2066 Classic routing algorithms used in the Internet make routing decisions
2067 based only on the destination address of packets (and in theory,
2068 but not in practice, on the TOS field).
2071 In some circumstances we want to route packets differently depending not only
2072 on destination addresses, but also on other packet fields: source address,
2073 IP protocol, transport protocol ports or even packet payload.
2074 This task is called 'policy routing'.
2077 To solve this task, the conventional destination based routing table, ordered
2078 according to the longest match rule, is replaced with a 'routing policy
2079 database' (or RPDB), which selects routes by executing some set of rules.
2082 Each policy routing rule consists of a
2085 .B action predicate.
2086 The RPDB is scanned in the order of increasing priority. The selector
2087 of each rule is applied to {source address, destination address, incoming
2088 interface, tos, fwmark} and, if the selector matches the packet,
2089 the action is performed. The action predicate may return with success.
2090 In this case, it will either give a route or failure indication
2091 and the RPDB lookup is terminated. Otherwise, the RPDB program
2092 continues on the next rule.
2095 Semantically, the natural action is to select the nexthop and the output device.
2098 At startup time the kernel configures the default RPDB consisting of three
2103 Priority: 0, Selector: match anything, Action: lookup routing
2109 table is a special routing table containing
2110 high priority control routes for local and broadcast addresses.
2112 Rule 0 is special. It cannot be deleted or overridden.
2116 Priority: 32766, Selector: match anything, Action: lookup routing
2122 table is the normal routing table containing all non-policy
2123 routes. This rule may be deleted and/or overridden with other
2124 ones by the administrator.
2128 Priority: 32767, Selector: match anything, Action: lookup routing
2134 table is empty. It is reserved for some post-processing if no previous
2135 default rules selected the packet.
2136 This rule may also be deleted.
2139 Each RPDB entry has additional
2140 attributes. F.e. each rule has a pointer to some routing
2141 table. NAT and masquerading rules have an attribute to select new IP
2142 address to translate/masquerade. Besides that, rules have some
2143 optional attributes, which routes have, namely
2145 These values do not override those contained in the routing tables. They
2146 are only used if the route did not select any attributes.
2149 The RPDB may contain rules of the following types:
2153 - the rule prescribes to return the route found
2154 in the routing table referenced by the rule.
2157 - the rule prescribes to silently drop the packet.
2160 - the rule prescribes to generate a 'Network is unreachable' error.
2163 - the rule prescribes to generate 'Communication is administratively
2167 - the rule prescribes to translate the source address
2168 of the IP packet into some other value.
2171 .SS ip rule add - insert a new rule
2172 .SS ip rule delete - delete a rule
2175 .BI type " TYPE " (default)
2176 the type of this rule. The list of valid types was given in the previous
2181 select the source prefix to match.
2185 select the destination prefix to match.
2189 select the incoming device to match. If the interface is loopback,
2190 the rule only matches packets originating from this host. This means
2191 that you may create separate routing tables for forwarded and local
2192 packets and, hence, completely segregate them.
2196 select the outgoing device to match. The outgoing interface is only
2197 available for packets originating from local sockets that are bound to
2204 select the TOS value to match.
2213 .BI priority " PREFERENCE"
2214 the priority of this rule. Each rule should have an explicitly
2218 The options preference and order are synonyms with priority.
2221 .BI table " TABLEID"
2222 the routing table identifier to lookup if the rule selector matches.
2223 It is also possible to use lookup instead of table.
2226 .BI realms " FROM/TO"
2227 Realms to select if the rule matched and the routing table lookup
2230 is only used if the route did not select any realm.
2234 The base of the IP address block to translate (for source addresses).
2237 may be either the start of the block of NAT addresses (selected by NAT
2238 routes) or a local host address (or even zero).
2239 In the last case the router does not translate the packets, but
2240 masquerades them to this address.
2241 Using map-to instead of nat means the same thing.
2244 Changes to the RPDB made with these commands do not become active
2245 immediately. It is assumed that after a script finishes a batch of
2246 updates, it flushes the routing cache with
2247 .BR "ip route flush cache" .
2249 .SS ip rule flush - also dumps all the deleted rules.
2250 This command has no arguments.
2252 .SS ip rule show - list rules
2253 This command has no arguments.
2254 The options list or lst are synonyms with show.
2256 .SH ip maddress - multicast addresses management
2259 objects are multicast addresses.
2261 .SS ip maddress show - list multicast addresses
2264 .BI dev " NAME " (default)
2267 .SS ip maddress add - add a multicast address
2268 .SS ip maddress delete - delete a multicast address
2269 these commands attach/detach a static link layer multicast address
2270 to listen on the interface.
2271 Note that it is impossible to join protocol multicast groups
2272 statically. This command only manages link layer addresses.
2275 .BI address " LLADDRESS " (default)
2276 the link layer multicast address.
2280 the device to join/leave this multicast address.
2282 .SH ip mroute - multicast routing cache management
2284 objects are multicast routing cache entries created by a user level
2285 mrouting daemon (f.e.
2291 Due to the limitations of the current interface to the multicast routing
2292 engine, it is impossible to change
2294 objects administratively, so we may only display them. This limitation
2295 will be removed in the future.
2297 .SS ip mroute show - list mroute cache entries
2300 .BI to " PREFIX " (default)
2301 the prefix selecting the destination multicast addresses to list.
2305 the interface on which multicast packets are received.
2309 the prefix selecting the IP source addresses of the multicast route.
2311 .SH ip tunnel - tunnel configuration
2313 objects are tunnels, encapsulating packets in IP packets and then
2314 sending them over the IP infrastructure.
2315 The encapsulating (or outer) address family is specified by the
2317 option. The default is IPv4.
2319 .SS ip tunnel add - add a new tunnel
2320 .SS ip tunnel change - change an existing tunnel
2321 .SS ip tunnel delete - destroy a tunnel
2324 .BI name " NAME " (default)
2325 select the tunnel device name.
2329 set the tunnel mode. Available modes depend on the encapsulating address family.
2331 Modes for IPv4 encapsulation available:
2332 .BR ipip ", " sit ", " isatap " and " gre "."
2334 Modes for IPv6 encapsulation available:
2335 .BR ip6ip6 ", " ipip6 " and " any "."
2338 .BI remote " ADDRESS"
2339 set the remote endpoint of the tunnel.
2342 .BI local " ADDRESS"
2343 set the fixed local address for tunneled packets.
2344 It must be an address on another interface of this host.
2350 on tunneled packets.
2352 is a number in the range 1--255. 0 is a special value
2353 meaning that packets inherit the TTL value.
2354 The default value for IPv4 tunnels is:
2356 The default value for IPv6 tunnels is:
2366 set a fixed TOS (or traffic class in IPv6)
2368 on tunneled packets.
2369 The default value is:
2374 bind the tunnel to the device
2376 so that tunneled packets will only be routed via this device and will
2377 not be able to escape to another device when the route to endpoint
2382 disable Path MTU Discovery on this tunnel.
2383 It is enabled by default. Note that a fixed ttl is incompatible
2384 with this option: tunnelling with a fixed ttl always makes pmtu
2393 .RB ( " only GRE tunnels " )
2394 use keyed GRE with key
2396 is either a number or an IP address-like dotted quad.
2399 parameter sets the key to use in both directions.
2401 .BR ikey " and " okey
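2402 parameters set different keys for input and output. The key only identifies traffic belonging to the tunnel; it does not authenticate or encrypt packets.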
2405 .BR csum ", " icsum ", " ocsum
2406 .RB ( " only GRE tunnels " )
2407 generate/require checksums for tunneled packets.
2410 flag calculates checksums for outgoing packets.
2413 flag requires that all input packets have the correct
2416 flag is equivalent to the combination
2420 .BR seq ", " iseq ", " oseq
2421 .RB ( " only GRE tunnels " )
2425 flag enables sequencing of outgoing packets.
2428 flag requires that all input packets are serialized.
2431 flag is equivalent to the combination
2433 .B It doesn't work. Don't use it.
2437 .RB ( " only IPv6 tunnels " )
2438 Inherit DS field between inner and outer header.
2441 .BI encaplim " ELIM"
2442 .RB ( " only IPv6 tunnels " )
2443 set a fixed encapsulation limit. Default is 4.
2446 .BI flowlabel " FLOWLABEL"
2447 .RB ( " only IPv6 tunnels " )
2448 set a fixed flowlabel.
2450 .SS ip tunnel prl - potential router list (ISATAP only)
2454 mandatory device name.
2457 .BI prl-default " ADDR"
2459 .BI prl-nodefault " ADDR"
2461 .BI prl-delete " ADDR"
2462 .RB "Add or delete " ADDR
2463 as a potential router or default router.
2465 .SS ip tunnel show - list tunnels
2466 This command has no arguments.
2468 .SH ip monitor and rtmon - state monitoring
2472 utility can monitor the state of devices, addresses
2473 and routes continuously. This option has a slightly different format.
2476 command is the first in the command line and then the object list follows:
2478 .BR "ip monitor" " [ " all " |"
2479 .IR LISTofOBJECTS " ]"
2482 is the list of object types that we want to monitor.
2484 .BR link ", " address " and " route "."
2489 opens RTNETLINK, listens on it and dumps state changes in the format
2490 described in previous sections.
2493 If a file name is given, it does not listen on RTNETLINK,
2494 but opens the file containing RTNETLINK messages saved in binary format
2495 and dumps them. Such a history file can be generated with the
2497 utility. This utility has a command line syntax similar to
2501 should be started before the first network configuration command
2502 is issued. F.e. if you insert:
2505 rtmon file /var/log/rtmon.log
2508 in a startup script, you will be able to view the full history
2512 Certainly, it is possible to start
2515 It prepends the history with the state snapshot dumped at the moment
2518 .SH ip netns - process network namespace management
2520 A network namespace is logically another copy of the network stack,
2521 with its own routes, firewall rules, and network devices.
2523 By convention a named network namespace is an object at
2524 .BR "/var/run/netns/" NAME
2525 that can be opened. The file descriptor resulting from opening
2526 .BR "/var/run/netns/" NAME
2527 refers to the specified network namespace. Holding that file
2528 descriptor open keeps the network namespace alive. The file
2529 descriptor can be used with the
2531 system call to change the network namespace associated with a task.
2533 The convention for network namespace aware applications is to look
2534 for global network configuration files first in
2535 .BR "/etc/netns/" NAME "/"
2538 For example, if you want a different version of
2539 .BR /etc/resolv.conf
2540 for a network namespace used to isolate your vpn you would name it
2541 .BR /etc/netns/myvpn/resolv.conf.
2544 automates handling of this configuration file convention for network
2545 namespace unaware applications, by creating a mount namespace and
2546 bind mounting all of the per network namespace configure files into
2547 their traditional location in /etc.
2549 .SS ip netns list - show all of the named network namespaces
2550 .SS ip netns add NAME - create a new named network namespace
2551 .SS ip netns delete NAME - delete the name of a network namespace
2552 .SS ip netns exec NAME cmd ... - Run cmd in the named network namespace
2554 .SH ip xfrm - transform configuration
2555 xfrm is an IP framework for transforming packets (such as encrypting
2556 their payloads). This framework is used to implement the IPsec protocol
2559 object operating on the Security Association Database, and the
2561 object operating on the Security Policy Database). It is also used for
2562 the IP Payload Compression Protocol and features of Mobile IPv6.
2564 .SS ip xfrm state add - add new state into xfrm
2566 .SS ip xfrm state update - update existing state in xfrm
2568 .SS ip xfrm state allocspi - allocate an SPI value
2570 .SS ip xfrm state delete - delete existing state in xfrm
2572 .SS ip xfrm state get - get existing state in xfrm
2574 .SS ip xfrm state deleteall - delete all existing state in xfrm
2576 .SS ip xfrm state list - print out the list of existing state in xfrm
2578 .SS ip xfrm state flush - flush all state in xfrm
2580 .SS ip xfrm state count - count all existing state in xfrm
2584 is specified by a source address, destination address,
2585 .RI "transform protocol " XFRM-PROTO ","
2586 and/or Security Parameter Index
2591 specifies a transform protocol:
2592 .RB "IPsec Encapsulating Security Payload (" esp "),"
2593 .RB "IPsec Authentication Header (" ah "),"
2594 .RB "IP Payload Compression (" comp "),"
2595 .RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
2596 .RB "Mobile IPv6 Home Address Option (" hao ")."
2600 specifies one or more algorithms
2602 to use. Algorithm types include
2603 .RB "encryption (" enc "),"
2604 .RB "authentication (" auth "),"
2605 .RB "authentication with a specified truncation length (" auth-trunc "),"
2606 .RB "authenticated encryption with associated data (" aead "), and"
2607 .RB "compression (" comp ")."
2608 For each algorithm used, the algorithm type, the algorithm name
2612 must be specified. For
2614 the Integrity Check Value length
2616 must additionally be specified.
2619 the signature truncation length
2621 must additionally be specified.
2625 specifies a mode of operation:
2626 .RB "IPsec transport mode (" transport "), "
2627 .RB "IPsec tunnel mode (" tunnel "), "
2628 .RB "Mobile IPv6 route optimization mode (" ro "), "
2629 .RB "Mobile IPv6 inbound trigger mode (" in_trigger "), or "
2630 .RB "IPsec ESP Bound End-to-End Tunnel Mode (" beet ")."
2634 contains one or more of the following optional flags:
2635 .BR noecn ", " decap-dscp ", " nopmtudisc ", " wildrecv ", " icmp ", "
2636 .BR af-unspec ", or " align4 "."
2640 selects the traffic that will be controlled by the policy, based on the source
2641 address, the destination address, the network device, and/or
2646 selects traffic by protocol. For the
2647 .BR tcp ", " udp ", " sctp ", or " dccp
2648 protocols, the source and destination port can optionally be specified.
2650 .BR icmp ", " ipv6-icmp ", or " mobility-header
2651 protocols, the type and code numbers can optionally be specified.
2654 protocol, the key can optionally be specified as a dotted-quad or number.
2655 Other protocols can be selected by name or number
2660 sets limits in seconds, bytes, or numbers of packets.
2664 encapsulates packets with protocol
2665 .BR espinudp " or " espinudp-nonike ","
2666 .RI "using source port " SPORT ", destination port " DPORT
2667 .RI ", and original address " OADDR "."
2669 .SS ip xfrm policy add - add a new policy
2671 .SS ip xfrm policy update - update an existing policy
2673 .SS ip xfrm policy delete - delete an existing policy
2675 .SS ip xfrm policy get - get an existing policy
2677 .SS ip xfrm policy deleteall - delete all existing xfrm policies
2679 .SS ip xfrm policy list - print out the list of xfrm policies
2681 .SS ip xfrm policy flush - flush policies
2683 .SS ip xfrm policy count - count existing policies
2687 selects the traffic that will be controlled by the policy, based on the source
2688 address, the destination address, the network device, and/or
2693 selects traffic by protocol. For the
2694 .BR tcp ", " udp ", " sctp ", or " dccp
2695 protocols, the source and destination port can optionally be specified.
2697 .BR icmp ", " ipv6-icmp ", or " mobility-header
2698 protocols, the type and code numbers can optionally be specified.
2701 protocol, the key can optionally be specified as a dotted-quad or number.
2702 Other protocols can be selected by name or number
2707 selects the policy direction as
2708 .BR in ", " out ", or " fwd "."
2712 sets the security context.
2717 .BR main " (default) or " sub "."
2722 .BR allow " (default) or " block "."
2726 is a number that defaults to zero.
2730 contains one or both of the following optional flags:
2731 .BR local " or " icmp "."
2735 sets limits in seconds, bytes, or numbers of packets.
2739 is a template list specified using
2740 .IR ID ", " MODE ", " REQID ", and/or " LEVEL ". "
2744 is specified by a source address, destination address,
2745 .RI "transform protocol " XFRM-PROTO ","
2746 and/or Security Parameter Index
2751 specifies a transform protocol:
2752 .RB "IPsec Encapsulating Security Payload (" esp "),"
2753 .RB "IPsec Authentication Header (" ah "),"
2754 .RB "IP Payload Compression (" comp "),"
2755 .RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
2756 .RB "Mobile IPv6 Home Address Option (" hao ")."
2760 specifies a mode of operation:
2761 .RB "IPsec transport mode (" transport "), "
2762 .RB "IPsec tunnel mode (" tunnel "), "
2763 .RB "Mobile IPv6 route optimization mode (" ro "), "
2764 .RB "Mobile IPv6 inbound trigger mode (" in_trigger "), or "
2765 .RB "IPsec ESP Bound End-to-End Tunnel Mode (" beet ")."
2770 .BR required " (default) or " use "."
2772 .SS ip xfrm monitor - state monitoring for xfrm objects
2773 The xfrm objects to monitor can be optionally specified.
2777 was written by Alexey N. Kuznetsov and added in Linux 2.2.
2781 .RB "IP Command reference " ip-cref.ps
2783 .RB "IP tunnels " ip-cref.ps
2785 .RB "User documentation at " http://lartc.org/ ", but please direct bug reports and patches to: " <netdev@vger.kernel.org>
2788 Original Manpage by Michail Litvak <mci@owl.openwall.com>