[mirror_iproute2.git] / man / man8 / ip-xfrm.8

.TH IP\-XFRM 8 "20 Dec 2011" "iproute2" "Linux"
.SH "NAME"
ip-xfrm \- transform configuration
.SH "SYNOPSIS"
.sp
.ad l
.in +8
.ti -8
.B ip
.RI "[ " OPTIONS " ]"
.B xfrm
.RI " { " COMMAND " | "
.BR help " }"
.sp

.ti -8
.B "ip xfrm"
.IR XFRM-OBJECT " { " COMMAND " | "
.BR help " }"
.sp

.ti -8
.IR XFRM-OBJECT " :="
.BR state " | " policy " | " monitor
.sp

.ti -8
.BR "ip xfrm state" " { " add " | " update " } "
.IR ID " [ " ALGO-LIST " ]"
.RB "[ " mode
.IR MODE " ]"
.RB "[ " mark
.I MARK
.RB "[ " mask
.IR MASK " ] ]"
.RB "[ " reqid
.IR REQID " ]"
.RB "[ " seq
.IR SEQ " ]"
.RB "[ " replay-window
.IR SIZE " ]"
.RB "[ " replay-seq
.IR SEQ " ]"
.RB "[ " replay-oseq
.IR SEQ " ]"
.RB "[ " replay-seq-hi
.IR SEQ " ]"
.RB "[ " replay-oseq-hi
.IR SEQ " ]"
.RB "[ " flag
.IR FLAG-LIST " ]"
.RB "[ " sel
.IR SELECTOR " ] [ " LIMIT-LIST " ]"
.RB "[ " encap
.IR ENCAP " ]"
.RB "[ " coa
.IR ADDR "[/" PLEN "] ]"
.RB "[ " ctx
.IR CTX " ]"
.RB "[ " extra-flag
.IR EXTRA-FLAG-LIST " ]"
.RB "[ " output-mark
.IR OUTPUT-MARK " ]"
.RB "[ " if_id
.IR IF-ID " ]"

.ti -8
.B "ip xfrm state allocspi"
.I ID
.RB "[ " mode
.IR MODE " ]"
.RB "[ " mark
.I MARK
.RB "[ " mask
.IR MASK " ] ]"
.RB "[ " reqid
.IR REQID " ]"
.RB "[ " seq
.IR SEQ " ]"
.RB "[ " min
.I SPI
.B max
.IR SPI " ]"

.ti -8
.BR "ip xfrm state" " { " delete " | " get " } "
.I ID
.RB "[ " mark
.I MARK
.RB "[ " mask
.IR MASK " ] ]"

.ti -8
.BR ip " [ " -4 " | " -6 " ] " "xfrm state deleteall" " ["
.IR ID " ]"
.RB "[ " mode
.IR MODE " ]"
.RB "[ " reqid
.IR REQID " ]"
.RB "[ " flag
.IR FLAG-LIST " ]"

.ti -8
.BR ip " [ " -4 " | " -6 " ] " "xfrm state list" " ["
.IR ID " ]"
.RB "[ " nokeys " ]"
.RB "[ " mode
.IR MODE " ]"
.RB "[ " reqid
.IR REQID " ]"
.RB "[ " flag
.IR FLAG-LIST " ]"

.ti -8
.BR "ip xfrm state flush" " [ " proto
.IR XFRM-PROTO " ]"

.ti -8
.BR "ip xfrm state count"

.ti -8
.IR ID " :="
.RB "[ " src
.IR ADDR " ]"
.RB "[ " dst
.IR ADDR " ]"
.RB "[ " proto
.IR XFRM-PROTO " ]"
.RB "[ " spi
.IR SPI " ]"

.ti -8
.IR XFRM-PROTO " :="
.BR esp " | " ah " | " comp " | " route2 " | " hao

.ti -8
.IR ALGO-LIST " := [ " ALGO-LIST " ] " ALGO

.ti -8
.IR ALGO " :="
.RB "{ " enc " | " auth " } "
.IR ALGO-NAME " " ALGO-KEYMAT " |"
.br
.B auth-trunc
.IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-TRUNC-LEN " |"
.br
.B aead
.IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-ICV-LEN " |"
.br
.B comp
.IR ALGO-NAME

.ti -8
.IR MODE " := "
.BR transport " | " tunnel " | " beet " | " ro " | " in_trigger

.ti -8
.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG

.ti -8
.IR FLAG " :="
.BR noecn " | " decap-dscp " | " nopmtudisc " | " wildrecv " | " icmp " | "
.BR af-unspec " | " align4 " | " esn

.ti -8
.IR SELECTOR " :="
.RB "[ " src
.IR ADDR "[/" PLEN "] ]"
.RB "[ " dst
.IR ADDR "[/" PLEN "] ]"
.RB "[ " dev
.IR DEV " ]"
.br
.RI "[ " UPSPEC " ]"

.ti -8
.IR UPSPEC " := "
.BR proto " {"
.IR PROTO " |"
.br
.RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
.IR PORT " ]"
.RB "[ " dport
.IR PORT " ] |"
.br
.RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
.IR NUMBER " ]"
.RB "[ " code
.IR NUMBER " ] |"
.br
.BR gre " [ " key
.RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"

.ti -8
.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
.B limit
.I LIMIT

.ti -8
.IR LIMIT " :="
.RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
.IR "SECONDS" " |"
.br
.RB "{ " byte-soft " | " byte-hard " }"
.IR SIZE " |"
.br
.RB "{ " packet-soft " | " packet-hard " }"
.I COUNT

.ti -8
.IR ENCAP " :="
.RB "{ " espinudp " | " espinudp-nonike " | " espintcp " }"
.IR SPORT " " DPORT " " OADDR

.ti -8
.IR EXTRA-FLAG-LIST " := [ " EXTRA-FLAG-LIST " ] " EXTRA-FLAG

.ti -8
.IR EXTRA-FLAG " := "
.B dont-encap-dscp

.ti -8
.BR "ip xfrm policy" " { " add " | " update " }"
.I SELECTOR
.B dir
.I DIR
.RB "[ " ctx
.IR CTX " ]"
.RB "[ " mark
.I MARK
.RB "[ " mask
.IR MASK " ] ]"
.RB "[ " index
.IR INDEX " ]"
.RB "[ " ptype
.IR PTYPE " ]"
.RB "[ " action
.IR ACTION " ]"
.RB "[ " priority
.IR PRIORITY " ]"
.RB "[ " flag
.IR FLAG-LIST " ]"
.RB "[ " if_id
.IR IF-ID " ]"
.RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]"

.ti -8
.BR "ip xfrm policy" " { " delete " | " get " }"
.RI "{ " SELECTOR " | "
.B index
.IR INDEX " }"
.B dir
.I DIR
.RB "[ " ctx
.IR CTX " ]"
.RB "[ " mark
.I MARK
.RB "[ " mask
.IR MASK " ] ]"
.RB "[ " ptype
.IR PTYPE " ]"
.RB "[ " if_id
.IR IF-ID " ]"

.ti -8
.BR ip " [ " -4 " | " -6 " ] " "xfrm policy" " { " deleteall " | " list " }"
.RB "[ " nosock " ]"
.RI "[ " SELECTOR " ]"
.RB "[ " dir
.IR DIR " ]"
.RB "[ " index
.IR INDEX " ]"
.RB "[ " ptype
.IR PTYPE " ]"
.RB "[ " action
.IR ACTION " ]"
.RB "[ " priority
.IR PRIORITY " ]"
.RB "[ " flag
.IR FLAG-LIST "]"

.ti -8
.B "ip xfrm policy flush"
.RB "[ " ptype
.IR PTYPE " ]"

.ti -8
.B "ip xfrm policy count"

.ti -8
.B "ip xfrm policy set"
.RB "[ " hthresh4
.IR LBITS " " RBITS " ]"
.RB "[ " hthresh6
.IR LBITS " " RBITS " ]"

.ti -8
.IR SELECTOR " :="
.RB "[ " src
.IR ADDR "[/" PLEN "] ]"
.RB "[ " dst
.IR ADDR "[/" PLEN "] ]"
.RB "[ " dev
.IR DEV " ]"
.RI "[ " UPSPEC " ]"

.ti -8
.IR UPSPEC " := "
.BR proto " {"
.IR PROTO " |"
.br
.RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
.IR PORT " ]"
.RB "[ " dport
.IR PORT " ] |"
.br
.RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
.IR NUMBER " ]"
.RB "[ " code
.IR NUMBER " ] |"
.br
.BR gre " [ " key
.RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"

.ti -8
.IR DIR " := "
.BR in " | " out " | " fwd

.ti -8
.IR PTYPE " := "
.BR main " | " sub

.ti -8
.IR ACTION " := "
.BR allow " | " block

.ti -8
.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG

.ti -8
.IR FLAG " :="
.BR localok " | " icmp

.ti -8
.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
.B limit
.I LIMIT

.ti -8
.IR LIMIT " :="
.RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
.IR "SECONDS" " |"
.br
.RB "{ " byte-soft " | " byte-hard " }"
.IR SIZE " |"
.br
.RB "{ " packet-soft " | " packet-hard " }"
.I COUNT

.ti -8
.IR TMPL-LIST " := [ " TMPL-LIST " ]"
.B tmpl
.I TMPL

.ti -8
.IR TMPL " := " ID
.RB "[ " mode
.IR MODE " ]"
.RB "[ " reqid
.IR REQID " ]"
.RB "[ " level
.IR LEVEL " ]"

.ti -8
.IR ID " :="
.RB "[ " src
.IR ADDR " ]"
.RB "[ " dst
.IR ADDR " ]"
.RB "[ " proto
.IR XFRM-PROTO " ]"
.RB "[ " spi
.IR SPI " ]"

.ti -8
.IR XFRM-PROTO " :="
.BR esp " | " ah " | " comp " | " route2 " | " hao

.ti -8
.IR MODE " := "
.BR transport " | " tunnel " | " beet " | " ro " | " in_trigger

.ti -8
.IR LEVEL " :="
.BR required " | " use

.ti -8
.BR "ip xfrm monitor" " ["
.BI all-nsid
] [
.BI nokeys
] [
.BI all
 |
.IR LISTofXFRM-OBJECTS " ]"

.ti -8
.IR LISTofXFRM-OBJECTS " := [ " LISTofXFRM-OBJECTS " ] " XFRM-OBJECT

.ti -8
.IR XFRM-OBJECT " := "
.BR acquire " | " expire " | " SA " | " policy " | " aevent " | " report

.in -8
.ad b

.SH DESCRIPTION

xfrm is an IP framework for transforming packets (such as encrypting
their payloads). This framework is used to implement the IPsec protocol
suite (with the
.B state
object operating on the Security Association Database, and the
.B policy
object operating on the Security Policy Database). It is also used for
the IP Payload Compression Protocol and features of Mobile IPv6.

.TS
l l.
ip xfrm state add	add new state into xfrm
ip xfrm state update	update existing state in xfrm
ip xfrm state allocspi	allocate an SPI value
ip xfrm state delete	delete existing state in xfrm
ip xfrm state get	get existing state in xfrm
ip xfrm state deleteall	delete all existing state in xfrm
ip xfrm state list	print out the list of existing state in xfrm
ip xfrm state flush	flush all state in xfrm
ip xfrm state count	count all existing state in xfrm
.TE

.TP
.IR ID
is specified by a source address, destination address,
.RI "transform protocol " XFRM-PROTO ","
and/or Security Parameter Index
.IR SPI "."
(For IP Payload Compression, the Compression Parameter Index or CPI is used for
.IR SPI ".)"

.TP
.I XFRM-PROTO
specifies a transform protocol:
.RB "IPsec Encapsulating Security Payload (" esp "),"
.RB "IPsec Authentication Header (" ah "),"
.RB "IP Payload Compression (" comp "),"
.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
.RB "Mobile IPv6 Home Address Option (" hao ")."

.TP
.I ALGO-LIST
contains one or more algorithms to use. Each algorithm
.I ALGO
is specified by:
.RS
.IP \[bu]
the algorithm type:
.RB "encryption (" enc "),"
.RB "authentication (" auth " or " auth-trunc "),"
.RB "authenticated encryption with associated data (" aead "), or"
.RB "compression (" comp ")"
.IP \[bu]
the algorithm name
.IR ALGO-NAME
(see below)
.IP \[bu]
.RB "(for all except " comp ")"
the keying material
.IR ALGO-KEYMAT ","
which may include both a key and a salt or nonce value; refer to the
corresponding RFC
.IP \[bu]
.RB "(for " auth-trunc " only)"
the truncation length
.I ALGO-TRUNC-LEN
in bits
.IP \[bu]
.RB "(for " aead " only)"
the Integrity Check Value length
.I ALGO-ICV-LEN
in bits
.RE

.nh
.RS
Encryption algorithms include
.BR ecb(cipher_null) ", " cbc(des) ", " cbc(des3_ede) ", " cbc(cast5) ","
.BR cbc(blowfish) ", " cbc(aes) ", " cbc(serpent) ", " cbc(camellia) ","
.BR cbc(twofish) ", and " rfc3686(ctr(aes)) "."

Authentication algorithms include
.BR digest_null ", " hmac(md5) ", " hmac(sha1) ", " hmac(sha256) ","
.BR hmac(sha384) ", " hmac(sha512) ", " hmac(rmd160) ", and " xcbc(aes) "."

Authenticated encryption with associated data (AEAD) algorithms include
.BR rfc4106(gcm(aes)) ", " rfc4309(ccm(aes)) ", and " rfc4543(gcm(aes)) "."

Compression algorithms include
.BR deflate ", " lzs ", and " lzjh "."
.RE
.hy

.TP
.I MODE
specifies a mode of operation for the transform protocol. IPsec and IP Payload
Compression modes are
.BR transport ", " tunnel ","
and (for IPsec ESP only) Bound End-to-End Tunnel
.RB "(" beet ")."
Mobile IPv6 modes are route optimization
.RB "(" ro ")"
and inbound trigger
.RB "(" in_trigger ")."

.TP
.I FLAG-LIST
contains one or more of the following optional flags:
.BR noecn ", " decap-dscp ", " nopmtudisc ", " wildrecv ", " icmp ", "
.BR af-unspec ", " align4 ", or " esn "."

.TP
.IR SELECTOR
selects the traffic that will be controlled by the policy, based on the source
address, the destination address, the network device, and/or
.IR UPSPEC "."

.TP
.IR UPSPEC
selects traffic by protocol. For the
.BR tcp ", " udp ", " sctp ", or " dccp
protocols, the source and destination port can optionally be specified.
For the
.BR icmp ", " ipv6-icmp ", or " mobility-header
protocols, the type and code numbers can optionally be specified.
For the
.B gre
protocol, the key can optionally be specified as a dotted-quad or number.
Other protocols can be selected by name or number
.IR PROTO "."

.TP
.I LIMIT-LIST
sets limits in seconds, bytes, or numbers of packets.

.TP
.I ENCAP
encapsulates packets with protocol
.BR espinudp ", " espinudp-nonike ", or " espintcp ","
.RI "using source port " SPORT ", destination port "  DPORT
.RI ", and original address " OADDR "."

.TP
.I MARK
used to match xfrm policies and states

.TP
.I OUTPUT-MARK
used to set the output mark to influence the routing
of the packets emitted by the state

.TP
.I IF-ID
xfrm interface identifier used to in both xfrm policies and states

.sp
.PP
.TS
l l.
ip xfrm policy add	add a new policy
ip xfrm policy update	update an existing policy
ip xfrm policy delete	delete an existing policy
ip xfrm policy get	get an existing policy
ip xfrm policy deleteall	delete all existing xfrm policies
ip xfrm policy list	print out the list of xfrm policies
ip xfrm policy flush	flush policies
.TE

.TP
.BR nosock
filter (remove) all socket policies from the output.

.TP
.IR SELECTOR
selects the traffic that will be controlled by the policy, based on the source
address, the destination address, the network device, and/or
.IR UPSPEC "."

.TP
.IR UPSPEC
selects traffic by protocol. For the
.BR tcp ", " udp ", " sctp ", or " dccp
protocols, the source and destination port can optionally be specified.
For the
.BR icmp ", " ipv6-icmp ", or " mobility-header
protocols, the type and code numbers can optionally be specified.
For the
.B gre
protocol, the key can optionally be specified as a dotted-quad or number.
Other protocols can be selected by name or number
.IR PROTO "."

.TP
.I DIR
selects the policy direction as
.BR in ", " out ", or " fwd "."

.TP
.I CTX
sets the security context.

.TP
.I PTYPE
can be
.BR main " (default) or " sub "."

.TP
.I ACTION
can be
.BR allow " (default) or " block "."

.TP
.I PRIORITY
is a number that defaults to zero.

.TP
.I FLAG-LIST
contains one or both of the following optional flags:
.BR local " or " icmp "."

.TP
.I LIMIT-LIST
sets limits in seconds, bytes, or numbers of packets.

.TP
.I TMPL-LIST
is a template list specified using
.IR ID ", " MODE ", " REQID ", and/or " LEVEL ". "

.TP
.IR ID
is specified by a source address, destination address,
.RI "transform protocol " XFRM-PROTO ","
and/or Security Parameter Index
.IR SPI "."
(For IP Payload Compression, the Compression Parameter Index or CPI is used for
.IR SPI ".)"

.TP
.I XFRM-PROTO
specifies a transform protocol:
.RB "IPsec Encapsulating Security Payload (" esp "),"
.RB "IPsec Authentication Header (" ah "),"
.RB "IP Payload Compression (" comp "),"
.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
.RB "Mobile IPv6 Home Address Option (" hao ")."

.TP
.I MODE
specifies a mode of operation for the transform protocol. IPsec and IP Payload
Compression modes are
.BR transport ", " tunnel ","
and (for IPsec ESP only) Bound End-to-End Tunnel
.RB "(" beet ")."
Mobile IPv6 modes are route optimization
.RB "(" ro ")"
and inbound trigger
.RB "(" in_trigger ")."

.TP
.I LEVEL
can be
.BR required " (default) or " use "."

.sp
.PP
.TS
l l.
ip xfrm policy count	count existing policies
.TE

.PP
Use one or more -s options to display more details, including policy hash table
information.

.sp
.PP
.TS
l l.
ip xfrm policy set	configure the policy hash table
.TE

.PP
Security policies whose address prefix lengths are greater than or equal
policy hash table thresholds are hashed. Others are stored in the
policy_inexact chained list.

.TP
.I LBITS
specifies the minimum local address prefix length of policies that are
stored in the Security Policy Database hash table.

.TP
.I RBITS
specifies the minimum remote address prefix length of policies that are
stored in the Security Policy Database hash table.

.sp
.PP
.TS
l l.
ip xfrm monitor 	state monitoring for xfrm objects
.TE

.PP
The xfrm objects to monitor can be optionally specified.

.P
If the
.BI all-nsid
option is set, the program listens to all network namespaces that have a
nsid assigned into the network namespace were the program is running.
A prefix is displayed to show the network namespace where the message
originates. Example:
.sp
.in +2
[nsid 1]Flushed state proto 0
.in -2
.sp

.SH AUTHOR
Manpage revised by David Ward <david.ward@ll.mit.edu>
.br
Manpage revised by Christophe Gouault <christophe.gouault@6wind.com>
.br
Manpage revised by Nicolas Dichtel <nicolas.dichtel@6wind.com>
Commit	Line	Data
2a9721f1 SH	1	.TH IP\-XFRM 8 "20 Dec 2011" "iproute2" "Linux"
2a9721f1 SH	2	.SH "NAME"
aab2702d	3	ip-xfrm \- transform configuration
2a9721f1 SH	4	.SH "SYNOPSIS"
	5	.sp
	6	.ad l
	7	.in +8
	8	.ti -8
	9	.B ip
	10	.RI "[ " OPTIONS " ]"
	11	.B xfrm
	12	.RI " { " COMMAND " \| "
	13	.BR help " }"
	14	.sp
	15
	16	.ti -8
	17	.B "ip xfrm"
	18	.IR XFRM-OBJECT " { " COMMAND " \| "
	19	.BR help " }"
	20	.sp
	21
	22	.ti -8
	23	.IR XFRM-OBJECT " :="
	24	.BR state " \| " policy " \| " monitor
	25	.sp
	26
	27	.ti -8
	28	.BR "ip xfrm state" " { " add " \| " update " } "
	29	.IR ID " [ " ALGO-LIST " ]"
	30	.RB "[ " mode
	31	.IR MODE " ]"
	32	.RB "[ " mark
	33	.I MARK
	34	.RB "[ " mask
	35	.IR MASK " ] ]"
	36	.RB "[ " reqid
	37	.IR REQID " ]"
	38	.RB "[ " seq
	39	.IR SEQ " ]"
	40	.RB "[ " replay-window
	41	.IR SIZE " ]"
	42	.RB "[ " replay-seq
	43	.IR SEQ " ]"
	44	.RB "[ " replay-oseq
	45	.IR SEQ " ]"
eeb669a7 ND	46	.RB "[ " replay-seq-hi
	47	.IR SEQ " ]"
	48	.RB "[ " replay-oseq-hi
	49	.IR SEQ " ]"
2a9721f1 SH	50	.RB "[ " flag
	51	.IR FLAG-LIST " ]"
	52	.RB "[ " sel
	53	.IR SELECTOR " ] [ " LIMIT-LIST " ]"
	54	.RB "[ " encap
	55	.IR ENCAP " ]"
	56	.RB "[ " coa
	57	.IR ADDR "[/" PLEN "] ]"
	58	.RB "[ " ctx
	59	.IR CTX " ]"
a7eef7aa PS	60	.RB "[ " extra-flag
a7eef7aa PS	61	.IR EXTRA-FLAG-LIST " ]"
2ecb61a0 SAK	62	.RB "[ " output-mark
2ecb61a0 SAK	63	.IR OUTPUT-MARK " ]"
ee93c110 EB	64	.RB "[ " if_id
ee93c110 EB	65	.IR IF-ID " ]"
2a9721f1 SH	66
	67	.ti -8
	68	.B "ip xfrm state allocspi"
	69	.I ID
	70	.RB "[ " mode
	71	.IR MODE " ]"
	72	.RB "[ " mark
	73	.I MARK
	74	.RB "[ " mask
	75	.IR MASK " ] ]"
	76	.RB "[ " reqid
	77	.IR REQID " ]"
	78	.RB "[ " seq
	79	.IR SEQ " ]"
	80	.RB "[ " min
	81	.I SPI
	82	.B max
	83	.IR SPI " ]"
	84
	85	.ti -8
	86	.BR "ip xfrm state" " { " delete " \| " get " } "
	87	.I ID
	88	.RB "[ " mark
	89	.I MARK
	90	.RB "[ " mask
	91	.IR MASK " ] ]"
	92
	93	.ti -8
cd21ae40	94	.BR ip " [ " -4 " \| " -6 " ] " "xfrm state deleteall" " ["
2a9721f1 SH	95	.IR ID " ]"
	96	.RB "[ " mode
	97	.IR MODE " ]"
	98	.RB "[ " reqid
	99	.IR REQID " ]"
	100	.RB "[ " flag
	101	.IR FLAG-LIST " ]"
	102
a6af9f2e	103	.ti -8
cd21ae40	104	.BR ip " [ " -4 " \| " -6 " ] " "xfrm state list" " ["
a6af9f2e BW	105	.IR ID " ]"
	106	.RB "[ " nokeys " ]"
	107	.RB "[ " mode
	108	.IR MODE " ]"
	109	.RB "[ " reqid
	110	.IR REQID " ]"
	111	.RB "[ " flag
	112	.IR FLAG-LIST " ]"
	113
2a9721f1 SH	114	.ti -8
	115	.BR "ip xfrm state flush" " [ " proto
	116	.IR XFRM-PROTO " ]"
	117
	118	.ti -8
	119	.BR "ip xfrm state count"
	120
	121	.ti -8
	122	.IR ID " :="
	123	.RB "[ " src
	124	.IR ADDR " ]"
	125	.RB "[ " dst
	126	.IR ADDR " ]"
	127	.RB "[ " proto
	128	.IR XFRM-PROTO " ]"
	129	.RB "[ " spi
	130	.IR SPI " ]"
	131
	132	.ti -8
	133	.IR XFRM-PROTO " :="
	134	.BR esp " \| " ah " \| " comp " \| " route2 " \| " hao
	135
	136	.ti -8
	137	.IR ALGO-LIST " := [ " ALGO-LIST " ] " ALGO
	138
	139	.ti -8
	140	.IR ALGO " :="
5699275b	141	.RB "{ " enc " \| " auth " } "
29665f92	142	.IR ALGO-NAME " " ALGO-KEYMAT " \|"
2a9721f1	143	.br
2a9721f1	144	.B auth-trunc
29665f92	145	.IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-TRUNC-LEN " \|"
f3b9aa3d DW	146	.br
f3b9aa3d DW	147	.B aead
29665f92	148	.IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-ICV-LEN " \|"
f3b9aa3d DW	149	.br
	150	.B comp
	151	.IR ALGO-NAME
2a9721f1 SH	152
	153	.ti -8
	154	.IR MODE " := "
29665f92	155	.BR transport " \| " tunnel " \| " beet " \| " ro " \| " in_trigger
2a9721f1 SH	156
	157	.ti -8
	158	.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
	159
	160	.ti -8
	161	.IR FLAG " :="
eeb669a7 ND	162	.BR noecn " \| " decap-dscp " \| " nopmtudisc " \| " wildrecv " \| " icmp " \| "
eeb669a7 ND	163	.BR af-unspec " \| " align4 " \| " esn
2a9721f1 SH	164
	165	.ti -8
	166	.IR SELECTOR " :="
	167	.RB "[ " src
	168	.IR ADDR "[/" PLEN "] ]"
	169	.RB "[ " dst
	170	.IR ADDR "[/" PLEN "] ]"
	171	.RB "[ " dev
	172	.IR DEV " ]"
	173	.br
	174	.RI "[ " UPSPEC " ]"
	175
	176	.ti -8
	177	.IR UPSPEC " := "
	178	.BR proto " {"
	179	.IR PROTO " \|"
	180	.br
	181	.RB "{ " tcp " \| " udp " \| " sctp " \| " dccp " } [ " sport
	182	.IR PORT " ]"
	183	.RB "[ " dport
	184	.IR PORT " ] \|"
	185	.br
	186	.RB "{ " icmp " \| " ipv6-icmp " \| " mobility-header " } [ " type
	187	.IR NUMBER " ]"
	188	.RB "[ " code
	189	.IR NUMBER " ] \|"
	190	.br
	191	.BR gre " [ " key
	192	.RI "{ " DOTTED-QUAD " \| " NUMBER " } ] }"
	193
	194	.ti -8
	195	.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
	196	.B limit
	197	.I LIMIT
	198
	199	.ti -8
	200	.IR LIMIT " :="
	201	.RB "{ " time-soft " \| " time-hard " \| " time-use-soft " \| " time-use-hard " }"
	202	.IR "SECONDS" " \|"
	203	.br
	204	.RB "{ " byte-soft " \| " byte-hard " }"
	205	.IR SIZE " \|"
	206	.br
	207	.RB "{ " packet-soft " \| " packet-hard " }"
	208	.I COUNT
	209
	210	.ti -8
	211	.IR ENCAP " :="
22aec426	212	.RB "{ " espinudp " \| " espinudp-nonike " \| " espintcp " }"
2a9721f1 SH	213	.IR SPORT " " DPORT " " OADDR
2a9721f1 SH	214
a7eef7aa PS	215	.ti -8
	216	.IR EXTRA-FLAG-LIST " := [ " EXTRA-FLAG-LIST " ] " EXTRA-FLAG
	217
	218	.ti -8
	219	.IR EXTRA-FLAG " := "
	220	.B dont-encap-dscp
	221
2a9721f1 SH	222	.ti -8
	223	.BR "ip xfrm policy" " { " add " \| " update " }"
	224	.I SELECTOR
	225	.B dir
	226	.I DIR
	227	.RB "[ " ctx
	228	.IR CTX " ]"
	229	.RB "[ " mark
	230	.I MARK
	231	.RB "[ " mask
	232	.IR MASK " ] ]"
	233	.RB "[ " index
	234	.IR INDEX " ]"
	235	.RB "[ " ptype
	236	.IR PTYPE " ]"
	237	.RB "[ " action
	238	.IR ACTION " ]"
	239	.RB "[ " priority
	240	.IR PRIORITY " ]"
	241	.RB "[ " flag
	242	.IR FLAG-LIST " ]"
ee93c110 EB	243	.RB "[ " if_id
ee93c110 EB	244	.IR IF-ID " ]"
2a9721f1 SH	245	.RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]"
	246
	247	.ti -8
	248	.BR "ip xfrm policy" " { " delete " \| " get " }"
	249	.RI "{ " SELECTOR " \| "
	250	.B index
	251	.IR INDEX " }"
	252	.B dir
	253	.I DIR
	254	.RB "[ " ctx
	255	.IR CTX " ]"
	256	.RB "[ " mark
	257	.I MARK
	258	.RB "[ " mask
	259	.IR MASK " ] ]"
	260	.RB "[ " ptype
	261	.IR PTYPE " ]"
f33a871b EB	262	.RB "[ " if_id
f33a871b EB	263	.IR IF-ID " ]"
2a9721f1 SH	264
2a9721f1 SH	265	.ti -8
cd21ae40	266	.BR ip " [ " -4 " \| " -6 " ] " "xfrm policy" " { " deleteall " \| " list " }"
de3ddbc2	267	.RB "[ " nosock " ]"
2a9721f1 SH	268	.RI "[ " SELECTOR " ]"
	269	.RB "[ " dir
	270	.IR DIR " ]"
	271	.RB "[ " index
	272	.IR INDEX " ]"
	273	.RB "[ " ptype
	274	.IR PTYPE " ]"
	275	.RB "[ " action
	276	.IR ACTION " ]"
	277	.RB "[ " priority
	278	.IR PRIORITY " ]"
a7eef7aa PS	279	.RB "[ " flag
a7eef7aa PS	280	.IR FLAG-LIST "]"
2a9721f1 SH	281
	282	.ti -8
	283	.B "ip xfrm policy flush"
	284	.RB "[ " ptype
	285	.IR PTYPE " ]"
	286
	287	.ti -8
	288	.B "ip xfrm policy count"
	289
811aca04 CG	290	.ti -8
	291	.B "ip xfrm policy set"
	292	.RB "[ " hthresh4
	293	.IR LBITS " " RBITS " ]"
	294	.RB "[ " hthresh6
	295	.IR LBITS " " RBITS " ]"
	296
2a9721f1 SH	297	.ti -8
	298	.IR SELECTOR " :="
	299	.RB "[ " src
	300	.IR ADDR "[/" PLEN "] ]"
	301	.RB "[ " dst
	302	.IR ADDR "[/" PLEN "] ]"
	303	.RB "[ " dev
	304	.IR DEV " ]"
	305	.RI "[ " UPSPEC " ]"
	306
	307	.ti -8
	308	.IR UPSPEC " := "
	309	.BR proto " {"
	310	.IR PROTO " \|"
	311	.br
	312	.RB "{ " tcp " \| " udp " \| " sctp " \| " dccp " } [ " sport
	313	.IR PORT " ]"
	314	.RB "[ " dport
	315	.IR PORT " ] \|"
	316	.br
	317	.RB "{ " icmp " \| " ipv6-icmp " \| " mobility-header " } [ " type
	318	.IR NUMBER " ]"
	319	.RB "[ " code
	320	.IR NUMBER " ] \|"
	321	.br
	322	.BR gre " [ " key
	323	.RI "{ " DOTTED-QUAD " \| " NUMBER " } ] }"
	324
	325	.ti -8
	326	.IR DIR " := "
	327	.BR in " \| " out " \| " fwd
	328
	329	.ti -8
	330	.IR PTYPE " := "
	331	.BR main " \| " sub
	332
	333	.ti -8
	334	.IR ACTION " := "
	335	.BR allow " \| " block
	336
	337	.ti -8
	338	.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
	339
	340	.ti -8
	341	.IR FLAG " :="
	342	.BR localok " \| " icmp
	343
	344	.ti -8
	345	.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
	346	.B limit
	347	.I LIMIT
	348
	349	.ti -8
	350	.IR LIMIT " :="
	351	.RB "{ " time-soft " \| " time-hard " \| " time-use-soft " \| " time-use-hard " }"
	352	.IR "SECONDS" " \|"
	353	.br
	354	.RB "{ " byte-soft " \| " byte-hard " }"
	355	.IR SIZE " \|"
	356	.br
	357	.RB "{ " packet-soft " \| " packet-hard " }"
	358	.I COUNT
	359
	360	.ti -8
361	.IR TMPL-LIST " := [ " TMPL-LIST " ]"
362	.B tmpl
363	.I TMPL
364
365	.ti -8
366	.IR TMPL " := " ID
367	.RB "[ " mode
368	.IR MODE " ]"
369	.RB "[ " reqid
370	.IR REQID " ]"
371	.RB "[ " level
372	.IR LEVEL " ]"
373
374	.ti -8
375	.IR ID " :="
376	.RB "[ " src
377	.IR ADDR " ]"
378	.RB "[ " dst
379	.IR ADDR " ]"
380	.RB "[ " proto
381	.IR XFRM-PROTO " ]"
382	.RB "[ " spi
383	.IR SPI " ]"
384
385	.ti -8
386	.IR XFRM-PROTO " :="
387	.BR esp " \| " ah " \| " comp " \| " route2 " \| " hao
388
389	.ti -8
390	.IR MODE " := "
29665f92	391	.BR transport " \| " tunnel " \| " beet " \| " ro " \| " in_trigger
2a9721f1 SH	392
	393	.ti -8
	394	.IR LEVEL " :="
	395	.BR required " \| " use
	396
	397	.ti -8
b6ec53e3 ND	398	.BR "ip xfrm monitor" " ["
	399	.BI all-nsid
	400	] [
a6af9f2e BW	401	.BI nokeys
a6af9f2e BW	402	] [
b6ec53e3 ND	403	.BI all
b6ec53e3 ND	404	\|
2a9721f1 SH	405	.IR LISTofXFRM-OBJECTS " ]"
2a9721f1 SH	406
811aca04 CG	407	.ti -8
	408	.IR LISTofXFRM-OBJECTS " := [ " LISTofXFRM-OBJECTS " ] " XFRM-OBJECT
	409
	410	.ti -8
	411	.IR XFRM-OBJECT " := "
	412	.BR acquire " \| " expire " \| " SA " \| " policy " \| " aevent " \| " report
	413
2a9721f1 SH	414	.in -8
	415	.ad b
	416
	417	.SH DESCRIPTION
	418
	419	xfrm is an IP framework for transforming packets (such as encrypting
	420	their payloads). This framework is used to implement the IPsec protocol
	421	suite (with the
	422	.B state
	423	object operating on the Security Association Database, and the
	424	.B policy
	425	object operating on the Security Policy Database). It is also used for
	426	the IP Payload Compression Protocol and features of Mobile IPv6.
	427
61f541fe	428	.TS
	429	l l.
	430	ip xfrm state add add new state into xfrm
	431	ip xfrm state update update existing state in xfrm
	432	ip xfrm state allocspi allocate an SPI value
	433	ip xfrm state delete delete existing state in xfrm
	434	ip xfrm state get get existing state in xfrm
	435	ip xfrm state deleteall delete all existing state in xfrm
	436	ip xfrm state list print out the list of existing state in xfrm
	437	ip xfrm state flush flush all state in xfrm
	438	ip xfrm state count count all existing state in xfrm
61f541fe	439	.TE
2a9721f1 SH	440
	441	.TP
	442	.IR ID
	443	is specified by a source address, destination address,
	444	.RI "transform protocol " XFRM-PROTO ","
	445	and/or Security Parameter Index
	446	.IR SPI "."
29665f92 DW	447	(For IP Payload Compression, the Compression Parameter Index or CPI is used for
29665f92 DW	448	.IR SPI ".)"
2a9721f1 SH	449
	450	.TP
	451	.I XFRM-PROTO
	452	specifies a transform protocol:
	453	.RB "IPsec Encapsulating Security Payload (" esp "),"
	454	.RB "IPsec Authentication Header (" ah "),"
	455	.RB "IP Payload Compression (" comp "),"
	456	.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
	457	.RB "Mobile IPv6 Home Address Option (" hao ")."
	458
	459	.TP
	460	.I ALGO-LIST
29665f92 DW	461	contains one or more algorithms to use. Each algorithm
	462	.I ALGO
	463	is specified by:
	464	.RS
	465	.IP \[bu]
	466	the algorithm type:
2a9721f1	467	.RB "encryption (" enc "),"
29665f92 DW	468	.RB "authentication (" auth " or " auth-trunc "),"
	469	.RB "authenticated encryption with associated data (" aead "), or"
	470	.RB "compression (" comp ")"
	471	.IP \[bu]
	472	the algorithm name
	473	.IR ALGO-NAME
	474	(see below)
	475	.IP \[bu]
	476	.RB "(for all except " comp ")"
	477	the keying material
	478	.IR ALGO-KEYMAT ","
	479	which may include both a key and a salt or nonce value; refer to the
	480	corresponding RFC
	481	.IP \[bu]
	482	.RB "(for " auth-trunc " only)"
	483	the truncation length
	484	.I ALGO-TRUNC-LEN
	485	in bits
	486	.IP \[bu]
	487	.RB "(for " aead " only)"
2a9721f1 SH	488	the Integrity Check Value length
2a9721f1 SH	489	.I ALGO-ICV-LEN
29665f92 DW	490	in bits
	491	.RE
	492
	493	.nh
	494	.RS
	495	Encryption algorithms include
	496	.BR ecb(cipher_null) ", " cbc(des) ", " cbc(des3_ede) ", " cbc(cast5) ","
	497	.BR cbc(blowfish) ", " cbc(aes) ", " cbc(serpent) ", " cbc(camellia) ","
	498	.BR cbc(twofish) ", and " rfc3686(ctr(aes)) "."
	499
	500	Authentication algorithms include
	501	.BR digest_null ", " hmac(md5) ", " hmac(sha1) ", " hmac(sha256) ","
7f977447	502	.BR hmac(sha384) ", " hmac(sha512) ", " hmac(rmd160) ", and " xcbc(aes) "."
29665f92 DW	503
	504	Authenticated encryption with associated data (AEAD) algorithms include
	505	.BR rfc4106(gcm(aes)) ", " rfc4309(ccm(aes)) ", and " rfc4543(gcm(aes)) "."
	506
	507	Compression algorithms include
	508	.BR deflate ", " lzs ", and " lzjh "."
	509	.RE
	510	.hy
2a9721f1 SH	511
	512	.TP
	513	.I MODE
29665f92 DW	514	specifies a mode of operation for the transform protocol. IPsec and IP Payload
	515	Compression modes are
	516	.BR transport ", " tunnel ","
	517	and (for IPsec ESP only) Bound End-to-End Tunnel
	518	.RB "(" beet ")."
	519	Mobile IPv6 modes are route optimization
	520	.RB "(" ro ")"
	521	and inbound trigger
	522	.RB "(" in_trigger ")."
2a9721f1 SH	523
	524	.TP
	525	.I FLAG-LIST
	526	contains one or more of the following optional flags:
	527	.BR noecn ", " decap-dscp ", " nopmtudisc ", " wildrecv ", " icmp ", "
eeb669a7	528	.BR af-unspec ", " align4 ", or " esn "."
2a9721f1 SH	529
	530	.TP
	531	.IR SELECTOR
	532	selects the traffic that will be controlled by the policy, based on the source
	533	address, the destination address, the network device, and/or
	534	.IR UPSPEC "."
	535
	536	.TP
	537	.IR UPSPEC
	538	selects traffic by protocol. For the
	539	.BR tcp ", " udp ", " sctp ", or " dccp
	540	protocols, the source and destination port can optionally be specified.
	541	For the
	542	.BR icmp ", " ipv6-icmp ", or " mobility-header
	543	protocols, the type and code numbers can optionally be specified.
	544	For the
	545	.B gre
	546	protocol, the key can optionally be specified as a dotted-quad or number.
	547	Other protocols can be selected by name or number
	548	.IR PROTO "."
	549
	550	.TP
	551	.I LIMIT-LIST
	552	sets limits in seconds, bytes, or numbers of packets.
	553
	554	.TP
	555	.I ENCAP
	556	encapsulates packets with protocol
22aec426	557	.BR espinudp ", " espinudp-nonike ", or " espintcp ","
2a9721f1 SH	558	.RI "using source port " SPORT ", destination port " DPORT
2a9721f1 SH	559	.RI ", and original address " OADDR "."
811aca04	560
2ecb61a0 SAK	561	.TP
	562	.I MARK
	563	used to match xfrm policies and states
	564
	565	.TP
	566	.I OUTPUT-MARK
	567	used to set the output mark to influence the routing
	568	of the packets emitted by the state
	569
ee93c110 EB	570	.TP
	571	.I IF-ID
	572	xfrm interface identifier used to in both xfrm policies and states
	573
61f541fe	574	.sp
811aca04	575	.PP
61f541fe	576	.TS
	577	l l.
	578	ip xfrm policy add add a new policy
	579	ip xfrm policy update update an existing policy
	580	ip xfrm policy delete delete an existing policy
	581	ip xfrm policy get get an existing policy
	582	ip xfrm policy deleteall delete all existing xfrm policies
	583	ip xfrm policy list print out the list of xfrm policies
	584	ip xfrm policy flush flush policies
61f541fe	585	.TE
2a9721f1	586
de3ddbc2 SR	587	.TP
	588	.BR nosock
	589	filter (remove) all socket policies from the output.
	590
2a9721f1 SH	591	.TP
	592	.IR SELECTOR
	593	selects the traffic that will be controlled by the policy, based on the source
	594	address, the destination address, the network device, and/or
	595	.IR UPSPEC "."
	596
	597	.TP
	598	.IR UPSPEC
	599	selects traffic by protocol. For the
	600	.BR tcp ", " udp ", " sctp ", or " dccp
	601	protocols, the source and destination port can optionally be specified.
	602	For the
	603	.BR icmp ", " ipv6-icmp ", or " mobility-header
	604	protocols, the type and code numbers can optionally be specified.
	605	For the
	606	.B gre
	607	protocol, the key can optionally be specified as a dotted-quad or number.
	608	Other protocols can be selected by name or number
	609	.IR PROTO "."
	610
	611	.TP
	612	.I DIR
	613	selects the policy direction as
	614	.BR in ", " out ", or " fwd "."
	615
	616	.TP
	617	.I CTX
	618	sets the security context.
	619
	620	.TP
	621	.I PTYPE
	622	can be
	623	.BR main " (default) or " sub "."
	624
	625	.TP
	626	.I ACTION
	627	can be
	628	.BR allow " (default) or " block "."
	629
	630	.TP
	631	.I PRIORITY
	632	is a number that defaults to zero.
	633
	634	.TP
	635	.I FLAG-LIST
	636	contains one or both of the following optional flags:
	637	.BR local " or " icmp "."
	638
	639	.TP
	640	.I LIMIT-LIST
	641	sets limits in seconds, bytes, or numbers of packets.
	642
	643	.TP
	644	.I TMPL-LIST
	645	is a template list specified using
	646	.IR ID ", " MODE ", " REQID ", and/or " LEVEL ". "
	647
	648	.TP
	649	.IR ID
	650	is specified by a source address, destination address,
	651	.RI "transform protocol " XFRM-PROTO ","
	652	and/or Security Parameter Index
	653	.IR SPI "."
29665f92 DW	654	(For IP Payload Compression, the Compression Parameter Index or CPI is used for
29665f92 DW	655	.IR SPI ".)"
2a9721f1 SH	656
	657	.TP
	658	.I XFRM-PROTO
	659	specifies a transform protocol:
	660	.RB "IPsec Encapsulating Security Payload (" esp "),"
	661	.RB "IPsec Authentication Header (" ah "),"
	662	.RB "IP Payload Compression (" comp "),"
	663	.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
	664	.RB "Mobile IPv6 Home Address Option (" hao ")."
	665
	666	.TP
	667	.I MODE
29665f92 DW	668	specifies a mode of operation for the transform protocol. IPsec and IP Payload
	669	Compression modes are
	670	.BR transport ", " tunnel ","
	671	and (for IPsec ESP only) Bound End-to-End Tunnel
	672	.RB "(" beet ")."
	673	Mobile IPv6 modes are route optimization
	674	.RB "(" ro ")"
	675	and inbound trigger
	676	.RB "(" in_trigger ")."
2a9721f1 SH	677
	678	.TP
	679	.I LEVEL
	680	can be
	681	.BR required " (default) or " use "."
	682
811aca04 CG	683	.sp
	684	.PP
	685	.TS
	686	l l.
	687	ip xfrm policy count count existing policies
	688	.TE
	689
	690	.PP
	691	Use one or more -s options to display more details, including policy hash table
	692	information.
	693
	694	.sp
	695	.PP
	696	.TS
	697	l l.
	698	ip xfrm policy set configure the policy hash table
	699	.TE
	700
	701	.PP
	702	Security policies whose address prefix lengths are greater than or equal
	703	policy hash table thresholds are hashed. Others are stored in the
	704	policy_inexact chained list.
	705
	706	.TP
	707	.I LBITS
	708	specifies the minimum local address prefix length of policies that are
	709	stored in the Security Policy Database hash table.
	710
	711	.TP
	712	.I RBITS
	713	specifies the minimum remote address prefix length of policies that are
	714	stored in the Security Policy Database hash table.
	715
	716	.sp
	717	.PP
	718	.TS
	719	l l.
	720	ip xfrm monitor state monitoring for xfrm objects
	721	.TE
	722
	723	.PP
2a9721f1 SH	724	The xfrm objects to monitor can be optionally specified.
2a9721f1 SH	725
b6ec53e3 ND	726	.P
	727	If the
	728	.BI all-nsid
	729	option is set, the program listens to all network namespaces that have a
	730	nsid assigned into the network namespace were the program is running.
	731	A prefix is displayed to show the network namespace where the message
	732	originates. Example:
	733	.sp
	734	.in +2
	735	[nsid 1]Flushed state proto 0
	736	.in -2
	737	.sp
	738
2a9721f1	739	.SH AUTHOR
29665f92	740	Manpage revised by David Ward <david.ward@ll.mit.edu>
811aca04 CG	741	.br
811aca04 CG	742	Manpage revised by Christophe Gouault <christophe.gouault@6wind.com>
b6ec53e3 ND	743	.br
b6ec53e3 ND	744	Manpage revised by Nicolas Dichtel <nicolas.dichtel@6wind.com>