1 | .TH IP\-XFRM 8 "20 Dec 2011" "iproute2" "Linux" |
2 | .SH "NAME" | |
aab2702d | 3 | ip-xfrm \- transform configuration |
4 | .SH "SYNOPSIS" |
5 | .sp | |
6 | .ad l | |
7 | .in +8 | |
8 | .ti -8 | |
9 | .B ip | |
10 | .RI "[ " OPTIONS " ]" | |
11 | .B xfrm | |
12 | .RI " { " COMMAND " | " | |
13 | .BR help " }" | |
14 | .sp | |
15 | ||
16 | .ti -8 | |
17 | .B "ip xfrm" | |
18 | .IR XFRM-OBJECT " { " COMMAND " | " | |
19 | .BR help " }" | |
20 | .sp | |
21 | ||
22 | .ti -8 | |
23 | .IR XFRM-OBJECT " :=" | |
24 | .BR state " | " policy " | " monitor | |
25 | .sp | |
26 | ||
27 | .ti -8 | |
28 | .BR "ip xfrm state" " { " add " | " update " } " | |
29 | .IR ID " [ " ALGO-LIST " ]" | |
30 | .RB "[ " mode | |
31 | .IR MODE " ]" | |
32 | .RB "[ " mark | |
33 | .I MARK | |
34 | .RB "[ " mask | |
35 | .IR MASK " ] ]" | |
36 | .RB "[ " reqid | |
37 | .IR REQID " ]" | |
38 | .RB "[ " seq | |
39 | .IR SEQ " ]" | |
40 | .RB "[ " replay-window | |
41 | .IR SIZE " ]" | |
42 | .RB "[ " replay-seq | |
43 | .IR SEQ " ]" | |
44 | .RB "[ " replay-oseq | |
45 | .IR SEQ " ]" | |
46 | .RB "[ " replay-seq-hi |
47 | .IR SEQ " ]" | |
48 | .RB "[ " replay-oseq-hi | |
49 | .IR SEQ " ]" | |
50 | .RB "[ " flag |
51 | .IR FLAG-LIST " ]" | |
52 | .RB "[ " sel | |
53 | .IR SELECTOR " ] [ " LIMIT-LIST " ]" | |
54 | .RB "[ " encap | |
55 | .IR ENCAP " ]" | |
56 | .RB "[ " coa | |
57 | .IR ADDR "[/" PLEN "] ]" | |
58 | .RB "[ " ctx | |
59 | .IR CTX " ]" | |
60 | .RB "[ " extra-flag |
61 | .IR EXTRA-FLAG-LIST " ]" | |
62 | .RB "[ " output-mark |
63 | .IR OUTPUT-MARK " ]" | |
64 | .RB "[ " if_id |
65 | .IR IF-ID " ]" | |
66 | |
67 | .ti -8 | |
68 | .B "ip xfrm state allocspi" | |
69 | .I ID | |
70 | .RB "[ " mode | |
71 | .IR MODE " ]" | |
72 | .RB "[ " mark | |
73 | .I MARK | |
74 | .RB "[ " mask | |
75 | .IR MASK " ] ]" | |
76 | .RB "[ " reqid | |
77 | .IR REQID " ]" | |
78 | .RB "[ " seq | |
79 | .IR SEQ " ]" | |
80 | .RB "[ " min | |
81 | .I SPI | |
82 | .B max | |
83 | .IR SPI " ]" | |
84 | ||
85 | .ti -8 | |
86 | .BR "ip xfrm state" " { " delete " | " get " } " | |
87 | .I ID | |
88 | .RB "[ " mark | |
89 | .I MARK | |
90 | .RB "[ " mask | |
91 | .IR MASK " ] ]" | |
92 | ||
93 | .ti -8 | |
cd21ae40 | 94 | .BR ip " [ " -4 " | " -6 " ] " "xfrm state deleteall" " [" |
95 | .IR ID " ]" |
96 | .RB "[ " mode | |
97 | .IR MODE " ]" | |
98 | .RB "[ " reqid | |
99 | .IR REQID " ]" | |
100 | .RB "[ " flag | |
101 | .IR FLAG-LIST " ]" | |
102 | ||
a6af9f2e | 103 | .ti -8 |
cd21ae40 | 104 | .BR ip " [ " -4 " | " -6 " ] " "xfrm state list" " [" |
105 | .IR ID " ]" |
106 | .RB "[ " nokeys " ]" | |
107 | .RB "[ " mode | |
108 | .IR MODE " ]" | |
109 | .RB "[ " reqid | |
110 | .IR REQID " ]" | |
111 | .RB "[ " flag | |
112 | .IR FLAG-LIST " ]" | |
113 | ||
114 | .ti -8 |
115 | .BR "ip xfrm state flush" " [ " proto | |
116 | .IR XFRM-PROTO " ]" | |
117 | ||
118 | .ti -8 | |
119 | .BR "ip xfrm state count" | |
120 | ||
121 | .ti -8 | |
122 | .IR ID " :=" | |
123 | .RB "[ " src | |
124 | .IR ADDR " ]" | |
125 | .RB "[ " dst | |
126 | .IR ADDR " ]" | |
127 | .RB "[ " proto | |
128 | .IR XFRM-PROTO " ]" | |
129 | .RB "[ " spi | |
130 | .IR SPI " ]" | |
131 | ||
132 | .ti -8 | |
133 | .IR XFRM-PROTO " :=" | |
134 | .BR esp " | " ah " | " comp " | " route2 " | " hao | |
135 | ||
136 | .ti -8 | |
137 | .IR ALGO-LIST " := [ " ALGO-LIST " ] " ALGO | |
138 | ||
139 | .ti -8 | |
140 | .IR ALGO " :=" | |
5699275b | 141 | .RB "{ " enc " | " auth " } " |
29665f92 | 142 | .IR ALGO-NAME " " ALGO-KEYMAT " |" |
2a9721f1 | 143 | .br |
2a9721f1 | 144 | .B auth-trunc |
29665f92 | 145 | .IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-TRUNC-LEN " |" |
146 | .br |
147 | .B aead | |
29665f92 | 148 | .IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-ICV-LEN " |" |
149 | .br |
150 | .B comp | |
151 | .IR ALGO-NAME | |
152 | |
153 | .ti -8 | |
154 | .IR MODE " := " | |
29665f92 | 155 | .BR transport " | " tunnel " | " beet " | " ro " | " in_trigger |
156 | |
157 | .ti -8 | |
158 | .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG | |
159 | ||
160 | .ti -8 | |
161 | .IR FLAG " :=" | |
162 | .BR noecn " | " decap-dscp " | " nopmtudisc " | " wildrecv " | " icmp " | " |
163 | .BR af-unspec " | " align4 " | " esn | |
164 | |
165 | .ti -8 | |
166 | .IR SELECTOR " :=" | |
167 | .RB "[ " src | |
168 | .IR ADDR "[/" PLEN "] ]" | |
169 | .RB "[ " dst | |
170 | .IR ADDR "[/" PLEN "] ]" | |
171 | .RB "[ " dev | |
172 | .IR DEV " ]" | |
173 | .br | |
174 | .RI "[ " UPSPEC " ]" | |
175 | ||
176 | .ti -8 | |
177 | .IR UPSPEC " := " | |
178 | .BR proto " {" | |
179 | .IR PROTO " |" | |
180 | .br | |
181 | .RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport | |
182 | .IR PORT " ]" | |
183 | .RB "[ " dport | |
184 | .IR PORT " ] |" | |
185 | .br | |
186 | .RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type | |
187 | .IR NUMBER " ]" | |
188 | .RB "[ " code | |
189 | .IR NUMBER " ] |" | |
190 | .br | |
191 | .BR gre " [ " key | |
192 | .RI "{ " DOTTED-QUAD " | " NUMBER " } ] }" | |
193 | ||
194 | .ti -8 | |
195 | .IR LIMIT-LIST " := [ " LIMIT-LIST " ]" | |
196 | .B limit | |
197 | .I LIMIT | |
198 | ||
199 | .ti -8 | |
200 | .IR LIMIT " :=" | |
201 | .RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }" | |
202 | .IR "SECONDS" " |" | |
203 | .br | |
204 | .RB "{ " byte-soft " | " byte-hard " }" | |
205 | .IR SIZE " |" | |
206 | .br | |
207 | .RB "{ " packet-soft " | " packet-hard " }" | |
208 | .I COUNT | |
209 | ||
210 | .ti -8 | |
211 | .IR ENCAP " :=" | |
22aec426 | 212 | .RB "{ " espinudp " | " espinudp-nonike " | " espintcp " }" |
213 | .IR SPORT " " DPORT " " OADDR |
214 | ||
215 | .ti -8 |
216 | .IR EXTRA-FLAG-LIST " := [ " EXTRA-FLAG-LIST " ] " EXTRA-FLAG | |
217 | ||
218 | .ti -8 | |
219 | .IR EXTRA-FLAG " := " | |
220 | .B dont-encap-dscp | |
221 | ||
222 | .ti -8 |
223 | .BR "ip xfrm policy" " { " add " | " update " }" | |
224 | .I SELECTOR | |
225 | .B dir | |
226 | .I DIR | |
227 | .RB "[ " ctx | |
228 | .IR CTX " ]" | |
229 | .RB "[ " mark | |
230 | .I MARK | |
231 | .RB "[ " mask | |
232 | .IR MASK " ] ]" | |
233 | .RB "[ " index | |
234 | .IR INDEX " ]" | |
235 | .RB "[ " ptype | |
236 | .IR PTYPE " ]" | |
237 | .RB "[ " action | |
238 | .IR ACTION " ]" | |
239 | .RB "[ " priority | |
240 | .IR PRIORITY " ]" | |
241 | .RB "[ " flag | |
242 | .IR FLAG-LIST " ]" | |
243 | .RB "[ " if_id |
244 | .IR IF-ID " ]" | |
245 | .RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]" |
246 | ||
247 | .ti -8 | |
248 | .BR "ip xfrm policy" " { " delete " | " get " }" | |
249 | .RI "{ " SELECTOR " | " | |
250 | .B index | |
251 | .IR INDEX " }" | |
252 | .B dir | |
253 | .I DIR | |
254 | .RB "[ " ctx | |
255 | .IR CTX " ]" | |
256 | .RB "[ " mark | |
257 | .I MARK | |
258 | .RB "[ " mask | |
259 | .IR MASK " ] ]" | |
260 | .RB "[ " ptype | |
261 | .IR PTYPE " ]" | |
262 | .RB "[ " if_id |
263 | .IR IF-ID " ]" | |
264 | |
265 | .ti -8 | |
cd21ae40 | 266 | .BR ip " [ " -4 " | " -6 " ] " "xfrm policy" " { " deleteall " | " list " }" |
de3ddbc2 | 267 | .RB "[ " nosock " ]" |
268 | .RI "[ " SELECTOR " ]" |
269 | .RB "[ " dir | |
270 | .IR DIR " ]" | |
271 | .RB "[ " index | |
272 | .IR INDEX " ]" | |
273 | .RB "[ " ptype | |
274 | .IR PTYPE " ]" | |
275 | .RB "[ " action | |
276 | .IR ACTION " ]" | |
277 | .RB "[ " priority | |
278 | .IR PRIORITY " ]" | |
279 | .RB "[ " flag |
280 | .IR FLAG-LIST "]" | |
281 | |
282 | .ti -8 | |
283 | .B "ip xfrm policy flush" | |
284 | .RB "[ " ptype | |
285 | .IR PTYPE " ]" | |
286 | ||
287 | .ti -8 | |
288 | .B "ip xfrm policy count" | |
289 | ||
290 | .ti -8 |
291 | .B "ip xfrm policy set" | |
292 | .RB "[ " hthresh4 | |
293 | .IR LBITS " " RBITS " ]" | |
294 | .RB "[ " hthresh6 | |
295 | .IR LBITS " " RBITS " ]" | |
296 | ||
297 | .ti -8 |
298 | .IR SELECTOR " :=" | |
299 | .RB "[ " src | |
300 | .IR ADDR "[/" PLEN "] ]" | |
301 | .RB "[ " dst | |
302 | .IR ADDR "[/" PLEN "] ]" | |
303 | .RB "[ " dev | |
304 | .IR DEV " ]" | |
305 | .RI "[ " UPSPEC " ]" | |
306 | ||
307 | .ti -8 | |
308 | .IR UPSPEC " := " | |
309 | .BR proto " {" | |
310 | .IR PROTO " |" | |
311 | .br | |
312 | .RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport | |
313 | .IR PORT " ]" | |
314 | .RB "[ " dport | |
315 | .IR PORT " ] |" | |
316 | .br | |
317 | .RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type | |
318 | .IR NUMBER " ]" | |
319 | .RB "[ " code | |
320 | .IR NUMBER " ] |" | |
321 | .br | |
322 | .BR gre " [ " key | |
323 | .RI "{ " DOTTED-QUAD " | " NUMBER " } ] }" | |
324 | ||
325 | .ti -8 | |
326 | .IR DIR " := " | |
327 | .BR in " | " out " | " fwd | |
328 | ||
329 | .ti -8 | |
330 | .IR PTYPE " := " | |
331 | .BR main " | " sub | |
332 | ||
333 | .ti -8 | |
334 | .IR ACTION " := " | |
335 | .BR allow " | " block | |
336 | ||
337 | .ti -8 | |
338 | .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG | |
339 | ||
340 | .ti -8 | |
341 | .IR FLAG " :=" | |
342 | .BR localok " | " icmp | |
343 | ||
344 | .ti -8 | |
345 | .IR LIMIT-LIST " := [ " LIMIT-LIST " ]" | |
346 | .B limit | |
347 | .I LIMIT | |
348 | ||
349 | .ti -8 | |
350 | .IR LIMIT " :=" | |
351 | .RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }" | |
352 | .IR "SECONDS" " |" | |
353 | .br | |
354 | .RB "{ " byte-soft " | " byte-hard " }" | |
355 | .IR SIZE " |" | |
356 | .br | |
357 | .RB "{ " packet-soft " | " packet-hard " }" | |
358 | .I COUNT | |
359 | ||
360 | .ti -8 | |
361 | .IR TMPL-LIST " := [ " TMPL-LIST " ]" | |
362 | .B tmpl | |
363 | .I TMPL | |
364 | ||
365 | .ti -8 | |
366 | .IR TMPL " := " ID | |
367 | .RB "[ " mode | |
368 | .IR MODE " ]" | |
369 | .RB "[ " reqid | |
370 | .IR REQID " ]" | |
371 | .RB "[ " level | |
372 | .IR LEVEL " ]" | |
373 | ||
374 | .ti -8 | |
375 | .IR ID " :=" | |
376 | .RB "[ " src | |
377 | .IR ADDR " ]" | |
378 | .RB "[ " dst | |
379 | .IR ADDR " ]" | |
380 | .RB "[ " proto | |
381 | .IR XFRM-PROTO " ]" | |
382 | .RB "[ " spi | |
383 | .IR SPI " ]" | |
384 | ||
385 | .ti -8 | |
386 | .IR XFRM-PROTO " :=" | |
387 | .BR esp " | " ah " | " comp " | " route2 " | " hao | |
388 | ||
389 | .ti -8 | |
390 | .IR MODE " := " | |
29665f92 | 391 | .BR transport " | " tunnel " | " beet " | " ro " | " in_trigger |
392 | |
393 | .ti -8 | |
394 | .IR LEVEL " :=" | |
395 | .BR required " | " use | |
396 | ||
397 | .ti -8 | |
398 | .BR "ip xfrm monitor" " [" |
399 | .BI all-nsid | |
400 | ] [ | |
401 | .BI nokeys |
402 | ] [ | |
403 | .BI all |
404 | | | |
405 | .IR LISTofXFRM-OBJECTS " ]" |
406 | ||
407 | .ti -8 |
408 | .IR LISTofXFRM-OBJECTS " := [ " LISTofXFRM-OBJECTS " ] " XFRM-OBJECT | |
409 | ||
410 | .ti -8 | |
411 | .IR XFRM-OBJECT " := " | |
412 | .BR acquire " | " expire " | " SA " | " policy " | " aevent " | " report | |
413 | ||
414 | .in -8 |
415 | .ad b | |
416 | ||
417 | .SH DESCRIPTION | |
418 | ||
419 | xfrm is an IP framework for transforming packets (such as encrypting | |
420 | their payloads). This framework is used to implement the IPsec protocol | |
421 | suite (with the | |
422 | .B state | |
423 | object operating on the Security Association Database, and the | |
424 | .B policy | |
425 | object operating on the Security Policy Database). It is also used for | |
426 | the IP Payload Compression Protocol and features of Mobile IPv6. | |
427 | ||
61f541fe | 428 | .TS |
429 | l l. | |
430 | ip xfrm state add add new state into xfrm | |
431 | ip xfrm state update update existing state in xfrm | |
432 | ip xfrm state allocspi allocate an SPI value | |
433 | ip xfrm state delete delete existing state in xfrm | |
434 | ip xfrm state get get existing state in xfrm | |
435 | ip xfrm state deleteall delete all existing state in xfrm | |
436 | ip xfrm state list print out the list of existing state in xfrm | |
437 | ip xfrm state flush flush all state in xfrm | |
438 | ip xfrm state count count all existing state in xfrm | |
61f541fe | 439 | .TE |
440 | |
441 | .TP | |
442 | .IR ID | |
443 | is specified by a source address, destination address, | |
444 | .RI "transform protocol " XFRM-PROTO "," | |
445 | and/or Security Parameter Index | |
446 | .IR SPI "." | |
447 | (For IP Payload Compression, the Compression Parameter Index or CPI is used for |
448 | .IR SPI ".)" | |
449 | |
450 | .TP | |
451 | .I XFRM-PROTO | |
452 | specifies a transform protocol: | |
453 | .RB "IPsec Encapsulating Security Payload (" esp ")," | |
454 | .RB "IPsec Authentication Header (" ah ")," | |
455 | .RB "IP Payload Compression (" comp ")," | |
456 | .RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or" | |
457 | .RB "Mobile IPv6 Home Address Option (" hao ")." | |
458 | ||
459 | .TP | |
460 | .I ALGO-LIST | |
461 | contains one or more algorithms to use. Each algorithm |
462 | .I ALGO | |
463 | is specified by: | |
464 | .RS | |
465 | .IP \[bu] | |
466 | the algorithm type: | |
2a9721f1 | 467 | .RB "encryption (" enc ")," |
468 | .RB "authentication (" auth " or " auth-trunc ")," |
469 | .RB "authenticated encryption with associated data (" aead "), or" | |
470 | .RB "compression (" comp ")" | |
471 | .IP \[bu] | |
472 | the algorithm name | |
473 | .IR ALGO-NAME | |
474 | (see below) | |
475 | .IP \[bu] | |
476 | .RB "(for all except " comp ")" | |
477 | the keying material | |
478 | .IR ALGO-KEYMAT "," | |
which may include both a key and a salt or nonce value; refer to the
corresponding RFC. Note that keying material supplied on the command line
is visible to other users of the system through the process list and may be
recorded in shell history, so such invocations should be treated as exposing
the key
481 | .IP \[bu] | |
482 | .RB "(for " auth-trunc " only)" | |
483 | the truncation length | |
484 | .I ALGO-TRUNC-LEN | |
485 | in bits | |
486 | .IP \[bu] | |
487 | .RB "(for " aead " only)" | |
488 | the Integrity Check Value length |
489 | .I ALGO-ICV-LEN | |
490 | in bits |
491 | .RE | |
492 | ||
493 | .nh | |
494 | .RS | |
495 | Encryption algorithms include | |
496 | .BR ecb(cipher_null) ", " cbc(des) ", " cbc(des3_ede) ", " cbc(cast5) "," | |
497 | .BR cbc(blowfish) ", " cbc(aes) ", " cbc(serpent) ", " cbc(camellia) "," | |
498 | .BR cbc(twofish) ", and " rfc3686(ctr(aes)) "." | |
499 | ||
500 | Authentication algorithms include | |
501 | .BR digest_null ", " hmac(md5) ", " hmac(sha1) ", " hmac(sha256) "," | |
7f977447 | 502 | .BR hmac(sha384) ", " hmac(sha512) ", " hmac(rmd160) ", and " xcbc(aes) "." |
503 | |
504 | Authenticated encryption with associated data (AEAD) algorithms include | |
505 | .BR rfc4106(gcm(aes)) ", " rfc4309(ccm(aes)) ", and " rfc4543(gcm(aes)) "." | |
506 | ||
Compression algorithms include
.BR deflate ", " lzs ", and " lzjh "."

Availability of an algorithm name does not imply that it is suitable for
protecting traffic:
.BR ecb(cipher_null) " and " digest_null
perform no encryption and no authentication respectively, and legacy
algorithms such as
.BR cbc(des) " and " hmac(md5)
should not be chosen for new configurations.
509 | .RE | |
510 | .hy | |
511 | |
512 | .TP | |
513 | .I MODE | |
514 | specifies a mode of operation for the transform protocol. IPsec and IP Payload |
515 | Compression modes are | |
516 | .BR transport ", " tunnel "," | |
517 | and (for IPsec ESP only) Bound End-to-End Tunnel | |
518 | .RB "(" beet ")." | |
519 | Mobile IPv6 modes are route optimization | |
520 | .RB "(" ro ")" | |
521 | and inbound trigger | |
522 | .RB "(" in_trigger ")." | |
523 | |
524 | .TP | |
525 | .I FLAG-LIST | |
526 | contains one or more of the following optional flags: | |
527 | .BR noecn ", " decap-dscp ", " nopmtudisc ", " wildrecv ", " icmp ", " | |
eeb669a7 | 528 | .BR af-unspec ", " align4 ", or " esn "." |
529 | |
530 | .TP | |
531 | .IR SELECTOR | |
532 | selects the traffic that will be controlled by the policy, based on the source | |
533 | address, the destination address, the network device, and/or | |
534 | .IR UPSPEC "." | |
535 | ||
536 | .TP | |
537 | .IR UPSPEC | |
538 | selects traffic by protocol. For the | |
539 | .BR tcp ", " udp ", " sctp ", or " dccp | |
540 | protocols, the source and destination port can optionally be specified. | |
541 | For the | |
542 | .BR icmp ", " ipv6-icmp ", or " mobility-header | |
543 | protocols, the type and code numbers can optionally be specified. | |
544 | For the | |
545 | .B gre | |
546 | protocol, the key can optionally be specified as a dotted-quad or number. | |
547 | Other protocols can be selected by name or number | |
548 | .IR PROTO "." | |
549 | ||
550 | .TP | |
551 | .I LIMIT-LIST | |
552 | sets limits in seconds, bytes, or numbers of packets. | |
553 | ||
554 | .TP | |
555 | .I ENCAP | |
556 | encapsulates packets with protocol | |
22aec426 | 557 | .BR espinudp ", " espinudp-nonike ", or " espintcp "," |
558 | .RI "using source port " SPORT ", destination port " DPORT |
559 | .RI ", and original address " OADDR "." | |
811aca04 | 560 | |
561 | .TP |
562 | .I MARK | |
mark value matched, optionally under the bit mask
.IR MASK ","
against xfrm policies and states
564 | ||
565 | .TP | |
566 | .I OUTPUT-MARK | |
567 | used to set the output mark to influence the routing | |
568 | of the packets emitted by the state | |
569 | ||
.TP
.I IF-ID
xfrm interface identifier used in both xfrm policies and states

.TP
.B nokeys
omits the keying material
.RI ( ALGO-KEYMAT )
of each state from the output of
.BR "ip xfrm state list" " and " "ip xfrm monitor" "."
Without it the keys are included in the output, which should then be
handled as sensitive.
61f541fe | 574 | .sp |
811aca04 | 575 | .PP |
61f541fe | 576 | .TS |
577 | l l. | |
578 | ip xfrm policy add add a new policy | |
579 | ip xfrm policy update update an existing policy | |
580 | ip xfrm policy delete delete an existing policy | |
581 | ip xfrm policy get get an existing policy | |
582 | ip xfrm policy deleteall delete all existing xfrm policies | |
583 | ip xfrm policy list print out the list of xfrm policies | |
584 | ip xfrm policy flush flush policies | |
61f541fe | 585 | .TE |
2a9721f1 | 586 | |
587 | .TP |
588 | .BR nosock | |
589 | filter (remove) all socket policies from the output. | |
590 | ||
591 | .TP |
592 | .IR SELECTOR | |
593 | selects the traffic that will be controlled by the policy, based on the source | |
594 | address, the destination address, the network device, and/or | |
595 | .IR UPSPEC "." | |
596 | ||
597 | .TP | |
598 | .IR UPSPEC | |
599 | selects traffic by protocol. For the | |
600 | .BR tcp ", " udp ", " sctp ", or " dccp | |
601 | protocols, the source and destination port can optionally be specified. | |
602 | For the | |
603 | .BR icmp ", " ipv6-icmp ", or " mobility-header | |
604 | protocols, the type and code numbers can optionally be specified. | |
605 | For the | |
606 | .B gre | |
607 | protocol, the key can optionally be specified as a dotted-quad or number. | |
608 | Other protocols can be selected by name or number | |
609 | .IR PROTO "." | |
610 | ||
611 | .TP | |
612 | .I DIR | |
613 | selects the policy direction as | |
614 | .BR in ", " out ", or " fwd "." | |
615 | ||
616 | .TP | |
617 | .I CTX | |
618 | sets the security context. | |
619 | ||
620 | .TP | |
621 | .I PTYPE | |
622 | can be | |
623 | .BR main " (default) or " sub "." | |
624 | ||
625 | .TP | |
626 | .I ACTION | |
627 | can be | |
628 | .BR allow " (default) or " block "." | |
629 | ||
630 | .TP | |
631 | .I PRIORITY | |
632 | is a number that defaults to zero. | |
633 | ||
634 | .TP | |
635 | .I FLAG-LIST | |
contains one or both of the following optional flags:
.BR localok " or " icmp "."
638 | ||
639 | .TP | |
640 | .I LIMIT-LIST | |
641 | sets limits in seconds, bytes, or numbers of packets. | |
642 | ||
643 | .TP | |
644 | .I TMPL-LIST | |
645 | is a template list specified using | |
646 | .IR ID ", " MODE ", " REQID ", and/or " LEVEL ". " | |
647 | ||
648 | .TP | |
649 | .IR ID | |
650 | is specified by a source address, destination address, | |
651 | .RI "transform protocol " XFRM-PROTO "," | |
652 | and/or Security Parameter Index | |
653 | .IR SPI "." | |
654 | (For IP Payload Compression, the Compression Parameter Index or CPI is used for |
655 | .IR SPI ".)" | |
656 | |
657 | .TP | |
658 | .I XFRM-PROTO | |
659 | specifies a transform protocol: | |
660 | .RB "IPsec Encapsulating Security Payload (" esp ")," | |
661 | .RB "IPsec Authentication Header (" ah ")," | |
662 | .RB "IP Payload Compression (" comp ")," | |
663 | .RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or" | |
664 | .RB "Mobile IPv6 Home Address Option (" hao ")." | |
665 | ||
666 | .TP | |
667 | .I MODE | |
668 | specifies a mode of operation for the transform protocol. IPsec and IP Payload |
669 | Compression modes are | |
670 | .BR transport ", " tunnel "," | |
671 | and (for IPsec ESP only) Bound End-to-End Tunnel | |
672 | .RB "(" beet ")." | |
673 | Mobile IPv6 modes are route optimization | |
674 | .RB "(" ro ")" | |
675 | and inbound trigger | |
676 | .RB "(" in_trigger ")." | |
677 | |
678 | .TP | |
679 | .I LEVEL | |
680 | can be | |
681 | .BR required " (default) or " use "." | |
682 | ||
683 | .sp |
684 | .PP | |
685 | .TS | |
686 | l l. | |
687 | ip xfrm policy count count existing policies | |
688 | .TE | |
689 | ||
690 | .PP | |
691 | Use one or more -s options to display more details, including policy hash table | |
692 | information. | |
693 | ||
694 | .sp | |
695 | .PP | |
696 | .TS | |
697 | l l. | |
698 | ip xfrm policy set configure the policy hash table | |
699 | .TE | |
700 | ||
701 | .PP | |
Security policies whose address prefix lengths are greater than or equal to
the policy hash table thresholds are hashed. Others are stored in the
policy_inexact chained list.
705 | ||
706 | .TP | |
707 | .I LBITS | |
708 | specifies the minimum local address prefix length of policies that are | |
709 | stored in the Security Policy Database hash table. | |
710 | ||
711 | .TP | |
712 | .I RBITS | |
713 | specifies the minimum remote address prefix length of policies that are | |
714 | stored in the Security Policy Database hash table. | |
715 | ||
716 | .sp | |
717 | .PP | |
718 | .TS | |
719 | l l. | |
720 | ip xfrm monitor state monitoring for xfrm objects | |
721 | .TE | |
722 | ||
723 | .PP | |
724 | The xfrm objects to monitor can be optionally specified. |
725 | ||
726 | .P |
727 | If the | |
728 | .BI all-nsid | |
option is set, the program listens to all network namespaces that have an
nsid assigned in the network namespace where the program is running.
731 | A prefix is displayed to show the network namespace where the message | |
732 | originates. Example: | |
733 | .sp | |
734 | .in +2 | |
735 | [nsid 1]Flushed state proto 0 | |
736 | .in -2 | |
737 | .sp | |
738 | ||
2a9721f1 | 739 | .SH AUTHOR |
29665f92 | 740 | Manpage revised by David Ward <david.ward@ll.mit.edu> |
741 | .br |
742 | Manpage revised by Christophe Gouault <christophe.gouault@6wind.com> | |
743 | .br |
744 | Manpage revised by Nicolas Dichtel <nicolas.dichtel@6wind.com> |