[mirror_iproute2.git] / man / man8 / ip-xfrm.8

.TH IP\-XFRM 8 "20 Dec 2011" "iproute2" "Linux"
.SH "NAME"
ip-xfrm \- transform configuration
.SH "SYNOPSIS"
.sp
.ad l
.in +8
.ti -8
.B ip
.RI "[ " OPTIONS " ]"
.B xfrm
.RI " { " COMMAND " | "
.BR help " }"
.sp

.ti -8
.B "ip xfrm"
.IR XFRM-OBJECT " { " COMMAND " | "
.BR help " }"
.sp

.ti -8
.IR XFRM-OBJECT " :="
.BR state " | " policy " | " monitor
.sp

.ti -8
.BR "ip xfrm state" " { " add " | " update " } "
.IR ID " [ " ALGO-LIST " ]"
.RB "[ " mode
.IR MODE " ]"
.RB "[ " mark
.I MARK
.RB "[ " mask
.IR MASK " ] ]"
.RB "[ " reqid
.IR REQID " ]"
.RB "[ " seq
.IR SEQ " ]"
.RB "[ " replay-window
.IR SIZE " ]"
.RB "[ " replay-seq
.IR SEQ " ]"
.RB "[ " replay-oseq
.IR SEQ " ]"
.RB "[ " replay-seq-hi
.IR SEQ " ]"
.RB "[ " replay-oseq-hi
.IR SEQ " ]"
.RB "[ " flag
.IR FLAG-LIST " ]"
.RB "[ " sel
.IR SELECTOR " ] [ " LIMIT-LIST " ]"
.RB "[ " encap
.IR ENCAP " ]"
.RB "[ " coa
.IR ADDR "[/" PLEN "] ]"
.RB "[ " ctx
.IR CTX " ]"

.ti -8
.B "ip xfrm state allocspi"
.I ID
.RB "[ " mode
.IR MODE " ]"
.RB "[ " mark
.I MARK
.RB "[ " mask
.IR MASK " ] ]"
.RB "[ " reqid
.IR REQID " ]"
.RB "[ " seq
.IR SEQ " ]"
.RB "[ " min
.I SPI
.B max
.IR SPI " ]"

.ti -8
.BR "ip xfrm state" " { " delete " | " get " } "
.I ID
.RB "[ " mark
.I MARK
.RB "[ " mask
.IR MASK " ] ]"

.ti -8
.BR "ip xfrm state" " { " deleteall " | " list " } ["
.IR ID " ]"
.RB "[ " mode
.IR MODE " ]"
.RB "[ " reqid
.IR REQID " ]"
.RB "[ " flag
.IR FLAG-LIST " ]"

.ti -8
.BR "ip xfrm state flush" " [ " proto
.IR XFRM-PROTO " ]"

.ti -8
.BR "ip xfrm state count"

.ti -8
.IR ID " :="
.RB "[ " src
.IR ADDR " ]"
.RB "[ " dst
.IR ADDR " ]"
.RB "[ " proto
.IR XFRM-PROTO " ]"
.RB "[ " spi
.IR SPI " ]"

.ti -8
.IR XFRM-PROTO " :="
.BR esp " | " ah " | " comp " | " route2 " | " hao

.ti -8
.IR ALGO-LIST " := [ " ALGO-LIST " ] " ALGO

.ti -8
.IR ALGO " :="
.RB "{ " enc " | " auth " } " 
.IR ALGO-NAME " " ALGO-KEYMAT " |"
.br
.B auth-trunc
.IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-TRUNC-LEN " |"
.br
.B aead
.IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-ICV-LEN " |"
.br
.B comp
.IR ALGO-NAME

.ti -8
.IR MODE " := "
.BR transport " | " tunnel " | " beet " | " ro " | " in_trigger

.ti -8
.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG

.ti -8
.IR FLAG " :="
.BR noecn " | " decap-dscp " | " nopmtudisc " | " wildrecv " | " icmp " | "
.BR af-unspec " | " align4 " | " esn

.ti -8
.IR SELECTOR " :="
.RB "[ " src
.IR ADDR "[/" PLEN "] ]"
.RB "[ " dst
.IR ADDR "[/" PLEN "] ]"
.RB "[ " dev
.IR DEV " ]"
.br
.RI "[ " UPSPEC " ]"

.ti -8
.IR UPSPEC " := "
.BR proto " {"
.IR PROTO " |"
.br
.RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
.IR PORT " ]"
.RB "[ " dport
.IR PORT " ] |"
.br
.RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
.IR NUMBER " ]"
.RB "[ " code
.IR NUMBER " ] |"
.br
.BR gre " [ " key
.RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"

.ti -8
.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
.B limit
.I LIMIT

.ti -8
.IR LIMIT " :="
.RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
.IR "SECONDS" " |"
.br
.RB "{ " byte-soft " | " byte-hard " }"
.IR SIZE " |"
.br
.RB "{ " packet-soft " | " packet-hard " }"
.I COUNT

.ti -8
.IR ENCAP " :="
.RB "{ " espinudp " | " espinudp-nonike " }"
.IR SPORT " " DPORT " " OADDR

.ti -8
.BR "ip xfrm policy" " { " add " | " update " }"
.I SELECTOR
.B dir
.I DIR
.RB "[ " ctx
.IR CTX " ]"
.RB "[ " mark
.I MARK
.RB "[ " mask
.IR MASK " ] ]"
.RB "[ " index
.IR INDEX " ]"
.RB "[ " ptype
.IR PTYPE " ]"
.RB "[ " action
.IR ACTION " ]"
.RB "[ " priority
.IR PRIORITY " ]"
.RB "[ " flag
.IR FLAG-LIST " ]"
.RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]"

.ti -8
.BR "ip xfrm policy" " { " delete " | " get " }"
.RI "{ " SELECTOR " | "
.B index
.IR INDEX " }"
.B dir
.I DIR
.RB "[ " ctx
.IR CTX " ]"
.RB "[ " mark
.I MARK
.RB "[ " mask
.IR MASK " ] ]"
.RB "[ " ptype
.IR PTYPE " ]"

.ti -8
.BR "ip xfrm policy" " { " deleteall " | " list " }"
.RI "[ " SELECTOR " ]"
.RB "[ " dir
.IR DIR " ]"
.RB "[ " index
.IR INDEX " ]"
.RB "[ " ptype
.IR PTYPE " ]"
.RB "[ " action
.IR ACTION " ]"
.RB "[ " priority
.IR PRIORITY " ]"

.ti -8
.B "ip xfrm policy flush"
.RB "[ " ptype
.IR PTYPE " ]"

.ti -8
.B "ip xfrm policy count"

.ti -8
.IR SELECTOR " :="
.RB "[ " src
.IR ADDR "[/" PLEN "] ]"
.RB "[ " dst
.IR ADDR "[/" PLEN "] ]"
.RB "[ " dev
.IR DEV " ]"
.RI "[ " UPSPEC " ]"

.ti -8
.IR UPSPEC " := "
.BR proto " {"
.IR PROTO " |"
.br
.RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
.IR PORT " ]"
.RB "[ " dport
.IR PORT " ] |"
.br
.RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
.IR NUMBER " ]"
.RB "[ " code
.IR NUMBER " ] |"
.br
.BR gre " [ " key
.RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"

.ti -8
.IR DIR " := "
.BR in " | " out " | " fwd

.ti -8
.IR PTYPE " := "
.BR main " | " sub

.ti -8
.IR ACTION " := "
.BR allow " | " block

.ti -8
.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG

.ti -8
.IR FLAG " :="
.BR localok " | " icmp

.ti -8
.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
.B limit
.I LIMIT

.ti -8
.IR LIMIT " :="
.RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
.IR "SECONDS" " |"
.br
.RB "{ " byte-soft " | " byte-hard " }"
.IR SIZE " |"
.br
.RB "{ " packet-soft " | " packet-hard " }"
.I COUNT

.ti -8
.IR TMPL-LIST " := [ " TMPL-LIST " ]"
.B tmpl
.I TMPL

.ti -8
.IR TMPL " := " ID
.RB "[ " mode
.IR MODE " ]"
.RB "[ " reqid
.IR REQID " ]"
.RB "[ " level
.IR LEVEL " ]"

.ti -8
.IR ID " :="
.RB "[ " src
.IR ADDR " ]"
.RB "[ " dst
.IR ADDR " ]"
.RB "[ " proto
.IR XFRM-PROTO " ]"
.RB "[ " spi
.IR SPI " ]"

.ti -8
.IR XFRM-PROTO " :="
.BR esp " | " ah " | " comp " | " route2 " | " hao

.ti -8
.IR MODE " := "
.BR transport " | " tunnel " | " beet " | " ro " | " in_trigger

.ti -8
.IR LEVEL " :="
.BR required " | " use

.ti -8
.BR "ip xfrm monitor" " [ " all " |"
.IR LISTofXFRM-OBJECTS " ]"

.in -8
.ad b

.SH DESCRIPTION

xfrm is an IP framework for transforming packets (such as encrypting
their payloads). This framework is used to implement the IPsec protocol
suite (with the
.B state
object operating on the Security Association Database, and the
.B policy
object operating on the Security Policy Database). It is also used for
the IP Payload Compression Protocol and features of Mobile IPv6.

.TS
l l.
ip xfrm state add	add new state into xfrm
ip xfrm state update	update existing state in xfrm
ip xfrm state allocspi	allocate an SPI value
ip xfrm state delete	delete existing state in xfrm
ip xfrm state get	get existing state in xfrm
ip xfrm state deleteall	delete all existing state in xfrm
ip xfrm state list	print out the list of existing state in xfrm
ip xfrm state flush	flush all state in xfrm
ip xfrm state count	count all existing state in xfrm
ip xfrm monitor 	state monitoring for xfrm objects
.TE

.TP
.IR ID
is specified by a source address, destination address,
.RI "transform protocol " XFRM-PROTO ","
and/or Security Parameter Index
.IR SPI "."
(For IP Payload Compression, the Compression Parameter Index or CPI is used for
.IR SPI ".)"

.TP
.I XFRM-PROTO
specifies a transform protocol:
.RB "IPsec Encapsulating Security Payload (" esp "),"
.RB "IPsec Authentication Header (" ah "),"
.RB "IP Payload Compression (" comp "),"
.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
.RB "Mobile IPv6 Home Address Option (" hao ")."

.TP
.I ALGO-LIST
contains one or more algorithms to use. Each algorithm
.I ALGO
is specified by:
.RS
.IP \[bu]
the algorithm type:
.RB "encryption (" enc "),"
.RB "authentication (" auth " or " auth-trunc "),"
.RB "authenticated encryption with associated data (" aead "), or"
.RB "compression (" comp ")"
.IP \[bu]
the algorithm name
.IR ALGO-NAME
(see below)
.IP \[bu]
.RB "(for all except " comp ")"
the keying material
.IR ALGO-KEYMAT ","
which may include both a key and a salt or nonce value; refer to the
corresponding RFC
.IP \[bu]
.RB "(for " auth-trunc " only)"
the truncation length
.I ALGO-TRUNC-LEN
in bits
.IP \[bu]
.RB "(for " aead " only)"
the Integrity Check Value length
.I ALGO-ICV-LEN
in bits
.RE

.nh
.RS
Encryption algorithms include
.BR ecb(cipher_null) ", " cbc(des) ", " cbc(des3_ede) ", " cbc(cast5) ","
.BR cbc(blowfish) ", " cbc(aes) ", " cbc(serpent) ", " cbc(camellia) ","
.BR cbc(twofish) ", and " rfc3686(ctr(aes)) "."

Authentication algorithms include
.BR digest_null ", " hmac(md5) ", " hmac(sha1) ", " hmac(sha256) ","
.BR hmac(sha384) ", " hmac(sha512) ", " hmac(rmd610) ", and " xcbc(aes) "."

Authenticated encryption with associated data (AEAD) algorithms include
.BR rfc4106(gcm(aes)) ", " rfc4309(ccm(aes)) ", and " rfc4543(gcm(aes)) "."

Compression algorithms include
.BR deflate ", " lzs ", and " lzjh "."
.RE
.hy

.TP
.I MODE
specifies a mode of operation for the transform protocol. IPsec and IP Payload
Compression modes are
.BR transport ", " tunnel ","
and (for IPsec ESP only) Bound End-to-End Tunnel
.RB "(" beet ")."
Mobile IPv6 modes are route optimization
.RB "(" ro ")"
and inbound trigger
.RB "(" in_trigger ")."

.TP
.I FLAG-LIST
contains one or more of the following optional flags:
.BR noecn ", " decap-dscp ", " nopmtudisc ", " wildrecv ", " icmp ", "
.BR af-unspec ", " align4 ", or " esn "."

.TP
.IR SELECTOR
selects the traffic that will be controlled by the policy, based on the source
address, the destination address, the network device, and/or
.IR UPSPEC "."

.TP
.IR UPSPEC
selects traffic by protocol. For the
.BR tcp ", " udp ", " sctp ", or " dccp
protocols, the source and destination port can optionally be specified.
For the
.BR icmp ", " ipv6-icmp ", or " mobility-header
protocols, the type and code numbers can optionally be specified.
For the
.B gre
protocol, the key can optionally be specified as a dotted-quad or number.
Other protocols can be selected by name or number
.IR PROTO "."

.TP
.I LIMIT-LIST
sets limits in seconds, bytes, or numbers of packets.

.TP
.I ENCAP
encapsulates packets with protocol
.BR espinudp " or " espinudp-nonike ","
.RI "using source port " SPORT ", destination port "  DPORT
.RI ", and original address " OADDR "."
.sp
.TS
l l.
ip xfrm policy add	add a new policy
ip xfrm policy update	update an existing policy
ip xfrm policy delete	delete an existing policy
ip xfrm policy get	get an existing policy
ip xfrm policy deleteall	delete all existing xfrm policies
ip xfrm policy list	print out the list of xfrm policies
ip xfrm policy flush	flush policies
ip xfrm policy count	count existing policies
.TE

.TP
.IR SELECTOR
selects the traffic that will be controlled by the policy, based on the source
address, the destination address, the network device, and/or
.IR UPSPEC "."

.TP
.IR UPSPEC
selects traffic by protocol. For the
.BR tcp ", " udp ", " sctp ", or " dccp
protocols, the source and destination port can optionally be specified.
For the
.BR icmp ", " ipv6-icmp ", or " mobility-header
protocols, the type and code numbers can optionally be specified.
For the
.B gre
protocol, the key can optionally be specified as a dotted-quad or number.
Other protocols can be selected by name or number
.IR PROTO "."

.TP
.I DIR
selects the policy direction as
.BR in ", " out ", or " fwd "."

.TP
.I CTX
sets the security context.

.TP
.I PTYPE
can be
.BR main " (default) or " sub "."

.TP
.I ACTION
can be
.BR allow " (default) or " block "."

.TP
.I PRIORITY
is a number that defaults to zero.

.TP
.I FLAG-LIST
contains one or both of the following optional flags:
.BR local " or " icmp "."

.TP
.I LIMIT-LIST
sets limits in seconds, bytes, or numbers of packets.

.TP
.I TMPL-LIST
is a template list specified using
.IR ID ", " MODE ", " REQID ", and/or " LEVEL ". "

.TP
.IR ID
is specified by a source address, destination address,
.RI "transform protocol " XFRM-PROTO ","
and/or Security Parameter Index
.IR SPI "."
(For IP Payload Compression, the Compression Parameter Index or CPI is used for
.IR SPI ".)"

.TP
.I XFRM-PROTO
specifies a transform protocol:
.RB "IPsec Encapsulating Security Payload (" esp "),"
.RB "IPsec Authentication Header (" ah "),"
.RB "IP Payload Compression (" comp "),"
.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
.RB "Mobile IPv6 Home Address Option (" hao ")."

.TP
.I MODE
specifies a mode of operation for the transform protocol. IPsec and IP Payload
Compression modes are
.BR transport ", " tunnel ","
and (for IPsec ESP only) Bound End-to-End Tunnel
.RB "(" beet ")."
Mobile IPv6 modes are route optimization
.RB "(" ro ")"
and inbound trigger
.RB "(" in_trigger ")."

.TP
.I LEVEL
can be
.BR required " (default) or " use "."

The xfrm objects to monitor can be optionally specified.

.SH AUTHOR
Manpage revised by David Ward <david.ward@ll.mit.edu>
Commit	Line	Data
2a9721f1 SH	1	.TH IP\-XFRM 8 "20 Dec 2011" "iproute2" "Linux"
2a9721f1 SH	2	.SH "NAME"
aab2702d	3	ip-xfrm \- transform configuration
2a9721f1 SH	4	.SH "SYNOPSIS"
	5	.sp
	6	.ad l
	7	.in +8
	8	.ti -8
	9	.B ip
	10	.RI "[ " OPTIONS " ]"
	11	.B xfrm
	12	.RI " { " COMMAND " \| "
	13	.BR help " }"
	14	.sp
	15
	16	.ti -8
	17	.B "ip xfrm"
	18	.IR XFRM-OBJECT " { " COMMAND " \| "
	19	.BR help " }"
	20	.sp
	21
	22	.ti -8
	23	.IR XFRM-OBJECT " :="
	24	.BR state " \| " policy " \| " monitor
	25	.sp
	26
	27	.ti -8
	28	.BR "ip xfrm state" " { " add " \| " update " } "
	29	.IR ID " [ " ALGO-LIST " ]"
	30	.RB "[ " mode
	31	.IR MODE " ]"
	32	.RB "[ " mark
	33	.I MARK
	34	.RB "[ " mask
	35	.IR MASK " ] ]"
	36	.RB "[ " reqid
	37	.IR REQID " ]"
	38	.RB "[ " seq
	39	.IR SEQ " ]"
	40	.RB "[ " replay-window
	41	.IR SIZE " ]"
	42	.RB "[ " replay-seq
	43	.IR SEQ " ]"
	44	.RB "[ " replay-oseq
	45	.IR SEQ " ]"
eeb669a7 ND	46	.RB "[ " replay-seq-hi
	47	.IR SEQ " ]"
	48	.RB "[ " replay-oseq-hi
	49	.IR SEQ " ]"
2a9721f1 SH	50	.RB "[ " flag
	51	.IR FLAG-LIST " ]"
	52	.RB "[ " sel
	53	.IR SELECTOR " ] [ " LIMIT-LIST " ]"
	54	.RB "[ " encap
	55	.IR ENCAP " ]"
	56	.RB "[ " coa
	57	.IR ADDR "[/" PLEN "] ]"
	58	.RB "[ " ctx
	59	.IR CTX " ]"
	60
	61	.ti -8
	62	.B "ip xfrm state allocspi"
	63	.I ID
	64	.RB "[ " mode
	65	.IR MODE " ]"
	66	.RB "[ " mark
	67	.I MARK
	68	.RB "[ " mask
	69	.IR MASK " ] ]"
	70	.RB "[ " reqid
	71	.IR REQID " ]"
	72	.RB "[ " seq
	73	.IR SEQ " ]"
	74	.RB "[ " min
	75	.I SPI
	76	.B max
	77	.IR SPI " ]"
	78
	79	.ti -8
	80	.BR "ip xfrm state" " { " delete " \| " get " } "
	81	.I ID
	82	.RB "[ " mark
	83	.I MARK
	84	.RB "[ " mask
	85	.IR MASK " ] ]"
	86
	87	.ti -8
	88	.BR "ip xfrm state" " { " deleteall " \| " list " } ["
	89	.IR ID " ]"
	90	.RB "[ " mode
	91	.IR MODE " ]"
	92	.RB "[ " reqid
	93	.IR REQID " ]"
	94	.RB "[ " flag
	95	.IR FLAG-LIST " ]"
	96
	97	.ti -8
	98	.BR "ip xfrm state flush" " [ " proto
	99	.IR XFRM-PROTO " ]"
	100
	101	.ti -8
	102	.BR "ip xfrm state count"
	103
	104	.ti -8
	105	.IR ID " :="
	106	.RB "[ " src
	107	.IR ADDR " ]"
	108	.RB "[ " dst
	109	.IR ADDR " ]"
	110	.RB "[ " proto
	111	.IR XFRM-PROTO " ]"
	112	.RB "[ " spi
	113	.IR SPI " ]"
114
115	.ti -8
116	.IR XFRM-PROTO " :="
117	.BR esp " \| " ah " \| " comp " \| " route2 " \| " hao
118
119	.ti -8
120	.IR ALGO-LIST " := [ " ALGO-LIST " ] " ALGO
121
122	.ti -8
123	.IR ALGO " :="
f3b9aa3d	124	.RB "{ " enc " \| " auth " } "
29665f92	125	.IR ALGO-NAME " " ALGO-KEYMAT " \|"
2a9721f1	126	.br
2a9721f1	127	.B auth-trunc
29665f92	128	.IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-TRUNC-LEN " \|"
f3b9aa3d DW	129	.br
f3b9aa3d DW	130	.B aead
29665f92	131	.IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-ICV-LEN " \|"
f3b9aa3d DW	132	.br
	133	.B comp
	134	.IR ALGO-NAME
2a9721f1 SH	135
	136	.ti -8
	137	.IR MODE " := "
29665f92	138	.BR transport " \| " tunnel " \| " beet " \| " ro " \| " in_trigger
2a9721f1 SH	139
	140	.ti -8
	141	.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
	142
	143	.ti -8
	144	.IR FLAG " :="
eeb669a7 ND	145	.BR noecn " \| " decap-dscp " \| " nopmtudisc " \| " wildrecv " \| " icmp " \| "
eeb669a7 ND	146	.BR af-unspec " \| " align4 " \| " esn
2a9721f1 SH	147
	148	.ti -8
	149	.IR SELECTOR " :="
	150	.RB "[ " src
	151	.IR ADDR "[/" PLEN "] ]"
	152	.RB "[ " dst
	153	.IR ADDR "[/" PLEN "] ]"
	154	.RB "[ " dev
	155	.IR DEV " ]"
	156	.br
	157	.RI "[ " UPSPEC " ]"
	158
	159	.ti -8
	160	.IR UPSPEC " := "
	161	.BR proto " {"
	162	.IR PROTO " \|"
	163	.br
	164	.RB "{ " tcp " \| " udp " \| " sctp " \| " dccp " } [ " sport
	165	.IR PORT " ]"
	166	.RB "[ " dport
	167	.IR PORT " ] \|"
	168	.br
	169	.RB "{ " icmp " \| " ipv6-icmp " \| " mobility-header " } [ " type
	170	.IR NUMBER " ]"
	171	.RB "[ " code
	172	.IR NUMBER " ] \|"
	173	.br
	174	.BR gre " [ " key
	175	.RI "{ " DOTTED-QUAD " \| " NUMBER " } ] }"
	176
	177	.ti -8
	178	.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
	179	.B limit
	180	.I LIMIT
	181
	182	.ti -8
	183	.IR LIMIT " :="
	184	.RB "{ " time-soft " \| " time-hard " \| " time-use-soft " \| " time-use-hard " }"
	185	.IR "SECONDS" " \|"
	186	.br
	187	.RB "{ " byte-soft " \| " byte-hard " }"
	188	.IR SIZE " \|"
	189	.br
	190	.RB "{ " packet-soft " \| " packet-hard " }"
	191	.I COUNT
	192
	193	.ti -8
	194	.IR ENCAP " :="
	195	.RB "{ " espinudp " \| " espinudp-nonike " }"
	196	.IR SPORT " " DPORT " " OADDR
	197
	198	.ti -8
	199	.BR "ip xfrm policy" " { " add " \| " update " }"
	200	.I SELECTOR
	201	.B dir
	202	.I DIR
	203	.RB "[ " ctx
	204	.IR CTX " ]"
	205	.RB "[ " mark
	206	.I MARK
	207	.RB "[ " mask
	208	.IR MASK " ] ]"
	209	.RB "[ " index
	210	.IR INDEX " ]"
211	.RB "[ " ptype
212	.IR PTYPE " ]"
213	.RB "[ " action
214	.IR ACTION " ]"
215	.RB "[ " priority
216	.IR PRIORITY " ]"
217	.RB "[ " flag
218	.IR FLAG-LIST " ]"
219	.RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]"
220
221	.ti -8
222	.BR "ip xfrm policy" " { " delete " \| " get " }"
223	.RI "{ " SELECTOR " \| "
224	.B index
225	.IR INDEX " }"
226	.B dir
227	.I DIR
228	.RB "[ " ctx
229	.IR CTX " ]"
230	.RB "[ " mark
231	.I MARK
232	.RB "[ " mask
233	.IR MASK " ] ]"
234	.RB "[ " ptype
235	.IR PTYPE " ]"
236
237	.ti -8
238	.BR "ip xfrm policy" " { " deleteall " \| " list " }"
239	.RI "[ " SELECTOR " ]"
240	.RB "[ " dir
241	.IR DIR " ]"
242	.RB "[ " index
243	.IR INDEX " ]"
244	.RB "[ " ptype
245	.IR PTYPE " ]"
246	.RB "[ " action
247	.IR ACTION " ]"
248	.RB "[ " priority
249	.IR PRIORITY " ]"
250
251	.ti -8
252	.B "ip xfrm policy flush"
253	.RB "[ " ptype
254	.IR PTYPE " ]"
255
256	.ti -8
257	.B "ip xfrm policy count"
258
259	.ti -8
260	.IR SELECTOR " :="
261	.RB "[ " src
262	.IR ADDR "[/" PLEN "] ]"
263	.RB "[ " dst
264	.IR ADDR "[/" PLEN "] ]"
265	.RB "[ " dev
266	.IR DEV " ]"
267	.RI "[ " UPSPEC " ]"
268
269	.ti -8
270	.IR UPSPEC " := "
271	.BR proto " {"
272	.IR PROTO " \|"
273	.br
274	.RB "{ " tcp " \| " udp " \| " sctp " \| " dccp " } [ " sport
275	.IR PORT " ]"
276	.RB "[ " dport
277	.IR PORT " ] \|"
278	.br
279	.RB "{ " icmp " \| " ipv6-icmp " \| " mobility-header " } [ " type
280	.IR NUMBER " ]"
281	.RB "[ " code
282	.IR NUMBER " ] \|"
283	.br
284	.BR gre " [ " key
285	.RI "{ " DOTTED-QUAD " \| " NUMBER " } ] }"
286
287	.ti -8
288	.IR DIR " := "
289	.BR in " \| " out " \| " fwd
290
291	.ti -8
292	.IR PTYPE " := "
293	.BR main " \| " sub
294
295	.ti -8
296	.IR ACTION " := "
297	.BR allow " \| " block
298
299	.ti -8
300	.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
301
302	.ti -8
303	.IR FLAG " :="
304	.BR localok " \| " icmp
305
306	.ti -8
307	.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
308	.B limit
309	.I LIMIT
310
311	.ti -8
312	.IR LIMIT " :="
313	.RB "{ " time-soft " \| " time-hard " \| " time-use-soft " \| " time-use-hard " }"
314	.IR "SECONDS" " \|"
315	.br
316	.RB "{ " byte-soft " \| " byte-hard " }"
317	.IR SIZE " \|"
318	.br
319	.RB "{ " packet-soft " \| " packet-hard " }"
320	.I COUNT
321
322	.ti -8
323	.IR TMPL-LIST " := [ " TMPL-LIST " ]"
324	.B tmpl
325	.I TMPL
326
327	.ti -8
328	.IR TMPL " := " ID
329	.RB "[ " mode
330	.IR MODE " ]"
331	.RB "[ " reqid
332	.IR REQID " ]"
333	.RB "[ " level
334	.IR LEVEL " ]"
335
336	.ti -8
337	.IR ID " :="
338	.RB "[ " src
339	.IR ADDR " ]"
340	.RB "[ " dst
341	.IR ADDR " ]"
342	.RB "[ " proto
343	.IR XFRM-PROTO " ]"
344	.RB "[ " spi
345	.IR SPI " ]"
346
347	.ti -8
348	.IR XFRM-PROTO " :="
349	.BR esp " \| " ah " \| " comp " \| " route2 " \| " hao
350
351	.ti -8
352	.IR MODE " := "
29665f92	353	.BR transport " \| " tunnel " \| " beet " \| " ro " \| " in_trigger
2a9721f1 SH	354
	355	.ti -8
	356	.IR LEVEL " :="
	357	.BR required " \| " use
	358
	359	.ti -8
	360	.BR "ip xfrm monitor" " [ " all " \|"
	361	.IR LISTofXFRM-OBJECTS " ]"
	362
	363	.in -8
	364	.ad b
	365
	366	.SH DESCRIPTION
	367
	368	xfrm is an IP framework for transforming packets (such as encrypting
	369	their payloads). This framework is used to implement the IPsec protocol
	370	suite (with the
	371	.B state
	372	object operating on the Security Association Database, and the
	373	.B policy
	374	object operating on the Security Policy Database). It is also used for
	375	the IP Payload Compression Protocol and features of Mobile IPv6.
	376
61f541fe	377	.TS
	378	l l.
	379	ip xfrm state add add new state into xfrm
	380	ip xfrm state update update existing state in xfrm
	381	ip xfrm state allocspi allocate an SPI value
	382	ip xfrm state delete delete existing state in xfrm
	383	ip xfrm state get get existing state in xfrm
	384	ip xfrm state deleteall delete all existing state in xfrm
	385	ip xfrm state list print out the list of existing state in xfrm
	386	ip xfrm state flush flush all state in xfrm
	387	ip xfrm state count count all existing state in xfrm
	388	ip xfrm monitor state monitoring for xfrm objects
	389	.TE
2a9721f1 SH	390
	391	.TP
	392	.IR ID
	393	is specified by a source address, destination address,
	394	.RI "transform protocol " XFRM-PROTO ","
	395	and/or Security Parameter Index
	396	.IR SPI "."
29665f92 DW	397	(For IP Payload Compression, the Compression Parameter Index or CPI is used for
29665f92 DW	398	.IR SPI ".)"
2a9721f1 SH	399
	400	.TP
	401	.I XFRM-PROTO
	402	specifies a transform protocol:
	403	.RB "IPsec Encapsulating Security Payload (" esp "),"
	404	.RB "IPsec Authentication Header (" ah "),"
	405	.RB "IP Payload Compression (" comp "),"
	406	.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
	407	.RB "Mobile IPv6 Home Address Option (" hao ")."
	408
	409	.TP
	410	.I ALGO-LIST
29665f92 DW	411	contains one or more algorithms to use. Each algorithm
	412	.I ALGO
	413	is specified by:
	414	.RS
	415	.IP \[bu]
	416	the algorithm type:
2a9721f1	417	.RB "encryption (" enc "),"
29665f92 DW	418	.RB "authentication (" auth " or " auth-trunc "),"
	419	.RB "authenticated encryption with associated data (" aead "), or"
	420	.RB "compression (" comp ")"
	421	.IP \[bu]
	422	the algorithm name
	423	.IR ALGO-NAME
	424	(see below)
	425	.IP \[bu]
	426	.RB "(for all except " comp ")"
	427	the keying material
	428	.IR ALGO-KEYMAT ","
	429	which may include both a key and a salt or nonce value; refer to the
	430	corresponding RFC
	431	.IP \[bu]
	432	.RB "(for " auth-trunc " only)"
	433	the truncation length
	434	.I ALGO-TRUNC-LEN
	435	in bits
	436	.IP \[bu]
	437	.RB "(for " aead " only)"
2a9721f1 SH	438	the Integrity Check Value length
2a9721f1 SH	439	.I ALGO-ICV-LEN
29665f92 DW	440	in bits
	441	.RE
	442
	443	.nh
	444	.RS
	445	Encryption algorithms include
	446	.BR ecb(cipher_null) ", " cbc(des) ", " cbc(des3_ede) ", " cbc(cast5) ","
	447	.BR cbc(blowfish) ", " cbc(aes) ", " cbc(serpent) ", " cbc(camellia) ","
	448	.BR cbc(twofish) ", and " rfc3686(ctr(aes)) "."
	449
	450	Authentication algorithms include
	451	.BR digest_null ", " hmac(md5) ", " hmac(sha1) ", " hmac(sha256) ","
	452	.BR hmac(sha384) ", " hmac(sha512) ", " hmac(rmd610) ", and " xcbc(aes) "."
	453
	454	Authenticated encryption with associated data (AEAD) algorithms include
	455	.BR rfc4106(gcm(aes)) ", " rfc4309(ccm(aes)) ", and " rfc4543(gcm(aes)) "."
	456
	457	Compression algorithms include
	458	.BR deflate ", " lzs ", and " lzjh "."
	459	.RE
	460	.hy
2a9721f1 SH	461
	462	.TP
	463	.I MODE
29665f92 DW	464	specifies a mode of operation for the transform protocol. IPsec and IP Payload
	465	Compression modes are
	466	.BR transport ", " tunnel ","
	467	and (for IPsec ESP only) Bound End-to-End Tunnel
	468	.RB "(" beet ")."
	469	Mobile IPv6 modes are route optimization
	470	.RB "(" ro ")"
	471	and inbound trigger
	472	.RB "(" in_trigger ")."
2a9721f1 SH	473
	474	.TP
	475	.I FLAG-LIST
	476	contains one or more of the following optional flags:
	477	.BR noecn ", " decap-dscp ", " nopmtudisc ", " wildrecv ", " icmp ", "
eeb669a7	478	.BR af-unspec ", " align4 ", or " esn "."
2a9721f1 SH	479
	480	.TP
	481	.IR SELECTOR
	482	selects the traffic that will be controlled by the policy, based on the source
	483	address, the destination address, the network device, and/or
	484	.IR UPSPEC "."
	485
	486	.TP
	487	.IR UPSPEC
	488	selects traffic by protocol. For the
	489	.BR tcp ", " udp ", " sctp ", or " dccp
	490	protocols, the source and destination port can optionally be specified.
	491	For the
	492	.BR icmp ", " ipv6-icmp ", or " mobility-header
	493	protocols, the type and code numbers can optionally be specified.
	494	For the
	495	.B gre
	496	protocol, the key can optionally be specified as a dotted-quad or number.
	497	Other protocols can be selected by name or number
	498	.IR PROTO "."
	499
	500	.TP
	501	.I LIMIT-LIST
	502	sets limits in seconds, bytes, or numbers of packets.
	503
	504	.TP
	505	.I ENCAP
	506	encapsulates packets with protocol
	507	.BR espinudp " or " espinudp-nonike ","
	508	.RI "using source port " SPORT ", destination port " DPORT
	509	.RI ", and original address " OADDR "."
61f541fe	510	.sp
	511	.TS
	512	l l.
	513	ip xfrm policy add add a new policy
	514	ip xfrm policy update update an existing policy
	515	ip xfrm policy delete delete an existing policy
	516	ip xfrm policy get get an existing policy
	517	ip xfrm policy deleteall delete all existing xfrm policies
	518	ip xfrm policy list print out the list of xfrm policies
	519	ip xfrm policy flush flush policies
	520	ip xfrm policy count count existing policies
	521	.TE
2a9721f1 SH	522
	523	.TP
	524	.IR SELECTOR
	525	selects the traffic that will be controlled by the policy, based on the source
	526	address, the destination address, the network device, and/or
	527	.IR UPSPEC "."
	528
	529	.TP
	530	.IR UPSPEC
	531	selects traffic by protocol. For the
	532	.BR tcp ", " udp ", " sctp ", or " dccp
	533	protocols, the source and destination port can optionally be specified.
	534	For the
	535	.BR icmp ", " ipv6-icmp ", or " mobility-header
	536	protocols, the type and code numbers can optionally be specified.
	537	For the
	538	.B gre
	539	protocol, the key can optionally be specified as a dotted-quad or number.
	540	Other protocols can be selected by name or number
	541	.IR PROTO "."
	542
	543	.TP
	544	.I DIR
	545	selects the policy direction as
	546	.BR in ", " out ", or " fwd "."
	547
	548	.TP
	549	.I CTX
	550	sets the security context.
	551
	552	.TP
	553	.I PTYPE
	554	can be
	555	.BR main " (default) or " sub "."
	556
	557	.TP
	558	.I ACTION
	559	can be
	560	.BR allow " (default) or " block "."
	561
	562	.TP
	563	.I PRIORITY
	564	is a number that defaults to zero.
	565
	566	.TP
	567	.I FLAG-LIST
	568	contains one or both of the following optional flags:
	569	.BR local " or " icmp "."
	570
	571	.TP
	572	.I LIMIT-LIST
	573	sets limits in seconds, bytes, or numbers of packets.
	574
	575	.TP
	576	.I TMPL-LIST
	577	is a template list specified using
	578	.IR ID ", " MODE ", " REQID ", and/or " LEVEL ". "
	579
	580	.TP
	581	.IR ID
	582	is specified by a source address, destination address,
	583	.RI "transform protocol " XFRM-PROTO ","
	584	and/or Security Parameter Index
	585	.IR SPI "."
29665f92 DW	586	(For IP Payload Compression, the Compression Parameter Index or CPI is used for
29665f92 DW	587	.IR SPI ".)"
2a9721f1 SH	588
	589	.TP
	590	.I XFRM-PROTO
	591	specifies a transform protocol:
	592	.RB "IPsec Encapsulating Security Payload (" esp "),"
	593	.RB "IPsec Authentication Header (" ah "),"
	594	.RB "IP Payload Compression (" comp "),"
	595	.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
	596	.RB "Mobile IPv6 Home Address Option (" hao ")."
	597
	598	.TP
	599	.I MODE
29665f92 DW	600	specifies a mode of operation for the transform protocol. IPsec and IP Payload
	601	Compression modes are
	602	.BR transport ", " tunnel ","
	603	and (for IPsec ESP only) Bound End-to-End Tunnel
	604	.RB "(" beet ")."
	605	Mobile IPv6 modes are route optimization
	606	.RB "(" ro ")"
	607	and inbound trigger
	608	.RB "(" in_trigger ")."
2a9721f1 SH	609
	610	.TP
	611	.I LEVEL
	612	can be
	613	.BR required " (default) or " use "."
	614
2a9721f1 SH	615	The xfrm objects to monitor can be optionally specified.
	616
	617	.SH AUTHOR
29665f92	618	Manpage revised by David Ward <david.ward@ll.mit.edu>