1 .TH IP\-XFRM 8 "20 Dec 2011" "iproute2" "Linux"
2 .SH "NAME"
3 ip-xfrm \- transform configuration
4 .SH "SYNOPSIS"
5 .sp
6 .ad l
7 .in +8
8 .ti -8
9 .B ip
10 .RI "[ " OPTIONS " ]"
11 .B xfrm
12 .RI " { " COMMAND " | "
13 .BR help " }"
14 .sp
15
16 .ti -8
17 .B "ip xfrm"
18 .IR XFRM-OBJECT " { " COMMAND " | "
19 .BR help " }"
20 .sp
21
22 .ti -8
23 .IR XFRM-OBJECT " :="
24 .BR state " | " policy " | " monitor
25 .sp
26
27 .ti -8
28 .BR "ip xfrm state" " { " add " | " update " } "
29 .IR ID " [ " ALGO-LIST " ]"
30 .RB "[ " mode
31 .IR MODE " ]"
32 .RB "[ " mark
33 .I MARK
34 .RB "[ " mask
35 .IR MASK " ] ]"
36 .RB "[ " reqid
37 .IR REQID " ]"
38 .RB "[ " seq
39 .IR SEQ " ]"
40 .RB "[ " replay-window
41 .IR SIZE " ]"
42 .RB "[ " replay-seq
43 .IR SEQ " ]"
44 .RB "[ " replay-oseq
45 .IR SEQ " ]"
46 .RB "[ " replay-seq-hi
47 .IR SEQ " ]"
48 .RB "[ " replay-oseq-hi
49 .IR SEQ " ]"
50 .RB "[ " flag
51 .IR FLAG-LIST " ]"
52 .RB "[ " sel
53 .IR SELECTOR " ] [ " LIMIT-LIST " ]"
54 .RB "[ " encap
55 .IR ENCAP " ]"
56 .RB "[ " coa
57 .IR ADDR "[/" PLEN "] ]"
58 .RB "[ " ctx
59 .IR CTX " ]"
60 .RB "[ " extra-flag
61 .IR EXTRA-FLAG-LIST " ]"
62 .RB "[ " output-mark
63 .IR OUTPUT-MARK
64 .RB "[ " mask
65 .IR MASK " ] ]"
66 .RB "[ " if_id
67 .IR IF-ID " ]"
68
69 .ti -8
70 .B "ip xfrm state allocspi"
71 .I ID
72 .RB "[ " mode
73 .IR MODE " ]"
74 .RB "[ " mark
75 .I MARK
76 .RB "[ " mask
77 .IR MASK " ] ]"
78 .RB "[ " reqid
79 .IR REQID " ]"
80 .RB "[ " seq
81 .IR SEQ " ]"
82 .RB "[ " min
83 .I SPI
84 .B max
85 .IR SPI " ]"
86
87 .ti -8
88 .BR "ip xfrm state" " { " delete " | " get " } "
89 .I ID
90 .RB "[ " mark
91 .I MARK
92 .RB "[ " mask
93 .IR MASK " ] ]"
94
95 .ti -8
96 .BR ip " [ " -4 " | " -6 " ] " "xfrm state deleteall" " ["
97 .IR ID " ]"
98 .RB "[ " mode
99 .IR MODE " ]"
100 .RB "[ " reqid
101 .IR REQID " ]"
102 .RB "[ " flag
103 .IR FLAG-LIST " ]"
104
105 .ti -8
106 .BR ip " [ " -4 " | " -6 " ] " "xfrm state list" " ["
107 .IR ID " ]"
108 .RB "[ " nokeys " ]"
109 .RB "[ " mode
110 .IR MODE " ]"
111 .RB "[ " reqid
112 .IR REQID " ]"
113 .RB "[ " flag
114 .IR FLAG-LIST " ]"
115
116 .ti -8
117 .BR "ip xfrm state flush" " [ " proto
118 .IR XFRM-PROTO " ]"
119
120 .ti -8
121 .BR "ip xfrm state count"
122
123 .ti -8
124 .IR ID " :="
125 .RB "[ " src
126 .IR ADDR " ]"
127 .RB "[ " dst
128 .IR ADDR " ]"
129 .RB "[ " proto
130 .IR XFRM-PROTO " ]"
131 .RB "[ " spi
132 .IR SPI " ]"
133
134 .ti -8
135 .IR XFRM-PROTO " :="
136 .BR esp " | " ah " | " comp " | " route2 " | " hao
137
138 .ti -8
139 .IR ALGO-LIST " := [ " ALGO-LIST " ] " ALGO
140
141 .ti -8
142 .IR ALGO " :="
143 .RB "{ " enc " | " auth " } "
144 .IR ALGO-NAME " " ALGO-KEYMAT " |"
145 .br
146 .B auth-trunc
147 .IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-TRUNC-LEN " |"
148 .br
149 .B aead
150 .IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-ICV-LEN " |"
151 .br
152 .B comp
153 .IR ALGO-NAME
154
155 .ti -8
156 .IR MODE " := "
157 .BR transport " | " tunnel " | " beet " | " ro " | " in_trigger
158
159 .ti -8
160 .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
161
162 .ti -8
163 .IR FLAG " :="
164 .BR noecn " | " decap-dscp " | " nopmtudisc " | " wildrecv " | " icmp " | "
165 .BR af-unspec " | " align4 " | " esn
166
167 .ti -8
168 .IR SELECTOR " :="
169 .RB "[ " src
170 .IR ADDR "[/" PLEN "] ]"
171 .RB "[ " dst
172 .IR ADDR "[/" PLEN "] ]"
173 .RB "[ " dev
174 .IR DEV " ]"
175 .br
176 .RI "[ " UPSPEC " ]"
177
178 .ti -8
179 .IR UPSPEC " := "
180 .BR proto " {"
181 .IR PROTO " |"
182 .br
183 .RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
184 .IR PORT " ]"
185 .RB "[ " dport
186 .IR PORT " ] |"
187 .br
188 .RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
189 .IR NUMBER " ]"
190 .RB "[ " code
191 .IR NUMBER " ] |"
192 .br
193 .BR gre " [ " key
194 .RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
195
196 .ti -8
197 .IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
198 .B limit
199 .I LIMIT
200
201 .ti -8
202 .IR LIMIT " :="
203 .RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
204 .IR "SECONDS" " |"
205 .br
206 .RB "{ " byte-soft " | " byte-hard " }"
207 .IR SIZE " |"
208 .br
209 .RB "{ " packet-soft " | " packet-hard " }"
210 .I COUNT
211
212 .ti -8
213 .IR ENCAP " :="
214 .RB "{ " espinudp " | " espinudp-nonike " | " espintcp " }"
215 .IR SPORT " " DPORT " " OADDR
216
217 .ti -8
218 .IR EXTRA-FLAG-LIST " := [ " EXTRA-FLAG-LIST " ] " EXTRA-FLAG
219
220 .ti -8
221 .IR EXTRA-FLAG " := "
222 .BR dont-encap-dscp " | " oseq-may-wrap
223
224 .ti -8
225 .BR "ip xfrm policy" " { " add " | " update " }"
226 .I SELECTOR
227 .B dir
228 .I DIR
229 .RB "[ " ctx
230 .IR CTX " ]"
231 .RB "[ " mark
232 .I MARK
233 .RB "[ " mask
234 .IR MASK " ] ]"
235 .RB "[ " index
236 .IR INDEX " ]"
237 .RB "[ " ptype
238 .IR PTYPE " ]"
239 .RB "[ " action
240 .IR ACTION " ]"
241 .RB "[ " priority
242 .IR PRIORITY " ]"
243 .RB "[ " flag
244 .IR FLAG-LIST " ]"
245 .RB "[ " if_id
246 .IR IF-ID " ]"
247 .RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]"
248
249 .ti -8
250 .BR "ip xfrm policy" " { " delete " | " get " }"
251 .RI "{ " SELECTOR " | "
252 .B index
253 .IR INDEX " }"
254 .B dir
255 .I DIR
256 .RB "[ " ctx
257 .IR CTX " ]"
258 .RB "[ " mark
259 .I MARK
260 .RB "[ " mask
261 .IR MASK " ] ]"
262 .RB "[ " ptype
263 .IR PTYPE " ]"
264 .RB "[ " if_id
265 .IR IF-ID " ]"
266
267 .ti -8
268 .BR ip " [ " -4 " | " -6 " ] " "xfrm policy" " { " deleteall " | " list " }"
269 .RB "[ " nosock " ]"
270 .RI "[ " SELECTOR " ]"
271 .RB "[ " dir
272 .IR DIR " ]"
273 .RB "[ " index
274 .IR INDEX " ]"
275 .RB "[ " ptype
276 .IR PTYPE " ]"
277 .RB "[ " action
278 .IR ACTION " ]"
279 .RB "[ " priority
280 .IR PRIORITY " ]"
281 .RB "[ " flag
282 .IR FLAG-LIST "]"
283
284 .ti -8
285 .B "ip xfrm policy flush"
286 .RB "[ " ptype
287 .IR PTYPE " ]"
288
289 .ti -8
290 .B "ip xfrm policy count"
291
292 .ti -8
293 .B "ip xfrm policy set"
294 .RB "[ " hthresh4
295 .IR LBITS " " RBITS " ]"
296 .RB "[ " hthresh6
297 .IR LBITS " " RBITS " ]"
298
299 .ti -8
300 .IR SELECTOR " :="
301 .RB "[ " src
302 .IR ADDR "[/" PLEN "] ]"
303 .RB "[ " dst
304 .IR ADDR "[/" PLEN "] ]"
305 .RB "[ " dev
306 .IR DEV " ]"
307 .RI "[ " UPSPEC " ]"
308
309 .ti -8
310 .IR UPSPEC " := "
311 .BR proto " {"
312 .IR PROTO " |"
313 .br
314 .RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
315 .IR PORT " ]"
316 .RB "[ " dport
317 .IR PORT " ] |"
318 .br
319 .RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
320 .IR NUMBER " ]"
321 .RB "[ " code
322 .IR NUMBER " ] |"
323 .br
324 .BR gre " [ " key
325 .RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
326
327 .ti -8
328 .IR DIR " := "
329 .BR in " | " out " | " fwd
330
331 .ti -8
332 .IR PTYPE " := "
333 .BR main " | " sub
334
335 .ti -8
336 .IR ACTION " := "
337 .BR allow " | " block
338
339 .ti -8
340 .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
341
342 .ti -8
343 .IR FLAG " :="
344 .BR localok " | " icmp
345
346 .ti -8
347 .IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
348 .B limit
349 .I LIMIT
350
351 .ti -8
352 .IR LIMIT " :="
353 .RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
354 .IR "SECONDS" " |"
355 .br
356 .RB "{ " byte-soft " | " byte-hard " }"
357 .IR SIZE " |"
358 .br
359 .RB "{ " packet-soft " | " packet-hard " }"
360 .I COUNT
361
362 .ti -8
363 .IR TMPL-LIST " := [ " TMPL-LIST " ]"
364 .B tmpl
365 .I TMPL
366
367 .ti -8
368 .IR TMPL " := " ID
369 .RB "[ " mode
370 .IR MODE " ]"
371 .RB "[ " reqid
372 .IR REQID " ]"
373 .RB "[ " level
374 .IR LEVEL " ]"
375
376 .ti -8
377 .IR ID " :="
378 .RB "[ " src
379 .IR ADDR " ]"
380 .RB "[ " dst
381 .IR ADDR " ]"
382 .RB "[ " proto
383 .IR XFRM-PROTO " ]"
384 .RB "[ " spi
385 .IR SPI " ]"
386
387 .ti -8
388 .IR XFRM-PROTO " :="
389 .BR esp " | " ah " | " comp " | " route2 " | " hao
390
391 .ti -8
392 .IR MODE " := "
393 .BR transport " | " tunnel " | " beet " | " ro " | " in_trigger
394
395 .ti -8
396 .IR LEVEL " :="
397 .BR required " | " use
398
399 .ti -8
400 .BR "ip xfrm monitor" " ["
401 .BI all-nsid
402 ] [
403 .BI nokeys
404 ] [
405 .BI all
406 |
407 .IR LISTofXFRM-OBJECTS " ]"
408
409 .ti -8
410 .IR LISTofXFRM-OBJECTS " := [ " LISTofXFRM-OBJECTS " ] " XFRM-OBJECT
411
412 .ti -8
413 .IR XFRM-OBJECT " := "
414 .BR acquire " | " expire " | " SA " | " policy " | " aevent " | " report
415
416 .in -8
417 .ad b
418
419 .SH DESCRIPTION
420
421 xfrm is an IP framework for transforming packets (such as encrypting
422 their payloads). This framework is used to implement the IPsec protocol
423 suite (with the
424 .B state
425 object operating on the Security Association Database, and the
426 .B policy
427 object operating on the Security Policy Database). It is also used for
428 the IP Payload Compression Protocol and features of Mobile IPv6.
429
430 .TS
431 l l.
432 ip xfrm state add add new state into xfrm
433 ip xfrm state update update existing state in xfrm
434 ip xfrm state allocspi allocate an SPI value
435 ip xfrm state delete delete existing state in xfrm
436 ip xfrm state get get existing state in xfrm
437 ip xfrm state deleteall delete all existing state in xfrm
438 ip xfrm state list print out the list of existing state in xfrm
439 ip xfrm state flush flush all state in xfrm
440 ip xfrm state count count all existing state in xfrm
441 .TE
442
443 .TP
444 .IR ID
445 is specified by a source address, destination address,
446 .RI "transform protocol " XFRM-PROTO ","
447 and/or Security Parameter Index
448 .IR SPI "."
449 (For IP Payload Compression, the Compression Parameter Index or CPI is used for
450 .IR SPI ".)"
451
452 .TP
453 .I XFRM-PROTO
454 specifies a transform protocol:
455 .RB "IPsec Encapsulating Security Payload (" esp "),"
456 .RB "IPsec Authentication Header (" ah "),"
457 .RB "IP Payload Compression (" comp "),"
458 .RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
459 .RB "Mobile IPv6 Home Address Option (" hao ")."
460
461 .TP
462 .I ALGO-LIST
463 contains one or more algorithms to use. Each algorithm
464 .I ALGO
465 is specified by:
466 .RS
467 .IP \[bu]
468 the algorithm type:
469 .RB "encryption (" enc "),"
470 .RB "authentication (" auth " or " auth-trunc "),"
471 .RB "authenticated encryption with associated data (" aead "), or"
472 .RB "compression (" comp ")"
473 .IP \[bu]
474 the algorithm name
475 .IR ALGO-NAME
476 (see below)
477 .IP \[bu]
478 .RB "(for all except " comp ")"
479 the keying material
480 .IR ALGO-KEYMAT ","
481 which may include both a key and a salt or nonce value; refer to the
482 corresponding RFC
483 .IP \[bu]
484 .RB "(for " auth-trunc " only)"
485 the truncation length
486 .I ALGO-TRUNC-LEN
487 in bits
488 .IP \[bu]
489 .RB "(for " aead " only)"
490 the Integrity Check Value length
491 .I ALGO-ICV-LEN
492 in bits
493 .RE
494
495 .nh
496 .RS
497 Encryption algorithms include
498 .BR ecb(cipher_null) ", " cbc(des) ", " cbc(des3_ede) ", " cbc(cast5) ","
499 .BR cbc(blowfish) ", " cbc(aes) ", " cbc(serpent) ", " cbc(camellia) ","
500 .BR cbc(twofish) ", and " rfc3686(ctr(aes)) "."
501
502 Authentication algorithms include
503 .BR digest_null ", " hmac(md5) ", " hmac(sha1) ", " hmac(sha256) ","
504 .BR hmac(sha384) ", " hmac(sha512) ", " hmac(rmd160) ", and " xcbc(aes) "."
505
506 Authenticated encryption with associated data (AEAD) algorithms include
507 .BR rfc4106(gcm(aes)) ", " rfc4309(ccm(aes)) ", and " rfc4543(gcm(aes)) "."
508
509 Compression algorithms include
510 .BR deflate ", " lzs ", and " lzjh "."
511 .RE
512 .hy
513
514 .TP
515 .I MODE
516 specifies a mode of operation for the transform protocol. IPsec and IP Payload
517 Compression modes are
518 .BR transport ", " tunnel ","
519 and (for IPsec ESP only) Bound End-to-End Tunnel
520 .RB "(" beet ")."
521 Mobile IPv6 modes are route optimization
522 .RB "(" ro ")"
523 and inbound trigger
524 .RB "(" in_trigger ")."
525
526 .TP
527 .I FLAG-LIST
528 contains one or more of the following optional flags:
529 .BR noecn ", " decap-dscp ", " nopmtudisc ", " wildrecv ", " icmp ", "
530 .BR af-unspec ", " align4 ", or " esn "."
531
532 .TP
533 .IR SELECTOR
534 selects the traffic that will be controlled by the policy, based on the source
535 address, the destination address, the network device, and/or
536 .IR UPSPEC "."
537
538 .TP
539 .IR UPSPEC
540 selects traffic by protocol. For the
541 .BR tcp ", " udp ", " sctp ", or " dccp
542 protocols, the source and destination port can optionally be specified.
543 For the
544 .BR icmp ", " ipv6-icmp ", or " mobility-header
545 protocols, the type and code numbers can optionally be specified.
546 For the
547 .B gre
548 protocol, the key can optionally be specified as a dotted-quad or number.
549 Other protocols can be selected by name or number
550 .IR PROTO "."
551
552 .TP
553 .I LIMIT-LIST
554 sets limits in seconds, bytes, or numbers of packets.
555
556 .TP
557 .I ENCAP
558 encapsulates packets with protocol
559 .BR espinudp ", " espinudp-nonike ", or " espintcp ","
560 .RI "using source port " SPORT ", destination port " DPORT
561 .RI ", and original address " OADDR "."
562
563 .TP
564 .I MARK
565 used to match xfrm policies and states
566
567 .TP
568 .I OUTPUT-MARK
569 used to set the output mark to influence the routing
570 of the packets emitted by the state
571
572 .TP
573 .I IF-ID
574 xfrm interface identifier used in both xfrm policies and states
575
576 .sp
577 .PP
578 .TS
579 l l.
580 ip xfrm policy add add a new policy
581 ip xfrm policy update update an existing policy
582 ip xfrm policy delete delete an existing policy
583 ip xfrm policy get get an existing policy
584 ip xfrm policy deleteall delete all existing xfrm policies
585 ip xfrm policy list print out the list of xfrm policies
586 ip xfrm policy flush flush policies
587 .TE
588
589 .TP
590 .BR nosock
591 filter (remove) all socket policies from the output.
592
593 .TP
594 .IR SELECTOR
595 selects the traffic that will be controlled by the policy, based on the source
596 address, the destination address, the network device, and/or
597 .IR UPSPEC "."
598
599 .TP
600 .IR UPSPEC
601 selects traffic by protocol. For the
602 .BR tcp ", " udp ", " sctp ", or " dccp
603 protocols, the source and destination port can optionally be specified.
604 For the
605 .BR icmp ", " ipv6-icmp ", or " mobility-header
606 protocols, the type and code numbers can optionally be specified.
607 For the
608 .B gre
609 protocol, the key can optionally be specified as a dotted-quad or number.
610 Other protocols can be selected by name or number
611 .IR PROTO "."
612
613 .TP
614 .I DIR
615 selects the policy direction as
616 .BR in ", " out ", or " fwd "."
617
618 .TP
619 .I CTX
620 sets the security context.
621
622 .TP
623 .I PTYPE
624 can be
625 .BR main " (default) or " sub "."
626
627 .TP
628 .I ACTION
629 can be
630 .BR allow " (default) or " block "."
631
632 .TP
633 .I PRIORITY
634 is a number that defaults to zero.
635
636 .TP
637 .I FLAG-LIST
638 contains one or both of the following optional flags:
639 .BR localok " or " icmp "."
640
641 .TP
642 .I LIMIT-LIST
643 sets limits in seconds, bytes, or numbers of packets.
644
645 .TP
646 .I TMPL-LIST
647 is a template list specified using
648 .IR ID ", " MODE ", " REQID ", and/or " LEVEL ". "
649
650 .TP
651 .IR ID
652 is specified by a source address, destination address,
653 .RI "transform protocol " XFRM-PROTO ","
654 and/or Security Parameter Index
655 .IR SPI "."
656 (For IP Payload Compression, the Compression Parameter Index or CPI is used for
657 .IR SPI ".)"
658
659 .TP
660 .I XFRM-PROTO
661 specifies a transform protocol:
662 .RB "IPsec Encapsulating Security Payload (" esp "),"
663 .RB "IPsec Authentication Header (" ah "),"
664 .RB "IP Payload Compression (" comp "),"
665 .RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
666 .RB "Mobile IPv6 Home Address Option (" hao ")."
667
668 .TP
669 .I MODE
670 specifies a mode of operation for the transform protocol. IPsec and IP Payload
671 Compression modes are
672 .BR transport ", " tunnel ","
673 and (for IPsec ESP only) Bound End-to-End Tunnel
674 .RB "(" beet ")."
675 Mobile IPv6 modes are route optimization
676 .RB "(" ro ")"
677 and inbound trigger
678 .RB "(" in_trigger ")."
679
680 .TP
681 .I LEVEL
682 can be
683 .BR required " (default) or " use "."
684
685 .sp
686 .PP
687 .TS
688 l l.
689 ip xfrm policy count count existing policies
690 .TE
691
692 .PP
693 Use one or more -s options to display more details, including policy hash table
694 information.
695
696 .sp
697 .PP
698 .TS
699 l l.
700 ip xfrm policy set configure the policy hash table
701 .TE
702
703 .PP
704 Security policies whose address prefix lengths are greater than or equal
705 to the policy hash table thresholds are hashed. Others are stored in the
706 policy_inexact chained list.
707
708 .TP
709 .I LBITS
710 specifies the minimum local address prefix length of policies that are
711 stored in the Security Policy Database hash table.
712
713 .TP
714 .I RBITS
715 specifies the minimum remote address prefix length of policies that are
716 stored in the Security Policy Database hash table.
717
718 .sp
719 .PP
720 .TS
721 l l.
722 ip xfrm monitor state monitoring for xfrm objects
723 .TE
724
725 .PP
726 The xfrm objects to monitor can be optionally specified.
727
728 .P
729 If the
730 .BI all-nsid
731 option is set, the program listens to all network namespaces that have an
732 nsid assigned in the network namespace where the program is running.
733 A prefix is displayed to show the network namespace where the message
734 originates. Example:
735 .sp
736 .in +2
737 [nsid 1]Flushed state proto 0
738 .in -2
739 .sp
740
741 .SH AUTHOR
742 Manpage revised by David Ward <david.ward@ll.mit.edu>
743 .br
744 Manpage revised by Christophe Gouault <christophe.gouault@6wind.com>
745 .br
746 Manpage revised by Nicolas Dichtel <nicolas.dichtel@6wind.com>