.IR ADDR "[/" PLEN "] ]"
.RB "[ " ctx
.IR CTX " ]"
+.RB "[ " extra-flag
+.IR EXTRA-FLAG-LIST " ]"
+.RB "[ " output-mark
+.IR OUTPUT-MARK " ]"
+.RB "[ " if_id
+.IR IF-ID " ]"
.ti -8
.B "ip xfrm state allocspi"
.IR MASK " ] ]"
.ti -8
-.BR "ip xfrm state" " { " deleteall " | " list " } ["
+.BR ip " [ " -4 " | " -6 " ] " "xfrm state deleteall" " ["
.IR ID " ]"
.RB "[ " mode
.IR MODE " ]"
.RB "[ " flag
.IR FLAG-LIST " ]"
+.ti -8
+.BR ip " [ " -4 " | " -6 " ] " "xfrm state list" " ["
+.IR ID " ]"
+.RB "[ " nokeys " ]"
+.RB "[ " mode
+.IR MODE " ]"
+.RB "[ " reqid
+.IR REQID " ]"
+.RB "[ " flag
+.IR FLAG-LIST " ]"
+
.ti -8
.BR "ip xfrm state flush" " [ " proto
.IR XFRM-PROTO " ]"
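Review bot: nokeys is added to the "xfrm state list" synopsis here (and to "ip xfrm monitor" further down) without any description in the hunks shown, whereas nosock gets its own .TP entry. Add a matching .TP entry for nokeys that states exactly what is left out of the output. Separately, the bare empty line added after the last FLAG-LIST line differs from the neighbouring synopsis entries, which go straight to .ti -8; drop it.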
.ti -8
.IR ALGO " :="
-.RB "{ " enc " | " auth " } "
+.RB "{ " enc " | " auth " } "
.IR ALGO-NAME " " ALGO-KEYMAT " |"
.br
.B auth-trunc
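Review bot: the removed and added .RB lines in the ALGO definition read identically ("{ " enc " | " auth " } "), so this appears to be a whitespace-only change. If it is deliberate cleanup, mention it in the commit message; otherwise drop it so the diff carries only the documentation changes.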
.ti -8
.IR ENCAP " :="
-.RB "{ " espinudp " | " espinudp-nonike " }"
+.RB "{ " espinudp " | " espinudp-nonike " | " espintcp " }"
.IR SPORT " " DPORT " " OADDR
+.ti -8
+.IR EXTRA-FLAG-LIST " := [ " EXTRA-FLAG-LIST " ] " EXTRA-FLAG
+
+.ti -8
+.IR EXTRA-FLAG " := "
+.BR dont-encap-dscp " | " oseq-may-wrap
+
.ti -8
.BR "ip xfrm policy" " { " add " | " update " }"
.I SELECTOR
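Review bot: EXTRA-FLAG introduces dont-encap-dscp and oseq-may-wrap in the grammar, but the description hunks shown add entries only for MARK, OUTPUT-MARK and IF-ID, so neither flag is explained anywhere in this patch. Add an EXTRA-FLAG-LIST entry to the description section saying what each flag changes on the state. The two empty lines added around the EXTRA-FLAG definition are also inconsistent with the other grammar entries, which are separated by .ti -8 alone.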
.IR PRIORITY " ]"
.RB "[ " flag
.IR FLAG-LIST " ]"
+.RB "[ " if_id
+.IR IF-ID " ]"
.RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]"
.ti -8
.IR MASK " ] ]"
.RB "[ " ptype
.IR PTYPE " ]"
+.RB "[ " if_id
+.IR IF-ID " ]"
.ti -8
-.BR "ip xfrm policy" " { " deleteall " | " list " }"
+.BR ip " [ " -4 " | " -6 " ] " "xfrm policy" " { " deleteall " | " list " }"
+.RB "[ " nosock " ]"
.RI "[ " SELECTOR " ]"
.RB "[ " dir
.IR DIR " ]"
.IR ACTION " ]"
.RB "[ " priority
.IR PRIORITY " ]"
+.RB "[ " flag
+.IR FLAG-LIST "]"
.ti -8
.B "ip xfrm policy flush"
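Review bot: the added line .IR FLAG-LIST "]" is missing the space before the closing bracket, so it renders as "FLAG-LIST]" while every other optional argument in this synopsis uses " ]". Change it to .IR FLAG-LIST " ]" to match the flag entries for the state commands.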
.BR required " | " use
.ti -8
-.BR "ip xfrm monitor" " [ " all " |"
+.BR "ip xfrm monitor" " ["
+.BI all-nsid
+] [
+.BI nokeys
+] [
+.BI all
+ |
.IR LISTofXFRM-OBJECTS " ]"
.ti -8
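Review bot: the added line " |" in the monitor synopsis begins with a space, and a roff input line that starts with a space forces a line break, so the synopsis will break before the "|". The bare "] [" text lines and single-argument .BI requests also depart from the .RB "[ " keyword " ]" form used everywhere else on this page. Consider writing the options as .RB "[ " all-nsid " ] [ " nokeys " ] [ " all " |" so the brackets and the bar stay inside one request.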
Authentication algorithms include
.BR digest_null ", " hmac(md5) ", " hmac(sha1) ", " hmac(sha256) ","
-.BR hmac(sha384) ", " hmac(sha512) ", " hmac(rmd610) ", and " xcbc(aes) "."
+.BR hmac(sha384) ", " hmac(sha512) ", " hmac(rmd160) ", and " xcbc(aes) "."
Authenticated encryption with associated data (AEAD) algorithms include
.BR rfc4106(gcm(aes)) ", " rfc4309(ccm(aes)) ", and " rfc4543(gcm(aes)) "."
.TP
.I ENCAP
encapsulates packets with protocol
-.BR espinudp " or " espinudp-nonike ","
+.BR espinudp ", " espinudp-nonike ", or " espintcp ","
.RI "using source port " SPORT ", destination port " DPORT
.RI ", and original address " OADDR "."
+.TP
+.I MARK
+used to match xfrm policies and states
+
+.TP
+.I OUTPUT-MARK
+used to set the output mark to influence the routing
+of the packets emitted by the state
+
+.TP
+.I IF-ID
+xfrm interface identifier used to in both xfrm policies and states
+
.sp
.PP
.TS
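Review bot: the IF-ID description reads "used to in both xfrm policies and states", which has a stray "to". Suggest "xfrm interface identifier used in both xfrm policies and states". The MARK and OUTPUT-MARK entries would also read better ending with a full stop, as the ENCAP entry above them does, and the empty lines added between the .TP entries are unnecessary because .TP already starts a new paragraph.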
ip xfrm policy flush flush policies
.TE
+.TP
+.BR nosock
+filter (remove) all socket policies from the output.
+
.TP
.IR SELECTOR
selects the traffic that will be controlled by the policy, based on the source
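Review bot: the nosock description speaks only of the output ("filter (remove) all socket policies from the output"), but the synopsis accepts nosock for both deleteall and list. State what nosock does with deleteall, in particular whether socket policies are then left in place, since a reader could otherwise assume that deleteall nosock still removes them. "filter (remove)" is also ambiguous next to a delete command; "omit" would be clearer for the list case.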
.PP
The xfrm objects to monitor can be optionally specified.
+.P
+If the
+.BI all-nsid
+option is set, the program listens to all network namespaces that have a
+nsid assigned into the network namespace were the program is running.
+A prefix is displayed to show the network namespace where the message
+originates. Example:
+.sp
+.in +2
+[nsid 1]Flushed state proto 0
+.in -2
+.sp
+
.SH AUTHOR
Manpage revised by David Ward <david.ward@ll.mit.edu>
.br
Manpage revised by Christophe Gouault <christophe.gouault@6wind.com>
+.br
+Manpage revised by Nicolas Dichtel <nicolas.dichtel@6wind.com>
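Review bot: in the all-nsid paragraph, "the network namespace were the program is running" should read "where", and "have a nsid assigned into the network namespace" is hard to parse. Suggest "listens to all network namespaces that have an nsid assigned in the network namespace where the program is running". The empty line added after the closing .sp can be dropped as well.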