[mirror_iproute2.git] / man / man8 / ip-xfrm.8

.TH IP\-XFRM 8 "20 Dec 2011" "iproute2" "Linux"
.SH "NAME"
ip-xfrm \- transform configuration
.SH "SYNOPSIS"
.sp
.ad l
.in +8
.ti -8
.B ip
.RI "[ " OPTIONS " ]"
.B xfrm
.RI " { " COMMAND " | "
.BR help " }"
.sp

.ti -8
.B "ip xfrm"
.IR XFRM-OBJECT " { " COMMAND " | "
.BR help " }"
.sp

.ti -8
.IR XFRM-OBJECT " :="
.BR state " | " policy " | " monitor
.sp

.ti -8
.BR "ip xfrm state" " { " add " | " update " } "
.IR ID " [ " ALGO-LIST " ]"
.RB "[ " mode
.IR MODE " ]"
.RB "[ " mark
.I MARK
.RB "[ " mask
.IR MASK " ] ]"
.RB "[ " reqid
.IR REQID " ]"
.RB "[ " seq
.IR SEQ " ]"
.RB "[ " replay-window
.IR SIZE " ]"
.RB "[ " replay-seq
.IR SEQ " ]"
.RB "[ " replay-oseq
.IR SEQ " ]"
.RB "[ " replay-seq-hi
.IR SEQ " ]"
.RB "[ " replay-oseq-hi
.IR SEQ " ]"
.RB "[ " flag
.IR FLAG-LIST " ]"
.RB "[ " sel
.IR SELECTOR " ] [ " LIMIT-LIST " ]"
.RB "[ " encap
.IR ENCAP " ]"
.RB "[ " coa
.IR ADDR "[/" PLEN "] ]"
.RB "[ " ctx
.IR CTX " ]"
.RB "[ " extra-flag
.IR EXTRA-FLAG-LIST " ]"
.RB "[ " output-mark
.IR OUTPUT-MARK " ]"

.ti -8
.B "ip xfrm state allocspi"
.I ID
.RB "[ " mode
.IR MODE " ]"
.RB "[ " mark
.I MARK
.RB "[ " mask
.IR MASK " ] ]"
.RB "[ " reqid
.IR REQID " ]"
.RB "[ " seq
.IR SEQ " ]"
.RB "[ " min
.I SPI
.B max
.IR SPI " ]"

.ti -8
.BR "ip xfrm state" " { " delete " | " get " } "
.I ID
.RB "[ " mark
.I MARK
.RB "[ " mask
.IR MASK " ] ]"

.ti -8
.BR "ip xfrm state " deleteall " ["
.IR ID " ]"
.RB "[ " mode
.IR MODE " ]"
.RB "[ " reqid
.IR REQID " ]"
.RB "[ " flag
.IR FLAG-LIST " ]"

.ti -8
.BR "ip xfrm state " list " ["
.IR ID " ]"
.RB "[ " nokeys " ]"
.RB "[ " mode
.IR MODE " ]"
.RB "[ " reqid
.IR REQID " ]"
.RB "[ " flag
.IR FLAG-LIST " ]"

.ti -8
.BR "ip xfrm state flush" " [ " proto
.IR XFRM-PROTO " ]"

.ti -8
.BR "ip xfrm state count"

.ti -8
.IR ID " :="
.RB "[ " src
.IR ADDR " ]"
.RB "[ " dst
.IR ADDR " ]"
.RB "[ " proto
.IR XFRM-PROTO " ]"
.RB "[ " spi
.IR SPI " ]"

.ti -8
.IR XFRM-PROTO " :="
.BR esp " | " ah " | " comp " | " route2 " | " hao

.ti -8
.IR ALGO-LIST " := [ " ALGO-LIST " ] " ALGO

.ti -8
.IR ALGO " :="
.RB "{ " enc " | " auth " } "
.IR ALGO-NAME " " ALGO-KEYMAT " |"
.br
.B auth-trunc
.IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-TRUNC-LEN " |"
.br
.B aead
.IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-ICV-LEN " |"
.br
.B comp
.IR ALGO-NAME

.ti -8
.IR MODE " := "
.BR transport " | " tunnel " | " beet " | " ro " | " in_trigger

.ti -8
.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG

.ti -8
.IR FLAG " :="
.BR noecn " | " decap-dscp " | " nopmtudisc " | " wildrecv " | " icmp " | "
.BR af-unspec " | " align4 " | " esn

.ti -8
.IR SELECTOR " :="
.RB "[ " src
.IR ADDR "[/" PLEN "] ]"
.RB "[ " dst
.IR ADDR "[/" PLEN "] ]"
.RB "[ " dev
.IR DEV " ]"
.br
.RI "[ " UPSPEC " ]"

.ti -8
.IR UPSPEC " := "
.BR proto " {"
.IR PROTO " |"
.br
.RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
.IR PORT " ]"
.RB "[ " dport
.IR PORT " ] |"
.br
.RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
.IR NUMBER " ]"
.RB "[ " code
.IR NUMBER " ] |"
.br
.BR gre " [ " key
.RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"

.ti -8
.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
.B limit
.I LIMIT

.ti -8
.IR LIMIT " :="
.RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
.IR "SECONDS" " |"
.br
.RB "{ " byte-soft " | " byte-hard " }"
.IR SIZE " |"
.br
.RB "{ " packet-soft " | " packet-hard " }"
.I COUNT

.ti -8
.IR ENCAP " :="
.RB "{ " espinudp " | " espinudp-nonike " }"
.IR SPORT " " DPORT " " OADDR

.ti -8
.IR EXTRA-FLAG-LIST " := [ " EXTRA-FLAG-LIST " ] " EXTRA-FLAG

.ti -8
.IR EXTRA-FLAG " := "
.B dont-encap-dscp

.ti -8
.BR "ip xfrm policy" " { " add " | " update " }"
.I SELECTOR
.B dir
.I DIR
.RB "[ " ctx
.IR CTX " ]"
.RB "[ " mark
.I MARK
.RB "[ " mask
.IR MASK " ] ]"
.RB "[ " index
.IR INDEX " ]"
.RB "[ " ptype
.IR PTYPE " ]"
.RB "[ " action
.IR ACTION " ]"
.RB "[ " priority
.IR PRIORITY " ]"
.RB "[ " flag
.IR FLAG-LIST " ]"
.RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]"

.ti -8
.BR "ip xfrm policy" " { " delete " | " get " }"
.RI "{ " SELECTOR " | "
.B index
.IR INDEX " }"
.B dir
.I DIR
.RB "[ " ctx
.IR CTX " ]"
.RB "[ " mark
.I MARK
.RB "[ " mask
.IR MASK " ] ]"
.RB "[ " ptype
.IR PTYPE " ]"

.ti -8
.BR "ip xfrm policy" " { " deleteall " | " list " }"
.RB "[ " nosock " ]"
.RI "[ " SELECTOR " ]"
.RB "[ " dir
.IR DIR " ]"
.RB "[ " index
.IR INDEX " ]"
.RB "[ " ptype
.IR PTYPE " ]"
.RB "[ " action
.IR ACTION " ]"
.RB "[ " priority
.IR PRIORITY " ]"
.RB "[ " flag
.IR FLAG-LIST "]"

.ti -8
.B "ip xfrm policy flush"
.RB "[ " ptype
.IR PTYPE " ]"

.ti -8
.B "ip xfrm policy count"

.ti -8
.B "ip xfrm policy set"
.RB "[ " hthresh4
.IR LBITS " " RBITS " ]"
.RB "[ " hthresh6
.IR LBITS " " RBITS " ]"

.ti -8
.IR SELECTOR " :="
.RB "[ " src
.IR ADDR "[/" PLEN "] ]"
.RB "[ " dst
.IR ADDR "[/" PLEN "] ]"
.RB "[ " dev
.IR DEV " ]"
.RI "[ " UPSPEC " ]"

.ti -8
.IR UPSPEC " := "
.BR proto " {"
.IR PROTO " |"
.br
.RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
.IR PORT " ]"
.RB "[ " dport
.IR PORT " ] |"
.br
.RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
.IR NUMBER " ]"
.RB "[ " code
.IR NUMBER " ] |"
.br
.BR gre " [ " key
.RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"

.ti -8
.IR DIR " := "
.BR in " | " out " | " fwd

.ti -8
.IR PTYPE " := "
.BR main " | " sub

.ti -8
.IR ACTION " := "
.BR allow " | " block

.ti -8
.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG

.ti -8
.IR FLAG " :="
.BR localok " | " icmp

.ti -8
.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
.B limit
.I LIMIT

.ti -8
.IR LIMIT " :="
.RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
.IR "SECONDS" " |"
.br
.RB "{ " byte-soft " | " byte-hard " }"
.IR SIZE " |"
.br
.RB "{ " packet-soft " | " packet-hard " }"
.I COUNT

.ti -8
.IR TMPL-LIST " := [ " TMPL-LIST " ]"
.B tmpl
.I TMPL

.ti -8
.IR TMPL " := " ID
.RB "[ " mode
.IR MODE " ]"
.RB "[ " reqid
.IR REQID " ]"
.RB "[ " level
.IR LEVEL " ]"

.ti -8
.IR ID " :="
.RB "[ " src
.IR ADDR " ]"
.RB "[ " dst
.IR ADDR " ]"
.RB "[ " proto
.IR XFRM-PROTO " ]"
.RB "[ " spi
.IR SPI " ]"

.ti -8
.IR XFRM-PROTO " :="
.BR esp " | " ah " | " comp " | " route2 " | " hao

.ti -8
.IR MODE " := "
.BR transport " | " tunnel " | " beet " | " ro " | " in_trigger

.ti -8
.IR LEVEL " :="
.BR required " | " use

.ti -8
.BR "ip xfrm monitor" " ["
.BI all-nsid
] [
.BI nokeys
] [
.BI all
 |
.IR LISTofXFRM-OBJECTS " ]"

.ti -8
.IR LISTofXFRM-OBJECTS " := [ " LISTofXFRM-OBJECTS " ] " XFRM-OBJECT

.ti -8
.IR XFRM-OBJECT " := "
.BR acquire " | " expire " | " SA " | " policy " | " aevent " | " report

.in -8
.ad b

.SH DESCRIPTION

xfrm is an IP framework for transforming packets (such as encrypting
their payloads). This framework is used to implement the IPsec protocol
suite (with the
.B state
object operating on the Security Association Database, and the
.B policy
object operating on the Security Policy Database). It is also used for
the IP Payload Compression Protocol and features of Mobile IPv6.

.TS
l l.
ip xfrm state add	add new state into xfrm
ip xfrm state update	update existing state in xfrm
ip xfrm state allocspi	allocate an SPI value
ip xfrm state delete	delete existing state in xfrm
ip xfrm state get	get existing state in xfrm
ip xfrm state deleteall	delete all existing state in xfrm
ip xfrm state list	print out the list of existing state in xfrm
ip xfrm state flush	flush all state in xfrm
ip xfrm state count	count all existing state in xfrm
.TE

.TP
.IR ID
is specified by a source address, destination address,
.RI "transform protocol " XFRM-PROTO ","
and/or Security Parameter Index
.IR SPI "."
(For IP Payload Compression, the Compression Parameter Index or CPI is used for
.IR SPI ".)"

.TP
.I XFRM-PROTO
specifies a transform protocol:
.RB "IPsec Encapsulating Security Payload (" esp "),"
.RB "IPsec Authentication Header (" ah "),"
.RB "IP Payload Compression (" comp "),"
.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
.RB "Mobile IPv6 Home Address Option (" hao ")."

.TP
.I ALGO-LIST
contains one or more algorithms to use. Each algorithm
.I ALGO
is specified by:
.RS
.IP \[bu]
the algorithm type:
.RB "encryption (" enc "),"
.RB "authentication (" auth " or " auth-trunc "),"
.RB "authenticated encryption with associated data (" aead "), or"
.RB "compression (" comp ")"
.IP \[bu]
the algorithm name
.IR ALGO-NAME
(see below)
.IP \[bu]
.RB "(for all except " comp ")"
the keying material
.IR ALGO-KEYMAT ","
which may include both a key and a salt or nonce value; refer to the
corresponding RFC
.IP \[bu]
.RB "(for " auth-trunc " only)"
the truncation length
.I ALGO-TRUNC-LEN
in bits
.IP \[bu]
.RB "(for " aead " only)"
the Integrity Check Value length
.I ALGO-ICV-LEN
in bits
.RE

.nh
.RS
Encryption algorithms include
.BR ecb(cipher_null) ", " cbc(des) ", " cbc(des3_ede) ", " cbc(cast5) ","
.BR cbc(blowfish) ", " cbc(aes) ", " cbc(serpent) ", " cbc(camellia) ","
.BR cbc(twofish) ", and " rfc3686(ctr(aes)) "."

Authentication algorithms include
.BR digest_null ", " hmac(md5) ", " hmac(sha1) ", " hmac(sha256) ","
.BR hmac(sha384) ", " hmac(sha512) ", " hmac(rmd160) ", and " xcbc(aes) "."

Authenticated encryption with associated data (AEAD) algorithms include
.BR rfc4106(gcm(aes)) ", " rfc4309(ccm(aes)) ", and " rfc4543(gcm(aes)) "."

Compression algorithms include
.BR deflate ", " lzs ", and " lzjh "."
.RE
.hy

.TP
.I MODE
specifies a mode of operation for the transform protocol. IPsec and IP Payload
Compression modes are
.BR transport ", " tunnel ","
and (for IPsec ESP only) Bound End-to-End Tunnel
.RB "(" beet ")."
Mobile IPv6 modes are route optimization
.RB "(" ro ")"
and inbound trigger
.RB "(" in_trigger ")."

.TP
.I FLAG-LIST
contains one or more of the following optional flags:
.BR noecn ", " decap-dscp ", " nopmtudisc ", " wildrecv ", " icmp ", "
.BR af-unspec ", " align4 ", or " esn "."

.TP
.IR SELECTOR
selects the traffic that will be controlled by the policy, based on the source
address, the destination address, the network device, and/or
.IR UPSPEC "."

.TP
.IR UPSPEC
selects traffic by protocol. For the
.BR tcp ", " udp ", " sctp ", or " dccp
protocols, the source and destination port can optionally be specified.
For the
.BR icmp ", " ipv6-icmp ", or " mobility-header
protocols, the type and code numbers can optionally be specified.
For the
.B gre
protocol, the key can optionally be specified as a dotted-quad or number.
Other protocols can be selected by name or number
.IR PROTO "."

.TP
.I LIMIT-LIST
sets limits in seconds, bytes, or numbers of packets.

.TP
.I ENCAP
encapsulates packets with protocol
.BR espinudp " or " espinudp-nonike ","
.RI "using source port " SPORT ", destination port "  DPORT
.RI ", and original address " OADDR "."

.TP
.I MARK
used to match xfrm policies and states

.TP
.I OUTPUT-MARK
used to set the output mark to influence the routing
of the packets emitted by the state

.sp
.PP
.TS
l l.
ip xfrm policy add	add a new policy
ip xfrm policy update	update an existing policy
ip xfrm policy delete	delete an existing policy
ip xfrm policy get	get an existing policy
ip xfrm policy deleteall	delete all existing xfrm policies
ip xfrm policy list	print out the list of xfrm policies
ip xfrm policy flush	flush policies
.TE

.TP
.BR nosock
filter (remove) all socket policies from the output.

.TP
.IR SELECTOR
selects the traffic that will be controlled by the policy, based on the source
address, the destination address, the network device, and/or
.IR UPSPEC "."

.TP
.IR UPSPEC
selects traffic by protocol. For the
.BR tcp ", " udp ", " sctp ", or " dccp
protocols, the source and destination port can optionally be specified.
For the
.BR icmp ", " ipv6-icmp ", or " mobility-header
protocols, the type and code numbers can optionally be specified.
For the
.B gre
protocol, the key can optionally be specified as a dotted-quad or number.
Other protocols can be selected by name or number
.IR PROTO "."

.TP
.I DIR
selects the policy direction as
.BR in ", " out ", or " fwd "."

.TP
.I CTX
sets the security context.

.TP
.I PTYPE
can be
.BR main " (default) or " sub "."

.TP
.I ACTION
can be
.BR allow " (default) or " block "."

.TP
.I PRIORITY
is a number that defaults to zero.

.TP
.I FLAG-LIST
contains one or both of the following optional flags:
.BR local " or " icmp "."

.TP
.I LIMIT-LIST
sets limits in seconds, bytes, or numbers of packets.

.TP
.I TMPL-LIST
is a template list specified using
.IR ID ", " MODE ", " REQID ", and/or " LEVEL ". "

.TP
.IR ID
is specified by a source address, destination address,
.RI "transform protocol " XFRM-PROTO ","
and/or Security Parameter Index
.IR SPI "."
(For IP Payload Compression, the Compression Parameter Index or CPI is used for
.IR SPI ".)"

.TP
.I XFRM-PROTO
specifies a transform protocol:
.RB "IPsec Encapsulating Security Payload (" esp "),"
.RB "IPsec Authentication Header (" ah "),"
.RB "IP Payload Compression (" comp "),"
.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
.RB "Mobile IPv6 Home Address Option (" hao ")."

.TP
.I MODE
specifies a mode of operation for the transform protocol. IPsec and IP Payload
Compression modes are
.BR transport ", " tunnel ","
and (for IPsec ESP only) Bound End-to-End Tunnel
.RB "(" beet ")."
Mobile IPv6 modes are route optimization
.RB "(" ro ")"
and inbound trigger
.RB "(" in_trigger ")."

.TP
.I LEVEL
can be
.BR required " (default) or " use "."

.sp
.PP
.TS
l l.
ip xfrm policy count	count existing policies
.TE

.PP
Use one or more -s options to display more details, including policy hash table
information.

.sp
.PP
.TS
l l.
ip xfrm policy set	configure the policy hash table
.TE

.PP
Security policies whose address prefix lengths are greater than or equal
policy hash table thresholds are hashed. Others are stored in the
policy_inexact chained list.

.TP
.I LBITS
specifies the minimum local address prefix length of policies that are
stored in the Security Policy Database hash table.

.TP
.I RBITS
specifies the minimum remote address prefix length of policies that are
stored in the Security Policy Database hash table.

.sp
.PP
.TS
l l.
ip xfrm monitor 	state monitoring for xfrm objects
.TE

.PP
The xfrm objects to monitor can be optionally specified.

.P
If the
.BI all-nsid
option is set, the program listens to all network namespaces that have a
nsid assigned into the network namespace were the program is running.
A prefix is displayed to show the network namespace where the message
originates. Example:
.sp
.in +2
[nsid 1]Flushed state proto 0
.in -2
.sp

.SH AUTHOR
Manpage revised by David Ward <david.ward@ll.mit.edu>
.br
Manpage revised by Christophe Gouault <christophe.gouault@6wind.com>
.br
Manpage revised by Nicolas Dichtel <nicolas.dichtel@6wind.com>
Commit	Line	Data
2a9721f1 SH	1	.TH IP\-XFRM 8 "20 Dec 2011" "iproute2" "Linux"
2a9721f1 SH	2	.SH "NAME"
aab2702d	3	ip-xfrm \- transform configuration
2a9721f1 SH	4	.SH "SYNOPSIS"
	5	.sp
	6	.ad l
	7	.in +8
	8	.ti -8
	9	.B ip
	10	.RI "[ " OPTIONS " ]"
	11	.B xfrm
	12	.RI " { " COMMAND " \| "
	13	.BR help " }"
	14	.sp
	15
	16	.ti -8
	17	.B "ip xfrm"
	18	.IR XFRM-OBJECT " { " COMMAND " \| "
	19	.BR help " }"
	20	.sp
	21
	22	.ti -8
	23	.IR XFRM-OBJECT " :="
	24	.BR state " \| " policy " \| " monitor
	25	.sp
	26
	27	.ti -8
	28	.BR "ip xfrm state" " { " add " \| " update " } "
	29	.IR ID " [ " ALGO-LIST " ]"
	30	.RB "[ " mode
	31	.IR MODE " ]"
	32	.RB "[ " mark
	33	.I MARK
	34	.RB "[ " mask
	35	.IR MASK " ] ]"
	36	.RB "[ " reqid
	37	.IR REQID " ]"
	38	.RB "[ " seq
	39	.IR SEQ " ]"
	40	.RB "[ " replay-window
	41	.IR SIZE " ]"
	42	.RB "[ " replay-seq
	43	.IR SEQ " ]"
	44	.RB "[ " replay-oseq
	45	.IR SEQ " ]"
eeb669a7 ND	46	.RB "[ " replay-seq-hi
	47	.IR SEQ " ]"
	48	.RB "[ " replay-oseq-hi
	49	.IR SEQ " ]"
2a9721f1 SH	50	.RB "[ " flag
	51	.IR FLAG-LIST " ]"
	52	.RB "[ " sel
	53	.IR SELECTOR " ] [ " LIMIT-LIST " ]"
	54	.RB "[ " encap
	55	.IR ENCAP " ]"
	56	.RB "[ " coa
	57	.IR ADDR "[/" PLEN "] ]"
	58	.RB "[ " ctx
	59	.IR CTX " ]"
a7eef7aa PS	60	.RB "[ " extra-flag
a7eef7aa PS	61	.IR EXTRA-FLAG-LIST " ]"
2ecb61a0 SAK	62	.RB "[ " output-mark
2ecb61a0 SAK	63	.IR OUTPUT-MARK " ]"
2a9721f1 SH	64
	65	.ti -8
	66	.B "ip xfrm state allocspi"
	67	.I ID
	68	.RB "[ " mode
	69	.IR MODE " ]"
	70	.RB "[ " mark
	71	.I MARK
	72	.RB "[ " mask
	73	.IR MASK " ] ]"
	74	.RB "[ " reqid
	75	.IR REQID " ]"
	76	.RB "[ " seq
	77	.IR SEQ " ]"
	78	.RB "[ " min
	79	.I SPI
	80	.B max
	81	.IR SPI " ]"
	82
	83	.ti -8
	84	.BR "ip xfrm state" " { " delete " \| " get " } "
	85	.I ID
	86	.RB "[ " mark
	87	.I MARK
	88	.RB "[ " mask
	89	.IR MASK " ] ]"
	90
	91	.ti -8
a6af9f2e	92	.BR "ip xfrm state " deleteall " ["
2a9721f1 SH	93	.IR ID " ]"
	94	.RB "[ " mode
	95	.IR MODE " ]"
	96	.RB "[ " reqid
	97	.IR REQID " ]"
	98	.RB "[ " flag
	99	.IR FLAG-LIST " ]"
	100
a6af9f2e BW	101	.ti -8
	102	.BR "ip xfrm state " list " ["
	103	.IR ID " ]"
	104	.RB "[ " nokeys " ]"
	105	.RB "[ " mode
	106	.IR MODE " ]"
	107	.RB "[ " reqid
	108	.IR REQID " ]"
	109	.RB "[ " flag
	110	.IR FLAG-LIST " ]"
	111
2a9721f1 SH	112	.ti -8
	113	.BR "ip xfrm state flush" " [ " proto
	114	.IR XFRM-PROTO " ]"
	115
	116	.ti -8
	117	.BR "ip xfrm state count"
	118
	119	.ti -8
	120	.IR ID " :="
	121	.RB "[ " src
	122	.IR ADDR " ]"
	123	.RB "[ " dst
	124	.IR ADDR " ]"
	125	.RB "[ " proto
	126	.IR XFRM-PROTO " ]"
	127	.RB "[ " spi
	128	.IR SPI " ]"
	129
	130	.ti -8
	131	.IR XFRM-PROTO " :="
	132	.BR esp " \| " ah " \| " comp " \| " route2 " \| " hao
	133
	134	.ti -8
	135	.IR ALGO-LIST " := [ " ALGO-LIST " ] " ALGO
	136
	137	.ti -8
	138	.IR ALGO " :="
5699275b	139	.RB "{ " enc " \| " auth " } "
29665f92	140	.IR ALGO-NAME " " ALGO-KEYMAT " \|"
2a9721f1	141	.br
2a9721f1	142	.B auth-trunc
29665f92	143	.IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-TRUNC-LEN " \|"
f3b9aa3d DW	144	.br
f3b9aa3d DW	145	.B aead
29665f92	146	.IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-ICV-LEN " \|"
f3b9aa3d DW	147	.br
	148	.B comp
	149	.IR ALGO-NAME
2a9721f1 SH	150
	151	.ti -8
	152	.IR MODE " := "
29665f92	153	.BR transport " \| " tunnel " \| " beet " \| " ro " \| " in_trigger
2a9721f1 SH	154
	155	.ti -8
	156	.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
	157
	158	.ti -8
	159	.IR FLAG " :="
eeb669a7 ND	160	.BR noecn " \| " decap-dscp " \| " nopmtudisc " \| " wildrecv " \| " icmp " \| "
eeb669a7 ND	161	.BR af-unspec " \| " align4 " \| " esn
2a9721f1 SH	162
	163	.ti -8
	164	.IR SELECTOR " :="
	165	.RB "[ " src
	166	.IR ADDR "[/" PLEN "] ]"
	167	.RB "[ " dst
	168	.IR ADDR "[/" PLEN "] ]"
	169	.RB "[ " dev
	170	.IR DEV " ]"
	171	.br
	172	.RI "[ " UPSPEC " ]"
	173
	174	.ti -8
	175	.IR UPSPEC " := "
	176	.BR proto " {"
	177	.IR PROTO " \|"
	178	.br
	179	.RB "{ " tcp " \| " udp " \| " sctp " \| " dccp " } [ " sport
	180	.IR PORT " ]"
	181	.RB "[ " dport
	182	.IR PORT " ] \|"
	183	.br
	184	.RB "{ " icmp " \| " ipv6-icmp " \| " mobility-header " } [ " type
	185	.IR NUMBER " ]"
	186	.RB "[ " code
	187	.IR NUMBER " ] \|"
	188	.br
	189	.BR gre " [ " key
	190	.RI "{ " DOTTED-QUAD " \| " NUMBER " } ] }"
	191
	192	.ti -8
	193	.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
	194	.B limit
	195	.I LIMIT
	196
	197	.ti -8
	198	.IR LIMIT " :="
	199	.RB "{ " time-soft " \| " time-hard " \| " time-use-soft " \| " time-use-hard " }"
	200	.IR "SECONDS" " \|"
	201	.br
	202	.RB "{ " byte-soft " \| " byte-hard " }"
	203	.IR SIZE " \|"
	204	.br
	205	.RB "{ " packet-soft " \| " packet-hard " }"
	206	.I COUNT
	207
	208	.ti -8
	209	.IR ENCAP " :="
	210	.RB "{ " espinudp " \| " espinudp-nonike " }"
	211	.IR SPORT " " DPORT " " OADDR
	212
a7eef7aa PS	213	.ti -8
	214	.IR EXTRA-FLAG-LIST " := [ " EXTRA-FLAG-LIST " ] " EXTRA-FLAG
	215
	216	.ti -8
	217	.IR EXTRA-FLAG " := "
	218	.B dont-encap-dscp
	219
2a9721f1 SH	220	.ti -8
	221	.BR "ip xfrm policy" " { " add " \| " update " }"
	222	.I SELECTOR
	223	.B dir
	224	.I DIR
	225	.RB "[ " ctx
	226	.IR CTX " ]"
	227	.RB "[ " mark
	228	.I MARK
	229	.RB "[ " mask
	230	.IR MASK " ] ]"
	231	.RB "[ " index
	232	.IR INDEX " ]"
	233	.RB "[ " ptype
	234	.IR PTYPE " ]"
	235	.RB "[ " action
	236	.IR ACTION " ]"
	237	.RB "[ " priority
	238	.IR PRIORITY " ]"
	239	.RB "[ " flag
	240	.IR FLAG-LIST " ]"
	241	.RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]"
	242
	243	.ti -8
	244	.BR "ip xfrm policy" " { " delete " \| " get " }"
	245	.RI "{ " SELECTOR " \| "
	246	.B index
	247	.IR INDEX " }"
	248	.B dir
	249	.I DIR
	250	.RB "[ " ctx
	251	.IR CTX " ]"
	252	.RB "[ " mark
	253	.I MARK
	254	.RB "[ " mask
	255	.IR MASK " ] ]"
	256	.RB "[ " ptype
	257	.IR PTYPE " ]"
	258
	259	.ti -8
	260	.BR "ip xfrm policy" " { " deleteall " \| " list " }"
de3ddbc2	261	.RB "[ " nosock " ]"
2a9721f1 SH	262	.RI "[ " SELECTOR " ]"
	263	.RB "[ " dir
	264	.IR DIR " ]"
	265	.RB "[ " index
	266	.IR INDEX " ]"
	267	.RB "[ " ptype
	268	.IR PTYPE " ]"
	269	.RB "[ " action
	270	.IR ACTION " ]"
	271	.RB "[ " priority
	272	.IR PRIORITY " ]"
a7eef7aa PS	273	.RB "[ " flag
a7eef7aa PS	274	.IR FLAG-LIST "]"
2a9721f1 SH	275
	276	.ti -8
	277	.B "ip xfrm policy flush"
	278	.RB "[ " ptype
	279	.IR PTYPE " ]"
	280
	281	.ti -8
	282	.B "ip xfrm policy count"
	283
811aca04 CG	284	.ti -8
	285	.B "ip xfrm policy set"
	286	.RB "[ " hthresh4
	287	.IR LBITS " " RBITS " ]"
	288	.RB "[ " hthresh6
	289	.IR LBITS " " RBITS " ]"
	290
2a9721f1 SH	291	.ti -8
	292	.IR SELECTOR " :="
	293	.RB "[ " src
	294	.IR ADDR "[/" PLEN "] ]"
	295	.RB "[ " dst
	296	.IR ADDR "[/" PLEN "] ]"
	297	.RB "[ " dev
	298	.IR DEV " ]"
	299	.RI "[ " UPSPEC " ]"
	300
	301	.ti -8
	302	.IR UPSPEC " := "
	303	.BR proto " {"
	304	.IR PROTO " \|"
	305	.br
	306	.RB "{ " tcp " \| " udp " \| " sctp " \| " dccp " } [ " sport
	307	.IR PORT " ]"
	308	.RB "[ " dport
	309	.IR PORT " ] \|"
	310	.br
	311	.RB "{ " icmp " \| " ipv6-icmp " \| " mobility-header " } [ " type
	312	.IR NUMBER " ]"
	313	.RB "[ " code
	314	.IR NUMBER " ] \|"
	315	.br
	316	.BR gre " [ " key
	317	.RI "{ " DOTTED-QUAD " \| " NUMBER " } ] }"
	318
	319	.ti -8
	320	.IR DIR " := "
	321	.BR in " \| " out " \| " fwd
	322
	323	.ti -8
	324	.IR PTYPE " := "
	325	.BR main " \| " sub
	326
	327	.ti -8
	328	.IR ACTION " := "
	329	.BR allow " \| " block
	330
	331	.ti -8
	332	.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
	333
	334	.ti -8
	335	.IR FLAG " :="
	336	.BR localok " \| " icmp
	337
	338	.ti -8
	339	.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
	340	.B limit
	341	.I LIMIT
	342
	343	.ti -8
	344	.IR LIMIT " :="
	345	.RB "{ " time-soft " \| " time-hard " \| " time-use-soft " \| " time-use-hard " }"
	346	.IR "SECONDS" " \|"
	347	.br
	348	.RB "{ " byte-soft " \| " byte-hard " }"
	349	.IR SIZE " \|"
	350	.br
	351	.RB "{ " packet-soft " \| " packet-hard " }"
	352	.I COUNT
	353
	354	.ti -8
355	.IR TMPL-LIST " := [ " TMPL-LIST " ]"
356	.B tmpl
357	.I TMPL
358
359	.ti -8
360	.IR TMPL " := " ID
361	.RB "[ " mode
362	.IR MODE " ]"
363	.RB "[ " reqid
364	.IR REQID " ]"
365	.RB "[ " level
366	.IR LEVEL " ]"
367
368	.ti -8
369	.IR ID " :="
370	.RB "[ " src
371	.IR ADDR " ]"
372	.RB "[ " dst
373	.IR ADDR " ]"
374	.RB "[ " proto
375	.IR XFRM-PROTO " ]"
376	.RB "[ " spi
377	.IR SPI " ]"
378
379	.ti -8
380	.IR XFRM-PROTO " :="
381	.BR esp " \| " ah " \| " comp " \| " route2 " \| " hao
382
383	.ti -8
384	.IR MODE " := "
29665f92	385	.BR transport " \| " tunnel " \| " beet " \| " ro " \| " in_trigger
2a9721f1 SH	386
	387	.ti -8
	388	.IR LEVEL " :="
	389	.BR required " \| " use
	390
	391	.ti -8
b6ec53e3 ND	392	.BR "ip xfrm monitor" " ["
	393	.BI all-nsid
	394	] [
a6af9f2e BW	395	.BI nokeys
a6af9f2e BW	396	] [
b6ec53e3 ND	397	.BI all
b6ec53e3 ND	398	\|
2a9721f1 SH	399	.IR LISTofXFRM-OBJECTS " ]"
2a9721f1 SH	400
811aca04 CG	401	.ti -8
	402	.IR LISTofXFRM-OBJECTS " := [ " LISTofXFRM-OBJECTS " ] " XFRM-OBJECT
	403
	404	.ti -8
	405	.IR XFRM-OBJECT " := "
	406	.BR acquire " \| " expire " \| " SA " \| " policy " \| " aevent " \| " report
	407
2a9721f1 SH	408	.in -8
	409	.ad b
	410
	411	.SH DESCRIPTION
	412
	413	xfrm is an IP framework for transforming packets (such as encrypting
	414	their payloads). This framework is used to implement the IPsec protocol
	415	suite (with the
	416	.B state
	417	object operating on the Security Association Database, and the
	418	.B policy
	419	object operating on the Security Policy Database). It is also used for
	420	the IP Payload Compression Protocol and features of Mobile IPv6.
	421
61f541fe	422	.TS
	423	l l.
	424	ip xfrm state add add new state into xfrm
	425	ip xfrm state update update existing state in xfrm
	426	ip xfrm state allocspi allocate an SPI value
	427	ip xfrm state delete delete existing state in xfrm
	428	ip xfrm state get get existing state in xfrm
	429	ip xfrm state deleteall delete all existing state in xfrm
	430	ip xfrm state list print out the list of existing state in xfrm
	431	ip xfrm state flush flush all state in xfrm
	432	ip xfrm state count count all existing state in xfrm
61f541fe	433	.TE
2a9721f1 SH	434
	435	.TP
	436	.IR ID
	437	is specified by a source address, destination address,
	438	.RI "transform protocol " XFRM-PROTO ","
	439	and/or Security Parameter Index
	440	.IR SPI "."
29665f92 DW	441	(For IP Payload Compression, the Compression Parameter Index or CPI is used for
29665f92 DW	442	.IR SPI ".)"
2a9721f1 SH	443
	444	.TP
	445	.I XFRM-PROTO
	446	specifies a transform protocol:
	447	.RB "IPsec Encapsulating Security Payload (" esp "),"
	448	.RB "IPsec Authentication Header (" ah "),"
	449	.RB "IP Payload Compression (" comp "),"
	450	.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
	451	.RB "Mobile IPv6 Home Address Option (" hao ")."
	452
	453	.TP
	454	.I ALGO-LIST
29665f92 DW	455	contains one or more algorithms to use. Each algorithm
	456	.I ALGO
	457	is specified by:
	458	.RS
	459	.IP \[bu]
	460	the algorithm type:
2a9721f1	461	.RB "encryption (" enc "),"
29665f92 DW	462	.RB "authentication (" auth " or " auth-trunc "),"
	463	.RB "authenticated encryption with associated data (" aead "), or"
	464	.RB "compression (" comp ")"
	465	.IP \[bu]
	466	the algorithm name
	467	.IR ALGO-NAME
	468	(see below)
	469	.IP \[bu]
	470	.RB "(for all except " comp ")"
	471	the keying material
	472	.IR ALGO-KEYMAT ","
	473	which may include both a key and a salt or nonce value; refer to the
	474	corresponding RFC
	475	.IP \[bu]
	476	.RB "(for " auth-trunc " only)"
	477	the truncation length
	478	.I ALGO-TRUNC-LEN
	479	in bits
	480	.IP \[bu]
	481	.RB "(for " aead " only)"
2a9721f1 SH	482	the Integrity Check Value length
2a9721f1 SH	483	.I ALGO-ICV-LEN
29665f92 DW	484	in bits
	485	.RE
	486
	487	.nh
	488	.RS
	489	Encryption algorithms include
	490	.BR ecb(cipher_null) ", " cbc(des) ", " cbc(des3_ede) ", " cbc(cast5) ","
	491	.BR cbc(blowfish) ", " cbc(aes) ", " cbc(serpent) ", " cbc(camellia) ","
	492	.BR cbc(twofish) ", and " rfc3686(ctr(aes)) "."
	493
	494	Authentication algorithms include
	495	.BR digest_null ", " hmac(md5) ", " hmac(sha1) ", " hmac(sha256) ","
7f977447	496	.BR hmac(sha384) ", " hmac(sha512) ", " hmac(rmd160) ", and " xcbc(aes) "."
29665f92 DW	497
	498	Authenticated encryption with associated data (AEAD) algorithms include
	499	.BR rfc4106(gcm(aes)) ", " rfc4309(ccm(aes)) ", and " rfc4543(gcm(aes)) "."
	500
	501	Compression algorithms include
	502	.BR deflate ", " lzs ", and " lzjh "."
	503	.RE
	504	.hy
2a9721f1 SH	505
	506	.TP
	507	.I MODE
29665f92 DW	508	specifies a mode of operation for the transform protocol. IPsec and IP Payload
	509	Compression modes are
	510	.BR transport ", " tunnel ","
	511	and (for IPsec ESP only) Bound End-to-End Tunnel
	512	.RB "(" beet ")."
	513	Mobile IPv6 modes are route optimization
	514	.RB "(" ro ")"
	515	and inbound trigger
	516	.RB "(" in_trigger ")."
2a9721f1 SH	517
	518	.TP
	519	.I FLAG-LIST
	520	contains one or more of the following optional flags:
	521	.BR noecn ", " decap-dscp ", " nopmtudisc ", " wildrecv ", " icmp ", "
eeb669a7	522	.BR af-unspec ", " align4 ", or " esn "."
2a9721f1 SH	523
	524	.TP
	525	.IR SELECTOR
	526	selects the traffic that will be controlled by the policy, based on the source
	527	address, the destination address, the network device, and/or
	528	.IR UPSPEC "."
	529
	530	.TP
	531	.IR UPSPEC
	532	selects traffic by protocol. For the
	533	.BR tcp ", " udp ", " sctp ", or " dccp
	534	protocols, the source and destination port can optionally be specified.
	535	For the
	536	.BR icmp ", " ipv6-icmp ", or " mobility-header
	537	protocols, the type and code numbers can optionally be specified.
	538	For the
	539	.B gre
	540	protocol, the key can optionally be specified as a dotted-quad or number.
	541	Other protocols can be selected by name or number
	542	.IR PROTO "."
	543
	544	.TP
	545	.I LIMIT-LIST
	546	sets limits in seconds, bytes, or numbers of packets.
	547
	548	.TP
	549	.I ENCAP
	550	encapsulates packets with protocol
	551	.BR espinudp " or " espinudp-nonike ","
	552	.RI "using source port " SPORT ", destination port " DPORT
	553	.RI ", and original address " OADDR "."
811aca04	554
2ecb61a0 SAK	555	.TP
	556	.I MARK
	557	used to match xfrm policies and states
	558
	559	.TP
	560	.I OUTPUT-MARK
	561	used to set the output mark to influence the routing
	562	of the packets emitted by the state
	563
61f541fe	564	.sp
811aca04	565	.PP
61f541fe	566	.TS
	567	l l.
	568	ip xfrm policy add add a new policy
	569	ip xfrm policy update update an existing policy
	570	ip xfrm policy delete delete an existing policy
	571	ip xfrm policy get get an existing policy
	572	ip xfrm policy deleteall delete all existing xfrm policies
	573	ip xfrm policy list print out the list of xfrm policies
	574	ip xfrm policy flush flush policies
61f541fe	575	.TE
2a9721f1	576
de3ddbc2 SR	577	.TP
	578	.BR nosock
	579	filter (remove) all socket policies from the output.
	580
2a9721f1 SH	581	.TP
	582	.IR SELECTOR
	583	selects the traffic that will be controlled by the policy, based on the source
	584	address, the destination address, the network device, and/or
	585	.IR UPSPEC "."
	586
	587	.TP
	588	.IR UPSPEC
	589	selects traffic by protocol. For the
	590	.BR tcp ", " udp ", " sctp ", or " dccp
	591	protocols, the source and destination port can optionally be specified.
	592	For the
	593	.BR icmp ", " ipv6-icmp ", or " mobility-header
	594	protocols, the type and code numbers can optionally be specified.
	595	For the
	596	.B gre
	597	protocol, the key can optionally be specified as a dotted-quad or number.
	598	Other protocols can be selected by name or number
	599	.IR PROTO "."
	600
	601	.TP
	602	.I DIR
	603	selects the policy direction as
	604	.BR in ", " out ", or " fwd "."
	605
	606	.TP
	607	.I CTX
	608	sets the security context.
	609
	610	.TP
	611	.I PTYPE
	612	can be
	613	.BR main " (default) or " sub "."
	614
	615	.TP
	616	.I ACTION
	617	can be
	618	.BR allow " (default) or " block "."
	619
	620	.TP
	621	.I PRIORITY
	622	is a number that defaults to zero.
	623
	624	.TP
	625	.I FLAG-LIST
	626	contains one or both of the following optional flags:
	627	.BR local " or " icmp "."
	628
	629	.TP
	630	.I LIMIT-LIST
	631	sets limits in seconds, bytes, or numbers of packets.
	632
	633	.TP
	634	.I TMPL-LIST
	635	is a template list specified using
	636	.IR ID ", " MODE ", " REQID ", and/or " LEVEL ". "
	637
	638	.TP
	639	.IR ID
	640	is specified by a source address, destination address,
	641	.RI "transform protocol " XFRM-PROTO ","
	642	and/or Security Parameter Index
	643	.IR SPI "."
29665f92 DW	644	(For IP Payload Compression, the Compression Parameter Index or CPI is used for
29665f92 DW	645	.IR SPI ".)"
2a9721f1 SH	646
	647	.TP
	648	.I XFRM-PROTO
	649	specifies a transform protocol:
	650	.RB "IPsec Encapsulating Security Payload (" esp "),"
	651	.RB "IPsec Authentication Header (" ah "),"
	652	.RB "IP Payload Compression (" comp "),"
	653	.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
	654	.RB "Mobile IPv6 Home Address Option (" hao ")."
	655
	656	.TP
	657	.I MODE
29665f92 DW	658	specifies a mode of operation for the transform protocol. IPsec and IP Payload
	659	Compression modes are
	660	.BR transport ", " tunnel ","
	661	and (for IPsec ESP only) Bound End-to-End Tunnel
	662	.RB "(" beet ")."
	663	Mobile IPv6 modes are route optimization
	664	.RB "(" ro ")"
	665	and inbound trigger
	666	.RB "(" in_trigger ")."
2a9721f1 SH	667
	668	.TP
	669	.I LEVEL
	670	can be
	671	.BR required " (default) or " use "."
	672
811aca04 CG	673	.sp
	674	.PP
	675	.TS
	676	l l.
	677	ip xfrm policy count count existing policies
	678	.TE
	679
	680	.PP
	681	Use one or more -s options to display more details, including policy hash table
	682	information.
	683
	684	.sp
	685	.PP
	686	.TS
	687	l l.
	688	ip xfrm policy set configure the policy hash table
	689	.TE
	690
	691	.PP
	692	Security policies whose address prefix lengths are greater than or equal
	693	policy hash table thresholds are hashed. Others are stored in the
	694	policy_inexact chained list.
	695
	696	.TP
	697	.I LBITS
	698	specifies the minimum local address prefix length of policies that are
	699	stored in the Security Policy Database hash table.
	700
	701	.TP
	702	.I RBITS
	703	specifies the minimum remote address prefix length of policies that are
	704	stored in the Security Policy Database hash table.
	705
	706	.sp
	707	.PP
	708	.TS
	709	l l.
	710	ip xfrm monitor state monitoring for xfrm objects
	711	.TE
	712
	713	.PP
2a9721f1 SH	714	The xfrm objects to monitor can be optionally specified.
2a9721f1 SH	715
b6ec53e3 ND	716	.P
	717	If the
	718	.BI all-nsid
	719	option is set, the program listens to all network namespaces that have a
	720	nsid assigned into the network namespace were the program is running.
	721	A prefix is displayed to show the network namespace where the message
	722	originates. Example:
	723	.sp
	724	.in +2
	725	[nsid 1]Flushed state proto 0
	726	.in -2
	727	.sp
	728
2a9721f1	729	.SH AUTHOR
29665f92	730	Manpage revised by David Ward <david.ward@ll.mit.edu>
811aca04 CG	731	.br
811aca04 CG	732	Manpage revised by Christophe Gouault <christophe.gouault@6wind.com>
b6ec53e3 ND	733	.br
b6ec53e3 ND	734	Manpage revised by Nicolas Dichtel <nicolas.dichtel@6wind.com>