1 | .TH IP\-XFRM 8 "20 Dec 2011" "iproute2" "Linux" |
2 | .SH "NAME" | |
aab2702d | 3 | ip-xfrm \- transform configuration |
4 | .SH "SYNOPSIS" |
5 | .sp | |
6 | .ad l | |
7 | .in +8 | |
8 | .ti -8 | |
9 | .B ip | |
10 | .RI "[ " OPTIONS " ]" | |
11 | .B xfrm | |
12 | .RI " { " COMMAND " | " | |
13 | .BR help " }" | |
14 | .sp | |
15 | ||
16 | .ti -8 | |
17 | .B "ip xfrm" | |
18 | .IR XFRM-OBJECT " { " COMMAND " | " | |
19 | .BR help " }" | |
20 | .sp | |
21 | ||
22 | .ti -8 | |
23 | .IR XFRM-OBJECT " :=" | |
24 | .BR state " | " policy " | " monitor | |
25 | .sp | |
26 | ||
27 | .ti -8 | |
28 | .BR "ip xfrm state" " { " add " | " update " } " | |
29 | .IR ID " [ " ALGO-LIST " ]" | |
30 | .RB "[ " mode | |
31 | .IR MODE " ]" | |
32 | .RB "[ " mark | |
33 | .I MARK | |
34 | .RB "[ " mask | |
35 | .IR MASK " ] ]" | |
36 | .RB "[ " reqid | |
37 | .IR REQID " ]" | |
38 | .RB "[ " seq | |
39 | .IR SEQ " ]" | |
40 | .RB "[ " replay-window | |
41 | .IR SIZE " ]" | |
42 | .RB "[ " replay-seq | |
43 | .IR SEQ " ]" | |
44 | .RB "[ " replay-oseq | |
45 | .IR SEQ " ]" | |
46 | .RB "[ " replay-seq-hi |
47 | .IR SEQ " ]" | |
48 | .RB "[ " replay-oseq-hi | |
49 | .IR SEQ " ]" | |
50 | .RB "[ " flag |
51 | .IR FLAG-LIST " ]" | |
52 | .RB "[ " sel | |
53 | .IR SELECTOR " ] [ " LIMIT-LIST " ]" | |
54 | .RB "[ " encap | |
55 | .IR ENCAP " ]" | |
56 | .RB "[ " coa | |
57 | .IR ADDR "[/" PLEN "] ]" | |
58 | .RB "[ " ctx | |
59 | .IR CTX " ]" | |
60 | .RB "[ " extra-flag |
61 | .IR EXTRA-FLAG-LIST " ]" | |
62 | .RB "[ " output-mark |
63 | .IR OUTPUT-MARK " ]" | |
64 | |
65 | .ti -8 | |
66 | .B "ip xfrm state allocspi" | |
67 | .I ID | |
68 | .RB "[ " mode | |
69 | .IR MODE " ]" | |
70 | .RB "[ " mark | |
71 | .I MARK | |
72 | .RB "[ " mask | |
73 | .IR MASK " ] ]" | |
74 | .RB "[ " reqid | |
75 | .IR REQID " ]" | |
76 | .RB "[ " seq | |
77 | .IR SEQ " ]" | |
78 | .RB "[ " min | |
79 | .I SPI | |
80 | .B max | |
81 | .IR SPI " ]" | |
82 | ||
83 | .ti -8 | |
84 | .BR "ip xfrm state" " { " delete " | " get " } " | |
85 | .I ID | |
86 | .RB "[ " mark | |
87 | .I MARK | |
88 | .RB "[ " mask | |
89 | .IR MASK " ] ]" | |
90 | ||
91 | .ti -8 | |
a6af9f2e | 92 | .BR "ip xfrm state " deleteall " [" |
93 | .IR ID " ]" |
94 | .RB "[ " mode | |
95 | .IR MODE " ]" | |
96 | .RB "[ " reqid | |
97 | .IR REQID " ]" | |
98 | .RB "[ " flag | |
99 | .IR FLAG-LIST " ]" | |
100 | ||
101 | .ti -8 |
102 | .BR "ip xfrm state " list " [" | |
103 | .IR ID " ]" | |
104 | .RB "[ " nokeys " ]" | |
105 | .RB "[ " mode | |
106 | .IR MODE " ]" | |
107 | .RB "[ " reqid | |
108 | .IR REQID " ]" | |
109 | .RB "[ " flag | |
110 | .IR FLAG-LIST " ]" | |
111 | ||
112 | .ti -8 |
113 | .BR "ip xfrm state flush" " [ " proto | |
114 | .IR XFRM-PROTO " ]" | |
115 | ||
116 | .ti -8 | |
117 | .BR "ip xfrm state count" | |
118 | ||
119 | .ti -8 | |
120 | .IR ID " :=" | |
121 | .RB "[ " src | |
122 | .IR ADDR " ]" | |
123 | .RB "[ " dst | |
124 | .IR ADDR " ]" | |
125 | .RB "[ " proto | |
126 | .IR XFRM-PROTO " ]" | |
127 | .RB "[ " spi | |
128 | .IR SPI " ]" | |
129 | ||
130 | .ti -8 | |
131 | .IR XFRM-PROTO " :=" | |
132 | .BR esp " | " ah " | " comp " | " route2 " | " hao | |
133 | ||
134 | .ti -8 | |
135 | .IR ALGO-LIST " := [ " ALGO-LIST " ] " ALGO | |
136 | ||
137 | .ti -8 | |
138 | .IR ALGO " :=" | |
5699275b | 139 | .RB "{ " enc " | " auth " } " |
29665f92 | 140 | .IR ALGO-NAME " " ALGO-KEYMAT " |" |
2a9721f1 | 141 | .br |
2a9721f1 | 142 | .B auth-trunc |
29665f92 | 143 | .IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-TRUNC-LEN " |" |
144 | .br |
145 | .B aead | |
29665f92 | 146 | .IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-ICV-LEN " |" |
147 | .br |
148 | .B comp | |
149 | .IR ALGO-NAME | |
150 | |
151 | .ti -8 | |
152 | .IR MODE " := " | |
29665f92 | 153 | .BR transport " | " tunnel " | " beet " | " ro " | " in_trigger |
154 | |
155 | .ti -8 | |
156 | .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG | |
157 | ||
158 | .ti -8 | |
159 | .IR FLAG " :=" | |
160 | .BR noecn " | " decap-dscp " | " nopmtudisc " | " wildrecv " | " icmp " | " |
161 | .BR af-unspec " | " align4 " | " esn | |
162 | |
163 | .ti -8 | |
164 | .IR SELECTOR " :=" | |
165 | .RB "[ " src | |
166 | .IR ADDR "[/" PLEN "] ]" | |
167 | .RB "[ " dst | |
168 | .IR ADDR "[/" PLEN "] ]" | |
169 | .RB "[ " dev | |
170 | .IR DEV " ]" | |
171 | .br | |
172 | .RI "[ " UPSPEC " ]" | |
173 | ||
174 | .ti -8 | |
175 | .IR UPSPEC " := " | |
176 | .BR proto " {" | |
177 | .IR PROTO " |" | |
178 | .br | |
179 | .RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport | |
180 | .IR PORT " ]" | |
181 | .RB "[ " dport | |
182 | .IR PORT " ] |" | |
183 | .br | |
184 | .RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type | |
185 | .IR NUMBER " ]" | |
186 | .RB "[ " code | |
187 | .IR NUMBER " ] |" | |
188 | .br | |
189 | .BR gre " [ " key | |
190 | .RI "{ " DOTTED-QUAD " | " NUMBER " } ] }" | |
191 | ||
192 | .ti -8 | |
193 | .IR LIMIT-LIST " := [ " LIMIT-LIST " ]" | |
194 | .B limit | |
195 | .I LIMIT | |
196 | ||
197 | .ti -8 | |
198 | .IR LIMIT " :=" | |
199 | .RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }" | |
200 | .IR "SECONDS" " |" | |
201 | .br | |
202 | .RB "{ " byte-soft " | " byte-hard " }" | |
203 | .IR SIZE " |" | |
204 | .br | |
205 | .RB "{ " packet-soft " | " packet-hard " }" | |
206 | .I COUNT | |
207 | ||
208 | .ti -8 | |
209 | .IR ENCAP " :=" | |
210 | .RB "{ " espinudp " | " espinudp-nonike " }" | |
211 | .IR SPORT " " DPORT " " OADDR | |
212 | ||
213 | .ti -8 |
214 | .IR EXTRA-FLAG-LIST " := [ " EXTRA-FLAG-LIST " ] " EXTRA-FLAG | |
215 | ||
216 | .ti -8 | |
217 | .IR EXTRA-FLAG " := " | |
218 | .B dont-encap-dscp | |
219 | ||
220 | .ti -8 |
221 | .BR "ip xfrm policy" " { " add " | " update " }" | |
222 | .I SELECTOR | |
223 | .B dir | |
224 | .I DIR | |
225 | .RB "[ " ctx | |
226 | .IR CTX " ]" | |
227 | .RB "[ " mark | |
228 | .I MARK | |
229 | .RB "[ " mask | |
230 | .IR MASK " ] ]" | |
231 | .RB "[ " index | |
232 | .IR INDEX " ]" | |
233 | .RB "[ " ptype | |
234 | .IR PTYPE " ]" | |
235 | .RB "[ " action | |
236 | .IR ACTION " ]" | |
237 | .RB "[ " priority | |
238 | .IR PRIORITY " ]" | |
239 | .RB "[ " flag | |
240 | .IR FLAG-LIST " ]" | |
241 | .RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]" | |
242 | ||
243 | .ti -8 | |
244 | .BR "ip xfrm policy" " { " delete " | " get " }" | |
245 | .RI "{ " SELECTOR " | " | |
246 | .B index | |
247 | .IR INDEX " }" | |
248 | .B dir | |
249 | .I DIR | |
250 | .RB "[ " ctx | |
251 | .IR CTX " ]" | |
252 | .RB "[ " mark | |
253 | .I MARK | |
254 | .RB "[ " mask | |
255 | .IR MASK " ] ]" | |
256 | .RB "[ " ptype | |
257 | .IR PTYPE " ]" | |
258 | ||
259 | .ti -8 | |
260 | .BR "ip xfrm policy" " { " deleteall " | " list " }" | |
de3ddbc2 | 261 | .RB "[ " nosock " ]" |
262 | .RI "[ " SELECTOR " ]" |
263 | .RB "[ " dir | |
264 | .IR DIR " ]" | |
265 | .RB "[ " index | |
266 | .IR INDEX " ]" | |
267 | .RB "[ " ptype | |
268 | .IR PTYPE " ]" | |
269 | .RB "[ " action | |
270 | .IR ACTION " ]" | |
271 | .RB "[ " priority | |
272 | .IR PRIORITY " ]" | |
273 | .RB "[ " flag |
274 | .IR FLAG-LIST " ]" | |
275 | |
276 | .ti -8 | |
277 | .B "ip xfrm policy flush" | |
278 | .RB "[ " ptype | |
279 | .IR PTYPE " ]" | |
280 | ||
281 | .ti -8 | |
282 | .B "ip xfrm policy count" | |
283 | ||
284 | .ti -8 |
285 | .B "ip xfrm policy set" | |
286 | .RB "[ " hthresh4 | |
287 | .IR LBITS " " RBITS " ]" | |
288 | .RB "[ " hthresh6 | |
289 | .IR LBITS " " RBITS " ]" | |
290 | ||
291 | .ti -8 |
292 | .IR SELECTOR " :=" | |
293 | .RB "[ " src | |
294 | .IR ADDR "[/" PLEN "] ]" | |
295 | .RB "[ " dst | |
296 | .IR ADDR "[/" PLEN "] ]" | |
297 | .RB "[ " dev | |
298 | .IR DEV " ]" | |
299 | .RI "[ " UPSPEC " ]" | |
300 | ||
301 | .ti -8 | |
302 | .IR UPSPEC " := " | |
303 | .BR proto " {" | |
304 | .IR PROTO " |" | |
305 | .br | |
306 | .RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport | |
307 | .IR PORT " ]" | |
308 | .RB "[ " dport | |
309 | .IR PORT " ] |" | |
310 | .br | |
311 | .RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type | |
312 | .IR NUMBER " ]" | |
313 | .RB "[ " code | |
314 | .IR NUMBER " ] |" | |
315 | .br | |
316 | .BR gre " [ " key | |
317 | .RI "{ " DOTTED-QUAD " | " NUMBER " } ] }" | |
318 | ||
319 | .ti -8 | |
320 | .IR DIR " := " | |
321 | .BR in " | " out " | " fwd | |
322 | ||
323 | .ti -8 | |
324 | .IR PTYPE " := " | |
325 | .BR main " | " sub | |
326 | ||
327 | .ti -8 | |
328 | .IR ACTION " := " | |
329 | .BR allow " | " block | |
330 | ||
331 | .ti -8 | |
332 | .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG | |
333 | ||
334 | .ti -8 | |
335 | .IR FLAG " :=" | |
336 | .BR localok " | " icmp | |
337 | ||
338 | .ti -8 | |
339 | .IR LIMIT-LIST " := [ " LIMIT-LIST " ]" | |
340 | .B limit | |
341 | .I LIMIT | |
342 | ||
343 | .ti -8 | |
344 | .IR LIMIT " :=" | |
345 | .RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }" | |
346 | .IR "SECONDS" " |" | |
347 | .br | |
348 | .RB "{ " byte-soft " | " byte-hard " }" | |
349 | .IR SIZE " |" | |
350 | .br | |
351 | .RB "{ " packet-soft " | " packet-hard " }" | |
352 | .I COUNT | |
353 | ||
354 | .ti -8 | |
355 | .IR TMPL-LIST " := [ " TMPL-LIST " ]" | |
356 | .B tmpl | |
357 | .I TMPL | |
358 | ||
359 | .ti -8 | |
360 | .IR TMPL " := " ID | |
361 | .RB "[ " mode | |
362 | .IR MODE " ]" | |
363 | .RB "[ " reqid | |
364 | .IR REQID " ]" | |
365 | .RB "[ " level | |
366 | .IR LEVEL " ]" | |
367 | ||
368 | .ti -8 | |
369 | .IR ID " :=" | |
370 | .RB "[ " src | |
371 | .IR ADDR " ]" | |
372 | .RB "[ " dst | |
373 | .IR ADDR " ]" | |
374 | .RB "[ " proto | |
375 | .IR XFRM-PROTO " ]" | |
376 | .RB "[ " spi | |
377 | .IR SPI " ]" | |
378 | ||
379 | .ti -8 | |
380 | .IR XFRM-PROTO " :=" | |
381 | .BR esp " | " ah " | " comp " | " route2 " | " hao | |
382 | ||
383 | .ti -8 | |
384 | .IR MODE " := " | |
29665f92 | 385 | .BR transport " | " tunnel " | " beet " | " ro " | " in_trigger |
386 | |
387 | .ti -8 | |
388 | .IR LEVEL " :=" | |
389 | .BR required " | " use | |
390 | ||
391 | .ti -8 | |
392 | .BR "ip xfrm monitor" " [" |
393 | .BI all-nsid | |
394 | ] [ | |
395 | .BI nokeys |
396 | ] [ | |
397 | .BI all |
398 | | | |
399 | .IR LISTofXFRM-OBJECTS " ]" |
400 | ||
401 | .ti -8 |
402 | .IR LISTofXFRM-OBJECTS " := [ " LISTofXFRM-OBJECTS " ] " XFRM-OBJECT | |
403 | ||
404 | .ti -8 | |
405 | .IR XFRM-OBJECT " := " | |
406 | .BR acquire " | " expire " | " SA " | " policy " | " aevent " | " report | |
407 | ||
408 | .in -8 |
409 | .ad b | |
410 | ||
411 | .SH DESCRIPTION | |
412 | ||
413 | xfrm is an IP framework for transforming packets (such as encrypting | |
414 | their payloads). This framework is used to implement the IPsec protocol | |
415 | suite (with the | |
416 | .B state | |
417 | object operating on the Security Association Database, and the | |
418 | .B policy | |
419 | object operating on the Security Policy Database). It is also used for | |
420 | the IP Payload Compression Protocol and features of Mobile IPv6. | |
421 | ||
61f541fe | 422 | .TS |
423 | l l. | |
424 | ip xfrm state add add new state into xfrm | |
425 | ip xfrm state update update existing state in xfrm | |
426 | ip xfrm state allocspi allocate an SPI value | |
427 | ip xfrm state delete delete existing state in xfrm | |
428 | ip xfrm state get get existing state in xfrm | |
429 | ip xfrm state deleteall delete all existing state in xfrm | |
430 | ip xfrm state list print out the list of existing state in xfrm | |
431 | ip xfrm state flush flush all state in xfrm | |
432 | ip xfrm state count count all existing state in xfrm | |
61f541fe | 433 | .TE |
434 | |
435 | .TP | |
436 | .IR ID | |
437 | is specified by a source address, destination address, | |
438 | .RI "transform protocol " XFRM-PROTO "," | |
439 | and/or Security Parameter Index | |
440 | .IR SPI "." | |
441 | (For IP Payload Compression, the Compression Parameter Index or CPI is used for |
442 | .IR SPI ".)" | |
443 | |
444 | .TP | |
445 | .I XFRM-PROTO | |
446 | specifies a transform protocol: | |
447 | .RB "IPsec Encapsulating Security Payload (" esp ")," | |
448 | .RB "IPsec Authentication Header (" ah ")," | |
449 | .RB "IP Payload Compression (" comp ")," | |
450 | .RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or" | |
451 | .RB "Mobile IPv6 Home Address Option (" hao ")." | |
452 | ||
453 | .TP | |
454 | .I ALGO-LIST | |
455 | contains one or more algorithms to use. Each algorithm |
456 | .I ALGO | |
457 | is specified by: | |
458 | .RS | |
459 | .IP \[bu] | |
460 | the algorithm type: | |
2a9721f1 | 461 | .RB "encryption (" enc ")," |
462 | .RB "authentication (" auth " or " auth-trunc ")," |
463 | .RB "authenticated encryption with associated data (" aead "), or" | |
464 | .RB "compression (" comp ")" | |
465 | .IP \[bu] | |
466 | the algorithm name | |
467 | .IR ALGO-NAME | |
468 | (see below) | |
469 | .IP \[bu] | |
470 | .RB "(for all except " comp ")" | |
471 | the keying material | |
472 | .IR ALGO-KEYMAT "," | |
473 | which may include both a key and a salt or nonce value; refer to the | |
474 | corresponding RFC | |
475 | .IP \[bu] | |
476 | .RB "(for " auth-trunc " only)" | |
477 | the truncation length | |
478 | .I ALGO-TRUNC-LEN | |
479 | in bits | |
480 | .IP \[bu] | |
481 | .RB "(for " aead " only)" | |
482 | the Integrity Check Value length |
483 | .I ALGO-ICV-LEN | |
484 | in bits |
485 | .RE | |
486 | ||
487 | .nh | |
488 | .RS | |
489 | Encryption algorithms include | |
490 | .BR ecb(cipher_null) ", " cbc(des) ", " cbc(des3_ede) ", " cbc(cast5) "," | |
491 | .BR cbc(blowfish) ", " cbc(aes) ", " cbc(serpent) ", " cbc(camellia) "," | |
492 | .BR cbc(twofish) ", and " rfc3686(ctr(aes)) "." | |
Note that
.B ecb(cipher_null)
provides no confidentiality and is intended for testing only, and that the
56-bit key of
.B cbc(des)
is too short to protect real traffic.
493 | ||
494 | Authentication algorithms include | |
495 | .BR digest_null ", " hmac(md5) ", " hmac(sha1) ", " hmac(sha256) "," | |
496 | .BR hmac(sha384) ", " hmac(sha512) ", " hmac(rmd160) ", and " xcbc(aes) "." | |
Note that
.B digest_null
provides no integrity protection and is intended for testing only.
497 | |
498 | Authenticated encryption with associated data (AEAD) algorithms include | |
499 | .BR rfc4106(gcm(aes)) ", " rfc4309(ccm(aes)) ", and " rfc4543(gcm(aes)) "." | |
500 | ||
501 | Compression algorithms include | |
502 | .BR deflate ", " lzs ", and " lzjh "." | |
503 | .RE | |
504 | .hy | |
505 | |
506 | .TP | |
507 | .I MODE | |
508 | specifies a mode of operation for the transform protocol. IPsec and IP Payload |
509 | Compression modes are | |
510 | .BR transport ", " tunnel "," | |
511 | and (for IPsec ESP only) Bound End-to-End Tunnel | |
512 | .RB "(" beet ")." | |
513 | Mobile IPv6 modes are route optimization | |
514 | .RB "(" ro ")" | |
515 | and inbound trigger | |
516 | .RB "(" in_trigger ")." | |
517 | |
518 | .TP | |
519 | .I FLAG-LIST | |
520 | contains one or more of the following optional flags: | |
521 | .BR noecn ", " decap-dscp ", " nopmtudisc ", " wildrecv ", " icmp ", " | |
eeb669a7 | 522 | .BR af-unspec ", " align4 ", or " esn "." |
523 | |
524 | .TP | |
525 | .IR SELECTOR | |
526 | selects the traffic that will be controlled by the policy, based on the source | |
527 | address, the destination address, the network device, and/or | |
528 | .IR UPSPEC "." | |
529 | ||
530 | .TP | |
531 | .IR UPSPEC | |
532 | selects traffic by protocol. For the | |
533 | .BR tcp ", " udp ", " sctp ", or " dccp | |
534 | protocols, the source and destination port can optionally be specified. | |
535 | For the | |
536 | .BR icmp ", " ipv6-icmp ", or " mobility-header | |
537 | protocols, the type and code numbers can optionally be specified. | |
538 | For the | |
539 | .B gre | |
540 | protocol, the key can optionally be specified as a dotted-quad or number. | |
541 | Other protocols can be selected by name or number | |
542 | .IR PROTO "." | |
543 | ||
544 | .TP | |
545 | .I LIMIT-LIST | |
546 | sets limits in seconds, bytes, or numbers of packets. | |
547 | ||
548 | .TP | |
549 | .I ENCAP | |
550 | encapsulates packets with protocol | |
551 | .BR espinudp " or " espinudp-nonike "," | |
552 | .RI "using source port " SPORT ", destination port " DPORT | |
553 | .RI ", and original address " OADDR "." | |
811aca04 | 554 | |
555 | .TP |
556 | .I MARK | |
557 | is used to match xfrm policies and states. | |
558 | ||
559 | .TP | |
560 | .I OUTPUT-MARK | |
561 | is used to set the output mark to influence the routing | |
562 | of the packets emitted by the state. | |
563 | ||
61f541fe | 564 | .sp |
811aca04 | 565 | .PP |
61f541fe | 566 | .TS |
567 | l l. | |
568 | ip xfrm policy add add a new policy | |
569 | ip xfrm policy update update an existing policy | |
570 | ip xfrm policy delete delete an existing policy | |
571 | ip xfrm policy get get an existing policy | |
572 | ip xfrm policy deleteall delete all existing xfrm policies | |
573 | ip xfrm policy list print out the list of xfrm policies | |
574 | ip xfrm policy flush flush policies | |
61f541fe | 575 | .TE |
2a9721f1 | 576 | |
577 | .TP |
578 | .BR nosock | |
579 | filter (remove) all socket policies from the output. | |
580 | ||
581 | .TP |
582 | .IR SELECTOR | |
583 | selects the traffic that will be controlled by the policy, based on the source | |
584 | address, the destination address, the network device, and/or | |
585 | .IR UPSPEC "." | |
586 | ||
587 | .TP | |
588 | .IR UPSPEC | |
589 | selects traffic by protocol. For the | |
590 | .BR tcp ", " udp ", " sctp ", or " dccp | |
591 | protocols, the source and destination port can optionally be specified. | |
592 | For the | |
593 | .BR icmp ", " ipv6-icmp ", or " mobility-header | |
594 | protocols, the type and code numbers can optionally be specified. | |
595 | For the | |
596 | .B gre | |
597 | protocol, the key can optionally be specified as a dotted-quad or number. | |
598 | Other protocols can be selected by name or number | |
599 | .IR PROTO "." | |
600 | ||
601 | .TP | |
602 | .I DIR | |
603 | selects the policy direction as | |
604 | .BR in ", " out ", or " fwd "." | |
605 | ||
606 | .TP | |
607 | .I CTX | |
608 | sets the security context. | |
609 | ||
610 | .TP | |
611 | .I PTYPE | |
612 | can be | |
613 | .BR main " (default) or " sub "." | |
614 | ||
615 | .TP | |
616 | .I ACTION | |
617 | can be | |
618 | .BR allow " (default) or " block "." | |
619 | ||
620 | .TP | |
621 | .I PRIORITY | |
622 | is a number that defaults to zero. | |
623 | ||
624 | .TP | |
625 | .I FLAG-LIST | |
626 | contains one or both of the following optional flags: | |
627 | .BR localok " or " icmp "." | |
628 | ||
629 | .TP | |
630 | .I LIMIT-LIST | |
631 | sets limits in seconds, bytes, or numbers of packets. | |
632 | ||
633 | .TP | |
634 | .I TMPL-LIST | |
635 | is a template list specified using | |
636 | .IR ID ", " MODE ", " REQID ", and/or " LEVEL ". " | |
637 | ||
638 | .TP | |
639 | .IR ID | |
640 | is specified by a source address, destination address, | |
641 | .RI "transform protocol " XFRM-PROTO "," | |
642 | and/or Security Parameter Index | |
643 | .IR SPI "." | |
644 | (For IP Payload Compression, the Compression Parameter Index or CPI is used for |
645 | .IR SPI ".)" | |
646 | |
647 | .TP | |
648 | .I XFRM-PROTO | |
649 | specifies a transform protocol: | |
650 | .RB "IPsec Encapsulating Security Payload (" esp ")," | |
651 | .RB "IPsec Authentication Header (" ah ")," | |
652 | .RB "IP Payload Compression (" comp ")," | |
653 | .RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or" | |
654 | .RB "Mobile IPv6 Home Address Option (" hao ")." | |
655 | ||
656 | .TP | |
657 | .I MODE | |
658 | specifies a mode of operation for the transform protocol. IPsec and IP Payload |
659 | Compression modes are | |
660 | .BR transport ", " tunnel "," | |
661 | and (for IPsec ESP only) Bound End-to-End Tunnel | |
662 | .RB "(" beet ")." | |
663 | Mobile IPv6 modes are route optimization | |
664 | .RB "(" ro ")" | |
665 | and inbound trigger | |
666 | .RB "(" in_trigger ")." | |
667 | |
668 | .TP | |
669 | .I LEVEL | |
670 | can be | |
671 | .BR required " (default) or " use "." | |
672 | ||
673 | .sp |
674 | .PP | |
675 | .TS | |
676 | l l. | |
677 | ip xfrm policy count count existing policies | |
678 | .TE | |
679 | ||
680 | .PP | |
681 | Use one or more -s options to display more details, including policy hash table | |
682 | information. | |
683 | ||
684 | .sp | |
685 | .PP | |
686 | .TS | |
687 | l l. | |
688 | ip xfrm policy set configure the policy hash table | |
689 | .TE | |
690 | ||
691 | .PP | |
692 | Security policies whose address prefix lengths are greater than or equal | |
693 | to the policy hash table thresholds are hashed. Others are stored in the | |
694 | policy_inexact chained list. | |
695 | ||
696 | .TP | |
697 | .I LBITS | |
698 | specifies the minimum local address prefix length of policies that are | |
699 | stored in the Security Policy Database hash table. | |
700 | ||
701 | .TP | |
702 | .I RBITS | |
703 | specifies the minimum remote address prefix length of policies that are | |
704 | stored in the Security Policy Database hash table. | |
705 | ||
706 | .sp | |
707 | .PP | |
708 | .TS | |
709 | l l. | |
710 | ip xfrm monitor state monitoring for xfrm objects | |
711 | .TE | |
712 | ||
713 | .PP | |
714 | The xfrm objects to monitor can be optionally specified. |
715 | ||
716 | .P |
717 | If the | |
718 | .BI all-nsid | |
719 | option is set, the program listens to all network namespaces that have an | |
720 | nsid assigned into the network namespace where the program is running. | |
721 | A prefix is displayed to show the network namespace where the message | |
722 | originates. Example: | |
723 | .sp | |
724 | .in +2 | |
725 | [nsid 1]Flushed state proto 0 | |
726 | .in -2 | |
727 | .sp | |
728 | ||
2a9721f1 | 729 | .SH AUTHOR |
29665f92 | 730 | Manpage revised by David Ward <david.ward@ll.mit.edu> |
731 | .br |
732 | Manpage revised by Christophe Gouault <christophe.gouault@6wind.com> | |
733 | .br |
734 | Manpage revised by Nicolas Dichtel <nicolas.dichtel@6wind.com> |