xfrm: add option to hide keys in state output
1 .TH IP\-XFRM 8 "20 Dec 2011" "iproute2" "Linux"
2 .SH "NAME"
3 ip-xfrm \- transform configuration
4 .SH "SYNOPSIS"
5 .sp
6 .ad l
7 .in +8
8 .ti -8
9 .B ip
10 .RI "[ " OPTIONS " ]"
11 .B xfrm
12 .RI " { " COMMAND " | "
13 .BR help " }"
14 .sp
15
16 .ti -8
17 .B "ip xfrm"
18 .IR XFRM-OBJECT " { " COMMAND " | "
19 .BR help " }"
20 .sp
21
22 .ti -8
23 .IR XFRM-OBJECT " :="
24 .BR state " | " policy " | " monitor
25 .sp
26
27 .ti -8
28 .BR "ip xfrm state" " { " add " | " update " } "
29 .IR ID " [ " ALGO-LIST " ]"
30 .RB "[ " mode
31 .IR MODE " ]"
32 .RB "[ " mark
33 .I MARK
34 .RB "[ " mask
35 .IR MASK " ] ]"
36 .RB "[ " reqid
37 .IR REQID " ]"
38 .RB "[ " seq
39 .IR SEQ " ]"
40 .RB "[ " replay-window
41 .IR SIZE " ]"
42 .RB "[ " replay-seq
43 .IR SEQ " ]"
44 .RB "[ " replay-oseq
45 .IR SEQ " ]"
46 .RB "[ " replay-seq-hi
47 .IR SEQ " ]"
48 .RB "[ " replay-oseq-hi
49 .IR SEQ " ]"
50 .RB "[ " flag
51 .IR FLAG-LIST " ]"
52 .RB "[ " sel
53 .IR SELECTOR " ] [ " LIMIT-LIST " ]"
54 .RB "[ " encap
55 .IR ENCAP " ]"
56 .RB "[ " coa
57 .IR ADDR "[/" PLEN "] ]"
58 .RB "[ " ctx
59 .IR CTX " ]"
60 .RB "[ " extra-flag
61 .IR EXTRA-FLAG-LIST " ]"
62 .RB "[ " output-mark
63 .IR OUTPUT-MARK " ]"
64
65 .ti -8
66 .B "ip xfrm state allocspi"
67 .I ID
68 .RB "[ " mode
69 .IR MODE " ]"
70 .RB "[ " mark
71 .I MARK
72 .RB "[ " mask
73 .IR MASK " ] ]"
74 .RB "[ " reqid
75 .IR REQID " ]"
76 .RB "[ " seq
77 .IR SEQ " ]"
78 .RB "[ " min
79 .I SPI
80 .B max
81 .IR SPI " ]"
82
83 .ti -8
84 .BR "ip xfrm state" " { " delete " | " get " } "
85 .I ID
86 .RB "[ " mark
87 .I MARK
88 .RB "[ " mask
89 .IR MASK " ] ]"
90
91 .ti -8
92 .BR "ip xfrm state " deleteall " ["
93 .IR ID " ]"
94 .RB "[ " mode
95 .IR MODE " ]"
96 .RB "[ " reqid
97 .IR REQID " ]"
98 .RB "[ " flag
99 .IR FLAG-LIST " ]"
100
101 .ti -8
102 .BR "ip xfrm state " list " ["
103 .IR ID " ]"
104 .RB "[ " nokeys " ]"
105 .RB "[ " mode
106 .IR MODE " ]"
107 .RB "[ " reqid
108 .IR REQID " ]"
109 .RB "[ " flag
110 .IR FLAG-LIST " ]"
111
112 .ti -8
113 .BR "ip xfrm state flush" " [ " proto
114 .IR XFRM-PROTO " ]"
115
116 .ti -8
117 .BR "ip xfrm state count"
118
119 .ti -8
120 .IR ID " :="
121 .RB "[ " src
122 .IR ADDR " ]"
123 .RB "[ " dst
124 .IR ADDR " ]"
125 .RB "[ " proto
126 .IR XFRM-PROTO " ]"
127 .RB "[ " spi
128 .IR SPI " ]"
129
130 .ti -8
131 .IR XFRM-PROTO " :="
132 .BR esp " | " ah " | " comp " | " route2 " | " hao
133
134 .ti -8
135 .IR ALGO-LIST " := [ " ALGO-LIST " ] " ALGO
136
137 .ti -8
138 .IR ALGO " :="
139 .RB "{ " enc " | " auth " } "
140 .IR ALGO-NAME " " ALGO-KEYMAT " |"
141 .br
142 .B auth-trunc
143 .IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-TRUNC-LEN " |"
144 .br
145 .B aead
146 .IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-ICV-LEN " |"
147 .br
148 .B comp
149 .IR ALGO-NAME
150
151 .ti -8
152 .IR MODE " := "
153 .BR transport " | " tunnel " | " beet " | " ro " | " in_trigger
154
155 .ti -8
156 .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
157
158 .ti -8
159 .IR FLAG " :="
160 .BR noecn " | " decap-dscp " | " nopmtudisc " | " wildrecv " | " icmp " | "
161 .BR af-unspec " | " align4 " | " esn
162
163 .ti -8
164 .IR SELECTOR " :="
165 .RB "[ " src
166 .IR ADDR "[/" PLEN "] ]"
167 .RB "[ " dst
168 .IR ADDR "[/" PLEN "] ]"
169 .RB "[ " dev
170 .IR DEV " ]"
171 .br
172 .RI "[ " UPSPEC " ]"
173
174 .ti -8
175 .IR UPSPEC " := "
176 .BR proto " {"
177 .IR PROTO " |"
178 .br
179 .RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
180 .IR PORT " ]"
181 .RB "[ " dport
182 .IR PORT " ] |"
183 .br
184 .RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
185 .IR NUMBER " ]"
186 .RB "[ " code
187 .IR NUMBER " ] |"
188 .br
189 .BR gre " [ " key
190 .RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
191
192 .ti -8
193 .IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
194 .B limit
195 .I LIMIT
196
197 .ti -8
198 .IR LIMIT " :="
199 .RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
200 .IR "SECONDS" " |"
201 .br
202 .RB "{ " byte-soft " | " byte-hard " }"
203 .IR SIZE " |"
204 .br
205 .RB "{ " packet-soft " | " packet-hard " }"
206 .I COUNT
207
208 .ti -8
209 .IR ENCAP " :="
210 .RB "{ " espinudp " | " espinudp-nonike " }"
211 .IR SPORT " " DPORT " " OADDR
212
213 .ti -8
214 .IR EXTRA-FLAG-LIST " := [ " EXTRA-FLAG-LIST " ] " EXTRA-FLAG
215
216 .ti -8
217 .IR EXTRA-FLAG " := "
218 .B dont-encap-dscp
219
220 .ti -8
221 .BR "ip xfrm policy" " { " add " | " update " }"
222 .I SELECTOR
223 .B dir
224 .I DIR
225 .RB "[ " ctx
226 .IR CTX " ]"
227 .RB "[ " mark
228 .I MARK
229 .RB "[ " mask
230 .IR MASK " ] ]"
231 .RB "[ " index
232 .IR INDEX " ]"
233 .RB "[ " ptype
234 .IR PTYPE " ]"
235 .RB "[ " action
236 .IR ACTION " ]"
237 .RB "[ " priority
238 .IR PRIORITY " ]"
239 .RB "[ " flag
240 .IR FLAG-LIST " ]"
241 .RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]"
242
243 .ti -8
244 .BR "ip xfrm policy" " { " delete " | " get " }"
245 .RI "{ " SELECTOR " | "
246 .B index
247 .IR INDEX " }"
248 .B dir
249 .I DIR
250 .RB "[ " ctx
251 .IR CTX " ]"
252 .RB "[ " mark
253 .I MARK
254 .RB "[ " mask
255 .IR MASK " ] ]"
256 .RB "[ " ptype
257 .IR PTYPE " ]"
258
259 .ti -8
260 .BR "ip xfrm policy" " { " deleteall " | " list " }"
261 .RB "[ " nosock " ]"
262 .RI "[ " SELECTOR " ]"
263 .RB "[ " dir
264 .IR DIR " ]"
265 .RB "[ " index
266 .IR INDEX " ]"
267 .RB "[ " ptype
268 .IR PTYPE " ]"
269 .RB "[ " action
270 .IR ACTION " ]"
271 .RB "[ " priority
272 .IR PRIORITY " ]"
273 .RB "[ " flag
274 .IR FLAG-LIST " ]"
275
276 .ti -8
277 .B "ip xfrm policy flush"
278 .RB "[ " ptype
279 .IR PTYPE " ]"
280
281 .ti -8
282 .B "ip xfrm policy count"
283
284 .ti -8
285 .B "ip xfrm policy set"
286 .RB "[ " hthresh4
287 .IR LBITS " " RBITS " ]"
288 .RB "[ " hthresh6
289 .IR LBITS " " RBITS " ]"
290
291 .ti -8
292 .IR SELECTOR " :="
293 .RB "[ " src
294 .IR ADDR "[/" PLEN "] ]"
295 .RB "[ " dst
296 .IR ADDR "[/" PLEN "] ]"
297 .RB "[ " dev
298 .IR DEV " ]"
299 .RI "[ " UPSPEC " ]"
300
301 .ti -8
302 .IR UPSPEC " := "
303 .BR proto " {"
304 .IR PROTO " |"
305 .br
306 .RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
307 .IR PORT " ]"
308 .RB "[ " dport
309 .IR PORT " ] |"
310 .br
311 .RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
312 .IR NUMBER " ]"
313 .RB "[ " code
314 .IR NUMBER " ] |"
315 .br
316 .BR gre " [ " key
317 .RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
318
319 .ti -8
320 .IR DIR " := "
321 .BR in " | " out " | " fwd
322
323 .ti -8
324 .IR PTYPE " := "
325 .BR main " | " sub
326
327 .ti -8
328 .IR ACTION " := "
329 .BR allow " | " block
330
331 .ti -8
332 .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
333
334 .ti -8
335 .IR FLAG " :="
336 .BR localok " | " icmp
337
338 .ti -8
339 .IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
340 .B limit
341 .I LIMIT
342
343 .ti -8
344 .IR LIMIT " :="
345 .RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
346 .IR "SECONDS" " |"
347 .br
348 .RB "{ " byte-soft " | " byte-hard " }"
349 .IR SIZE " |"
350 .br
351 .RB "{ " packet-soft " | " packet-hard " }"
352 .I COUNT
353
354 .ti -8
355 .IR TMPL-LIST " := [ " TMPL-LIST " ]"
356 .B tmpl
357 .I TMPL
358
359 .ti -8
360 .IR TMPL " := " ID
361 .RB "[ " mode
362 .IR MODE " ]"
363 .RB "[ " reqid
364 .IR REQID " ]"
365 .RB "[ " level
366 .IR LEVEL " ]"
367
368 .ti -8
369 .IR ID " :="
370 .RB "[ " src
371 .IR ADDR " ]"
372 .RB "[ " dst
373 .IR ADDR " ]"
374 .RB "[ " proto
375 .IR XFRM-PROTO " ]"
376 .RB "[ " spi
377 .IR SPI " ]"
378
379 .ti -8
380 .IR XFRM-PROTO " :="
381 .BR esp " | " ah " | " comp " | " route2 " | " hao
382
383 .ti -8
384 .IR MODE " := "
385 .BR transport " | " tunnel " | " beet " | " ro " | " in_trigger
386
387 .ti -8
388 .IR LEVEL " :="
389 .BR required " | " use
390
391 .ti -8
392 .BR "ip xfrm monitor" " ["
393 .BI all-nsid
394 ] [
395 .BI nokeys
396 ] [
397 .BI all
398 |
399 .IR LISTofXFRM-OBJECTS " ]"
400
401 .ti -8
402 .IR LISTofXFRM-OBJECTS " := [ " LISTofXFRM-OBJECTS " ] " XFRM-OBJECT
403
404 .ti -8
405 .IR XFRM-OBJECT " := "
406 .BR acquire " | " expire " | " SA " | " policy " | " aevent " | " report
407
408 .in -8
409 .ad b
410
411 .SH DESCRIPTION
412
413 xfrm is an IP framework for transforming packets (such as encrypting
414 their payloads). This framework is used to implement the IPsec protocol
415 suite (with the
416 .B state
417 object operating on the Security Association Database, and the
418 .B policy
419 object operating on the Security Policy Database). It is also used for
420 the IP Payload Compression Protocol and features of Mobile IPv6.
421
422 .TS
423 l l.
424 ip xfrm state add add new state into xfrm
425 ip xfrm state update update existing state in xfrm
426 ip xfrm state allocspi allocate an SPI value
427 ip xfrm state delete delete existing state in xfrm
428 ip xfrm state get get existing state in xfrm
429 ip xfrm state deleteall delete all existing state in xfrm
430 ip xfrm state list print out the list of existing state in xfrm
431 ip xfrm state flush flush all state in xfrm
432 ip xfrm state count count all existing state in xfrm
433 .TE
434
435 .TP
.BR nokeys
filter (remove) the keying material
.RI "(" ALGO-KEYMAT ")"
of each state from the output, so that secret keys are not exposed in
terminal output or logs. The same option is accepted by
.BR "ip xfrm monitor" "."

.TP
436 .IR ID
437 is specified by a source address, destination address,
438 .RI "transform protocol " XFRM-PROTO ","
439 and/or Security Parameter Index
440 .IR SPI "."
441 (For IP Payload Compression, the Compression Parameter Index or CPI is used for
442 .IR SPI ".)"
443
444 .TP
445 .I XFRM-PROTO
446 specifies a transform protocol:
447 .RB "IPsec Encapsulating Security Payload (" esp "),"
448 .RB "IPsec Authentication Header (" ah "),"
449 .RB "IP Payload Compression (" comp "),"
450 .RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
451 .RB "Mobile IPv6 Home Address Option (" hao ")."
452
453 .TP
454 .I ALGO-LIST
455 contains one or more algorithms to use. Each algorithm
456 .I ALGO
457 is specified by:
458 .RS
459 .IP \[bu]
460 the algorithm type:
461 .RB "encryption (" enc "),"
462 .RB "authentication (" auth " or " auth-trunc "),"
463 .RB "authenticated encryption with associated data (" aead "), or"
464 .RB "compression (" comp ")"
465 .IP \[bu]
466 the algorithm name
467 .IR ALGO-NAME
468 (see below)
469 .IP \[bu]
470 .RB "(for all except " comp ")"
471 the keying material
472 .IR ALGO-KEYMAT ","
473 which may include both a key and a salt or nonce value; refer to the
474 corresponding RFC
475 .IP \[bu]
476 .RB "(for " auth-trunc " only)"
477 the truncation length
478 .I ALGO-TRUNC-LEN
479 in bits
480 .IP \[bu]
481 .RB "(for " aead " only)"
482 the Integrity Check Value length
483 .I ALGO-ICV-LEN
484 in bits
485 .RE
486
487 .nh
488 .RS
489 Encryption algorithms include
490 .BR ecb(cipher_null) ", " cbc(des) ", " cbc(des3_ede) ", " cbc(cast5) ","
491 .BR cbc(blowfish) ", " cbc(aes) ", " cbc(serpent) ", " cbc(camellia) ","
492 .BR cbc(twofish) ", and " rfc3686(ctr(aes)) "."
493
494 Authentication algorithms include
495 .BR digest_null ", " hmac(md5) ", " hmac(sha1) ", " hmac(sha256) ","
496 .BR hmac(sha384) ", " hmac(sha512) ", " hmac(rmd160) ", and " xcbc(aes) "."
497
498 Authenticated encryption with associated data (AEAD) algorithms include
499 .BR rfc4106(gcm(aes)) ", " rfc4309(ccm(aes)) ", and " rfc4543(gcm(aes)) "."
500
501 Compression algorithms include
502 .BR deflate ", " lzs ", and " lzjh "."
503 .RE
504 .hy
505
506 .TP
507 .I MODE
508 specifies a mode of operation for the transform protocol. IPsec and IP Payload
509 Compression modes are
510 .BR transport ", " tunnel ","
511 and (for IPsec ESP only) Bound End-to-End Tunnel
512 .RB "(" beet ")."
513 Mobile IPv6 modes are route optimization
514 .RB "(" ro ")"
515 and inbound trigger
516 .RB "(" in_trigger ")."
517
518 .TP
519 .I FLAG-LIST
520 contains one or more of the following optional flags:
521 .BR noecn ", " decap-dscp ", " nopmtudisc ", " wildrecv ", " icmp ", "
522 .BR af-unspec ", " align4 ", or " esn "."
523
524 .TP
525 .IR SELECTOR
526 selects the traffic that will be controlled by the policy, based on the source
527 address, the destination address, the network device, and/or
528 .IR UPSPEC "."
529
530 .TP
531 .IR UPSPEC
532 selects traffic by protocol. For the
533 .BR tcp ", " udp ", " sctp ", or " dccp
534 protocols, the source and destination port can optionally be specified.
535 For the
536 .BR icmp ", " ipv6-icmp ", or " mobility-header
537 protocols, the type and code numbers can optionally be specified.
538 For the
539 .B gre
540 protocol, the key can optionally be specified as a dotted-quad or number.
541 Other protocols can be selected by name or number
542 .IR PROTO "."
543
544 .TP
545 .I LIMIT-LIST
546 sets limits in seconds, bytes, or numbers of packets.
547
548 .TP
549 .I ENCAP
550 encapsulates packets with protocol
551 .BR espinudp " or " espinudp-nonike ","
552 .RI "using source port " SPORT ", destination port " DPORT
553 .RI ", and original address " OADDR "."
554
555 .TP
556 .I MARK
557 is used to match xfrm policies and states.
558
559 .TP
560 .I OUTPUT-MARK
561 is used to set the output mark, which influences the routing
562 of the packets emitted by the state.
563
564 .sp
565 .PP
566 .TS
567 l l.
568 ip xfrm policy add add a new policy
569 ip xfrm policy update update an existing policy
570 ip xfrm policy delete delete an existing policy
571 ip xfrm policy get get an existing policy
572 ip xfrm policy deleteall delete all existing xfrm policies
573 ip xfrm policy list print out the list of xfrm policies
574 ip xfrm policy flush flush policies
575 .TE
576
577 .TP
578 .BR nosock
579 filter (remove) all socket policies from the output.
580
581 .TP
582 .IR SELECTOR
583 selects the traffic that will be controlled by the policy, based on the source
584 address, the destination address, the network device, and/or
585 .IR UPSPEC "."
586
587 .TP
588 .IR UPSPEC
589 selects traffic by protocol. For the
590 .BR tcp ", " udp ", " sctp ", or " dccp
591 protocols, the source and destination port can optionally be specified.
592 For the
593 .BR icmp ", " ipv6-icmp ", or " mobility-header
594 protocols, the type and code numbers can optionally be specified.
595 For the
596 .B gre
597 protocol, the key can optionally be specified as a dotted-quad or number.
598 Other protocols can be selected by name or number
599 .IR PROTO "."
600
601 .TP
602 .I DIR
603 selects the policy direction as
604 .BR in ", " out ", or " fwd "."
605
606 .TP
607 .I CTX
608 sets the security context.
609
610 .TP
611 .I PTYPE
612 can be
613 .BR main " (default) or " sub "."
614
615 .TP
616 .I ACTION
617 can be
618 .BR allow " (default) or " block "."
619
620 .TP
621 .I PRIORITY
622 is a number that defaults to zero.
623
624 .TP
625 .I FLAG-LIST
626 contains one or both of the following optional flags:
627 .BR localok " or " icmp "."
628
629 .TP
630 .I LIMIT-LIST
631 sets limits in seconds, bytes, or numbers of packets.
632
633 .TP
634 .I TMPL-LIST
635 is a template list specified using
636 .IR ID ", " MODE ", " REQID ", and/or " LEVEL ". "
637
638 .TP
639 .IR ID
640 is specified by a source address, destination address,
641 .RI "transform protocol " XFRM-PROTO ","
642 and/or Security Parameter Index
643 .IR SPI "."
644 (For IP Payload Compression, the Compression Parameter Index or CPI is used for
645 .IR SPI ".)"
646
647 .TP
648 .I XFRM-PROTO
649 specifies a transform protocol:
650 .RB "IPsec Encapsulating Security Payload (" esp "),"
651 .RB "IPsec Authentication Header (" ah "),"
652 .RB "IP Payload Compression (" comp "),"
653 .RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
654 .RB "Mobile IPv6 Home Address Option (" hao ")."
655
656 .TP
657 .I MODE
658 specifies a mode of operation for the transform protocol. IPsec and IP Payload
659 Compression modes are
660 .BR transport ", " tunnel ","
661 and (for IPsec ESP only) Bound End-to-End Tunnel
662 .RB "(" beet ")."
663 Mobile IPv6 modes are route optimization
664 .RB "(" ro ")"
665 and inbound trigger
666 .RB "(" in_trigger ")."
667
668 .TP
669 .I LEVEL
670 can be
671 .BR required " (default) or " use "."
672
673 .sp
674 .PP
675 .TS
676 l l.
677 ip xfrm policy count count existing policies
678 .TE
679
680 .PP
681 Use one or more -s options to display more details, including policy hash table
682 information.
683
684 .sp
685 .PP
686 .TS
687 l l.
688 ip xfrm policy set configure the policy hash table
689 .TE
690
691 .PP
692 Security policies whose address prefix lengths are greater than or equal to the
693 policy hash table thresholds are hashed. Others are stored in the
694 policy_inexact chained list.
695
696 .TP
697 .I LBITS
698 specifies the minimum local address prefix length of policies that are
699 stored in the Security Policy Database hash table.
700
701 .TP
702 .I RBITS
703 specifies the minimum remote address prefix length of policies that are
704 stored in the Security Policy Database hash table.
705
706 .sp
707 .PP
708 .TS
709 l l.
710 ip xfrm monitor state monitoring for xfrm objects
711 .TE
712
713 .PP
714 The xfrm objects to monitor can be optionally specified.
715
716 .P
717 If the
718 .BI all-nsid
719 option is set, the program listens to all network namespaces that have a
720 nsid assigned into the network namespace where the program is running.
721 A prefix is displayed to show the network namespace where the message
722 originates. Example:
723 .sp
724 .in +2
725 [nsid 1]Flushed state proto 0
726 .in -2
727 .sp
728
729 .SH AUTHOR
730 Manpage revised by David Ward <david.ward@ll.mit.edu>
731 .br
732 Manpage revised by Christophe Gouault <christophe.gouault@6wind.com>
733 .br
734 Manpage revised by Nicolas Dichtel <nicolas.dichtel@6wind.com>