IP-XFRM(8)                          Linux                          IP-XFRM(8)

NAME
       ip-xfrm - transform configuration

SYNOPSIS
       ip [ OPTIONS ] xfrm { COMMAND | help }

       ip xfrm XFRM-OBJECT { COMMAND | help }

       XFRM-OBJECT := state | policy | monitor

       ip xfrm state { add | update } ID [ ALGO-LIST ] [ mode MODE ]
               [ mark MARK [ mask MASK ] ] [ reqid REQID ] [ seq SEQ ]
               [ replay-window SIZE ] [ replay-seq SEQ ] [ replay-oseq SEQ ]
               [ replay-seq-hi SEQ ] [ replay-oseq-hi SEQ ] [ flag FLAG-LIST ]
               [ sel SELECTOR ] [ LIMIT-LIST ] [ encap ENCAP ]
               [ coa ADDR[/PLEN] ] [ ctx CTX ] [ extra-flag EXTRA-FLAG-LIST ]
               [ output-mark OUTPUT-MARK ]

       ip xfrm state allocspi ID [ mode MODE ] [ mark MARK [ mask MASK ] ]
               [ reqid REQID ] [ seq SEQ ] [ min SPI max SPI ]

       ip xfrm state { delete | get } ID [ mark MARK [ mask MASK ] ]

       ip xfrm state { deleteall | list } [ ID ] [ mode MODE ] [ reqid REQID ]
               [ flag FLAG-LIST ]

       ip xfrm state flush [ proto XFRM-PROTO ]

       ip xfrm state count

       ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM-PROTO ] [ spi SPI ]

       XFRM-PROTO := esp | ah | comp | route2 | hao

       ALGO-LIST := [ ALGO-LIST ] ALGO

       ALGO := { enc | auth } ALGO-NAME ALGO-KEYMAT |
               auth-trunc ALGO-NAME ALGO-KEYMAT ALGO-TRUNC-LEN |
               aead ALGO-NAME ALGO-KEYMAT ALGO-ICV-LEN |
               comp ALGO-NAME

       MODE := transport | tunnel | beet | ro | in_trigger

       FLAG-LIST := [ FLAG-LIST ] FLAG

       FLAG := noecn | decap-dscp | nopmtudisc | wildrecv | icmp | af-unspec |
               align4 | esn

       SELECTOR := [ src ADDR[/PLEN] ] [ dst ADDR[/PLEN] ] [ dev DEV ]
               [ UPSPEC ]

       UPSPEC := proto { PROTO |
               { tcp | udp | sctp | dccp } [ sport PORT ] [ dport PORT ] |
               { icmp | ipv6-icmp | mobility-header } [ type NUMBER ] [ code NUMBER ] |
               gre [ key { DOTTED-QUAD | NUMBER } ] }

       LIMIT-LIST := [ LIMIT-LIST ] limit LIMIT

       LIMIT := { time-soft | time-hard | time-use-soft | time-use-hard } SECONDS |
               { byte-soft | byte-hard } SIZE |
               { packet-soft | packet-hard } COUNT

       ENCAP := { espinudp | espinudp-nonike } SPORT DPORT OADDR

       EXTRA-FLAG-LIST := [ EXTRA-FLAG-LIST ] EXTRA-FLAG

       EXTRA-FLAG := dont-encap-dscp

       ip xfrm policy { add | update } SELECTOR dir DIR [ ctx CTX ]
               [ mark MARK [ mask MASK ] ] [ index INDEX ] [ ptype PTYPE ]
               [ action ACTION ] [ priority PRIORITY ] [ flag FLAG-LIST ]
               [ LIMIT-LIST ] [ TMPL-LIST ]

       ip xfrm policy { delete | get } { SELECTOR | index INDEX } dir DIR
               [ ctx CTX ] [ mark MARK [ mask MASK ] ] [ ptype PTYPE ]

       ip xfrm policy { deleteall | list } [ nosock ] [ SELECTOR ] [ dir DIR ]
               [ index INDEX ] [ ptype PTYPE ] [ action ACTION ]
               [ priority PRIORITY ] [ flag FLAG-LIST ]

       ip xfrm policy flush [ ptype PTYPE ]

       ip xfrm policy count

       ip xfrm policy set [ hthresh4 LBITS RBITS ] [ hthresh6 LBITS RBITS ]

       SELECTOR := [ src ADDR[/PLEN] ] [ dst ADDR[/PLEN] ] [ dev DEV ]
               [ UPSPEC ]

       UPSPEC := proto { PROTO |
               { tcp | udp | sctp | dccp } [ sport PORT ] [ dport PORT ] |
               { icmp | ipv6-icmp | mobility-header } [ type NUMBER ] [ code NUMBER ] |
               gre [ key { DOTTED-QUAD | NUMBER } ] }

       DIR := in | out | fwd

       PTYPE := main | sub

       ACTION := allow | block

       FLAG-LIST := [ FLAG-LIST ] FLAG

       FLAG := localok | icmp

       LIMIT-LIST := [ LIMIT-LIST ] limit LIMIT

       LIMIT := { time-soft | time-hard | time-use-soft | time-use-hard } SECONDS |
               { byte-soft | byte-hard } SIZE |
               { packet-soft | packet-hard } COUNT

       TMPL-LIST := [ TMPL-LIST ] tmpl TMPL

       TMPL := ID [ mode MODE ] [ reqid REQID ] [ level LEVEL ]

       ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM-PROTO ] [ spi SPI ]

       XFRM-PROTO := esp | ah | comp | route2 | hao

       MODE := transport | tunnel | beet | ro | in_trigger

       LEVEL := required | use

       ip xfrm monitor [ all-nsid ] [ all | LISTofXFRM-OBJECTS ]

       LISTofXFRM-OBJECTS := [ LISTofXFRM-OBJECTS ] XFRM-OBJECT

       XFRM-OBJECT := acquire | expire | SA | policy | aevent | report

DESCRIPTION
       xfrm is an IP framework for transforming packets (such as encrypting
       their payloads). This framework is used to implement the IPsec protocol
       suite (with the state object operating on the Security Association
       Database, and the policy object operating on the Security Policy
       Database). It is also used for the IP Payload Compression Protocol and
       features of Mobile IPv6.

       ip xfrm state add        add new state into xfrm
       ip xfrm state update     update existing state in xfrm
       ip xfrm state allocspi   allocate an SPI value
       ip xfrm state delete     delete existing state in xfrm
       ip xfrm state get        get existing state in xfrm
       ip xfrm state deleteall  delete all existing state in xfrm
       ip xfrm state list       print out the list of existing state in xfrm
       ip xfrm state flush      flush all state in xfrm
       ip xfrm state count      count all existing state in xfrm

       ID     is specified by a source address, destination address, transform
              protocol XFRM-PROTO, and/or Security Parameter Index SPI. (For IP
              Payload Compression, the Compression Parameter Index or CPI is
              used for SPI.)

       XFRM-PROTO
              specifies a transform protocol: IPsec Encapsulating Security
              Payload (esp), IPsec Authentication Header (ah), IP Payload
              Compression (comp), Mobile IPv6 Type 2 Routing Header (route2),
              or Mobile IPv6 Home Address Option (hao).

       ALGO-LIST
              contains one or more algorithms to use. Each algorithm ALGO is
              specified by:

              · the algorithm type: encryption (enc), authentication (auth or
                auth-trunc), authenticated encryption with associated data
                (aead), or compression (comp)

              · the algorithm name ALGO-NAME (see below)

              · (for all except comp) the keying material ALGO-KEYMAT, which
                may include both a key and a salt or nonce value; refer to the
                corresponding RFC

              · (for auth-trunc only) the truncation length ALGO-TRUNC-LEN in
                bits

              · (for aead only) the Integrity Check Value length ALGO-ICV-LEN
                in bits

              Encryption algorithms include ecb(cipher_null), cbc(des),
              cbc(des3_ede), cbc(cast5), cbc(blowfish), cbc(aes),
              cbc(serpent), cbc(camellia), cbc(twofish), and rfc3686(ctr(aes)).

              Authentication algorithms include digest_null, hmac(md5),
              hmac(sha1), hmac(sha256), hmac(sha384), hmac(sha512),
              hmac(rmd160), and xcbc(aes).

              Authenticated encryption with associated data (AEAD) algorithms
              include rfc4106(gcm(aes)), rfc4309(ccm(aes)), and
              rfc4543(gcm(aes)).

              Compression algorithms include deflate, lzs, and lzjh.

       MODE   specifies a mode of operation for the transform protocol. IPsec
              and IP Payload Compression modes are transport, tunnel, and (for
              IPsec ESP only) Bound End-to-End Tunnel (beet). Mobile IPv6 modes
              are route optimization (ro) and inbound trigger (in_trigger).

       FLAG-LIST
              contains one or more of the following optional flags: noecn,
              decap-dscp, nopmtudisc, wildrecv, icmp, af-unspec, align4, or
              esn.

       SELECTOR
              selects the traffic that will be controlled by the policy, based
              on the source address, the destination address, the network
              device, and/or UPSPEC.

       UPSPEC selects traffic by protocol. For the tcp, udp, sctp, or dccp
              protocols, the source and destination port can optionally be
              specified. For the icmp, ipv6-icmp, or mobility-header protocols,
              the type and code numbers can optionally be specified. For the
              gre protocol, the key can optionally be specified as a
              dotted-quad or number. Other protocols can be selected by name or
              number PROTO.

       LIMIT-LIST
              sets limits in seconds, bytes, or numbers of packets.

       ENCAP  encapsulates packets with protocol espinudp or espinudp-nonike,
              using source port SPORT, destination port DPORT, and original
              address OADDR.

       MARK   is used to match xfrm policies and states.

       OUTPUT-MARK
              is used to set the output mark to influence the routing of the
              packets emitted by the state.

       ip xfrm policy add        add a new policy
       ip xfrm policy update     update an existing policy
       ip xfrm policy delete     delete an existing policy
       ip xfrm policy get        get an existing policy
       ip xfrm policy deleteall  delete all existing xfrm policies
       ip xfrm policy list       print out the list of xfrm policies
       ip xfrm policy flush      flush policies

       nosock filters (removes) all socket policies from the output.

       SELECTOR
              selects the traffic that will be controlled by the policy, based
              on the source address, the destination address, the network
              device, and/or UPSPEC.

       UPSPEC selects traffic by protocol. For the tcp, udp, sctp, or dccp
              protocols, the source and destination port can optionally be
              specified. For the icmp, ipv6-icmp, or mobility-header protocols,
              the type and code numbers can optionally be specified. For the
              gre protocol, the key can optionally be specified as a
              dotted-quad or number. Other protocols can be selected by name or
              number PROTO.

       DIR    selects the policy direction as in, out, or fwd.

       CTX    sets the security context.

       PTYPE  can be main (default) or sub.

       ACTION can be allow (default) or block.

       PRIORITY
              is a number that defaults to zero.

       FLAG-LIST
              contains one or both of the following optional flags: localok or
              icmp.

       LIMIT-LIST
              sets limits in seconds, bytes, or numbers of packets.

       TMPL-LIST
              is a template list specified using ID, MODE, REQID, and/or LEVEL.

       ID     is specified by a source address, destination address, transform
              protocol XFRM-PROTO, and/or Security Parameter Index SPI. (For IP
              Payload Compression, the Compression Parameter Index or CPI is
              used for SPI.)

       XFRM-PROTO
              specifies a transform protocol: IPsec Encapsulating Security
              Payload (esp), IPsec Authentication Header (ah), IP Payload
              Compression (comp), Mobile IPv6 Type 2 Routing Header (route2),
              or Mobile IPv6 Home Address Option (hao).

       MODE   specifies a mode of operation for the transform protocol. IPsec
              and IP Payload Compression modes are transport, tunnel, and (for
              IPsec ESP only) Bound End-to-End Tunnel (beet). Mobile IPv6 modes
              are route optimization (ro) and inbound trigger (in_trigger).

       LEVEL  can be required (default) or use.
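       As an added example (not part of the iproute2 manual), the shell script
       below puts the state and policy objects described in the two sections
       above together: it generates the ip xfrm state add commands for a
       transport-mode ESP pair between two hosts using rfc4106(gcm(aes)), and
       the ip xfrm policy add commands whose templates require those states
       via a shared reqid. Addresses, SPIs and keys are constructed
       placeholders, and the ALGO-KEYMAT length is checked against what
       rfc4106 expects (an AES key plus a 32-bit salt) before anything is
       emitted. Commands are printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from iproute2: generate the "ip xfrm state add" and
# "ip xfrm policy add" commands for a transport-mode ESP pair between two
# hosts, using rfc4106(gcm(aes)) with ESN and a 128-bit ICV.
# Commands are printed by default; set APPLY=1 to execute them (needs root).

LOCAL=192.0.2.1    # constructed sample addresses (documentation range)
PEER=192.0.2.2
SPI_OUT=0x1001     # constructed SPIs; "ip xfrm state allocspi" can pick real ones
SPI_IN=0x1002
REQID=1
# Constructed keymat: a 128-bit AES key followed by the 32-bit salt that
# rfc4106 requires, 40 hex digits in total. Real keys come from IKE or a
# CSPRNG, never from a script.
KEY_OUT=0x0123456789abcdef0123456789abcdef01020304
KEY_IN=0xfedcba9876543210fedcba9876543210a1b2c3d4

# keymat_bits HEX: length in bits of a 0x-prefixed hex ALGO-KEYMAT.
keymat_bits() {
    h=${1#0x}
    echo $(( ${#h} * 4 ))
}

# check_gcm_keymat HEX: rfc4106(gcm(aes)) keymat is an AES key of 128, 192
# or 256 bits plus a 32-bit salt, so only 160, 224 or 288 bits are valid.
check_gcm_keymat() {
    case $(keymat_bits "$1") in
        160|224|288) return 0 ;;
        *) return 1 ;;
    esac
}

# sa_cmd SRC DST SPI KEYMAT: one ESP state (Security Association) in
# transport mode. ESN is tied to the replay window, so one is set explicitly.
sa_cmd() {
    cmd="ip xfrm state add src $1 dst $2 proto esp spi $3"
    cmd="$cmd aead 'rfc4106(gcm(aes))' $4 128 mode transport reqid $REQID"
    cmd="$cmd replay-window 128 flag esn"
    echo "$cmd"
}

# xfrm_state_cmds: both directions; emit nothing if either keymat is wrong.
xfrm_state_cmds() {
    for k in "$KEY_OUT" "$KEY_IN"; do
        check_gcm_keymat "$k" || { echo "keymat $k: bad rfc4106 length" >&2; return 1; }
    done
    sa_cmd "$LOCAL" "$PEER" "$SPI_OUT" "$KEY_OUT"
    sa_cmd "$PEER" "$LOCAL" "$SPI_IN" "$KEY_IN"
}

# policy_cmd SRC DST DIR: require ESP (level required) for host-to-host
# traffic in one direction; the template's reqid ties it to the states above.
policy_cmd() {
    cmd="ip xfrm policy add src $1/32 dst $2/32 dir $3 action allow"
    cmd="$cmd tmpl proto esp reqid $REQID mode transport level required"
    echo "$cmd"
}

xfrm_policy_cmds() {
    policy_cmd "$LOCAL" "$PEER" out
    policy_cmd "$PEER" "$LOCAL" in
}

# xfrm_setup: print or apply the whole set. States go in before policies: a
# policy whose template has no matching state makes the kernel drop the
# traffic and emit acquire events until the state appears.
xfrm_setup() {
    cmds=$(xfrm_state_cmds) || return 1
    cmds="$cmds
$(xfrm_policy_cmds)"
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$cmds" | sh -e
    else
        printf '%s\n' "$cmds"
    fi
}

xfrm_setup
```

       Run as-is to review the commands; ip xfrm state list and ip xfrm policy
       list afterwards (with APPLY=1) show the objects as the kernel holds
       them, and the reqid is what lets the two be matched up in that output.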

       ip xfrm policy count      count existing policies

       Use one or more -s options to display more details, including policy
       hash table information.

       ip xfrm policy set        configure the policy hash table

       Security policies whose address prefix lengths are greater than or
       equal to the policy hash table thresholds are hashed. Others are stored
       in the policy_inexact chained list.

       LBITS  specifies the minimum local address prefix length of policies
              that are stored in the Security Policy Database hash table.

       RBITS  specifies the minimum remote address prefix length of policies
              that are stored in the Security Policy Database hash table.


       ip xfrm monitor           state monitoring for xfrm objects

       The xfrm objects to monitor can be optionally specified.

       If the all-nsid option is set, the program listens to all network
       namespaces that have a nsid assigned into the network namespace where
       the program is running. A prefix is displayed to show the network
       namespace where the message originates. Example:

              [nsid 1]Flushed state proto 0
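       As an added example (not from iproute2), the shell functions below read
       lines in the form ip xfrm monitor all-nsid prints, split off the
       [nsid N] prefix so that each event can be attributed to a namespace,
       and raise an alert for flush events, since a flushed SAD or SPD is the
       moment at which traffic a policy required to be protected may stop
       being so. The sample lines are constructed for this example; the only
       line taken from the manual is the [nsid 1]Flushed state proto 0 one.

```shell
#!/bin/sh
# Added example, not from iproute2: classify "ip xfrm monitor all-nsid"
# output per network namespace and flag flush events.

# Constructed sample of monitor output; the "[nsid N]" prefix form is the one
# documented above, the event texts themselves are illustrative.
SAMPLE_MONITOR='[nsid 1]Flushed state proto 0
Flushed policy
[nsid 2]Flushed state proto 0
Deleted src 192.0.2.1 dst 192.0.2.2
[nsid 1]Flushed policy'

# nsid_of LINE: print the nsid from a "[nsid N]" prefix, or "self" when the
# message comes from the namespace the monitor runs in (no prefix).
nsid_of() {
    case $1 in
        "[nsid "*"]"*) rest=${1#"[nsid "}; echo "${rest%%]*}" ;;
        *) echo self ;;
    esac
}

# message_of LINE: the event text with any "[nsid N]" prefix removed.
message_of() {
    case $1 in
        "[nsid "*"]"*) echo "${1#*]}" ;;
        *) echo "$1" ;;
    esac
}

# classify_line LINE: "ALERT nsid=N msg" for SAD/SPD flushes, "info nsid=N msg"
# for everything else. A flush removes every state or policy at once, so
# traffic that a policy required to be protected may fall through unprotected.
classify_line() {
    ns=$(nsid_of "$1")
    msg=$(message_of "$1")
    case $msg in
        Flushed*) echo "ALERT nsid=$ns $msg" ;;
        *) echo "info nsid=$ns $msg" ;;
    esac
}

# count_alerts: read monitor lines on stdin, print how many were alerts.
count_alerts() {
    n=0
    while IFS= read -r line; do
        case $(classify_line "$line") in ALERT*) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

# Run over the constructed sample. Against a live system, feed it with:
#   ip xfrm monitor all-nsid | while IFS= read -r l; do classify_line "$l"; done
printf '%s\n' "$SAMPLE_MONITOR" | while IFS= read -r l; do classify_line "$l"; done
```

       The nsid values are those of the namespace the monitor runs in; the
       same remote namespace may carry a different nsid elsewhere, so keep the
       mapping alongside the monitor's own namespace when recording alerts.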

AUTHOR
       Manpage revised by David Ward <david.ward@ll.mit.edu>
       Manpage revised by Christophe Gouault <christophe.gouault@6wind.com>
       Manpage revised by Nicolas Dichtel <nicolas.dichtel@6wind.com>

iproute2                          20 Dec 2011                        IP-XFRM(8)