1IP(8)                                Linux                               IP(8)

NAME

6       ip - show / manipulate routing, devices, policy routing and tunnels
7

SYNOPSIS

9       ip [ OPTIONS ] OBJECT { COMMAND | help }
10
11
12       OBJECT := { link | addr | addrlabel | route | rule | neigh | tunnel |
13               maddr | mroute | monitor }
14
15
16       OPTIONS := { -V[ersion] | -s[tatistics] | -r[esolve] | -f[amily] { inet
17               | inet6 | ipx | dnet | link } | -o[neline] }
18
19       ip link set DEVICE { up | down | arp { on | off } |
20               promisc { on | off } |
21               allmulticast { on | off } |
22               dynamic { on | off } |
23               multicast { on | off } |
24               txqueuelen PACKETS |
25               name NEWNAME |
26               address LLADDR | broadcast LLADDR |
27               mtu MTU |
28               netns PID |
29               alias NAME |
30               vf NUM [ mac LLADDR ] [ vlan VLANID [ qos VLAN-QOS ] ] [ rate
31               TXRATE ] [ spoofchk { on | off } ] |  }
32
33
34       ip link show [ DEVICE ]
35
36       ip addr { add | del } IFADDR dev STRING
37
38       ip addr { show | flush } [ dev STRING ] [ scope SCOPE-ID ] [ to PREFIX
39               ] [ FLAG-LIST ] [ label PATTERN ]
40
41       IFADDR := PREFIX | ADDR peer PREFIX [ broadcast ADDR ] [ anycast ADDR ]
42               [ label STRING ] [ scope SCOPE-ID ]
43
44       SCOPE-ID := [ host | link | global | NUMBER ]
45
46       FLAG-LIST := [ FLAG-LIST ] FLAG
47
48       FLAG := [ permanent | dynamic | secondary | primary | tentative | dep‐
49               recated ]
50
51       ip addrlabel { add | del } prefix PREFIX [ dev DEV ] [ label NUMBER ]
52
53       ip addrlabel { list | flush }
54
55       ip route { list | flush } SELECTOR
56
57       ip route get ADDRESS [ from ADDRESS iif STRING  ] [ oif STRING ] [ tos
58               TOS ]
59
60       ip route { add | del | change | append | replace | monitor } ROUTE
61
62       SELECTOR := [ root PREFIX ] [ match PREFIX ] [ exact PREFIX ] [ table
63               TABLE_ID ] [ proto RTPROTO ] [ type TYPE ] [ scope SCOPE ]
64
65       ROUTE := NODE_SPEC [ INFO_SPEC ]
66
67       NODE_SPEC := [ TYPE ] PREFIX [ tos TOS ] [ table TABLE_ID ] [ proto
68               RTPROTO ] [ scope SCOPE ] [ metric METRIC ]
69
70       INFO_SPEC := NH OPTIONS FLAGS [ nexthop NH ] ...
71
72       NH := [ via ADDRESS ] [ dev STRING ] [ weight NUMBER ] NHFLAGS
73
74       OPTIONS := FLAGS [ mtu NUMBER ] [ advmss NUMBER ] [ rtt TIME ] [ rttvar
75               TIME ] [ window NUMBER ] [ cwnd NUMBER ] [ initcwnd NUMBER ] [
76               ssthresh REALM ] [ realms REALM ] [ rto_min TIME ] [ initrwnd
77               NUMBER ]
78
79       TYPE := [ unicast | local | broadcast | multicast | throw | unreachable
80               | prohibit | blackhole | nat ]
81
82       TABLE_ID := [ local| main | default | all | NUMBER ]
83
84       SCOPE := [ host | link | global | NUMBER ]
85
86       FLAGS := [ equalize ]
87
88       NHFLAGS := [ onlink | pervasive ]
89
90       RTPROTO := [ kernel | boot | static | NUMBER ]
91
92       ip rule  [ list | add | del | flush ] SELECTOR ACTION
93
94       SELECTOR := [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ fwmark
95               FWMARK[/MASK] ] [ dev STRING ] [ pref NUMBER ]
96
97       ACTION := [ table TABLE_ID ] [ nat ADDRESS ] [ realms
98               [SRCREALM/]DSTREALM ]
99
100       TABLE_ID := [ local | main | default | NUMBER ]
101
102       ip neigh { add | del | change | replace } { ADDR [ lladdr LLADDR ] [
103               nud { permanent | noarp | stale | reachable } ] | proxy ADDR }
104               [ dev DEV ]
105
106       ip neigh { show | flush } [ to PREFIX ] [ dev DEV ] [ nud STATE ]
107
108       ip tunnel { add | change | del | show | prl } [ NAME ]
109               [ mode MODE ] [ remote ADDR ] [ local ADDR ]
110               [ [i|o]seq ] [ [i|o]key KEY ] [ [i|o]csum ] ]
111               [ encaplimit ELIM ] [ ttl TTL ]
112               [ tos TOS ] [ flowlabel FLOWLABEL ]
113               [ prl-default ADDR ] [ prl-nodefault ADDR ] [ prl-delete ADDR ]
114               [ [no]pmtudisc ] [ dev PHYS_DEV ] [ dscp inherit ]
115
116       MODE :=  { ipip | gre | sit | isatap | ip6ip6 | ipip6 | any }
117
118       ADDR := { IP_ADDRESS | any }
119
120       TOS := { NUMBER | inherit }
121
122       ELIM := { none | 0..255 }
123
124       TTL := { 1..255 | inherit }
125
126       KEY := { DOTTED_QUAD | NUMBER }
127
128       TIME := NUMBER[s|ms]
129
130       ip maddr [ add | del ] MULTIADDR dev NAME
131
132       ip maddr show [ dev NAME ]
133
134       ip mroute show [ PREFIX ] [ from PREFIX ] [ iif DEVICE ]
135
136       ip monitor [ all | OBJECT-LIST ]
137
138       ip xfrm XFRM_OBJECT { COMMAND }
139
140       XFRM_OBJECT := { state | policy | monitor }
141
142       ip xfrm state { add | update } ID [ XFRM_OPT ]  [ mode MODE ]
143                [ reqid REQID ]  [ seq SEQ ]  [ replay-window SIZE ]
144                [ flag FLAG-LIST ]  [ encap ENCAP ]  [ sel SELECTOR ]
145                [ LIMIT-LIST ]
146
147       ip xfrm state allocspi ID  [ mode MODE ]  [ reqid REQID ]  [ seq SEQ ]
148               [ min SPI max SPI ]
149
150       ip xfrm state { delete | get } ID
151
152       ip xfrm state { deleteall | list } [ ID ]  [ mode MODE ]
153                [ reqid REQID ]  [ flag FLAG_LIST ]
154
155       ip xfrm state flush [ proto XFRM_PROTO ]
156
157       ip xfrm state count
158
159       ID :=  [ src ADDR ]  [ dst ADDR ]  [ proto XFRM_PROTO ]  [ spi SPI ]
160
161       XFRM_PROTO :=  [ esp | ah | comp | route2 | hao ]
162
163       MODE :=  [ transport | tunnel | ro | beet ] (default=transport)
164
165       FLAG-LIST :=  [ FLAG-LIST ] FLAG
166
167       FLAG :=  [ noecn | decap-dscp | wildrecv ]
168
169       ENCAP := ENCAP-TYPE SPORT DPORT OADDR
170
171       ENCAP-TYPE := espinudp  | espinudp-nonike
172
173       ALGO-LIST := [ ALGO-LIST ] | [ ALGO ]
174
175       ALGO := ALGO_TYPE ALGO_NAME ALGO_KEY
176
177       ALGO_TYPE :=  [ enc | auth | comp ]
178
179       SELECTOR := src ADDR[/PLEN] dst ADDR[/PLEN]  [ UPSPEC ]  [ dev DEV ]
180
181       UPSPEC := proto PROTO [[ sport PORT ]  [ dport PORT ] |
182                [ type NUMBER ]  [ code NUMBER ]]
183
184       LIMIT-LIST := [ LIMIT-LIST ] |  [ limit LIMIT ]
185
186       LIMIT :=  [ [time-soft|time-hard|time-use-soft|time-use-hard] SECONDS ]
187               | [ [byte-soft|byte-hard] SIZE ] |
188                [ [packet-soft|packet-hard] COUNT ]
189
190       ip xfrm policy { add | update }  dir DIR SELECTOR [ index INDEX ]
191                [ ptype PTYPE ]  [ action ACTION ]  [ priority PRIORITY ]
192                [ LIMIT-LIST ] [ TMPL-LIST ]
193
194       ip xfrm policy { delete | get }  dir DIR [ SELECTOR | index INDEX  ]
195                [ ptype PTYPE ]
196
197       ip xfrm policy { deleteall | list }  [ dir DIR ] [ SELECTOR ]
198                [ index INDEX ]  [ action ACTION ]  [ priority PRIORITY ]
199
200       ip xfrm policy flush  [ ptype PTYPE ]
201
202       ip xfrm count
203
204       PTYPE :=  [ main | sub ] (default=main)
205
206       DIR :=  [ in | out | fwd ]
207
208       SELECTOR := src ADDR[/PLEN] dst ADDR[/PLEN] [ UPSPEC  ] [ dev DEV ]
209
210       UPSPEC := proto PROTO [  [ sport PORT ]  [ dport PORT ] |
211                [ type NUMBER ]  [ code NUMBER ] ]
212
213       ACTION :=  [ allow | block ] (default=allow)
214
215       LIMIT-LIST :=  [ LIMIT-LIST ] |  [ limit LIMIT ]
216
217       LIMIT :=  [ [time-soft|time-hard|time-use-soft|time-use-hard] SECONDS ]
218               |  [ [byte-soft|byte-hard] SIZE ] |
219               [ [packet-soft|packet-hard] NUMBER ]
220
221       TMPL-LIST :=  [ TMPL-LIST ] |  [ tmpl TMPL ]
222
223       TMPL := ID [ mode MODE ]  [ reqid REQID ]  [ level LEVEL ]
224
225       ID :=  [ src ADDR ]  [ dst ADDR ]  [ proto XFRM_PROTO ]  [ spi SPI ]
226
227       XFRM_PROTO :=  [ esp | ah | comp | route2 | hao ]
228
229       MODE :=  [ transport | tunnel | beet ] (default=transport)
230
231       LEVEL :=  [ required | use ] (default=required)
232
233       ip xfrm monitor [ all | OBJECT-LIST ]
234
235       ip token { COMMAND | help }
236
237       ip token { set } TOKEN dev DEV
238
239       ip token { get } dev DEV
240
241       ip token { list }
242
243
244

OPTIONS

246       -V, -Version
247              print the version of the ip utility and exit.
248
249
250       -s, -stats, -statistics
251              Output  more  information.  If the option appears twice or more,
252              the amount of information increases.  As a rule, the information
253              is statistics or some time values.
254
255
256       -h, -human, -human-readable
257              output  statistics with human-readable values: a number followed by
258              a suffix
259
260
261       -iec   print human readable rates in IEC units (i.e. 1K = 1024).
262
263

-f, -family <FAMILY>

265Specifies the protocol family to use. The protocol family  identifier  can  be
266one  of  inet,  inet6,  ipx, dnet or link.  If this option is not present, the
267protocol family is guessed from other arguments. If the rest  of  the  command
268line  does  not  give enough information to guess the family, ip falls back to
269the default one, usually inet or any.  link is  a  special  family  identifier
270meaning that no networking protocol is involved.
271
272

-4

274shortcut for -family inet.
275
276

-6

278shortcut for -family inet6.
279
280

-0

282shortcut for -family link.
283
284

-o, -oneline

286output each record on a single line, replacing line feeds with the '\' charac‐
287ter. This is convenient when you want  to  count  records  with  wc(1)  or  to

grep(1) the output.

289
290

-r, -resolve

292use the system's name resolver to print DNS names instead of host addresses.
293
294

IP - COMMAND SYNTAX

296   OBJECT
297       link   - network device.
298
299
300       address
301              - protocol (IP or IPv6) address on a device.
302
303
304       addrlabel
305              - label configuration for protocol address selection.
306
307
308       neighbour
309              - ARP or NDISC cache entry.
310
311
312       route  - routing table entry.
313
314
315       rule   - rule in routing policy database.
316
317
318       maddress
319              - multicast address.
320
321
322       mroute - multicast routing cache entry.
323
324
325       tunnel - tunnel over IP.
326
327
328       xfrm   - framework for IPsec protocol.
329
330
331       The  names  of  all objects may be written in full or abbreviated form,
332       for example address can be abbreviated as addr or just a.
333
334
335   COMMAND
336       Specifies the action to perform on the object.   The  set  of  possible
337       actions  depends on the object type.  As a rule, it is possible to add,
338       delete and show (or list ) objects, but some objects do not  allow  all
339       of  these operations or have some additional commands. The help command
340       is available for all objects. It prints out a list  of  available  com‐
341       mands and argument syntax conventions.
342
343       If no command is given, some default command is assumed.  Usually it is
344       list or, if the objects of this class cannot be listed, help.
345
346
348       link is a network device and the  corresponding  commands  display  and
349       change the state of devices.
350
351
352   ip link set - change device attributes
353       dev NAME (default)
354              NAME  specifies  network  device to operate on. When configuring
355              SR-IOV Virtual Function (VF) devices, this keyword should  spec‐
356              ify the associated Physical Function (PF) device.
357
358
359       up and down
360              change the state of the device to UP or DOWN.
361
362
363       arp on or arp off
364              change the NOARP flag on the device.
365
366
367       multicast on or multicast off
368              change the MULTICAST flag on the device.
369
370
371       dynamic on or dynamic off
372              change the DYNAMIC flag on the device.
373
374
375       name NAME
376              change the name of the device. This operation is not recommended
377              if the device is running or has some addresses  already  config‐
378              ured.
379
380
381       txqueuelen NUMBER
382
383       txqlen NUMBER
384              change the transmit queue length of the device.
385
386
387       mtu NUMBER
388              change the MTU of the device.
389
390
391       address LLADDRESS
392              change the station address of the interface.
393
394
395       broadcast LLADDRESS
396
397       brd LLADDRESS
398
399       peer LLADDRESS
400              change the link layer broadcast address or the peer address when
401              the interface is POINTOPOINT.
402
403
404       netns PID
405              move the device to the network  namespace  associated  with  the
406              process PID.
407
408
409       alias NAME
410              give the device a symbolic name for easy reference.
411
412
413       vf NUM specify  a Virtual Function device to be configured. The associ‐
414              ated PF device must be specified using the dev parameter.
415
416                      mac LLADDRESS - change the station address for the spec‐
417                      ified VF. The vf parameter must be specified.
418
419
420                      vlan VLANID - change the assigned VLAN for the specified
421                      VF. When specified, all traffic sent from the VF will be
422                      tagged with the specified VLAN ID. Incoming traffic will
423                      be filtered for the specified VLAN ID, and will have all
424                      VLAN  tags  stripped before being passed to the VF. Set‐
425                      ting this parameter to 0 disables VLAN tagging and  fil‐
426                      tering. The vf parameter must be specified.
427
428
429                      qos  VLAN-QOS  - assign VLAN QOS (priority) bits for the
430                      VLAN tag. When specified, all VLAN tags  transmitted  by
431                      the  VF  will include the specified priority bits in the
432                      VLAN tag. If not specified, the value is assumed  to  be
433                      0.  Both  the  vf and vlan parameters must be specified.
434                      Setting both vlan and qos as 0 disables VLAN tagging and
435                      filtering for the VF.
436
437
438                      rate  TXRATE - change the allowed transmit bandwidth, in
439                      Mbps, for the specified VF.  Setting this parameter to 0
440                      disables  rate limiting. The vf parameter must be speci‐
441                      fied.
442
443                      spoofchk on|off - turn packet spoof checking on  or  off
444                      for the specified VF.
445
446
447
448       Warning: If multiple parameter changes are requested, ip aborts immedi‐
449       ately after any of the changes have failed.  This is the only case when
450       ip  can  move  the system to an unpredictable state. The solution is to
451       avoid changing several parameters with one ip link set call.
452
453
454   ip link show - display device attributes
455       dev NAME (default)
456              NAME specifies the network device to show.  If this argument  is
457              omitted all devices are listed.
458
459
460       up     only display running interfaces.
461
462

ip address - protocol address management.

464       The  address  is  a protocol (IP or IPv6) address attached to a network
465       device. Each device must have at least one address to  use  the  corre‐
466       sponding  protocol.  It is possible to have several different addresses
467       attached to one device. These addresses are not discriminated, so  that
468       the  term  alias is not quite appropriate for them and we do not use it
469       in this document.
470
471       The ip addr command displays addresses and their properties,  adds  new
472       addresses and deletes old ones.
473
474
475   ip address add - add new protocol address.
476       dev NAME
477              the name of the device to add the address to.
478
479
480       local ADDRESS (default)
481              the  address of the interface. The format of the address depends
482              on the protocol. It is a dotted quad for IP and  a  sequence  of
483              hexadecimal  halfwords separated by colons for IPv6. The ADDRESS
484              may be followed by a slash and a decimal  number  which  encodes
485              the network prefix length.
486
487
488       peer ADDRESS
489              the  address  of the remote endpoint for pointopoint interfaces.
490              Again, the ADDRESS may be followed by a slash and a decimal num‐
491              ber,  encoding  the  network prefix length. If a peer address is
492              specified, the local address cannot have a  prefix  length.  The
493              network  prefix is associated with the peer rather than with the
494              local address.
495
496
497       broadcast ADDRESS
498              the broadcast address on the interface.
499
500              It is possible to use the special symbols '+' and '-' instead of
501              the  broadcast  address.  In this case, the broadcast address is
502              derived by setting/resetting the host bits of the interface pre‐
503              fix.
504
505
506       label NAME
507              Each  address  may  be  tagged with a label string.  In order to
508              preserve compatibility with Linux-2.0 net aliases,  this  string
509              must  coincide  with  the name of the device or must be prefixed
510              with the device name followed by colon.
511
512
513       scope SCOPE_VALUE
514              the scope of the area where this address is valid.   The  avail‐
515              able  scopes are listed in file /etc/iproute2/rt_scopes.  Prede‐
516              fined scope values are:
517
518                      global - the address is globally valid.
519
520                      site - (IPv6 only) the address is site local, i.e. it is
521                      valid inside this site.
522
523                      link  - the address is link local, i.e. it is valid only
524                      on this device.
525
526                      host - the address is valid only inside this host.
527
528
529   ip address delete - delete protocol address
530       Arguments: coincide with the arguments of ip addr add.  The device name
531       is  a  required  argument.  The rest are optional.  If no arguments are
532       given, the first address is deleted.
533
534
535   ip address show - look at protocol addresses
536       dev NAME (default)
537              name of device.
538
539
540       scope SCOPE_VAL
541              only list addresses with this scope.
542
543
544       to PREFIX
545              only list addresses matching this prefix.
546
547
548       label PATTERN
549              only list addresses with labels matching the  PATTERN.   PATTERN
550              is a usual shell style pattern.
551
552
553       dynamic and permanent
554              (IPv6  only)  only  list  addresses  installed  due to stateless
555              address configuration  or  only  list  permanent  (not  dynamic)
556              addresses.
557
558
559       tentative
560              (IPv6  only)  only  list  addresses which did not pass duplicate
561              address detection.
562
563
564       deprecated
565              (IPv6 only) only list deprecated addresses.
566
567
568       primary and secondary
569              only list primary (or secondary) addresses.
570
571
572   ip address flush - flush protocol addresses
573       This command flushes the protocol addresses selected by some criteria.
574
575
576       This command has the same arguments as show.  The difference is that it
577       does not run when no arguments are given.
578
579
580       Warning:  This  command  (and  other flush commands described below) is
581       pretty dangerous. If you make a mistake, it will not  forgive  it,  but
582       will cruelly purge all the addresses.
583
584
585       With the -statistics option, the command becomes verbose. It prints out
586       the number of deleted addresses and the number of rounds made to  flush
587       the  address  list.  If  this option is given twice, ip addr flush also
588       dumps all the deleted addresses in the format described in the previous
589       subsection.
590
591

ip addrlabel - protocol address label management.

593       IPv6  address labels are used for address selection; they are described
594       in RFC 3484. Precedence is managed by userspace,  and  only  the  label
595       itself is stored in the kernel.
596
597
598   ip addrlabel add - add an address label
599       add an address label entry to the kernel.
600
601       prefix PREFIX
602
603       dev DEV
604              the outgoing interface.
605
606       label NUMBER
607              the label for the prefix.  0xffffffff is reserved.
608
609   ip addrlabel del - delete an address label
610       delete  an  address  label  entry from the kernel.  Arguments: coincide
611       with the arguments of ip addrlabel add but the label is not required.
612
613   ip addrlabel list - list address labels
614       list the current address label entries in the kernel.
615
616   ip addrlabel flush - flush address labels
617       flush all address labels in the  kernel.  This  does  not  restore  any
618       default settings.
619

ip neighbour - neighbour/arp tables management.

621       neighbour  objects  establish  bindings  between protocol addresses and
622       link layer addresses  for  hosts  sharing  the  same  link.   Neighbour
623       entries  are  organized  into  tables. The IPv4 neighbour table is also
624       known by another name - the ARP table.
625
626
627       The corresponding commands display neighbour bindings and their proper‐
628       ties, add new neighbour entries and delete old ones.
629
630
631   ip neighbour add - add a new neighbour entry
632   ip neighbour change - change an existing entry
633   ip neighbour replace - add a new entry or change an existing one
634       These commands create new neighbour records or update existing ones.
635
636
637       to ADDRESS (default)
638              the  protocol  address of the neighbour. It is either an IPv4 or
639              IPv6 address.
640
641
642       dev NAME
643              the interface to which this neighbour is attached.
644
645
646       lladdr LLADDRESS
647              the link layer address of the neighbour.  LLADDRESS can also  be
648              null.
649
650
651       nud NUD_STATE
652              the  state  of  the neighbour entry.  nud is an abbreviation for
653              'Neighbour Unreachability Detection'.  The state can  take  one
654              of the following values:
655
656                      permanent - the neighbour entry is valid forever and can
657                      only be removed administratively.
658
659
660                      noarp - the neighbour entry is  valid.  No  attempts  to
661                      validate  this  entry will be made but it can be removed
662                      when its lifetime expires.
663
664
665                      reachable - the  neighbour  entry  is  valid  until  the
666                      reachability timeout expires.
667
668
669                      stale  -  the  neighbour  entry is valid but suspicious.
670                      This option to ip neigh does not  change  the  neighbour
671                      state  if it was valid and the address is not changed by
672                      this command.
673
674
675   ip neighbour delete - delete a neighbour entry
676       This command invalidates a neighbour entry.
677
678
679       The arguments are the same as with ip neigh add, except that lladdr and
680       nud are ignored.
681
682
683       Warning: Attempts to delete or manually change a noarp entry created by
684       the kernel may result in unpredictable  behaviour.   Particularly,  the
685       kernel  may try to resolve this address even on a NOARP interface or if
686       the address is multicast or broadcast.
687
688
689   ip neighbour show - list neighbour entries
690       This command displays neighbour tables.
691
692
693       to ADDRESS (default)
694              the prefix selecting the neighbours to list.
695
696
697       dev NAME
698              only list the neighbours attached to this device.
699
700
701       unused only list neighbours which are not currently in use.
702
703
704       nud NUD_STATE
705              only list neighbour entries in this state.  NUD_STATE takes val‐
706              ues  listed  below  or  the  special  value  all which means all
707              states. This option may occur more than once.  If this option is
708              absent, ip lists all entries except for none and noarp.
709
710
711   ip neighbour flush - flush neighbour entries
712       This  command  flushes  neighbour tables, selecting entries to flush by
713       some criteria.
714
715
716       This command has the same arguments as show.  The differences are  that
717       it  does  not  run  when  no  arguments are given, and that the default
718       neighbour states to be flushed do not include permanent and noarp.
719
720
721       With the -statistics option, the command becomes verbose. It prints out
722       the number of deleted neighbours and the number of rounds made to flush
723       the neighbour table. If the option is given twice, ip neigh flush  also
724       dumps all the deleted neighbours.
725
726

ip route - routing table management

728       Manipulate  route entries in the kernel routing tables, which keep
729       information about paths to other networked nodes.
730
731       Route types:
732
733               unicast - the route entry describes real paths to the  destina‐
734               tions covered by the route prefix.
735
736
737               unreachable  -  these destinations are unreachable. Packets are
738               discarded and the ICMP message host unreachable  is  generated.
739               The local senders get an EHOSTUNREACH error.
740
741
742               blackhole  -  these  destinations  are unreachable. Packets are
743               discarded silently.  The local senders get an EINVAL error.
744
745
746               prohibit - these destinations are unreachable. Packets are dis‐
747               carded and the ICMP message communication administratively pro‐
748               hibited is generated. The local senders get an EACCES error.
749
750
751               local - the destinations are assigned to this host. The packets
752               are looped back and delivered locally.
753
754
755               broadcast - the destinations are broadcast addresses. The pack‐
756               ets are sent as link broadcasts.
757
758
759               throw - a special  control  route  used  together  with  policy
760               rules.  If  such  a  route is selected, lookup in this table is
761               terminated pretending that no route was found.  Without  policy
762               routing  it  is  equivalent  to the absence of the route in the
763               routing table. The packets are dropped and the ICMP message net
764               unreachable  is generated. The local senders get an ENETUNREACH
765               error.
766
767
768               nat - a special NAT route. Destinations covered by  the  prefix
769               are  considered  to  be  dummy  (or  external)  addresses which
770               require translation to real (or internal) ones before  forward‐
771               ing.  The  addresses  to  translate  to  are  selected with the
772               attribute via.  Warning: Route NAT is no  longer  supported  in
773               Linux 2.6.
774
775
776               anycast - not implemented. The destinations are anycast
777               addresses assigned to this host. They are mainly equivalent  to
778               local with one difference: such addresses are invalid when used
779               as the source address of any packet.
780
781
782               multicast - a special type used for multicast  routing.  It  is
783               not present in normal routing tables.
784
785
786       Route  tables:  Linux-2.x  can  pack routes into several routing tables
787       identified by a number in the range from 1 to 255 or by name  from  the
788       file  /etc/iproute2/rt_tables. By default all normal routes are inserted
789       into the main table (ID 254) and the kernel only uses this  table  when
790       calculating routes.
791
792
793       Actually,  one  other  table always exists, which is invisible but even
794       more important. It is the local table (ID 255). This table consists  of
795       routes for local and broadcast addresses. The kernel maintains this ta‐
796       ble automatically and the administrator usually need not modify  it  or
797       even look at it.
798
799       The multiple routing tables enter the game when policy routing is used.
800
801
802   ip route add - add new route
803   ip route change - change route
804   ip route replace - change or add new one
805       to TYPE PREFIX (default)
806              the  destination  prefix  of  the  route. If TYPE is omitted, ip
807              assumes type unicast.  Other values of TYPE  are  listed  above.
808              PREFIX  is  an IP or IPv6 address optionally followed by a slash
809              and the prefix length. If the length of the prefix  is  missing,
810              ip  assumes  a  full-length  host route. There is also a special
811              PREFIX default - which is equivalent to IP 0/0 or to IPv6 ::/0.
812
813
814       tos TOS
815
816       dsfield TOS
817              the Type Of Service (TOS) key. This key has no  associated  mask
818              and  the  longest match is understood as: First, compare the TOS
819              of the route and of the packet. If they are not equal, then  the
820              packet  may  still match a route with a zero TOS.  TOS is either
821              an  8   bit   hexadecimal   number   or   an   identifier   from
822              /etc/iproute2/rt_dsfield.
823
824
825       metric NUMBER
826
827       preference NUMBER
828              the preference value of the route.  NUMBER is an arbitrary 32bit
829              number.
830
831
832       table TABLEID
833              the table to add this route to.  TABLEID may be a  number  or  a
834              string from the file /etc/iproute2/rt_tables.  If this parameter
835              is omitted, ip assumes the main table,  with  the  exception  of
836              local,  broadcast  and  nat routes, which are put into the local
837              table by default.
838
839
840       dev NAME
841              the output device name.
842
843
844       via ADDRESS
845              the address of the nexthop router. Actually, the sense  of  this
846              field depends on the route type. For normal unicast routes it is
847              either the true next hop router or, if  it  is  a  direct  route
848              installed  in  BSD compatibility mode, it can be a local address
849              of the interface. For NAT routes it is the first address of  the
850              block of translated IP destinations.
851
852
853       src ADDRESS
854              the  source  address  to prefer when sending to the destinations
855              covered by the route prefix.
856
857
858       realm REALMID
859              the realm to which this route is assigned.   REALMID  may  be  a
860              number or a string from the file /etc/iproute2/rt_realms.
861
862
863       mtu MTU
864
865       mtu lock MTU
866              the  MTU along the path to the destination. If the modifier lock
867              is not used, the MTU may be updated by the kernel  due  to  Path
868              MTU Discovery. If the modifier lock is used, no path MTU discov‐
869              ery will be tried, all packets will be sent without the  DF  bit
870              in IPv4 case or fragmented to MTU for IPv6.
871
872
873       window NUMBER
874              the  maximal  window for TCP to advertise to these destinations,
875              measured in bytes. It limits maximal data bursts  that  our  TCP
876              peers are allowed to send to us.
877
878
879       rtt TIME
880              the  initial  RTT  ('Round Trip Time') estimate. If no suffix is
881              specified the units are raw values passed directly to the  rout‐
882              ing code to maintain compatibility with previous releases.  Oth‐
883              erwise, a suffix of s, sec or secs specifies seconds  and  ms,
884              msec or msecs specifies milliseconds.
885
886
887       rttvar TIME (2.3.15+ only)
888              the  initial RTT variance estimate. Values are specified as with
889              rtt above.
890
891
892       rto_min TIME (2.6.23+ only)
893              the minimum TCP Retransmission TimeOut to use when communicating
894              with this destination. Values are specified as with rtt above.
895
896
897       ssthresh NUMBER (2.3.15+ only)
898              an estimate for the initial slow start threshold.
899
900
901       cwnd NUMBER (2.3.15+ only)
902              the  clamp for congestion window. It is ignored if the lock flag
903              is not used.
904
905
906       initcwnd NUMBER
907              the maximum initial congestion window (cwnd) size in  MSS  of  a
908              TCP connection.
909
910
911       initrwnd NUMBER (2.6.33+ only)
912              the initial receive window size for connections to this destina‐
913              tion.  Actual window size is this value multiplied by the MSS of
914              the  connection.  The default value is zero, meaning to use Slow
915              Start value.
916
917
918       advmss NUMBER (2.3.15+ only)
919              the MSS ('Maximal Segment Size') to advertise to these  destina‐
920              tions  when  establishing  TCP  connections. If it is not given,
921              Linux uses a default value calculated from the first hop  device
922              MTU.   (If  the  path  to  these destinations is asymmetric, this
923              guess may be wrong.)
924
925
926       reordering NUMBER (2.3.15+ only)
927              Maximal reordering on the path to this destination.   If  it  is
928              not  given,  Linux  uses the value selected with sysctl variable
929              net/ipv4/tcp_reordering.
930
931
932       nexthop NEXTHOP
933              the nexthop of a multipath route.  NEXTHOP is  a  complex  value
934              with its own syntax similar to the top level argument lists:
935
936                      via ADDRESS - is the nexthop router.
937
938
939                      dev NAME - is the output device.
940
941
942                      weight NUMBER - is a weight for this element of a multi‐
943                      path route reflecting its relative bandwidth or quality.
944
945
946       scope SCOPE_VAL
947              the scope of the  destinations  covered  by  the  route  prefix.
948              SCOPE_VAL   may   be   a  number  or  a  string  from  the  file
949              /etc/iproute2/rt_scopes.   If  this  parameter  is  omitted,  ip
950              assumes  scope  global  for  all gatewayed unicast routes, scope
951              link for direct unicast and broadcast routes and scope host  for
952              local routes.
953
954
955       protocol RTPROTO
956              the routing protocol identifier of this route.  RTPROTO may be a
957              number or a string from the  file  /etc/iproute2/rt_protos.   If
958              the  routing  protocol ID is not given, ip assumes protocol boot
959              (i.e. it assumes the route was  added  by  someone  who  doesn't
960              understand  what they are doing). Several protocol values have a
961              fixed interpretation.  Namely:
962
963                      redirect - the route was installed due to an ICMP  redi‐
964                      rect.
965
966
967                      kernel  -  the  route was installed by the kernel during
968                      autoconfiguration.
969
970
971                      boot  -  the  route  was  installed  during  the  bootup
972                      sequence.  If a routing daemon starts, it will purge all
973                      of them.
974
975
976                      static - the route was installed by the administrator to
977                      override  dynamic  routing.  Routing daemon will respect
978                      them and, probably, even advertise them to its peers.
979
980
981                      ra - the route was installed by Router Discovery  proto‐
982                      col.
983
984
985              The rest of the values are not reserved and the administrator is
986              free to assign (or not to assign) protocol tags.
987
988
989       onlink pretend that the nexthop is directly attached to this link, even
990              if it does not match any interface prefix.
991
992
993       equalize
994              allow packet by packet randomization on multipath routes.  With‐
995              out this modifier, the route will be frozen to one selected nex‐
996              thop,  so  that load splitting will only occur on a per-flow basis.
997              equalize only works if the kernel is patched.
998
999
1000   ip route delete - delete route
1001       ip route del has the same arguments as ip route add, but  their  seman‐
1002       tics are a bit different.
1003
1004       Key  values (to, tos, preference and table) select the route to delete.
1005       If optional attributes are present, ip verifies that they coincide with
1006       the  attributes of the route to delete.  If no route with the given key
1007       and attributes was found, ip route del fails.
1008
1009
1010   ip route show - list routes
1011       the command displays the contents of the routing tables or the route(s)
1012       selected by some criteria.
1013
1014
1015       to SELECTOR (default)
1016              only select routes from the given range of destinations.  SELEC‐
1017              TOR consists of an optional modifier (root, match or exact)  and
1018              a  prefix.  root PREFIX selects routes with prefixes not shorter
1019              than PREFIX.  F.e.  root 0/0 selects the entire  routing  table.
1020              match  PREFIX  selects routes with prefixes not longer than PRE‐
1021              FIX.  F.e.  match 10.0/16 selects 10.0/16, 10/8 and 0/0, but  it
1022              does  not  select  10.1/16  and 10.0.0/24.  And exact PREFIX (or
1023              just PREFIX) selects routes with this exact prefix.  If  neither
1024              of  these options are present, ip assumes root 0/0 i.e. it lists
1025              the entire table.
1026
1027
1028       tos TOS
1029
1030       dsfield TOS
1031              only select routes with the given TOS.
1032
1033
1034       table TABLEID
1035              show the routes from this table(s). The default  setting  is  to
1036              show  table  main.  TABLEID may either be the ID of a real table
1037              or one of the special values:
1038
1039                      all - list all of the tables.
1040
1041                      cache - dump the routing cache.
1042
1043
1044       cloned
1045
1046       cached list cloned routes i.e. routes  which  were  dynamically  forked
1047              from  other  routes  because some route attribute (f.e. MTU) was
1048              updated.  Actually, it is equivalent to table cache.
1049
1050
1051       from SELECTOR
1052              the same syntax as for to, but it binds the source address range
1053              rather  than destinations.  Note that the from option only works
1054              with cloned routes.
1055
1056
1057       protocol RTPROTO
1058              only list routes of this protocol.
1059
1060
1061       scope SCOPE_VAL
1062              only list routes with this scope.
1063
1064
1065       type TYPE
1066              only list routes of this type.
1067
1068
1069       dev NAME
1070              only list routes going via this device.
1071
1072
1073       via PREFIX
1074              only list routes going via the nexthop routers selected by  PRE‐
1075              FIX.
1076
1077
1078       src PREFIX
1079              only  list  routes  with  preferred source addresses selected by
1080              PREFIX.
1081
1082
1083       realm REALMID
1084
1085       realms FROMREALM/TOREALM
1086              only list routes with these realms.
1087
1088
1089   ip route flush - flush routing tables
1090       this command flushes routes selected by some criteria.
1091
1092
1093       The arguments have the same syntax and semantics as the arguments of ip
1094       route show, but the selected routes are purged rather than listed. The
1095       other difference is the default action: show dumps the whole IP  main
1096       routing table, whereas flush prints the help page.
1097
1098
1099       With the -statistics option, the command becomes verbose. It prints out
1100       the number of deleted routes and the number of rounds made to flush the
1101       routing  table. If the option is given twice, ip route flush also dumps
1102       all the deleted routes in the format described in the previous  subsec‐
1103       tion.
1104
1105
1106   ip route get - get a single route
1107       this  command  gets a single route to a destination and prints its con‐
1108       tents exactly as the kernel sees it.
1109
1110
1111       to ADDRESS (default)
1112              the destination address.
1113
1114
1115       from ADDRESS
1116              the source address.
1117
1118
1119       tos TOS
1120
1121       dsfield TOS
1122              the Type Of Service.
1123
1124
1125       iif NAME
1126              the device from which this packet is expected to arrive.
1127
1128
1129       oif NAME
1130              force the output device on which this packet will be routed.
1131
1132
1133       connected
1134              if no source address (option from) was given, relookup the route
1135              with  the  source set to the preferred address received from the
1136              first lookup.  If policy routing is used, it may be a  different
1137              route.
1138
1139
1140       Note  that  this  operation  is  not equivalent to ip route show.  show
1141       shows existing routes.  get resolves them and  creates  new  clones  if
1142       necessary.  Essentially,  get  is  equivalent to sending a packet along
1143       this path.  If the iif argument is not  given,  the  kernel  creates  a
1144       route  to  output  packets  towards the requested destination.  This is
1145       equivalent to pinging the destination with a  subsequent  ip  route  ls
1146       cache,  however,  no  packets are actually sent. With the iif argument,
1147       the kernel pretends that a  packet  arrived  from  this  interface  and
1148       searches for a path to forward the packet.
1149
1150

ip rule - routing policy database management

1152       Rules  in the routing policy database control the route selection algo‐
1153       rithm.
1154
1155
1156       Classic routing algorithms used in the Internet make routing  decisions
1157       based  only  on  the destination address of packets (and in theory, but
1158       not in practice, on the TOS field).
1159
1160
1161       In some circumstances we want to route  packets  differently  depending
1162       not  only  on  destination  addresses, but also on other packet fields:
1163       source address, IP protocol, transport protocol ports  or  even  packet
1164       payload.  This task is called 'policy routing'.
1165
1166
1167       To  solve  this task, the conventional destination based routing table,
1168       ordered according to the longest match rule, is replaced with a  'rout‐
1169       ing  policy database' (or RPDB), which selects routes by executing some
1170       set of rules.
1171
1172
1173       Each policy routing rule consists of a selector and  an  action  predi‐
1174       cate.   The RPDB is scanned in order of decreasing priority. The selec‐
1175       tor of each rule is applied to {source  address,  destination  address,
1176       incoming  interface,  tos,  fwmark}  and,  if  the selector matches the
1177       packet, the action is performed. The action predicate may  return  with
1178       success.   In this case, it will either give a route or failure indica‐
1179       tion and the RPDB lookup is terminated.  Otherwise,  the  RPDB  program
1180       continues with the next rule.
1181
1182
1183       Semantically,  the natural action is to select the nexthop and the out‐
1184       put device.
1185
1186
1187       At startup time the kernel configures the default  RPDB  consisting  of
1188       three rules:
1189
1190
1191       1.     Priority:  0,  Selector:  match anything, Action: lookup routing
1192              table local (ID 255).  The local table is a special routing  ta‐
1193              ble containing high priority control routes for local and broad‐
1194              cast addresses.
1195
1196              Rule 0 is special. It cannot be deleted or overridden.
1197
1198
1199       2.     Priority: 32766, Selector: match anything, Action: lookup  rout‐
1200              ing  table  main (ID 254).  The main table is the normal routing
1201              table containing all non-policy routes. This rule may be deleted
1202              and/or overridden with other ones by the administrator.
1203
1204
1205       3.     Priority:  32767, Selector: match anything, Action: lookup rout‐
1206              ing table default (ID 253).  The default table is empty.  It  is
1207              reserved  for  some post-processing if no previous default rules
1208              selected the packet.  This rule may also be deleted.
1209
1210
1211       Each RPDB entry has additional attributes. F.e. each rule has a pointer
1212       to  some routing table. NAT and masquerading rules have an attribute to
1213       select new IP address to translate/masquerade. Besides that, rules have
1214       some optional attributes, which routes have, namely realms.  These val‐
1215       ues do not override those contained in the  routing  tables.  They  are
1216       only used if the route did not select any attributes.
1217
1218
1219       The RPDB may contain rules of the following types:
1220
1221               unicast  - the rule prescribes to return the route found in the
1222               routing table referenced by the rule.
1223
1224               blackhole - the rule prescribes to silently drop the packet.
1225
1226               unreachable - the rule prescribes to  generate  a  'Network  is
1227               unreachable' error.
1228
1229               prohibit  -  the  rule prescribes to generate 'Communication is
1230               administratively prohibited' error.
1231
1232               nat - the rule prescribes to translate the  source  address  of
1233               the IP packet into some other value.
1234
1235
1236   ip rule add - insert a new rule
1237   ip rule delete - delete a rule
1238       type TYPE (default)
1239              the  type of this rule. The list of valid types was given in the
1240              previous subsection.
1241
1242
1243       from PREFIX
1244              select the source prefix to match.
1245
1246
1247       to PREFIX
1248              select the destination prefix to match.
1249
1250
1251       iif NAME
1252              select the incoming device to match. If the interface  is  loop‐
1253              back,  the rule only matches packets originating from this host.
1254              This means that you may create separate routing tables for  for‐
1255              warded and local packets and, hence, completely segregate them.
1256
1257
1258       tos TOS
1259
1260       dsfield TOS
1261              select the TOS value to match.
1262
1263
1264       fwmark MARK
1265              select the fwmark value to match.
1266
1267
1268       priority PREFERENCE
1269              the  priority  of this rule. Each rule should have an explicitly
1270              set unique priority value.  The options preference and order are
1271              synonyms with priority.
1272
1273
1274       table TABLEID
1275              the  routing  table  identifier  to  lookup if the rule selector
1276              matches.  It is also possible to use lookup instead of table.
1277
1278
1279       realms FROM/TO
1280              Realms to select if the  rule  matched  and  the  routing  table
1281              lookup  succeeded.  Realm  TO  is only used if the route did not
1282              select any realm.
1283
1284
1285       nat ADDRESS
1286              The base of the  IP  address  block  to  translate  (for  source
1287              addresses).  The ADDRESS may be either the start of the block of
1288              NAT addresses (selected by NAT routes) or a local  host  address
1289              (or  even zero).  In the last case the router does not translate
1290              the packets, but masquerades them to this address.  Using map-to
1291              instead of nat means the same thing.
1292
1293              Warning:  Changes  to  the  RPDB made with these commands do not
1294              become active immediately. It is assumed  that  after  a  script
1295              finishes  a  batch of updates, it flushes the routing cache with
1296              ip route flush cache.
1297
1298
1299   ip rule flush - also dumps all the deleted rules.
1300       This command has no arguments.
1301
1302
1303   ip rule show - list rules
1304       This command has no arguments.  The options list or  lst  are  synonyms
1305       with show.
1306
1307

ip maddress - multicast addresses management

1309       maddress objects are multicast addresses.
1310
1311
1312   ip maddress show - list multicast addresses
1313       dev NAME (default)
1314              the device name.
1315
1316
1317   ip maddress add - add a multicast address
1318   ip maddress delete - delete a multicast address
1319       these  commands  attach/detach a static link-layer multicast address to
1320       listen on the interface.  Note that it is impossible to  join  protocol
1321       multicast  groups  statically.  This  command  only  manages link-layer
1322       addresses.
1323
1324
1325       address LLADDRESS (default)
1326              the link-layer multicast address.
1327
1328
1329       dev NAME
1330              the device to join/leave this multicast address.
1331
1332

ip mroute - multicast routing cache management

1334       mroute objects are multicast routing cache entries created by  a  user-
1335       level mrouting daemon (f.e.  pimd or mrouted ).
1336
1337       Due  to the limitations of the current interface to the multicast rout‐
1338       ing engine, it is impossible to change mroute objects administratively,
1339       so  we  can  only  display them. This limitation will be removed in the
1340       future.
1341
1342
1343   ip mroute show - list mroute cache entries
1344       to PREFIX (default)
1345              the prefix selecting  the  destination  multicast  addresses  to
1346              list.
1347
1348
1349       iif NAME
1350              the interface on which multicast packets are received.
1351
1352
1353       from PREFIX
1354              the  prefix  selecting  the IP source addresses of the multicast
1355              route.
1356
1357

ip tunnel - tunnel configuration

1359       tunnel objects are tunnels, encapsulating packets  in  IP  packets  and
1360       then  sending  them  over the IP infrastructure.  The encapsulating (or
1361       outer) address family is specified by the -f  option.  The  default  is
1362       IPv4.
1363
1364
1365   ip tunnel add - add a new tunnel
1366   ip tunnel change - change an existing tunnel
1367   ip tunnel delete - destroy a tunnel
1368       name NAME (default)
1369              select the tunnel device name.
1370
1371
1372       mode MODE
1373              set the tunnel mode. Available modes depend on the encapsulating
1374              address family.
1375              Modes for IPv4 encapsulation available: ipip,  sit,  isatap  and
1376              gre.
1377              Modes for IPv6 encapsulation available: ip6ip6, ipip6 and any.
1378
1379
1380       remote ADDRESS
1381              set the remote endpoint of the tunnel.
1382
1383
1384       local ADDRESS
1385              set the fixed local address for tunneled packets.  It must be an
1386              address on another interface of this host.
1387
1388
1389       ttl N  set a fixed TTL N on tunneled packets.  N is  a  number  in  the
1390              range  1--255. 0 is a special value meaning that packets inherit
1391              the TTL value.  The default value for IPv4 tunnels is:  inherit.
1392              The default value for IPv6 tunnels is: 64.
1393
1394
1395
1396       tos T
1397
1398       dsfield T
1399
1400       tclass T
1401              set  a  fixed TOS (or traffic class in IPv6) T on tunneled pack‐
1402              ets.  The default value is: inherit.
1403
1404
1405       dev NAME
1406              bind the tunnel to the device NAME so that tunneled packets will
1407              only be routed via this device and will not be able to escape to
1408              another device when the route to endpoint changes.
1409
1410
1411       nopmtudisc
1412              disable Path MTU Discovery on this tunnel.   It  is  enabled  by
1413              default. Note that a fixed ttl is incompatible with this option:
1414              tunneling with a fixed ttl always makes pmtu discovery.
1415
1416
1417       key K
1418
1419       ikey K
1420
1421       okey K ( only GRE tunnels ) use keyed GRE with key K.  K  is  either  a
1422              number  or  an  IP  address-like dotted quad.  The key parameter
1423              sets the key to use in  both  directions.   The  ikey  and  okey
1424              parameters set different keys for input and output.
1425
1426
1427       csum, icsum, ocsum
1428              (  only  GRE  tunnels  ) generate/require checksums for tunneled
1429              packets.  The ocsum flag calculates checksums for outgoing pack‐
1430              ets.   The  icsum  flag requires that all input packets have the
1431              correct checksum. The csum flag is equivalent to the combination
1432              icsum ocsum.
1433
1434
1435       seq, iseq, oseq
1436              (  only  GRE tunnels ) serialize packets.  The oseq flag enables
1437              sequencing of outgoing packets.  The iseq flag requires that all
1438              input packets are serialized.  The seq flag is equivalent to the
1439              combination iseq oseq.  It doesn't work. Don't use it.
1440
1441
1442       dscp inherit
1443              ( only IPv6 tunnels ) Inherit DS field between inner  and  outer
1444              header.
1445
1446
1447       encaplim ELIM
1448              (  only  IPv6 tunnels ) set a fixed encapsulation limit. Default
1449              is 4.
1450
1451
1452       flowlabel FLOWLABEL
1453              ( only IPv6 tunnels ) set a fixed flowlabel.
1454
1455
1456   ip tunnel prl - potential router list (ISATAP only)
1457       dev NAME
1458              mandatory device name.
1459
1460
1461       prl-default ADDR
1462
1463       prl-nodefault ADDR
1464
1465       prl-delete ADDR
1466              Add or delete ADDR as a potential router or default router.
1467
1468
1469   ip tunnel show - list tunnels
1470       This command has no arguments.
1471
1472

ip monitor and rtmon - state monitoring

1474       The ip utility can monitor the state of devices, addresses  and  routes
1475       continuously. This option has a slightly different format.  Namely, the
1476       monitor command is the first in the command line and  then  the  object
1477       list follows:
1478
1479       ip monitor [ all | OBJECT-LIST ]
1480
1481       OBJECT-LIST  is  the  list of object types that we want to monitor.  It
1482       may contain link, address and route.  If no file argument is given,  ip
1483       opens  RTNETLINK,  listens  on it and dumps state changes in the format
1484       described in previous sections.
1485
1486
1487       If the file option is given, the program does not listen on  RTNETLINK,
1488       but  opens the given file, and dumps its contents. The file should con‐
1489       tain RTNETLINK messages saved in binary format.  Such  a  file  can  be
1490       generated  with the rtmon utility. This utility has a command line syn‐
1491       tax similar to ip monitor.  Ideally, rtmon should be started before the
1492       first network configuration command is issued. F.e. if you insert:
1493
1494               rtmon file /var/log/rtmon.log
1495
1496       in a startup script, you will be able to view the full history later.
1497
1498
1499       Nevertheless,  it  is possible to start rtmon at any time.  It prepends
1500       the history with the state snapshot dumped at the moment of starting.
1501
1502

ip xfrm - setting xfrm

1504       xfrm is an IP framework which can transform the format of datagrams,
1505       i.e. encrypt the packets with some  algorithm.  xfrm  policy  and  xfrm
1506       state  are  associated  through templates TMPL_LIST.  This framework is
1507       used as a part of IPsec protocol.
1508
1509
1510   ip xfrm state add - add new state into xfrm
1511   ip xfrm state update - update existing xfrm state
1512   ip xfrm state allocspi - allocate SPI value
1513       MODE   is set by default to transport, but it can be set to tunnel, ro
1514              or beet.
1515
1516
1517       FLAG-LIST
1518              contains one or more flags.
1519
1520
1521       FLAG   could be set to noecn, decap-dscp or wildrecv.
1522
1523
1524       ENCAP  encapsulation  is  set  to encapsulation type ENCAP-TYPE, source
1525              port SPORT, destination port DPORT and OADDR.
1526
1527
1528       ENCAP-TYPE
1529              could be set to espinudp or espinudp-nonike.
1530
1531
1532       ALGO-LIST
1533              contains one or more algorithms ALGO which depend on the type of
1534              algorithm set by ALGO_TYPE.  The algorithm types that can be used
1535              are enc, auth or comp.
1536
1537
1538   ip xfrm policy add - add a new policy
1539   ip xfrm policy update - update an existing policy
1540   ip xfrm policy delete - delete existing policy
1541   ip xfrm policy get - get existing policy
1542   ip xfrm policy deleteall - delete all existing xfrm policy
1543   ip xfrm policy list - print out the list of xfrm policy
1544   ip xfrm policy flush - flush policies
1545       It can flush all policies or only those specified with ptype.
1546
1547
1548       dir DIR
1549              the direction, which can be one of: inp, out or fwd.
1550
1551
1552       SELECTOR
1553              selects the addresses for which the  policy  will  be  set  up.
1554              The selector is defined by source and destination address.
1555
1556
1557       UPSPEC is defined by source port sport, destination port dport, and by
1558              type and code, both given as numbers.
1559
1560
1561       dev DEV
1562              specify network device.
1563
1564
1565       index INDEX
1566              the index number of the policy.
1567
1568
1569       ptype PTYPE
1570              type is set by default to main; it can be switched to sub.
1571
1572
1573       action ACTION
1574              is set by default to allow.  It can be switched to block.
1575
1576
1577       priority PRIORITY
1578              priority is a number. The default priority is zero.
1579
1580
1581       LIMIT-LIST
1582              limits are set in seconds, bytes or numbers of packets.
1583
1584
1585       TMPL-LIST
1586              template list is based on ID, mode, reqid and level.
1587
1588
1589       ID     is specified by source address, destination address,  proto  and
1590              value of spi.
1591
1592
1593       XFRM_PROTO
1594              values: esp, ah, comp, route2 or hao.
1595
1596
1597       MODE   is set by default to transport, but it can be set to tunnel or
1598              beet.
1599
1600
1601       LEVEL  is set by default to required; the other choice is use.
1602
1603
1604       UPSPEC is specified by sport, dport, type and code (NUMBER).
1605
1606
1607   ip xfrm monitor - is used for listing all objects or defined group of them.
1608       The xfrm monitor can monitor the policies for all objects or a defined
1609       group of them.
1610
1611

ip token

1613       IPv6  tokenized interface identifier support is used for assigning well-
1614       known host-part addresses to nodes whilst still obtaining a global net‐
1615       work  prefix  from  Router  advertisements. The primary target for tok‐
1616       enized identifiers are server platforms  where  addresses  are  usually
1617       manually  configured,  rather than using DHCPv6 or SLAAC. By using tok‐
1618       enized identifiers, hosts can still determine their network  prefix  by
1619       use of SLAAC, but more readily be automatically renumbered should their
1620       network prefix change [1]. Tokenized IPv6 Identifiers are described  in
1621       the draft [1]: <draft-chown-6man-tokenised-ipv6-identifiers-02>.
1622
1623
1624   ip token set - set an interface token
1625       set  the  interface token to the kernel. Once a token is set, it cannot
1626       be removed from the interface, only overwritten.
1627
1628       TOKEN  the interface identifier token address.
1629
1630       dev DEV
1631              the networking interface.
1632
1633
1634   ip token get - get the interface token from the kernel
1635       show a tokenized interface identifier of a particular networking device.
1636       Arguments:  coincide  with  the arguments of ip token set but the TOKEN
1637       must be left out.
1638
1639   ip token list - list all interface tokens
1640       list all tokenized interface identifiers for the networking  interfaces
1641       from the kernel.
1642
1643

HISTORY

1645       ip was written by Alexey N. Kuznetsov and added in Linux 2.2.
1646

SEE ALSO

1648       tc(8)
1649       IP Command reference ip-cref.ps
1650       IP tunnels ip-cref.ps
1651       User  documentation  at http://lartc.org/, but please direct bugreports
1652       and patches to: <netdev@vger.kernel.org>
1653
1654

AUTHOR

1656       Original Manpage  by Michail Litvak <mci@owl.openwall.com>
1657
1658
1659
1660iproute2                        17 January 2002                          IP(8)