IP-ROUTE(8)                          Linux                         IP-ROUTE(8)

NAME
       ip-route - routing table management

SYNOPSIS
       ip [ ip-OPTIONS ] route { COMMAND | help }

       ip route { show | flush } SELECTOR

       ip route save SELECTOR

       ip route restore

       ip route get ROUTE_GET_FLAGS ADDRESS [ from ADDRESS iif STRING ] [ oif
               STRING ] [ mark MARK ] [ tos TOS ] [ vrf NAME ] [ ipproto
               PROTOCOL ] [ sport NUMBER ] [ dport NUMBER ]

       ip route { add | del | change | append | replace } ROUTE

       SELECTOR := [ root PREFIX ] [ match PREFIX ] [ exact PREFIX ] [ table
               TABLE_ID ] [ vrf NAME ] [ proto RTPROTO ] [ type TYPE ] [ scope
               SCOPE ]

       ROUTE := NODE_SPEC [ INFO_SPEC ]

       NODE_SPEC := [ TYPE ] PREFIX [ tos TOS ] [ table TABLE_ID ] [ proto
               RTPROTO ] [ scope SCOPE ] [ metric METRIC ] [ ttl-propagate {
               enabled | disabled } ]

       INFO_SPEC := NH OPTIONS FLAGS [ nexthop NH ] ...

       NH := [ encap ENCAP ] [ via [ FAMILY ] ADDRESS ] [ dev STRING ] [
               weight NUMBER ] NHFLAGS

       FAMILY := [ inet | inet6 | ipx | dnet | mpls | bridge | link ]

       OPTIONS := FLAGS [ mtu NUMBER ] [ advmss NUMBER ] [ as [ to ] ADDRESS ]
               [ rtt TIME ] [ rttvar TIME ] [ reordering NUMBER ] [ window
               NUMBER ] [ cwnd NUMBER ] [ ssthresh NUMBER ] [ realms REALM ] [
               rto_min TIME ] [ initcwnd NUMBER ] [ initrwnd NUMBER ] [
               features FEATURES ] [ quickack BOOL ] [ congctl NAME ] [ pref
               PREF ] [ expires TIME ] [ fastopen_no_cookie BOOL ]

       TYPE := [ unicast | local | broadcast | multicast | throw | unreachable
               | prohibit | blackhole | nat ]

       TABLE_ID := [ local | main | default | all | NUMBER ]

       SCOPE := [ host | link | global | NUMBER ]

       NHFLAGS := [ onlink | pervasive ]

       RTPROTO := [ kernel | boot | static | NUMBER ]

       FEATURES := [ ecn | ]

       PREF := [ low | medium | high ]

       ENCAP := [ MPLS | IP | BPF | SEG6 | SEG6LOCAL ]

       ENCAP_MPLS := mpls [ LABEL ] [ ttl TTL ]

       ENCAP_IP := ip id TUNNEL_ID dst REMOTE_IP [ tos TOS ] [ ttl TTL ]

       ENCAP_BPF := bpf [ in PROG ] [ out PROG ] [ xmit PROG ] [ headroom SIZE
               ]

       ENCAP_SEG6 := seg6 mode [ encap | inline | l2encap ] segs SEGMENTS [
               hmac KEYID ]

       ENCAP_SEG6LOCAL := seg6local action SEG6_ACTION [ SEG6_ACTION_PARAM ]

       ROUTE_GET_FLAGS := [ fibmatch ]

DESCRIPTION
       ip route is used to manipulate entries in the kernel routing tables.

       Route types:

               unicast - the route entry describes real paths to the
               destinations covered by the route prefix.

               unreachable - these destinations are unreachable. Packets are
               discarded and the ICMP message host unreachable is generated.
               The local senders get an EHOSTUNREACH error.

               blackhole - these destinations are unreachable. Packets are
               discarded silently. The local senders get an EINVAL error.

               prohibit - these destinations are unreachable. Packets are
               discarded and the ICMP message communication administratively
               prohibited is generated. The local senders get an EACCES error.

               local - the destinations are assigned to this host. The packets
               are looped back and delivered locally.

               broadcast - the destinations are broadcast addresses. The
               packets are sent as link broadcasts.

               throw - a special control route used together with policy
               rules. If such a route is selected, lookup in this table is
               terminated pretending that no route was found. Without policy
               routing it is equivalent to the absence of the route in the
               routing table. The packets are dropped and the ICMP message net
               unreachable is generated. The local senders get an ENETUNREACH
               error.

               nat - a special NAT route. Destinations covered by the prefix
               are considered to be dummy (or external) addresses which
               require translation to real (or internal) ones before
               forwarding. The addresses to translate to are selected with the
               attribute via. Warning: Route NAT is no longer supported in
               Linux 2.6.

               anycast - (not implemented) the destinations are anycast
               addresses assigned to this host. They are mainly equivalent to
               local with one difference: such addresses are invalid when used
               as the source address of any packet.

               multicast - a special type used for multicast routing. It is
               not present in normal routing tables.

       Route tables: Linux-2.x can pack routes into several routing tables
       identified by a number in the range from 1 to 2^32-1 or by name from
       the file /etc/iproute2/rt_tables. By default all normal routes are
       inserted into the main table (ID 254) and the kernel only uses this
       table when calculating routes. Values (0, 253, 254, and 255) are
       reserved for built-in use.

       Actually, one other table always exists, which is invisible but even
       more important. It is the local table (ID 255). This table consists of
       routes for local and broadcast addresses. The kernel maintains this
       table automatically and the administrator usually need not modify it or
       even look at it.

       The multiple routing tables enter the game when policy routing is used.

       ip route add
              add new route

       ip route change
              change route

       ip route replace
              change or add new one

              to TYPE PREFIX (default)
                     the destination prefix of the route. If TYPE is omitted,
                     ip assumes type unicast. Other values of TYPE are listed
                     above. PREFIX is an IP or IPv6 address optionally
                     followed by a slash and the prefix length. If the length
                     of the prefix is missing, ip assumes a full-length host
                     route. There is also a special PREFIX default, which is
                     equivalent to IP 0/0 or to IPv6 ::/0.

              tos TOS

              dsfield TOS
                     the Type Of Service (TOS) key. This key has no associated
                     mask and the longest match is understood as: First,
                     compare the TOS of the route and of the packet. If they
                     are not equal, then the packet may still match a route
                     with a zero TOS. TOS is either an 8 bit hexadecimal
                     number or an identifier from /etc/iproute2/rt_dsfield.

              metric NUMBER

              preference NUMBER
                     the preference value of the route. NUMBER is an arbitrary
                     32bit number, where routes with lower values are
                     preferred.

              table TABLEID
                     the table to add this route to. TABLEID may be a number
                     or a string from the file /etc/iproute2/rt_tables. If
                     this parameter is omitted, ip assumes the main table,
                     with the exception of local, broadcast and nat routes,
                     which are put into the local table by default.

              vrf NAME
                     the vrf name to add this route to. Implicitly means the
                     table associated with the VRF.

              dev NAME
                     the output device name.

              via [ FAMILY ] ADDRESS
                     the address of the nexthop router, in the address family
                     FAMILY. Actually, the sense of this field depends on the
                     route type. For normal unicast routes it is either the
                     true next hop router or, if it is a direct route
                     installed in BSD compatibility mode, it can be a local
                     address of the interface. For NAT routes it is the first
                     address of the block of translated IP destinations.

              src ADDRESS
                     the source address to prefer when sending to the
                     destinations covered by the route prefix.

              realm REALMID
                     the realm to which this route is assigned. REALMID may
                     be a number or a string from the file
                     /etc/iproute2/rt_realms.

              mtu MTU

              mtu lock MTU
                     the MTU along the path to the destination. If the
                     modifier lock is not used, the MTU may be updated by the
                     kernel due to Path MTU Discovery. If the modifier lock is
                     used, no path MTU discovery will be tried, all packets
                     will be sent without the DF bit in IPv4 case or
                     fragmented to MTU for IPv6.

              window NUMBER
                     the maximal window for TCP to advertise to these
                     destinations, measured in bytes. It limits maximal data
                     bursts that our TCP peers are allowed to send to us.

              rtt TIME
                     the initial RTT ('Round Trip Time') estimate. If no
                     suffix is specified the units are raw values passed
                     directly to the routing code to maintain compatibility
                     with previous releases. Otherwise a suffix of s, sec or
                     secs specifies seconds, and ms, msec or msecs specifies
                     milliseconds.

              rttvar TIME (2.3.15+ only)
                     the initial RTT variance estimate. Values are specified
                     as with rtt above.

              rto_min TIME (2.6.23+ only)
                     the minimum TCP Retransmission TimeOut to use when
                     communicating with this destination. Values are specified
                     as with rtt above.

              ssthresh NUMBER (2.3.15+ only)
                     an estimate for the initial slow start threshold.

              cwnd NUMBER (2.3.15+ only)
                     the clamp for congestion window. It is ignored if the
                     lock flag is not used.

              initcwnd NUMBER (2.5.70+ only)
                     the initial congestion window size for connections to
                     this destination. Actual window size is this value
                     multiplied by the MSS ('Maximal Segment Size') for the
                     same connection. The default is zero, meaning to use the
                     values specified in RFC2414.

              initrwnd NUMBER (2.6.33+ only)
                     the initial receive window size for connections to this
                     destination. Actual window size is this value multiplied
                     by the MSS of the connection. The default value is zero,
                     meaning to use Slow Start value.

              features FEATURES (3.18+ only)
                     Enable or disable per-route features. The only available
                     feature at this time is ecn to enable explicit congestion
                     notification when initiating connections to the given
                     destination network. When responding to a connection
                     request from the given network, ecn will also be used
                     even if the net.ipv4.tcp_ecn sysctl is set to 0.

              quickack BOOL (3.11+ only)
                     Enable or disable quick ack for connections to this
                     destination.

              fastopen_no_cookie BOOL (4.15+ only)
                     Enable TCP Fastopen without a cookie for connections to
                     this destination.

              congctl NAME (3.20+ only)

              congctl lock NAME (3.20+ only)
                     Sets a specific TCP congestion control algorithm only for
                     a given destination. If not specified, Linux keeps the
                     current global default TCP congestion control algorithm,
                     or the one set from the application. If the modifier lock
                     is not used, an application may nevertheless overwrite
                     the suggested congestion control algorithm for that
                     destination. If the modifier lock is used, then an
                     application is not allowed to overwrite the specified
                     congestion control algorithm for that destination, thus
                     it will be enforced/guaranteed to use the proposed
                     algorithm.

              advmss NUMBER (2.3.15+ only)
                     the MSS ('Maximal Segment Size') to advertise to these
                     destinations when establishing TCP connections. If it is
                     not given, Linux uses a default value calculated from the
                     first hop device MTU. (If the path to these destinations
                     is asymmetric, this guess may be wrong.)

              reordering NUMBER (2.3.15+ only)
                     Maximal reordering on the path to this destination. If
                     it is not given, Linux uses the value selected with
                     sysctl variable net/ipv4/tcp_reordering.

              nexthop NEXTHOP
                     the nexthop of a multipath route. NEXTHOP is a complex
                     value with its own syntax similar to the top level
                     argument lists:

                             via [ FAMILY ] ADDRESS - is the nexthop router.

                             dev NAME - is the output device.

                             weight NUMBER - is a weight for this element of a
                             multipath route reflecting its relative bandwidth
                             or quality.

                     The internal buffer used in iproute2 limits the maximum
                     number of nexthops that may be specified in one go. If
                     only ADDRESS is given, the current buffer size allows for
                     144 IPv6 nexthops and 253 IPv4 ones. For IPv4, this
                     effectively limits the number of nexthops possible per
                     route. With IPv6, further nexthops may be appended to the
                     same route via the ip route append command.

              scope SCOPE_VAL
                     the scope of the destinations covered by the route
                     prefix. SCOPE_VAL may be a number or a string from the
                     file /etc/iproute2/rt_scopes. If this parameter is
                     omitted, ip assumes scope global for all gatewayed
                     unicast routes, scope link for direct unicast and
                     broadcast routes and scope host for local routes.

              protocol RTPROTO
                     the routing protocol identifier of this route. RTPROTO
                     may be a number or a string from the file
                     /etc/iproute2/rt_protos. If the routing protocol ID is
                     not given, ip assumes protocol boot (i.e. it assumes the
                     route was added by someone who doesn't understand what
                     they are doing). Several protocol values have a fixed
                     interpretation. Namely:

                             redirect - the route was installed due to an ICMP
                             redirect.

                             kernel - the route was installed by the kernel
                             during autoconfiguration.

                             boot - the route was installed during the bootup
                             sequence. If a routing daemon starts, it will
                             purge all of them.

                             static - the route was installed by the
                             administrator to override dynamic routing. A
                             routing daemon will respect them and, probably,
                             even advertise them to its peers.

                             ra - the route was installed by Router Discovery
                             protocol.

                     The rest of the values are not reserved and the
                     administrator is free to assign (or not to assign)
                     protocol tags.

              onlink pretend that the nexthop is directly attached to this
                     link, even if it does not match any interface prefix.

              pref PREF
                     the IPv6 route preference. PREF is a string specifying
                     the route preference as defined in RFC4191 for Router
                     Discovery messages. Namely:

                             low - the route has the lowest priority

                             medium - the route has the default priority

                             high - the route has the highest priority

              encap ENCAPTYPE ENCAPHDR
                     attach tunnel encapsulation attributes to this route.

                     ENCAPTYPE is a string specifying the supported
                     encapsulation type. Namely:

                             mpls - encapsulation type MPLS

                             ip - IP encapsulation (Geneve, GRE, VXLAN, ...)

                             bpf - Execution of BPF program

                             seg6 - encapsulation type IPv6 Segment Routing

                             seg6local - local SRv6 segment processing

                     ENCAPHDR is a set of encapsulation attributes specific to
                     the ENCAPTYPE.

                             mpls
                               MPLSLABEL - mpls label stack with labels
                               separated by /

                               ttl TTL - TTL to use for MPLS header or 0 to
                               inherit from IP header

                             ip
                               id TUNNEL_ID dst REMOTE_IP [ tos TOS ] [ ttl
                               TTL ]

                             bpf
                               in PROG - BPF program to execute for incoming
                               packets

                               out PROG - BPF program to execute for outgoing
                               packets

                               xmit PROG - BPF program to execute for
                               transmitted packets

                               headroom SIZE - Size of header BPF program will
                               attach (xmit)

                             seg6
                               mode inline - Directly insert Segment Routing
                               Header after IPv6 header

                               mode encap - Encapsulate packet in an outer
                               IPv6 header with SRH

                               mode l2encap - Encapsulate ingress L2 frame
                               within an outer IPv6 header and SRH

                               SEGMENTS - List of comma-separated IPv6
                               addresses

                               KEYID - Numerical value in decimal
                               representation. See ip-sr(8).

                             seg6local
                               SEG6_ACTION [ SEG6_ACTION_PARAM ] - Operation
                               to perform on matching packets. The following
                               actions are currently supported (4.14+ only).

                                 End - Regular SRv6 processing as intermediate
                                 segment endpoint. This action only accepts
                                 packets with a non-zero Segments Left value.
                                 Other matching packets are dropped.

                                 End.X nh6 NEXTHOP - Regular SRv6 processing
                                 as intermediate segment endpoint.
                                 Additionally, forward processed packets to
                                 given next-hop. This action only accepts
                                 packets with a non-zero Segments Left value.
                                 Other matching packets are dropped.

                                 End.DX6 nh6 NEXTHOP - Decapsulate inner IPv6
                                 packet and forward it to the specified
                                 next-hop. If the argument is set to ::, then
                                 the next-hop is selected according to the
                                 local selection rules. This action only
                                 accepts packets with either a zero Segments
                                 Left value or no SRH at all, and an inner
                                 IPv6 packet. Other matching packets are
                                 dropped.

                                 End.B6 srh segs SEGMENTS [ hmac KEYID ] -
                                 Insert the specified SRH immediately after
                                 the IPv6 header, update the DA with the first
                                 segment of the newly inserted SRH, then
                                 forward the resulting packet. The original
                                 SRH is not modified. This action only accepts
                                 packets with a non-zero Segments Left value.
                                 Other matching packets are dropped.

                                 End.B6.Encaps srh segs SEGMENTS [ hmac KEYID
                                 ] - Regular SRv6 processing as intermediate
                                 segment endpoint. Additionally, encapsulate
                                 the matching packet within an outer IPv6
                                 header followed by the specified SRH. The
                                 destination address of the outer IPv6 header
                                 is set to the first segment of the new SRH.
                                 The source address is set as described in
                                 ip-sr(8).

              expires TIME (4.4+ only)
                     the route will be deleted after the expires time. Only
                     supported for IPv6 at present.

              ttl-propagate { enabled | disabled }
                     Control whether TTL should be propagated from any encap
                     into the un-encapsulated packet, overriding any global
                     configuration. Only supported for MPLS at present.

       ip route delete
              delete route
              ip route del has the same arguments as ip route add, but their
              semantics are a bit different.

              Key values (to, tos, preference and table) select the route to
              delete. If optional attributes are present, ip verifies that
              they coincide with the attributes of the route to delete. If no
              route with the given key and attributes was found, ip route del
              fails.

       ip route show
              list routes
              This command displays the contents of the routing tables or the
              route(s) selected by some criteria.

              to SELECTOR (default)
                     only select routes from the given range of destinations.
                     SELECTOR consists of an optional modifier (root, match or
                     exact) and a prefix. root PREFIX selects routes with
                     prefixes not shorter than PREFIX. For example, root 0/0
                     selects the entire routing table. match PREFIX selects
                     routes with prefixes not longer than PREFIX. For example,
                     match 10.0/16 selects 10.0/16, 10/8 and 0/0, but it does
                     not select 10.1/16 and 10.0.0/24. And exact PREFIX (or
                     just PREFIX) selects routes with this exact prefix. If
                     none of these options is present, ip assumes root 0/0,
                     i.e. it lists the entire table.

              tos TOS

              dsfield TOS
                     only select routes with the given TOS.

              table TABLEID
                     show the routes from this table(s). The default setting
                     is to show table main. TABLEID may either be the ID of a
                     real table or one of the special values:

                             all - list all of the tables.

                             cache - dump the routing cache.

              vrf NAME
                     show the routes for the table associated with the vrf
                     name

              cloned

              cached
                     list cloned routes, i.e. routes which were dynamically
                     forked from other routes because some route attribute
                     (for example, MTU) was updated. Actually, it is
                     equivalent to table cache.

              from SELECTOR
                     the same syntax as for to, but it binds the source
                     address range rather than destinations. Note that the
                     from option only works with cloned routes.

              protocol RTPROTO
                     only list routes of this protocol.

              scope SCOPE_VAL
                     only list routes with this scope.

              type TYPE
                     only list routes of this type.

              dev NAME
                     only list routes going via this device.

              via [ FAMILY ] PREFIX
                     only list routes going via the nexthop routers selected
                     by PREFIX.

              src PREFIX
                     only list routes with preferred source addresses selected
                     by PREFIX.

              realm REALMID

              realms FROMREALM/TOREALM
                     only list routes with these realms.

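The root, match and exact selectors of ip route show, worked through as an added example (not part of the original manual page or of iproute2). It goes beyond the page's IPv4 case by also accepting IPv6 prefixes; parse_prefix, select and TABLE are this example's own names, and zero-padding abbreviated prefixes such as 10.0/16 is an assumption about how ip reads them. root is the selector that lists more-specific routes inside a range under review, match the one that lists every route that could cover it.

```python
import ipaddress

# Constructed table: the prefixes used in the page's `match 10.0/16` example.
TABLE = ["0/0", "10/8", "10.0/16", "10.1/16", "10.0.0/24"]


def parse_prefix(text):
    """Parse a PREFIX, expanding abbreviated IPv4 forms such as 10.0/16."""
    if text == "default":
        text = "0/0"  # this example treats `default` as the IPv4 default
    addr, _, plen = text.partition("/")
    if ":" in addr:  # IPv6 needs no expansion
        return ipaddress.ip_network(text, strict=False)
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))  # assumption: missing octets are 0
    # A missing length means a full-length host route.
    return ipaddress.ip_network(f"{'.'.join(octets)}/{plen or 32}", strict=False)


def select(routes, modifier, prefix):
    """Return the routes that `ip route show MODIFIER PREFIX` would select."""
    want = parse_prefix(prefix)
    selected = []
    for text in routes:
        net = parse_prefix(text)
        if net.version != want.version:
            continue  # IPv4 and IPv6 routes never select each other
        if modifier == "root":
            # Prefixes not shorter than PREFIX: the route lies inside it.
            hit = net.subnet_of(want)
        elif modifier == "match":
            # Prefixes not longer than PREFIX: the route covers it.
            hit = want.subnet_of(net)
        elif modifier == "exact":
            hit = net == want
        else:
            raise ValueError(f"unknown modifier: {modifier}")
        if hit:
            selected.append(text)
    return selected


if __name__ == "__main__":
    for modifier, prefix in [("match", "10.0/16"), ("root", "10.0/16"),
                             ("exact", "10/8"), ("root", "0/0")]:
        print(f"{modifier:5} {prefix:8} -> {select(TABLE, modifier, prefix)}")
```
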
       ip route flush
              flush routing tables
              This command flushes routes selected by some criteria.

              The arguments have the same syntax and semantics as the
              arguments of ip route show, but routing tables are not listed
              but purged. The only difference is the default action: show
              dumps all the IP main routing table but flush prints the helper
              page.

              With the -statistics option, the command becomes verbose. It
              prints out the number of deleted routes and the number of rounds
              made to flush the routing table. If the option is given twice,
              ip route flush also dumps all the deleted routes in the format
              described in the previous subsection.

       ip route get
              get a single route
              This command gets a single route to a destination and prints its
              contents exactly as the kernel sees it.

              fibmatch
                     Return full fib lookup matched route. Default is to
                     return the resolved dst entry.

              to ADDRESS (default)
                     the destination address.

              from ADDRESS
                     the source address.

              tos TOS

              dsfield TOS
                     the Type Of Service.

              iif NAME
                     the device from which this packet is expected to arrive.

              oif NAME
                     force the output device on which this packet will be
                     routed.

              mark MARK
                     the firewall mark (fwmark)

              vrf NAME
                     force the vrf device on which this packet will be routed.

              ipproto PROTOCOL
                     ip protocol as seen by the route lookup

              sport NUMBER
                     source port as seen by the route lookup

              dport NUMBER
                     destination port as seen by the route lookup

              connected
                     if no source address (option from) was given, relookup
                     the route with the source set to the preferred address
                     received from the first lookup. If policy routing is
                     used, it may be a different route.

              Note that this operation is not equivalent to ip route show.
              show shows existing routes. get resolves them and creates new
              clones if necessary. Essentially, get is equivalent to sending a
              packet along this path. If the iif argument is not given, the
              kernel creates a route to output packets towards the requested
              destination. This is equivalent to pinging the destination with
              a subsequent ip route ls cache, however, no packets are actually
              sent. With the iif argument, the kernel pretends that a packet
              arrived from this interface and searches for a path to forward
              the packet.

       ip route save
              save routing table information to stdout
              This command behaves like ip route show except that the output
              is raw data suitable for passing to ip route restore.

       ip route restore
              restore routing table information from stdin
              This command expects to read a data stream as returned from ip
              route save. It will attempt to restore the routing table
              information exactly as it was at the time of the save, so any
              translation of information in the stream (such as device
              indexes) must be done first. Any existing routes are left
              unchanged. Any routes specified in the data stream that already
              exist in the table will be ignored.

NOTES
       Starting with Linux kernel version 3.6, there is no routing cache for
       IPv4 anymore. Hence ip route show cached will never print any entries
       on systems with this or newer kernel versions.

EXAMPLES
       ip ro
           Show all route entries in the kernel.

       ip route add default via 192.168.1.1 dev eth0
           Adds a default route (for all addresses) via the local gateway
           192.168.1.1 that can be reached on device eth0.

       ip route add 10.1.1.0/30 encap mpls 200/300 via 10.1.1.1 dev eth0
           Adds an IPv4 route with MPLS encapsulation attributes attached to
           it.

       ip -6 route add 2001:db8:1::/64 encap seg6 mode encap segs
       2001:db8:42::1,2001:db8:ffff::2 dev eth0
           Adds an IPv6 route with SRv6 encapsulation and two segments
           attached.

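An added example (not from the manual page or from iproute2) that applies the route types and protocol tags documented above to a review of ip route show output: it reports routes that discard traffic, routes tagged redirect, untagged routes, protocol tags outside an expected set, and onlink nexthops. The sample output and the EXPECTED_PROTOS policy are constructed, the function names are this example's own, and treating a line without a proto field as a protocol boot route is an assumption about how ip prints such routes.

```python
# Constructed `ip route show` output for illustration; not from a real host.
SAMPLE = """\
default via 192.168.1.1 dev eth0 proto static
10.1.1.0/30 encap mpls 200/300 via 10.1.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
blackhole 203.0.113.0/24 proto static
198.51.100.7 via 192.168.1.254 dev eth0 proto redirect
172.16.0.0/12 via 10.9.9.9 dev eth0 proto static onlink
10.8.0.0/16 via 192.168.1.77 dev eth0 proto 99
"""

# Route type keywords from the manual page; a non-unicast type leads the line.
ROUTE_TYPES = {"unicast", "local", "broadcast", "multicast", "throw",
               "unreachable", "prohibit", "blackhole", "nat", "anycast"}
# Types the page describes as unreachable destinations with discarded packets.
DROP_TYPES = {"unreachable", "prohibit", "blackhole"}
# Assumed site policy: the protocol tags this host is expected to carry.
EXPECTED_PROTOS = {"kernel", "static", "ra"}


def value_after(tokens, key):
    """Return the token following `key`, or None if `key` is absent."""
    if key in tokens:
        i = tokens.index(key)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def audit(output):
    """Return (prefix, finding) pairs for routes that deserve a second look."""
    findings = []
    for line in output.splitlines():
        tokens = line.split()
        rtype = "unicast"
        if tokens and tokens[0] in ROUTE_TYPES:
            rtype, tokens = tokens[0], tokens[1:]
        if not tokens:
            continue
        prefix, attrs = tokens[0], tokens[1:]
        if rtype in DROP_TYPES:
            findings.append((prefix, f"drop:{rtype}"))
        # Assumption: a line with no proto field is a protocol boot route,
        # i.e. one that was added without a protocol tag.
        proto = value_after(attrs, "proto") or "boot"
        if proto == "boot":
            findings.append((prefix, "untagged"))
        elif proto == "redirect":
            findings.append((prefix, "icmp-redirect"))
        elif proto not in EXPECTED_PROTOS:
            findings.append((prefix, f"unexpected-proto:{proto}"))
        # onlink skips the check of the nexthop against interface prefixes.
        if "onlink" in attrs:
            findings.append((prefix, f"onlink:{value_after(attrs, 'via')}"))
    return findings


if __name__ == "__main__":
    for prefix, finding in audit(SAMPLE):
        print(f"{prefix:18} {finding}")
```
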
SEE ALSO
       ip(8)

AUTHOR
       Original Manpage by Michail Litvak <mci@owl.openwall.com>

iproute2                         13 Dec 2012                       IP-ROUTE(8)