1IP(8)                                Linux                               IP(8)

NAME

6       ip - show / manipulate routing, devices, policy routing and tunnels
7

SYNOPSIS

9       ip [ OPTIONS ] OBJECT { COMMAND | help }
10
11
12       OBJECT := { link | addr | addrlabel | route | rule | neigh | tunnel |
13               maddr | mroute | monitor }
14
15
16       OPTIONS := { -V[ersion] | -s[tatistics] | -r[esolve] | -f[amily] { inet
17               | inet6 | ipx | dnet | link } | -o[neline] }
18
19       ip link add link DEVICE [ name ] NAME
20               [ txqueuelen PACKETS ]
21               [ address LLADDR ] [ broadcast LLADDR ]
22               [ mtu MTU ]
23               type TYPE [ ARGS ]
24
25       TYPE := [ vlan | macvlan | can ]
26
27       ip link delete DEVICE type TYPE [ ARGS ]
28
29       ip link set DEVICE { up | down | arp { on | off } |
30               promisc { on | off } |
31               allmulticast { on | off } |
32               dynamic { on | off } |
33               multicast { on | off } |
34               txqueuelen PACKETS |
35               name NEWNAME |
36               address LLADDR | broadcast LLADDR |
37               mtu MTU |
38               netns PID |
39               alias NAME |
40               vf NUM [ mac LLADDR ] [ vlan VLANID [ qos VLAN-QOS ] ] [ rate
41               TXRATE ]
42
43       ip link show [ DEVICE ]
44
45       ip addr { add | del } IFADDR dev STRING
46
47       ip addr { show | flush } [ dev STRING ] [ scope SCOPE-ID ] [ to PREFIX
48               ] [ FLAG-LIST ] [ label PATTERN ]
49
50       IFADDR := PREFIX | ADDR peer PREFIX [ broadcast ADDR ] [ anycast ADDR ]
51               [ label STRING ] [ scope SCOPE-ID ]
52
53       SCOPE-ID := [ host | link | global | NUMBER ]
54
55       FLAG-LIST := [ FLAG-LIST ] FLAG
56
57       FLAG := [ permanent | dynamic | secondary | primary | tentative | dep‐
58               recated | dadfailed | temporary ]
59
60       ip addrlabel { add | del } prefix PREFIX [ dev DEV ] [ label NUMBER ]
61
62       ip addrlabel { list | flush }
63
64       ip route { list | flush } SELECTOR
65
66       ip route get ADDRESS [ from ADDRESS iif STRING  ] [ oif STRING ] [ tos
67               TOS ]
68
69       ip route { add | del | change | append | replace | monitor } ROUTE
70
71       SELECTOR := [ root PREFIX ] [ match PREFIX ] [ exact PREFIX ] [ table
72               TABLE_ID ] [ proto RTPROTO ] [ type TYPE ] [ scope SCOPE ]
73
74       ROUTE := NODE_SPEC [ INFO_SPEC ]
75
76       NODE_SPEC := [ TYPE ] PREFIX [ tos TOS ] [ table TABLE_ID ] [ proto
77               RTPROTO ] [ scope SCOPE ] [ metric METRIC ]
78
79       INFO_SPEC := NH OPTIONS FLAGS [ nexthop NH ] ...
80
81       NH := [ via ADDRESS ] [ dev STRING ] [ weight NUMBER ] NHFLAGS
82
83       OPTIONS := FLAGS [ mtu NUMBER ] [ advmss NUMBER ] [ rtt TIME ] [ rttvar
84               TIME ] [ window NUMBER ] [ cwnd NUMBER ] [ initcwnd NUMBER ] [
85               ssthresh REALM ] [ realms REALM ] [ rto_min TIME ] [ initcwnd
86               NUMBER ] [ initrwnd NUMBER ]
87
88       TYPE := [ unicast | local | broadcast | multicast | throw | unreachable
89               | prohibit | blackhole | nat ]
90
91       TABLE_ID := [ local| main | default | all | NUMBER ]
92
93       SCOPE := [ host | link | global | NUMBER ]
94
95       NHFLAGS := [ onlink | pervasive ]
96
97       RTPROTO := [ kernel | boot | static | NUMBER ]
98
99       ip rule  [ list | add | del | flush ] SELECTOR ACTION
100
101       SELECTOR := [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ fwmark
102               FWMARK[/MASK] ] [ iif STRING ] [ oif STRING ] [ pref NUMBER ]
103
104       ACTION := [ table TABLE_ID ] [ nat ADDRESS ] [ prohibit | reject |
105               unreachable ] [ realms [SRCREALM/]DSTREALM ]
106
107       TABLE_ID := [ local | main | default | NUMBER ]
108
109       ip neigh { add | del | change | replace } { ADDR [ lladdr LLADDR ] [
110               nud { permanent | noarp | stale | reachable } ] | proxy ADDR }
111               [ dev DEV ]
112
113       ip neigh { show | flush } [ to PREFIX ] [ dev DEV ] [ nud STATE ]
114
115       ip tunnel { add | change | del | show | prl } [ NAME ]
116               [ mode MODE ] [ remote ADDR ] [ local ADDR ]
117               [ [i|o]seq ] [ [i|o]key KEY ] [ [i|o]csum ]
118               [ encaplimit ELIM ] [ ttl TTL ]
119               [ tos TOS ] [ flowlabel FLOWLABEL ]
120               [ prl-default ADDR ] [ prl-nodefault ADDR ] [ prl-delete ADDR ]
121               [ [no]pmtudisc ] [ dev PHYS_DEV ] [ dscp inherit ]
122
123       MODE :=  { ipip | gre | sit | isatap | ip6ip6 | ipip6 | any }
124
125       ADDR := { IP_ADDRESS | any }
126
127       TOS := { NUMBER | inherit }
128
129       ELIM := { none | 0..255 }
130
131       TTL := { 1..255 | inherit }
132
133       KEY := { DOTTED_QUAD | NUMBER }
134
135       TIME := NUMBER[s|ms|us|ns|j]
136
137       ip maddr [ add | del ] MULTIADDR dev STRING
138
139       ip maddr show [ dev STRING ]
140
141       ip mroute show [ PREFIX ] [ from PREFIX ] [ iif DEVICE ]
142
143       ip monitor [ all | LISTofOBJECTS ]
144
145       ip xfrm XFRM_OBJECT { COMMAND }
146
147       XFRM_OBJECT := { state | policy | monitor }
148
149       ip xfrm state { add | update } ID [ XFRM_OPT ]  [ mode MODE ]
150                [ reqid REQID ]  [ seq SEQ ]  [ replay-window SIZE ]
151                [ flag FLAG-LIST ]  [ encap ENCAP ]  [ sel SELECTOR ]
152                [ LIMIT-LIST ]
153
154       ip xfrm state allocspi ID  [ mode MODE ]  [ reqid REQID ]  [ seq SEQ ]
155               [ min SPI max SPI ]
156
157       ip xfrm state { delete | get } ID
158
159       ip xfrm state { deleteall | list } [ ID ]  [ mode MODE ]
160                [ reqid REQID ]  [ flag FLAG_LIST ]
161
162       ip xfrm state flush [ proto XFRM_PROTO ]
163
164       ip xfrm state count
165
166       ID :=  [ src ADDR ]  [ dst ADDR ]  [ proto XFRM_PROTO ]  [ spi SPI ]
167
168       XFRM_PROTO :=  [ esp | ah | comp | route2 | hao ]
169
170       MODE :=  [ transport | tunnel | ro | beet ] (default=transport)
171
172       FLAG-LIST :=  [ FLAG-LIST ] FLAG
173
174       FLAG :=  [ noecn | decap-dscp | wildrecv ]
175
176       ENCAP := ENCAP-TYPE SPORT DPORT OADDR
177
178       ENCAP-TYPE := espinudp  | espinudp-nonike
179
180       ALGO-LIST := [ ALGO-LIST ] | [ ALGO ]
181
182       ALGO := ALGO_TYPE ALGO_NAME ALGO_KEY
183
184       ALGO_TYPE :=  [ enc | auth | comp ]
185
186       SELECTOR := src ADDR[/PLEN] dst ADDR[/PLEN]  [ UPSPEC ]  [ dev DEV ]
187
188       UPSPEC := proto PROTO [[ sport PORT ]  [ dport PORT ] |
189                [ type NUMBER ]  [ code NUMBER ]]
190
191       LIMIT-LIST := [ LIMIT-LIST ] |  [ limit LIMIT ]
192
193       LIMIT :=  [ [time-soft|time-hard|time-use-soft|time-use-hard] SECONDS ]
194               | [ [byte-soft|byte-hard] SIZE ] |
195                [ [packet-soft|packet-hard] COUNT ]
196
197       ip xfrm policy { add | update }  dir DIR SELECTOR [ index INDEX ]
198                [ ptype PTYPE ]  [ action ACTION ]  [ priority PRIORITY ]
199                [ LIMIT-LIST ] [ TMPL-LIST ]
200
201       ip xfrm policy { delete | get }  dir DIR [ SELECTOR | index INDEX  ]
202                [ ptype PTYPE ]
203
204       ip xfrm policy { deleteall | list }  [ dir DIR ] [ SELECTOR ]
205                [ index INDEX ]  [ action ACTION ]  [ priority PRIORITY ]
206
207       ip xfrm policy flush  [ ptype PTYPE ]
208
209       ip xfrm count
210
211       PTYPE :=  [ main | sub ] (default=main)
212
213       DIR :=  [ in | out | fwd ]
214
215       SELECTOR := src ADDR[/PLEN] dst ADDR[/PLEN] [ UPSPEC  ] [ dev DEV ]
216
217       UPSPEC := proto PROTO [  [ sport PORT ]  [ dport PORT ] |
218                [ type NUMBER ]  [ code NUMBER ] ]
219
220       ACTION :=  [ allow | block ] (default=allow)
221
222       LIMIT-LIST :=  [ LIMIT-LIST ] |  [ limit LIMIT ]
223
224       LIMIT :=  [ [time-soft|time-hard|time-use-soft|time-use-hard] SECONDS ]
225               |  [ [byte-soft|byte-hard] SIZE ] |
226               [ [packet-soft|packet-hard] NUMBER ]
227
228       TMPL-LIST :=  [ TMPL-LIST ] |  [ tmpl TMPL ]
229
230       TMPL := ID [ mode MODE ]  [ reqid REQID ]  [ level LEVEL ]
231
232       ID :=  [ src ADDR ]  [ dst ADDR ]  [ proto XFRM_PROTO ]  [ spi SPI ]
233
234       XFRM_PROTO :=  [ esp | ah | comp | route2 | hao ]
235
236       MODE :=  [ transport | tunnel | beet ] (default=transport)
237
238       LEVEL :=  [ required | use ] (default=required)
239
240       ip xfrm monitor [ all | LISTofOBJECTS ]

OPTIONS

245       -V, -Version
246              print the version of the ip utility and exit.
247
248
249       -s, -stats, -statistics
250              output  more  information.  If the option appears twice or more,
251              the amount of information increases.  As a rule, the information
252              is statistics or some time values.
253
254
255       -f, -family
256              followed by a protocol family identifier (inet, inet6 or  link),
257              enforces  the  protocol  family  to use.  If the option  is  not
258              present,  the  protocol  family is guessed from other arguments.
259              If the rest of the command line does not give enough information
260              to  guess  the family, ip falls back to the default one, usually
261              inet or any.  link is a special family identifier  meaning  that
262              no networking protocol is involved.
263
264
265       -4     shortcut for -family inet.
266
267
268       -6     shortcut for -family inet6.
269
270
271       -0     shortcut for -family link.
272
273
274       -o, -oneline
275              output  each  record on a single line, replacing line feeds with
276              the '\' character. This is convenient when  you  want  to  count
277              records with wc(1) or to grep(1) the output.
278
279
280
281       -r, -resolve
282              use  the  system's  name  resolver to print DNS names instead of
283              host addresses.

IP - COMMAND SYNTAX

287   OBJECT
288       link   - network device.
289
290
291       address
292              - protocol (IP or IPv6) address on a device.
293
294
295       addrlabel
296              - label configuration for protocol address selection.
297
298
299       neighbour
300              - ARP or NDISC cache entry.
301
302
303       route  - routing table entry.
304
305
306       rule   - rule in routing policy database.
307
308
309       maddress
310              - multicast address.
311
312
313       mroute - multicast routing cache entry.
314
315
316       tunnel - tunnel over IP.
317
318
319       xfrm   - framework for IPsec protocol.
320
321
322       The names of all objects may be written in full  or  abbreviated  form,
323       e.g.  address is abbreviated as addr or just a.
324
325
326   COMMAND
327       Specifies  the  action  to  perform on the object.  The set of possible
328       actions depends on the object type.  As a rule, it is possible to  add,
329       delete  and  show (or list ) objects, but some objects do not allow all
330       of these operations or have some additional commands.  The help command
331       is  available  for all objects.  It prints out a list of available com‐
332       mands and argument syntax conventions.
333
334       If no command is given, some default command is assumed.  Usually it is
335       list or, if the objects of this class cannot be listed, help.
336
337
339       link  is  a  network  device and the corresponding commands display and
340       change the state of devices.
341
342
343   ip link add - add virtual link
344       link DEVICE
345              specifies the physical device to operate on.
346
347              NAME specifies the name of the new virtual device.
348
349              TYPE specifies the type of the new device.
350
351              Link types:
352
353                      vlan - 802.1q tagged virtual LAN interface
354
355                      macvlan - virtual interface based on link  layer  address
356                      (MAC)
357
358                      can - Controller Area Network interface
359
360
361   ip link delete - delete virtual link
362       DEVICE specifies the virtual  device to operate on.  TYPE specifies
363       the type of the device.
364
365
366
367       dev DEVICE
368              specifies the physical device to operate on.
369
370
371   ip link set - change device attributes
372       dev DEVICE
373              DEVICE specifies network device to operate on. When  configuring
374              SR-IOV Virtual Function (VF) devices, this keyword should specify
375              the associated Physical Function (PF) device.
376
377
378       up and down
379              change the state of the device to UP or DOWN.
380
381
382       arp on or arp off
383              change the NOARP flag on the device.
384
385
386       multicast on or multicast off
387              change the MULTICAST flag on the device.
388
389
390       dynamic on or dynamic off
391              change the DYNAMIC flag on the device.
392
393
394       name NAME
395              change the name of the device.  This  operation  is  not  recom‐
396              mended  if  the  device is running or has some addresses already
397              configured.
398
399
400       txqueuelen NUMBER
401
402       txqlen NUMBER
403              change the transmit queue length of the device.
404
405
406       mtu NUMBER
407              change the MTU of the device.
408
409
410       address LLADDRESS
411              change the station address of the interface.
412
413
414       broadcast LLADDRESS
415
416       brd LLADDRESS
417
418       peer LLADDRESS
419              change the link layer broadcast address or the peer address when
420              the interface is POINTOPOINT.
421
422
423       netns PID
424              move  the  device  to  the network namespace associated with the
425              process PID.
426
427
428       alias NAME
429              give the device a symbolic name for easy reference.
430
431
432       vf NUM specify a Virtual Function device to be configured. The  associ‐
433              ated PF device must be specified using the dev parameter.
434
435                      mac LLADDRESS - change the station address for the spec‐
436                      ified VF. The vf parameter must be specified.
437
438
439                      vlan VLANID - change the assigned VLAN for the specified
440                      VF. When specified, all traffic sent from the VF will be
441                      tagged with the specified VLAN ID. Incoming traffic will
442                      be filtered for the specified VLAN ID, and will have all
443                      VLAN tags stripped before being passed to the  VF.  Set‐
444                      ting  this parameter to 0 disables VLAN tagging and fil‐
445                      tering. The vf parameter must be specified.
446
447
448                      qos VLAN-QOS - assign VLAN QOS (priority) bits  for  the
449                      VLAN  tag.  When specified, all VLAN tags transmitted by
450                      the VF will include the specified priority bits  in  the
451                      VLAN  tag.  If not specified, the value is assumed to be
452                      0. Both the vf and vlan parameters  must  be  specified.
453                      Setting both vlan and qos as 0 disables VLAN tagging and
454                      filtering for the VF.
455
456
457                      rate TXRATE - change the allowed transmit bandwidth,  in
458                      Mbps, for the specified VF.  Setting this parameter to 0
459                      disables rate limiting. The vf parameter must be  speci‐
460                      fied.
461
462
463       Warning: If multiple parameter changes are requested, ip aborts immedi‐
464       ately after any of the changes have failed.  This is the only case when
465       ip  can  move the system to an unpredictable state.  The solution is to
466       avoid changing several parameters with one ip link set call.
467
468
469   ip link show - display device attributes
470       dev NAME (default)
471              NAME specifies the network device to show.  If this argument  is
472              omitted all devices are listed.
473
474
475       up     only display running interfaces.

ip address - protocol address management.

479       The  address  is  a protocol (IP or IPv6) address attached to a network
480       device.  Each device must have at least one address to use  the  corre‐
481       sponding  protocol.  It is possible to have several different addresses
482       attached to one device.  These addresses are not discriminated, so that
483       the  term  alias is not quite appropriate for them and we do not use it
484       in this document.
485
486       The ip addr command displays addresses and their properties,  adds  new
487       addresses and deletes old ones.
488
489
490   ip address add - add new protocol address.
491       dev NAME
492              the name of the device to add the address to.
493
494
495       local ADDRESS (default)
496              the  address of the interface. The format of the address depends
497              on the protocol. It is a dotted quad for IP and  a  sequence  of
498              hexadecimal halfwords separated by colons for IPv6.  The ADDRESS
499              may be followed by a slash and a decimal  number  which  encodes
500              the network prefix length.
501
502
503       peer ADDRESS
504              the  address  of the remote endpoint for pointopoint interfaces.
505              Again, the ADDRESS may be followed by a slash and a decimal num‐
506              ber,  encoding  the network prefix length.  If a peer address is
507              specified, the local address cannot have a prefix  length.   The
508              network  prefix is associated with the peer rather than with the
509              local address.
510
511
512       broadcast ADDRESS
513              the broadcast address on the interface.
514
515              It is possible to use the special symbols '+' and '-' instead of
516              the  broadcast  address.  In this case, the broadcast address is
517              derived by setting/resetting the host bits of the interface pre‐
518              fix.
519
520
521       label NAME
522              Each  address  may  be  tagged with a label string.  In order to
523              preserve compatibility with Linux-2.0 net aliases,  this  string
524              must  coincide  with  the name of the device or must be prefixed
525              with the device name followed by colon.
526
527
528       scope SCOPE_VALUE
529              the scope of the area where this address is valid.   The  avail‐
530              able  scopes are listed in file /etc/iproute2/rt_scopes.  Prede‐
531              fined scope values are:
532
533                      global - the address is globally valid.
534
535                      site - (IPv6 only) the address is site local, i.e. it is
536                      valid inside this site.
537
538                      link  - the address is link local, i.e. it is valid only
539                      on this device.
540
541                      host - the address is valid only inside this host.
542
543
544   ip address delete - delete protocol address
545       Arguments: coincide with the arguments of ip addr add.  The device name
546       is  a  required  argument.  The rest are optional.  If no arguments are
547       given, the first address is deleted.
548
549
550   ip address show - look at protocol addresses
551       dev NAME (default)
552              name of device.
553
554
555       scope SCOPE_VAL
556              only list addresses with this scope.
557
558
559       to PREFIX
560              only list addresses matching this prefix.
561
562
563       label PATTERN
564              only list addresses with labels matching the  PATTERN.   PATTERN
565              is a usual shell style pattern.
566
567
568       dynamic and permanent
569              (IPv6  only)  only  list  addresses  installed  due to stateless
570              address configuration  or  only  list  permanent  (not  dynamic)
571              addresses.
572
573
574       tentative
575              (IPv6 only) only list addresses which have not yet passed dupli‐
576              cate address detection.
577
578
579       deprecated
580              (IPv6 only) only list deprecated addresses.
581
582
583       dadfailed
584              (IPv6 only) only list  addresses  which  have  failed  duplicate
585              address detection.
586
587
588       temporary
589              (IPv6 only) only list temporary addresses.
590
591
592       primary and secondary
593              only list primary (or secondary) addresses.
594
595
596   ip address flush - flush protocol addresses
597       This command flushes the protocol addresses selected by some criteria.
598
599
600       This command has the same arguments as show.  The difference is that it
601       does not run when no arguments are given.
602
603
604       Warning: This command (and other flush  commands  described  below)  is
605       pretty  dangerous.   If you make a mistake, it will not forgive it, but
606       will cruelly purge all the addresses.
607
608
609       With the -statistics option, the command becomes verbose. It prints out
610       the  number of deleted addresses and the number of rounds made to flush
611       the address list.  If this option is given twice, ip  addr  flush  also
612       dumps all the deleted addresses in the format described in the previous
613       subsection.

ip addrlabel - protocol address label management.

617       IPv6 address label is used for address selection described in RFC 3484.
618       Precedence is managed by userspace, and only label is stored in kernel.
619
620
621   ip addrlabel add - add an address label
622       the command adds an address label entry to the kernel.
623
624       prefix PREFIX
625
626       dev DEV
627              the outgoing interface.
628
629       label NUMBER
630              the label for the prefix.  0xffffffff is reserved.
631
632   ip addrlabel del - delete an address label
633       the  command  deletes an address label entry in the kernel.  Arguments:
634       coincide with the arguments of  ip  addrlabel  add  but  label  is  not
635       required.
636
637   ip addrlabel list - list address labels
638       the command shows the contents of address labels.
639
640   ip addrlabel flush - flush address labels
641       the  command  flushes  the  contents  of address labels and it does not
642       restore default settings.

ip neighbour - neighbour/arp tables management.

645       neighbour objects establish bindings  between  protocol  addresses  and
646       link  layer  addresses  for  hosts  sharing  the  same link.  Neighbour
647       entries are organized into tables. The IPv4 neighbour table is known by
648       another name - the ARP table.
649
650
651       The corresponding commands display neighbour bindings and their proper‐
652       ties, add new neighbour entries and delete old ones.
653
654
655   ip neighbour add - add a new neighbour entry
656   ip neighbour change - change an existing entry
657   ip neighbour replace - add a new entry or change an existing one
658       These commands create new neighbour records or update existing ones.
659
660
661       to ADDRESS (default)
662              the protocol address of the neighbour. It is either an  IPv4  or
663              IPv6 address.
664
665
666       dev NAME
667              the interface to which this neighbour is attached.
668
669
670       lladdr LLADDRESS
671              the  link layer address of the neighbour.  LLADDRESS can also be
672              null.
673
674
675       nud NUD_STATE
676              the state of the neighbour entry.  nud is  an  abbreviation  for
677              'Neighbour Unreachability Detection'.  The state  can  take  one
678              of the following values:
679
680                      permanent - the neighbour entry is valid forever and can
681                      only be removed administratively.
682
683
684                      noarp  -  the  neighbour  entry is valid. No attempts to
685                      validate this entry will be made but it can  be  removed
686                      when its lifetime expires.
687
688
689                      reachable  -  the  neighbour  entry  is  valid until the
690                      reachability timeout expires.
691
692
693                      stale - the neighbour entry  is  valid  but  suspicious.
694                      This  option  to  ip neigh does not change the neighbour
695                      state if it was valid and the address is not changed  by
696                      this command.
697
698
699   ip neighbour delete - delete a neighbour entry
700       This command invalidates a neighbour entry.
701
702
703       The arguments are the same as with ip neigh add, except that lladdr and
704       nud are ignored.
705
706
707       Warning: Attempts to delete or manually change a noarp entry created by
708       the  kernel  may  result in unpredictable behaviour.  Particularly, the
709       kernel may try to resolve this address even on a NOARP interface or  if
710       the address is multicast or broadcast.
711
712
713   ip neighbour show - list neighbour entries
714       This command displays neighbour tables.
715
716
717       to ADDRESS (default)
718              the prefix selecting the neighbours to list.
719
720
721       dev NAME
722              only list the neighbours attached to this device.
723
724
725       unused only list neighbours which are not currently in use.
726
727
728       nud NUD_STATE
729              only list neighbour entries in this state.  NUD_STATE takes val‐
730              ues listed below or  the  special  value  all  which  means  all
731              states.   This  option may occur more than once.  If this option
732              is absent, ip lists all entries except for none and noarp.
733
734
735   ip neighbour flush - flush neighbour entries
736       This command flushes neighbour tables, selecting entries  to  flush  by
737       some criteria.
738
739
740       This  command has the same arguments as show.  The differences are that
741       it does not run when no arguments  are  given,  and  that  the  default
742       neighbour states to be flushed do not include permanent and noarp.
743
744
745       With  the  -statistics  option, the command becomes verbose.  It prints
746       out the number of deleted neighbours and the number of rounds  made  to
747       flush  the  neighbour  table.   If  the option is given twice, ip neigh
748       flush also dumps all the deleted neighbours.

ip route - routing table management

752       Manipulate route entries in  the  kernel  routing  tables,  which  keep
753       information about paths to other networked nodes.
754
755       Route types:
756
757               unicast  - the route entry describes real paths to the destina‐
758               tions covered by the route prefix.
759
760
761               unreachable - these destinations are unreachable.  Packets  are
762               discarded  and  the ICMP message host unreachable is generated.
763               The local senders get an EHOSTUNREACH error.
764
765
766               blackhole - these destinations are  unreachable.   Packets  are
767               discarded silently.  The local senders get an EINVAL error.
768
769
770               prohibit  -  these  destinations  are unreachable.  Packets are
771               discarded and the ICMP message  communication  administratively
772               prohibited  is  generated.   The  local  senders  get an EACCES
773               error.
774
775
776               local - the destinations are assigned to this host.  The  pack‐
777               ets are looped back and delivered locally.
778
779
780               broadcast  -  the  destinations  are  broadcast addresses.  The
781               packets are sent as link broadcasts.
782
783
784               throw - a special  control  route  used  together  with  policy
785               rules.  If  such  a  route is selected, lookup in this table is
786               terminated pretending that no route was found.  Without  policy
787               routing  it  is  equivalent  to the absence of the route in the
788               routing table.  The packets are dropped and  the  ICMP  message
789               net unreachable is generated.  The local senders get an ENETUN‐
790               REACH error.
791
792
793               nat - a special NAT route.  Destinations covered by the  prefix
794               are  considered  to  be  dummy  (or  external)  addresses which
795               require translation to real (or internal) ones before  forward‐
796               ing.   The  addresses  to  translate  to  are selected with the
797               attribute via.  Warning: Route NAT is no  longer  supported  in
798               Linux 2.6.
799
800
801
802
803               anycast  -  (not  implemented)  the  destinations  are  anycast
804               addresses assigned to this host.  They are mainly equivalent to
805               local with one difference: such addresses are invalid when used
806               as the source address of any packet.
807
808
809               multicast - a special type used for multicast routing.   It  is
810               not present in normal routing tables.
811
812
813       Route  tables:  Linux-2.x  can  pack routes into several routing tables
814       identified by a number in the range from 1 to 2^31 or by name from  the
815       file /etc/iproute2/rt_tables.  By default all normal routes are inserted
816       into the main table (ID 254) and the kernel only uses this  table  when
817       calculating  routes.   Values  (0,  253, 254, and 255) are reserved for
818       built-in use.
819
820
821       Actually, one other table always exists, which is  invisible  but  even
822       more  important.   It is the local table (ID 255).  This table consists
823       of routes for local and broadcast addresses.  The kernel maintains this
824       table automatically and the administrator usually need not modify it or
825       even look at it.
826
827       The multiple routing tables enter the game when policy routing is used.
828
829
830   ip route add - add new route
831   ip route change - change route
832   ip route replace - change or add new one
833       to TYPE PREFIX (default)
834              the destination prefix of the route.  If  TYPE  is  omitted,  ip
835              assumes  type  unicast.   Other values of TYPE are listed above.
836              PREFIX is an IP or IPv6 address optionally followed by  a  slash
837              and  the prefix length.  If the length of the prefix is missing,
838              ip assumes a full-length host route.  There is  also  a  special
839              PREFIX default - which is equivalent to IP 0/0 or to IPv6 ::/0.
840
841
842       tos TOS
843
844       dsfield TOS
845              the  Type Of Service (TOS) key.  This key has no associated mask
846              and the longest match is understood as: First, compare  the  TOS
847              of the route and of the packet.  If they are not equal, then the
848              packet may still match a route with a zero TOS.  TOS  is  either
849              an   8   bit   hexadecimal   number   or   an   identifier  from
850              /etc/iproute2/rt_dsfield.
851
852
853       metric NUMBER
854
855       preference NUMBER
856              the preference value of the route.  NUMBER is an arbitrary 32bit
857              number.
858
859
860       table TABLEID
861              the  table  to  add this route to.  TABLEID may be a number or a
862              string from the file /etc/iproute2/rt_tables.  If this parameter
863              is  omitted,  ip  assumes  the main table, with the exception of
864              local , broadcast and nat routes, which are put into  the  local
865              table by default.
866
867
868       dev NAME
869              the output device name.
870
871
872       via ADDRESS
873              the  address of the nexthop router.  Actually, the sense of this
874              field depends on the route type.  For normal unicast  routes  it
875              is  either  the true next hop router or, if it is a direct route
876              installed in BSD compatibility mode, it can be a  local  address
877              of the interface.  For NAT routes it is the first address of the
878              block of translated IP destinations.
879
880
881       src ADDRESS
882              the source address to prefer when sending  to  the  destinations
883              covered by the route prefix.
884
885
886       realm REALMID
887              the  realm  to  which  this route is assigned.  REALMID may be a
888              number or a string from the file /etc/iproute2/rt_realms.
889
890
891       mtu MTU
892
893       mtu lock MTU
894              the MTU along the path to the destination.  If the modifier lock
895              is  not  used,  the MTU may be updated by the kernel due to Path
896              MTU Discovery.  If the modifier lock is used, no path  MTU  dis‐
897              covery  will  be  tried, all packets will be sent without the DF
898              bit in IPv4 case or fragmented to MTU for IPv6.
899
900
901       window NUMBER
902              the maximal window for TCP to advertise to  these  destinations,
903              measured  in  bytes.  It limits maximal data bursts that our TCP
904              peers are allowed to send to us.
905
906
907       rtt TIME
908              the initial RTT ('Round Trip Time') estimate. If  no  suffix  is
909              specified  the units are raw values passed directly to the rout‐
910              ing code to maintain compatibility with previous releases.  Oth‐
911              erwise if a suffix of s, sec or secs is used to specify seconds;
912              ms, msec or msecs to specify milliseconds; us, usec or usecs  to
913              specify  microseconds; ns, nsec or nsecs to specify nanoseconds;
914              j, hz or jiffies to specify jiffies, the value is  converted  to
915              what the routing code expects.
916
917
918
919       rttvar TIME (2.3.15+ only)
920              the  initial RTT variance estimate. Values are specified as with
921              rtt above.
922
923
924       rto_min TIME (2.6.23+ only)
925              the minimum TCP Retransmission TimeOut to use when communicating
926              with this destination.  Values are specified as with rtt above.
927
928
929       ssthresh NUMBER (2.3.15+ only)
930              an estimate for the initial slow start threshold.
931
932
933       cwnd NUMBER (2.3.15+ only)
934              the clamp for congestion window.  It is ignored if the lock flag
935              is not used.
936
937
938       initcwnd NUMBER (2.5.70+ only)
939              the initial congestion window size for connections to this  des‐
940              tination.   Actual  window  size is this value multiplied by the
941              MSS (``Maximal Segment Size'') for same connection. The  default
942              is zero, meaning to use the values specified in RFC2414.
943
944
945       initrwnd NUMBER (2.6.33+ only)
946              the initial receive window size for connections to this destina‐
947              tion.  Actual window size is this value multiplied by the MSS of
948              the  connection.  The default value is zero, meaning to use Slow
949              Start value.
950
951
952       advmss NUMBER (2.3.15+ only)
953              the MSS ('Maximal Segment Size') to advertise to these  destina‐
954              tions  when  establishing  TCP connections.  If it is not given,
955              Linux uses a default value calculated from the first hop  device
956              MTU.   (If  the  path  to  these destination is asymmetric, this
957              guess may be wrong.)
958
959
960       reordering NUMBER (2.3.15+ only)
961              Maximal reordering on the path to this destination.   If  it  is
962              not  given,  Linux  uses the value selected with sysctl variable
963              net/ipv4/tcp_reordering.
964
965
966       nexthop NEXTHOP
967              the nexthop of a multipath route.  NEXTHOP is  a  complex  value
968              with its own syntax similar to the top level argument lists:
969
970                      via ADDRESS - is the nexthop router.
971
972
973                      dev NAME - is the output device.
974
975
976                      weight NUMBER - is a weight for this element of a multi‐
977                      path route reflecting its relative bandwidth or quality.
978
979
980       scope SCOPE_VAL
981              the scope of the  destinations  covered  by  the  route  prefix.
982              SCOPE_VAL   may   be   a  number  or  a  string  from  the  file
983              /etc/iproute2/rt_scopes.   If  this  parameter  is  omitted,  ip
984              assumes  scope  global  for  all gatewayed unicast routes, scope
985              link for direct unicast and broadcast routes and scope host  for
986              local routes.
987
988
989       protocol RTPROTO
990              the routing protocol identifier of this route.  RTPROTO may be a
991              number or a string from the  file  /etc/iproute2/rt_protos.   If
992              the  routing  protocol ID is not given, ip assumes protocol boot
993              (i.e. it assumes the route was  added  by  someone  who  doesn't
994              understand what they are doing).  Several protocol values have a
995              fixed interpretation.  Namely:
996
997                      redirect - the route was installed due to an ICMP  redi‐
998                      rect.
999
1000
1001                      kernel  -  the  route was installed by the kernel during
1002                      autoconfiguration.
1003
1004
1005                      boot  -  the  route  was  installed  during  the  bootup
1006                      sequence.  If a routing daemon starts, it will purge all
1007                      of them.
1008
1009
1010                      static - the route was installed by the administrator to
1011                      override  dynamic  routing.  Routing daemon will respect
1012                      them and, probably, even advertise them to its peers.
1013
1014
1015                      ra - the route was installed by Router Discovery  proto‐
1016                      col.
1017
1018
1019              The rest of the values are not reserved and the administrator is
1020              free to assign (or not to assign) protocol tags.
1021
1022
1023       onlink pretend that the nexthop is directly attached to this link, even
1024              if it does not match any interface prefix.
1025
1026
1027   ip route delete - delete route
1028       ip  route  del has the same arguments as ip route add, but their seman‐
1029       tics are a bit different.
1030
1031       Key values (to, tos, preference and table) select the route to  delete.
1032       If optional attributes are present, ip verifies that they coincide with
1033       the attributes of the route to delete.  If no route with the given  key
1034       and attributes was found, ip route del fails.
1035
1036
1037   ip route show - list routes
1038       the command displays the contents of the routing tables or the route(s)
1039       selected by some criteria.
1040
1041
1042       to SELECTOR (default)
1043              only select routes from the given range of destinations.  SELEC‐
1044              TOR  consists of an optional modifier (root, match or exact) and
1045              a prefix.  root PREFIX selects routes with prefixes not  shorter
1046              than  PREFIX.   F.e.  root 0/0 selects the entire routing table.
1047              match PREFIX selects routes with prefixes not longer  than  PRE‐
1048              FIX.   F.e.  match 10.0/16 selects 10.0/16, 10/8 and 0/0, but it
1049              does not select 10.1/16 and 10.0.0/24.   And  exact  PREFIX  (or
1050              just  PREFIX)  selects routes with this exact prefix. If neither
1051              of these options are present, ip assumes root 0/0 i.e. it  lists
1052              the entire table.
1053
1054
1055       tos TOS
1056              dsfield TOS only select routes with the given TOS.
1057
1058
1059       table TABLEID
1060              show  the  routes from this table(s).  The default setting is to
1061              show table main.  TABLEID may either be the ID of a real table or
1062              one of the special values:
1063
1064                      all - list all of the tables.
1065
1066                      cache - dump the routing cache.
1067
1068
1069       cloned
1070
1071       cached list  cloned  routes  i.e.  routes which were dynamically forked
1072              from other routes because some route attribute  (f.e.  MTU)  was
1073              updated.  Actually, it is equivalent to table cache.
1074
1075
1076       from SELECTOR
1077              the same syntax as for to, but it binds the source address range
1078              rather than destinations.  Note that the from option only  works
1079              with cloned routes.
1080
1081
1082       protocol RTPROTO
1083              only list routes of this protocol.
1084
1085
1086       scope SCOPE_VAL
1087              only list routes with this scope.
1088
1089
1090       type TYPE
1091              only list routes of this type.
1092
1093
1094       dev NAME
1095              only list routes going via this device.
1096
1097
1098       via PREFIX
1099              only  list routes going via the nexthop routers selected by PRE‐
1100              FIX.
1101
1102
1103       src PREFIX
1104              only list routes with preferred  source  addresses  selected  by
1105              PREFIX.
1106
1107
1108       realm REALMID
1109
1110       realms FROMREALM/TOREALM
1111              only list routes with these realms.
1112
1113
1114   ip route flush - flush routing tables
1115       this command flushes routes selected by some criteria.
1116
1117
1118       The arguments have the same syntax and semantics as the arguments of ip
1119       route show, but routing tables are not listed  but  purged.   The  only
1120       difference  is  the  default action: show dumps all the IP main routing
1121       table but flush prints the helper page.
1122
1123
1124       With the -statistics option, the command becomes verbose. It prints out
1125       the number of deleted routes and the number of rounds made to flush the
1126       routing table. If the option is given twice, ip route flush also  dumps
1127       all  the deleted routes in the format described in the previous subsec‐
1128       tion.
1129
1130
1131   ip route get - get a single route
1132       this command gets a single route to a destination and prints  its  con‐
1133       tents exactly as the kernel sees it.
1134
1135
1136       to ADDRESS (default)
1137              the destination address.
1138
1139
1140       from ADDRESS
1141              the source address.
1142
1143
1144       tos TOS
1145
1146       dsfield TOS
1147              the Type Of Service.
1148
1149
1150       iif NAME
1151              the device from which this packet is expected to arrive.
1152
1153
1154       oif NAME
1155              force the output device on which this packet will be routed.
1156
1157
1158       connected
1159              if no source address (option from) was given, relookup the route
1160              with the source set to the preferred address received  from  the
1161              first  lookup.  If policy routing is used, it may be a different
1162              route.
1163
1164
1165       Note that this operation is not equivalent  to  ip  route  show.   show
1166       shows  existing  routes.   get  resolves them and creates new clones if
1167       necessary.  Essentially, get is equivalent to sending  a  packet  along
1168       this  path.   If  the  iif  argument is not given, the kernel creates a
1169       route to output packets towards the  requested  destination.   This  is
1170       equivalent  to  pinging  the  destination with a subsequent ip route ls
1171       cache, however, no packets are actually sent.  With the  iif  argument,
1172       the  kernel  pretends  that  a  packet  arrived from this interface and
1173       searches for a path to forward the packet.
1174
1175

ip rule - routing policy database management

1177       Rules in the routing policy database control the route selection  algo‐
1178       rithm.
1179
1180
1181       Classic  routing algorithms used in the Internet make routing decisions
1182       based only on the destination address of packets (and  in  theory,  but
1183       not in practice, on the TOS field).
1184
1185
1186       In  some  circumstances  we want to route packets differently depending
1187       not only on destination addresses, but also  on  other  packet  fields:
1188       source  address,  IP  protocol, transport protocol ports or even packet
1189       payload.  This task is called 'policy routing'.
1190
1191
1192       To solve this task, the conventional destination based  routing  table,
1193       ordered  according to the longest match rule, is replaced with a 'rout‐
1194       ing policy database' (or RPDB), which selects routes by executing  some
1195       set of rules.
1196
1197
1198       Each  policy  routing  rule consists of a selector and an action predi‐
1199       cate.  The RPDB is scanned in the order  of  increasing  priority.  The
1200       selector  of  each  rule  is  applied  to  {source address, destination
1201       address, incoming interface, tos, fwmark} and, if the selector  matches
1202       the  packet,  the action is performed.  The action predicate may return
1203       with success.  In this case, it will either give  a  route  or  failure
1204       indication  and the RPDB lookup is terminated. Otherwise, the RPDB pro‐
1205       gram continues on the next rule.
1206
1207
1208       Semantically, natural action is to select the nexthop  and  the  output
1209       device.
1210
1211
1212       At  startup  time  the kernel configures the default RPDB consisting of
1213       three rules:
1214
1215
1216       1.     Priority: 0, Selector: match anything,  Action:  lookup  routing
1217              table  local (ID 255).  The local table is a special routing ta‐
1218              ble containing high priority control routes for local and broad‐
1219              cast addresses.
1220
1221              Rule 0 is special. It cannot be deleted or overridden.
1222
1223
1224       2.     Priority:  32766, Selector: match anything, Action: lookup rout‐
1225              ing table main (ID 254).  The main table is the  normal  routing
1226              table containing all non-policy routes. This rule may be deleted
1227              and/or overridden with other ones by the administrator.
1228
1229
1230       3.     Priority: 32767, Selector: match anything, Action: lookup  rout‐
1231              ing  table default (ID 253).  The default table is empty.  It is
1232              reserved for some post-processing if no previous  default  rules
1233              selected the packet.  This rule may also be deleted.
1234
1235
1236       Each  RPDB  entry  has  additional  attributes.   F.e.  each rule has a
1237       pointer to some routing table.  NAT  and  masquerading  rules  have  an
1238       attribute  to  select  new IP address to translate/masquerade.  Besides
1239       that, rules have some optional attributes, which  routes  have,  namely
1240       realms.   These  values  do not override those contained in the routing
1241       tables.  They are only used if the route did not select any attributes.
1242
1243
1244       The RPDB may contain rules of the following types:
1245
1246               unicast - the rule prescribes to return the route found in  the
1247               routing table referenced by the rule.
1248
1249               blackhole - the rule prescribes to silently drop the packet.
1250
1251               unreachable  -  the  rule  prescribes to generate a 'Network is
1252               unreachable' error.
1253
1254               prohibit - the rule prescribes to  generate  'Communication  is
1255               administratively prohibited' error.
1256
1257               nat  -  the  rule prescribes to translate the source address of
1258               the IP packet into some other value.
1259
1260
1261   ip rule add - insert a new rule
1262   ip rule delete - delete a rule
1263       type TYPE (default)
1264              the type of this rule.  The list of valid types was given in the
1265              previous subsection.
1266
1267
1268       from PREFIX
1269              select the source prefix to match.
1270
1271
1272       to PREFIX
1273              select the destination prefix to match.
1274
1275
1276       iif NAME
1277              select  the incoming device to match.  If the interface is loop‐
1278              back, the rule only matches packets originating from this  host.
1279              This  means that you may create separate routing tables for for‐
1280              warded and local packets and, hence, completely segregate them.
1281
1282
1283       oif NAME
1284              select the outgoing device to match.  The outgoing interface  is
1285              only  available  for packets originating from local sockets that
1286              are bound to a device.
1287
1288
1289       tos TOS
1290
1291       dsfield TOS
1292              select the TOS value to match.
1293
1294
1295       fwmark MARK
1296              select the fwmark value to match.
1297
1298
1299       priority PREFERENCE
1300              the priority of this rule.  Each rule should have an  explicitly
1301              set unique priority value.  The options preference and order are
1302              synonyms with priority.
1303
1304
1305       table TABLEID
1306              the routing table identifier to  lookup  if  the  rule  selector
1307              matches.  It is also possible to use lookup instead of table.
1308
1309
1310       realms FROM/TO
1311              Realms  to  select  if  the  rule  matched and the routing table
1312              lookup succeeded.  Realm TO is only used if the  route  did  not
1313              select any realm.
1314
1315
1316       nat ADDRESS
1317              The  base  of  the  IP  address  block  to translate (for source
1318              addresses).  The ADDRESS may be either the start of the block of
1319              NAT  addresses  (selected by NAT routes) or a local host address
1320              (or even zero).  In the last case the router does not  translate
1321              the packets, but masquerades them to this address.  Using map-to
1322              instead of nat means the same thing.
1323
1324              Warning: Changes to the RPDB made with  these  commands  do  not
1325              become  active  immediately.   It is assumed that after a script
1326              finishes a batch of updates, it flushes the routing  cache  with
1327              ip route flush cache.
1328
1329
1330   ip rule flush - also dumps all the deleted rules.
1331       This command has no arguments.
1332
1333
1334   ip rule show - list rules
1335       This  command  has  no arguments.  The options list or lst are synonyms
1336       with show.
1337
1338

ip maddress - multicast addresses management

1340       maddress objects are multicast addresses.
1341
1342
1343   ip maddress show - list multicast addresses
1344       dev NAME (default)
1345              the device name.
1346
1347
1348   ip maddress add - add a multicast address
1349   ip maddress delete - delete a multicast address
1350       these commands attach/detach a static link layer multicast  address  to
1351       listen  on  the interface.  Note that it is impossible to join protocol
1352       multicast groups statically.  This  command  only  manages  link  layer
1353       addresses.
1354
1355
1356       address LLADDRESS (default)
1357              the link layer multicast address.
1358
1359
1360       dev NAME
1361              the device to join/leave this multicast address.
1362
1363

ip mroute - multicast routing cache management

1365       mroute  objects  are  multicast routing cache entries created by a user
1366       level mrouting daemon (f.e.  pimd or mrouted ).
1367
1368       Due to the limitations of the current interface to the multicast  rout‐
1369       ing engine, it is impossible to change mroute objects administratively,
1370       so we may only display them.  This limitation will be  removed  in  the
1371       future.
1372
1373
1374   ip mroute show - list mroute cache entries
1375       to PREFIX (default)
1376              the  prefix  selecting  the  destination  multicast addresses to
1377              list.
1378
1379
1380       iif NAME
1381              the interface on which multicast packets are received.
1382
1383
1384       from PREFIX
1385              the prefix selecting the IP source addresses  of  the  multicast
1386              route.
1387
1388

ip tunnel - tunnel configuration

1390       tunnel  objects  are  tunnels,  encapsulating packets in IP packets and
1391       then sending them over the IP  infrastructure.   The  encapsulating  (or
1392       outer)  address  family  is specified by the -f option.  The default is
1393       IPv4.
1394
1395
1396   ip tunnel add - add a new tunnel
1397   ip tunnel change - change an existing tunnel
1398   ip tunnel delete - destroy a tunnel
1399       name NAME (default)
1400              select the tunnel device name.
1401
1402
1403       mode MODE
1404              set the tunnel mode. Available modes depend on the encapsulating
1405              address family.
1406              Modes  for  IPv4  encapsulation available: ipip, sit, isatap and
1407              gre.
1408              Modes for IPv6 encapsulation available: ip6ip6, ipip6 and any.
1409
1410
1411       remote ADDRESS
1412              set the remote endpoint of the tunnel.
1413
1414
1415       local ADDRESS
1416              set the fixed local address for tunneled packets.  It must be an
1417              address on another interface of this host.
1418
1419
1420       ttl N  set  a  fixed  TTL  N on tunneled packets.  N is a number in the
1421              range 1--255. 0 is a special value meaning that packets  inherit
1422              the  TTL value.  The default value for IPv4 tunnels is: inherit.
1423              The default value for IPv6 tunnels is: 64.
1424
1425
1426
1427       tos T
1428
1429       dsfield T
1430
1431       tclass T
1432              set a fixed TOS (or traffic class in IPv6) T on  tunneled  pack‐
1433              ets.  The default value is: inherit.
1434
1435
1436       dev NAME
1437              bind the tunnel to the device NAME so that tunneled packets will
1438              only be routed via this device and will not be able to escape to
1439              another device when the route to endpoint changes.
1440
1441
1442       nopmtudisc
1443              disable  Path  MTU  Discovery  on this tunnel.  It is enabled by
1444              default.  Note that  a  fixed  ttl  is  incompatible  with  this
1445              option: tunnelling with a fixed ttl always makes pmtu discovery.
1446
1447
1448       key K
1449
1450       ikey K
1451
1452       okey K (  only  GRE  tunnels  ) use keyed GRE with key K. K is either a
1453              number or an IP address-like dotted  quad.   The  key  parameter
1454              sets  the  key  to  use  in  both directions.  The ikey and okey
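1455              parameters set different keys for input and output.  The key is sent in clear text in the GRE header; it is an identifier, not a cryptographic secret, and does not encrypt tunneled packets.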
1456
1457
1458       csum, icsum, ocsum
1459              ( only GRE tunnels )  generate/require  checksums  for  tunneled
1460              packets.  The ocsum flag calculates checksums for outgoing pack‐
1461              ets.  The icsum flag requires that all input  packets  have  the
1462              correct  checksum.   The csum flag is equivalent to the combina‐
1463              tion icsum ocsum.
1464
1465
1466       seq, iseq, oseq
1467              ( only GRE tunnels ) serialize packets.  The oseq  flag  enables
1468              sequencing of outgoing packets.  The iseq flag requires that all
1469              input packets are serialized.  The seq flag is equivalent to the
1470              combination iseq oseq.  It doesn't work.  Don't use it.
1471
1472
1473       dscp inherit
1474              (  only  IPv6 tunnels ) Inherit DS field between inner and outer
1475              header.
1476
1477
1478       encaplim ELIM
1479              ( only IPv6 tunnels ) set a fixed encapsulation limit.   Default
1480              is 4.
1481
1482
1483       flowlabel FLOWLABEL
1484              ( only IPv6 tunnels ) set a fixed flowlabel.
1485
1486
1487   ip tunnel prl - potential router list (ISATAP only)
1488       dev NAME
1489              mandatory device name.
1490
1491
1492       prl-default ADDR
1493
1494       prl-nodefault ADDR
1495
1496       prl-delete ADDR
1497              Add or delete ADDR as a potential router or default router.
1498
1499
1500   ip tunnel show - list tunnels
1501       This command has no arguments.
1502
1503

ip monitor and rtmon - state monitoring

1505       The  ip  utility can monitor the state of devices, addresses and routes
1506       continuously.  This option has a slightly  different  format.   Namely,
1507       the  monitor  command  is  the  first  in the command line and then the
1508       object list follows:
1509
1510       ip monitor [ all | LISTofOBJECTS ]
1511
1512       OBJECT-LIST is the list of object types that we want  to  monitor.   It
1513       may  contain link, address and route.  If no file argument is given, ip
1514       opens RTNETLINK, listens on it and dumps state changes  in  the  format
1515       described in previous sections.
1516
1517
1518       If a file name is given, it does not listen on RTNETLINK, but opens the
1519       file containing RTNETLINK messages saved in  binary  format  and  dumps
1520       them.   Such  a  history  file can be generated with the rtmon utility.
1521       This utility has a command line syntax similar to ip monitor.  Ideally,
1522       rtmon  should be started before the first network configuration command
1523       is issued. F.e. if you insert:
1524
1525               rtmon file /var/log/rtmon.log
1526
1527       in a startup script, you will be able to view the full history later.
1528
1529
1530       Certainly, it is possible to start rtmon at any time.  It prepends  the
1531       history with the state snapshot dumped at the moment of starting.
1532
1533

ip xfrm - setting xfrm

1535       xfrm is an IP framework, which can transform format of the datagrams,
1536       i.e.  encrypt  the  packets  with  some algorithm. xfrm policy and xfrm
1537       state are associated through templates TMPL_LIST.   This  framework  is
1538       used as a part of IPsec protocol.
1539
1540
1541   ip xfrm state add - add new state into xfrm
1542   ip xfrm state update - update existing xfrm state
1543   ip xfrm state allocspi - allocate SPI value
1544       MODE   is set as default to transport, but it could be set to tunnel, ro
1545              or beet.
1546
1547
1548       FLAG-LIST
1549              contains one or more flags.
1550
1551
1552       FLAG   could be set to noecn, decap-dscp or wildrecv.
1553
1554
1555       ENCAP  encapsulation is set to encapsulation  type  ENCAP-TYPE,  source
1556              port SPORT, destination port DPORT and OADDR.
1557
1558
1559       ENCAP-TYPE
1560              could be set to espinudp or espinudp-nonike.
1561
1562
1563       ALGO-LIST
1564              contains one or more algorithms ALGO which depend on the type of
1565              algorithm set by ALGO_TYPE.  The following algorithm types can be used: enc,
1566              auth or comp.
1567
1568
1569   ip xfrm policy add - add a new policy
1570   ip xfrm policy update - update an existing policy
1571   ip xfrm policy delete - delete existing policy
1572   ip xfrm policy get - get existing policy
1573   ip xfrm policy deleteall - delete all existing xfrm policy
1574   ip xfrm policy list - print out the list of xfrm policy
1575   ip xfrm policy flush - flush policies
1576       It can flush all policies or only those specified with ptype.
1577
1578
1579       dir DIR
1580              direction could be one of these: inp, out or fwd.
1581
1582
1583       SELECTOR
1584              selects  for  which  addresses  will  be  set up the policy. The
1585              selector is defined by source and destination address.
1586
1587
1588       UPSPEC is defined by source port sport, destination port dport, type as
1589              number and code also number.
1590
1591
1592       dev DEV
1593              specify network device.
1594
1595
1596       index INDEX
1597              the number of indexed policy.
1598
1599
1600       ptype PTYPE
1601              type defaults to main; it can be switched to sub.
1602
1603
1604       action ACTION
1605              defaults to allow.  It can be switched to block.
1606
1607
1608       priority PRIORITY
1609              priority is a number. Default priority is set on zero.
1610
1611
1612       LIMIT-LIST
1613              limits are set in seconds, bytes or numbers of packets.
1614
1615
1616       TMPL-LIST
1617              template list is based on ID, mode, reqid and level.
1618
1619
1620       ID     is  specified  by source address, destination address, proto and
1621              value of spi.
1622
1623
1624       XFRM_PROTO
1625              values: esp, ah, comp, route2 or hao.
1626
1627
1628       MODE   is set as default on transport, but it could be set on tunnel or
1629              beet.
1630
1631
1632       LEVEL  is set as default on required and the other choice is use.
1633
1634
1635       UPSPEC is specified by sport, dport, type and code (NUMBER).
1636
1637
1638   ip xfrm monitor - is used for listing all objects or defined group of them.
1639       The  xfrm  monitor  can monitor the policies for all objects or defined
1640       group of them.
1641
1642

HISTORY

1644       ip was written by Alexey N. Kuznetsov and added in Linux 2.2.
1645

SEE ALSO

1647       tc(8)
1648       IP Command reference ip-cref.ps
1649       IP tunnels ip-cref.ps
1650       User documentation at http://lartc.org/, but please  direct  bugreports
1651       and patches to: <netdev@vger.kernel.org>
1652
1653

AUTHOR

1655       Original Manpage  by Michail Litvak <mci@owl.openwall.com>
1656
1657
1658
1659iproute2                        17 January 2002                          IP(8)