IP-ROUTE(8)                          Linux                         IP-ROUTE(8)

NAME
       ip-route - routing table management

SYNOPSIS
       ip [ ip-OPTIONS ] route { COMMAND | help }

       ip route { show | flush } SELECTOR

       ip route save SELECTOR

       ip route restore

       ip route get ROUTE_GET_FLAGS ADDRESS [ from ADDRESS iif STRING ] [ oif
               STRING ] [ mark MARK ] [ tos TOS ] [ vrf NAME ] [ ipproto
               PROTOCOL ] [ sport NUMBER ] [ dport NUMBER ]

       ip route { add | del | change | append | replace } ROUTE

       SELECTOR := [ root PREFIX ] [ match PREFIX ] [ exact PREFIX ] [ table
               TABLE_ID ] [ vrf NAME ] [ proto RTPROTO ] [ type TYPE ] [ scope
               SCOPE ]

       ROUTE := NODE_SPEC [ INFO_SPEC ]

       NODE_SPEC := [ TYPE ] PREFIX [ tos TOS ] [ table TABLE_ID ] [ proto
               RTPROTO ] [ scope SCOPE ] [ metric METRIC ] [ ttl-propagate {
               enabled | disabled } ]

       INFO_SPEC := NH OPTIONS FLAGS [ nexthop NH ] ...

       NH := [ encap ENCAP ] [ via [ FAMILY ] ADDRESS ] [ dev STRING ] [
               weight NUMBER ] NHFLAGS

       FAMILY := [ inet | inet6 | ipx | dnet | mpls | bridge | link ]

       OPTIONS := FLAGS [ mtu NUMBER ] [ advmss NUMBER ] [ as [ to ] ADDRESS ]
               [ rtt TIME ] [ rttvar TIME ] [ reordering NUMBER ] [ window
               NUMBER ] [ cwnd NUMBER ] [ ssthresh NUMBER ] [ realms REALM ] [
               rto_min TIME ] [ initcwnd NUMBER ] [ initrwnd NUMBER ] [
               features FEATURES ] [ quickack BOOL ] [ congctl NAME ] [ pref
               PREF ] [ expires TIME ] [ fastopen_no_cookie BOOL ]

       TYPE := [ unicast | local | broadcast | multicast | throw | unreachable
               | prohibit | blackhole | nat ]

       TABLE_ID := [ local | main | default | all | NUMBER ]

       SCOPE := [ host | link | global | NUMBER ]

       NHFLAGS := [ onlink | pervasive ]

       RTPROTO := [ kernel | boot | static | NUMBER ]

       FEATURES := [ ecn | ]

       PREF := [ low | medium | high ]

       ENCAP := [ ENCAP_MPLS | ENCAP_IP | ENCAP_BPF | ENCAP_SEG6 |
               ENCAP_SEG6LOCAL ]

       ENCAP_MPLS := mpls [ LABEL ] [ ttl TTL ]

       ENCAP_IP := ip id TUNNEL_ID dst REMOTE_IP [ tos TOS ] [ ttl TTL ]

       ENCAP_BPF := bpf [ in PROG ] [ out PROG ] [ xmit PROG ] [ headroom SIZE
               ]

       ENCAP_SEG6 := seg6 mode [ encap | inline | l2encap ] segs SEGMENTS [
               hmac KEYID ]

       ENCAP_SEG6LOCAL := seg6local action SEG6_ACTION [ SEG6_ACTION_PARAM ]

       ROUTE_GET_FLAGS := [ fibmatch ]

DESCRIPTION
       ip route is used to manipulate entries in the kernel routing tables.

       Route types:

               unicast - the route entry describes real paths to the
               destinations covered by the route prefix.

               unreachable - these destinations are unreachable. Packets are
               discarded and the ICMP message host unreachable is generated.
               The local senders get an EHOSTUNREACH error.

               blackhole - these destinations are unreachable. Packets are
               discarded silently. The local senders get an EINVAL error.

               prohibit - these destinations are unreachable. Packets are
               discarded and the ICMP message communication administratively
               prohibited is generated. The local senders get an EACCES error.

               local - the destinations are assigned to this host. The packets
               are looped back and delivered locally.

               broadcast - the destinations are broadcast addresses. The
               packets are sent as link broadcasts.

               throw - a special control route used together with policy
               rules. If such a route is selected, lookup in this table is
               terminated pretending that no route was found. Without policy
               routing it is equivalent to the absence of the route in the
               routing table. The packets are dropped and the ICMP message net
               unreachable is generated. The local senders get an ENETUNREACH
               error.

               nat - a special NAT route. Destinations covered by the prefix
               are considered to be dummy (or external) addresses which
               require translation to real (or internal) ones before
               forwarding. The addresses to translate to are selected with the
               attribute via. Warning: Route NAT is no longer supported in
               Linux 2.6.

               anycast - (not implemented) the destinations are anycast
               addresses assigned to this host. They are mainly equivalent to
               local with one difference: such addresses are invalid when used
               as the source address of any packet.

               multicast - a special type used for multicast routing. It is
               not present in normal routing tables.

       Route tables: Linux-2.x can pack routes into several routing tables
       identified by a number in the range from 1 to 2^32-1 or by name from
       the file /etc/iproute2/rt_tables. By default all normal routes are
       inserted into the main table (ID 254) and the kernel only uses this
       table when calculating routes. Values (0, 253, 254, and 255) are
       reserved for built-in use.

       Actually, one other table always exists, which is invisible but even
       more important. It is the local table (ID 255). This table consists of
       routes for local and broadcast addresses. The kernel maintains this
       table automatically and the administrator usually need not modify it or
       even look at it.

       The multiple routing tables enter the game when policy routing is used.

       ip route add
              add new route

       ip route change
              change route

       ip route replace
              change or add new one

              to TYPE PREFIX (default)
                     the destination prefix of the route. If TYPE is omitted,
                     ip assumes type unicast. Other values of TYPE are listed
                     above. PREFIX is an IP or IPv6 address optionally
                     followed by a slash and the prefix length. If the length
                     of the prefix is missing, ip assumes a full-length host
                     route. There is also a special PREFIX default - which is
                     equivalent to IP 0/0 or to IPv6 ::/0.

              tos TOS

              dsfield TOS
                     the Type Of Service (TOS) key. This key has no associated
                     mask and the longest match is understood as: First,
                     compare the TOS of the route and of the packet. If they
                     are not equal, then the packet may still match a route
                     with a zero TOS. TOS is either an 8 bit hexadecimal
                     number or an identifier from /etc/iproute2/rt_dsfield.

              metric NUMBER

              preference NUMBER
                     the preference value of the route. NUMBER is an arbitrary
                     32bit number, where routes with lower values are
                     preferred.

              table TABLEID
                     the table to add this route to. TABLEID may be a number
                     or a string from the file /etc/iproute2/rt_tables. If
                     this parameter is omitted, ip assumes the main table,
                     with the exception of local, broadcast and nat routes,
                     which are put into the local table by default.

              vrf NAME
                     the vrf name to add this route to. Implicitly means the
                     table associated with the VRF.

              dev NAME
                     the output device name.

              via [ FAMILY ] ADDRESS
                     the address of the nexthop router, in the address family
                     FAMILY. Actually, the sense of this field depends on the
                     route type. For normal unicast routes it is either the
                     true next hop router or, if it is a direct route
                     installed in BSD compatibility mode, it can be a local
                     address of the interface. For NAT routes it is the first
                     address of the block of translated IP destinations.

              src ADDRESS
                     the source address to prefer when sending to the
                     destinations covered by the route prefix.

              realm REALMID
                     the realm to which this route is assigned. REALMID may
                     be a number or a string from the file
                     /etc/iproute2/rt_realms.

              mtu MTU

              mtu lock MTU
                     the MTU along the path to the destination. If the
                     modifier lock is not used, the MTU may be updated by the
                     kernel due to Path MTU Discovery. If the modifier lock is
                     used, no path MTU discovery will be tried, all packets
                     will be sent without the DF bit in IPv4 case or
                     fragmented to MTU for IPv6.

              window NUMBER
                     the maximal window for TCP to advertise to these
                     destinations, measured in bytes. It limits maximal data
                     bursts that our TCP peers are allowed to send to us.

              rtt TIME
                     the initial RTT ('Round Trip Time') estimate. If no
                     suffix is specified the units are raw values passed
                     directly to the routing code to maintain compatibility
                     with previous releases. Otherwise, a suffix of s, sec or
                     secs specifies seconds and ms, msec or msecs specifies
                     milliseconds.

              rttvar TIME (Linux 2.3.15+ only)
                     the initial RTT variance estimate. Values are specified
                     as with rtt above.

              rto_min TIME (Linux 2.6.23+ only)
                     the minimum TCP Retransmission TimeOut to use when
                     communicating with this destination. Values are specified
                     as with rtt above.

              ssthresh NUMBER (Linux 2.3.15+ only)
                     an estimate for the initial slow start threshold.

              cwnd NUMBER (Linux 2.3.15+ only)
                     the clamp for congestion window. It is ignored if the
                     lock flag is not used.

              initcwnd NUMBER (Linux 2.5.70+ only)
                     the initial congestion window size for connections to
                     this destination. Actual window size is this value
                     multiplied by the MSS ('Maximal Segment Size') for same
                     connection. The default is zero, meaning to use the
                     values specified in RFC2414.

              initrwnd NUMBER (Linux 2.6.33+ only)
                     the initial receive window size for connections to this
                     destination. Actual window size is this value multiplied
                     by the MSS of the connection. The default value is zero,
                     meaning to use Slow Start value.

              features FEATURES (Linux 3.18+ only)
                     Enable or disable per-route features. Only available
                     feature at this time is ecn to enable explicit congestion
                     notification when initiating connections to the given
                     destination network. When responding to a connection
                     request from the given network, ecn will also be used
                     even if the net.ipv4.tcp_ecn sysctl is set to 0.

              quickack BOOL (Linux 3.11+ only)
                     Enable or disable quick ack for connections to this
                     destination.

              fastopen_no_cookie BOOL (Linux 4.15+ only)
                     Enable TCP Fastopen without a cookie for connections to
                     this destination.

              congctl NAME (Linux 3.20+ only)

              congctl lock NAME (Linux 3.20+ only)
                     Sets a specific TCP congestion control algorithm only for
                     a given destination. If not specified, Linux keeps the
                     current global default TCP congestion control algorithm,
                     or the one set from the application. If the modifier lock
                     is not used, an application may nevertheless overwrite
                     the suggested congestion control algorithm for that
                     destination. If the modifier lock is used, then an
                     application is not allowed to overwrite the specified
                     congestion control algorithm for that destination, thus
                     it will be enforced/guaranteed to use the proposed
                     algorithm.

              advmss NUMBER (Linux 2.3.15+ only)
                     the MSS ('Maximal Segment Size') to advertise to these
                     destinations when establishing TCP connections. If it is
                     not given, Linux uses a default value calculated from the
                     first hop device MTU. (If the path to these destinations
                     is asymmetric, this guess may be wrong.)

              reordering NUMBER (Linux 2.3.15+ only)
                     Maximal reordering on the path to this destination. If
                     it is not given, Linux uses the value selected with
                     sysctl variable net/ipv4/tcp_reordering.

              nexthop NEXTHOP
                     the nexthop of a multipath route. NEXTHOP is a complex
                     value with its own syntax similar to the top level
                     argument lists:

                            via [ FAMILY ] ADDRESS - is the nexthop router.

                            dev NAME - is the output device.

                            weight NUMBER - is a weight for this element of a
                            multipath route reflecting its relative bandwidth
                            or quality.

                     The internal buffer used in iproute2 limits the maximum
                     number of nexthops that may be specified in one go. If
                     only ADDRESS is given, the current buffer size allows for
                     144 IPv6 nexthops and 253 IPv4 ones. For IPv4, this
                     effectively limits the number of nexthops possible per
                     route. With IPv6, further nexthops may be appended to the
                     same route via ip route append command.

              scope SCOPE_VAL
                     the scope of the destinations covered by the route
                     prefix. SCOPE_VAL may be a number or a string from the
                     file /etc/iproute2/rt_scopes. If this parameter is
                     omitted, ip assumes scope global for all gatewayed
                     unicast routes, scope link for direct unicast and
                     broadcast routes and scope host for local routes.

              protocol RTPROTO
                     the routing protocol identifier of this route. RTPROTO
                     may be a number or a string from the file
                     /etc/iproute2/rt_protos. If the routing protocol ID is
                     not given, ip assumes protocol boot (i.e. it assumes the
                     route was added by someone who doesn't understand what
                     they are doing). Several protocol values have a fixed
                     interpretation. Namely:

                            redirect - the route was installed due to an ICMP
                            redirect.

                            kernel - the route was installed by the kernel
                            during autoconfiguration.

                            boot - the route was installed during the bootup
                            sequence. If a routing daemon starts, it will
                            purge all of them.

                            static - the route was installed by the
                            administrator to override dynamic routing. Routing
                            daemon will respect them and, probably, even
                            advertise them to its peers.

                            ra - the route was installed by Router Discovery
                            protocol.

                     The rest of the values are not reserved and the
                     administrator is free to assign (or not to assign)
                     protocol tags.

              onlink pretend that the nexthop is directly attached to this
                     link, even if it does not match any interface prefix.

              pref PREF
                     the IPv6 route preference. PREF is a string specifying
                     the route preference as defined in RFC4191 for Router
                     Discovery messages. Namely:

                            low - the route has the lowest priority

                            medium - the route has the default priority

                            high - the route has the highest priority

              encap ENCAPTYPE ENCAPHDR
                     attach tunnel encapsulation attributes to this route.

                     ENCAPTYPE is a string specifying the supported
                     encapsulation type. Namely:

                            mpls - encapsulation type MPLS

                            ip - IP encapsulation (Geneve, GRE, VXLAN, ...)

                            bpf - Execution of BPF program

                            seg6 - encapsulation type IPv6 Segment Routing

                            seg6local - local SRv6 segment processing

                     ENCAPHDR is a set of encapsulation attributes specific to
                     the ENCAPTYPE.

                            mpls
                              MPLSLABEL - mpls label stack with labels
                              separated by /

                              ttl TTL - TTL to use for MPLS header or 0 to
                              inherit from IP header

                            ip
                              id TUNNEL_ID dst REMOTE_IP [ tos TOS ] [ ttl
                              TTL ]

                            bpf
                              in PROG - BPF program to execute for incoming
                              packets

                              out PROG - BPF program to execute for outgoing
                              packets

                              xmit PROG - BPF program to execute for
                              transmitted packets

                              headroom SIZE - Size of header BPF program will
                              attach (xmit)

                            seg6
                              mode inline - Directly insert Segment Routing
                              Header after IPv6 header

                              mode encap - Encapsulate packet in an outer
                              IPv6 header with SRH

                              mode l2encap - Encapsulate ingress L2 frame
                              within an outer IPv6 header and SRH

                              SEGMENTS - List of comma-separated IPv6
                              addresses

                              KEYID - Numerical value in decimal
                              representation. See ip-sr(8).

                            seg6local
                              SEG6_ACTION [ SEG6_ACTION_PARAM ] - Operation
                              to perform on matching packets. The following
                              actions are currently supported (Linux 4.14+
                              only).

                                End - Regular SRv6 processing as intermediate
                                segment endpoint. This action only accepts
                                packets with a non-zero Segments Left value.
                                Other matching packets are dropped.

                                End.X nh6 NEXTHOP - Regular SRv6 processing
                                as intermediate segment endpoint.
                                Additionally, forward processed packets to
                                given next-hop. This action only accepts
                                packets with a non-zero Segments Left value.
                                Other matching packets are dropped.

                                End.DX6 nh6 NEXTHOP - Decapsulate inner IPv6
                                packet and forward it to the specified
                                next-hop. If the argument is set to ::, then
                                the next-hop is selected according to the
                                local selection rules. This action only
                                accepts packets with either a zero Segments
                                Left value or no SRH at all, and an inner
                                IPv6 packet. Other matching packets are
                                dropped.

                                End.B6 srh segs SEGMENTS [ hmac KEYID ] -
                                Insert the specified SRH immediately after
                                the IPv6 header, update the DA with the first
                                segment of the newly inserted SRH, then
                                forward the resulting packet. The original
                                SRH is not modified. This action only accepts
                                packets with a non-zero Segments Left value.
                                Other matching packets are dropped.

                                End.B6.Encaps srh segs SEGMENTS [ hmac KEYID
                                ] - Regular SRv6 processing as intermediate
                                segment endpoint. Additionally, encapsulate
                                the matching packet within an outer IPv6
                                header followed by the specified SRH. The
                                destination address of the outer IPv6 header
                                is set to the first segment of the new SRH.
                                The source address is set as described in
                                ip-sr(8).

              expires TIME (Linux 4.4+ only)
                     the route will be deleted after the expires time. Only
                     IPv6 is supported at present.

              ttl-propagate { enabled | disabled }
                     Control whether TTL should be propagated from any encap
                     into the un-encapsulated packet, overriding any global
                     configuration. Only supported for MPLS at present.

       ip route delete
              delete route
              ip route del has the same arguments as ip route add, but their
              semantics are a bit different.

              Key values (to, tos, preference and table) select the route to
              delete. If optional attributes are present, ip verifies that
              they coincide with the attributes of the route to delete. If no
              route with the given key and attributes was found, ip route del
              fails.

       ip route show
              list routes
              the command displays the contents of the routing tables or the
              route(s) selected by some criteria.

              to SELECTOR (default)
                     only select routes from the given range of destinations.
                     SELECTOR consists of an optional modifier (root, match or
                     exact) and a prefix. root PREFIX selects routes with
                     prefixes not shorter than PREFIX. For example, root 0/0
                     selects the entire routing table. match PREFIX selects
                     routes with prefixes not longer than PREFIX. For example,
                     match 10.0/16 selects 10.0/16, 10/8 and 0/0, but it does
                     not select 10.1/16 and 10.0.0/24. And exact PREFIX (or
                     just PREFIX) selects routes with this exact prefix. If
                     none of these options is present, ip assumes root 0/0,
                     i.e. it lists the entire table.

              tos TOS

              dsfield TOS
                     only select routes with the given TOS.

              table TABLEID
                     show the routes from this table(s). The default setting
                     is to show table main. TABLEID may either be the ID of a
                     real table or one of the special values:

                            all - list all of the tables.

                            cache - dump the routing cache.

              vrf NAME
                     show the routes for the table associated with the vrf
                     name

              cloned

              cached list cloned routes i.e. routes which were dynamically
                     forked from other routes because some route attribute
                     (e.g. MTU) was updated. Actually, it is equivalent to
                     table cache.

              from SELECTOR
                     the same syntax as for to, but it binds the source
                     address range rather than destinations. Note that the
                     from option only works with cloned routes.

              protocol RTPROTO
                     only list routes of this protocol.

              scope SCOPE_VAL
                     only list routes with this scope.

              type TYPE
                     only list routes of this type.

              dev NAME
                     only list routes going via this device.

              via [ FAMILY ] PREFIX
                     only list routes going via the nexthop routers selected
                     by PREFIX.

              src PREFIX
                     only list routes with preferred source addresses selected
                     by PREFIX.

              realm REALMID

              realms FROMREALM/TOREALM
                     only list routes with these realms.

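The root, match and exact modifiers described under to SELECTOR, modelled in Python as an added example (not part of the man page or of iproute2). It is a simplified IPv4-only model that shows which modifier answers "which routes cover this prefix" and which answers "which more-specific routes sit inside it" when reviewing a table; parse_prefix, select and SAMPLE_ROUTES are names invented here, and the sample table is constructed from the prefixes used in the text above.

```python
import ipaddress

# Constructed sample table: the five prefixes the text uses to illustrate
# "match 10.0/16", written in the same abbreviated form.
SAMPLE_ROUTES = ["0/0", "10/8", "10.0/16", "10.1/16", "10.0.0/24"]


def parse_prefix(text):
    """Expand an abbreviated IPv4 PREFIX ("10.0/16", "default") to a network.

    Assumptions of this model: IPv4 only, missing trailing octets are
    filled with 0, and a missing length means a full-length (/32) host
    route, as the page states for PREFIX.
    """
    if text == "default":
        text = "0/0"
    addr, _, length = text.partition("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"bad IPv4 prefix: {text!r}")
    octets += ["0"] * (4 - len(octets))
    # strict=True rejects a prefix with host bits set, such as 10.0.0.1/8.
    return ipaddress.ip_network(f"{'.'.join(octets)}/{length or 32}", strict=True)


def select(routes, modifier, prefix):
    """Return the entries of `routes` kept by the selector MODIFIER PREFIX."""
    want = parse_prefix(prefix)
    kept = []
    for text in routes:
        route = parse_prefix(text)
        if modifier == "root":
            # Prefix not shorter than PREFIX: the route lies inside PREFIX.
            hit = route.subnet_of(want)
        elif modifier == "match":
            # Prefix not longer than PREFIX: the route covers PREFIX.
            hit = want.subnet_of(route)
        elif modifier == "exact":
            hit = route == want
        else:
            raise ValueError(f"unknown modifier: {modifier!r}")
        if hit:
            kept.append(text)
    return kept


if __name__ == "__main__":
    for modifier, prefix in [("root", "0/0"), ("match", "10.0/16"),
                             ("root", "10.0/16"), ("exact", "10/8")]:
        print(f"{modifier} {prefix}: {select(SAMPLE_ROUTES, modifier, prefix)}")
```
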
       ip route flush
              flush routing tables
              this command flushes routes selected by some criteria.

              The arguments have the same syntax and semantics as the
              arguments of ip route show, but routing tables are not listed
              but purged. The only difference is the default action: show
              dumps all the IP main routing table but flush prints the helper
              page.

              With the -statistics option, the command becomes verbose. It
              prints out the number of deleted routes and the number of rounds
              made to flush the routing table. If the option is given twice,
              ip route flush also dumps all the deleted routes in the format
              described in the previous subsection.

       ip route get
              get a single route
              this command gets a single route to a destination and prints its
              contents exactly as the kernel sees it.

              fibmatch
                     Return full fib lookup matched route. Default is to
                     return the resolved dst entry

              to ADDRESS (default)
                     the destination address.

              from ADDRESS
                     the source address.

              tos TOS

              dsfield TOS
                     the Type Of Service.

              iif NAME
                     the device from which this packet is expected to arrive.

              oif NAME
                     force the output device on which this packet will be
                     routed.

              mark MARK
                     the firewall mark (fwmark)

              vrf NAME
                     force the vrf device on which this packet will be routed.

              ipproto PROTOCOL
                     ip protocol as seen by the route lookup

              sport NUMBER
                     source port as seen by the route lookup

              dport NUMBER
                     destination port as seen by the route lookup

              connected
                     if no source address (option from) was given, relookup
                     the route with the source set to the preferred address
                     received from the first lookup. If policy routing is
                     used, it may be a different route.

              Note that this operation is not equivalent to ip route show.
              show shows existing routes. get resolves them and creates new
              clones if necessary. Essentially, get is equivalent to sending a
              packet along this path. If the iif argument is not given, the
              kernel creates a route to output packets towards the requested
              destination. This is equivalent to pinging the destination with
              a subsequent ip route ls cache, however, no packets are actually
              sent. With the iif argument, the kernel pretends that a packet
              arrived from this interface and searches for a path to forward
              the packet.

       ip route save
              save routing table information to stdout
              This command behaves like ip route show except that the output
              is raw data suitable for passing to ip route restore.

       ip route restore
              restore routing table information from stdin
              This command expects to read a data stream as returned from ip
              route save. It will attempt to restore the routing table
              information exactly as it was at the time of the save, so any
              translation of information in the stream (such as device
              indexes) must be done first. Any existing routes are left
              unchanged. Any routes specified in the data stream that already
              exist in the table will be ignored.

NOTES
       Starting with Linux kernel version 3.6, there is no routing cache for
       IPv4 anymore. Hence ip route show cached will never print any entries
       on systems with this or newer kernel versions.

EXAMPLES
       ip ro
           Show all route entries in the kernel.

       ip route add default via 192.168.1.1 dev eth0
           Adds a default route (for all addresses) via the local gateway
           192.168.1.1 that can be reached on device eth0.

       ip route add 10.1.1.0/30 encap mpls 200/300 via 10.1.1.1 dev eth0
           Adds an IPv4 route with MPLS encapsulation attributes attached to
           it.

       ip -6 route add 2001:db8:1::/64 encap seg6 mode encap segs
               2001:db8:42::1,2001:db8:ffff::2 dev eth0
           Adds an IPv6 route with SRv6 encapsulation and two segments
           attached.

SEE ALSO
       ip(8)

AUTHOR
       Original Manpage by Michail Litvak <mci@owl.openwall.com>

iproute2                          13 Dec 2012                      IP-ROUTE(8)