|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
<HTML><HEAD><TITLE>Man page of IP-XFRM</TITLE>
|
|
</HEAD><BODY>
|
|
<H1>IP-XFRM</H1>
|
|
Section: Linux (8)<BR>Updated: 20 Dec 2011<BR><A HREF="#index">Index</A>
|
|
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
|
|
|
|
<A NAME="lbAB"> </A>
|
|
<H2>NAME</H2>
|
|
|
|
ip-xfrm - transform configuration
|
|
<A NAME="lbAC"> </A>
|
|
<H2>SYNOPSIS</H2>
|
|
|
|
<P>
|
|
|
|
|
|
<BR>
|
|
|
|
<B>ip</B>
|
|
|
|
[ <I>OPTIONS</I> ]
|
|
|
|
<B>xfrm</B>
|
|
|
|
{ <I>COMMAND</I> |
|
|
|
|
<B>help</B> }
|
|
|
|
<P>
|
|
<P>
|
|
<BR>
|
|
|
|
<B>ip xfrm</B>
|
|
|
|
<I>XFRM-OBJECT</I> { <I>COMMAND</I> |
|
|
|
|
<B>help</B> }
|
|
|
|
<P>
|
|
<P>
|
|
<BR>
|
|
|
|
<I>XFRM-OBJECT</I> :=
|
|
|
|
<B>state</B> | <B>policy</B> | <B>monitor</B>
|
|
|
|
<P>
|
|
<P>
|
|
<BR>
|
|
|
|
<B>ip xfrm state</B> { <B>add</B> | <B>update</B> }
|
|
|
|
<I>ID</I> [ <I>ALGO-LIST</I> ]
|
|
|
|
[ <B>mode</B>
|
|
|
|
<I>MODE</I> ]
|
|
|
|
[ <B>mark</B>
|
|
|
|
<I>MARK</I>
|
|
|
|
[ <B>mask</B>
|
|
|
|
<I>MASK</I> ] ]
|
|
|
|
[ <B>reqid</B>
|
|
|
|
<I>REQID</I> ]
|
|
|
|
[ <B>seq</B>
|
|
|
|
<I>SEQ</I> ]
|
|
|
|
[ <B>replay-window</B>
|
|
|
|
<I>SIZE</I> ]
|
|
|
|
[ <B>replay-seq</B>
|
|
|
|
<I>SEQ</I> ]
|
|
|
|
[ <B>replay-oseq</B>
|
|
|
|
<I>SEQ</I> ]
|
|
|
|
[ <B>replay-seq-hi</B>
|
|
|
|
<I>SEQ</I> ]
|
|
|
|
[ <B>replay-oseq-hi</B>
|
|
|
|
<I>SEQ</I> ]
|
|
|
|
[ <B>flag</B>
|
|
|
|
<I>FLAG-LIST</I> ]
|
|
|
|
[ <B>sel</B>
|
|
|
|
<I>SELECTOR</I> ] [ <I>LIMIT-LIST</I> ]
|
|
|
|
[ <B>encap</B>
|
|
|
|
<I>ENCAP</I> ]
|
|
|
|
[ <B>coa</B>
|
|
|
|
<I>ADDR</I>[/<I>PLEN</I>] ]
|
|
|
|
[ <B>ctx</B>
|
|
|
|
<I>CTX</I> ]
|
|
|
|
[ <B>extra-flag</B>
|
|
|
|
<I>EXTRA-FLAG-LIST</I> ]
|
|
|
|
[ <B>output-mark</B>
|
|
|
|
<I>OUTPUT-MARK</I> ]
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<B>ip xfrm state allocspi</B>
|
|
|
|
<I>ID</I>
|
|
|
|
[ <B>mode</B>
|
|
|
|
<I>MODE</I> ]
|
|
|
|
[ <B>mark</B>
|
|
|
|
<I>MARK</I>
|
|
|
|
[ <B>mask</B>
|
|
|
|
<I>MASK</I> ] ]
|
|
|
|
[ <B>reqid</B>
|
|
|
|
<I>REQID</I> ]
|
|
|
|
[ <B>seq</B>
|
|
|
|
<I>SEQ</I> ]
|
|
|
|
[ <B>min</B>
|
|
|
|
<I>SPI</I>
|
|
|
|
<B>max</B>
|
|
|
|
<I>SPI</I> ]
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<B>ip xfrm state</B> { <B>delete</B> | <B>get</B> }
|
|
|
|
<I>ID</I>
|
|
|
|
[ <B>mark</B>
|
|
|
|
<I>MARK</I>
|
|
|
|
[ <B>mask</B>
|
|
|
|
<I>MASK</I> ] ]
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<B>ip</B> [ <B>-4</B> | <B>-6</B> ] <B>xfrm state deleteall</B> [
|
|
|
|
<I>ID</I> ]
|
|
|
|
[ <B>mode</B>
|
|
|
|
<I>MODE</I> ]
|
|
|
|
[ <B>reqid</B>
|
|
|
|
<I>REQID</I> ]
|
|
|
|
[ <B>flag</B>
|
|
|
|
<I>FLAG-LIST</I> ]
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<B>ip</B> [ <B>-4</B> | <B>-6</B> ] <B>xfrm state list</B> [
|
|
|
|
<I>ID</I> ]
|
|
|
|
[ <B>nokeys</B> ]
|
|
|
|
[ <B>mode</B>
|
|
|
|
<I>MODE</I> ]
|
|
|
|
[ <B>reqid</B>
|
|
|
|
<I>REQID</I> ]
|
|
|
|
[ <B>flag</B>
|
|
|
|
<I>FLAG-LIST</I> ]
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<B>ip xfrm state flush</B> [ <B>proto</B>
|
|
|
|
<I>XFRM-PROTO</I> ]
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<B>ip xfrm state count</B>
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>ID</I> :=
|
|
|
|
[ <B>src</B>
|
|
|
|
<I>ADDR</I> ]
|
|
|
|
[ <B>dst</B>
|
|
|
|
<I>ADDR</I> ]
|
|
|
|
[ <B>proto</B>
|
|
|
|
<I>XFRM-PROTO</I> ]
|
|
|
|
[ <B>spi</B>
|
|
|
|
<I>SPI</I> ]
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>XFRM-PROTO</I> :=
|
|
|
|
<B>esp</B> | <B>ah</B> | <B>comp</B> | <B>route2</B> | <B>hao</B>
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>ALGO-LIST</I> := [ <I>ALGO-LIST</I> ] <I>ALGO</I>
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>ALGO</I> :=
|
|
|
|
{ <B>enc</B> | <B>auth</B> }
|
|
|
|
<I>ALGO-NAME</I> <I>ALGO-KEYMAT</I> |
|
|
|
|
<BR>
|
|
|
|
<B>auth-trunc</B>
|
|
|
|
<I>ALGO-NAME</I> <I>ALGO-KEYMAT</I> <I>ALGO-TRUNC-LEN</I> |
|
|
|
|
<BR>
|
|
|
|
<B>aead</B>
|
|
|
|
<I>ALGO-NAME</I> <I>ALGO-KEYMAT</I> <I>ALGO-ICV-LEN</I> |
|
|
|
|
<BR>
|
|
|
|
<B>comp</B>
|
|
|
|
<I>ALGO-NAME</I>
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>MODE</I> :=
|
|
|
|
<B>transport</B> | <B>tunnel</B> | <B>beet</B> | <B>ro</B> | <B>in_trigger</B>
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>FLAG-LIST</I> := [ <I>FLAG-LIST</I> ] <I>FLAG</I>
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>FLAG</I> :=
|
|
|
|
<B>noecn</B> | <B>decap-dscp</B> | <B>nopmtudisc</B> | <B>wildrecv</B> | <B>icmp</B> |
|
|
|
|
<B>af-unspec</B> | <B>align4</B> | <B>esn</B>
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>SELECTOR</I> :=
|
|
|
|
[ <B>src</B>
|
|
|
|
<I>ADDR</I>[/<I>PLEN</I>] ]
|
|
|
|
[ <B>dst</B>
|
|
|
|
<I>ADDR</I>[/<I>PLEN</I>] ]
|
|
|
|
[ <B>dev</B>
|
|
|
|
<I>DEV</I> ]
|
|
|
|
<BR>
|
|
|
|
[ <I>UPSPEC</I> ]
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>UPSPEC</I> :=
|
|
|
|
<B>proto</B> {
|
|
|
|
<I>PROTO</I> |
|
|
|
|
<BR>
|
|
|
|
{ <B>tcp</B> | <B>udp</B> | <B>sctp</B> | <B>dccp</B> } [ <B>sport</B>
|
|
|
|
<I>PORT</I> ]
|
|
|
|
[ <B>dport</B>
|
|
|
|
<I>PORT</I> ] |
|
|
|
|
<BR>
|
|
|
|
{ <B>icmp</B> | <B>ipv6-icmp</B> | <B>mobility-header</B> } [ <B>type</B>
|
|
|
|
<I>NUMBER</I> ]
|
|
|
|
[ <B>code</B>
|
|
|
|
<I>NUMBER</I> ] |
|
|
|
|
<BR>
|
|
|
|
<B>gre</B> [ <B>key</B>
|
|
|
|
{ <I>DOTTED-QUAD</I> | <I>NUMBER</I> } ] }
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>LIMIT-LIST</I> := [ <I>LIMIT-LIST</I> ]
|
|
|
|
<B>limit</B>
|
|
|
|
<I>LIMIT</I>
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>LIMIT</I> :=
|
|
|
|
{ <B>time-soft</B> | <B>time-hard</B> | <B>time-use-soft</B> | <B>time-use-hard</B> }
|
|
|
|
<I>SECONDS</I> |
|
|
|
|
<BR>
|
|
|
|
{ <B>byte-soft</B> | <B>byte-hard</B> }
|
|
|
|
<I>SIZE</I> |
|
|
|
|
<BR>
|
|
|
|
{ <B>packet-soft</B> | <B>packet-hard</B> }
|
|
|
|
<I>COUNT</I>
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>ENCAP</I> :=
|
|
|
|
{ <B>espinudp</B> | <B>espinudp-nonike</B> }
|
|
|
|
<I>SPORT</I> <I>DPORT</I> <I>OADDR</I>
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>EXTRA-FLAG-LIST</I> := [ <I>EXTRA-FLAG-LIST</I> ] <I>EXTRA-FLAG</I>
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>EXTRA-FLAG</I> :=
|
|
|
|
<B>dont-encap-dscp</B>
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<B>ip xfrm policy</B> { <B>add</B> | <B>update</B> }
|
|
|
|
<I>SELECTOR</I>
|
|
|
|
<B>dir</B>
|
|
|
|
<I>DIR</I>
|
|
|
|
[ <B>ctx</B>
|
|
|
|
<I>CTX</I> ]
|
|
|
|
[ <B>mark</B>
|
|
|
|
<I>MARK</I>
|
|
|
|
[ <B>mask</B>
|
|
|
|
<I>MASK</I> ] ]
|
|
|
|
[ <B>index</B>
|
|
|
|
<I>INDEX</I> ]
|
|
|
|
[ <B>ptype</B>
|
|
|
|
<I>PTYPE</I> ]
|
|
|
|
[ <B>action</B>
|
|
|
|
<I>ACTION</I> ]
|
|
|
|
[ <B>priority</B>
|
|
|
|
<I>PRIORITY</I> ]
|
|
|
|
[ <B>flag</B>
|
|
|
|
<I>FLAG-LIST</I> ]
|
|
|
|
[ <I>LIMIT-LIST</I> ] [ <I>TMPL-LIST</I> ]
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<B>ip xfrm policy</B> { <B>delete</B> | <B>get</B> }
|
|
|
|
{ <I>SELECTOR</I> |
|
|
|
|
<B>index</B>
|
|
|
|
<I>INDEX</I> }
|
|
|
|
<B>dir</B>
|
|
|
|
<I>DIR</I>
|
|
|
|
[ <B>ctx</B>
|
|
|
|
<I>CTX</I> ]
|
|
|
|
[ <B>mark</B>
|
|
|
|
<I>MARK</I>
|
|
|
|
[ <B>mask</B>
|
|
|
|
<I>MASK</I> ] ]
|
|
|
|
[ <B>ptype</B>
|
|
|
|
<I>PTYPE</I> ]
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<B>ip</B> [ <B>-4</B> | <B>-6</B> ] <B>xfrm policy</B> { <B>deleteall</B> | <B>list</B> }
|
|
|
|
[ <B>nosock</B> ]
|
|
|
|
[ <I>SELECTOR</I> ]
|
|
|
|
[ <B>dir</B>
|
|
|
|
<I>DIR</I> ]
|
|
|
|
[ <B>index</B>
|
|
|
|
<I>INDEX</I> ]
|
|
|
|
[ <B>ptype</B>
|
|
|
|
<I>PTYPE</I> ]
|
|
|
|
[ <B>action</B>
|
|
|
|
<I>ACTION</I> ]
|
|
|
|
[ <B>priority</B>
|
|
|
|
<I>PRIORITY</I> ]
|
|
|
|
[ <B>flag</B>
|
|
|
|
<I>FLAG-LIST</I>]
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<B>ip xfrm policy flush</B>
|
|
|
|
[ <B>ptype</B>
|
|
|
|
<I>PTYPE</I> ]
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<B>ip xfrm policy count</B>
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<B>ip xfrm policy set</B>
|
|
|
|
[ <B>hthresh4</B>
|
|
|
|
<I>LBITS</I> <I>RBITS</I> ]
|
|
|
|
[ <B>hthresh6</B>
|
|
|
|
<I>LBITS</I> <I>RBITS</I> ]
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>SELECTOR</I> :=
|
|
|
|
[ <B>src</B>
|
|
|
|
<I>ADDR</I>[/<I>PLEN</I>] ]
|
|
|
|
[ <B>dst</B>
|
|
|
|
<I>ADDR</I>[/<I>PLEN</I>] ]
|
|
|
|
[ <B>dev</B>
|
|
|
|
<I>DEV</I> ]
|
|
|
|
[ <I>UPSPEC</I> ]
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>UPSPEC</I> :=
|
|
|
|
<B>proto</B> {
|
|
|
|
<I>PROTO</I> |
|
|
|
|
<BR>
|
|
|
|
{ <B>tcp</B> | <B>udp</B> | <B>sctp</B> | <B>dccp</B> } [ <B>sport</B>
|
|
|
|
<I>PORT</I> ]
|
|
|
|
[ <B>dport</B>
|
|
|
|
<I>PORT</I> ] |
|
|
|
|
<BR>
|
|
|
|
{ <B>icmp</B> | <B>ipv6-icmp</B> | <B>mobility-header</B> } [ <B>type</B>
|
|
|
|
<I>NUMBER</I> ]
|
|
|
|
[ <B>code</B>
|
|
|
|
<I>NUMBER</I> ] |
|
|
|
|
<BR>
|
|
|
|
<B>gre</B> [ <B>key</B>
|
|
|
|
{ <I>DOTTED-QUAD</I> | <I>NUMBER</I> } ] }
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>DIR</I> :=
|
|
|
|
<B>in</B> | <B>out</B> | <B>fwd</B>
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>PTYPE</I> :=
|
|
|
|
<B>main</B> | <B>sub</B>
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>ACTION</I> :=
|
|
|
|
<B>allow</B> | <B>block</B>
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>FLAG-LIST</I> := [ <I>FLAG-LIST</I> ] <I>FLAG</I>
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>FLAG</I> :=
|
|
|
|
<B>localok</B> | <B>icmp</B>
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>LIMIT-LIST</I> := [ <I>LIMIT-LIST</I> ]
|
|
|
|
<B>limit</B>
|
|
|
|
<I>LIMIT</I>
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>LIMIT</I> :=
|
|
|
|
{ <B>time-soft</B> | <B>time-hard</B> | <B>time-use-soft</B> | <B>time-use-hard</B> }
|
|
|
|
<I>SECONDS</I> |
|
|
|
|
<BR>
|
|
|
|
{ <B>byte-soft</B> | <B>byte-hard</B> }
|
|
|
|
<I>SIZE</I> |
|
|
|
|
<BR>
|
|
|
|
{ <B>packet-soft</B> | <B>packet-hard</B> }
|
|
|
|
<I>COUNT</I>
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>TMPL-LIST</I> := [ <I>TMPL-LIST</I> ]
|
|
|
|
<B>tmpl</B>
|
|
|
|
<I>TMPL</I>
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>TMPL</I> := <I>ID</I>
|
|
|
|
[ <B>mode</B>
|
|
|
|
<I>MODE</I> ]
|
|
|
|
[ <B>reqid</B>
|
|
|
|
<I>REQID</I> ]
|
|
|
|
[ <B>level</B>
|
|
|
|
<I>LEVEL</I> ]
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>ID</I> :=
|
|
|
|
[ <B>src</B>
|
|
|
|
<I>ADDR</I> ]
|
|
|
|
[ <B>dst</B>
|
|
|
|
<I>ADDR</I> ]
|
|
|
|
[ <B>proto</B>
|
|
|
|
<I>XFRM-PROTO</I> ]
|
|
|
|
[ <B>spi</B>
|
|
|
|
<I>SPI</I> ]
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>XFRM-PROTO</I> :=
|
|
|
|
<B>esp</B> | <B>ah</B> | <B>comp</B> | <B>route2</B> | <B>hao</B>
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>MODE</I> :=
|
|
|
|
<B>transport</B> | <B>tunnel</B> | <B>beet</B> | <B>ro</B> | <B>in_trigger</B>
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>LEVEL</I> :=
|
|
|
|
<B>required</B> | <B>use</B>
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<B>ip xfrm monitor</B> [
|
|
|
|
<B>all-nsid</B>
|
|
|
|
] [
|
|
<B>nokeys</B>
|
|
|
|
] [
|
|
<B>all</B>
|
|
|
|
<BR> |
|
|
<I>LISTofXFRM-OBJECTS</I> ]
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>LISTofXFRM-OBJECTS</I> := [ <I>LISTofXFRM-OBJECTS</I> ] <I>XFRM-OBJECT</I>
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>XFRM-OBJECT</I> :=
|
|
|
|
<B>acquire</B> | <B>expire</B> | <B>SA</B> | <B>policy</B> | <B>aevent</B> | <B>report</B>
|
|
|
|
<P>
|
|
|
|
|
|
<P>
|
|
<A NAME="lbAD"> </A>
|
|
<H2>DESCRIPTION</H2>
|
|
|
|
<P>
|
|
xfrm is an IP framework for transforming packets (such as encrypting
|
|
their payloads). This framework is used to implement the IPsec protocol
|
|
suite (with the
|
|
<B>state</B>
|
|
|
|
object operating on the Security Association Database, and the
|
|
<B>policy</B>
|
|
|
|
object operating on the Security Policy Database). It is also used for
|
|
the IP Payload Compression Protocol and features of Mobile IPv6.
|
|
<P>
|
|
<TABLE>
|
|
<TR VALIGN=top><TD>ip xfrm state add</TD><TD>add new state into xfrm<BR></TD></TR>
|
|
<TR VALIGN=top><TD>ip xfrm state update</TD><TD>update existing state in xfrm<BR></TD></TR>
|
|
<TR VALIGN=top><TD>ip xfrm state allocspi</TD><TD>allocate an SPI value<BR></TD></TR>
|
|
<TR VALIGN=top><TD>ip xfrm state delete</TD><TD>delete existing state in xfrm<BR></TD></TR>
|
|
<TR VALIGN=top><TD>ip xfrm state get</TD><TD>get existing state in xfrm<BR></TD></TR>
|
|
<TR VALIGN=top><TD>ip xfrm state deleteall</TD><TD>delete all existing state in xfrm that matches the given filter (all state when no filter is given)<BR></TD></TR>
|
|
<TR VALIGN=top><TD>ip xfrm state list</TD><TD>print out the list of existing state in xfrm (keying material is included in the output unless <B>nokeys</B> is given)<BR></TD></TR>
|
|
<TR VALIGN=top><TD>ip xfrm state flush</TD><TD>flush all state in xfrm, or only the state of one <I>XFRM-PROTO</I> when <B>proto</B> is given<BR></TD></TR>
|
|
<TR VALIGN=top><TD>ip xfrm state count</TD><TD>count all existing state in xfrm<BR></TD></TR>
|
|
</TABLE>
|
|
|
|
<P>
|
|
<DL COMPACT>
|
|
<DT id="1"><I>ID</I>
|
|
|
|
<DD>
|
|
is specified by a source address, destination address,
|
|
transform protocol <I>XFRM-PROTO</I>,
|
|
|
|
and/or Security Parameter Index
|
|
<I>SPI</I>.
|
|
|
|
(For IP Payload Compression, the Compression Parameter Index or CPI is used for
|
|
<I>SPI</I>.)
|
|
|
|
<P>
|
|
<DT id="2"><I>XFRM-PROTO</I>
|
|
|
|
<DD>
|
|
specifies a transform protocol:
|
|
IPsec Encapsulating Security Payload (<B>esp</B>),
|
|
|
|
IPsec Authentication Header (<B>ah</B>),
|
|
|
|
IP Payload Compression (<B>comp</B>),
|
|
|
|
Mobile IPv6 Type 2 Routing Header (<B>route2</B>), or
|
|
|
|
Mobile IPv6 Home Address Option (<B>hao</B>).
|
|
|
|
<P>
|
|
<DT id="3"><I>ALGO-LIST</I>
|
|
|
|
<DD>
|
|
contains one or more algorithms to use. Each algorithm
|
|
<I>ALGO</I>
|
|
|
|
is specified by:
|
|
<DL COMPACT><DT id="4"><DD>
|
|
<DL COMPACT>
|
|
<DT id="5">•<DD>
|
|
the algorithm type:
|
|
encryption (<B>enc</B>),
|
|
|
|
authentication (<B>auth</B> or <B>auth-trunc</B>),
|
|
|
|
authenticated encryption with associated data (<B>aead</B>), or
|
|
|
|
compression (<B>comp</B>)
|
|
|
|
<DT id="6">•<DD>
|
|
the algorithm name
|
|
<I>ALGO-NAME</I>
|
|
|
|
(see below)
|
|
<DT id="7">•<DD>
|
|
(for all except <B>comp</B>)
|
|
|
|
the keying material
|
|
<I>ALGO-KEYMAT</I>,
|
|
|
|
which may include both a key and a salt or nonce value; refer to the
corresponding RFC for the exact key and salt lengths the algorithm expects.
Keying material given on the command line is visible to other users in the
process list and may be recorded in shell history; when listing or monitoring
states, use the <B>nokeys</B> option to keep it out of the output.
|
|
<DT id="8">•<DD>
|
|
(for <B>auth-trunc</B> only)
|
|
|
|
the truncation length
<I>ALGO-TRUNC-LEN</I>
in bits. Both peers must use the same value; the length an algorithm's RFC
specifies (for example RFC 4868 uses 128 bits for <B>hmac(sha256)</B>) is not
necessarily the default applied by plain <B>auth</B>, so set it explicitly when
interoperating with other implementations.
|
|
<DT id="9">•<DD>
|
|
(for <B>aead</B> only)
|
|
|
|
the Integrity Check Value length
|
|
<I>ALGO-ICV-LEN</I>
|
|
|
|
in bits
|
|
</DL>
|
|
</DL>
|
|
|
|
<P>
|
|
|
|
<DL COMPACT><DT id="10"><DD>
|
|
Encryption algorithms include
<B>ecb(cipher_null)</B>, <B>cbc(des)</B>, <B>cbc(des3_ede)</B>, <B>cbc(cast5)</B>,
<B>cbc(blowfish)</B>, <B>cbc(aes)</B>, <B>cbc(serpent)</B>, <B>cbc(camellia)</B>,
<B>cbc(twofish)</B>, and <B>rfc3686(ctr(aes))</B>.
Note that <B>ecb(cipher_null)</B> provides no confidentiality at all,
<B>cbc(des)</B> uses a 56-bit key and is considered broken, and the 64-bit block
ciphers (<B>cbc(des3_ede)</B>, <B>cbc(blowfish)</B>, <B>cbc(cast5)</B>) should
not be used for large volumes of traffic; prefer the AES-based algorithms, or an
<B>aead</B> algorithm, for new configurations.
|
|
|
|
<P>
|
|
Authentication algorithms include
<B>digest_null</B>, <B>hmac(md5)</B>, <B>hmac(sha1)</B>, <B>hmac(sha256)</B>,
<B>hmac(sha384)</B>, <B>hmac(sha512)</B>, <B>hmac(rmd160)</B>, and <B>xcbc(aes)</B>.
Note that <B>digest_null</B> provides no integrity protection, and that an ESP
state given only an <B>enc</B> algorithm is encrypted but not authenticated,
leaving the traffic open to undetected modification; pair <B>enc</B> with a
real <B>auth</B> algorithm (<B>hmac(md5)</B> and <B>hmac(sha1)</B> are legacy;
prefer the SHA-2 variants) or use an <B>aead</B> algorithm, which provides both.
|
|
|
|
<P>
|
|
Authenticated encryption with associated data (AEAD) algorithms include
|
|
<B>rfc4106(gcm(aes))</B>, <B>rfc4309(ccm(aes))</B>, and <B>rfc4543(gcm(aes))</B>.
|
|
|
|
<P>
|
|
Compression algorithms include
|
|
<B>deflate</B>, <B>lzs</B>, and <B>lzjh</B>.
|
|
|
|
</DL>
|
|
|
|
|
|
<P>
|
|
<DT id="11"><I>MODE</I>
|
|
|
|
<DD>
|
|
specifies a mode of operation for the transform protocol. IPsec and IP Payload
|
|
Compression modes are
|
|
<B>transport</B>, <B>tunnel</B>,
|
|
|
|
and (for IPsec ESP only) Bound End-to-End Tunnel
|
|
(<B>beet</B>).
|
|
|
|
Mobile IPv6 modes are route optimization
|
|
(<B>ro</B>)
|
|
|
|
and inbound trigger
|
|
(<B>in_trigger</B>).
|
|
|
|
<P>
|
|
<DT id="12"><I>FLAG-LIST</I>
|
|
|
|
<DD>
|
|
contains one or more of the following optional flags:
|
|
<B>noecn</B>, <B>decap-dscp</B>, <B>nopmtudisc</B>, <B>wildrecv</B>, <B>icmp</B>,
|
|
|
|
<B>af-unspec</B>, <B>align4</B>, or <B>esn</B>.
|
|
|
|
<P>
|
|
<DT id="13"><I>SELECTOR</I>
|
|
|
|
<DD>
|
|
selects the traffic that will be controlled by the policy, based on the source
|
|
address, the destination address, the network device, and/or
|
|
<I>UPSPEC</I>.
|
|
|
|
<P>
|
|
<DT id="14"><I>UPSPEC</I>
|
|
|
|
<DD>
|
|
selects traffic by protocol. For the
|
|
<B>tcp</B>, <B>udp</B>, <B>sctp</B>, or <B>dccp</B>
|
|
|
|
protocols, the source and destination port can optionally be specified.
|
|
For the
|
|
<B>icmp</B>, <B>ipv6-icmp</B>, or <B>mobility-header</B>
|
|
|
|
protocols, the type and code numbers can optionally be specified.
|
|
For the
|
|
<B>gre</B>
|
|
|
|
protocol, the key can optionally be specified as a dotted-quad or number.
|
|
Other protocols can be selected by name or number
|
|
<I>PROTO</I>.
|
|
|
|
<P>
|
|
<DT id="15"><I>LIMIT-LIST</I>
|
|
|
|
<DD>
|
|
sets limits in seconds, bytes, or numbers of packets.
|
|
<P>
|
|
<DT id="16"><I>ENCAP</I>
|
|
|
|
<DD>
|
|
encapsulates packets with protocol
|
|
<B>espinudp</B> or <B>espinudp-nonike</B>,
|
|
|
|
using source port <I>SPORT</I>, destination port <I>DPORT</I>,
and original address <I>OADDR</I>.
|
|
|
|
<P>
|
|
<DT id="17"><I>MARK</I>
|
|
|
|
<DD>
|
|
is compared, after applying the optional <I>MASK</I>, with the packet mark to select which xfrm policies and states apply.
|
|
<P>
|
|
<DT id="18"><I>OUTPUT-MARK</I>
|
|
|
|
<DD>
|
|
used to set the output mark, which influences the routing
of the packets emitted by the state.
|
|
<P>
|
|
<P>
|
|
</DL>
|
|
<P>
|
|
|
|
<TABLE>
|
|
<TR VALIGN=top><TD>ip xfrm policy add</TD><TD>add a new policy<BR></TD></TR>
|
|
<TR VALIGN=top><TD>ip xfrm policy update</TD><TD>update an existing policy<BR></TD></TR>
|
|
<TR VALIGN=top><TD>ip xfrm policy delete</TD><TD>delete an existing policy<BR></TD></TR>
|
|
<TR VALIGN=top><TD>ip xfrm policy get</TD><TD>get an existing policy<BR></TD></TR>
|
|
<TR VALIGN=top><TD>ip xfrm policy deleteall</TD><TD>delete all existing xfrm policies that match the given filter (all policies when no filter is given)<BR></TD></TR>
|
|
<TR VALIGN=top><TD>ip xfrm policy list</TD><TD>print out the list of xfrm policies<BR></TD></TR>
|
|
<TR VALIGN=top><TD>ip xfrm policy flush</TD><TD>flush policies (all of them, or only those of the given <I>PTYPE</I>)<BR></TD></TR>
|
|
</TABLE>
|
|
|
|
<P>
|
|
<DL COMPACT>
|
|
<DT id="19"><B>nosock</B>
|
|
|
|
<DD>
|
|
filter (remove) all socket policies from the output.
|
|
<P>
|
|
<DT id="20"><I>SELECTOR</I>
|
|
|
|
<DD>
|
|
selects the traffic that will be controlled by the policy, based on the source
|
|
address, the destination address, the network device, and/or
|
|
<I>UPSPEC</I>.
|
|
|
|
<P>
|
|
<DT id="21"><I>UPSPEC</I>
|
|
|
|
<DD>
|
|
selects traffic by protocol. For the
|
|
<B>tcp</B>, <B>udp</B>, <B>sctp</B>, or <B>dccp</B>
|
|
|
|
protocols, the source and destination port can optionally be specified.
|
|
For the
|
|
<B>icmp</B>, <B>ipv6-icmp</B>, or <B>mobility-header</B>
|
|
|
|
protocols, the type and code numbers can optionally be specified.
|
|
For the
|
|
<B>gre</B>
|
|
|
|
protocol, the key can optionally be specified as a dotted-quad or number.
|
|
Other protocols can be selected by name or number
|
|
<I>PROTO</I>.
|
|
|
|
<P>
|
|
<DT id="22"><I>DIR</I>
|
|
|
|
<DD>
|
|
selects the policy direction as
|
|
<B>in</B>, <B>out</B>, or <B>fwd</B>.
|
|
|
|
<P>
|
|
<DT id="23"><I>CTX</I>
|
|
|
|
<DD>
|
|
sets the security context of the policy (used for labeled IPsec with an LSM such as SELinux).
|
|
<P>
|
|
<DT id="24"><I>PTYPE</I>
|
|
|
|
<DD>
|
|
can be
|
|
<B>main</B> (default) or <B>sub</B>.
|
|
|
|
<P>
|
|
<DT id="25"><I>ACTION</I>
|
|
|
|
<DD>
|
|
can be
|
|
<B>allow</B> (default) or <B>block</B>.
|
|
|
|
<P>
|
|
<DT id="26"><I>PRIORITY</I>
|
|
|
|
<DD>
|
|
is a number that defaults to zero; when several policies match the same traffic, lower values take precedence over higher ones.
|
|
<P>
|
|
<DT id="27"><I>FLAG-LIST</I>
|
|
|
|
<DD>
|
|
contains one or both of the following optional flags:
<B>localok</B> or <B>icmp</B>.
|
|
|
|
<P>
|
|
<DT id="28"><I>LIMIT-LIST</I>
|
|
|
|
<DD>
|
|
sets limits in seconds, bytes, or numbers of packets.
|
|
<P>
|
|
<DT id="29"><I>TMPL-LIST</I>
|
|
|
|
<DD>
|
|
is a template list specified using
|
|
<I>ID</I>, <I>MODE</I>, <I>REQID</I>, and/or <I>LEVEL</I>.
|
|
|
|
<P>
|
|
<DT id="30"><I>ID</I>
|
|
|
|
<DD>
|
|
is specified by a source address, destination address,
|
|
transform protocol <I>XFRM-PROTO</I>,
|
|
|
|
and/or Security Parameter Index
|
|
<I>SPI</I>.
|
|
|
|
(For IP Payload Compression, the Compression Parameter Index or CPI is used for
|
|
<I>SPI</I>.)
|
|
|
|
<P>
|
|
<DT id="31"><I>XFRM-PROTO</I>
|
|
|
|
<DD>
|
|
specifies a transform protocol:
|
|
IPsec Encapsulating Security Payload (<B>esp</B>),
|
|
|
|
IPsec Authentication Header (<B>ah</B>),
|
|
|
|
IP Payload Compression (<B>comp</B>),
|
|
|
|
Mobile IPv6 Type 2 Routing Header (<B>route2</B>), or
|
|
|
|
Mobile IPv6 Home Address Option (<B>hao</B>).
|
|
|
|
<P>
|
|
<DT id="32"><I>MODE</I>
|
|
|
|
<DD>
|
|
specifies a mode of operation for the transform protocol. IPsec and IP Payload
|
|
Compression modes are
|
|
<B>transport</B>, <B>tunnel</B>,
|
|
|
|
and (for IPsec ESP only) Bound End-to-End Tunnel
|
|
(<B>beet</B>).
|
|
|
|
Mobile IPv6 modes are route optimization
|
|
(<B>ro</B>)
|
|
|
|
and inbound trigger
|
|
(<B>in_trigger</B>).
|
|
|
|
<P>
|
|
<DT id="33"><I>LEVEL</I>
|
|
|
|
<DD>
|
|
can be
<B>required</B> (default) or <B>use</B>.
With <B>required</B>, matching traffic is only passed when a matching state
exists (otherwise it is dropped and an acquire is generated); with <B>use</B>,
the transform is applied if a state exists and the traffic is otherwise passed
untransformed, so <B>use</B> must not be relied on to enforce protection.
|
|
|
|
<P>
|
|
<P>
|
|
</DL>
|
|
<P>
|
|
|
|
<TABLE>
|
|
<TR VALIGN=top><TD>ip xfrm policy count</TD><TD>count existing policies<BR></TD></TR>
|
|
</TABLE>
|
|
|
|
<P>
|
|
<P>
|
|
|
|
Use one or more -s options to display more details, including policy hash table
|
|
information.
|
|
<P>
|
|
<P>
|
|
<P>
|
|
|
|
<TABLE>
|
|
<TR VALIGN=top><TD>ip xfrm policy set</TD><TD>configure the policy hash table<BR></TD></TR>
|
|
</TABLE>
|
|
|
|
<P>
|
|
<P>
|
|
|
|
Security policies whose address prefix lengths are greater than or equal to the
policy hash table thresholds are hashed. Others are stored in the
policy_inexact chained list.
|
|
<P>
|
|
<DL COMPACT>
|
|
<DT id="34"><I>LBITS</I>
|
|
|
|
<DD>
|
|
specifies the minimum local address prefix length of policies that are
|
|
stored in the Security Policy Database hash table.
|
|
<P>
|
|
<DT id="35"><I>RBITS</I>
|
|
|
|
<DD>
|
|
specifies the minimum remote address prefix length of policies that are
|
|
stored in the Security Policy Database hash table.
|
|
<P>
|
|
<P>
|
|
</DL>
|
|
<P>
|
|
|
|
<TABLE>
|
|
<TR VALIGN=top><TD>ip xfrm monitor </TD><TD>state monitoring for xfrm objects<BR></TD></TR>
|
|
</TABLE>
|
|
|
|
<P>
|
|
<P>
|
|
|
|
The xfrm objects to monitor can be optionally specified.
|
|
<P>
|
|
<P>
|
|
|
|
If the
|
|
<B>all-nsid</B>
|
|
|
|
option is set, the program listens to all network namespaces that have an
nsid assigned in the network namespace where the program is running.
|
|
A prefix is displayed to show the network namespace where the message
|
|
originates. Example:
|
|
<P>
|
|
|
|
[nsid 1]Flushed state proto 0
|
|
|
|
<P>
|
|
<P>
|
|
<A NAME="lbAE"> </A>
|
|
<H2>AUTHOR</H2>
|
|
|
|
Manpage revised by David Ward <<A HREF="mailto:david.ward@ll.mit.edu">david.ward@ll.mit.edu</A>>
|
|
<BR>
|
|
|
|
Manpage revised by Christophe Gouault <<A HREF="mailto:christophe.gouault@6wind.com">christophe.gouault@6wind.com</A>>
|
|
<BR>
|
|
|
|
Manpage revised by Nicolas Dichtel <<A HREF="mailto:nicolas.dichtel@6wind.com">nicolas.dichtel@6wind.com</A>>
|
|
<P>
|
|
|
|
<HR>
|
|
<A NAME="index"> </A><H2>Index</H2>
|
|
<DL>
|
|
<DT id="36"><A HREF="#lbAB">NAME</A><DD>
|
|
<DT id="37"><A HREF="#lbAC">SYNOPSIS</A><DD>
|
|
<DT id="38"><A HREF="#lbAD">DESCRIPTION</A><DD>
|
|
<DT id="39"><A HREF="#lbAE">AUTHOR</A><DD>
|
|
</DL>
|
|
<HR>
|
|
This document was created by
|
|
<A HREF="/cgi-bin/man/man2html">man2html</A>,
|
|
using the manual pages.<BR>
|
|
Time: 00:06:13 GMT, March 31, 2021
|
|
</BODY>
|
|
</HTML>
|