suzanne.soy/man-pages
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
gh-pages
man-pages/man8/ip-xfrm.8.html
Suzanne Soy 4c89183f2b Added man pages from my system
2021-03-31 01:06:50 +01:00

1228 lines
18 KiB
HTML
Raw Permalink Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of IP-XFRM</TITLE>
</HEAD><BODY>
<H1>IP-XFRM</H1>
Section: Linux (8)<BR>Updated: 20 Dec 2011<BR><A HREF="#index">Index</A>
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>
ip-xfrm - transform configuration
<A NAME="lbAC">&nbsp;</A>
<H2>SYNOPSIS</H2>
<P>
<BR>
<B>ip</B>
[ <I>OPTIONS</I> ]
<B>xfrm</B>
{ <I>COMMAND</I> |
<B>help</B> }
<P>
<P>
<BR>
<B>ip xfrm</B>
<I>XFRM-OBJECT</I> { <I>COMMAND</I> |
<B>help</B> }
<P>
<P>
<BR>
<I>XFRM-OBJECT</I> :=
<B>state</B> | <B>policy</B> | <B>monitor</B>
<P>
<P>
<BR>
<B>ip xfrm state</B> { <B>add</B> | <B>update</B> }
<I>ID</I> [ <I>ALGO-LIST</I> ]
[ <B>mode</B>
<I>MODE</I> ]
[ <B>mark</B>
<I>MARK</I>
[ <B>mask</B>
<I>MASK</I> ] ]
[ <B>reqid</B>
<I>REQID</I> ]
[ <B>seq</B>
<I>SEQ</I> ]
[ <B>replay-window</B>
<I>SIZE</I> ]
[ <B>replay-seq</B>
<I>SEQ</I> ]
[ <B>replay-oseq</B>
<I>SEQ</I> ]
[ <B>replay-seq-hi</B>
<I>SEQ</I> ]
[ <B>replay-oseq-hi</B>
<I>SEQ</I> ]
[ <B>flag</B>
<I>FLAG-LIST</I> ]
[ <B>sel</B>
<I>SELECTOR</I> ] [ <I>LIMIT-LIST</I> ]
[ <B>encap</B>
<I>ENCAP</I> ]
[ <B>coa</B>
<I>ADDR</I>[/<I>PLEN</I>] ]
[ <B>ctx</B>
<I>CTX</I> ]
[ <B>extra-flag</B>
<I>EXTRA-FLAG-LIST</I> ]
[ <B>output-mark</B>
<I>OUTPUT-MARK</I> ]
<P>
<BR>
<B>ip xfrm state allocspi</B>
<I>ID</I>
[ <B>mode</B>
<I>MODE</I> ]
[ <B>mark</B>
<I>MARK</I>
[ <B>mask</B>
<I>MASK</I> ] ]
[ <B>reqid</B>
<I>REQID</I> ]
[ <B>seq</B>
<I>SEQ</I> ]
[ <B>min</B>
<I>SPI</I>
<B>max</B>
<I>SPI</I> ]
<P>
<BR>
<B>ip xfrm state</B> { <B>delete</B> | <B>get</B> }
<I>ID</I>
[ <B>mark</B>
<I>MARK</I>
[ <B>mask</B>
<I>MASK</I> ] ]
<P>
<BR>
<B>ip</B> [ <B>-4</B> | <B>-6</B> ] <B>xfrm state deleteall</B> [
<I>ID</I> ]
[ <B>mode</B>
<I>MODE</I> ]
[ <B>reqid</B>
<I>REQID</I> ]
[ <B>flag</B>
<I>FLAG-LIST</I> ]
<P>
<BR>
<B>ip</B> [ <B>-4</B> | <B>-6</B> ] <B>xfrm state list</B> [
<I>ID</I> ]
[ <B>nokeys</B> ]
[ <B>mode</B>
<I>MODE</I> ]
[ <B>reqid</B>
<I>REQID</I> ]
[ <B>flag</B>
<I>FLAG-LIST</I> ]
<P>
<BR>
<B>ip xfrm state flush</B> [ <B>proto</B>
<I>XFRM-PROTO</I> ]
<P>
<BR>
<B>ip xfrm state count</B>
<P>
<BR>
<I>ID</I> :=
[ <B>src</B>
<I>ADDR</I> ]
[ <B>dst</B>
<I>ADDR</I> ]
[ <B>proto</B>
<I>XFRM-PROTO</I> ]
[ <B>spi</B>
<I>SPI</I> ]
<P>
<BR>
<I>XFRM-PROTO</I> :=
<B>esp</B> | <B>ah</B> | <B>comp</B> | <B>route2</B> | <B>hao</B>
<P>
<BR>
<I>ALGO-LIST</I> := [ <I>ALGO-LIST</I> ] <I>ALGO</I>
<P>
<BR>
<I>ALGO</I> :=
{ <B>enc</B> | <B>auth</B> }
<I>ALGO-NAME</I> <I>ALGO-KEYMAT</I> |
<BR>
<B>auth-trunc</B>
<I>ALGO-NAME</I> <I>ALGO-KEYMAT</I> <I>ALGO-TRUNC-LEN</I> |
<BR>
<B>aead</B>
<I>ALGO-NAME</I> <I>ALGO-KEYMAT</I> <I>ALGO-ICV-LEN</I> |
<BR>
<B>comp</B>
<I>ALGO-NAME</I>
<P>
<BR>
<I>MODE</I> :=
<B>transport</B> | <B>tunnel</B> | <B>beet</B> | <B>ro</B> | <B>in_trigger</B>
<P>
<BR>
<I>FLAG-LIST</I> := [ <I>FLAG-LIST</I> ] <I>FLAG</I>
<P>
<BR>
<I>FLAG</I> :=
<B>noecn</B> | <B>decap-dscp</B> | <B>nopmtudisc</B> | <B>wildrecv</B> | <B>icmp</B> |
<B>af-unspec</B> | <B>align4</B> | <B>esn</B>
<P>
<BR>
<I>SELECTOR</I> :=
[ <B>src</B>
<I>ADDR</I>[/<I>PLEN</I>] ]
[ <B>dst</B>
<I>ADDR</I>[/<I>PLEN</I>] ]
[ <B>dev</B>
<I>DEV</I> ]
<BR>
[ <I>UPSPEC</I> ]
<P>
<BR>
<I>UPSPEC</I> :=
<B>proto</B> {
<I>PROTO</I> |
<BR>
{ <B>tcp</B> | <B>udp</B> | <B>sctp</B> | <B>dccp</B> } [ <B>sport</B>
<I>PORT</I> ]
[ <B>dport</B>
<I>PORT</I> ] |
<BR>
{ <B>icmp</B> | <B>ipv6-icmp</B> | <B>mobility-header</B> } [ <B>type</B>
<I>NUMBER</I> ]
[ <B>code</B>
<I>NUMBER</I> ] |
<BR>
<B>gre</B> [ <B>key</B>
{ <I>DOTTED-QUAD</I> | <I>NUMBER</I> } ] }
<P>
<BR>
<I>LIMIT-LIST</I> := [ <I>LIMIT-LIST</I> ]
<B>limit</B>
<I>LIMIT</I>
<P>
<BR>
<I>LIMIT</I> :=
{ <B>time-soft</B> | <B>time-hard</B> | <B>time-use-soft</B> | <B>time-use-hard</B> }
<I>SECONDS</I> |
<BR>
{ <B>byte-soft</B> | <B>byte-hard</B> }
<I>SIZE</I> |
<BR>
{ <B>packet-soft</B> | <B>packet-hard</B> }
<I>COUNT</I>
<P>
<BR>
<I>ENCAP</I> :=
{ <B>espinudp</B> | <B>espinudp-nonike</B> }
<I>SPORT</I> <I>DPORT</I> <I>OADDR</I>
<P>
<BR>
<I>EXTRA-FLAG-LIST</I> := [ <I>EXTRA-FLAG-LIST</I> ] <I>EXTRA-FLAG</I>
<P>
<BR>
<I>EXTRA-FLAG</I> :=
<B>dont-encap-dscp</B>
<P>
<BR>
<B>ip xfrm policy</B> { <B>add</B> | <B>update</B> }
<I>SELECTOR</I>
<B>dir</B>
<I>DIR</I>
[ <B>ctx</B>
<I>CTX</I> ]
[ <B>mark</B>
<I>MARK</I>
[ <B>mask</B>
<I>MASK</I> ] ]
[ <B>index</B>
<I>INDEX</I> ]
[ <B>ptype</B>
<I>PTYPE</I> ]
[ <B>action</B>
<I>ACTION</I> ]
[ <B>priority</B>
<I>PRIORITY</I> ]
[ <B>flag</B>
<I>FLAG-LIST</I> ]
[ <I>LIMIT-LIST</I> ] [ <I>TMPL-LIST</I> ]
<P>
<BR>
<B>ip xfrm policy</B> { <B>delete</B> | <B>get</B> }
{ <I>SELECTOR</I> |
<B>index</B>
<I>INDEX</I> }
<B>dir</B>
<I>DIR</I>
[ <B>ctx</B>
<I>CTX</I> ]
[ <B>mark</B>
<I>MARK</I>
[ <B>mask</B>
<I>MASK</I> ] ]
[ <B>ptype</B>
<I>PTYPE</I> ]
<P>
<BR>
<B>ip</B> [ <B>-4</B> | <B>-6</B> ] <B>xfrm policy</B> { <B>deleteall</B> | <B>list</B> }
[ <B>nosock</B> ]
[ <I>SELECTOR</I> ]
[ <B>dir</B>
<I>DIR</I> ]
[ <B>index</B>
<I>INDEX</I> ]
[ <B>ptype</B>
<I>PTYPE</I> ]
[ <B>action</B>
<I>ACTION</I> ]
[ <B>priority</B>
<I>PRIORITY</I> ]
[ <B>flag</B>
<I>FLAG-LIST</I>]
<P>
<BR>
<B>ip xfrm policy flush</B>
[ <B>ptype</B>
<I>PTYPE</I> ]
<P>
<BR>
<B>ip xfrm policy count</B>
<P>
<BR>
<B>ip xfrm policy set</B>
[ <B>hthresh4</B>
<I>LBITS</I> <I>RBITS</I> ]
[ <B>hthresh6</B>
<I>LBITS</I> <I>RBITS</I> ]
<P>
<BR>
<I>SELECTOR</I> :=
[ <B>src</B>
<I>ADDR</I>[/<I>PLEN</I>] ]
[ <B>dst</B>
<I>ADDR</I>[/<I>PLEN</I>] ]
[ <B>dev</B>
<I>DEV</I> ]
[ <I>UPSPEC</I> ]
<P>
<BR>
<I>UPSPEC</I> :=
<B>proto</B> {
<I>PROTO</I> |
<BR>
{ <B>tcp</B> | <B>udp</B> | <B>sctp</B> | <B>dccp</B> } [ <B>sport</B>
<I>PORT</I> ]
[ <B>dport</B>
<I>PORT</I> ] |
<BR>
{ <B>icmp</B> | <B>ipv6-icmp</B> | <B>mobility-header</B> } [ <B>type</B>
<I>NUMBER</I> ]
[ <B>code</B>
<I>NUMBER</I> ] |
<BR>
<B>gre</B> [ <B>key</B>
{ <I>DOTTED-QUAD</I> | <I>NUMBER</I> } ] }
<P>
<BR>
<I>DIR</I> :=
<B>in</B> | <B>out</B> | <B>fwd</B>
<P>
<BR>
<I>PTYPE</I> :=
<B>main</B> | <B>sub</B>
<P>
<BR>
<I>ACTION</I> :=
<B>allow</B> | <B>block</B>
<P>
<BR>
<I>FLAG-LIST</I> := [ <I>FLAG-LIST</I> ] <I>FLAG</I>
<P>
<BR>
<I>FLAG</I> :=
<B>localok</B> | <B>icmp</B>
<P>
<BR>
<I>LIMIT-LIST</I> := [ <I>LIMIT-LIST</I> ]
<B>limit</B>
<I>LIMIT</I>
<P>
<BR>
<I>LIMIT</I> :=
{ <B>time-soft</B> | <B>time-hard</B> | <B>time-use-soft</B> | <B>time-use-hard</B> }
<I>SECONDS</I> |
<BR>
{ <B>byte-soft</B> | <B>byte-hard</B> }
<I>SIZE</I> |
<BR>
{ <B>packet-soft</B> | <B>packet-hard</B> }
<I>COUNT</I>
<P>
<BR>
<I>TMPL-LIST</I> := [ <I>TMPL-LIST</I> ]
<B>tmpl</B>
<I>TMPL</I>
<P>
<BR>
<I>TMPL</I> := <I>ID</I>
[ <B>mode</B>
<I>MODE</I> ]
[ <B>reqid</B>
<I>REQID</I> ]
[ <B>level</B>
<I>LEVEL</I> ]
<P>
<BR>
<I>ID</I> :=
[ <B>src</B>
<I>ADDR</I> ]
[ <B>dst</B>
<I>ADDR</I> ]
[ <B>proto</B>
<I>XFRM-PROTO</I> ]
[ <B>spi</B>
<I>SPI</I> ]
<P>
<BR>
<I>XFRM-PROTO</I> :=
<B>esp</B> | <B>ah</B> | <B>comp</B> | <B>route2</B> | <B>hao</B>
<P>
<BR>
<I>MODE</I> :=
<B>transport</B> | <B>tunnel</B> | <B>beet</B> | <B>ro</B> | <B>in_trigger</B>
<P>
<BR>
<I>LEVEL</I> :=
<B>required</B> | <B>use</B>
<P>
<BR>
<B>ip xfrm monitor</B> [
<B>all-nsid</B>
] [
<B>nokeys</B>
] [
<B>all</B>
<BR>&nbsp;|
<I>LISTofXFRM-OBJECTS</I> ]
<P>
<BR>
<I>LISTofXFRM-OBJECTS</I> := [ <I>LISTofXFRM-OBJECTS</I> ] <I>XFRM-OBJECT</I>
<P>
<BR>
<I>XFRM-OBJECT</I> :=
<B>acquire</B> | <B>expire</B> | <B>SA</B> | <B>policy</B> | <B>aevent</B> | <B>report</B>
<P>
<P>
<A NAME="lbAD">&nbsp;</A>
<H2>DESCRIPTION</H2>
<P>
xfrm is an IP framework for transforming packets (such as encrypting
their payloads). This framework is used to implement the IPsec protocol
suite (with the
<B>state</B>
object operating on the Security Association Database, and the
<B>policy</B>
object operating on the Security Policy Database). It is also used for
the IP Payload Compression Protocol and features of Mobile IPv6.
<P>
<TABLE>
<TR VALIGN=top><TD>ip xfrm state add</TD><TD>add new state into xfrm<BR></TD></TR>
<TR VALIGN=top><TD>ip xfrm state update</TD><TD>update existing state in xfrm<BR></TD></TR>
<TR VALIGN=top><TD>ip xfrm state allocspi</TD><TD>allocate an SPI value<BR></TD></TR>
<TR VALIGN=top><TD>ip xfrm state delete</TD><TD>delete existing state in xfrm<BR></TD></TR>
<TR VALIGN=top><TD>ip xfrm state get</TD><TD>get existing state in xfrm<BR></TD></TR>
<TR VALIGN=top><TD>ip xfrm state deleteall</TD><TD>delete all existing state in xfrm<BR></TD></TR>
<TR VALIGN=top><TD>ip xfrm state list</TD><TD>print out the list of existing state in xfrm<BR></TD></TR>
<TR VALIGN=top><TD>ip xfrm state flush</TD><TD>flush all state in xfrm<BR></TD></TR>
<TR VALIGN=top><TD>ip xfrm state count</TD><TD>count all existing state in xfrm<BR></TD></TR>
</TABLE>
<P>
<DL COMPACT>
<DT id="1"><I>ID</I>
<DD>
is specified by a source address, destination address,
transform protocol <I>XFRM-PROTO</I>,
and/or Security Parameter Index
<I>SPI</I>.
(For IP Payload Compression, the Compression Parameter Index or CPI is used for
<I>SPI</I>.)
<P>
<DT id="2"><I>XFRM-PROTO</I>
<DD>
specifies a transform protocol:
IPsec Encapsulating Security Payload (<B>esp</B>),
IPsec Authentication Header (<B>ah</B>),
IP Payload Compression (<B>comp</B>),
Mobile IPv6 Type 2 Routing Header (<B>route2</B>), or
Mobile IPv6 Home Address Option (<B>hao</B>).
<P>
<DT id="3"><I>ALGO-LIST</I>
<DD>
contains one or more algorithms to use. Each algorithm
<I>ALGO</I>
is specified by:
<DL COMPACT><DT id="4"><DD>
<DL COMPACT>
<DT id="5">&bull;<DD>
the algorithm type:
encryption (<B>enc</B>),
authentication (<B>auth</B> or <B>auth-trunc</B>),
authenticated encryption with associated data (<B>aead</B>), or
compression (<B>comp</B>)
<DT id="6">&bull;<DD>
the algorithm name
<I>ALGO-NAME</I>
(see below)
<DT id="7">&bull;<DD>
(for all except <B>comp</B>)
the keying material
<I>ALGO-KEYMAT</I>,
which may include both a key and a salt or nonce value; refer to the
corresponding RFC
<DT id="8">&bull;<DD>
(for <B>auth-trunc</B> only)
the truncation length
<I>ALGO-TRUNC-LEN</I>
in bits
<DT id="9">&bull;<DD>
(for <B>aead</B> only)
the Integrity Check Value length
<I>ALGO-ICV-LEN</I>
in bits
</DL>
</DL>
<P>
<DL COMPACT><DT id="10"><DD>
Encryption algorithms include
<B>ecb(cipher_null)</B>, <B>cbc(des)</B>, <B>cbc(des3_ede)</B>, <B>cbc(cast5)</B>,
<B>cbc(blowfish)</B>, <B>cbc(aes)</B>, <B>cbc(serpent)</B>, <B>cbc(camellia)</B>,
<B>cbc(twofish)</B>, and <B>rfc3686(ctr(aes))</B>.
<P>
Authentication algorithms include
<B>digest_null</B>, <B>hmac(md5)</B>, <B>hmac(sha1)</B>, <B>hmac(sha256)</B>,
<B>hmac(sha384)</B>, <B>hmac(sha512)</B>, <B>hmac(rmd160)</B>, and <B>xcbc(aes)</B>.
<P>
Authenticated encryption with associated data (AEAD) algorithms include
<B>rfc4106(gcm(aes))</B>, <B>rfc4309(ccm(aes))</B>, and <B>rfc4543(gcm(aes))</B>.
<P>
Compression algorithms include
<B>deflate</B>, <B>lzs</B>, and <B>lzjh</B>.
</DL>
<P>
<DT id="11"><I>MODE</I>
<DD>
specifies a mode of operation for the transform protocol. IPsec and IP Payload
Compression modes are
<B>transport</B>, <B>tunnel</B>,
and (for IPsec ESP only) Bound End-to-End Tunnel
(<B>beet</B>).
Mobile IPv6 modes are route optimization
(<B>ro</B>)
and inbound trigger
(<B>in_trigger</B>).
<P>
<DT id="12"><I>FLAG-LIST</I>
<DD>
contains one or more of the following optional flags:
<B>noecn</B>, <B>decap-dscp</B>, <B>nopmtudisc</B>, <B>wildrecv</B>, <B>icmp</B>,
<B>af-unspec</B>, <B>align4</B>, or <B>esn</B>.
<P>
<DT id="13"><I>SELECTOR</I>
<DD>
selects the traffic that will be controlled by the policy, based on the source
address, the destination address, the network device, and/or
<I>UPSPEC</I>.
<P>
<DT id="14"><I>UPSPEC</I>
<DD>
selects traffic by protocol. For the
<B>tcp</B>, <B>udp</B>, <B>sctp</B>, or <B>dccp</B>
protocols, the source and destination port can optionally be specified.
For the
<B>icmp</B>, <B>ipv6-icmp</B>, or <B>mobility-header</B>
protocols, the type and code numbers can optionally be specified.
For the
<B>gre</B>
protocol, the key can optionally be specified as a dotted-quad or number.
Other protocols can be selected by name or number
<I>PROTO</I>.
<P>
<DT id="15"><I>LIMIT-LIST</I>
<DD>
sets limits in seconds, bytes, or numbers of packets.
<P>
<DT id="16"><I>ENCAP</I>
<DD>
encapsulates packets with protocol
<B>espinudp</B> or <B>espinudp-nonike</B>,
using source port <I>SPORT</I>, destination port <I>DPORT</I>
, and original address <I>OADDR</I>.
<P>
<DT id="17"><I>MARK</I>
<DD>
used to match xfrm policies and states
<P>
<DT id="18"><I>OUTPUT-MARK</I>
<DD>
used to set the output mark to influence the routing
of the packets emitted by the state
<P>
<P>
</DL>
<P>
<TABLE>
<TR VALIGN=top><TD>ip xfrm policy add</TD><TD>add a new policy<BR></TD></TR>
<TR VALIGN=top><TD>ip xfrm policy update</TD><TD>update an existing policy<BR></TD></TR>
<TR VALIGN=top><TD>ip xfrm policy delete</TD><TD>delete an existing policy<BR></TD></TR>
<TR VALIGN=top><TD>ip xfrm policy get</TD><TD>get an existing policy<BR></TD></TR>
<TR VALIGN=top><TD>ip xfrm policy deleteall</TD><TD>delete all existing xfrm policies<BR></TD></TR>
<TR VALIGN=top><TD>ip xfrm policy list</TD><TD>print out the list of xfrm policies<BR></TD></TR>
<TR VALIGN=top><TD>ip xfrm policy flush</TD><TD>flush policies<BR></TD></TR>
</TABLE>
<P>
<DL COMPACT>
<DT id="19"><B>nosock</B>
<DD>
filter (remove) all socket policies from the output.
<P>
<DT id="20"><I>SELECTOR</I>
<DD>
selects the traffic that will be controlled by the policy, based on the source
address, the destination address, the network device, and/or
<I>UPSPEC</I>.
<P>
<DT id="21"><I>UPSPEC</I>
<DD>
selects traffic by protocol. For the
<B>tcp</B>, <B>udp</B>, <B>sctp</B>, or <B>dccp</B>
protocols, the source and destination port can optionally be specified.
For the
<B>icmp</B>, <B>ipv6-icmp</B>, or <B>mobility-header</B>
protocols, the type and code numbers can optionally be specified.
For the
<B>gre</B>
protocol, the key can optionally be specified as a dotted-quad or number.
Other protocols can be selected by name or number
<I>PROTO</I>.
<P>
<DT id="22"><I>DIR</I>
<DD>
selects the policy direction as
<B>in</B>, <B>out</B>, or <B>fwd</B>.
<P>
<DT id="23"><I>CTX</I>
<DD>
sets the security context.
<P>
<DT id="24"><I>PTYPE</I>
<DD>
can be
<B>main</B> (default) or <B>sub</B>.
<P>
<DT id="25"><I>ACTION</I>
<DD>
can be
<B>allow</B> (default) or <B>block</B>.
<P>
<DT id="26"><I>PRIORITY</I>
<DD>
is a number that defaults to zero.
<P>
<DT id="27"><I>FLAG-LIST</I>
<DD>
contains one or both of the following optional flags:
<B>local</B> or <B>icmp</B>.
<P>
<DT id="28"><I>LIMIT-LIST</I>
<DD>
sets limits in seconds, bytes, or numbers of packets.
<P>
<DT id="29"><I>TMPL-LIST</I>
<DD>
is a template list specified using
<I>ID</I>, <I>MODE</I>, <I>REQID</I>, and/or <I>LEVEL</I>.
<P>
<DT id="30"><I>ID</I>
<DD>
is specified by a source address, destination address,
transform protocol <I>XFRM-PROTO</I>,
and/or Security Parameter Index
<I>SPI</I>.
(For IP Payload Compression, the Compression Parameter Index or CPI is used for
<I>SPI</I>.)
<P>
<DT id="31"><I>XFRM-PROTO</I>
<DD>
specifies a transform protocol:
IPsec Encapsulating Security Payload (<B>esp</B>),
IPsec Authentication Header (<B>ah</B>),
IP Payload Compression (<B>comp</B>),
Mobile IPv6 Type 2 Routing Header (<B>route2</B>), or
Mobile IPv6 Home Address Option (<B>hao</B>).
<P>
<DT id="32"><I>MODE</I>
<DD>
specifies a mode of operation for the transform protocol. IPsec and IP Payload
Compression modes are
<B>transport</B>, <B>tunnel</B>,
and (for IPsec ESP only) Bound End-to-End Tunnel
(<B>beet</B>).
Mobile IPv6 modes are route optimization
(<B>ro</B>)
and inbound trigger
(<B>in_trigger</B>).
<P>
<DT id="33"><I>LEVEL</I>
<DD>
can be
<B>required</B> (default) or <B>use</B>.
<P>
<P>
</DL>
<P>
<TABLE>
<TR VALIGN=top><TD>ip xfrm policy count</TD><TD>count existing policies<BR></TD></TR>
</TABLE>
<P>
<P>
Use one or more -s options to display more details, including policy hash table
information.
<P>
<P>
<P>
<TABLE>
<TR VALIGN=top><TD>ip xfrm policy set</TD><TD>configure the policy hash table<BR></TD></TR>
</TABLE>
<P>
<P>
Security policies whose address prefix lengths are greater than or equal
policy hash table thresholds are hashed. Others are stored in the
policy_inexact chained list.
<P>
<DL COMPACT>
<DT id="34"><I>LBITS</I>
<DD>
specifies the minimum local address prefix length of policies that are
stored in the Security Policy Database hash table.
<P>
<DT id="35"><I>RBITS</I>
<DD>
specifies the minimum remote address prefix length of policies that are
stored in the Security Policy Database hash table.
<P>
<P>
</DL>
<P>
<TABLE>
<TR VALIGN=top><TD>ip xfrm monitor </TD><TD>state monitoring for xfrm objects<BR></TD></TR>
</TABLE>
<P>
<P>
The xfrm objects to monitor can be optionally specified.
<P>
<P>
If the
<B>all-nsid</B>
option is set, the program listens to all network namespaces that have a
nsid assigned into the network namespace were the program is running.
A prefix is displayed to show the network namespace where the message
originates. Example:
<P>
[nsid 1]Flushed state proto 0
<P>
<P>
<A NAME="lbAE">&nbsp;</A>
<H2>AUTHOR</H2>
Manpage revised by David Ward &lt;<A HREF="mailto:david.ward@ll.mit.edu">david.ward@ll.mit.edu</A>&gt;
<BR>
Manpage revised by Christophe Gouault &lt;<A HREF="mailto:christophe.gouault@6wind.com">christophe.gouault@6wind.com</A>&gt;
<BR>
Manpage revised by Nicolas Dichtel &lt;<A HREF="mailto:nicolas.dichtel@6wind.com">nicolas.dichtel@6wind.com</A>&gt;
<P>
<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT id="36"><A HREF="#lbAB">NAME</A><DD>
<DT id="37"><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT id="38"><A HREF="#lbAD">DESCRIPTION</A><DD>
<DT id="39"><A HREF="#lbAE">AUTHOR</A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 00:06:13 GMT, March 31, 2021
</BODY>
</HTML>
Reference in New Issue View Git Blame Copy Permalink