.TH IP\-XFRM 8 "20 Dec 2011" "iproute2" "Linux"
|
|
.SH "NAME"
|
|
ip-xfrm \- transform configuration
|
|
.SH "SYNOPSIS"
|
|
.sp
|
|
.ad l
|
|
.in +8
|
|
.ti -8
|
|
.B ip
|
|
.RI "[ " OPTIONS " ]"
|
|
.B xfrm
|
|
.RI " { " COMMAND " | "
|
|
.BR help " }"
|
|
.sp
|
|
|
|
.ti -8
|
|
.B "ip xfrm"
|
|
.IR XFRM-OBJECT " { " COMMAND " | "
|
|
.BR help " }"
|
|
.sp
|
|
|
|
.ti -8
|
|
.IR XFRM-OBJECT " :="
|
|
.BR state " | " policy " | " monitor
|
|
.sp
|
|
|
|
.ti -8
|
|
.BR "ip xfrm state" " { " add " | " update " } "
|
|
.IR ID " [ " ALGO-LIST " ]"
|
|
.RB "[ " mode
|
|
.IR MODE " ]"
|
|
.RB "[ " mark
|
|
.I MARK
|
|
.RB "[ " mask
|
|
.IR MASK " ] ]"
|
|
.RB "[ " reqid
|
|
.IR REQID " ]"
|
|
.RB "[ " seq
|
|
.IR SEQ " ]"
|
|
.RB "[ " replay-window
|
|
.IR SIZE " ]"
|
|
.RB "[ " replay-seq
|
|
.IR SEQ " ]"
|
|
.RB "[ " replay-oseq
|
|
.IR SEQ " ]"
|
|
.RB "[ " replay-seq-hi
|
|
.IR SEQ " ]"
|
|
.RB "[ " replay-oseq-hi
|
|
.IR SEQ " ]"
|
|
.RB "[ " flag
|
|
.IR FLAG-LIST " ]"
|
|
.RB "[ " sel
|
|
.IR SELECTOR " ] [ " LIMIT-LIST " ]"
|
|
.RB "[ " encap
|
|
.IR ENCAP " ]"
|
|
.RB "[ " coa
|
|
.IR ADDR "[/" PLEN "] ]"
|
|
.RB "[ " ctx
|
|
.IR CTX " ]"
|
|
.RB "[ " extra-flag
|
|
.IR EXTRA-FLAG-LIST " ]"
|
|
.RB "[ " output-mark
|
|
.IR OUTPUT-MARK " ]"
|
|
|
|
.ti -8
|
|
.B "ip xfrm state allocspi"
|
|
.I ID
|
|
.RB "[ " mode
|
|
.IR MODE " ]"
|
|
.RB "[ " mark
|
|
.I MARK
|
|
.RB "[ " mask
|
|
.IR MASK " ] ]"
|
|
.RB "[ " reqid
|
|
.IR REQID " ]"
|
|
.RB "[ " seq
|
|
.IR SEQ " ]"
|
|
.RB "[ " min
|
|
.I SPI
|
|
.B max
|
|
.IR SPI " ]"
|
|
|
|
.ti -8
|
|
.BR "ip xfrm state" " { " delete " | " get " } "
|
|
.I ID
|
|
.RB "[ " mark
|
|
.I MARK
|
|
.RB "[ " mask
|
|
.IR MASK " ] ]"
|
|
|
|
.ti -8
|
|
.BR "ip xfrm state" " { " deleteall " | " list " } ["
|
|
.IR ID " ]"
|
|
.RB "[ " mode
|
|
.IR MODE " ]"
|
|
.RB "[ " reqid
|
|
.IR REQID " ]"
|
|
.RB "[ " flag
|
|
.IR FLAG-LIST " ]"
|
|
|
|
.ti -8
|
|
.BR "ip xfrm state flush" " [ " proto
|
|
.IR XFRM-PROTO " ]"
|
|
|
|
.ti -8
|
|
.BR "ip xfrm state count"
|
|
|
|
.ti -8
|
|
.IR ID " :="
|
|
.RB "[ " src
|
|
.IR ADDR " ]"
|
|
.RB "[ " dst
|
|
.IR ADDR " ]"
|
|
.RB "[ " proto
|
|
.IR XFRM-PROTO " ]"
|
|
.RB "[ " spi
|
|
.IR SPI " ]"
|
|
|
|
.ti -8
|
|
.IR XFRM-PROTO " :="
|
|
.BR esp " | " ah " | " comp " | " route2 " | " hao
|
|
|
|
.ti -8
|
|
.IR ALGO-LIST " := [ " ALGO-LIST " ] " ALGO
|
|
|
|
.ti -8
|
|
.IR ALGO " :="
|
|
.RB "{ " enc " | " auth " } "
|
|
.IR ALGO-NAME " " ALGO-KEYMAT " |"
|
|
.br
|
|
.B auth-trunc
|
|
.IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-TRUNC-LEN " |"
|
|
.br
|
|
.B aead
|
|
.IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-ICV-LEN " |"
|
|
.br
|
|
.B comp
|
|
.IR ALGO-NAME
|
|
|
|
.ti -8
|
|
.IR MODE " := "
|
|
.BR transport " | " tunnel " | " beet " | " ro " | " in_trigger
|
|
|
|
.ti -8
|
|
.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
|
|
|
|
.ti -8
|
|
.IR FLAG " :="
|
|
.BR noecn " | " decap-dscp " | " nopmtudisc " | " wildrecv " | " icmp " | "
|
|
.BR af-unspec " | " align4 " | " esn
|
|
|
|
.ti -8
|
|
.IR SELECTOR " :="
|
|
.RB "[ " src
|
|
.IR ADDR "[/" PLEN "] ]"
|
|
.RB "[ " dst
|
|
.IR ADDR "[/" PLEN "] ]"
|
|
.RB "[ " dev
|
|
.IR DEV " ]"
|
|
.br
|
|
.RI "[ " UPSPEC " ]"
|
|
|
|
.ti -8
|
|
.IR UPSPEC " := "
|
|
.BR proto " {"
|
|
.IR PROTO " |"
|
|
.br
|
|
.RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
|
|
.IR PORT " ]"
|
|
.RB "[ " dport
|
|
.IR PORT " ] |"
|
|
.br
|
|
.RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
|
|
.IR NUMBER " ]"
|
|
.RB "[ " code
|
|
.IR NUMBER " ] |"
|
|
.br
|
|
.BR gre " [ " key
|
|
.RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
|
|
|
|
.ti -8
|
|
.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
|
|
.B limit
|
|
.I LIMIT
|
|
|
|
.ti -8
|
|
.IR LIMIT " :="
|
|
.RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
|
|
.IR "SECONDS" " |"
|
|
.br
|
|
.RB "{ " byte-soft " | " byte-hard " }"
|
|
.IR SIZE " |"
|
|
.br
|
|
.RB "{ " packet-soft " | " packet-hard " }"
|
|
.I COUNT
|
|
|
|
.ti -8
|
|
.IR ENCAP " :="
|
|
.RB "{ " espinudp " | " espinudp-nonike " }"
|
|
.IR SPORT " " DPORT " " OADDR
|
|
|
|
.ti -8
|
|
.IR EXTRA-FLAG-LIST " := [ " EXTRA-FLAG-LIST " ] " EXTRA-FLAG
|
|
|
|
.ti -8
|
|
.IR EXTRA-FLAG " := "
|
|
.B dont-encap-dscp
|
|
|
|
.ti -8
|
|
.BR "ip xfrm policy" " { " add " | " update " }"
|
|
.I SELECTOR
|
|
.B dir
|
|
.I DIR
|
|
.RB "[ " ctx
|
|
.IR CTX " ]"
|
|
.RB "[ " mark
|
|
.I MARK
|
|
.RB "[ " mask
|
|
.IR MASK " ] ]"
|
|
.RB "[ " index
|
|
.IR INDEX " ]"
|
|
.RB "[ " ptype
|
|
.IR PTYPE " ]"
|
|
.RB "[ " action
|
|
.IR ACTION " ]"
|
|
.RB "[ " priority
|
|
.IR PRIORITY " ]"
|
|
.RB "[ " flag
|
|
.IR FLAG-LIST " ]"
|
|
.RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]"
|
|
|
|
.ti -8
|
|
.BR "ip xfrm policy" " { " delete " | " get " }"
|
|
.RI "{ " SELECTOR " | "
|
|
.B index
|
|
.IR INDEX " }"
|
|
.B dir
|
|
.I DIR
|
|
.RB "[ " ctx
|
|
.IR CTX " ]"
|
|
.RB "[ " mark
|
|
.I MARK
|
|
.RB "[ " mask
|
|
.IR MASK " ] ]"
|
|
.RB "[ " ptype
|
|
.IR PTYPE " ]"
|
|
|
|
.ti -8
|
|
.BR "ip xfrm policy" " { " deleteall " | " list " }"
|
|
.RI "[ " SELECTOR " ]"
|
|
.RB "[ " dir
|
|
.IR DIR " ]"
|
|
.RB "[ " index
|
|
.IR INDEX " ]"
|
|
.RB "[ " ptype
|
|
.IR PTYPE " ]"
|
|
.RB "[ " action
|
|
.IR ACTION " ]"
|
|
.RB "[ " priority
|
|
.IR PRIORITY " ]"
|
|
.RB "[ " flag
|
|
.IR FLAG-LIST " ]"
|
|
|
|
.ti -8
|
|
.B "ip xfrm policy flush"
|
|
.RB "[ " ptype
|
|
.IR PTYPE " ]"
|
|
|
|
.ti -8
|
|
.B "ip xfrm policy count"
|
|
|
|
.ti -8
|
|
.B "ip xfrm policy set"
|
|
.RB "[ " hthresh4
|
|
.IR LBITS " " RBITS " ]"
|
|
.RB "[ " hthresh6
|
|
.IR LBITS " " RBITS " ]"
|
|
|
|
.ti -8
|
|
.IR SELECTOR " :="
|
|
.RB "[ " src
|
|
.IR ADDR "[/" PLEN "] ]"
|
|
.RB "[ " dst
|
|
.IR ADDR "[/" PLEN "] ]"
|
|
.RB "[ " dev
|
|
.IR DEV " ]"
|
|
.RI "[ " UPSPEC " ]"
|
|
|
|
.ti -8
|
|
.IR UPSPEC " := "
|
|
.BR proto " {"
|
|
.IR PROTO " |"
|
|
.br
|
|
.RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
|
|
.IR PORT " ]"
|
|
.RB "[ " dport
|
|
.IR PORT " ] |"
|
|
.br
|
|
.RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
|
|
.IR NUMBER " ]"
|
|
.RB "[ " code
|
|
.IR NUMBER " ] |"
|
|
.br
|
|
.BR gre " [ " key
|
|
.RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
|
|
|
|
.ti -8
|
|
.IR DIR " := "
|
|
.BR in " | " out " | " fwd
|
|
|
|
.ti -8
|
|
.IR PTYPE " := "
|
|
.BR main " | " sub
|
|
|
|
.ti -8
|
|
.IR ACTION " := "
|
|
.BR allow " | " block
|
|
|
|
.ti -8
|
|
.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
|
|
|
|
.ti -8
|
|
.IR FLAG " :="
|
|
.BR localok " | " icmp
|
|
|
|
.ti -8
|
|
.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
|
|
.B limit
|
|
.I LIMIT
|
|
|
|
.ti -8
|
|
.IR LIMIT " :="
|
|
.RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
|
|
.IR "SECONDS" " |"
|
|
.br
|
|
.RB "{ " byte-soft " | " byte-hard " }"
|
|
.IR SIZE " |"
|
|
.br
|
|
.RB "{ " packet-soft " | " packet-hard " }"
|
|
.I COUNT
|
|
|
|
.ti -8
|
|
.IR TMPL-LIST " := [ " TMPL-LIST " ]"
|
|
.B tmpl
|
|
.I TMPL
|
|
|
|
.ti -8
|
|
.IR TMPL " := " ID
|
|
.RB "[ " mode
|
|
.IR MODE " ]"
|
|
.RB "[ " reqid
|
|
.IR REQID " ]"
|
|
.RB "[ " level
|
|
.IR LEVEL " ]"
|
|
|
|
.ti -8
|
|
.IR ID " :="
|
|
.RB "[ " src
|
|
.IR ADDR " ]"
|
|
.RB "[ " dst
|
|
.IR ADDR " ]"
|
|
.RB "[ " proto
|
|
.IR XFRM-PROTO " ]"
|
|
.RB "[ " spi
|
|
.IR SPI " ]"
|
|
|
|
.ti -8
|
|
.IR XFRM-PROTO " :="
|
|
.BR esp " | " ah " | " comp " | " route2 " | " hao
|
|
|
|
.ti -8
|
|
.IR MODE " := "
|
|
.BR transport " | " tunnel " | " beet " | " ro " | " in_trigger
|
|
|
|
.ti -8
|
|
.IR LEVEL " :="
|
|
.BR required " | " use
|
|
|
|
.ti -8
|
|
.BR "ip xfrm monitor" " ["
|
|
.BI all-nsid
|
|
] [
|
|
.BI all
|
|
|
|
|
.IR LISTofXFRM-OBJECTS " ]"
|
|
|
|
.ti -8
|
|
.IR LISTofXFRM-OBJECTS " := [ " LISTofXFRM-OBJECTS " ] " XFRM-OBJECT
|
|
|
|
.ti -8
|
|
.IR XFRM-OBJECT " := "
|
|
.BR acquire " | " expire " | " SA " | " policy " | " aevent " | " report
|
|
|
|
.in -8
|
|
.ad b
|
|
|
|
.SH DESCRIPTION
|
|
|
|
xfrm is an IP framework for transforming packets (such as encrypting
|
|
their payloads). This framework is used to implement the IPsec protocol
|
|
suite (with the
|
|
.B state
|
|
object operating on the Security Association Database, and the
|
|
.B policy
|
|
object operating on the Security Policy Database). It is also used for
|
|
the IP Payload Compression Protocol and features of Mobile IPv6.
|
|
|
|
.TS
|
|
l l.
|
|
ip xfrm state add add new state into xfrm
|
|
ip xfrm state update update existing state in xfrm
|
|
ip xfrm state allocspi allocate an SPI value
|
|
ip xfrm state delete delete existing state in xfrm
|
|
ip xfrm state get get existing state in xfrm
|
|
ip xfrm state deleteall delete all existing state in xfrm
|
|
ip xfrm state list print out the list of existing state in xfrm
|
|
ip xfrm state flush flush all state in xfrm
|
|
ip xfrm state count count all existing state in xfrm
|
|
.TE
|
|
|
|
.TP
|
|
.IR ID
|
|
is specified by a source address, destination address,
|
|
.RI "transform protocol " XFRM-PROTO ","
|
|
and/or Security Parameter Index
|
|
.IR SPI "."
|
|
(For IP Payload Compression, the Compression Parameter Index or CPI is used for
|
|
.IR SPI ".)"
|
|
|
|
.TP
|
|
.I XFRM-PROTO
|
|
specifies a transform protocol:
|
|
.RB "IPsec Encapsulating Security Payload (" esp "),"
|
|
.RB "IPsec Authentication Header (" ah "),"
|
|
.RB "IP Payload Compression (" comp "),"
|
|
.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
|
|
.RB "Mobile IPv6 Home Address Option (" hao ")."
|
|
|
|
.TP
|
|
.I ALGO-LIST
|
|
contains one or more algorithms to use. Each algorithm
|
|
.I ALGO
|
|
is specified by:
|
|
.RS
|
|
.IP \[bu]
|
|
the algorithm type:
|
|
.RB "encryption (" enc "),"
|
|
.RB "authentication (" auth " or " auth-trunc "),"
|
|
.RB "authenticated encryption with associated data (" aead "), or"
|
|
.RB "compression (" comp ")"
|
|
.IP \[bu]
|
|
the algorithm name
|
|
.IR ALGO-NAME
|
|
(see below)
|
|
.IP \[bu]
|
|
.RB "(for all except " comp ")"
|
|
the keying material
|
|
.IR ALGO-KEYMAT ","
|
|
which may include both a key and a salt or nonce value; refer to the
|
|
corresponding RFC
|
|
.IP \[bu]
|
|
.RB "(for " auth-trunc " only)"
|
|
the truncation length
|
|
.I ALGO-TRUNC-LEN
|
|
in bits
|
|
.IP \[bu]
|
|
.RB "(for " aead " only)"
|
|
the Integrity Check Value length
|
|
.I ALGO-ICV-LEN
|
|
in bits
|
|
.RE
|
|
|
|
.nh
|
|
.RS
|
|
Encryption algorithms include
|
|
.BR ecb(cipher_null) ", " cbc(des) ", " cbc(des3_ede) ", " cbc(cast5) ","
|
|
.BR cbc(blowfish) ", " cbc(aes) ", " cbc(serpent) ", " cbc(camellia) ","
|
|
.BR cbc(twofish) ", and " rfc3686(ctr(aes)) "."
|
|
|
|
Authentication algorithms include
|
|
.BR digest_null ", " hmac(md5) ", " hmac(sha1) ", " hmac(sha256) ","
|
|
.BR hmac(sha384) ", " hmac(sha512) ", " hmac(rmd160) ", and " xcbc(aes) "."
|
|
|
|
Authenticated encryption with associated data (AEAD) algorithms include
|
|
.BR rfc4106(gcm(aes)) ", " rfc4309(ccm(aes)) ", and " rfc4543(gcm(aes)) "."
|
|
|
|
Compression algorithms include
|
|
.BR deflate ", " lzs ", and " lzjh "."
|
|
.RE
|
|
.hy
|
|
|
|
.TP
|
|
.I MODE
|
|
specifies a mode of operation for the transform protocol. IPsec and IP Payload
|
|
Compression modes are
|
|
.BR transport ", " tunnel ","
|
|
and (for IPsec ESP only) Bound End-to-End Tunnel
|
|
.RB "(" beet ")."
|
|
Mobile IPv6 modes are route optimization
|
|
.RB "(" ro ")"
|
|
and inbound trigger
|
|
.RB "(" in_trigger ")."
|
|
|
|
.TP
|
|
.I FLAG-LIST
|
|
contains one or more of the following optional flags:
|
|
.BR noecn ", " decap-dscp ", " nopmtudisc ", " wildrecv ", " icmp ", "
|
|
.BR af-unspec ", " align4 ", or " esn "."
|
|
|
|
.TP
|
|
.IR SELECTOR
|
|
selects the traffic that will be controlled by the policy, based on the source
|
|
address, the destination address, the network device, and/or
|
|
.IR UPSPEC "."
|
|
|
|
.TP
|
|
.IR UPSPEC
|
|
selects traffic by protocol. For the
|
|
.BR tcp ", " udp ", " sctp ", or " dccp
|
|
protocols, the source and destination port can optionally be specified.
|
|
For the
|
|
.BR icmp ", " ipv6-icmp ", or " mobility-header
|
|
protocols, the type and code numbers can optionally be specified.
|
|
For the
|
|
.B gre
|
|
protocol, the key can optionally be specified as a dotted-quad or number.
|
|
Other protocols can be selected by name or number
|
|
.IR PROTO "."
|
|
|
|
.TP
|
|
.I LIMIT-LIST
|
|
sets limits in seconds, bytes, or numbers of packets.
|
|
|
|
.TP
|
|
.I ENCAP
|
|
encapsulates packets with protocol
|
|
.BR espinudp " or " espinudp-nonike ","
|
|
.RI "using source port " SPORT ", destination port " DPORT
|
|
.RI ", and original address " OADDR "."
|
|
|
|
.TP
|
|
.I MARK
|
|
used to match xfrm policies and states
|
|
|
|
.TP
|
|
.I OUTPUT-MARK
|
|
used to set the output mark to influence the routing
|
|
of the packets emitted by the state
|
|
|
|
.sp
|
|
.PP
|
|
.TS
|
|
l l.
|
|
ip xfrm policy add add a new policy
|
|
ip xfrm policy update update an existing policy
|
|
ip xfrm policy delete delete an existing policy
|
|
ip xfrm policy get get an existing policy
|
|
ip xfrm policy deleteall delete all existing xfrm policies
|
|
ip xfrm policy list print out the list of xfrm policies
|
|
ip xfrm policy flush flush policies
|
|
.TE
|
|
|
|
.TP
|
|
.IR SELECTOR
|
|
selects the traffic that will be controlled by the policy, based on the source
|
|
address, the destination address, the network device, and/or
|
|
.IR UPSPEC "."
|
|
|
|
.TP
|
|
.IR UPSPEC
|
|
selects traffic by protocol. For the
|
|
.BR tcp ", " udp ", " sctp ", or " dccp
|
|
protocols, the source and destination port can optionally be specified.
|
|
For the
|
|
.BR icmp ", " ipv6-icmp ", or " mobility-header
|
|
protocols, the type and code numbers can optionally be specified.
|
|
For the
|
|
.B gre
|
|
protocol, the key can optionally be specified as a dotted-quad or number.
|
|
Other protocols can be selected by name or number
|
|
.IR PROTO "."
|
|
|
|
.TP
|
|
.I DIR
|
|
selects the policy direction as
|
|
.BR in ", " out ", or " fwd "."
|
|
|
|
.TP
|
|
.I CTX
|
|
sets the security context.
|
|
|
|
.TP
|
|
.I PTYPE
|
|
can be
|
|
.BR main " (default) or " sub "."
|
|
|
|
.TP
|
|
.I ACTION
|
|
can be
|
|
.BR allow " (default) or " block "."
|
|
|
|
.TP
|
|
.I PRIORITY
|
|
is a number that defaults to zero.
|
|
|
|
.TP
|
|
.I FLAG-LIST
|
|
contains one or both of the following optional flags:
|
|
.BR localok " or " icmp "."
|
|
|
|
.TP
|
|
.I LIMIT-LIST
|
|
sets limits in seconds, bytes, or numbers of packets.
|
|
|
|
.TP
|
|
.I TMPL-LIST
|
|
is a template list specified using
|
|
.IR ID ", " MODE ", " REQID ", and/or " LEVEL ". "
|
|
|
|
.TP
|
|
.IR ID
|
|
is specified by a source address, destination address,
|
|
.RI "transform protocol " XFRM-PROTO ","
|
|
and/or Security Parameter Index
|
|
.IR SPI "."
|
|
(For IP Payload Compression, the Compression Parameter Index or CPI is used for
|
|
.IR SPI ".)"
|
|
|
|
.TP
|
|
.I XFRM-PROTO
|
|
specifies a transform protocol:
|
|
.RB "IPsec Encapsulating Security Payload (" esp "),"
|
|
.RB "IPsec Authentication Header (" ah "),"
|
|
.RB "IP Payload Compression (" comp "),"
|
|
.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
|
|
.RB "Mobile IPv6 Home Address Option (" hao ")."
|
|
|
|
.TP
|
|
.I MODE
|
|
specifies a mode of operation for the transform protocol. IPsec and IP Payload
|
|
Compression modes are
|
|
.BR transport ", " tunnel ","
|
|
and (for IPsec ESP only) Bound End-to-End Tunnel
|
|
.RB "(" beet ")."
|
|
Mobile IPv6 modes are route optimization
|
|
.RB "(" ro ")"
|
|
and inbound trigger
|
|
.RB "(" in_trigger ")."
|
|
|
|
.TP
|
|
.I LEVEL
|
|
can be
|
|
.BR required " (default) or " use "."
|
|
|
|
.sp
|
|
.PP
|
|
.TS
|
|
l l.
|
|
ip xfrm policy count count existing policies
|
|
.TE
|
|
|
|
.PP
|
|
Use one or more -s options to display more details, including policy hash table
|
|
information.
|
|
|
|
.sp
|
|
.PP
|
|
.TS
|
|
l l.
|
|
ip xfrm policy set configure the policy hash table
|
|
.TE
|
|
|
|
.PP
|
|
Security policies whose address prefix lengths are greater than or equal to
the policy hash table thresholds are hashed. Others are stored in the
policy_inexact chained list.
|
|
|
|
.TP
|
|
.I LBITS
|
|
specifies the minimum local address prefix length of policies that are
|
|
stored in the Security Policy Database hash table.
|
|
|
|
.TP
|
|
.I RBITS
|
|
specifies the minimum remote address prefix length of policies that are
|
|
stored in the Security Policy Database hash table.
|
|
|
|
.sp
|
|
.PP
|
|
.TS
|
|
l l.
|
|
ip xfrm monitor state monitoring for xfrm objects
|
|
.TE
|
|
|
|
.PP
|
|
The xfrm objects to monitor can be optionally specified.
|
|
|
|
.P
|
|
If the
|
|
.BI all-nsid
|
|
option is set, the program listens to all network namespaces that have an
nsid assigned in the network namespace where the program is running.
|
|
A prefix is displayed to show the network namespace where the message
|
|
originates. Example:
|
|
.sp
|
|
.in +2
|
|
[nsid 1]Flushed state proto 0
|
|
.in -2
|
|
.sp
|
|
|
|
.SH AUTHOR
|
|
Manpage revised by David Ward <david.ward@ll.mit.edu>
|
|
.br
|
|
Manpage revised by Christophe Gouault <christophe.gouault@6wind.com>
|
|
.br
|
|
Manpage revised by Nicolas Dichtel <nicolas.dichtel@6wind.com>
|