\documentstyle[12pt,twoside]{article}
\def\TITLE{IP Command Reference}
\input preamble
\begin{center}
\Large\bf IP Command Reference.
\end{center}


\begin{center}
{ \large Alexey~N.~Kuznetsov } \\
\em Institute for Nuclear Research, Moscow \\
\verb|kuznet@ms2.inr.ac.ru| \\
\rm April 14, 1999
\end{center}

\vspace{5mm}

\tableofcontents

\newpage

\section{About this document}

This document presents a comprehensive description of the \verb|ip| utility
from the \verb|iproute2| package. It is not a tutorial or user's guide.
It is a {\em dictionary\/}, not explaining terms,
but translating them into other terms, which may also be unknown to the reader.
However, the document is self-contained and the reader, provided they have a
basic networking background, will find enough information
and examples to understand and configure Linux-2.2 IP and IPv6
networking.

This document is split into sections explaining \verb|ip| commands
and options, deciphering \verb|ip| output and containing a few examples.
More voluminous examples and some topics, which require more elaborate
discussion, are in the appendix.

The paragraphs beginning with NB contain side notes, warnings about
bugs and design drawbacks. They may be skipped at the first reading.

\section{{\tt ip} --- command syntax}

The generic form of an \verb|ip| command is:
\begin{verbatim}
ip [ OPTIONS ] OBJECT [ COMMAND [ ARGUMENTS ]]
\end{verbatim}
where \verb|OPTIONS| is a set of optional modifiers affecting the
general behaviour of the \verb|ip| utility or changing its output. All options
begin with the character \verb|'-'| and may be used in either long or abbreviated
forms. Currently, the following options are available:

\begin{itemize}
\item \verb|-V|, \verb|-Version|

--- print the version of the \verb|ip| utility and exit.


\item \verb|-s|, \verb|-stats|, \verb|-statistics|

--- output more information. If the option
appears twice or more, the amount of information increases.
As a rule, the information is statistics or some time values.


\item \verb|-f|, \verb|-family| followed by a protocol family
identifier: \verb|inet|, \verb|inet6| or \verb|link|.

--- enforce the protocol family to use. If the option is not present,
the protocol family is guessed from other arguments. If the rest of the command
line does not give enough information to guess the family, \verb|ip| falls back to the default
one, usually \verb|inet| or \verb|any|. \verb|link| is a special family
identifier meaning that no networking protocol is involved.

\item \verb|-4|

--- shortcut for \verb|-family inet|.

\item \verb|-6|

--- shortcut for \verb|-family inet6|.

\item \verb|-0|

--- shortcut for \verb|-family link|.


\item \verb|-o|, \verb|-oneline|

--- output each record on a single line, replacing line feeds
with the \verb|'\'| character. This is convenient when you want to
count records with \verb|wc| or to \verb|grep| the output. The trivial
script \verb|rtpr| converts the output back into readable form.

\item \verb|-r|, \verb|-resolve|

--- use the system's name resolver to print DNS names instead of
host addresses.

\begin{NB}
 Do not use this option when reporting bugs or asking for advice.
\end{NB}
\begin{NB}
 \verb|ip| never uses DNS to resolve names to addresses.
\end{NB}

\end{itemize}

\verb|OBJECT| is the object to manage or to get information about.
The object types currently understood by \verb|ip| are:

\begin{itemize}
\item \verb|link| --- network device
\item \verb|address| --- protocol (IP or IPv6) address on a device
\item \verb|neighbour| --- ARP or NDISC cache entry
\item \verb|route| --- routing table entry
\item \verb|rule| --- rule in routing policy database
\item \verb|maddress| --- multicast address
\item \verb|mroute| --- multicast routing cache entry
\item \verb|tunnel| --- tunnel over IP
\end{itemize}

Again, the names of all objects may be written in full or
abbreviated form, e.g.\ \verb|address| is abbreviated as \verb|addr|
or just \verb|a|.

\verb|COMMAND| specifies the action to perform on the object.
The set of possible actions depends on the object type.
As a rule, it is possible to \verb|add|, \verb|delete| and
\verb|show| (or \verb|list|) objects, but some objects
do not allow all of these operations or have some additional commands.
The \verb|help| command is available for all objects. It prints
out a list of available commands and argument syntax conventions.

If no command is given, some default command is assumed.
Usually it is \verb|list| or, if the objects of this class
cannot be listed, \verb|help|.

\verb|ARGUMENTS| is a list of arguments to the command.
The arguments depend on the command and object. There are two types of arguments:
{\em flags\/}, consisting of a single keyword, and {\em parameters\/},
consisting of a keyword followed by a value. For convenience,
each command has some {\em default parameter\/}
which may be omitted. For example, the parameter \verb|dev| is the default
for the {\tt ip link} command, so {\tt ip link ls eth0} is equivalent
to {\tt ip link ls dev eth0}.
In the command descriptions below such parameters
are distinguished with the marker: ``(default)''.

Almost all keywords may be abbreviated with several first (or even single)
letters. The shortcuts are convenient when \verb|ip| is used interactively,
but they are not recommended in scripts or when reporting bugs
or asking for advice. ``Officially'' allowed abbreviations are listed
in the document body.



\section{{\tt ip} --- error messages}

\verb|ip| may fail for one of the following reasons:

\begin{itemize}
\item
A syntax error on the command line: an unknown keyword, incorrectly formatted
IP address {\em et al\/}. In this case \verb|ip| prints an error message
and exits. As a rule, the error message will contain information
about the reason for the failure. Sometimes it also prints a help page.

\item
The arguments did not pass verification for self-consistency.

\item
\verb|ip| failed to compile a kernel request from the arguments
because the user didn't give enough information.

\item
The kernel returned an error to some syscall. In this case \verb|ip|
prints the error message, as it is output with \verb|perror(3)|,
prefixed with a comment and a syscall identifier.

\item
The kernel returned an error to some RTNETLINK request.
In this case \verb|ip| prints the error message, as it is output
with \verb|perror(3)| prefixed with ``RTNETLINK answers:''.

\end{itemize}

All the operations are atomic, i.e.\
if the \verb|ip| utility fails, it does not change anything
in the system.
One harmful exception is the \verb|ip link| command
(Sec.\ref{IP-LINK}, p.\pageref{IP-LINK}),
which may change only some of the device parameters given
on the command line.

It is difficult to list all the error messages (especially
syntax errors). However, as a rule, their meaning is clear
from the context of the command.

The most common mistakes are:

\begin{enumerate}
\item Netlink is not configured in the kernel. The message is:
\begin{verbatim}
Cannot open netlink socket: Invalid value
\end{verbatim}

\item RTNETLINK is not configured in the kernel.
In this case
one of the following messages may be printed, depending on the command:
\begin{verbatim}
Cannot talk to rtnetlink: Connection refused
Cannot send dump request: Connection refused
\end{verbatim}

\item The \verb|CONFIG_IP_MULTIPLE_TABLES| option was not selected
when configuring the kernel. In this case any attempt to use the
\verb|ip| \verb|rule| command will fail, e.g.
\begin{verbatim}
kuznet@kaiser $ ip rule list
RTNETLINK error: Invalid argument
dump terminated
\end{verbatim}

\end{enumerate}


\section{{\tt ip link} --- network device configuration}
\label{IP-LINK}

\paragraph{Object:} A \verb|link| is a network device and the corresponding
commands display and change the state of devices.
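
The failure classes and message texts from the error messages section, turned into a small wrapper that a script can use to report why an \verb|ip| call failed. This is an added example, not part of the original reference or of iproute2; the function names and class labels are invented here, and the wrapper assumes \verb|ip| exits with a non-zero status on failure.

```shell
#!/bin/sh
# Added example, not iproute2 code. Function names and class labels are
# invented here; the message texts are the ones quoted in this reference.

# ip_object ARGS...
# Print the OBJECT word of "ip [ OPTIONS ] OBJECT [ COMMAND [ ARGUMENTS ]]".
# Options start with '-'; -f/-family is the one listed option taking a value.
ip_object() {
    while [ $# -gt 0 ]; do
        case $1 in
            -f|-family)
                shift
                if [ $# -gt 0 ]; then shift; fi ;;
            -*) shift ;;
            *)  printf '%s\n' "$1"
                return 0 ;;
        esac
    done
    return 1    # options only, no OBJECT given
}

# classify_ip_error OBJECT "FIRST STDERR LINE"
# Print "<class>: <detail>" for one ip error message. Syntax, consistency
# and syscall errors have no fixed prefix, so they all land in "other".
classify_ip_error() {
    object=$1
    line=$2
    case $line in
        "Cannot open netlink socket:"*)
            echo "netlink-missing: netlink is not configured in the kernel" ;;
        "Cannot talk to rtnetlink:"*|"Cannot send dump request:"*)
            echo "rtnetlink-missing: RTNETLINK is not configured in the kernel" ;;
        "RTNETLINK answers:"*|"RTNETLINK error:"*)
            # Both prefixes appear in this reference; strip either one.
            reason=${line#"RTNETLINK "*": "}
            if [ "$object" = rule ] && [ "$reason" = "Invalid argument" ]; then
                echo "rtnetlink-error: $reason (check CONFIG_IP_MULTIPLE_TABLES)"
            else
                echo "rtnetlink-error: $reason"
            fi ;;
        *)
            echo "other: $line" ;;
    esac
}

# ip_checked ARGS...
# Run ip, pass stdout and stderr through, and on failure add one classified
# line to stderr. Returns ip's own exit status (assumed non-zero on failure).
ip_checked() {
    obj=$(ip_object "$@") || obj=unknown
    status=0
    # Capture stderr only; fd 3 carries ip's stdout past the substitution.
    { err=$(ip "$@" 2>&1 1>&3); } 3>&1 || status=$?
    if [ -n "$err" ]; then printf '%s\n' "$err" >&2; fi
    if [ "$status" -ne 0 ]; then
        first=$(printf '%s\n' "$err" | head -n 1)
        printf 'ip %s: %s\n' "$obj" "$(classify_ip_error "$obj" "$first")" >&2
    fi
    return "$status"
}

# Demo over the four messages quoted in this reference (no ip call needed).
# The link/route objects paired with the first three are constructed.
classify_ip_error link  "Cannot open netlink socket: Invalid value"
classify_ip_error route "Cannot talk to rtnetlink: Connection refused"
classify_ip_error route "Cannot send dump request: Connection refused"
classify_ip_error rule  "RTNETLINK error: Invalid argument"
```

The object is matched by its full name only, in line with the advice above not to use abbreviations in scripts.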

\paragraph{Commands:} \verb|set| and \verb|show| (or \verb|list|).

\subsection{{\tt ip link set} --- change device attributes}

\paragraph{Abbreviations:} \verb|set|, \verb|s|.

\paragraph{Arguments:}

\begin{itemize}
\item \verb|dev NAME| (default)

--- \verb|NAME| specifies the network device on which to operate.

\item \verb|up| and \verb|down|

--- change the state of the device to \verb|UP| or \verb|DOWN|.

\item \verb|arp on| or \verb|arp off|

--- change the \verb|NOARP| flag on the device.

\begin{NB}
This operation is {\em not allowed\/} if the device is in state \verb|UP|.
However, neither the \verb|ip| utility nor the kernel checks for this condition.
You can get unpredictable results changing this flag while the
device is running.
\end{NB}

\item \verb|multicast on| or \verb|multicast off|

--- change the \verb|MULTICAST| flag on the device.

\item \verb|dynamic on| or \verb|dynamic off|

--- change the \verb|DYNAMIC| flag on the device.

\item \verb|name NAME|

--- change the name of the device. This operation is not
recommended if the device is running or has some addresses
already configured.

\item \verb|txqueuelen NUMBER| or \verb|txqlen NUMBER|

--- change the transmit queue length of the device.

\item \verb|mtu NUMBER|

--- change the MTU of the device.

\item \verb|address LLADDRESS|

--- change the station address of the interface.

\item \verb|broadcast LLADDRESS|, \verb|brd LLADDRESS| or \verb|peer LLADDRESS|

--- change the link layer broadcast address or the peer address when
the interface is \verb|POINTOPOINT|.

\vskip 1mm
\begin{NB}
For most devices (e.g.\ for Ethernet) changing the link layer
broadcast address will break networking.
Do not use it if you do not understand what this operation really does.
\end{NB}

\item \verb|netns PID|

--- move the device to the network namespace associated with the process PID.

\end{itemize}

\vskip 1mm
\begin{NB}
The \verb|PROMISC| and \verb|ALLMULTI| flags are considered
obsolete and should not be changed administratively, though
the {\tt ip} utility will allow that.
\end{NB}

\paragraph{Warning:} If multiple parameter changes are requested,
\verb|ip| aborts immediately after any of the changes has failed.
This is the only case when \verb|ip| can move the system to
an unpredictable state. The solution is to avoid changing
several parameters with one {\tt ip link set} call.

\paragraph{Examples:}
\begin{itemize}
\item \verb|ip link set dummy address 00:00:00:00:00:01|

--- change the station address of the interface \verb|dummy|.

\item \verb|ip link set dummy up|

--- start the interface \verb|dummy|.

\end{itemize}


\subsection{{\tt ip link show} --- display device attributes}
\label{IP-LINK-SHOW}

\paragraph{Abbreviations:} \verb|show|, \verb|list|, \verb|lst|, \verb|sh|, \verb|ls|,
\verb|l|.

\paragraph{Arguments:}
\begin{itemize}
\item \verb|dev NAME| (default)

--- \verb|NAME| specifies the network device to show.
If this argument is omitted all devices are listed.

\item \verb|up|

--- only display running interfaces.

\end{itemize}


\paragraph{Output format:}

\begin{verbatim}
kuznet@alisa:~ $ ip link ls eth0
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc cbq qlen 100
    link/ether 00:a0:cc:66:18:78 brd ff:ff:ff:ff:ff:ff
kuznet@alisa:~ $ ip link ls sit0
5: sit0@NONE: <NOARP,UP> mtu 1480 qdisc noqueue
    link/sit 0.0.0.0 brd 0.0.0.0
kuznet@alisa:~ $ ip link ls dummy
2: dummy: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
kuznet@alisa:~ $
\end{verbatim}


The number before each colon is an {\em interface index\/} or {\em ifindex\/}.
This number uniquely identifies the interface. This is followed by the {\em interface name\/}
(\verb|eth0|, \verb|sit0| etc.). The interface name is also
unique at every given moment.
However, the interface may disappear from the
list (e.g.\ when the corresponding driver module is unloaded) and another
one with the same name may be created later. Besides that,
the administrator may change the name of any device with
\verb|ip| \verb|link| \verb|set| \verb|name|
to make it more intelligible.

The interface name may have another name or \verb|NONE| appended
after the \verb|@| sign. This means that this device is bound to some other
device,
i.e.\ packets sent through it are encapsulated and sent via the ``master''
device. If the name is \verb|NONE|, the master is unknown.

Then we see the interface {\em mtu\/} (``maximal transfer unit''). This determines
the maximal size of data which can be sent as a single packet over this interface.

{\em qdisc\/} (``queuing discipline'') shows the queuing algorithm used
on the interface.
In particular, \verb|noqueue| means that this interface
does not queue anything and \verb|noop| means that the interface is in blackhole
mode, i.e.\ all packets sent to it are immediately discarded.
{\em qlen\/} is the default transmit queue length of the device measured
in packets.

The interface flags are summarized in the angle brackets.

\begin{itemize}
\item \verb|UP| --- the device is turned on. It is ready to accept
packets for transmission and it may inject into the kernel packets received
from other nodes on the network.

\item \verb|LOOPBACK| --- the interface does not communicate with other
hosts. All packets sent through it will be returned
and nothing but bounced packets can be received.

\item \verb|BROADCAST| --- the device has the facility to send packets
to all hosts sharing the same link. A typical example is an Ethernet link.

\item \verb|POINTOPOINT| --- the link has only two ends with one node
attached to each end. All packets sent to this link will reach the peer
and all packets received by us came from this single peer.

If neither \verb|LOOPBACK| nor \verb|BROADCAST| nor \verb|POINTOPOINT|
are set, the interface is assumed to be NBMA (Non-Broadcast Multi-Access).
This is the most generic type of device and the most complicated one, because
the host attached to an NBMA link has no means to send to anyone
without additionally configured information.

\item \verb|MULTICAST| --- is an advisory flag indicating that the interface
is aware of multicasting i.e.\ sending packets to some subset of neighbouring
nodes. Broadcasting is a particular case of multicasting, where the multicast
group consists of all nodes on the link. It is important to emphasize
that software {\em must not\/} interpret the absence of this flag as the inability
to use multicasting on this interface.
Any \verb|POINTOPOINT| and
\verb|BROADCAST| link is multicasting by definition, because we have
direct access to all the neighbours and, hence, to any part of them.
Certainly, the use of high bandwidth multicast transfers is not recommended
on broadcast-only links because of high expense, but it is not strictly
prohibited.

\item \verb|PROMISC| --- the device listens to and feeds to the kernel all
traffic on the link even if it is not destined for us, not broadcasted
and not destined for a multicast group of which we are a member. Usually
this mode exists only on broadcast links and is used by bridges and for network
monitoring.

\item \verb|ALLMULTI| --- the device receives all multicast packets
wandering on the link. This mode is used by multicast routers.

\item \verb|NOARP| --- this flag is different from the other ones. It has
no invariant value and its interpretation depends on the network protocols
involved.
As a rule, it indicates that the device needs no address
resolution and that the software or hardware knows how to deliver packets
without any help from the protocol stacks.

\item \verb|DYNAMIC| --- is an advisory flag indicating that the interface is
dynamically created and destroyed.

\item \verb|SLAVE| --- this interface is bonded to some other interfaces
to share link capacities.

\end{itemize}

\vskip 1mm
\begin{NB}
There are other flags but they are either obsolete (\verb|NOTRAILERS|)
or not implemented (\verb|DEBUG|) or specific to some devices
(\verb|MASTER|, \verb|AUTOMEDIA| and \verb|PORTSEL|). We do not discuss
them here.
\end{NB}

The second line contains information on the link layer addresses
associated with the device.
The first word (\verb|ether|, \verb|sit|)
defines the interface hardware type. This type determines the format and semantics
of the addresses and is logically part of the address.
The default format of the station address and the broadcast address
(or the peer address for pointopoint links) is a
sequence of hexadecimal bytes separated by colons, but some link
types may have their natural address format, f.e.\ addresses
of tunnels over IP are printed as dotted-quad IP addresses.

\vskip 1mm
\begin{NB}
  NBMA links have no well-defined broadcast or peer address,
  however this field may contain useful information, f.e.\
  about the address of a broadcast relay or about the address of the ARP server.
\end{NB}
\begin{NB}
Multicast addresses are not shown by this command, see
\verb|ip maddr ls| in~Sec.\ref{IP-MADDR} (p.\pageref{IP-MADDR} of this
document).
\end{NB}

\paragraph{Statistics:} With the \verb|-statistics| option, \verb|ip| also
prints interface statistics:

\begin{verbatim}
kuznet@alisa:~ $ ip -s link ls eth0
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc cbq qlen 100
    link/ether 00:a0:cc:66:18:78 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    2449949362 2786187  0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    178558497  1783945  332     0       332     35172
kuznet@alisa:~ $
\end{verbatim}
\verb|RX:| and \verb|TX:| lines summarize receiver and transmitter
statistics. They contain:
\begin{itemize}
\item \verb|bytes| --- the total number of bytes received or transmitted
on the interface.
This number wraps when it exceeds the maximal value of the data type
natural for the architecture, so continuous monitoring requires
a user-level daemon sampling it periodically.
\item \verb|packets| --- the total number of packets received or transmitted
on the interface.
\item \verb|errors| --- the total number of receiver or transmitter errors.
\item \verb|dropped| --- the total number of packets dropped due to lack
of resources.
\item \verb|overrun| --- the total number of receiver overruns resulting
in dropped packets. As a rule, if the interface is overrun, it means
serious problems in the kernel or that your machine is too slow
for this interface.
\item \verb|mcast| --- the total number of received multicast packets. This option
is only supported by a few devices.
\item \verb|carrier| --- the total number of link media failures f.e.\ because
of lost carrier.
\item \verb|collsns| --- the total number of collision events
on Ethernet-like media. This number may have a different sense on other
link types.
\item \verb|compressed| --- the total number of compressed packets. This is
available only for links using VJ header compression.
\end{itemize}

If the \verb|-s| option is entered twice or more,
\verb|ip| prints more detailed statistics on receiver
and transmitter errors.

\begin{verbatim}
kuznet@alisa:~ $ ip -s -s link ls eth0
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc cbq qlen 100
    link/ether 00:a0:cc:66:18:78 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    2449949362 2786187  0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    178558497  1783945  332     0       332     35172
    TX errors: aborted  fifo    window  heartbeat
               0        0       0       332
kuznet@alisa:~ $
\end{verbatim}
These
error names are pure Ethernetisms. Other devices
may have nonzero values in these fields but they may be
interpreted differently.

\section{{\tt ip address} --- protocol address management}

\paragraph{Abbreviations:} \verb|address|, \verb|addr|, \verb|a|.

\paragraph{Object:} The \verb|address| is a protocol (IP or IPv6) address attached
to a network device. Each device must have at least one address
to use the corresponding protocol. It is possible to have several
different addresses attached to one device. These addresses are not
discriminated, so that the term {\em alias\/} is not quite appropriate
for them and we do not use it in this document.

The \verb|ip addr| command displays addresses and their properties,
adds new addresses and deletes old ones.

\paragraph{Commands:} \verb|add|, \verb|delete|, \verb|flush| and \verb|show|
(or \verb|list|).
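
The following Python sketch is an added example, not part of the original reference or of \verb|iproute2|. It parses \verb|ip link ls| output in the format described in the previous section and compares two snapshots by ifindex, because names can be changed or reused, reporting renames, recreated devices and a newly set \verb|PROMISC| flag. Both snapshots and all function names are constructed for illustration.

```python
import re

# Constructed snapshots in the `ip link ls` format shown in this document;
# the second one models a rename, a PROMISC change and a recreated device.
BEFORE = """\
2: dummy: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc cbq qlen 100
    link/ether 00:a0:cc:66:18:78 brd ff:ff:ff:ff:ff:ff
5: sit0@NONE: <NOARP,UP> mtu 1480 qdisc noqueue
    link/sit 0.0.0.0 brd 0.0.0.0
"""
AFTER = """\
2: dummy: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: lan0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc cbq qlen 100
    link/ether 00:a0:cc:66:18:78 brd ff:ff:ff:ff:ff:ff
7: sit0@NONE: <NOARP,UP> mtu 1480 qdisc noqueue
    link/sit 0.0.0.0 brd 0.0.0.0
"""

# "IFINDEX: NAME[@MASTER]: <FLAGS> key value key value ..."
HEADER = re.compile(
    r"^(?P<ifindex>\d+):\s+(?P<name>[^:@\s]+)(?:@(?P<master>[^:\s]+))?:\s+"
    r"<(?P<flags>[^>]*)>\s*(?P<attrs>.*)$")
# "    link/TYPE [ADDRESS] [brd ADDRESS]"
LINK = re.compile(
    r"^\s+link/(?P<type>\S+)(?:\s+(?P<addr>\S+))?(?:\s+brd\s+(?P<brd>\S+))?")


def parse_links(text):
    """Return {ifindex: record} for `ip link ls` style output."""
    links, cur = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            words = m.group("attrs").split()
            attrs = dict(zip(words[0::2], words[1::2]))   # mtu 1500 qdisc cbq
            cur = {
                "ifindex": int(m.group("ifindex")),
                "name": m.group("name"),
                "master": m.group("master"),              # "NONE" = unknown
                "flags": set(filter(None, m.group("flags").split(","))),
                "mtu": int(attrs["mtu"]) if "mtu" in attrs else None,
                "qdisc": attrs.get("qdisc"),
            }
            links[cur["ifindex"]] = cur
            continue
        m = LINK.match(line)
        if m and cur is not None:
            cur.update(link_type=m.group("type"), addr=m.group("addr"),
                       brd=m.group("brd"))
    return links


def link_class(flags):
    """Apply the rule from the flag list: none of the three means NBMA."""
    for flag in ("LOOPBACK", "BROADCAST", "POINTOPOINT"):
        if flag in flags:
            return flag
    return "NBMA"


def audit(before, after):
    """Compare two snapshots keyed by ifindex and list notable changes."""
    findings = []
    old_names = {r["name"]: r["ifindex"] for r in before.values()}
    new_names = {r["name"] for r in after.values()}
    for idx, new in sorted(after.items()):
        old = before.get(idx)
        if old is None:
            if new["name"] in old_names:
                findings.append(f"{new['name']}: recreated, ifindex "
                                f"{old_names[new['name']]} -> {idx}")
            else:
                findings.append(f"{new['name']}: new device, ifindex {idx}")
            continue
        if old["name"] != new["name"]:
            findings.append(
                f"ifindex {idx}: renamed {old['name']} -> {new['name']}")
        if "PROMISC" in new["flags"] - old["flags"]:
            findings.append(f"ifindex {idx}: {new['name']} entered PROMISC")
        if old.get("addr") != new.get("addr"):
            findings.append(f"ifindex {idx}: link address "
                            f"{old.get('addr')} -> {new.get('addr')}")
    for idx, old in sorted(before.items()):
        if idx not in after and old["name"] not in new_names:
            findings.append(f"{old['name']}: disappeared, ifindex {idx}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_links(BEFORE), parse_links(AFTER)):
        print(finding)
```
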

\subsection{{\tt ip address add} --- add a new protocol address}
\label{IP-ADDR-ADD}

\paragraph{Abbreviations:} \verb|add|, \verb|a|.

\paragraph{Arguments:}

\begin{itemize}
\item \verb|dev NAME|

\noindent--- the name of the device to add the address to.

\item \verb|local ADDRESS| (default)

--- the address of the interface. The format of the address depends
on the protocol. It is a dotted quad for IP and a sequence of hexadecimal halfwords
separated by colons for IPv6. The \verb|ADDRESS| may be followed by
a slash and a decimal number which encodes the network prefix length.

\item \verb|peer ADDRESS|

--- the address of the remote endpoint for pointopoint interfaces.
Again, the \verb|ADDRESS| may be followed by a slash and a decimal number,
encoding the network prefix length. If a peer address is specified,
the local address {\em cannot\/} have a prefix length. The network prefix is associated
with the peer rather than with the local address.

\item \verb|broadcast ADDRESS|

--- the broadcast address on the interface.

It is possible to use the special symbols \verb|'+'| and \verb|'-'|
instead of the broadcast address. In this case, the broadcast address
is derived by setting/resetting the host bits of the interface prefix.

\vskip 1mm
\begin{NB}
Unlike \verb|ifconfig|, the \verb|ip| utility {\em does not\/} set any broadcast
address unless explicitly requested.
\end{NB}

\item \verb|label NAME|

--- Each address may be tagged with a label string.
In order to preserve compatibility with Linux-2.0 net aliases,
this string must coincide with the name of the device or must be prefixed
with the device name followed by a colon.

\item \verb|scope SCOPE_VALUE|

--- the scope of the area where this address is valid.
The available scopes are listed in file \verb|/etc/iproute2/rt_scopes|.
Predefined scope values are:

  \begin{itemize}
  \item \verb|global| --- the address is globally valid.
  \item \verb|site| --- (IPv6 only) the address is site local,
    i.e.\ it is valid inside this site.
  \item \verb|link| --- the address is link local, i.e.\
    it is valid only on this device.
  \item \verb|host| --- the address is valid only inside this host.
  \end{itemize}

Appendix~\ref{ADDR-SEL} (p.\pageref{ADDR-SEL} of this document)
contains more details on address scopes.

\end{itemize}

\paragraph{Examples:}
\begin{itemize}
\item \verb|ip addr add 127.0.0.1/8 dev lo brd + scope host|

--- add the usual loopback address to the loopback device.

\item \verb|ip addr add 10.0.0.1/24 brd + dev eth0 label eth0:Alias|

--- add the address 10.0.0.1 with prefix length 24 (i.e.\ netmask
\verb|255.255.255.0|), standard broadcast and label \verb|eth0:Alias|
to the interface \verb|eth0|.
\end{itemize}

\subsection{{\tt ip address delete} --- delete a protocol address}

\paragraph{Abbreviations:} \verb|delete|, \verb|del|, \verb|d|.

\paragraph{Arguments:} coincide with the arguments of \verb|ip addr add|.
The device name is a required argument. The rest are optional.
If no arguments are given, the first address is deleted.

\paragraph{Examples:}
\begin{itemize}
\item \verb|ip addr del 127.0.0.1/8 dev lo|

--- deletes the loopback address from the loopback device.
It would be best not to repeat this experiment.

\item Disable IP on the interface \verb|eth0|:
\begin{verbatim}
  while ip -f inet addr del dev eth0; do
    : nothing
  done
\end{verbatim}
Another method to disable IP on an interface using {\tt ip addr flush}
may be found in sec.\ref{IP-ADDR-FLUSH}, p.\pageref{IP-ADDR-FLUSH}.

\end{itemize}

\subsection{{\tt ip address show} --- display protocol addresses}

\paragraph{Abbreviations:} \verb|show|, \verb|list|, \verb|lst|, \verb|sh|, \verb|ls|,
\verb|l|.

\paragraph{Arguments:}

\begin{itemize}
\item \verb|dev NAME| (default)

--- the name of the device.

\item \verb|scope SCOPE_VAL|

--- only list addresses with this scope.

\item \verb|to PREFIX|

--- only list addresses matching this prefix.

\item \verb|label PATTERN|

--- only list addresses with labels matching the \verb|PATTERN|.
\verb|PATTERN| is a usual shell style pattern.

\item \verb|dynamic| and \verb|permanent|

--- (IPv6 only) only list addresses installed due to stateless
address configuration or only list permanent (not dynamic) addresses.

\item \verb|tentative|

--- (IPv6 only) only list addresses which did not pass duplicate
address detection.

\item \verb|deprecated|

--- (IPv6 only) only list deprecated addresses.

\item \verb|primary| and \verb|secondary|

--- only list primary (or secondary) addresses.

\end{itemize}

\paragraph{Output format:}

\begin{verbatim}
kuznet@alisa:~ $ ip addr ls eth0
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc cbq qlen 100
    link/ether 00:a0:cc:66:18:78 brd ff:ff:ff:ff:ff:ff
    inet 193.233.7.90/24 brd 193.233.7.255 scope global eth0
    inet6 3ffe:2400:0:1:2a0:ccff:fe66:1878/64 scope global dynamic
       valid_lft forever preferred_lft 604746sec
    inet6 fe80::2a0:ccff:fe66:1878/10 scope link
kuznet@alisa:~ $
\end{verbatim}

The first two lines coincide with the output of \verb|ip link ls|.
It is natural to interpret link layer addresses
as addresses of the protocol family \verb|AF_PACKET|.

Then the list of IP and IPv6 addresses follows, accompanied by
additional address attributes: scope value (see Sec.\ref{IP-ADDR-ADD},
p.\pageref{IP-ADDR-ADD} above), flags and the address label.

Address flags are set by the kernel and cannot be changed
administratively. Currently, the following flags are defined:

\begin{enumerate}
\item \verb|secondary|

--- the address is not used when selecting the default source address
of outgoing packets (Cf.\ Appendix~\ref{ADDR-SEL}, p.\pageref{ADDR-SEL}.).
An IP address becomes secondary if another address with the same
prefix bits already exists. The first address is primary.
It is the leader of the group of all secondary addresses. When the leader
is deleted, all secondaries are purged too.
There is a tweak in \verb|/proc/sys/net/ipv4/conf/<dev>/promote_secondaries|
which activates promotion of secondaries when a primary is deleted.
To permanently enable this feature on all devices add
\verb|net.ipv4.conf.all.promote_secondaries=1| to \verb|/etc/sysctl.conf|.
This tweak is available in Linux 2.6.15 and later.


\item \verb|dynamic|

--- the address was created due to stateless autoconfiguration~\cite{RFC-ADDRCONF}.
In this case the output also contains information on how long
the address remains valid. After \verb|preferred_lft| expires the address is
moved to the deprecated state. After \verb|valid_lft| expires the address
is finally invalidated.

\item \verb|deprecated|

--- the address is deprecated, i.e.\ it is still valid, but cannot
be used by newly created connections.

\item \verb|tentative|

--- the address is not used because duplicate address detection~\cite{RFC-ADDRCONF}
has not yet completed or has failed.

\end{enumerate}


\subsection{{\tt ip address flush} --- flush protocol addresses}
\label{IP-ADDR-FLUSH}

\paragraph{Abbreviations:} \verb|flush|, \verb|f|.

\paragraph{Description:} This command flushes the protocol addresses
selected by some criteria.

\paragraph{Arguments:} This command has the same arguments as \verb|show|.
The difference is that it does not run when no arguments are given.

\paragraph{Warning:} This command (and other \verb|flush| commands
described below) is pretty dangerous. If you make a mistake, it will
not forgive it, but will cruelly purge all the addresses.

\paragraph{Statistics:} With the \verb|-statistics| option, the command
becomes verbose. It prints out the number of deleted addresses and the number
of rounds made to flush the address list. If this option is given
twice, \verb|ip addr flush| also dumps all the deleted addresses
in the format described in the previous subsection.

\paragraph{Example:} Delete all the addresses from the private network
10.0.0.0/8:
\begin{verbatim}
netadm@amber:~ # ip -s -s a f to 10/8
2: dummy inet 10.7.7.7/16 brd 10.7.255.255 scope global dummy
3: eth0 inet 10.10.7.7/16 brd 10.10.255.255 scope global eth0
4: eth1 inet 10.8.7.7/16 brd 10.8.255.255 scope global eth1

*** Round 1, deleting 3 addresses ***
*** Flush is complete after 1 round ***
netadm@amber:~ #
\end{verbatim}
Another instructive example is disabling IP on all the Ethernets:
\begin{verbatim}
netadm@amber:~ # ip -4 addr flush label "eth*"
\end{verbatim}
And the last example shows how to flush all the IPv6 addresses
acquired by the host from stateless address autoconfiguration
after you enabled forwarding or disabled autoconfiguration.
\begin{verbatim}
netadm@amber:~ # ip -6 addr flush dynamic
\end{verbatim}



\section{{\tt ip neighbour} --- neighbour/arp tables management}

\paragraph{Abbreviations:} \verb|neighbour|, \verb|neighbor|, \verb|neigh|,
\verb|n|.

\paragraph{Object:} \verb|neighbour| objects establish bindings between protocol
addresses and link layer addresses for hosts sharing the same link.
Neighbour entries are organized into tables. The IPv4 neighbour table
is known by another name --- the ARP table.

The corresponding commands display neighbour bindings
and their properties, add new neighbour entries and delete old ones.

\paragraph{Commands:} \verb|add|, \verb|change|, \verb|replace|,
\verb|delete|, \verb|flush| and \verb|show| (or \verb|list|).

\paragraph{See also:} Appendix~\ref{PROXY-NEIGH}, p.\pageref{PROXY-NEIGH}
describes how to manage proxy ARP/NDISC with the \verb|ip| utility.


\subsection{{\tt ip neighbour add} --- add a new neighbour entry\\
        {\tt ip neighbour change} --- change an existing entry\\
        {\tt ip neighbour replace} --- add a new entry or change an existing one}

\paragraph{Abbreviations:} \verb|add|, \verb|a|; \verb|change|, \verb|chg|;
\verb|replace|, \verb|repl|.

\paragraph{Description:} These commands create new neighbour records
or update existing ones.

\paragraph{Arguments:}

\begin{itemize}
\item \verb|to ADDRESS| (default)

--- the protocol address of the neighbour. It is either an IPv4 or IPv6 address.

\item \verb|dev NAME|

--- the interface to which this neighbour is attached.


\item \verb|lladdr LLADDRESS|

--- the link layer address of the neighbour. \verb|LLADDRESS| can also be
\verb|null|.

\item \verb|nud NUD_STATE|

--- the state of the neighbour entry. \verb|nud| is an abbreviation for ``Neighbour
Unreachability Detection''.
The state can take one of the following values:

\begin{enumerate}
\item \verb|permanent| --- the neighbour entry is valid forever and can only be removed
administratively.
\item \verb|noarp| --- the neighbour entry is valid. No attempts to validate
this entry will be made but it can be removed when its lifetime expires.
\item \verb|reachable| --- the neighbour entry is valid until the reachability
timeout expires.
\item \verb|stale| --- the neighbour entry is valid but suspicious.
This option to \verb|ip neigh| does not change the neighbour state if
it was valid and the address is not changed by this command.
\end{enumerate}

\end{itemize}

\paragraph{Examples:}
\begin{itemize}
\item \verb|ip neigh add 10.0.0.3 lladdr 0:0:0:0:0:1 dev eth0 nud perm|

--- add a permanent ARP entry for the neighbour 10.0.0.3 on the device \verb|eth0|.

\item \verb|ip neigh chg 10.0.0.3 dev eth0 nud reachable|

--- change its state to \verb|reachable|.
\end{itemize}


\subsection{{\tt ip neighbour delete} --- delete a neighbour entry}

\paragraph{Abbreviations:} \verb|delete|, \verb|del|, \verb|d|.

\paragraph{Description:} This command invalidates a neighbour entry.

\paragraph{Arguments:} The arguments are the same as with \verb|ip neigh add|,
except that \verb|lladdr| and \verb|nud| are ignored.


\paragraph{Example:}
\begin{itemize}
\item \verb|ip neigh del 10.0.0.3 dev eth0|

--- invalidate an ARP entry for the neighbour 10.0.0.3 on the device \verb|eth0|.

\end{itemize}

\begin{NB}
 The deleted neighbour entry will not disappear from the tables
 immediately. If it is in use it cannot be deleted until the last
 client releases it. Otherwise it will be destroyed during
 the next garbage collection.
\end{NB}


\paragraph{Warning:} Attempts to delete or manually change
a \verb|noarp| entry created by the kernel may result in unpredictable behaviour.
In particular, the kernel may try to resolve this address even
on a \verb|NOARP| interface or if the address is multicast or broadcast.


\subsection{{\tt ip neighbour show} --- list neighbour entries}

\paragraph{Abbreviations:} \verb|show|, \verb|list|, \verb|sh|, \verb|ls|.

\paragraph{Description:} This command displays neighbour tables.

\paragraph{Arguments:}

\begin{itemize}

\item \verb|to ADDRESS| (default)

--- the prefix selecting the neighbours to list.

\item \verb|dev NAME|

--- only list the neighbours attached to this device.

\item \verb|unused|

--- only list neighbours which are not currently in use.

\item \verb|nud NUD_STATE|

--- only list neighbour entries in this state. \verb|NUD_STATE| takes
values listed below or the special value \verb|all| which means all states.
This option may occur more than once. If this option is absent, \verb|ip|
lists all entries except for \verb|none| and \verb|noarp|.

\end{itemize}


\paragraph{Output format:}

\begin{verbatim}
kuznet@alisa:~ $ ip neigh ls
:: dev lo lladdr 00:00:00:00:00:00 nud noarp
fe80::200:cff:fe76:3f85 dev eth0 lladdr 00:00:0c:76:3f:85 router \
    nud stale
0.0.0.0 dev lo lladdr 00:00:00:00:00:00 nud noarp
193.233.7.254 dev eth0 lladdr 00:00:0c:76:3f:85 nud reachable
193.233.7.85 dev eth0 lladdr 00:e0:1e:63:39:00 nud stale
kuznet@alisa:~ $
\end{verbatim}

The first word of each line is the protocol address of the neighbour.
Then the device name follows. The rest of the line describes the contents of
the neighbour entry identified by the pair (device, address).

\verb|lladdr| is the link layer address of the neighbour.

\verb|nud| is the state of the ``neighbour unreachability detection'' machine
for this entry. The detailed description of the neighbour
state machine can be found in~\cite{RFC-NDISC}. Here is the full list
of the states with short descriptions:

\begin{enumerate}
\item\verb|none| --- the state of the neighbour is void.
\item\verb|incomplete| --- the neighbour is in the process of resolution.
\item\verb|reachable| --- the neighbour is valid and apparently reachable.
\item\verb|stale| --- the neighbour is valid, but is probably already
unreachable, so the kernel will try to check it at the first transmission.
\item\verb|delay| --- a packet has been sent to the stale neighbour and the kernel is waiting
for confirmation.
\item\verb|probe| --- the delay timer expired but no confirmation was received.
The kernel has started to probe the neighbour with ARP/NDISC messages.
\item\verb|failed| --- resolution has failed.
\item\verb|noarp| --- the neighbour is valid.
No attempts to check the entry
will be made.
\item\verb|permanent| --- it is a \verb|noarp| entry, but only the administrator
may remove the entry from the neighbour table.
\end{enumerate}

The link layer address is valid in all states except for \verb|none|,
\verb|failed| and \verb|incomplete|.

IPv6 neighbours can be marked with the additional flag \verb|router|
which means that the neighbour introduced itself as an IPv6 router~\cite{RFC-NDISC}.

\paragraph{Statistics:} The \verb|-statistics| option displays some usage
statistics, for example:

\begin{verbatim}
kuznet@alisa:~ $ ip -s n ls 193.233.7.254
193.233.7.254 dev eth0 lladdr 00:00:0c:76:3f:85 ref 5 used 12/13/20 \
    nud reachable
kuznet@alisa:~ $
\end{verbatim}

Here \verb|ref| is the number of users of this entry
and
\verb|used| is a triplet of time intervals in seconds
separated by slashes. In this case they show that:

\begin{enumerate}
\item the entry was used 12 seconds ago.
\item the entry was confirmed 13 seconds ago.
\item the entry was updated 20 seconds ago.
\end{enumerate}

\subsection{{\tt ip neighbour flush} --- flush neighbour entries}

\paragraph{Abbreviations:} \verb|flush|, \verb|f|.

\paragraph{Description:} This command flushes neighbour tables, selecting
entries to flush by some criteria.

\paragraph{Arguments:} This command has the same arguments as \verb|show|.
The differences are that it does not run when no arguments are given,
and that the default neighbour states to be flushed do not include
\verb|permanent| and \verb|noarp|.
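
A parser for the \verb|ip neigh| listing format described in the previous subsection, together with the default state filters of \verb|show| and \verb|flush| as this document states them. It is an added example in Python, not part of iproute2; the sample text reuses the listings above plus two constructed entries (10.0.0.3 and 10.0.0.9), and accepting a bare upper-case state word is an addition for newer \verb|ip| releases.

```python
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# NUD states in the order the document lists them.
STATES = ("none", "incomplete", "reachable", "stale", "delay",
          "probe", "failed", "noarp", "permanent")
# "The link layer address is valid in all states except for ..."
LLADDR_INVALID = {"none", "failed", "incomplete"}

# Listings from the document, plus two constructed entries at the end
# (one permanent, one failed) so that every filter has something to act on.
SAMPLE = r"""
:: dev lo lladdr 00:00:00:00:00:00 nud noarp
fe80::200:cff:fe76:3f85 dev eth0 lladdr 00:00:0c:76:3f:85 router \
    nud stale
0.0.0.0 dev lo lladdr 00:00:00:00:00:00 nud noarp
193.233.7.254 dev eth0 lladdr 00:00:0c:76:3f:85 ref 5 used 12/13/20 \
    nud reachable
193.233.7.85 dev eth0 lladdr 00:e0:1e:63:39:00 nud stale
10.0.0.3 dev eth0 lladdr 00:00:00:00:00:01 nud permanent
10.0.0.9 dev eth0 nud failed
"""


@dataclass
class Neighbour:
    address: str
    dev: str = ""
    lladdr: Optional[str] = None
    state: str = "none"
    router: bool = False                    # IPv6 "router" flag
    ref: Optional[int] = None               # number of users (-statistics)
    used: Optional[Tuple[int, ...]] = None  # used/confirmed/updated, seconds ago


def logical_lines(text: str) -> Iterator[str]:
    """Join lines wrapped with a trailing backslash; drop blanks and flush banners."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1].strip() + " "
            continue
        line, pending = (pending + line).strip(), ""
        if line and not line.startswith("***"):
            yield line


def parse_line(line: str) -> Neighbour:
    tok = line.split()
    n = Neighbour(address=tok[0])
    i = 1
    while i < len(tok):
        key = tok[i]
        val = tok[i + 1] if i + 1 < len(tok) else None
        if key == "router":
            n.router = True
        elif key.lower() in STATES:
            # Not in the document: newer ip releases print the bare state
            # in upper case instead of "nud STATE".
            n.state = key.lower()
        elif val is not None and key in ("dev", "lladdr", "nud", "ref", "used"):
            if key == "dev":
                n.dev = val
            elif key == "lladdr":
                n.lladdr = val.lower()
            elif key == "nud":
                n.state = val.lower()
            elif key == "ref":
                n.ref = int(val)
            else:
                n.used = tuple(int(x) for x in val.split("/"))
            i += 1                          # the value token is consumed too
        i += 1
    return n


def parse(text: str) -> List[Neighbour]:
    return [parse_line(line) for line in logical_lines(text)]


def lladdr_usable(n: Neighbour) -> bool:
    """A binding is meaningful only outside none/failed/incomplete."""
    return n.lladdr is not None and n.state not in LLADDR_INVALID


def listed_by_default(n: Neighbour) -> bool:
    """'ip neigh show' without 'nud' lists everything except none and noarp."""
    return n.state not in ("none", "noarp")


def flushed_by_default(n: Neighbour) -> bool:
    """'ip neigh flush' without 'nud' leaves permanent and noarp entries alone."""
    return n.state not in ("permanent", "noarp")


def static_bindings(neighs: List[Neighbour]) -> List[Tuple[str, str, Optional[str]]]:
    """Permanent entries: they survive a default flush and need explicit review."""
    return [(n.address, n.dev, n.lladdr) for n in neighs if n.state == "permanent"]


if __name__ == "__main__":
    table = parse(SAMPLE)
    print("survive default flush:",
          [n.address for n in table if not flushed_by_default(n)])
    print("static bindings:", static_bindings(table))
```
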


\paragraph{Statistics:} With the \verb|-statistics| option, the command
becomes verbose. It prints out the number of deleted neighbours and the number
of rounds made to flush the neighbour table. If the option is given
twice, \verb|ip neigh flush| also dumps all the deleted neighbours
in the format described in the previous subsection.

\paragraph{Example:}
\begin{verbatim}
netadm@alisa:~ # ip -s -s n f 193.233.7.254
193.233.7.254 dev eth0 lladdr 00:00:0c:76:3f:85 ref 5 used 12/13/20 \
    nud reachable

*** Round 1, deleting 1 entries ***
*** Flush is complete after 1 round ***
netadm@alisa:~ #
\end{verbatim}


\section{{\tt ip route} --- routing table management}
\label{IP-ROUTE}

\paragraph{Abbreviations:}
\verb|route|, \verb|ro|, \verb|r|.

\paragraph{Object:} \verb|route| entries in the kernel routing tables keep
information about paths to other networked nodes.

Each route entry has a {\em key\/} consisting of a {\em prefix\/}
(i.e.\ a pair containing a network address and the length of its mask) and,
optionally, the TOS value. An IP packet matches the route if the highest
bits of its destination address are equal to the route prefix at least
up to the prefix length and if the TOS of the route is zero or equal to
the TOS of the packet.

If several routes match the packet, the following pruning rules
are used to select the best one (see~\cite{RFC1812}):
\begin{enumerate}
\item The longest matching prefix is selected. All shorter ones
are dropped.

\item If the TOS of some route with the longest prefix is equal to the TOS
of the packet, the routes with different TOS are dropped.

If no exact TOS match was found and routes with TOS=0 exist,
the rest of the routes are pruned.

Otherwise, the route lookup fails.

\item If several routes remain after the previous steps, then
the routes with the best preference values are selected.

\item If we still have several routes, then the {\em first\/} of them
is selected.

\begin{NB}
 Note the ambiguity of the last step. Unfortunately, Linux
 historically allows such a bizarre situation. The sense of the
word ``first'' depends on the order of route additions and it is practically
impossible to maintain a bundle of such routes in this order.
\end{NB}

For simplicity we will limit ourselves to the case where such a situation
is impossible and routes are uniquely identified by the triplet
\{prefix, tos, preference\}.
Actually, it is impossible to create
non-unique routes with the \verb|ip| commands described in this section.

One useful exception to this rule is the default route on non-forwarding
hosts. It is ``officially'' allowed to have several fallback routes
when several routers are present on directly connected networks.
In this case, Linux-2.2 makes ``dead gateway detection''~\cite{RFC1122}
controlled by neighbour unreachability detection and by advice
from transport protocols to select a working router, so the order
of the routes is not essential. However, in this case,
fiddling with default routes manually is not recommended. Use the Router Discovery
protocol (see Appendix~\ref{EXAMPLE-SETUP}, p.\pageref{EXAMPLE-SETUP})
instead. Actually, Linux-2.2 IPv6 does not give user level applications
any access to default routes.
\end{enumerate}

Certainly, the steps above are not performed exactly
in this sequence.
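
Applied literally and in the listed order, the matching condition and the pruning rules above give the following lookup. This is an added example in Python, not kernel or iproute2 code; the \verb|Route| record, the sample tables and their gateway labels are constructed, and a lower \verb|preference| value is assumed to be the better one.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str              # network address and mask length, e.g. "10.0.0.0/8"
    tos: int = 0
    preference: int = 0      # assumption: a lower value is the better preference
    rtype: str = "unicast"   # route type, e.g. "blackhole"
    via: str = ""            # constructed next-hop label, for readability only

    @property
    def net(self):
        return ipaddress.ip_network(self.prefix)


def matches(route: Route, dst: str, tos: int) -> bool:
    """Destination lies inside the prefix, and the route TOS is zero or the packet TOS."""
    addr = ipaddress.ip_address(dst)
    net = route.net
    return addr.version == net.version and addr in net and route.tos in (0, tos)


def select_route(table: List[Route], dst: str, tos: int = 0) -> Optional[Route]:
    cand = [r for r in table if matches(r, dst, tos)]
    if not cand:
        return None                       # nothing matches: lookup fails
    # 1. Keep the longest matching prefix, drop all shorter ones.
    longest = max(r.net.prefixlen for r in cand)
    cand = [r for r in cand if r.net.prefixlen == longest]
    # 2. Prefer an exact TOS match, else fall back to TOS=0, else fail.
    exact = [r for r in cand if r.tos == tos]
    zero = [r for r in cand if r.tos == 0]
    cand = exact or zero
    if not cand:
        return None
    # 3. Keep the routes with the best preference value.
    best = min(r.preference for r in cand)
    cand = [r for r in cand if r.preference == best]
    # 4. Several routes left: the first one in table order wins (the NB's ambiguity).
    return cand[0]


def ambiguous_keys(table: List[Route]) -> List[Tuple]:
    """Keys {prefix, tos, preference} shared by more than one route."""
    seen = {}
    for r in table:
        seen.setdefault((r.net, r.tos, r.preference), []).append(r)
    return [key for key, routes in seen.items() if len(routes) > 1]


# Constructed routing table.
TABLE = [
    Route("0.0.0.0/0", via="193.233.7.254"),
    Route("10.0.0.0/8", via="gw-a"),
    Route("10.1.0.0/16", tos=0x10, via="gw-lowdelay"),
    Route("10.1.0.0/16", preference=10, via="gw-b"),
    Route("10.1.0.0/16", preference=5, via="gw-c"),
    Route("10.1.2.0/24", rtype="blackhole"),
    Route("10.3.0.0/16", tos=0x10, via="gw-d"),
]

# Constructed pair with identical keys: the result depends on insertion order.
TWINS = [Route("10.9.0.0/16", via="x"), Route("10.9.0.0/16", via="y")]

if __name__ == "__main__":
    for dst, tos in [("10.1.2.3", 0), ("10.1.9.9", 0x10), ("10.1.9.9", 0x08),
                     ("10.3.0.1", 0), ("192.0.2.1", 0)]:
        print(dst, hex(tos), "->", select_route(TABLE, dst, tos))
    print("ambiguous keys:", ambiguous_keys(TWINS))
```
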
Instead, the routing table in the kernel is kept
in some data structure to achieve the final result
with minimal cost. However, independently of the particular
routing algorithm implemented in the kernel, we can summarize
the statements above as: a route is identified by the triplet
\{prefix, tos, preference\}. This {\em key\/} lets us locate
the route in the routing table.

\paragraph{Route attributes:} Each route key refers to a routing
information record containing
the data required to deliver IP packets (e.g.\ output device and
next hop router) and some optional attributes (e.g.\ the path MTU or
the preferred source address when communicating with this destination).
These attributes are described in the following subsection.

\paragraph{Route types:} \label{IP-ROUTE-TYPES}
It is important that the set
of required and optional attributes depends on the route {\em type\/}.
The most important route type
is \verb|unicast|. It describes real paths to other hosts.
As a rule, common routing tables contain only such routes. However,
there are other types of routes with different semantics. The
full list of types understood by Linux-2.2 is:
\begin{itemize}
\item \verb|unicast| --- the route entry describes real paths to the
destinations covered by the route prefix.
\item \verb|unreachable| --- these destinations are unreachable. Packets
are discarded and the ICMP message {\em host unreachable\/} is generated.
The local senders get an \verb|EHOSTUNREACH| error.
\item \verb|blackhole| --- these destinations are unreachable. Packets
are discarded silently. The local senders get an \verb|EINVAL| error.
\item \verb|prohibit| --- these destinations are unreachable. Packets
are discarded and the ICMP message {\em communication administratively
prohibited\/} is generated. The local senders get an \verb|EACCES| error.
\item \verb|local| --- the destinations are assigned to this
host. The packets are looped back and delivered locally.
\item \verb|broadcast| --- the destinations are broadcast addresses.
The packets are sent as link broadcasts.
\item \verb|throw| --- a special control route used together with policy
rules (see sec.\ref{IP-RULE}, p.\pageref{IP-RULE}). If such a route is selected, lookup
in this table is terminated, pretending that no route was found.
Without policy routing it is equivalent to the absence of the route in the routing
table. The packets are dropped and the ICMP message {\em net unreachable\/}
is generated. The local senders get an \verb|ENETUNREACH| error.
\item \verb|nat| --- a special NAT route. Destinations covered by the prefix
are considered to be dummy (or external) addresses which require translation
to real (or internal) ones before forwarding. The addresses to translate to
are selected with the attribute \verb|via|. More about NAT is
in Appendix~\ref{ROUTE-NAT}, p.\pageref{ROUTE-NAT}.
\item \verb|anycast| --- ({\em not implemented\/}) the destinations are
{\em anycast\/} addresses assigned to this host. They are mainly equivalent
to \verb|local| with one difference: such addresses are invalid when used
as the source address of any packet.
\item \verb|multicast| --- a special type used for multicast routing.
It is not present in normal routing tables.
\end{itemize}

\paragraph{Route tables:} Linux-2.2 can pack routes into several routing
tables identified by a number in the range from 1 to 255 or by
name from the file \verb|/etc/iproute2/rt_tables|. By default all normal
routes are inserted into the \verb|main| table (ID 254) and the kernel only uses
this table when calculating routes.

Actually, one other table always exists, which is invisible but
even more important. It is the \verb|local| table (ID 255). This table
consists of routes for local and broadcast addresses. The kernel maintains
this table automatically and the administrator usually need not modify it
or even look at it.

The multiple routing tables enter the game when {\em policy routing\/}
is used. See sec.\ref{IP-RULE}, p.\pageref{IP-RULE}.
In this case, the table identifier effectively becomes
one more parameter, which should be added to the triplet
\{prefix, tos, preference\} to uniquely identify the route.


\subsection{{\tt ip route add} --- add a new route\\
 {\tt ip route change} --- change a route\\
 {\tt ip route replace} --- change a route or add a new one}
\label{IP-ROUTE-ADD}

\paragraph{Abbreviations:} \verb|add|, \verb|a|; \verb|change|, \verb|chg|;
 \verb|replace|, \verb|repl|.


\paragraph{Arguments:}
\begin{itemize}
\item \verb|to PREFIX| or \verb|to TYPE PREFIX| (default)

--- the destination prefix of the route. If \verb|TYPE| is omitted,
\verb|ip| assumes type \verb|unicast|. Other values of \verb|TYPE|
are listed above. \verb|PREFIX| is an IP or IPv6 address optionally followed
by a slash and the prefix length.
If the length of the prefix is missing,
\verb|ip| assumes a full-length host route. There is also a special
\verb|PREFIX| --- \verb|default| --- which is equivalent to IP \verb|0/0| or
to IPv6 \verb|::/0|.

\item \verb|tos TOS| or \verb|dsfield TOS|

--- the Type Of Service (TOS) key. This key has no associated mask and
the longest match is understood as follows: first, compare the TOS
of the route and of the packet. If they are not equal, then the packet
may still match a route with a zero TOS. \verb|TOS| is either an 8-bit hexadecimal
number or an identifier from {\tt /etc/iproute2/rt\_dsfield}.


\item \verb|metric NUMBER| or \verb|preference NUMBER|

--- the preference value of the route. \verb|NUMBER| is an arbitrary 32-bit number.

\item \verb|table TABLEID|

--- the table to add this route to.
\verb|TABLEID| may be a number or a string from the file
\verb|/etc/iproute2/rt_tables|. If this parameter is omitted,
\verb|ip| assumes the \verb|main| table, with the exception of
\verb|local|, \verb|broadcast| and \verb|nat| routes, which are
put into the \verb|local| table by default.

\item \verb|dev NAME|

--- the output device name.

\item \verb|via ADDRESS|

--- the address of the nexthop router. Actually, the sense of this field depends
on the route type. For normal \verb|unicast| routes it is either the true nexthop
router or, if it is a direct route installed in BSD compatibility mode,
it can be a local address of the interface.
For NAT routes it is the first address of the block of translated IP destinations.

\item \verb|src ADDRESS|

--- the source address to prefer when sending to the destinations
covered by the route prefix.

\item \verb|realm REALMID|

--- the realm to which this route is assigned.
\verb|REALMID| may be a number or a string from the file
\verb|/etc/iproute2/rt_realms|. Sec.\ref{RT-REALMS} (p.\pageref{RT-REALMS})
contains more information on realms.

\item \verb|mtu MTU| or \verb|mtu lock MTU|

--- the MTU along the path to the destination. If the modifier \verb|lock| is
not used, the MTU may be updated by the kernel due to Path MTU Discovery.
If the modifier \verb|lock| is used, no path MTU discovery will be tried:
all packets will be sent without the DF bit in the IPv4 case
or fragmented to the MTU for IPv6.

\item \verb|window NUMBER|

--- the maximal window for TCP to advertise to these destinations,
measured in bytes. It limits maximal data bursts that our TCP
peers are allowed to send to us.

\item \verb|rtt NUMBER|

--- the initial RTT (``Round Trip Time'') estimate.


\item \verb|rttvar NUMBER|

--- \threeonly the initial RTT variance estimate.


\item \verb|ssthresh NUMBER|

--- \threeonly an estimate for the initial slow start threshold.


\item \verb|cwnd NUMBER|

--- \threeonly the clamp for the congestion window. It is ignored if the \verb|lock|
 flag is not used.


\item \verb|advmss NUMBER|

--- \threeonly the MSS (``Maximal Segment Size'') to advertise to these
 destinations when establishing TCP connections. If it is not given,
 Linux uses a default value calculated from the first hop device MTU.

\begin{NB}
 If the path to these destinations is asymmetric, this guess may be wrong.
\end{NB}

\item \verb|reordering NUMBER|

--- \threeonly Maximal reordering on the path to this destination.
 If it is not given, Linux uses the value selected with the \verb|sysctl|
 variable \verb|net/ipv4/tcp_reordering|.

\item \verb|hoplimit NUMBER|

--- [2.5.74+ only] Maximum number of hops on the path to this destination.
 The default is the value selected with the \verb|sysctl| variable
 \verb|net/ipv4/ip_default_ttl|.

\item \verb|initcwnd NUMBER|
--- [2.5.70+ only] Initial congestion window size for connections to
 this destination. The actual window size is this value multiplied by the
 MSS (``Maximal Segment Size'') for the same connection. The default is
 zero, meaning to use the values specified in~\cite{RFC2414}.

\item \verb|initrwnd NUMBER|

--- [2.6.33+ only] Initial receive window size for connections to
 this destination. The actual window size is this value multiplied
 by the MSS (``Maximal Segment Size'') of the connection. The default
 value is zero, meaning to use the Slow Start value.

\item \verb|nexthop NEXTHOP|

--- the nexthop of a multipath route. \verb|NEXTHOP| is a complex value
with its own syntax similar to the top level argument lists:
\begin{itemize}
\item \verb|via ADDRESS| is the nexthop router.
\item \verb|dev NAME| is the output device.
\item \verb|weight NUMBER| is a weight for this element of a multipath
route reflecting its relative bandwidth or quality.
\end{itemize}

\item \verb|scope SCOPE_VAL|

--- the scope of the destinations covered by the route prefix.
\verb|SCOPE_VAL| may be a number or a string from the file
\verb|/etc/iproute2/rt_scopes|.
If this parameter is omitted,
\verb|ip| assumes scope \verb|global| for all gatewayed \verb|unicast|
routes, scope \verb|link| for direct \verb|unicast| and \verb|broadcast| routes
and scope \verb|host| for \verb|local| routes.

\item \verb|protocol RTPROTO|

--- the routing protocol identifier of this route.
\verb|RTPROTO| may be a number or a string from the file
\verb|/etc/iproute2/rt_protos|.
If the routing protocol ID is
not given, \verb|ip| assumes protocol \verb|boot| (i.e.\
it assumes the route was added by someone who doesn't
understand what they are doing). Several protocol values have a fixed interpretation.
Namely:
\begin{itemize}
\item \verb|redirect| --- the route was installed due to an ICMP redirect.
\item \verb|kernel| --- the route was installed by the kernel during
autoconfiguration.
\item \verb|boot| --- the route was installed during the bootup sequence.
If a routing daemon starts, it will purge all of them.
\item \verb|static| --- the route was installed by the administrator
to override dynamic routing. Routing daemons will respect them
and, probably, even advertise them to their peers.
\item \verb|ra| --- the route was installed by the Router Discovery protocol.
\end{itemize}
The rest of the values are not reserved and the administrator is free
to assign (or not to assign) protocol tags.
At least, routing
daemons should take care of setting some unique protocol values,
e.g.\ as they are assigned in \verb|rtnetlink.h| or in the \verb|rt_protos|
database.


\item \verb|onlink|

--- pretend that the nexthop is directly attached to this link,
even if it does not match any interface prefix. One application of this
option may be found in~\cite{IP-TUNNELS}.

\end{itemize}


\begin{NB}
 Actually there are more commands: \verb|prepend| does the same
 thing as classic \verb|route add|, i.e.\ adds a route, even if another
 route to the same destination exists. Its opposite is \verb|append|,
 which adds the route to the end of the list. Avoid these
 features.
\end{NB}
\begin{NB}
 More sad news: IPv6 only understands the \verb|append| command correctly.
 All the others are translated into \verb|append| commands. Certainly,
 this will change in the future.
\end{NB}

\paragraph{Examples:}
\begin{itemize}
\item add a plain route to network 10.0.0/24 via gateway 193.233.7.65
\begin{verbatim}
  ip route add 10.0.0/24 via 193.233.7.65
\end{verbatim}
\item change it to a direct route via the \verb|dummy| device
\begin{verbatim}
  ip ro chg 10.0.0/24 dev dummy
\end{verbatim}
\item add a default multipath route splitting the load between \verb|ppp0|
and \verb|ppp1|
\begin{verbatim}
  ip route add default scope global nexthop dev ppp0 \
                                    nexthop dev ppp1
\end{verbatim}
Note the scope value. It is not necessary but it informs the kernel
that this route is gatewayed rather than direct.
Actually, if you
know the addresses of remote endpoints it would be better to use the
\verb|via| parameter.
\item announce that the address 192.203.80.144 is not a real one, but
should be translated to 193.233.7.83 before forwarding
\begin{verbatim}
  ip route add nat 192.203.80.144 via 193.233.7.83
\end{verbatim}
Backward translation is set up with policy rules described
in the following section (sec.\ref{IP-RULE}, p.\pageref{IP-RULE}).
\end{itemize}

\subsection{{\tt ip route delete} --- delete a route}

\paragraph{Abbreviations:} \verb|delete|, \verb|del|, \verb|d|.

\paragraph{Arguments:} \verb|ip route del| has the same arguments as
\verb|ip route add|, but their semantics are a bit different.

Key values (\verb|to|, \verb|tos|, \verb|preference| and \verb|table|)
select the route to delete.
If optional attributes are present, \verb|ip|
verifies that they coincide with the attributes of the route to delete.
If no route with the given key and attributes was found, \verb|ip route del|
fails.
\begin{NB}
Linux-2.0 had the option to delete a route selected only by prefix address,
ignoring its length (i.e.\ netmask). This option no longer exists
because it was ambiguous. However, look at {\tt ip route flush}
(sec.\ref{IP-ROUTE-FLUSH}, p.\pageref{IP-ROUTE-FLUSH}) which
provides similar and even richer functionality.
\end{NB}

\paragraph{Example:}
\begin{itemize}
\item delete the multipath route created by the command in the previous subsection
\begin{verbatim}
  ip route del default scope global nexthop dev ppp0 \
                                    nexthop dev ppp1
\end{verbatim}
\end{itemize}



\subsection{{\tt ip route show} --- list routes}

\paragraph{Abbreviations:} \verb|show|, \verb|list|, \verb|sh|, \verb|ls|, \verb|l|.

\paragraph{Description:} the command displays the contents of the routing tables
or the route(s) selected by some criteria.
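
The route key, lookup steps, route types and key-based deletion from the preceding subsections, together with the root, match and exact selectors that ip route show accepts, modelled in Python as an added example (it is not part of the original reference or of iproute2). The class and function names are hypothetical, the sample routes are constructed, and ``best preference'' is assumed to mean the lowest number.

```python
import errno
import ipaddress
from dataclasses import dataclass

# Error a local sender gets for each discarding route type (values from the type list).
SENDER_ERRNO = {"unreachable": errno.EHOSTUNREACH, "blackhole": errno.EINVAL,
                "prohibit": errno.EACCES, "throw": errno.ENETUNREACH}


@dataclass(frozen=True)
class Route:
    prefix: str            # full dotted form, e.g. "10.0.0.0/24" (ipaddress rejects "10.0.0/24")
    tos: int = 0
    preference: int = 0
    rtype: str = "unicast"
    via: str = ""

    @property
    def net(self):
        return ipaddress.ip_network(self.prefix)

    @property
    def key(self):
        return (self.net, self.tos, self.preference)


class Table:
    """Hypothetical model of one routing table keyed by {prefix, tos, preference}."""

    def __init__(self):
        self.routes = {}   # insertion-ordered, so "first" is well defined here

    def add(self, route):
        # "ip route add" cannot create a second route with the same key.
        if route.key in self.routes:
            raise FileExistsError(errno.EEXIST, "route with this key exists")
        self.routes[route.key] = route

    def delete(self, prefix, tos=0, preference=0, **attrs):
        # Key values select the route; optional attributes must coincide with it.
        route = self.routes.get((ipaddress.ip_network(prefix), tos, preference))
        if route is None or any(getattr(route, k) != v for k, v in attrs.items()):
            raise LookupError("no route with the given key and attributes")
        del self.routes[route.key]

    def lookup(self, dst, tos=0):
        """Return the selected Route, or None when the lookup fails."""
        addr = ipaddress.ip_address(dst)
        cands = [r for r in self.routes.values() if addr in r.net]
        if not cands:
            return None
        longest = max(r.net.prefixlen for r in cands)        # longest match wins
        cands = [r for r in cands if r.net.prefixlen == longest]
        exact = [r for r in cands if r.tos == tos]           # exact TOS match ...
        cands = exact or [r for r in cands if r.tos == 0]    # ... else the TOS=0 routes
        if not cands:
            return None                                      # otherwise the lookup fails
        # Assumption: "best" preference is the lowest number; min() keeps the first on ties.
        return min(cands, key=lambda r: r.preference)

    def show(self, modifier, prefix):
        """Prefixes chosen by the root / match / exact selectors of "ip route show"."""
        want = ipaddress.ip_network(prefix)
        test = {"root": lambda n: n.subnet_of(want),     # prefixes not shorter than PREFIX
                "match": lambda n: want.subnet_of(n),    # prefixes not longer than PREFIX
                "exact": lambda n: n == want}[modifier]
        return sorted({str(r.net) for r in self.routes.values() if test(r.net)})


def sender_errno(route):
    """errno seen by a local sender; 0 means the packet is delivered or forwarded."""
    if route is None:
        return errno.ENETUNREACH    # same result as a throw route without policy rules
    return SENDER_ERRNO.get(route.rtype, 0)


def demo_table():
    # Constructed sample routes; the gateway addresses reuse the document's examples.
    table = Table()
    for route in [Route("0.0.0.0/0", via="193.233.7.65"),
                  Route("10.0.0.0/8", rtype="prohibit"),
                  Route("10.0.0.0/16", preference=20, via="193.233.7.65"),
                  Route("10.0.0.0/16", preference=10, via="193.233.7.83"),
                  Route("10.1.0.0/16", rtype="blackhole"),
                  Route("10.0.0.0/24", tos=0x10, via="193.233.7.83"),
                  Route("10.0.0.0/24", via="193.233.7.65")]:
        table.add(route)
    return table


if __name__ == "__main__":
    t = demo_table()
    for dst, tos in [("10.0.0.5", 0x10), ("10.0.0.5", 0x08), ("10.0.9.1", 0),
                     ("10.1.2.3", 0), ("10.200.0.1", 0)]:
        r = t.lookup(dst, tos)
        print(dst, hex(tos), "->", r.prefix, r.rtype, r.via, "errno", sender_errno(r))
    print("match 10.0.0.0/16:", t.show("match", "10.0.0.0/16"))
```

The model follows the steps as this document states them: when the longest prefix has neither an exact TOS match nor a TOS=0 route, the lookup fails instead of falling back to a shorter prefix.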


\paragraph{Arguments:}
\begin{itemize}
\item \verb|to SELECTOR| (default)

--- only select routes from the given range of destinations. \verb|SELECTOR|
consists of an optional modifier (\verb|root|, \verb|match| or \verb|exact|)
and a prefix. \verb|root PREFIX| selects routes with prefixes not shorter
than \verb|PREFIX|. E.g.\ \verb|root 0/0| selects the entire routing table.
\verb|match PREFIX| selects routes with prefixes not longer than
\verb|PREFIX|. E.g.\ \verb|match 10.0/16| selects \verb|10.0/16|,
\verb|10/8| and \verb|0/0|, but it does not select \verb|10.1/16| and
\verb|10.0.0/24|. And \verb|exact PREFIX| (or just \verb|PREFIX|)
selects routes with this exact prefix. If none of these options
is present, \verb|ip| assumes \verb|root 0/0| i.e.\ it lists the entire table.


\item \verb|tos TOS| or \verb|dsfield TOS|

--- only select routes with the given TOS.


\item \verb|table TABLEID|

--- show the routes from this table (or tables). The default setting is to show
\verb|table| \verb|main|. \verb|TABLEID| may either be the ID of a real table
or one of the special values:
  \begin{itemize}
  \item \verb|all| --- list all of the tables.
  \item \verb|cache| --- dump the routing cache.
  \end{itemize}
\begin{NB}
  IPv6 has a single table. However, splitting it into \verb|main|, \verb|local|
  and \verb|cache| is emulated by the \verb|ip| utility.
\end{NB}

\item \verb|cloned| or \verb|cached|

--- list cloned routes i.e.\ routes which were dynamically forked from
other routes because some route attribute (e.g.\ MTU) was updated.
Actually, it is equivalent to \verb|table cache|.

\item \verb|from SELECTOR|

--- the same syntax as for \verb|to|, but it binds the source address range
rather than destinations. Note that the \verb|from| option only works with
cloned routes.

\item \verb|protocol RTPROTO|

--- only list routes of this protocol.


\item \verb|scope SCOPE_VAL|

--- only list routes with this scope.

\item \verb|type TYPE|

--- only list routes of this type.

\item \verb|dev NAME|

--- only list routes going via this device.

\item \verb|via PREFIX|

--- only list routes going via the nexthop routers selected by \verb|PREFIX|.

\item \verb|src PREFIX|

--- only list routes with preferred source addresses selected
by \verb|PREFIX|.

\item \verb|realm REALMID| or \verb|realms FROMREALM/TOREALM|

--- only list routes with these realms.

\end{itemize}

\paragraph{Examples:} Let us count routes of protocol \verb|gated/bgp|
on a router:
\begin{verbatim}
kuznet@amber:~ $ ip ro ls proto gated/bgp | wc
   1413    9891   79010
kuznet@amber:~ $
\end{verbatim}
To count the size of the routing cache, we have to use the \verb|-o| option
because cached attributes can take more than one line of output:
\begin{verbatim}
kuznet@amber:~ $ ip -o ro ls cloned | wc
    159    2543   18707
kuznet@amber:~ $
\end{verbatim}


\paragraph{Output format:} The output of this command consists
of per-route records separated by line feeds.
However, some records may consist
of more than one line: particularly, this is the case when the route
is cloned or you requested additional statistics. If the
\verb|-o| option was given, then line feeds separating lines inside
records are replaced with the backslash sign.

The output has the same syntax as arguments given to {\tt ip route add},
so that it can be understood easily.
E.g.\
\begin{verbatim}
kuznet@amber:~ $ ip ro ls 193.233.7/24
193.233.7.0/24 dev eth0 proto gated/conn scope link \
    src 193.233.7.65 realms inr.ac
kuznet@amber:~ $
\end{verbatim}

If you list cloned entries, the output contains other attributes which
are evaluated during route calculation and updated during route
lifetime. An example of the output is:
\begin{verbatim}
kuznet@amber:~ $ ip ro ls 193.233.7.82 tab cache
193.233.7.82 from 193.233.7.82 dev eth0 src 193.233.7.65 \
  realms inr.ac/inr.ac
    cache <src-direct,redirect> mtu 1500 rtt 300 iif eth0
193.233.7.82 dev eth0 src 193.233.7.65 realms inr.ac
    cache mtu 1500 rtt 300
kuznet@amber:~ $
\end{verbatim}
\begin{NB}
  \label{NB-strange-route}
  The route looks a bit strange, doesn't it?
  Did you notice that
  it is a path from 193.233.7.82 back to 193.233.7.82? Well, you will
  see in the section on \verb|ip route get| (p.\pageref{NB-nature-of-strangeness})
  how it appeared.
\end{NB}
The second line, starting with the word \verb|cache|, shows
additional attributes which normal routes do not possess.
Cached flags are summarized in angle brackets:
\begin{itemize}
\item \verb|local| --- packets are delivered locally.
It stands for loopback unicast routes, for broadcast routes
and for multicast routes, if this host is a member of the corresponding
group.

\item \verb|reject| --- the path is bad. Any attempt to use it results
in an error. See attribute \verb|error| below (p.\pageref{IP-ROUTE-GET-error}).

\item \verb|mc| --- the destination is multicast.

\item \verb|brd| --- the destination is broadcast.

\item \verb|src-direct| --- the source is on a directly connected
interface.

\item \verb|redirected| --- the route was created by an ICMP Redirect.

\item \verb|redirect| --- packets going via this route will
trigger an ICMP redirect.

\item \verb|fastroute| --- the route is eligible to be used for fastroute.

\item \verb|equalize| --- perform packet-by-packet randomization
along this path.

\item \verb|dst-nat| --- the destination address requires translation.

\item \verb|src-nat| --- the source address requires translation.

\item \verb|masq| --- the source address requires masquerading.
This feature disappeared in Linux-2.4.

\item \verb|notify| --- ({\em not implemented}) change/deletion
of this route will trigger RTNETLINK notification.
\end{itemize}

Then some optional attributes follow:
\begin{itemize}
\item \verb|error| --- on \verb|reject| routes, it is the error code
returned to local senders when they try to use this route.
These error codes are translated into ICMP error codes, sent to remote
senders, according to the rules described above in the subsection
devoted to route types (p.\pageref{IP-ROUTE-TYPES}).
\label{IP-ROUTE-GET-error}

\item \verb|expires| --- this entry will expire after this timeout.

\item \verb|iif| --- the packets for this path are expected to arrive
on this interface.
\end{itemize}

\paragraph{Statistics:} With the \verb|-statistics| option, more
information about this route is shown:
\begin{itemize}
\item \verb|users| --- the number of users of this entry.
\item \verb|age| --- shows when this route was last used.
\item \verb|used| --- the number of lookups of this route since its creation.
\end{itemize}


\subsection{{\tt ip route flush} --- flush routing tables}
\label{IP-ROUTE-FLUSH}

\paragraph{Abbreviations:} \verb|flush|, \verb|f|.

\paragraph{Description:} this command flushes routes selected
by some criteria.

\paragraph{Arguments:} the arguments have the same syntax and semantics
as the arguments of \verb|ip route show|, but routing tables are
purged rather than listed. The only difference is the default action: \verb|show|
dumps the entire IP main routing table but \verb|flush| prints the helper page.
The reason for this difference does not require any explanation, does it?


\paragraph{Statistics:} With the \verb|-statistics| option, the command
becomes verbose.
It prints out the number of deleted routes and the number
of rounds made to flush the routing table. If the option is given
twice, \verb|ip route flush| also dumps all the deleted routes
in the format described in the previous subsection.

\paragraph{Examples:} The first example flushes all the
gatewayed routes from the main table (e.g.\ after a routing daemon crash).
\begin{verbatim}
netadm@amber:~ # ip -4 ro flush scope global type unicast
\end{verbatim}
This option deserves to be put into a scriptlet \verb|routef|.
\begin{NB}
This option was described in the \verb|route(8)| man page borrowed
from BSD, but was never implemented in Linux.
\end{NB}

The second example flushes all IPv6 cloned routes:
\begin{verbatim}
netadm@amber:~ # ip -6 -s -s ro flush cache
3ffe:2400::220:afff:fef4:c5d1 via 3ffe:2400::220:afff:fef4:c5d1 \
  dev eth0 metric 0
    cache used 2 age 12sec mtu 1500 rtt 300
3ffe:2400::280:adff:feb7:8034 via 3ffe:2400::280:adff:feb7:8034 \
  dev eth0 metric 0
    cache used 2 age 15sec mtu 1500 rtt 300
3ffe:2400::280:c8ff:fe59:5bcc via 3ffe:2400::280:c8ff:fe59:5bcc \
  dev eth0 metric 0
    cache users 1 used 1 age 23sec mtu 1500 rtt 300
3ffe:2400:0:1:2a0:ccff:fe66:1878 via 3ffe:2400:0:1:2a0:ccff:fe66:1878 \
  dev eth1 metric 0
    cache used 2 age 20sec mtu 1500 rtt 300
3ffe:2400:0:1:a00:20ff:fe71:fb30 via 3ffe:2400:0:1:a00:20ff:fe71:fb30 \
  dev eth1 metric 0
    cache used 2 age 33sec mtu 1500 rtt 300
ff02::1 via ff02::1 dev eth1 metric 0
    cache users 1 used 1 age 45sec mtu 1500 rtt 300

*** Round 1, deleting 6 entries ***
*** Flush is complete after 1 round ***
netadm@amber:~ # ip -6 -s -s ro flush cache
Nothing to flush.
netadm@amber:~ #
\end{verbatim}

The third example flushes BGP routing tables after a \verb|gated|
death.
\begin{verbatim}
netadm@amber:~ # ip ro ls proto gated/bgp | wc
   1408    9856   78730
netadm@amber:~ # ip -s ro f proto gated/bgp

*** Round 1, deleting 1408 entries ***
*** Flush is complete after 1 round ***
netadm@amber:~ # ip ro f proto gated/bgp
Nothing to flush.
netadm@amber:~ # ip ro ls proto gated/bgp
netadm@amber:~ #
\end{verbatim}


\subsection{{\tt ip route get} --- get a single route}
\label{IP-ROUTE-GET}

\paragraph{Abbreviations:} \verb|get|, \verb|g|.

\paragraph{Description:} this command gets a single route to a destination
and prints its contents exactly as the kernel sees it.

\paragraph{Arguments:}
\begin{itemize}
\item \verb|to ADDRESS| (default)

--- the destination address.

\item \verb|from ADDRESS|

--- the source address.

\item \verb|tos TOS| or \verb|dsfield TOS|

--- the Type Of Service.

\item \verb|iif NAME|

--- the device from which this packet is expected to arrive.

\item \verb|oif NAME|

--- force the output device on which this packet will be routed.

\item \verb|connected|

--- if no source address (option \verb|from|) was given, relookup
the route with the source set to the preferred address received from the first lookup.
If policy routing is used, it may be a different route.

\end{itemize}

Note that this operation is not equivalent to \verb|ip route show|.
\verb|show| shows existing routes. \verb|get| resolves them and
creates new clones if necessary. Essentially, \verb|get|
is equivalent to sending a packet along this path.
If the \verb|iif| argument is not given, the kernel creates a route
to output packets towards the requested destination.
This is equivalent to pinging the destination
with a subsequent {\tt ip route ls cache}; however, no packets are
actually sent. With the \verb|iif| argument, the kernel pretends
that a packet arrived from this interface and searches for
a path to forward the packet.

\paragraph{Output format:} This command outputs routes in the same
format as \verb|ip route ls|.
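
The record format described for \verb|ip route ls| (and shared by \verb|ip route get| and \verb|ip -s -s route flush|), parsed in Python and used to pick out cache entries carrying the \verb|redirected| flag, i.e.\ paths that were changed by an ICMP Redirect rather than by configuration. This is an added example, not part of the original reference or of iproute2; the function names are hypothetical, the sample text is constructed from the outputs shown in this document, and it assumes every attribute is a keyword/value pair as in those outputs (multipath \verb|nexthop| records are not handled).

```python
"""Parse `ip route ls` / `ip route get` records; flag ICMP-redirected cache entries."""

# Route type keywords that ip may print in front of the destination.
ROUTE_TYPES = {"unicast", "local", "broadcast", "multicast", "anycast", "nat",
               "throw", "unreachable", "prohibit", "blackhole"}

# Constructed sample: the records are taken from outputs shown in this document.
# The second record is written in the one-line `-o` form, where the line feed
# inside the record is replaced with a backslash.
SAMPLE = r"""
193.233.7.82 from 193.233.7.82 dev eth0 src 193.233.7.65 \
  realms inr.ac/inr.ac
    cache <src-direct,redirect> mtu 1500 rtt 300 iif eth0
193.233.7.98 dev eth0 src 193.233.7.90 \    cache <redirected> mtu 1500 rtt 3072
multicast 224.2.127.254 from 193.233.7.82 dev lo \
    src 193.233.7.65 realms inr.ac/cosmos
    cache <mc> iif eth0 Oifs: eth1 pimreg
193.233.7.0/24 dev eth0 proto gated/conn scope link src 193.233.7.65 realms inr.ac
"""


def split_records(text):
    """Return one string per route record, for both the multi-line and -o forms."""
    records = []
    for line in text.splitlines():
        # Skip blank lines and the banners printed by `ip -s route flush`.
        if not line.strip() or line.startswith(("***", "Nothing to flush")):
            continue
        body = line.replace("\\", " ").strip()   # backslash only marks a line break
        if line[0].isspace() and records:
            records[-1] += " " + body            # indented line continues a record
        else:
            records.append(body)
    return records


def parse_record(record):
    """Split one record into type, destination, route attributes and cache part."""
    tokens = record.split()
    route = {"type": None, "flags": [], "attrs": {}, "cache": {}, "oifs": []}
    if tokens[0] in ROUTE_TYPES:                 # type keyword is optional in output
        route["type"] = tokens.pop(0)
    route["dst"] = tokens.pop(0)
    section = route["attrs"]
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "cache":                       # everything after it is cache state
            section = route["cache"]
            i += 1
        elif tok.startswith("<") and tok.endswith(">"):
            route["flags"] = [f for f in tok[1:-1].split(",") if f]
            i += 1
        elif tok == "Oifs:":                     # multicast output interface list
            route["oifs"] = tokens[i + 1:]
            break
        elif i + 1 < len(tokens):
            section[tok] = tokens[i + 1]         # keyword/value pair
            i += 2
        else:
            section[tok] = None                  # trailing keyword without a value
            i += 1
    return route


def redirected_routes(text):
    """Return (dst, dev, src) for every cache entry created by an ICMP Redirect."""
    hits = []
    for record in split_records(text):
        route = parse_record(record)
        # Exact match: `redirect` (will trigger a redirect) is a different flag.
        if "redirected" in route["flags"]:
            hits.append((route["dst"], route["attrs"].get("dev"),
                         route["attrs"].get("src")))
    return hits


if __name__ == "__main__":
    for dst, dev, src in redirected_routes(SAMPLE):
        print(f"redirected cache entry: {dst} dev {dev} src {src}")
```

On a live system the same functions can be fed the text of \verb|ip -o route show cache| instead of the constructed sample.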

\paragraph{Examples:}
\begin{itemize}
\item Find a route to output packets to 193.233.7.82:
\begin{verbatim}
kuznet@amber:~ $ ip route get 193.233.7.82
193.233.7.82 dev eth0 src 193.233.7.65 realms inr.ac
    cache mtu 1500 rtt 300
kuznet@amber:~ $
\end{verbatim}

\item Find a route to forward packets arriving on \verb|eth0|
from 193.233.7.82 and destined for 193.233.7.82:
\begin{verbatim}
kuznet@amber:~ $ ip r g 193.233.7.82 from 193.233.7.82 iif eth0
193.233.7.82 from 193.233.7.82 dev eth0 src 193.233.7.65 \
  realms inr.ac/inr.ac
    cache <src-direct,redirect> mtu 1500 rtt 300 iif eth0
kuznet@amber:~ $
\end{verbatim}
\begin{NB}
  \label{NB-nature-of-strangeness}
  This is the command that created the funny route from 193.233.7.82
  looped back to 193.233.7.82 (cf.\ NB on~p.\pageref{NB-strange-route}).
  Note the \verb|redirect| flag on it.
\end{NB}

\item Find a multicast route for packets arriving on \verb|eth0|
from host 193.233.7.82 and destined for multicast group 224.2.127.254
(it is assumed that a multicast routing daemon is running.
In this case, it is \verb|pimd|)
\begin{verbatim}
kuznet@amber:~ $ ip r g 224.2.127.254 from 193.233.7.82 iif eth0
multicast 224.2.127.254 from 193.233.7.82 dev lo \
    src 193.233.7.65 realms inr.ac/cosmos
    cache <mc> iif eth0 Oifs: eth1 pimreg
kuznet@amber:~ $
\end{verbatim}
This route differs from the ones seen before. It contains a ``normal'' part
and a ``multicast'' part. The normal part is used to deliver (or not to
deliver) the packet to local IP listeners.
In this case the router
is not a member
of this group, so the route has no \verb|local| flag and only
forwards packets. The output device for such entries is always loopback.
The multicast part consists of an additional \verb|Oifs:| list showing
the output interfaces.
\end{itemize}


It is time for a more complicated example. Let us add an invalid
gatewayed route for a destination which is really directly connected:
\begin{verbatim}
netadm@alisa:~ # ip route add 193.233.7.98 via 193.233.7.254
netadm@alisa:~ # ip route get 193.233.7.98
193.233.7.98 via 193.233.7.254 dev eth0 src 193.233.7.90
    cache mtu 1500 rtt 3072
netadm@alisa:~ #
\end{verbatim}
and probe it with ping:
\begin{verbatim}
netadm@alisa:~ # ping -n 193.233.7.98
PING 193.233.7.98 (193.233.7.98) from 193.233.7.90 : 56 data bytes
From 193.233.7.254: Redirect Host(New nexthop: 193.233.7.98)
64 bytes from 193.233.7.98: icmp_seq=0 ttl=255 time=3.5 ms
From 193.233.7.254: Redirect Host(New nexthop: 193.233.7.98)
64 bytes from 193.233.7.98: icmp_seq=1 ttl=255 time=2.2 ms
64 bytes from 193.233.7.98: icmp_seq=2 ttl=255 time=0.4 ms
64 bytes from 193.233.7.98: icmp_seq=3 ttl=255 time=0.4 ms
64 bytes from 193.233.7.98: icmp_seq=4 ttl=255 time=0.4 ms
^C
--- 193.233.7.98 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.4/1.3/3.5 ms
netadm@alisa:~ #
\end{verbatim}
What happened? Router 193.233.7.254 understood that we have a much
better path to the destination and sent us an ICMP redirect message.
We may retry \verb|ip route get| to see what we have in the routing
tables now:
\begin{verbatim}
netadm@alisa:~ # ip route get 193.233.7.98
193.233.7.98 dev eth0 src 193.233.7.90
    cache <redirected> mtu 1500 rtt 3072
netadm@alisa:~ #
\end{verbatim}



\section{{\tt ip rule} --- routing policy database management}
\label{IP-RULE}

\paragraph{Abbreviations:} \verb|rule|, \verb|ru|.

\paragraph{Object:} \verb|rule|s in the routing policy database control
the route selection algorithm.

Classic routing algorithms used in the Internet make routing decisions
based only on the destination address of packets (and in theory,
but not in practice, on the TOS field). The seminal review of classic
routing algorithms and their modifications can be found in~\cite{RFC1812}.

In some circumstances we want to route packets differently depending not only
on destination addresses, but also on other packet fields: source address,
IP protocol, transport protocol ports or even packet payload.
This task is called ``policy routing''.

\begin{NB}
  ``policy routing'' $\neq$ ``routing policy''.

\noindent ``policy routing'' $=$ ``cunning routing''.

\noindent ``routing policy'' $=$ ``routing tactics'' or ``routing plan''.
\end{NB}

To solve this task, the conventional destination based routing table, ordered
according to the longest match rule, is replaced with a ``routing policy
database'' (or RPDB), which selects routes
by executing some set of rules. The rules may have lots of keys of different
natures and therefore they have no natural ordering, but one imposed
by the administrator.
Linux-2.2 RPDB is a linear list of rules
ordered by numeric priority value.
RPDB explicitly allows matching a few packet fields:

\begin{itemize}
\item packet source address.
\item packet destination address.
\item TOS.
\item incoming interface (which is packet metadata, rather than a packet field).
\end{itemize}

Matching IP protocols and transport ports is also possible,
indirectly, via \verb|ipchains|, by exploiting their ability
to mark some classes of packets with \verb|fwmark|. Therefore,
\verb|fwmark| is also included in the set of keys checked by rules.

Each policy routing rule consists of a {\em selector\/} and an {\em action\/}
predicate. The RPDB is scanned in the order of increasing priority. The selector
of each rule is applied to \{source address, destination address, incoming
interface, tos, fwmark\} and, if the selector matches the packet,
the action is performed. The action predicate may return with success.
In this case, it will either give a route or a failure indication
and the RPDB lookup is terminated. Otherwise, the RPDB program
continues with the next rule.

What is the action, semantically? The natural action is to select the
nexthop and the output device. This is what
Cisco IOS~\cite{IOS} does. Let us call it ``match \& set''.
The Linux-2.2 approach is more flexible. The action includes
lookups in destination-based routing tables and selecting
a route from these tables according to the classic longest match algorithm.
The ``match \& set'' approach is the simplest case of the Linux one. It is realized
when a second level routing table contains a single default route.
Recall that Linux-2.2 supports multiple tables
managed with the \verb|ip route| command, described in the previous section.

At startup time the kernel configures the default RPDB consisting of three
rules:

\begin{enumerate}
\item Priority: 0, Selector: match anything, Action: lookup routing
table \verb|local| (ID 255).
The \verb|local| table is a special routing table containing
high priority control routes for local and broadcast addresses.

Rule 0 is special. It cannot be deleted or overridden.


\item Priority: 32766, Selector: match anything, Action: lookup routing
table \verb|main| (ID 254).
The \verb|main| table is the normal routing table containing all non-policy
routes. This rule may be deleted and/or overridden with other
ones by the administrator.

\item Priority: 32767, Selector: match anything, Action: lookup routing
table \verb|default| (ID 253).
The \verb|default| table is empty.
It is reserved for some
post-processing if no previous default rules selected the packet.
This rule may also be deleted.

\end{enumerate}

Do not confuse routing tables with rules: rules point to routing tables,
several rules may refer to one routing table and some routing tables
may have no rules pointing to them. If the administrator deletes all the rules
referring to a table, the table is not used, but it still exists
and will disappear only after all the routes contained in it are deleted.


\paragraph{Rule attributes:} Each RPDB entry has additional
attributes. For example, each rule has a pointer to some routing
table. NAT and masquerading rules have an attribute to select the new IP
address to translate/masquerade. Besides that, rules have some
optional attributes, which routes have, namely \verb|realms|.
These values do not override those contained in the routing tables. They
are only used if the route did not select any attributes.


\paragraph{Rule types:} The RPDB may contain rules of the following
types:
\begin{itemize}
\item \verb|unicast| --- the rule prescribes to return the route found
in the routing table referenced by the rule.
\item \verb|blackhole| --- the rule prescribes to silently drop the packet.
\item \verb|unreachable| --- the rule prescribes to generate a ``Network
is unreachable'' error.
\item \verb|prohibit| --- the rule prescribes to generate a
``Communication is administratively prohibited'' error.
\item \verb|nat| --- the rule prescribes to translate the source address
of the IP packet into some other value. More about NAT is
in Appendix~\ref{ROUTE-NAT}, p.\pageref{ROUTE-NAT}.
\end{itemize}


\paragraph{Commands:} \verb|add|, \verb|delete| and \verb|show|
(or \verb|list|).

\subsection{{\tt ip rule add} --- insert a new rule\\
    {\tt ip rule delete} --- delete a rule}
\label{IP-RULE-ADD}

\paragraph{Abbreviations:} \verb|add|, \verb|a|; \verb|delete|, \verb|del|,
    \verb|d|.

\paragraph{Arguments:}

\begin{itemize}
\item \verb|type TYPE| (default)

--- the type of this rule. The list of valid types was given in the previous
subsection.

\item \verb|from PREFIX|

--- select the source prefix to match.

\item \verb|to PREFIX|

--- select the destination prefix to match.

\item \verb|iif NAME|

--- select the incoming device to match.
If the interface is loopback,
the rule only matches packets originating from this host. This means that you
may create separate routing tables for forwarded and local packets and,
hence, completely segregate them.

\item \verb|tos TOS| or \verb|dsfield TOS|

--- select the TOS value to match.

\item \verb|fwmark MARK|

--- select the \verb|fwmark| value to match.

\item \verb|priority PREFERENCE|

--- the priority of this rule. Each rule should have an explicitly
set {\em unique\/} priority value.
\begin{NB}
  Really, for historical reasons \verb|ip rule add| does not require a
  priority value and allows them to be non-unique.
  If the user does not supply a priority, it is selected by the kernel.
  If the user creates a rule with a priority value that
  already exists, the kernel does not reject the request.
  It adds
  the new rule before all old rules of the same priority.

  It is a mistake in design, no more. And it will be fixed one day,
  so do not rely on this feature. Use explicit priorities.
\end{NB}


\item \verb|table TABLEID|

--- the routing table identifier to look up if the rule selector matches.

\item \verb|realms FROM/TO|

--- Realms to select if the rule matched and the routing table lookup
succeeded. Realm \verb|TO| is only used if the route did not select
any realm.

\item \verb|nat ADDRESS|

--- The base of the IP address block to translate (for source addresses).
The \verb|ADDRESS| may be either the start of the block of NAT addresses
(selected by NAT routes) or in Linux-2.2 a local host address (or even zero).
In the last case the router does not translate the packets,
but masquerades them to this address; this feature disappeared in 2.4.
More about NAT is in Appendix~\ref{ROUTE-NAT},
p.\pageref{ROUTE-NAT}.

\end{itemize}

\paragraph{Warning:} Changes to the RPDB made with these commands
do not become active immediately. It is assumed that after
a script finishes a batch of updates, it flushes the routing cache
with \verb|ip route flush cache|.

\paragraph{Examples:}
\begin{itemize}
\item Route packets with source addresses from 192.203.80/24
according to routing table \verb|inr.ruhep|:
\begin{verbatim}
ip ru add from 192.203.80.0/24 table inr.ruhep prio 220
\end{verbatim}

\item Translate packet source address 193.233.7.83 into 192.203.80.144
and route it according to table \#1 (actually, it is \verb|inr.ruhep|):
\begin{verbatim}
ip ru add from 193.233.7.83 nat 192.203.80.144 table 1 prio 320
\end{verbatim}

\item Delete the unused default rule:
\begin{verbatim}
ip ru del prio 32767
\end{verbatim}

\end{itemize}



\subsection{{\tt ip rule show} --- list rules}
\label{IP-RULE-SHOW}

\paragraph{Abbreviations:} \verb|show|, \verb|list|, \verb|sh|, \verb|ls|, \verb|l|.


\paragraph{Arguments:} Good news, this is one command that has no arguments.

\paragraph{Output format:}

\begin{verbatim}
kuznet@amber:~ $ ip ru ls
0:      from all lookup local
200:    from 192.203.80.0/24 to 193.233.7.0/24 lookup main
210:    from 192.203.80.0/24 to 192.203.80.0/24 lookup main
220:    from 192.203.80.0/24 lookup inr.ruhep realms inr.ruhep/radio-msu
300:    from 193.233.7.83 to 193.233.7.0/24 lookup main
310:    from 193.233.7.83 to 192.203.80.0/24 lookup main
320:    from 193.233.7.83 lookup inr.ruhep map-to 192.203.80.144
32766:  from all lookup main
kuznet@amber:~ $
\end{verbatim}

In the first column is the rule priority value followed
by a colon. Then the selectors follow. Each key is prefixed
with the same keyword that was used to create the rule.

The keyword \verb|lookup| is followed by a routing table identifier,
as it is recorded in the file \verb|/etc/iproute2/rt_tables|.

If the rule does NAT (e.g.\ rule \#320), it is shown by the keyword
\verb|map-to| followed by the start of the block of addresses to map.

The sense of this example is pretty simple. The prefixes
192.203.80.0/24 and 193.233.7.0/24 form the internal network, but
they are routed differently when the packets leave it.
Besides that, the host 193.233.7.83 is translated into
another prefix to look like 192.203.80.144 when talking
to the outer world.
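
The RPDB scan described in this section, replayed against the rule list printed above. This is an added example, not part of the original reference or of iproute2: the rule lines are copied from the \verb|ip ru ls| output, while the routing table contents, the helper names and the test addresses are constructed for illustration. It also reports duplicate priorities, the case the NB under \verb|priority PREFERENCE| tells administrators to avoid.

```python
import ipaddress
import re
from collections import Counter

# Rule list copied from the `ip ru ls` output in this section.
RULES_TEXT = """\
0:      from all lookup local
200:    from 192.203.80.0/24 to 193.233.7.0/24 lookup main
210:    from 192.203.80.0/24 to 192.203.80.0/24 lookup main
220:    from 192.203.80.0/24 lookup inr.ruhep realms inr.ruhep/radio-msu
300:    from 193.233.7.83 to 193.233.7.0/24 lookup main
310:    from 193.233.7.83 to 192.203.80.0/24 lookup main
320:    from 193.233.7.83 lookup inr.ruhep map-to 192.203.80.144
32766:  from all lookup main
"""

# Constructed routing tables (assumption, not from the page): prefix -> route.
TABLES = {
    "local": {"193.233.7.65/32": "local"},
    "main": {
        "193.233.7.0/24": "dev eth0",
        "192.203.80.0/24": "dev eth1",
        "0.0.0.0/0": "via 193.233.7.254 dev eth0",
    },
    "inr.ruhep": {"0.0.0.0/0": "via 192.203.80.1 dev eth1"},
    "default": {},  # empty, as the text says
}

# Rule types that end the scan without a table lookup. Assumption: they are
# listed as a bare keyword in place of "lookup TABLE".
TERMINAL_TYPES = ("blackhole", "unreachable", "prohibit")


def to_net(text):
    """'all' matches any address; a bare address becomes a /32."""
    return ipaddress.ip_network("0.0.0.0/0" if text == "all" else text, strict=False)


def parse_rules(text):
    """Parse `ip rule show` lines into dicts, ordered by priority (stable)."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+):\s+(.*)", line)
        if not m:
            continue
        rule = {"prio": int(m.group(1)), "from": to_net("all"), "to": to_net("all"),
                "type": "unicast", "table": None, "map_to": None}
        words = m.group(2).split()
        i = 0
        while i < len(words):
            key = words[i]
            if key in TERMINAL_TYPES:
                rule["type"] = key
                i += 1
                continue
            if i + 1 >= len(words):
                break
            value = words[i + 1]
            if key in ("from", "to"):
                rule[key] = to_net(value)
            elif key == "lookup":
                rule["table"] = value
            elif key == "map-to":
                rule["map_to"] = value
            i += 2  # other keys (realms, ...) do not affect selection here
        rules.append(rule)
    return sorted(rules, key=lambda r: r["prio"])


def longest_match(table, dst):
    """Classic longest-prefix match inside one routing table."""
    best = None
    for prefix, route in TABLES.get(table, {}).items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    return None if best is None else f"{best[0]} {best[1]}"


def rpdb_lookup(rules, src, dst):
    """Scan rules by increasing priority; stop at the first rule that yields
    a route or a failure indication, otherwise continue with the next rule."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    empty = {"table": None, "route": None, "map_to": None}
    for rule in rules:
        if src not in rule["from"] or dst not in rule["to"]:
            continue
        if rule["type"] != "unicast":
            return {"prio": rule["prio"], "result": rule["type"], **empty}
        route = longest_match(rule["table"], dst)
        if route is not None:
            return {"prio": rule["prio"], "result": "route", "table": rule["table"],
                    "route": route, "map_to": rule["map_to"]}
    return {"prio": None, "result": "no-route", **empty}


def duplicate_priorities(rules):
    """Priorities used by more than one rule (see the NB on `priority`)."""
    counts = Counter(r["prio"] for r in rules)
    return sorted(p for p, n in counts.items() if n > 1)


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for src, dst in [("192.203.80.5", "193.233.7.10"), ("192.203.80.5", "198.51.100.7"),
                     ("193.233.7.83", "198.51.100.7"), ("193.233.7.90", "198.51.100.7")]:
        print(src, "->", dst, rpdb_lookup(rules, src, dst))
```

Rule 0 matches every packet, but its table only yields a route for local destinations, so the scan falls through to the later rules for everything else.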



\section{{\tt ip maddress} --- multicast addresses management}
\label{IP-MADDR}

\paragraph{Object:} \verb|maddress| objects are multicast addresses.

\paragraph{Commands:} \verb|add|, \verb|delete|, \verb|show| (or \verb|list|).

\subsection{{\tt ip maddress show} --- list multicast addresses}

\paragraph{Abbreviations:} \verb|show|, \verb|list|, \verb|sh|, \verb|ls|, \verb|l|.

\paragraph{Arguments:}

\begin{itemize}

\item \verb|dev NAME| (default)

--- the device name.

\end{itemize}

\paragraph{Output format:}

\begin{verbatim}
kuznet@alisa:~ $ ip maddr ls dummy
2:  dummy
    link  33:33:00:00:00:01
    link  01:00:5e:00:00:01
    inet  224.0.0.1 users 2
    inet6 ff02::1
kuznet@alisa:~ $
\end{verbatim}

The first line of the output shows the interface index and its name.
Then the multicast address list follows. Each line starts with the
protocol identifier. The word \verb|link| denotes a link layer
multicast address.

If a multicast address has more than one user, the number
of users is shown after the \verb|users| keyword.

One additional feature not present in the example above
is the \verb|static| flag, which indicates that the address was joined
with \verb|ip maddr add|. See the following subsection.



\subsection{{\tt ip maddress add} --- add a multicast address\\
    {\tt ip maddress delete} --- delete a multicast address}

\paragraph{Abbreviations:} \verb|add|, \verb|a|; \verb|delete|, \verb|del|, \verb|d|.

\paragraph{Description:} these commands attach/detach
a static link layer multicast address to listen on the interface.
Note that it is impossible to join protocol multicast groups
statically. This command only manages link layer addresses.
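
Because neither \verb|ip| nor the kernel validates \verb|LLADDRESS| (see the NB at the end of this subsection), it is worth checking the filter list after the fact. The following added example, which is not part of the original reference or of iproute2, audits \verb|ip maddr ls| style output: it flags link layer entries whose group bit is clear and marks static multicast entries that no joined \verb|inet|/\verb|inet6| group explains. The sample text follows the output format shown above; the \verb|02:00:00:00:00:01| line and all function names are constructed.

```python
import ipaddress

# `ip maddr ls` style text. The first two link lines and the inet/inet6 lines
# follow the page's output; the 02:00:... entry is constructed (a unicast
# address loaded into the multicast filter).
MADDR_TEXT = """\
2:  dummy
    link  33:33:00:00:00:01 users 2 static
    link  01:00:5e:00:00:01
    link  02:00:00:00:00:01 static
    inet  224.0.0.1 users 2
    inet6 ff02::1
"""


def parse_mac(text):
    """Parse aa:bb:cc:dd:ee:ff into 6 bytes; raise ValueError if malformed."""
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError(f"not a 48-bit link layer address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def is_link_multicast(mac):
    """The group (I/G) bit is the least significant bit of the first octet."""
    return bool(mac[0] & 0x01)


def group_to_mac(group):
    """Link layer address that an IPv4/IPv6 multicast group maps to on Ethernet."""
    addr = ipaddress.ip_address(group)
    if not addr.is_multicast:
        raise ValueError(f"not a multicast group: {group}")
    raw = addr.packed
    if addr.version == 4:
        # 01:00:5e + low 23 bits of the group address
        return bytes([0x01, 0x00, 0x5E, raw[1] & 0x7F, raw[2], raw[3]])
    # 33:33 + low 32 bits of the group address
    return b"\x33\x33" + raw[-4:]


def audit(text):
    """Return (address, finding) pairs for link entries that need attention."""
    links, expected = [], set()
    for line in text.splitlines():
        words = line.split()
        if len(words) < 2:
            continue
        if words[0] == "link":
            links.append((words[1], "static" in words[2:]))
        elif words[0] in ("inet", "inet6"):
            expected.add(group_to_mac(words[1]))
    findings = []
    for text_mac, static in links:
        mac = parse_mac(text_mac)
        if not is_link_multicast(mac):
            findings.append((text_mac, "unicast address in multicast filter"))
        elif static and mac not in expected:
            findings.append((text_mac, "static entry matching no joined group"))
    return findings


if __name__ == "__main__":
    for address, finding in audit(MADDR_TEXT):
        print(address, finding)
```

A static multicast entry with no matching group is normal for monitoring setups, so the second finding is informational; the first one is the condition the NB describes.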


\paragraph{Arguments:}

\begin{itemize}
\item \verb|address LLADDRESS| (default)

--- the link layer multicast address.

\item \verb|dev NAME|

--- the device to join/leave this multicast address.

\end{itemize}


\paragraph{Example:} Let us continue with the example from the previous subsection.

\begin{verbatim}
netadm@alisa:~ # ip maddr add 33:33:00:00:00:01 dev dummy
netadm@alisa:~ # ip -0 maddr ls dummy
2: dummy
    link 33:33:00:00:00:01 users 2 static
    link 01:00:5e:00:00:01
netadm@alisa:~ # ip maddr del 33:33:00:00:00:01 dev dummy
\end{verbatim}

\begin{NB}
 Neither \verb|ip| nor the kernel checks for multicast address validity.
 Particularly, this means that you can try to load a unicast address
 instead of a multicast address. Most drivers will ignore such addresses,
 but several (f.e.\ Tulip) will load them into their on-board filter.
 The effects may be strange. Namely, the addresses become additional
 local link addresses and, if you loaded the address of another host
 to the router, expect duplicated packets on the wire.
 It is not a bug, but rather a hole in the API and intra-kernel interfaces.
 This feature is really more useful for traffic monitoring, but using it
 with Linux-2.2 you {\em have to\/} be sure that the host is not
 a router and, especially, that it is not a transparent proxy or masquerading
 agent.
\end{NB}



\section{{\tt ip mroute} --- multicast routing cache management}
\label{IP-MROUTE}

\paragraph{Abbreviations:} \verb|mroute|, \verb|mr|.

\paragraph{Object:} \verb|mroute| objects are multicast routing cache
entries created by a user level mrouting daemon
(f.e.\ \verb|pimd| or \verb|mrouted|).

Due to the limitations of the current interface to the multicast routing
engine, it is impossible to change \verb|mroute| objects administratively,
so we may only display them. This limitation will be removed
in the future.

\paragraph{Commands:} \verb|show| (or \verb|list|).


\subsection{{\tt ip mroute show} --- list mroute cache entries}

\paragraph{Abbreviations:} \verb|show|, \verb|list|, \verb|sh|, \verb|ls|, \verb|l|.

\paragraph{Arguments:}

\begin{itemize}
\item \verb|to PREFIX| (default)

--- the prefix selecting the destination multicast addresses to list.


\item \verb|iif NAME|

--- the interface on which multicast packets are received.


\item \verb|from PREFIX|

--- the prefix selecting the IP source addresses of the multicast route.


\end{itemize}

\paragraph{Output format:}

\begin{verbatim}
kuznet@amber:~ $ ip mroute ls
(193.232.127.6, 224.0.1.39) Iif: unresolved
(193.232.244.34, 224.0.1.40) Iif: unresolved
(193.233.7.65, 224.66.66.66) Iif: eth0 Oifs: pimreg
kuznet@amber:~ $
\end{verbatim}

Each line shows one (S,G) entry in the multicast routing cache,
where S is the source address and G is the multicast group. \verb|Iif| is
the interface on which multicast packets are expected to arrive.
If the word \verb|unresolved| is there instead of the interface name,
it means that the routing daemon still hasn't resolved this entry.
The keyword \verb|oifs| is followed by a list of output interfaces, separated
by spaces.
If a multicast routing entry is created with non-trivial
TTL scope, administrative distances are appended to the device names
in the \verb|oifs| list.

\paragraph{Statistics:} The \verb|-statistics| option also prints the
number of packets and bytes forwarded along this route and
the number of packets that arrived on the wrong interface, if this number is not zero.

\begin{verbatim}
kuznet@amber:~ $ ip -s mr ls 224.66/16
(193.233.7.65, 224.66.66.66) Iif: eth0 Oifs: pimreg
  9383 packets, 300256 bytes
kuznet@amber:~ $
\end{verbatim}


\section{{\tt ip tunnel} --- tunnel configuration}
\label{IP-TUNNEL}

\paragraph{Abbreviations:} \verb|tunnel|, \verb|tunl|.

\paragraph{Object:} \verb|tunnel| objects are tunnels, encapsulating
packets in IPv4 packets and then sending them over the IP infrastructure.

\paragraph{Commands:} \verb|add|, \verb|delete|, \verb|change|, \verb|show|
(or \verb|list|).

\paragraph{See also:} A more informal discussion of tunneling
over IP and the \verb|ip tunnel| command can be found in~\cite{IP-TUNNELS}.

\subsection{{\tt ip tunnel add} --- add a new tunnel\\
        {\tt ip tunnel change} --- change an existing tunnel\\
        {\tt ip tunnel delete} --- destroy a tunnel}

\paragraph{Abbreviations:} \verb|add|, \verb|a|; \verb|change|, \verb|chg|;
\verb|delete|, \verb|del|, \verb|d|.


\paragraph{Arguments:}

\begin{itemize}

\item \verb|name NAME| (default)

--- select the tunnel device name.

\item \verb|mode MODE|

--- set the tunnel mode. Three modes are currently available:
        \verb|ipip|, \verb|sit| and \verb|gre|.

\item \verb|remote ADDRESS|

--- set the remote endpoint of the tunnel.

\item \verb|local ADDRESS|

--- set the fixed local address for tunneled packets.
It must be an address on another interface of this host.

\item \verb|ttl N|

--- set a fixed TTL \verb|N| on tunneled packets.
        \verb|N| is a number in the range 1--255. 0 is a special value
        meaning that packets inherit the TTL value.
        The default value is: \verb|inherit|.

\item \verb|tos T| or \verb|dsfield T|

--- set a fixed TOS \verb|T| on tunneled packets.
        The default value is: \verb|inherit|.



\item \verb|dev NAME|

--- bind the tunnel to the device \verb|NAME| so that
        tunneled packets will only be routed via this device and will
        not be able to escape to another device when the route to the endpoint changes.

\item \verb|nopmtudisc|

--- disable Path MTU Discovery on this tunnel.
        It is enabled by default. Note that a fixed TTL is incompatible
        with this option: tunnelling with a fixed TTL always performs PMTU discovery.

\item \verb|key K|, \verb|ikey K|, \verb|okey K|

--- (only GRE tunnels) use keyed GRE with key \verb|K|. \verb|K| is
        either a number or an IP address-like dotted quad.
        The \verb|key| parameter sets the key to use in both directions.
        The \verb|ikey| and \verb|okey| parameters set different keys for input and output.


\item \verb|csum|, \verb|icsum|, \verb|ocsum|

--- (only GRE tunnels) generate/require checksums for tunneled packets.
        The \verb|ocsum| flag calculates checksums for outgoing packets.
        The \verb|icsum| flag requires that all input packets have the correct
        checksum. The \verb|csum| flag is equivalent to the combination
        ``\verb|icsum| \verb|ocsum|''.

\item \verb|seq|, \verb|iseq|, \verb|oseq|

--- (only GRE tunnels) serialize packets.
        The \verb|oseq| flag enables sequencing of outgoing packets.
        The \verb|iseq| flag requires that all input packets are serialized.
        The \verb|seq| flag is equivalent to the combination ``\verb|iseq| \verb|oseq|''.

\begin{NB}
 I think this option does not
 work.
 At least, I did not test it, did not debug it and
 do not even understand how it is supposed to work or for what
 purpose Cisco planned to use it. Do not use it.
\end{NB}


\end{itemize}

\paragraph{Example:} Create a pointopoint IPv6 tunnel with maximal TTL of 32.
\begin{verbatim}
netadm@amber:~ # ip tunl add Cisco mode sit remote 192.31.7.104 \
    local 192.203.80.142 ttl 32
\end{verbatim}

\subsection{{\tt ip tunnel show} --- list tunnels}

\paragraph{Abbreviations:} \verb|show|, \verb|list|, \verb|sh|, \verb|ls|, \verb|l|.


\paragraph{Arguments:} None.

\paragraph{Output format:}
\begin{verbatim}
kuznet@amber:~ $ ip tunl ls Cisco
Cisco: ipv6/ip remote 192.31.7.104 local 192.203.80.142 ttl 32
kuznet@amber:~ $
\end{verbatim}
The line starts with the tunnel device name followed by a colon.
Then the tunnel mode follows. The parameters of the tunnel are listed
with the same keywords that were used when creating the tunnel.

\paragraph{Statistics:}

\begin{verbatim}
kuznet@amber:~ $ ip -s tunl ls Cisco
Cisco: ipv6/ip remote 192.31.7.104 local 192.203.80.142 ttl 32
RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts
    12566      1707516      0      0        0        0
TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs
    13445      1879677      0      0        0        0
kuznet@amber:~ $
\end{verbatim}
Essentially, these numbers are the same as the numbers
printed with {\tt ip -s link show}
(sec.\ref{IP-LINK-SHOW}, p.\pageref{IP-LINK-SHOW}) but the tags are different
to reflect that they are tunnel specific.
\begin{itemize}
\item \verb|CsumErrs| --- the total number of packets dropped
because of checksum failures for a GRE tunnel with checksumming enabled.
\item \verb|OutOfSeq| --- the total number of packets dropped
because they arrived out of sequence for a GRE tunnel with
serialization enabled.
\item \verb|Mcasts| --- the total number of multicast packets
received on a broadcast GRE tunnel.
\item \verb|DeadLoop| --- the total number of packets which were not
transmitted because the tunnel is looped back to itself.
\item \verb|NoRoute| --- the total number of packets which were not
transmitted because there is no IP route to the remote endpoint.
\item \verb|NoBufs| --- the total number of packets which were not
transmitted because the kernel failed to allocate a buffer.
\end{itemize}


\section{{\tt ip monitor} and {\tt rtmon} --- state monitoring}
\label{IP-MONITOR}

The \verb|ip| utility can monitor the state of devices, addresses
and routes continuously. This option has a slightly different format.
Namely,
the \verb|monitor| command is the first in the command line and then
the object list follows:
\begin{verbatim}
  ip monitor [ file FILE ] [ all | OBJECT-LIST ]
\end{verbatim}
\verb|OBJECT-LIST| is the list of object types that we want to monitor.
It may contain \verb|link|, \verb|address| and \verb|route|.
If no \verb|file| argument is given, \verb|ip| opens RTNETLINK,
listens on it and dumps state changes in the format described
in previous sections.

If a file name is given, it does not listen on RTNETLINK,
but opens the file containing RTNETLINK messages saved in binary format
and dumps them. Such a history file can be generated with the
\verb|rtmon| utility. This utility has a command line syntax similar to
\verb|ip monitor|.
Ideally, \verb|rtmon| should be started before
the first network configuration command is issued. F.e.\ if
you insert:
\begin{verbatim}
  rtmon file /var/log/rtmon.log
\end{verbatim}
in a startup script, you will be able to view the full history
later.

Certainly, it is possible to start \verb|rtmon| at any time.
It prepends the history with the state snapshot dumped at the moment
of starting.


\section{Route realms and policy propagation, {\tt rtacct}}
\label{RT-REALMS}

On routers using OSPF ASE or, especially, the BGP protocol, routing
tables may be huge. If we want to classify or to account for the packets
per route, we will have to keep lots of information. Even worse, if we
want to distinguish the packets not only by their destination, but
also by their source, the task gets quadratic complexity and its solution
is physically impossible.

One approach to propagating the policy from routing protocols
to the forwarding engine has been proposed in~\cite{IOS-BGP-PP}.
Essentially, Cisco Policy Propagation via BGP is based on the fact
that dedicated routers all have the RIB (Routing Information Base)
close to the forwarding engine, so policy routing rules can
check all the route attributes, including ASPATH information
and community strings.

The Linux architecture, splitting the RIB (maintained by a user level
daemon) and the kernel based FIB (Forwarding Information Base),
does not allow such a simple approach.

This is fortunate, because there is another solution
which allows even more flexible policy and richer semantics.

Namely, routes can be clustered together in user space, based on their
attributes. F.e.\ a BGP router knows a route's ASPATH and its community;
an OSPF router knows the route tag or its area. The administrator, when adding
routes manually, also knows their nature. Provided that the number of such
aggregates (we call them {\em realms\/}) is low, the task of full
classification both by source and destination becomes quite manageable.

So each route may be assigned to a realm. It is assumed that
this identification is made by a routing daemon, but static routes
can also be handled manually with \verb|ip route| (see sec.\ref{IP-ROUTE},
p.\pageref{IP-ROUTE}).
\begin{NB}
 There is a patch to \verb|gated|, allowing classification of routes
 to realms with all the set of policy rules implemented in \verb|gated|:
 by prefix, by ASPATH, by origin, by tag etc.
\end{NB}

To facilitate the construction (f.e.\ in case the routing
daemon is not aware of realms), missing realms may be completed
with routing policy rules, see sec.~\ref{IP-RULE}, p.\pageref{IP-RULE}.

For each packet the kernel calculates a tuple of realms: source realm
and destination realm, using the following algorithm:

\begin{enumerate}
\item If the route has a realm, the destination realm of the packet is set to it.
\item If the rule has a source realm, the source realm of the packet is set to it.
If the destination realm was not inherited from the route and the rule has a destination realm,
it is also set.
\item If at least one of the realms is still unknown, the kernel finds
the reversed route to the source of the packet.
\item If the source realm is still unknown, get it from the reversed route.
\item If one of the realms is still unknown, swap the realms of reversed
routes and apply step 2 again.
\end{enumerate}

After this procedure is completed we know what realm the packet
arrived from and the realm where it is going to propagate to.
If some of the realms are unknown, they are initialized to zero
(or realm \verb|unknown|).

The main application of realms is the TC \verb|route| classifier~\cite{TC-CREF},
where they are used to help assign packets to traffic classes,
to account, police and schedule them according to this
classification.

A much simpler but still very useful application is incoming packet
accounting by realms. The kernel gathers a packet statistics summary
which can be viewed with the \verb|rtacct| utility.
\begin{verbatim}
kuznet@amber:~ $ rtacct russia
Realm      BytesTo    PktsTo     BytesFrom  PktsFrom
russia     20576778   169176     47080168   153805
kuznet@amber:~ $
\end{verbatim}
This shows that this router received 153805 packets from
the realm \verb|russia| and forwarded 169176 packets to \verb|russia|.
The realm \verb|russia| consists of routes with ASPATHs not leaving
Russia.

Note that locally originating packets are not accounted here;
\verb|rtacct| shows incoming packets only. Using the \verb|route|
classifier (see~\cite{TC-CREF}) you can get even more detailed
accounting information about outgoing packets, optionally
summarizing traffic not only by source or destination, but
by any pair of source and destination realms.

\begin{thebibliography}{99}
\addcontentsline{toc}{section}{References}
\bibitem{RFC-NDISC} T.~Narten, E.~Nordmark, W.~Simpson.
``Neighbor Discovery for IP Version 6 (IPv6)'', RFC-2461.

\bibitem{RFC-ADDRCONF} S.~Thomson, T.~Narten.
``IPv6 Stateless Address Autoconfiguration'', RFC-2462.

\bibitem{RFC1812} F.~Baker.
``Requirements for IP Version 4 Routers'', RFC-1812.

\bibitem{RFC1122} R.~T.~Braden.
``Requirements for Internet hosts --- communication layers'', RFC-1122.

\bibitem{IOS} ``Cisco IOS Release 12.0 Network Protocols
Command Reference, Part 1'' and
``Cisco IOS Release 12.0 Quality of Service Solutions
Configuration Guide: Configuring Policy-Based Routing'',\\
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120.

\bibitem{IP-TUNNELS} A.~N.~Kuznetsov.
``Tunnels over IP in Linux-2.2'', \\
In: {\tt ftp://ftp.inr.ac.ru/ip-routing/iproute2-current.tar.gz}.

\bibitem{TC-CREF} A.~N.~Kuznetsov. ``TC Command Reference'',\\
In: {\tt ftp://ftp.inr.ac.ru/ip-routing/iproute2-current.tar.gz}.

\bibitem{IOS-BGP-PP} ``Cisco IOS Release 12.0 Quality of Service Solutions
Configuration Guide: Configuring QoS Policy Propagation via
Border Gateway Protocol'',\\
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120.

\bibitem{RFC-DHCP} R.~Droms.
``Dynamic Host Configuration Protocol'', RFC-2131.

\bibitem{RFC2414} M.~Allman, S.~Floyd, C.~Partridge.
``Increasing TCP's Initial Window'', RFC-2414.

\end{thebibliography}


\appendix
\addcontentsline{toc}{section}{Appendix}

\section{Source address selection}
\label{ADDR-SEL}

When a host creates an IP packet, it must select some source
address. Correct source address selection is a critical procedure,
because it gives the receiver the information needed to deliver a
reply. If the source is selected incorrectly then, in the best case,
the backward path may differ from the forward one, which
is harmful for performance. In the worst case, when the addresses
are administratively scoped, the reply may be lost entirely.

Linux-2.2 selects source addresses using the following algorithm:

\begin{itemize}
\item
The application may select a source address explicitly with the \verb|bind(2)|
syscall or by supplying it to \verb|sendmsg(2)| via the ancillary data object
\verb|IP_PKTINFO|. In this case the kernel only checks the validity
of the address and never tries to ``improve'' an incorrect user choice,
generating an error instead.
\begin{NB}
 Never say ``Never''. The sysctl option \verb|ip_dynaddr| breaks
 this axiom. It was added deliberately, for the purpose
 of automatically reselecting the address on hosts with dynamic dial-out interfaces.
 However, this hack {\em must not\/} be used on multihomed hosts
 and especially on routers: it would break them.
\end{NB}


\item Otherwise, IP routing tables can contain an explicit source
address hint for this destination.
The hint is set with the \verb|src| parameter
to the \verb|ip route| command, sec.\ref{IP-ROUTE}, p.\pageref{IP-ROUTE}.


\item Otherwise, the kernel searches through the list of addresses
attached to the interface through which the packets will be routed.
The search strategies are different for IP and IPv6. Namely:

\begin{itemize}
\item IPv6 searches for the first valid, not deprecated address
with the same scope as the destination.

\item IP searches for the first valid address with a scope wider
than the scope of the destination but it prefers addresses
which fall in the same subnet as the nexthop of the route
to the destination. Unlike IPv6, the scopes of IPv4 destinations
are not encoded in their addresses but are supplied
in routing tables instead (the \verb|scope| parameter to the \verb|ip route| command,
sec.\ref{IP-ROUTE}, p.\pageref{IP-ROUTE}).

\end{itemize}


\item Otherwise, if the scope of the destination is \verb|link| or \verb|host|,
the algorithm fails and returns a zero source address.

\item Otherwise, all interfaces are scanned to search for an address
with an appropriate scope. The loopback device \verb|lo| is always the first
in the search list, so that if an address with global scope (not 127.0.0.1!)
is configured on loopback, it is always preferred.

\end{itemize}


\section{Proxy ARP/NDISC}
\label{PROXY-NEIGH}

Routers may answer ARP/NDISC solicitations on behalf of other hosts.
In Linux-2.2 proxy ARP on an interface may be enabled
by setting the kernel \verb|sysctl| variable
\verb|/proc/sys/net/ipv4/conf/<dev>/proxy_arp| to 1.
After this, the router
starts to answer ARP requests on the interface \verb|<dev>|, provided
the route to the requested destination does {\em not\/} go back via the same
device.

The variable \verb|/proc/sys/net/ipv4/conf/all/proxy_arp| enables proxy
ARP on all the IP devices.

However, this approach fails in the case of IPv6 because the router
must join the solicited node multicast address to listen for the corresponding
NDISC queries. It means that proxy NDISC is possible only on a per destination
basis.

Logically, proxy ARP/NDISC is not a kernel task. It can easily be implemented
in user space. However, similar functionality was present in BSD kernels
and in Linux-2.0, so we have to preserve it at least to the extent that
is standardized in BSD.
\begin{NB}
 Linux-2.0 ARP had a feature called {\em subnet\/} proxy ARP.
 It is replaced with the sysctl flag in Linux-2.2.
\end{NB}


The \verb|ip| utility provides a way to manage proxy ARP/NDISC
with the \verb|ip neigh| command, namely:
\begin{verbatim}
  ip neigh add proxy ADDRESS [ dev NAME ]
\end{verbatim}
adds a new proxy ARP/NDISC record and
\begin{verbatim}
  ip neigh del proxy ADDRESS [ dev NAME ]
\end{verbatim}
deletes it.

If the name of the device is not given, the router will answer solicitations
for address \verb|ADDRESS| on all devices, otherwise it will only serve
the device \verb|NAME|. Even if the proxy entry is created with
\verb|ip neigh|, the router {\em will not\/} answer a query if the route
to the destination goes back via the interface from which the solicitation
was received.
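
The answer rules of this section, written out as a small model so the difference in reach between the \verb|proxy_arp| sysctl and per-address \verb|ip neigh| proxy entries can be checked on a concrete routing table. This is an added example, not kernel or \verb|iproute2| code; the \verb|Router| class, the interface names and the topology (documentation prefixes) are assumptions made for the illustration, and only IPv4 is modelled.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Router:
    """Simplified model of the proxy ARP decision described in this section."""
    routes: list                                        # (prefix, outgoing device)
    proxy_arp: dict = field(default_factory=dict)       # conf/<dev>/proxy_arp, key "all" allowed
    proxy_entries: list = field(default_factory=list)   # (address, dev or None) from "ip neigh add proxy"

    def route_dev(self, target):
        """Longest-prefix match; returns the outgoing device or None."""
        addr = ipaddress.IPv4Address(target)
        best_len, best_dev = -1, None
        for prefix, dev in self.routes:
            net = ipaddress.IPv4Network(prefix)
            if addr in net and net.prefixlen > best_len:
                best_len, best_dev = net.prefixlen, dev
        return best_dev

    def answers(self, target, in_dev):
        """Return (answer?, reason) for an ARP request for `target` seen on `in_dev`."""
        out_dev = self.route_dev(target)
        if out_dev is None:
            return False, "no route to target"
        # This check comes first: it applies to sysctl and to proxy entries alike.
        if out_dev == in_dev:
            return False, "route goes back via the receiving device"
        if self.proxy_arp.get("all") or self.proxy_arp.get(in_dev):
            return True, "proxy_arp sysctl"
        wanted = ipaddress.IPv4Address(target)
        for addr, dev in self.proxy_entries:
            if ipaddress.IPv4Address(addr) == wanted and dev in (None, in_dev):
                return True, "ip neigh proxy entry"
        return False, "proxy ARP not enabled for this target"


# Constructed topology: one LAN on eth0, a second LAN and the default route on eth1.
ROUTES = [("192.0.2.0/24", "eth0"), ("198.51.100.0/24", "eth1"), ("0.0.0.0/0", "eth1")]


def demo():
    by_sysctl = Router(ROUTES, proxy_arp={"eth0": 1})
    by_entry = Router(ROUTES, proxy_entries=[("198.51.100.7", "eth0"), ("192.0.2.9", None)])
    return {
        "sysctl, host behind eth1": by_sysctl.answers("198.51.100.7", "eth0"),
        "sysctl, default route": by_sysctl.answers("203.0.113.5", "eth0"),
        "sysctl, same device": by_sysctl.answers("192.0.2.9", "eth0"),
        "entry, listed address": by_entry.answers("198.51.100.7", "eth0"),
        "entry, unlisted address": by_entry.answers("198.51.100.8", "eth0"),
        "entry, same device": by_entry.answers("192.0.2.9", "eth0"),
    }


if __name__ == "__main__":
    for case, (answer, reason) in demo().items():
        print(f"{case:26} {'answer' if answer else 'silent':7} {reason}")
```

In this model the sysctl makes the router answer on \verb|eth0| for every address routed through another device, including everything covered by the default route, while a proxy entry confines the answer to the one listed address.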

It is important to emphasize that proxy entries have {\em no\/}
parameters other than these (IP/IPv6 address and optional device).
Particularly, the entry does not store any link layer address.
It always advertises the station address of the interface
on which it sends advertisements (i.e. its own station address).

\section{Route NAT status}
\label{ROUTE-NAT}

NAT (or ``Network Address Translation'') remaps some parts
of the IP address space into other ones. Linux-2.2 route NAT is supposed
to be used to facilitate policy routing by rewriting addresses
to other routing domains or to help while renumbering sites
to another prefix.

\paragraph{What it is not:}
It is necessary to emphasize that {\em it is not supposed\/}
to be used to compress address space or to split load.
This is not missing functionality but a design principle.
Route NAT is {\em stateless\/}.
It does not hold any state
about translated sessions. This means that it handles any number
of sessions flawlessly. But it also means that it is {\em static\/}.
It cannot detect the moment when the last TCP client stops
using an address. For the same reason, it will not help to split
load between several servers.
\begin{NB}
It is a pretty commonly held belief that it is useful to split load between
several servers with NAT. This is a mistake. All you get from this
is the requirement that the router keep the state of all the TCP connections
going via it. Well, if the router is so powerful, run apache on it. 8)
\end{NB}

The second feature: it does not touch packet payload and
does not try to ``improve'' broken protocols by looking
through their data and mangling it. It mangles IP addresses,
only IP addresses and nothing but IP addresses.
This, too, is not missing functionality.
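
Both properties (no per-session state, only the address fields rewritten) can be seen in a small model of the translation. This is an added example, not kernel code: the two tables reuse the addresses of the \verb|ip route add nat| and \verb|ip rule add ... nat| commands shown later in this section, while the function names, the outside server address and the FTP \verb|PORT| payload are constructed for the illustration. The payload is treated as opaque bytes, so transport-layer checksums are outside the model.

```python
import ipaddress
import struct

# Destination mappings, from the "ip route add nat ... via ..." commands in
# this section: (dummy prefix, first real address).
NAT_ROUTES = [("192.203.80.144/32", "193.233.7.83"),
              ("192.203.80.192/26", "193.233.7.64")]
# Source mapping, from "ip rule add prio 320 from 193.233.7.83 nat 192.203.80.144".
NAT_RULES = [("193.233.7.83/32", "192.203.80.144")]


def map_addr(addr, table):
    """Offset-preserving translation: a pure function of (address, table)."""
    a = ipaddress.IPv4Address(addr)
    for prefix, new_base in table:
        net = ipaddress.IPv4Network(prefix)
        if a in net:
            offset = int(a) - int(net.network_address)
            return str(ipaddress.IPv4Address(new_base) + offset)
    return str(a)  # no matching entry: the address is left alone


def checksum(header):
    """Internet checksum over an IPv4 header (checksum field zeroed by the caller)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(src, dst, payload):
    """Minimal 20-byte IPv4 header followed by an opaque payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def addresses(packet):
    """Return (source, destination) of a packet as dotted strings."""
    return (str(ipaddress.IPv4Address(packet[12:16])),
            str(ipaddress.IPv4Address(packet[16:20])))


def route_nat(packet, src_table=(), dst_table=()):
    """Rewrite only the two address fields and the header checksum."""
    src, dst = addresses(packet)
    new_src = ipaddress.IPv4Address(map_addr(src, src_table)).packed
    new_dst = ipaddress.IPv4Address(map_addr(dst, dst_table)).packed
    hdr = packet[:10] + b"\x00\x00" + new_src + new_dst
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + packet[20:]  # payload bytes are copied through untouched


# Constructed traffic: the inner host announces its own address in an FTP PORT command.
SERVER = "198.51.100.10"
PAYLOAD = b"PORT 193,233,7,83,4,1\r\n"


def demo():
    outbound = route_nat(build_packet("193.233.7.83", SERVER, PAYLOAD), src_table=NAT_RULES)
    # The reply is translated with no memory of the outbound packet.
    reply = route_nat(build_packet(SERVER, "192.203.80.144", b"200 OK\r\n"), dst_table=NAT_ROUTES)
    return {
        "outbound": addresses(outbound),
        "outbound_payload": outbound[20:],
        "outbound_checksum_ok": checksum(outbound[:20]) == 0,
        "reply": addresses(reply),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

After translation the header carries 192.203.80.144, but the \verb|PORT| line still announces 193.233.7.83, which the outside server cannot use.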

To summarize: if you need to compress address space or keep
active FTP clients happy, your choice is not route NAT but masquerading,
port forwarding, NAPT etc.
\begin{NB}
By the way, you may also want to look at
http://www.suse.com/\~mha/HyperNews/get/linux-ip-nat.html
\end{NB}


\paragraph{How it works.}
Some part of the address space is reserved for dummy addresses
which will look for all the world like some host addresses
inside your network. No other hosts may use these addresses,
however other routers may also be configured to translate them.
\begin{NB}
A great advantage of route NAT is that it may be used not
only in stub networks but in environments with arbitrarily complicated
structure.
It does not firewall, it {\em forwards.}
\end{NB}
These addresses are selected by the \verb|ip route| command
(sec.\ref{IP-ROUTE-ADD}, p.\pageref{IP-ROUTE-ADD}). F.e.\
\begin{verbatim}
  ip route add nat 192.203.80.144 via 193.233.7.83
\end{verbatim}
states that the single address 192.203.80.144 is a dummy NAT address.
For all the world it looks like a host address inside our network.
For neighbouring hosts and routers it looks like the local address
of the translating router. The router answers ARP for it, advertises
this address as routed via it, {\em et al\/}. When the router
receives a packet destined for 192.203.80.144, it replaces
this address with 193.233.7.83 which is the address of some real
host and forwards the packet.
If you need to remap
blocks of addresses, you may use a command like:
\begin{verbatim}
  ip route add nat 192.203.80.192/26 via 193.233.7.64
\end{verbatim}
This command will map a block of 63 addresses 192.203.80.192-255 to
193.233.7.64-127.

When an internal host (193.233.7.83 in the example above)
sends something to the outer world and these packets are forwarded
by our router, it should translate the source address 193.233.7.83
into 192.203.80.144. This task is solved by setting a special
policy rule (sec.\ref{IP-RULE-ADD}, p.\pageref{IP-RULE-ADD}):
\begin{verbatim}
  ip rule add prio 320 from 193.233.7.83 nat 192.203.80.144
\end{verbatim}
This rule says that the source address 193.233.7.83
should be translated into 192.203.80.144 before forwarding.
It is important that the address after the \verb|nat| keyword
is some NAT address, declared by {\tt ip route add nat}.
If it is just a random address the router will not map to it.
\begin{NB}
The exception is when the address is a local address of this
router (or 0.0.0.0) and masquerading is configured in the linux-2.2
kernel. In this case the router will masquerade the packets as this address.
If 0.0.0.0 is selected, the result is equivalent to one
obtained with firewalling rules. Otherwise, you have a way
to order Linux to masquerade to this fixed address.
The NAT mechanism used in linux-2.4 is more flexible than
masquerading, so this feature has lost its meaning and has been disabled.
\end{NB}

If the network has non-trivial internal structure, it is
useful and even necessary to add rules disabling translation
when a packet does not leave this network. Let us return to the
example from sec.\ref{IP-RULE-SHOW} (p.\pageref{IP-RULE-SHOW}).
\begin{verbatim}
300: from 193.233.7.83 to 193.233.7.0/24 lookup main
310: from 193.233.7.83 to 192.203.80.0/24 lookup main
320: from 193.233.7.83 lookup inr.ruhep map-to 192.203.80.144
\end{verbatim}
This block of rules causes normal forwarding when
packets from 193.233.7.83 do not leave networks 193.233.7/24
and 192.203.80/24. Also, if the \verb|inr.ruhep| table does not
contain a route to the destination (which means that the routing
domain owning addresses from 192.203.80/24 is dead), no translation
will occur. Otherwise, the packets are translated.

\paragraph{How to only translate selected ports:}
If you only want to translate selected ports (f.e.\ http)
and leave the rest intact, you may use \verb|ipchains|
to \verb|fwmark| a class of packets.
Suppose you did and all the packets from 193.233.7.83
destined for port 80 are marked with marker 0x1234 in input fwchain.
In this case you may replace rule \#320 with:
\begin{verbatim}
320: from 193.233.7.83 fwmark 1234 lookup main map-to 192.203.80.144
\end{verbatim}
and translation will only be enabled for outgoing http requests.

\section{Example: minimal host setup}
\label{EXAMPLE-SETUP}

The following script gives an example of a fault safe
setup of IP (and IPv6, if it is compiled into the kernel)
in the common case of a node attached to a single broadcast
network. A more advanced script, which may be used both on multihomed
hosts and on routers, is described in the following
section.

The utilities used in the script may be found in the
directory ftp://ftp.inr.ac.ru/ip-routing/:
\begin{enumerate}
\item \verb|ip| --- package \verb|iproute2|.
\item \verb|arping| --- package \verb|iputils|.
\item \verb|rdisc| --- package \verb|iputils|.
\end{enumerate}
\begin{NB}
It also refers to a DHCP client, \verb|dhcpcd|. I should refrain from
recommending a good DHCP client to use. All that I can
say is that ISC \verb|dhcp-2.0b1pl6| patched with the patch that
can be found in the \verb|dhcp.bootp.rarp| subdirectory of
the same ftp site {\em does\/} work,
at least on Ethernet and Token Ring.
\end{NB}

\begin{verbatim}
#! /bin/bash
\end{verbatim}
\begin{flushleft}
\# {\bf Usage: \verb|ifone ADDRESS[/PREFIX-LENGTH] [DEVICE]|}\\
\# {\bf Parameters:}\\
\# \$1 --- Static IP address, optionally followed by prefix length.\\
\# \$2 --- Device name. If it is missing, \verb|eth0| is assumed.\\
\# F.e.
\verb|ifone 193.233.7.90| 2951dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\end{flushleft} 2952dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\begin{verbatim} 2953dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehatdev=$2 2954dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat: ${dev:=eth0} 2955dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehatipaddr= 2956dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\end{verbatim} 2957dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\# Parse IP address, splitting prefix length. 2958dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\begin{verbatim} 2959dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehatif [ "$1" != "" ]; then 2960dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat ipaddr=${1%/*} 2961dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat if [ "$1" != "$ipaddr" ]; then 2962dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat pfxlen=${1#*/} 2963dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat fi 2964dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat : ${pfxlen:=24} 2965dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehatfi 2966dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehatpfx="${ipaddr}/${pfxlen}" 2967dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\end{verbatim} 2968dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat 2969dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\begin{flushleft} 2970dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\# {\bf Step 0} --- enable loopback.\\ 2971dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\#\\ 2972dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\# This step is necessary on any networked box before attempt\\ 2973dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\# to configure any other device.\\ 2974dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\end{flushleft} 2975dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\begin{verbatim} 2976dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehatip link set up dev lo 2977dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehatip addr add 127.0.0.1/8 dev lo 
brd + scope host 2978dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\end{verbatim} 2979dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\begin{flushleft} 2980dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\# IPv6 autoconfigure themself on loopback.\\ 2981dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\#\\ 2982dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\# If user gave loopback as device, we add the address as alias and exit. 2983dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\end{flushleft} 2984dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\begin{verbatim} 2985dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehatif [ "$dev" = "lo" ]; then 2986dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat if [ "$ipaddr" != "" -a "$ipaddr" != "127.0.0.1" ]; then 2987dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat ip address add $ipaddr dev $dev 2988dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat exit $? 2989dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat fi 2990dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat exit 0 2991dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehatfi 2992dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\end{verbatim} 2993dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat 2994dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\noindent\# {\bf Step 1} --- enable device \verb|$dev| 2995dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat 2996dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\begin{verbatim} 2997dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehatif ! ip link set up dev $dev ; then 2998dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat echo "Cannot enable interface $dev. Aborting." 1>&2 2999dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat exit 1 3000dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehatfi 3001dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\end{verbatim} 3002dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\begin{flushleft} 3003dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\# The interface is \verb|UP|. 
IPv6 started stateless autoconfiguration itself,\\ 3004dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\# and its configuration finishes here. However,\\ 3005dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\# IP still needs some static preconfigured address. 3006dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\end{flushleft} 3007dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\begin{verbatim} 3008dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehatif [ "$ipaddr" = "" ]; then 3009dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat echo "No address for $dev is configured, trying DHCP..." 1>&2 3010dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat dhcpcd 3011dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat exit $? 3012dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehatfi 3013dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\end{verbatim} 3014dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat 3015dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\begin{flushleft} 3016dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\# {\bf Step 2} --- IP Duplicate Address Detection~\cite{RFC-DHCP}.\\ 3017dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\# Send two probes and wait for result for 3 seconds.\\ 3018dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\# If the interface opens slower f.e.\ due to long media detection,\\ 3019dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\# you want to increase the timeout.\\ 3020dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\end{flushleft} 3021dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\begin{verbatim} 3022dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehatif ! arping -q -c 2 -w 3 -D -I $dev $ipaddr ; then 3023dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat echo "Address $ipaddr is busy, trying DHCP..." 1>&2 3024dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat dhcpcd 3025dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat exit $? 
3026dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehatfi 3027dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\end{verbatim} 3028dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\begin{flushleft} 3029dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\# OK, the address is unique, we may add it on the interface.\\ 3030dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\#\\ 3031dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\# {\bf Step 3} --- Configure the address on the interface. 3032dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\end{flushleft} 3033dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat 3034dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\begin{verbatim} 3035dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehatif ! ip address add $pfx brd + dev $dev; then 3036dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat echo "Failed to add $pfx on $dev, trying DHCP..." 1>&2 3037dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat dhcpcd 3038dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat exit $? 3039dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehatfi 3040dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\end{verbatim} 3041dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat 3042dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\noindent\# {\bf Step 4} --- Announce our presence on the link. 3043dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\begin{verbatim} 3044dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehatarping -A -c 1 -I $dev $ipaddr 3045dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehatnoarp=$? 
3046dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat( sleep 2; 3047dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat arping -U -c 1 -I $dev $ipaddr ) >& /dev/null </dev/null & 3048dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\end{verbatim} 3049dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat 3050dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\begin{flushleft} 3051dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\# {\bf Step 5} (optional) --- Add some control routes.\\ 3052dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\#\\ 3053dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\# 1. Prohibit link local multicast addresses.\\ 3054dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\# 2. Prohibit link local (alias, limited) broadcast.\\ 3055dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\# 3. Add default multicast route. 3056dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\end{flushleft} 3057dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\begin{verbatim} 3058dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehatip route add unreachable 224.0.0.0/24 3059dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehatip route add unreachable 255.255.255.255 3060dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehatif [ `ip link ls $dev | grep -c MULTICAST` -ge 1 ]; then 3061dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat ip route add 224.0.0.0/4 dev $dev scope global 3062dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehatfi 3063dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\end{verbatim} 3064dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat 3065dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\begin{flushleft} 3066dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\# {\bf Step 6} --- Add fallback default route with huge metric.\\ 3067dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\# If a proxy ARP server is present on the interface, we will be\\ 3068dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\# able to talk to all the Internet without further configuration.\\ 
3069dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\# It is not so cheap though and we still hope that this route\\ 3070dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\# will be overridden by more correct one by rdisc.\\ 3071dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\# Do not make this step if the device is not ARPable,\\ 3072dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\# because dead nexthop detection does not work on them. 3073dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\end{flushleft} 3074dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\begin{verbatim} 3075dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehatif [ "$noarp" = "0" ]; then 3076dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat ip ro add default dev $dev metric 30000 scope global 3077dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehatfi 3078dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\end{verbatim} 3079dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat 3080dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\begin{flushleft} 3081dcfb7a77f8709125e97c313cb8ab6ec4d87468f4San Mehat\# {\bf Step 7} --- Restart router discovery and exit. 
\end{flushleft}
\begin{verbatim}
killall -HUP rdisc || rdisc -fs
exit 0
\end{verbatim}


\section{Example: {\protect\tt ifcfg} --- interface address management}
\label{EXAMPLE-IFCFG}

This is a simplistic script replacing one option of \verb|ifconfig|,
namely, IP address management. It not only adds
addresses, but also carries out Duplicate Address Detection~\cite{RFC-DHCP},
sends unsolicited ARP to update the caches of other hosts sharing
the interface, adds some control routes and restarts Router Discovery
when it is necessary.

I strongly recommend using it {\em instead\/} of \verb|ifconfig| both
on hosts and on routers.

\begin{verbatim}
#! /bin/bash
\end{verbatim}
\begin{flushleft}
\# {\bf Usage: \verb?ifcfg DEVICE[:ALIAS] [add|del] ADDRESS[/LENGTH] [PEER]?}\\
\# {\bf Parameters:}\\
\# --- Device name. It may have an alias suffix, separated by a colon.\\
\# --- Command: add, delete or stop.\\
\# --- IP address, optionally followed by prefix length.\\
\# --- Optional peer address for point-to-point interfaces.\\
\# E.g.\ \verb|ifcfg eth0 193.233.7.90/24|

\noindent\# This function determines whether the node is a router or a host.\\
\# It returns 0 if the host is apparently not a router.
\end{flushleft}
\begin{verbatim}
CheckForwarding () {
  local sbase fwd dir
  sbase=/proc/sys/net/ipv4/conf
  fwd=0
  if [ -d $sbase ]; then
    for dir in $sbase/*/forwarding; do
      fwd=$(( fwd + `cat $dir` ))
    done
  else
    fwd=2
  fi
  return $fwd
}
\end{verbatim}
\begin{flushleft}
\# This function restarts Router Discovery.
\end{flushleft}
\begin{verbatim}
RestartRDISC () {
  killall -HUP rdisc || rdisc -fs
}
\end{verbatim}
\begin{flushleft}
\# Calculate ABC ``natural'' mask length\\
\# Arg: \$1 = dotquad address
\end{flushleft}
\begin{verbatim}
ABCMaskLen () {
  local class;
  class=${1%%.*}
  if [ $class -eq 0 -o $class -ge 224 ]; then return 0
  elif [ $class -ge 192 ]; then return 24
  elif [ $class -ge 128 ]; then return 16
  else return 8 ; fi
}
\end{verbatim}


\begin{flushleft}
\# {\bf MAIN()}\\
\#\\
\# Strip alias suffix separated by colon.
\end{flushleft}
\begin{verbatim}
label="label $1"
ldev=$1
dev=${1%:*}
if [ "$dev" = "" -o "$1" = "help" ]; then
  echo "Usage: ifcfg DEV [[add|del] [ADDR[/LEN]] [PEER] | stop]" 1>&2
  echo "       add - add new address" 1>&2
  echo "       del - delete address" 1>&2
  echo "       stop - completely disable IP" 1>&2
  exit 1
fi
shift

CheckForwarding
fwd=$?
\end{verbatim}
\begin{flushleft}
\# Parse command. If it is ``stop'', flush and exit.
\end{flushleft}
\begin{verbatim}
deleting=0
case "$1" in
add) shift ;;
stop)
  if [ "$ldev" != "$dev" ]; then
    echo "Cannot stop alias $ldev" 1>&2
    exit 1;
  fi
  ip -4 addr flush dev $dev $label || exit 1
  if [ $fwd -eq 0 ]; then RestartRDISC; fi
  exit 0 ;;
del*)
  deleting=1; shift ;;
*)
esac
\end{verbatim}
\begin{flushleft}
\# Parse prefix, split prefix length, separated by slash.
\end{flushleft}
\begin{verbatim}
ipaddr=
pfxlen=
if [ "$1" != "" ]; then
  ipaddr=${1%/*}
  if [ "$1" != "$ipaddr" ]; then
    pfxlen=${1#*/}
  fi
  if [ "$ipaddr" = "" ]; then
    echo "$1 is bad IP address." 1>&2
    exit 1
  fi
fi
shift
\end{verbatim}
\begin{flushleft}
\# If peer address is present, prefix length is 32.\\
\# Otherwise, if prefix length was not given, guess it.
\end{flushleft}
\begin{verbatim}
peer=$1
if [ "$peer" != "" ]; then
  if [ "$pfxlen" != "" -a "$pfxlen" != "32" ]; then
    echo "Peer address with non-trivial netmask." 1>&2
    exit 1
  fi
  pfx="$ipaddr peer $peer"
else
  if [ "$pfxlen" = "" ]; then
    ABCMaskLen $ipaddr
    pfxlen=$?
  fi
  pfx="$ipaddr/$pfxlen"
fi
if [ "$ldev" = "$dev" -a "$ipaddr" != "" ]; then
  label=
fi
\end{verbatim}
\begin{flushleft}
\# If deletion was requested, delete the address and restart RDISC
\end{flushleft}
\begin{verbatim}
if [ $deleting -ne 0 ]; then
  ip addr del $pfx dev $dev $label || exit 1
  if [ $fwd -eq 0 ]; then RestartRDISC; fi
  exit 0
fi
\end{verbatim}
\begin{flushleft}
\# Start interface initialization.\\
\#\\
\# {\bf Step 0} --- enable device \verb|$dev|
\end{flushleft}
\begin{verbatim}
if ! ip link set up dev $dev ; then
  echo "Error: cannot enable interface $dev." 1>&2
  exit 1
fi
if [ "$ipaddr" = "" ]; then exit 0; fi
\end{verbatim}
\begin{flushleft}
\# {\bf Step 1} --- IP Duplicate Address Detection~\cite{RFC-DHCP}.\\
\# Send two probes and wait up to 3 seconds for the result.\\
\# If the interface comes up slowly, e.g.\ because of long media detection,\\
\# you will want to increase the timeout.
\end{flushleft}
\begin{verbatim}
if ! arping -q -c 2 -w 3 -D -I $dev $ipaddr ; then
  echo "Error: some host already uses address $ipaddr on $dev." 1>&2
  exit 1
fi
\end{verbatim}
\begin{flushleft}
\# OK, the address is unique. We may add it to the interface.\\
\#\\
\# {\bf Step 2} --- Configure the address on the interface.
\end{flushleft}
\begin{verbatim}
if ! ip address add $pfx brd + dev $dev $label; then
  echo "Error: failed to add $pfx on $dev." 1>&2
  exit 1
fi
\end{verbatim}
\noindent\# {\bf Step 3} --- Announce our presence on the link.
\begin{verbatim}
arping -q -A -c 1 -I $dev $ipaddr
noarp=$?
( sleep 2 ;
  arping -q -U -c 1 -I $dev $ipaddr ) >& /dev/null </dev/null &
\end{verbatim}
\begin{flushleft}
\# {\bf Step 4} (optional) --- Add some control routes.\\
\#\\
\# 1. Prohibit link local multicast addresses.\\
\# 2. Prohibit link local (a.k.a.\ limited) broadcast.\\
\# 3. Add default multicast route.
\end{flushleft}
\begin{verbatim}
ip route add unreachable 224.0.0.0/24 >& /dev/null
ip route add unreachable 255.255.255.255 >& /dev/null
if [ `ip link ls $dev | grep -c MULTICAST` -ge 1 ]; then
  ip route add 224.0.0.0/4 dev $dev scope global >& /dev/null
fi
\end{verbatim}
\begin{flushleft}
\# {\bf Step 5} --- Add fallback default route with huge metric.\\
\# If a proxy ARP server is present on the interface, we will be\\
\# able to talk to all the Internet without further configuration.\\
\# Do not perform this step on a router or if the device is not ARPable,\\
\# because dead nexthop detection does not work on them.
\end{flushleft}
\begin{verbatim}
if [ $fwd -eq 0 ]; then
  if [ $noarp -eq 0 ]; then
    ip ro append default dev $dev metric 30000 scope global
  elif [ "$peer" != "" ]; then
    if ping -q -c 2 -w 4 $peer ; then
      ip ro append default via $peer dev $dev metric 30001
    fi
  fi
  RestartRDISC
fi

exit 0
\end{verbatim}
\begin{flushleft}
\# End of {\bf MAIN()}
\end{flushleft}


\end{document}