

ip-xfrm.8 (15385B)


  1. '\" t
  2. .TH IP\-XFRM 8 "20 Dec 2011" "iproute2" "Linux"
  3. .SH "NAME"
  4. ip-xfrm \- transform configuration
  5. .SH "SYNOPSIS"
  6. .sp
  7. .ad l
  8. .in +8
  9. .ti -8
  10. .B ip
  11. .RI "[ " OPTIONS " ]"
  12. .B xfrm
  13. .RI " { " COMMAND " | "
  14. .BR help " }"
  15. .sp
  16. .ti -8
  17. .B "ip xfrm"
  18. .IR XFRM-OBJECT " { " COMMAND " | "
  19. .BR help " }"
  20. .sp
  21. .ti -8
  22. .IR XFRM-OBJECT " :="
  23. .BR state " | " policy " | " monitor
  24. .sp
  25. .ti -8
  26. .BR "ip xfrm state" " { " add " | " update " } "
  27. .IR ID " [ " ALGO-LIST " ]"
  28. .RB "[ " mode
  29. .IR MODE " ]"
  30. .RB "[ " mark
  31. .I MARK
  32. .RB "[ " mask
  33. .IR MASK " ] ]"
  34. .RB "[ " reqid
  35. .IR REQID " ]"
  36. .RB "[ " seq
  37. .IR SEQ " ]"
  38. .RB "[ " replay-window
  39. .IR SIZE " ]"
  40. .RB "[ " replay-seq
  41. .IR SEQ " ]"
  42. .RB "[ " replay-oseq
  43. .IR SEQ " ]"
  44. .RB "[ " replay-seq-hi
  45. .IR SEQ " ]"
  46. .RB "[ " replay-oseq-hi
  47. .IR SEQ " ]"
  48. .RB "[ " flag
  49. .IR FLAG-LIST " ]"
  50. .RB "[ " sel
  51. .IR SELECTOR " ] [ " LIMIT-LIST " ]"
  52. .RB "[ " encap
  53. .IR ENCAP " ]"
  54. .RB "[ " coa
  55. .IR ADDR "[/" PLEN "] ]"
  56. .RB "[ " ctx
  57. .IR CTX " ]"
  58. .RB "[ " extra-flag
  59. .IR EXTRA-FLAG-LIST " ]"
  60. .RB "[ " output-mark
  61. .IR OUTPUT-MARK
  62. .RB "[ " mask
  63. .IR MASK " ] ]"
  64. .RB "[ " if_id
  65. .IR IF-ID " ]"
  66. .RB "[ " offload
  67. .RB "[ " crypto | packet " ]"
  68. .RB dev
  69. .IR DEV
  70. .RB dir
  71. .IR DIR " ]"
  72. .RB "[ " tfcpad
  73. .IR LENGTH " ]"
  74. .ti -8
  75. .B "ip xfrm state allocspi"
  76. .I ID
  77. .RB "[ " mode
  78. .IR MODE " ]"
  79. .RB "[ " mark
  80. .I MARK
  81. .RB "[ " mask
  82. .IR MASK " ] ]"
  83. .RB "[ " reqid
  84. .IR REQID " ]"
  85. .RB "[ " seq
  86. .IR SEQ " ]"
  87. .RB "[ " min
  88. .I SPI
  89. .B max
  90. .IR SPI " ]"
  91. .ti -8
  92. .BR "ip xfrm state" " { " delete " | " get " } "
  93. .I ID
  94. .RB "[ " mark
  95. .I MARK
  96. .RB "[ " mask
  97. .IR MASK " ] ]"
  98. .ti -8
  99. .BR ip " [ " -4 " | " -6 " ] " "xfrm state deleteall" " ["
  100. .IR ID " ]"
  101. .RB "[ " mode
  102. .IR MODE " ]"
  103. .RB "[ " reqid
  104. .IR REQID " ]"
  105. .RB "[ " flag
  106. .IR FLAG-LIST " ]"
  107. .ti -8
  108. .BR ip " [ " -4 " | " -6 " ] " "xfrm state list" " ["
  109. .IR ID " ]"
  110. .RB "[ " nokeys " ]"
  111. .RB "[ " mode
  112. .IR MODE " ]"
  113. .RB "[ " reqid
  114. .IR REQID " ]"
  115. .RB "[ " flag
  116. .IR FLAG-LIST " ]"
  117. .ti -8
  118. .BR "ip xfrm state flush" " [ " proto
  119. .IR XFRM-PROTO " ]"
  120. .ti -8
  121. .BR "ip xfrm state count"
  122. .ti -8
  123. .IR ID " :="
  124. .RB "[ " src
  125. .IR ADDR " ]"
  126. .RB "[ " dst
  127. .IR ADDR " ]"
  128. .RB "[ " proto
  129. .IR XFRM-PROTO " ]"
  130. .RB "[ " spi
  131. .IR SPI " ]"
  132. .ti -8
  133. .IR XFRM-PROTO " :="
  134. .BR esp " | " ah " | " comp " | " route2 " | " hao
  135. .ti -8
  136. .IR ALGO-LIST " := [ " ALGO-LIST " ] " ALGO
  137. .ti -8
  138. .IR ALGO " :="
  139. .RB "{ " enc " | " auth " } "
  140. .IR ALGO-NAME " " ALGO-KEYMAT " |"
  141. .br
  142. .B auth-trunc
  143. .IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-TRUNC-LEN " |"
  144. .br
  145. .B aead
  146. .IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-ICV-LEN " |"
  147. .br
  148. .B comp
  149. .IR ALGO-NAME
  150. .ti -8
  151. .IR MODE " := "
  152. .BR transport " | " tunnel " | " beet " | " ro " | " in_trigger
  153. .ti -8
  154. .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
  155. .ti -8
  156. .IR FLAG " :="
  157. .BR noecn " | " decap-dscp " | " nopmtudisc " | " wildrecv " | " icmp " | "
  158. .BR af-unspec " | " align4 " | " esn
  159. .ti -8
  160. .IR SELECTOR " :="
  161. .RB "[ " src
  162. .IR ADDR "[/" PLEN "] ]"
  163. .RB "[ " dst
  164. .IR ADDR "[/" PLEN "] ]"
  165. .RB "[ " dev
  166. .IR DEV " ]"
  167. .br
  168. .RI "[ " UPSPEC " ]"
  169. .ti -8
  170. .IR UPSPEC " := "
  171. .BR proto " {"
  172. .IR PROTO " |"
  173. .br
  174. .RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
  175. .IR PORT " ]"
  176. .RB "[ " dport
  177. .IR PORT " ] |"
  178. .br
  179. .RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
  180. .IR NUMBER " ]"
  181. .RB "[ " code
  182. .IR NUMBER " ] |"
  183. .br
  184. .BR gre " [ " key
  185. .RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
  186. .ti -8
  187. .IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
  188. .B limit
  189. .I LIMIT
  190. .ti -8
  191. .IR LIMIT " :="
  192. .RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
  193. .IR "SECONDS" " |"
  194. .br
  195. .RB "{ " byte-soft " | " byte-hard " }"
  196. .IR SIZE " |"
  197. .br
  198. .RB "{ " packet-soft " | " packet-hard " }"
  199. .I COUNT
  200. .ti -8
  201. .IR ENCAP " :="
  202. .RB "{ " espinudp " | " espinudp-nonike " | " espintcp " }"
  203. .IR SPORT " " DPORT " " OADDR
  204. .ti -8
  205. .IR EXTRA-FLAG-LIST " := [ " EXTRA-FLAG-LIST " ] " EXTRA-FLAG
  206. .ti -8
  207. .IR EXTRA-FLAG " := "
  208. .BR dont-encap-dscp " | " oseq-may-wrap
  209. .ti -8
  210. .BR "ip xfrm policy" " { " add " | " update " }"
  211. .I SELECTOR
  212. .B dir
  213. .I DIR
  214. .RB "[ " ctx
  215. .IR CTX " ]"
  216. .RB "[ " mark
  217. .I MARK
  218. .RB "[ " mask
  219. .IR MASK " ] ]"
  220. .RB "[ " index
  221. .IR INDEX " ]"
  222. .RB "[ " ptype
  223. .IR PTYPE " ]"
  224. .RB "[ " action
  225. .IR ACTION " ]"
  226. .RB "[ " priority
  227. .IR PRIORITY " ]"
  228. .RB "[ " flag
  229. .IR FLAG-LIST " ]"
  230. .RB "[ " if_id
  231. .IR IF-ID " ]"
  232. .RB "[ " offload
  233. .RB packet
  234. .RB dev
  235. .IR DEV " ]"
  236. .RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]"
  237. .ti -8
  238. .BR "ip xfrm policy" " { " delete " | " get " }"
  239. .RI "{ " SELECTOR " | "
  240. .B index
  241. .IR INDEX " }"
  242. .B dir
  243. .I DIR
  244. .RB "[ " ctx
  245. .IR CTX " ]"
  246. .RB "[ " mark
  247. .I MARK
  248. .RB "[ " mask
  249. .IR MASK " ] ]"
  250. .RB "[ " ptype
  251. .IR PTYPE " ]"
  252. .RB "[ " if_id
  253. .IR IF-ID " ]"
  254. .ti -8
  255. .BR ip " [ " -4 " | " -6 " ] " "xfrm policy" " { " deleteall " | " list " }"
  256. .RB "[ " nosock " ]"
  257. .RI "[ " SELECTOR " ]"
  258. .RB "[ " dir
  259. .IR DIR " ]"
  260. .RB "[ " index
  261. .IR INDEX " ]"
  262. .RB "[ " ptype
  263. .IR PTYPE " ]"
  264. .RB "[ " action
  265. .IR ACTION " ]"
  266. .RB "[ " priority
  267. .IR PRIORITY " ]"
  268. .RB "[ " flag
  269. .IR FLAG-LIST " ]"
  270. .ti -8
  271. .B "ip xfrm policy flush"
  272. .RB "[ " ptype
  273. .IR PTYPE " ]"
  274. .ti -8
  275. .B "ip xfrm policy count"
  276. .ti -8
  277. .B "ip xfrm policy set"
  278. .RB "[ " hthresh4
  279. .IR LBITS " " RBITS " ]"
  280. .RB "[ " hthresh6
  281. .IR LBITS " " RBITS " ]"
  282. .ti -8
  283. .B "ip xfrm policy setdefault"
  284. .IR DIR
  285. .IR ACTION " [ "
  286. .IR DIR
  287. .IR ACTION " ] [ "
  288. .IR DIR
  289. .IR ACTION " ]"
  290. .ti -8
  291. .B "ip xfrm policy getdefault"
  292. .ti -8
  293. .IR SELECTOR " :="
  294. .RB "[ " src
  295. .IR ADDR "[/" PLEN "] ]"
  296. .RB "[ " dst
  297. .IR ADDR "[/" PLEN "] ]"
  298. .RB "[ " dev
  299. .IR DEV " ]"
  300. .RI "[ " UPSPEC " ]"
  301. .ti -8
  302. .IR UPSPEC " := "
  303. .BR proto " {"
  304. .IR PROTO " |"
  305. .br
  306. .RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
  307. .IR PORT " ]"
  308. .RB "[ " dport
  309. .IR PORT " ] |"
  310. .br
  311. .RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
  312. .IR NUMBER " ]"
  313. .RB "[ " code
  314. .IR NUMBER " ] |"
  315. .br
  316. .BR gre " [ " key
  317. .RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
  318. .ti -8
  319. .IR DIR " := "
  320. .BR in " | " out " | " fwd
  321. .ti -8
  322. .IR PTYPE " := "
  323. .BR main " | " sub
  324. .ti -8
  325. .IR ACTION " := "
  326. .BR allow " | " block
  327. .ti -8
  328. .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
  329. .ti -8
  330. .IR FLAG " :="
  331. .BR localok " | " icmp
  332. .ti -8
  333. .IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
  334. .B limit
  335. .I LIMIT
  336. .ti -8
  337. .IR LIMIT " :="
  338. .RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
  339. .IR "SECONDS" " |"
  340. .br
  341. .RB "{ " byte-soft " | " byte-hard " }"
  342. .IR SIZE " |"
  343. .br
  344. .RB "{ " packet-soft " | " packet-hard " }"
  345. .I COUNT
  346. .ti -8
  347. .IR TMPL-LIST " := [ " TMPL-LIST " ]"
  348. .B tmpl
  349. .I TMPL
  350. .ti -8
  351. .IR TMPL " := " ID
  352. .RB "[ " mode
  353. .IR MODE " ]"
  354. .RB "[ " reqid
  355. .IR REQID " ]"
  356. .RB "[ " level
  357. .IR LEVEL " ]"
  358. .ti -8
  359. .IR ID " :="
  360. .RB "[ " src
  361. .IR ADDR " ]"
  362. .RB "[ " dst
  363. .IR ADDR " ]"
  364. .RB "[ " proto
  365. .IR XFRM-PROTO " ]"
  366. .RB "[ " spi
  367. .IR SPI " ]"
  368. .ti -8
  369. .IR XFRM-PROTO " :="
  370. .BR esp " | " ah " | " comp " | " route2 " | " hao
  371. .ti -8
  372. .IR MODE " := "
  373. .BR transport " | " tunnel " | " beet " | " ro " | " in_trigger
  374. .ti -8
  375. .IR LEVEL " :="
  376. .BR required " | " use
  377. .ti -8
  378. .BR "ip xfrm monitor" " ["
  379. .BI all-nsid
  380. ] [
  381. .BI nokeys
  382. ] [
  383. .BI all
  384. |
  385. .IR LISTofXFRM-OBJECTS " ]"
  386. .ti -8
  387. .IR LISTofXFRM-OBJECTS " := [ " LISTofXFRM-OBJECTS " ] " XFRM-OBJECT
  388. .ti -8
  389. .IR XFRM-OBJECT " := "
  390. .BR acquire " | " expire " | " SA " | " policy " | " aevent " | " report
  391. .in -8
  392. .ad b
  393. .SH DESCRIPTION
  394. xfrm is an IP framework for transforming packets (such as encrypting
  395. their payloads). This framework is used to implement the IPsec protocol
  396. suite (with the
  397. .B state
  398. object operating on the Security Association Database, and the
  399. .B policy
  400. object operating on the Security Policy Database). It is also used for
  401. the IP Payload Compression Protocol and features of Mobile IPv6.
  402. .TS
  403. l l.
  404. ip xfrm state add add new state into xfrm
  405. ip xfrm state update update existing state in xfrm
  406. ip xfrm state allocspi allocate an SPI value
  407. ip xfrm state delete delete existing state in xfrm
  408. ip xfrm state get get existing state in xfrm
  409. ip xfrm state deleteall delete all existing state in xfrm
  410. ip xfrm state list print out the list of existing state in xfrm
  411. ip xfrm state flush flush all state in xfrm
  412. ip xfrm state count count all existing state in xfrm
  413. .TE
  414. .TP
  415. .IR ID
  416. is specified by a source address, destination address,
  417. .RI "transform protocol " XFRM-PROTO ","
  418. and/or Security Parameter Index
  419. .IR SPI "."
  420. (For IP Payload Compression, the Compression Parameter Index or CPI is used for
  421. .IR SPI ".)"
  422. .TP
  423. .I XFRM-PROTO
  424. specifies a transform protocol:
  425. .RB "IPsec Encapsulating Security Payload (" esp "),"
  426. .RB "IPsec Authentication Header (" ah "),"
  427. .RB "IP Payload Compression (" comp "),"
  428. .RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
  429. .RB "Mobile IPv6 Home Address Option (" hao ")."
  430. .TP
  431. .I ALGO-LIST
  432. contains one or more algorithms to use. Each algorithm
  433. .I ALGO
  434. is specified by:
  435. .RS
  436. .IP \[bu]
  437. the algorithm type:
  438. .RB "encryption (" enc "),"
  439. .RB "authentication (" auth " or " auth-trunc "),"
  440. .RB "authenticated encryption with associated data (" aead "), or"
  441. .RB "compression (" comp ")"
  442. .IP \[bu]
  443. the algorithm name
  444. .IR ALGO-NAME
  445. (see below)
  446. .IP \[bu]
  447. .RB "(for all except " comp ")"
  448. the keying material
  449. .IR ALGO-KEYMAT ","
  450. which may include both a key and a salt or nonce value; refer to the
  451. corresponding RFC
  452. .IP \[bu]
  453. .RB "(for " auth-trunc " only)"
  454. the truncation length
  455. .I ALGO-TRUNC-LEN
  456. in bits
  457. .IP \[bu]
  458. .RB "(for " aead " only)"
  459. the Integrity Check Value length
  460. .I ALGO-ICV-LEN
  461. in bits
  462. .RE
  463. .nh
  464. .RS
  465. Encryption algorithms include
  466. .BR ecb(cipher_null) ", " cbc(des) ", " cbc(des3_ede) ", " cbc(cast5) ","
  467. .BR cbc(blowfish) ", " cbc(aes) ", " cbc(serpent) ", " cbc(camellia) ","
  468. .BR cbc(twofish) ", and " rfc3686(ctr(aes)) "."
  469. Authentication algorithms include
  470. .BR digest_null ", " hmac(md5) ", " hmac(sha1) ", " hmac(sha256) ","
  471. .BR hmac(sha384) ", " hmac(sha512) ", " hmac(rmd160) ", and " xcbc(aes) "."
  472. Authenticated encryption with associated data (AEAD) algorithms include
  473. .BR rfc4106(gcm(aes)) ", " rfc4309(ccm(aes)) ", and " rfc4543(gcm(aes)) "."
  474. Compression algorithms include
  475. .BR deflate ", " lzs ", and " lzjh "."
  476. .RE
  477. .hy
  478. .TP
  479. .I MODE
  480. specifies a mode of operation for the transform protocol. IPsec and IP Payload
  481. Compression modes are
  482. .BR transport ", " tunnel ","
  483. and (for IPsec ESP only) Bound End-to-End Tunnel
  484. .RB "(" beet ")."
  485. Mobile IPv6 modes are route optimization
  486. .RB "(" ro ")"
  487. and inbound trigger
  488. .RB "(" in_trigger ")."
  489. .TP
  490. .I FLAG-LIST
  491. contains one or more of the following optional flags:
  492. .BR noecn ", " decap-dscp ", " nopmtudisc ", " wildrecv ", " icmp ", "
  493. .BR af-unspec ", " align4 ", or " esn "."
  494. .TP
  495. .IR SELECTOR
  496. selects the traffic that will be controlled by the policy, based on the source
  497. address, the destination address, the network device, and/or
  498. .IR UPSPEC "."
  499. .TP
  500. .IR UPSPEC
  501. selects traffic by protocol. For the
  502. .BR tcp ", " udp ", " sctp ", or " dccp
  503. protocols, the source and destination port can optionally be specified.
  504. For the
  505. .BR icmp ", " ipv6-icmp ", or " mobility-header
  506. protocols, the type and code numbers can optionally be specified.
  507. For the
  508. .B gre
  509. protocol, the key can optionally be specified as a dotted-quad or number.
  510. Other protocols can be selected by name or number
  511. .IR PROTO "."
  512. .TP
  513. .I LIMIT-LIST
  514. sets limits in seconds, bytes, or numbers of packets.
  515. .TP
  516. .I ENCAP
  517. encapsulates packets with protocol
  518. .BR espinudp ", " espinudp-nonike ", or " espintcp ","
  519. .RI "using source port " SPORT ", destination port " DPORT
  520. .RI ", and original address " OADDR "."
  521. .TP
  522. .I MARK
  523. used to match xfrm policies and states
  524. .TP
  525. .I OUTPUT-MARK
  526. used to set the output mark to influence the routing
  527. of the packets emitted by the state
  528. .TP
  529. .I IF-ID
  530. xfrm interface identifier used in both xfrm policies and states
  531. .TP
  532. .I DEV
  533. Network interface name used to offload policies and states
  534. .sp
  535. .PP
  536. .TS
  537. l l.
  538. ip xfrm policy add add a new policy
  539. ip xfrm policy update update an existing policy
  540. ip xfrm policy delete delete an existing policy
  541. ip xfrm policy get get an existing policy
  542. ip xfrm policy deleteall delete all existing xfrm policies
  543. ip xfrm policy list print out the list of xfrm policies
  544. ip xfrm policy flush flush policies
  545. .TE
  546. .TP
  547. .BR nosock
  548. filter (remove) all socket policies from the output.
  549. .TP
  550. .IR SELECTOR
  551. selects the traffic that will be controlled by the policy, based on the source
  552. address, the destination address, the network device, and/or
  553. .IR UPSPEC "."
  554. .TP
  555. .IR UPSPEC
  556. selects traffic by protocol. For the
  557. .BR tcp ", " udp ", " sctp ", or " dccp
  558. protocols, the source and destination port can optionally be specified.
  559. For the
  560. .BR icmp ", " ipv6-icmp ", or " mobility-header
  561. protocols, the type and code numbers can optionally be specified.
  562. For the
  563. .B gre
  564. protocol, the key can optionally be specified as a dotted-quad or number.
  565. Other protocols can be selected by name or number
  566. .IR PROTO "."
  567. .TP
  568. .I DIR
  569. selects the policy direction as
  570. .BR in ", " out ", or " fwd "."
  571. .TP
  572. .I CTX
  573. sets the security context.
  574. .TP
  575. .I PTYPE
  576. can be
  577. .BR main " (default) or " sub "."
  578. .TP
  579. .I ACTION
  580. can be
  581. .BR allow " (default) or " block "."
  582. .TP
  583. .I PRIORITY
  584. is a number that defaults to zero.
  585. .TP
  586. .I FLAG-LIST
  587. contains one or both of the following optional flags:
  588. .BR localok " or " icmp "."
  589. .TP
  590. .I LIMIT-LIST
  591. sets limits in seconds, bytes, or numbers of packets.
  592. .TP
  593. .I TMPL-LIST
  594. is a template list specified using
  595. .IR ID ", " MODE ", " REQID ", and/or " LEVEL ". "
  596. .TP
  597. .IR ID
  598. is specified by a source address, destination address,
  599. .RI "transform protocol " XFRM-PROTO ","
  600. and/or Security Parameter Index
  601. .IR SPI "."
  602. (For IP Payload Compression, the Compression Parameter Index or CPI is used for
  603. .IR SPI ".)"
  604. .TP
  605. .I XFRM-PROTO
  606. specifies a transform protocol:
  607. .RB "IPsec Encapsulating Security Payload (" esp "),"
  608. .RB "IPsec Authentication Header (" ah "),"
  609. .RB "IP Payload Compression (" comp "),"
  610. .RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
  611. .RB "Mobile IPv6 Home Address Option (" hao ")."
  612. .TP
  613. .I MODE
  614. specifies a mode of operation for the transform protocol. IPsec and IP Payload
  615. Compression modes are
  616. .BR transport ", " tunnel ","
  617. and (for IPsec ESP only) Bound End-to-End Tunnel
  618. .RB "(" beet ")."
  619. Mobile IPv6 modes are route optimization
  620. .RB "(" ro ")"
  621. and inbound trigger
  622. .RB "(" in_trigger ")."
  623. .TP
  624. .I LEVEL
  625. can be
  626. .BR required " (default) or " use "."
  627. .sp
  628. .PP
  629. .TS
  630. l l.
  631. ip xfrm policy count count existing policies
  632. .TE
  633. .PP
  634. Use one or more -s options to display more details, including policy hash table
  635. information.
  636. .sp
  637. .PP
  638. .TS
  639. l l.
  640. ip xfrm policy set configure the policy hash table
  641. .TE
  642. .PP
  643. Security policies whose address prefix lengths are greater than or equal to the
  644. policy hash table thresholds are hashed. Others are stored in the
  645. policy_inexact chained list.
  646. .TP
  647. .I LBITS
  648. specifies the minimum local address prefix length of policies that are
  649. stored in the Security Policy Database hash table.
  650. .TP
  651. .I RBITS
  652. specifies the minimum remote address prefix length of policies that are
  653. stored in the Security Policy Database hash table.
  654. .sp
  655. .PP
  656. .TS
  657. l l.
  658. ip xfrm monitor state monitoring for xfrm objects
  659. .TE
  660. .PP
  661. The xfrm objects to monitor can be optionally specified.
  662. .P
  663. If the
  664. .BI all-nsid
  665. option is set, the program listens to all network namespaces that have an
  666. nsid assigned in the network namespace where the program is running.
  667. A prefix is displayed to show the network namespace where the message
  668. originates. Example:
  669. .sp
  670. .in +2
  671. [nsid 1]Flushed state proto 0
  672. .in -2
  673. .sp
  674. .SH AUTHOR
  675. Manpage revised by David Ward <david.ward@ll.mit.edu>
  676. .br
  677. Manpage revised by Christophe Gouault <christophe.gouault@6wind.com>
  678. .br
  679. Manpage revised by Nicolas Dichtel <nicolas.dichtel@6wind.com>