logo

oasis-root

Compiled tree of Oasis Linux based on own branch at <https://hacktivis.me/git/oasis/> git clone https://anongit.hacktivis.me/git/oasis-root.git

ip-xfrm.8 (15385B)

    

  1. '\" t
  2. .TH IP\-XFRM 8 "20 Dec 2011" "iproute2" "Linux"
  3. .SH "NAME"
  4. ip-xfrm \- transform configuration
  5. .SH "SYNOPSIS"
  6. .sp
  7. .ad l
  8. .in +8
  9. .ti -8
  10. .B ip
  11. .RI "[ " OPTIONS " ]"
  12. .B xfrm
  13. .RI " { " COMMAND " | "
  14. .BR help " }"
  15. .sp
  17. .ti -8
  18. .B "ip xfrm"
  19. .IR XFRM-OBJECT " { " COMMAND " | "
  20. .BR help " }"
  21. .sp
  23. .ti -8
  24. .IR XFRM-OBJECT " :="
  25. .BR state " | " policy " | " monitor
  26. .sp
  28. .ti -8
  29. .BR "ip xfrm state" " { " add " | " update " } "
  30. .IR ID " [ " ALGO-LIST " ]"
  31. .RB "[ " mode
  32. .IR MODE " ]"
  33. .RB "[ " mark
  34. .I MARK
  35. .RB "[ " mask
  36. .IR MASK " ] ]"
  37. .RB "[ " reqid
  38. .IR REQID " ]"
  39. .RB "[ " seq
  40. .IR SEQ " ]"
  41. .RB "[ " replay-window
  42. .IR SIZE " ]"
  43. .RB "[ " replay-seq
  44. .IR SEQ " ]"
  45. .RB "[ " replay-oseq
  46. .IR SEQ " ]"
  47. .RB "[ " replay-seq-hi
  48. .IR SEQ " ]"
  49. .RB "[ " replay-oseq-hi
  50. .IR SEQ " ]"
  51. .RB "[ " flag
  52. .IR FLAG-LIST " ]"
  53. .RB "[ " sel
  54. .IR SELECTOR " ] [ " LIMIT-LIST " ]"
  55. .RB "[ " encap
  56. .IR ENCAP " ]"
  57. .RB "[ " coa
  58. .IR ADDR "[/" PLEN "] ]"
  59. .RB "[ " ctx
  60. .IR CTX " ]"
  61. .RB "[ " extra-flag
  62. .IR EXTRA-FLAG-LIST " ]"
  63. .RB "[ " output-mark
  64. .IR OUTPUT-MARK
  65. .RB "[ " mask
  66. .IR MASK " ] ]"
  67. .RB "[ " if_id
  68. .IR IF-ID " ]"
  69. .RB "[ " offload
  70. .RB "[ " crypto | packet " ]"
  71. .RB dev
  72. .IR DEV "
  73. .RB dir
  74. .IR DIR " ]"
  75. .RB "[ " tfcpad
  76. .IR LENGTH " ]"
  78. .ti -8
  79. .B "ip xfrm state allocspi"
  80. .I ID
  81. .RB "[ " mode
  82. .IR MODE " ]"
  83. .RB "[ " mark
  84. .I MARK
  85. .RB "[ " mask
  86. .IR MASK " ] ]"
  87. .RB "[ " reqid
  88. .IR REQID " ]"
  89. .RB "[ " seq
  90. .IR SEQ " ]"
  91. .RB "[ " min
  92. .I SPI
  93. .B max
  94. .IR SPI " ]"
  96. .ti -8
  97. .BR "ip xfrm state" " { " delete " | " get " } "
  98. .I ID
  99. .RB "[ " mark
  100. .I MARK
  101. .RB "[ " mask
  102. .IR MASK " ] ]"
  104. .ti -8
  105. .BR ip " [ " -4 " | " -6 " ] " "xfrm state deleteall" " ["
  106. .IR ID " ]"
  107. .RB "[ " mode
  108. .IR MODE " ]"
  109. .RB "[ " reqid
  110. .IR REQID " ]"
  111. .RB "[ " flag
  112. .IR FLAG-LIST " ]"
  114. .ti -8
  115. .BR ip " [ " -4 " | " -6 " ] " "xfrm state list" " ["
  116. .IR ID " ]"
  117. .RB "[ " nokeys " ]"
  118. .RB "[ " mode
  119. .IR MODE " ]"
  120. .RB "[ " reqid
  121. .IR REQID " ]"
  122. .RB "[ " flag
  123. .IR FLAG-LIST " ]"
  125. .ti -8
  126. .BR "ip xfrm state flush" " [ " proto
  127. .IR XFRM-PROTO " ]"
  129. .ti -8
  130. .BR "ip xfrm state count"
  132. .ti -8
  133. .IR ID " :="
  134. .RB "[ " src
  135. .IR ADDR " ]"
  136. .RB "[ " dst
  137. .IR ADDR " ]"
  138. .RB "[ " proto
  139. .IR XFRM-PROTO " ]"
  140. .RB "[ " spi
  141. .IR SPI " ]"
  143. .ti -8
  144. .IR XFRM-PROTO " :="
  145. .BR esp " | " ah " | " comp " | " route2 " | " hao
  147. .ti -8
  148. .IR ALGO-LIST " := [ " ALGO-LIST " ] " ALGO
  150. .ti -8
  151. .IR ALGO " :="
  152. .RB "{ " enc " | " auth " } "
  153. .IR ALGO-NAME " " ALGO-KEYMAT " |"
  154. .br
  155. .B auth-trunc
  156. .IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-TRUNC-LEN " |"
  157. .br
  158. .B aead
  159. .IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-ICV-LEN " |"
  160. .br
  161. .B comp
  162. .IR ALGO-NAME
  164. .ti -8
  165. .IR MODE " := "
  166. .BR transport " | " tunnel " | " beet " | " ro " | " in_trigger
  168. .ti -8
  169. .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
  171. .ti -8
  172. .IR FLAG " :="
  173. .BR noecn " | " decap-dscp " | " nopmtudisc " | " wildrecv " | " icmp " | "
  174. .BR af-unspec " | " align4 " | " esn
  176. .ti -8
  177. .IR SELECTOR " :="
  178. .RB "[ " src
  179. .IR ADDR "[/" PLEN "] ]"
  180. .RB "[ " dst
  181. .IR ADDR "[/" PLEN "] ]"
  182. .RB "[ " dev
  183. .IR DEV " ]"
  184. .br
  185. .RI "[ " UPSPEC " ]"
  187. .ti -8
  188. .IR UPSPEC " := "
  189. .BR proto " {"
  190. .IR PROTO " |"
  191. .br
  192. .RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
  193. .IR PORT " ]"
  194. .RB "[ " dport
  195. .IR PORT " ] |"
  196. .br
  197. .RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
  198. .IR NUMBER " ]"
  199. .RB "[ " code
  200. .IR NUMBER " ] |"
  201. .br
  202. .BR gre " [ " key
  203. .RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
  205. .ti -8
  206. .IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
  207. .B limit
  208. .I LIMIT
  210. .ti -8
  211. .IR LIMIT " :="
  212. .RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
  213. .IR "SECONDS" " |"
  214. .br
  215. .RB "{ " byte-soft " | " byte-hard " }"
  216. .IR SIZE " |"
  217. .br
  218. .RB "{ " packet-soft " | " packet-hard " }"
  219. .I COUNT
  221. .ti -8
  222. .IR ENCAP " :="
  223. .RB "{ " espinudp " | " espinudp-nonike " | " espintcp " }"
  224. .IR SPORT " " DPORT " " OADDR
  226. .ti -8
  227. .IR EXTRA-FLAG-LIST " := [ " EXTRA-FLAG-LIST " ] " EXTRA-FLAG
  229. .ti -8
  230. .IR EXTRA-FLAG " := "
  231. .BR dont-encap-dscp " | " oseq-may-wrap
  233. .ti -8
  234. .BR "ip xfrm policy" " { " add " | " update " }"
  235. .I SELECTOR
  236. .B dir
  237. .I DIR
  238. .RB "[ " ctx
  239. .IR CTX " ]"
  240. .RB "[ " mark
  241. .I MARK
  242. .RB "[ " mask
  243. .IR MASK " ] ]"
  244. .RB "[ " index
  245. .IR INDEX " ]"
  246. .RB "[ " ptype
  247. .IR PTYPE " ]"
  248. .RB "[ " action
  249. .IR ACTION " ]"
  250. .RB "[ " priority
  251. .IR PRIORITY " ]"
  252. .RB "[ " flag
  253. .IR FLAG-LIST " ]"
  254. .RB "[ " if_id
  255. .IR IF-ID " ]"
  256. .RB "[ " offload
  257. .RB packet
  258. .RB dev
  259. .IR DEV " ]"
  260. .RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]"
  262. .ti -8
  263. .BR "ip xfrm policy" " { " delete " | " get " }"
  264. .RI "{ " SELECTOR " | "
  265. .B index
  266. .IR INDEX " }"
  267. .B dir
  268. .I DIR
  269. .RB "[ " ctx
  270. .IR CTX " ]"
  271. .RB "[ " mark
  272. .I MARK
  273. .RB "[ " mask
  274. .IR MASK " ] ]"
  275. .RB "[ " ptype
  276. .IR PTYPE " ]"
  277. .RB "[ " if_id
  278. .IR IF-ID " ]"
  280. .ti -8
  281. .BR ip " [ " -4 " | " -6 " ] " "xfrm policy" " { " deleteall " | " list " }"
  282. .RB "[ " nosock " ]"
  283. .RI "[ " SELECTOR " ]"
  284. .RB "[ " dir
  285. .IR DIR " ]"
  286. .RB "[ " index
  287. .IR INDEX " ]"
  288. .RB "[ " ptype
  289. .IR PTYPE " ]"
  290. .RB "[ " action
  291. .IR ACTION " ]"
  292. .RB "[ " priority
  293. .IR PRIORITY " ]"
  294. .RB "[ " flag
  295. .IR FLAG-LIST "]"
  297. .ti -8
  298. .B "ip xfrm policy flush"
  299. .RB "[ " ptype
  300. .IR PTYPE " ]"
  302. .ti -8
  303. .B "ip xfrm policy count"
  305. .ti -8
  306. .B "ip xfrm policy set"
  307. .RB "[ " hthresh4
  308. .IR LBITS " " RBITS " ]"
  309. .RB "[ " hthresh6
  310. .IR LBITS " " RBITS " ]"
  312. .ti -8
  313. .B "ip xfrm policy setdefault"
  314. .IR DIR
  315. .IR ACTION " [ "
  316. .IR DIR
  317. .IR ACTION " ] [ "
  318. .IR DIR
  319. .IR ACTION " ]"
  321. .ti -8
  322. .B "ip xfrm policy getdefault"
  324. .ti -8
  325. .IR SELECTOR " :="
  326. .RB "[ " src
  327. .IR ADDR "[/" PLEN "] ]"
  328. .RB "[ " dst
  329. .IR ADDR "[/" PLEN "] ]"
  330. .RB "[ " dev
  331. .IR DEV " ]"
  332. .RI "[ " UPSPEC " ]"
  334. .ti -8
  335. .IR UPSPEC " := "
  336. .BR proto " {"
  337. .IR PROTO " |"
  338. .br
  339. .RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
  340. .IR PORT " ]"
  341. .RB "[ " dport
  342. .IR PORT " ] |"
  343. .br
  344. .RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
  345. .IR NUMBER " ]"
  346. .RB "[ " code
  347. .IR NUMBER " ] |"
  348. .br
  349. .BR gre " [ " key
  350. .RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
  352. .ti -8
  353. .IR DIR " := "
  354. .BR in " | " out " | " fwd
  356. .ti -8
  357. .IR PTYPE " := "
  358. .BR main " | " sub
  360. .ti -8
  361. .IR ACTION " := "
  362. .BR allow " | " block
  364. .ti -8
  365. .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
  367. .ti -8
  368. .IR FLAG " :="
  369. .BR localok " | " icmp
  371. .ti -8
  372. .IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
  373. .B limit
  374. .I LIMIT
  376. .ti -8
  377. .IR LIMIT " :="
  378. .RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
  379. .IR "SECONDS" " |"
  380. .br
  381. .RB "{ " byte-soft " | " byte-hard " }"
  382. .IR SIZE " |"
  383. .br
  384. .RB "{ " packet-soft " | " packet-hard " }"
  385. .I COUNT
  387. .ti -8
  388. .IR TMPL-LIST " := [ " TMPL-LIST " ]"
  389. .B tmpl
  390. .I TMPL
  392. .ti -8
  393. .IR TMPL " := " ID
  394. .RB "[ " mode
  395. .IR MODE " ]"
  396. .RB "[ " reqid
  397. .IR REQID " ]"
  398. .RB "[ " level
  399. .IR LEVEL " ]"
  401. .ti -8
  402. .IR ID " :="
  403. .RB "[ " src
  404. .IR ADDR " ]"
  405. .RB "[ " dst
  406. .IR ADDR " ]"
  407. .RB "[ " proto
  408. .IR XFRM-PROTO " ]"
  409. .RB "[ " spi
  410. .IR SPI " ]"
  412. .ti -8
  413. .IR XFRM-PROTO " :="
  414. .BR esp " | " ah " | " comp " | " route2 " | " hao
  416. .ti -8
  417. .IR MODE " := "
  418. .BR transport " | " tunnel " | " beet " | " ro " | " in_trigger
  420. .ti -8
  421. .IR LEVEL " :="
  422. .BR required " | " use
  424. .ti -8
  425. .BR "ip xfrm monitor" " ["
  426. .BI all-nsid
  427. ] [
  428. .BI nokeys
  429. ] [
  430. .BI all
  431.  |
  432. .IR LISTofXFRM-OBJECTS " ]"
  434. .ti -8
  435. .IR LISTofXFRM-OBJECTS " := [ " LISTofXFRM-OBJECTS " ] " XFRM-OBJECT
  437. .ti -8
  438. .IR XFRM-OBJECT " := "
  439. .BR acquire " | " expire " | " SA " | " policy " | " aevent " | " report
  441. .in -8
  442. .ad b
  444. .SH DESCRIPTION
  446. xfrm is an IP framework for transforming packets (such as encrypting
  447. their payloads). This framework is used to implement the IPsec protocol
  448. suite (with the
  449. .B state
  450. object operating on the Security Association Database, and the
  451. .B policy
  452. object operating on the Security Policy Database). It is also used for
  453. the IP Payload Compression Protocol and features of Mobile IPv6.
  455. .TS
  456. l l.
  457. ip xfrm state add	add new state into xfrm
  458. ip xfrm state update	update existing state in xfrm
  459. ip xfrm state allocspi	allocate an SPI value
  460. ip xfrm state delete	delete existing state in xfrm
  461. ip xfrm state get	get existing state in xfrm
  462. ip xfrm state deleteall	delete all existing state in xfrm
  463. ip xfrm state list	print out the list of existing state in xfrm
  464. ip xfrm state flush	flush all state in xfrm
  465. ip xfrm state count	count all existing state in xfrm
  466. .TE
  468. .TP
  469. .IR ID
  470. is specified by a source address, destination address,
  471. .RI "transform protocol " XFRM-PROTO ","
  472. and/or Security Parameter Index
  473. .IR SPI "."
  474. (For IP Payload Compression, the Compression Parameter Index or CPI is used for
  475. .IR SPI ".)"
  477. .TP
  478. .I XFRM-PROTO
  479. specifies a transform protocol:
  480. .RB "IPsec Encapsulating Security Payload (" esp "),"
  481. .RB "IPsec Authentication Header (" ah "),"
  482. .RB "IP Payload Compression (" comp "),"
  483. .RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
  484. .RB "Mobile IPv6 Home Address Option (" hao ")."
  486. .TP
  487. .I ALGO-LIST
  488. contains one or more algorithms to use. Each algorithm
  489. .I ALGO
  490. is specified by:
  491. .RS
  492. .IP \[bu]
  493. the algorithm type:
  494. .RB "encryption (" enc "),"
  495. .RB "authentication (" auth " or " auth-trunc "),"
  496. .RB "authenticated encryption with associated data (" aead "), or"
  497. .RB "compression (" comp ")"
  498. .IP \[bu]
  499. the algorithm name
  500. .IR ALGO-NAME
  501. (see below)
  502. .IP \[bu]
  503. .RB "(for all except " comp ")"
  504. the keying material
  505. .IR ALGO-KEYMAT ","
  506. which may include both a key and a salt or nonce value; refer to the
  507. corresponding RFC
  508. .IP \[bu]
  509. .RB "(for " auth-trunc " only)"
  510. the truncation length
  511. .I ALGO-TRUNC-LEN
  512. in bits
  513. .IP \[bu]
  514. .RB "(for " aead " only)"
  515. the Integrity Check Value length
  516. .I ALGO-ICV-LEN
  517. in bits
  518. .RE
  520. .nh
  521. .RS
  522. Encryption algorithms include
  523. .BR ecb(cipher_null) ", " cbc(des) ", " cbc(des3_ede) ", " cbc(cast5) ","
  524. .BR cbc(blowfish) ", " cbc(aes) ", " cbc(serpent) ", " cbc(camellia) ","
  525. .BR cbc(twofish) ", and " rfc3686(ctr(aes)) "."
  527. Authentication algorithms include
  528. .BR digest_null ", " hmac(md5) ", " hmac(sha1) ", " hmac(sha256) ","
  529. .BR hmac(sha384) ", " hmac(sha512) ", " hmac(rmd160) ", and " xcbc(aes) "."
  531. Authenticated encryption with associated data (AEAD) algorithms include
  532. .BR rfc4106(gcm(aes)) ", " rfc4309(ccm(aes)) ", and " rfc4543(gcm(aes)) "."
  534. Compression algorithms include
  535. .BR deflate ", " lzs ", and " lzjh "."
  536. .RE
  537. .hy
  539. .TP
  540. .I MODE
  541. specifies a mode of operation for the transform protocol. IPsec and IP Payload
  542. Compression modes are
  543. .BR transport ", " tunnel ","
  544. and (for IPsec ESP only) Bound End-to-End Tunnel
  545. .RB "(" beet ")."
  546. Mobile IPv6 modes are route optimization
  547. .RB "(" ro ")"
  548. and inbound trigger
  549. .RB "(" in_trigger ")."
  551. .TP
  552. .I FLAG-LIST
  553. contains one or more of the following optional flags:
  554. .BR noecn ", " decap-dscp ", " nopmtudisc ", " wildrecv ", " icmp ", "
  555. .BR af-unspec ", " align4 ", or " esn "."
  557. .TP
  558. .IR SELECTOR
  559. selects the traffic that will be controlled by the policy, based on the source
  560. address, the destination address, the network device, and/or
  561. .IR UPSPEC "."
  563. .TP
  564. .IR UPSPEC
  565. selects traffic by protocol. For the
  566. .BR tcp ", " udp ", " sctp ", or " dccp
  567. protocols, the source and destination port can optionally be specified.
  568. For the
  569. .BR icmp ", " ipv6-icmp ", or " mobility-header
  570. protocols, the type and code numbers can optionally be specified.
  571. For the
  572. .B gre
  573. protocol, the key can optionally be specified as a dotted-quad or number.
  574. Other protocols can be selected by name or number
  575. .IR PROTO "."
  577. .TP
  578. .I LIMIT-LIST
  579. sets limits in seconds, bytes, or numbers of packets.
  581. .TP
  582. .I ENCAP
  583. encapsulates packets with protocol
  584. .BR espinudp ", " espinudp-nonike ", or " espintcp ","
  585. .RI "using source port " SPORT ", destination port "  DPORT
  586. .RI ", and original address " OADDR "."
  588. .TP
  589. .I MARK
  590. used to match xfrm policies and states
  592. .TP
  593. .I OUTPUT-MARK
  594. used to set the output mark to influence the routing
  595. of the packets emitted by the state
  597. .TP
  598. .I IF-ID
  599. xfrm interface identifier used to in both xfrm policies and states
  601. .TP
  602. .I DEV
  603. Network interface name used to offload policies and states
  605. .sp
  606. .PP
  607. .TS
  608. l l.
  609. ip xfrm policy add	add a new policy
  610. ip xfrm policy update	update an existing policy
  611. ip xfrm policy delete	delete an existing policy
  612. ip xfrm policy get	get an existing policy
  613. ip xfrm policy deleteall	delete all existing xfrm policies
  614. ip xfrm policy list	print out the list of xfrm policies
  615. ip xfrm policy flush	flush policies
  616. .TE
  618. .TP
  619. .BR nosock
  620. filter (remove) all socket policies from the output.
  622. .TP
  623. .IR SELECTOR
  624. selects the traffic that will be controlled by the policy, based on the source
  625. address, the destination address, the network device, and/or
  626. .IR UPSPEC "."
  628. .TP
  629. .IR UPSPEC
  630. selects traffic by protocol. For the
  631. .BR tcp ", " udp ", " sctp ", or " dccp
  632. protocols, the source and destination port can optionally be specified.
  633. For the
  634. .BR icmp ", " ipv6-icmp ", or " mobility-header
  635. protocols, the type and code numbers can optionally be specified.
  636. For the
  637. .B gre
  638. protocol, the key can optionally be specified as a dotted-quad or number.
  639. Other protocols can be selected by name or number
  640. .IR PROTO "."
  642. .TP
  643. .I DIR
  644. selects the policy direction as
  645. .BR in ", " out ", or " fwd "."
  647. .TP
  648. .I CTX
  649. sets the security context.
  651. .TP
  652. .I PTYPE
  653. can be
  654. .BR main " (default) or " sub "."
  656. .TP
  657. .I ACTION
  658. can be
  659. .BR allow " (default) or " block "."
  661. .TP
  662. .I PRIORITY
  663. is a number that defaults to zero.
  665. .TP
  666. .I FLAG-LIST
  667. contains one or both of the following optional flags:
  668. .BR local " or " icmp "."
  670. .TP
  671. .I LIMIT-LIST
  672. sets limits in seconds, bytes, or numbers of packets.
  674. .TP
  675. .I TMPL-LIST
  676. is a template list specified using
  677. .IR ID ", " MODE ", " REQID ", and/or " LEVEL ". "
  679. .TP
  680. .IR ID
  681. is specified by a source address, destination address,
  682. .RI "transform protocol " XFRM-PROTO ","
  683. and/or Security Parameter Index
  684. .IR SPI "."
  685. (For IP Payload Compression, the Compression Parameter Index or CPI is used for
  686. .IR SPI ".)"
  688. .TP
  689. .I XFRM-PROTO
  690. specifies a transform protocol:
  691. .RB "IPsec Encapsulating Security Payload (" esp "),"
  692. .RB "IPsec Authentication Header (" ah "),"
  693. .RB "IP Payload Compression (" comp "),"
  694. .RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
  695. .RB "Mobile IPv6 Home Address Option (" hao ")."
  697. .TP
  698. .I MODE
  699. specifies a mode of operation for the transform protocol. IPsec and IP Payload
  700. Compression modes are
  701. .BR transport ", " tunnel ","
  702. and (for IPsec ESP only) Bound End-to-End Tunnel
  703. .RB "(" beet ")."
  704. Mobile IPv6 modes are route optimization
  705. .RB "(" ro ")"
  706. and inbound trigger
  707. .RB "(" in_trigger ")."
  709. .TP
  710. .I LEVEL
  711. can be
  712. .BR required " (default) or " use "."
  714. .sp
  715. .PP
  716. .TS
  717. l l.
  718. ip xfrm policy count	count existing policies
  719. .TE
  721. .PP
  722. Use one or more -s options to display more details, including policy hash table
  723. information.
  725. .sp
  726. .PP
  727. .TS
  728. l l.
  729. ip xfrm policy set	configure the policy hash table
  730. .TE
  732. .PP
  733. Security policies whose address prefix lengths are greater than or equal
  734. policy hash table thresholds are hashed. Others are stored in the
  735. policy_inexact chained list.
  737. .TP
  738. .I LBITS
  739. specifies the minimum local address prefix length of policies that are
  740. stored in the Security Policy Database hash table.
  742. .TP
  743. .I RBITS
  744. specifies the minimum remote address prefix length of policies that are
  745. stored in the Security Policy Database hash table.
  747. .sp
  748. .PP
  749. .TS
  750. l l.
  751. ip xfrm monitor 	state monitoring for xfrm objects
  752. .TE
  754. .PP
  755. The xfrm objects to monitor can be optionally specified.
  757. .P
  758. If the
  759. .BI all-nsid
  760. option is set, the program listens to all network namespaces that have a
  761. nsid assigned into the network namespace were the program is running.
  762. A prefix is displayed to show the network namespace where the message
  763. originates. Example:
  764. .sp
  765. .in +2
  766. [nsid 1]Flushed state proto 0
  767. .in -2
  768. .sp
  770. .SH AUTHOR
  771. Manpage revised by David Ward <david.ward@ll.mit.edu>
  772. .br
  773. Manpage revised by Christophe Gouault <christophe.gouault@6wind.com>
  774. .br
  775. Manpage revised by Nicolas Dichtel <nicolas.dichtel@6wind.com>