[PATCH] man ip.8 miss xfrm option


 



I was asked to at least mention the xfrm option in the ip manual. I added all usage into ip.8 and tried to write some basic information about xfrm. If someone wants to complete it, I'll be happy.

Marcela Maslanova
a16304c0cdbdbc8926b112743b4bd49069a50cd7
 man/man8/ip.8 |  474 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 474 insertions(+), 0 deletions(-)

diff --git a/man/man8/ip.8 b/man/man8/ip.8
index 136448c..d706ac6 100644
--- a/man/man8/ip.8
+++ b/man/man8/ip.8
@@ -335,6 +335,313 @@ throw " | " unreachable " | " prohibit " | " blackhole " | " nat " ]"
 .ti -8
 .BR "ip monitor" " [ " all " |"
 .IR LISTofOBJECTS " ]"
+
+.ti -8
+.BR "ip xfrm"
+.IR XFRM_OBJECT " { " COMMAND " }"
+
+.ti -8
+.IR XFRM_OBJECT " := { " state " | " policy " | " monitor " } "
+
+.ti -8
+.BR "ip xfrm state " { " add " | " update " } " 
+.IR ID " [ " 
+.IR XFRM_OPT " ] "
+.RB " [ " mode 
+.IR MODE " ] "
+.br
+.RB " [ " reqid 
+.IR REQID " ] "
+.RB " [ " seq 
+.IR SEQ " ] " 
+.RB " [ " replay-window 
+.IR SIZE " ] "
+.br
+.RB " [ " flag 
+.IR FLAG-LIST " ] "
+.RB " [ " encap 
+.IR ENCAP " ] "
+.RB " [ " sel 
+.IR SELECTOR " ] "
+.br
+.RB " [ "
+.IR LIMIT-LIST " ] "
+
+.ti -8
+.BR "ip xfrm state allocspi " 
+.IR ID 
+.RB " [ " mode
+.IR MODE " ] " 
+.RB " [ " reqid 
+.IR REQID " ] "
+.RB " [ " seq 
+.IR SEQ " ] "
+.RB " [ " min 
+.IR SPI 
+.B max 
+.IR SPI " ] "
+
+.ti -8
+.BR "ip xfrm state" " { " delete " | " get " } "
+.IR ID
+
+.ti -8
+.BR "ip xfrm state" " { " deleteall " | " list " } [ " 
+.IR ID " ] " 
+.RB " [ " mode 
+.IR MODE " ] "
+.br
+.RB " [ " reqid 
+.IR REQID " ] "
+.RB " [ " flag 
+.IR FLAG_LIST " ] "
+
+.ti -8
+.BR "ip xfrm state flush" " [ " proto 
+.IR XFRM_PROTO " ] "
+
+.ti -8
+.BR "ip xfrm state count"
+
+.ti -8
+.IR ID " := "
+.RB " [ " src 
+.IR ADDR " ] " 
+.RB " [ " dst 
+.IR ADDR " ] " 
+.RB " [ " proto 
+.IR XFRM_PROTO " ] " 
+.RB " [ " spi 
+.IR SPI " ] "
+
+.ti -8
+.IR XFRM_PROTO " := " 
+.RB " [ " esp " | " ah " | " comp " | " route2 " | " hao " ] "
+
+.ti -8
+.IR MODE " := " 
+.RB " [ " transport " | " tunnel " | " ro " | " beet " ] "
+.b (default=transport)
+
+.ti -8
+.IR FLAG-LIST " := " 
+.RI " [ " FLAG-LIST " ] " FLAG
+
+.ti -8
+.IR FLAG " := " 
+.RB " [ " noecn " | " decap-dscp " | " wildrecv " ] "
+
+.ti -8
+.IR ENCAP " := " ENCAP-TYPE " " SPORT " " DPORT " " OADDR
+
+.ti -8
+.IR ENCAP-TYPE " := " 
+.B espinudp 
+.RB " | " 
+.B espinudp-nonike
+
+.ti -8
+.IR ALGO-LIST " := [ " 
+.IR ALGO-LIST " ] | [ " 
+.IR ALGO " ] "
+
+.ti -8
+.IR ALGO " := " 
+.IR ALGO_TYPE 
+.IR ALGO_NAME 
+.IR ALGO_KEY
+
+.ti -8
+.IR ALGO_TYPE " := " 
+.RB " [ " enc " | " auth " | " comp " ] "
+
+.ti -8
+.IR SELECTOR " := " 
+.B src 
+.IR ADDR "[/" PLEN "]"
+.B dst 
+.IR ADDR "[/" PLEN "]" 
+.RI " [ " UPSPEC " ] " 
+.RB " [ " dev 
+.IR DEV " ] "
+
+.ti -8
+.IR UPSPEC " := " 
+.B proto 
+.IR PROTO " [[ "
+.B sport 
+.IR PORT " ] " 
+.RB " [ " dport 
+.IR PORT " ] | "
+.br
+.RB " [ " type 
+.IR NUMBER " ] " 
+.RB " [ " code 
+.IR NUMBER " ]] "
+
+.ti -8
+.IR LIMIT-LIST " := [ " LIMIT-LIST " ] |" 
+.RB " [ "limit 
+.IR LIMIT " ] "
+
+.ti -8
+.IR LIMIT " := " 
+.RB " [ [" time-soft "|" time-hard "|" time-use-soft "|" time-use-hard "]"
+.IR SECONDS " ] | "
+.RB "[ ["byte-soft "|" byte-hard "]" 
+.IR SIZE " ] | "
+.br
+.RB " [ ["packet-soft "|" packet-hard "]" 
+.IR COUNT " ] "
+
+.ti -8
+.BR "ip xfrm policy" " { " add " | " update " } " " dir "
+.IR DIR
+.IR SELECTOR " [ "
+.BR index 
+.IR INDEX " ] "
+.br
+.RB " [ " ptype 
+.IR PTYPE " ] "
+.RB " [ " action 
+.IR ACTION " ] "
+.RB " [ " priority 
+.IR PRIORITY " ] "
+.br
+.RI " [ " LIMIT-LIST " ] [ "
+.IR TMPL-LIST " ] "
+
+.ti -8 
+.BR "ip xfrm policy" " { " delete " | " get " } " " dir "
+.IR DIR " [ " SELECTOR " | " 
+.BR index 
+.IR INDEX 
+.RB " ] "
+.br
+.RB " [ " ptype 
+.IR PTYPE " ] "
+
+.ti -8 
+.BR "ip xfrm policy" " { " deleteall " | " list " } " 
+.RB " [ " dir 
+.IR DIR " ] [ " 
+.IR SELECTOR " ] "
+.br
+.RB " [ " index 
+.IR INDEX " ] "
+.RB " [ " action 
+.IR ACTION " ] " 
+.RB " [ " priority 
+.IR PRIORITY " ] "
+
+.ti -8 
+.B "ip xfrm policy flush" 
+.RB " [ " ptype 
+.IR PTYPE " ] "
+
+.ti -8 
+.B "ip xfrm count"
+
+.ti -8
+.IR PTYPE " := " 
+.RB " [ " main " | " sub " ] "
+.b (default=main)
+
+.ti -8
+.IR DIR " := " 
+.RB " [ " in " | " out " | " fwd " ] "
+
+.ti -8
+.IR SELECTOR " := "
+.B src 
+.IR ADDR "[/" PLEN "]"
+.B dst 
+.IR ADDR "[/" PLEN] " [ " UPSPEC 
+.RB " ] [ " dev
+.IR DEV " ] "
+
+.ti -8
+.IR UPSPEC " := " 
+.B proto 
+.IR PROTO " [ "
+.RB " [ " sport 
+.IR PORT " ] "
+.RB " [ " dport 
+.IR PORT " ] | "
+.br
+.RB " [ " type 
+.IR NUMBER " ] "
+.RB " [ " code 
+.IR NUMBER " ] ] "
+
+.ti -8
+.IR ACTION " := " 
+.RB " [ " allow " | " block " ]"
+.b (default=allow)
+
+.ti -8
+.IR LIMIT-LIST " := "
+.RB " [ " 
+.IR LIMIT-LIST " ] | "
+.RB " [ " limit 
+.IR LIMIT " ] "
+
+.ti -8
+.IR LIMIT " := "
+.RB " [ [" time-soft "|" time-hard "|" time-use-soft "|" time-use-hard "]" 
+.IR SECONDS " ] | "
+.RB " [ [" byte-soft "|" byte-hard "]"
+.IR SIZE " ] | "
+.br [ " 
+.RB "[" packet-soft "|" packet-hard "]"
+.IR NUMBER " ] "
+
+.ti -8
+.IR TMPL-LIST " := "
+.b " [ " 
+.IR TMPL-LIST " ] | "
+.RB " [ " tmpl 
+.IR TMPL " ] "
+
+.ti -8
+.IR TMPL " := "
+.IR ID " [ "
+.B mode 
+.IR MODE " ] "
+.RB " [ " reqid
+.IR REQID " ] "
+.RB " [ " level
+.IR LEVEL " ] "
+
+.ti -8
+.IR ID " := "
+.RB " [ " src 
+.IR ADDR " ] "
+.RB " [ " dst
+.IR ADDR " ] "
+.RB " [ " proto
+.IR XFRM_PROTO " ] "
+.RB " [ " spi 
+.IR SPI " ] "
+
+.ti -8
+.IR XFRM_PROTO " := "
+.RB " [ " esp " | " ah " | " comp " | " route2 " | " hao " ] "
+
+.ti -8
+.IR MODE " := "
+.RB " [ " transport " | " tunnel " | " beet " ] "
+.b (default=transport)
+
+.ti -8
+.IR LEVEL " := " 
+.RB " [ " required " | " use " ] "
+.b (default=required)
+
+.ti -8
+.BR "ip xfrm monitor" " [ " all " | "
+.IR LISTofOBJECTS " ] "
+
 .in -8
 .ad b
 
@@ -444,6 +751,10 @@ host addresses.
 .B tunnel
 - tunnel over IP.
 
+.TP
+.B xfrm
+- framework for IPsec protocol.
+
 .PP
 The names of all objects may be written in full or
 abbreviated form, f.e.
@@ -1868,6 +2179,169 @@ at any time.
 It prepends the history with the state snapshot dumped at the moment
 of starting.
 
+.SH ip xfrm - setting xfrm
+xfrm is an IP framework, which can transform format of the datagrams,
+.br
+i.e. encrypt the packets with some algorithm. xfrm policy and xfrm state
+are associated through templates
+.IR TMPL_LIST "."
+This framework is used as a part of IPsec protocol.
+
+.SS ip xfrm state add - add new state into xfrm
+
+.SS ip xfrm state update - update existing xfrm state
+
+.SS ip xfrm state allocspi - allocate SPI value
+
+.TP
+.I MODE
+is set as default to
+.BR transport ","
+but it could be set to
+.BR tunnel "," ro " or " beet "."
+
+.TP
+.I FLAG-LIST
+contains one or more flags.
+
+.TP
+.I FLAG
+could be set to
+.BR noecn ", " decap-dscp " or " wildrecv "."
+
+.TP
+.I ENCAP
+encapsulation is set to encapsulation type
+.IR ENCAP-TYPE ", source port " SPORT ", destination port "  DPORT " and " OADDR "."
+
+.TP
+.I ENCAP-TYPE
+could be set to
+.BR espinudp " or " espinudp-nonike "."
+
+.TP
+.I ALGO-LIST
+contains one or more algorithms
+.I ALGO
+which depend on the type of algorithm set by
+.IR ALGO_TYPE "."
+It can be used these algoritms
+.BR enc ", " auth " or " comp "."
+
+.SS ip xfrm policy add - add a new policy
+
+.SS ip xfrm policy update - update an existing policy
+
+.SS ip xfrm policy delete - delete existing policy
+
+.SS ip xfrm policy get - get existing policy
+
+.SS ip xfrm policy deleteall - delete all existing xfrm policy
+
+.SS ip xfrm policy list - print out the list of xfrm policy
+
+.SS ip xfrm policy flush - flush policies
+It can be flush
+.BR all
+policies or only those specified with
+.BR ptype "."
+
+.TP
+.BI dir " DIR "
+directory could be one of these: 
+.BR "inp", " out " or " fwd".
+
+.TP
+.IR SELECTOR
+selects for which addresses will be set up the policy. The selector
+is defined by source and destination address.
+
+.TP
+.IR UPSPEC
+is defined by source port 
+.BR sport ", "
+destination port 
+.BR dport ", " type
+as number and
+.B code
+also number.
+
+.TP
+.BI dev " DEV "
+specify network device.
+
+.TP
+.BI index " INDEX "
+the number of indexed policy.
+
+.TP
+.BI ptype " PTYPE "
+type is set as default on
+.BR "main" ,
+could be switch on
+.BR "sub" .
+
+.TP
+.BI action " ACTION "
+is set as default on
+.BR "allow".
+It could be switch on
+.BR "block".
+
+.TP
+.BI priority " PRIORITY "
+priority is a number. Default priority is set on zero.
+
+.TP
+.IR LIMIT-LIST
+limits are set in seconds, bytes or numbers of packets.
+
+.TP
+.IR TMPL-LIST
+template list is based on
+.IR ID ","
+.BR mode ", " reqid " and " level ". "
+
+.TP
+.IR ID
+is specified by source address, destination address,
+.I proto
+and value of
+.IR spi "."
+
+.TP
+.IR XFRM_PROTO
+values: 
+.BR esp ", " ah ", " comp ", " route2 " or " hao "."
+
+.TP
+.IR MODE
+is set as default on
+.BR transport ","
+but it could be set on
+.BR tunnel " or " beet "."
+
+.TP
+.IR LEVEL
+is set as default on
+.BR required
+and the other choice is
+.BR use "."
+
+.TP
+.IR UPSPEC
+is specified by 
+.BR sport ", "
+.BR dport ", " type 
+and 
+.B code 
+(NUMBER).
+
+.SS ip xfrm monitor - is used for listing all objects or defined group of them.
+The 
+.B xfrm monitor
+can monitor the policies for all objects or defined group of them.
+
 .SH HISTORY
 .B ip
 was written by Alexey N. Kuznetsov and added in Linux 2.2.

