The IPsec configuration tool ip xfrm

The ip command supports IPsec configuration through the ip xfrm subcommand. Its man page reads as follows:
IP-XFRM(8)                                                                                   Linux                                                                                   IP-XFRM(8)

NAME
       ip-xfrm - transform configuration

SYNOPSIS
       ip [ OPTIONS ] xfrm { COMMAND | help }

       ip xfrm XFRM-OBJECT { COMMAND | help }

       XFRM-OBJECT := state | policy | monitor

       ip xfrm state { add | update } ID [ ALGO-LIST ] [ mode MODE ] [ mark MARK [ mask MASK ] ] [ reqid REQID ] [ seq SEQ ] [ replay-window SIZE ] [ replay-seq SEQ ] [ replay-oseq SEQ ] [ flag FLAG-LIST ] [ sel SELECTOR ] [ LIMIT-LIST ] [ encap ENCAP ] [ coa ADDR[/PLEN] ] [ ctx CTX ] [ extra-flag EXTRA-FLAG-LIST ]

       ip xfrm state allocspi ID [ mode MODE ] [ mark MARK [ mask MASK ] ] [ reqid REQID ] [ seq SEQ ] [ min SPI max SPI ]

       ip xfrm state { delete | get } ID [ mark MARK [ mask MASK ] ]

       ip xfrm state { deleteall | list } [ ID ] [ mode MODE ] [ reqid REQID ] [ flag FLAG-LIST ]

       ip xfrm state flush [ proto XFRM-PROTO ]

       ip xfrm state count

       ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM-PROTO ] [ spi SPI ]

       XFRM-PROTO := esp | ah | comp | route2 | hao

       ALGO-LIST := [ ALGO-LIST ] ALGO

       ALGO := { enc | auth } ALGO-NAME ALGO-KEYMAT |
               auth-trunc ALGO-NAME ALGO-KEYMAT ALGO-TRUNC-LEN |
               aead ALGO-NAME ALGO-KEYMAT ALGO-ICV-LEN |
               comp ALGO-NAME

       MODE := transport | tunnel | beet | ro | in_trigger

       FLAG-LIST := [ FLAG-LIST ] FLAG

       FLAG := noecn | decap-dscp | nopmtudisc | wildrecv | icmp | af-unspec | align4

       SELECTOR := [ src ADDR[/PLEN] ] [ dst ADDR[/PLEN] ] [ dev DEV ] [ UPSPEC ]

       UPSPEC := proto { PROTO |
                         { tcp | udp | sctp | dccp } [ sport PORT ] [ dport PORT ] |
                         { icmp | ipv6-icmp | mobility-header } [ type NUMBER ] [ code NUMBER ] |
                         gre [ key { DOTTED-QUAD | NUMBER } ] }

       LIMIT-LIST := [ LIMIT-LIST ] limit LIMIT

       ip xfrm policy { delete | get } { SELECTOR | index INDEX } dir DIR [ ctx CTX ] [ mark MARK [ mask MASK ] ] [ ptype PTYPE ]

       ip xfrm policy { deleteall | list } [ SELECTOR ] [ dir DIR ] [ index INDEX ] [ ptype PTYPE ] [ action ACTION ] [ priority PRIORITY ] [ flag FLAG-LIST ]

       ip xfrm policy flush [ ptype PTYPE ]

       ip xfrm policy count

       ip xfrm policy set [ hthresh4 LBITS RBITS ] [ hthresh6 LBITS RBITS ]

       SELECTOR := [ src ADDR[/PLEN] ] [ dst ADDR[/PLEN] ] [ dev DEV ] [ UPSPEC ]

       UPSPEC := proto { PROTO |
                         { tcp | udp | sctp | dccp } [ sport PORT ] [ dport PORT ] |
                         { icmp | ipv6-icmp | mobility-header } [ type NUMBER ] [ code NUMBER ] |
                         gre [ key { DOTTED-QUAD | NUMBER } ] }

       DIR := in | out | fwd

       PTYPE := main | sub

       ACTION := allow | block

       FLAG-LIST := [ FLAG-LIST ] FLAG

       FLAG := localok | icmp

       LIMIT-LIST := [ LIMIT-LIST ] limit LIMIT

       LIMIT := { time-soft | time-hard | time-use-soft | time-use-hard } SECONDS |
                { byte-soft | byte-hard } SIZE |
                { packet-soft | packet-hard } COUNT

       TMPL-LIST := [ TMPL-LIST ] tmpl TMPL

       TMPL := ID [ mode MODE ] [ reqid REQID ] [ level LEVEL ]

       ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM-PROTO ] [ spi SPI ]

       XFRM-PROTO := esp | ah | comp | route2 | hao

       MODE := transport | tunnel | beet | ro | in_trigger

       LEVEL := required | use

       ip xfrm monitor [ all-nsid ] [ all | LISTofXFRM-OBJECTS ]

       LISTofXFRM-OBJECTS := [ LISTofXFRM-OBJECTS ] XFRM-OBJECT

       XFRM-OBJECT := acquire | expire | SA | policy | aevent | report

DESCRIPTION
       ip xfrm state allocspi    allocate an SPI value

       ip xfrm state delete      delete existing state in xfrm

       ip xfrm state get         get existing state in xfrm

       ip xfrm state deleteall   delete all existing state in xfrm

       ip xfrm state list        print out the list of existing state in xfrm

       ip xfrm state flush       flush all state in xfrm

       ip xfrm state count       count all existing state in xfrm

       ID     is specified by a source address, destination address, transform protocol XFRM-PROTO, and/or Security Parameter Index SPI. (For IP Payload Compression, the Compression Parameter Index or CPI is used for SPI.)

       XFRM-PROTO
              specifies a transform protocol: IPsec Encapsulating Security Payload (esp), IPsec Authentication Header (ah), IP Payload Compression (comp), Mobile IPv6 Type 2 Routing Header (route2), or Mobile IPv6 Home Address Option (hao).

       ALGO-LIST
              contains one or more algorithms to use. Each algorithm ALGO is specified by:

              ·   the algorithm type: encryption (enc), authentication (auth or auth-trunc), authenticated encryption with associated data (aead), or compression (comp)

              ·   the algorithm name ALGO-NAME (see below)

              ·   (for all except comp) the keying material ALGO-KEYMAT, which may include both a key and a salt or nonce value; refer to the corresponding RFC

              ·   (for auth-trunc only) the truncation length ALGO-TRUNC-LEN in bits

              ·   (for aead only) the Integrity Check Value length ALGO-ICV-LEN in bits

              Encryption algorithms include ecb(cipher_null), cbc(des), cbc(des3_ede), cbc(cast5), cbc(blowfish), cbc(aes), cbc(serpent), cbc(camellia), cbc(twofish), and rfc3686(ctr(aes)).

              Authentication algorithms include digest_null, hmac(md5), hmac(sha1), hmac(sha256), hmac(sha384), hmac(sha512), hmac(rmd160), and xcbc(aes).

              Authenticated encryption with associated data (AEAD) algorithms include rfc4106(gcm(aes)), rfc4309(ccm(aes)), and rfc4543(gcm(aes)).

              Compression algorithms include deflate, lzs, and lzjh.

       MODE   specifies a mode of operation for the transform protocol. IPsec and IP Payload Compression modes are transport, tunnel, and (for IPsec ESP only) Bound End-to-End Tunnel (beet). Mobile IPv6 modes are route optimization (ro) and inbound trigger (in_trigger).

       FLAG-LIST
              contains one or more of the following optional flags: noecn, decap-dscp, nopmtudisc, wildrecv, icmp,

       LIMIT-LIST
              sets limits in seconds, bytes, or numbers of packets.

       ENCAP  encapsulates packets with protocol espinudp or espinudp-nonike, using source port SPORT, destination port DPORT, and original address OADDR.

       ip xfrm policy add         add a new policy

       ip xfrm policy update      update an existing policy

       ip xfrm policy delete      delete an existing policy

       ip xfrm policy get         get an existing policy

       ip xfrm policy deleteall   delete all existing xfrm policies

       ip xfrm policy list        print out the list of xfrm policies

       ip xfrm policy flush       flush policies

       SELECTOR
              selects the traffic that will be controlled by the policy, based on the source address, the destination address, the network device, and/or UPSPEC.

       UPSPEC selects traffic by protocol. For the tcp, udp, sctp, or dccp protocols, the source and destination port can optionally be specified. For the icmp, ipv6-icmp, or mobility-header protocols, the type and code numbers can optionally be specified. For the gre protocol, the key can optionally be specified as a dotted-quad or number. Other protocols can be selected by name or number PROTO.

       DIR    selects the policy direction as in, out, or fwd.

       CTX    sets the security context.

       PTYPE  can be main (default) or sub.

       ACTION can be allow (default) or block.

       PRIORITY
              is a number that defaults to zero.

       FLAG-LIST
              contains one or both of the following optional flags: localok or icmp.

       LIMIT-LIST
              sets limits in seconds, bytes, or numbers of packets.

       XFRM-PROTO
              specifies a transform protocol: IPsec Encapsulating Security Payload (esp), IPsec Authentication Header (ah), IP Payload Compression (comp), Mobile IPv6 Type 2 Routing Header (route2), or Mobile IPv6 Home Address Option (hao).

       MODE   specifies a mode of operation for the transform protocol. IPsec and IP Payload Compression modes are transport, tunnel, and (for IPsec ESP only) Bound End-to-End Tunnel (beet). Mobile IPv6 modes are route optimization (ro) and inbound trigger (in_trigger).

       LEVEL  can be required (default) or use.

       ip xfrm policy count   count existing policies

              Use one or more -s options to display more details, including policy hash table information.

       ip xfrm policy set   configure the policy hash table

              Security policies whose address prefix lengths are greater than or equal to the policy hash table thresholds are hashed. Others are stored in the policy_inexact chained list.

       LBITS  specifies the minimum local address prefix length of policies that are stored in the Security Policy Database hash table.

       RBITS  specifies the minimum remote address prefix length of policies that are stored in the Security Policy Database hash table.

       ip xfrm monitor   state monitoring for xfrm objects

              The xfrm objects to monitor can be optionally specified.

              If the all-nsid option is set, the program listens to all network namespaces that have a nsid assigned in the network namespace where the program is running. A prefix is displayed to show the network namespace where the message originates. Example:

              [nsid 1]Flushed state proto 0
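The following script is an added example, not part of the man page above: it puts the state and policy syntax to work for a manually keyed ESP transport-mode SA in each direction, with an aead transform, a replay window, a byte-hard limit and level required policies. The addresses, SPIs, reqid and keys are constructed placeholders; commands are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the ip-xfrm man page: a manually keyed ESP
# transport-mode SA per direction plus the matching in/out policies.
# Addresses, SPIs and keys are constructed placeholders. Commands are only
# printed unless APPLY=1 is set (applying needs root and xfrm kernel support).
set -eu

LOCAL=${LOCAL:-192.0.2.10}
PEER=${PEER:-192.0.2.20}
SPI_OUT=${SPI_OUT:-0x1000}
SPI_IN=${SPI_IN:-0x2000}
REQID=${REQID:-7}
# rfc4106(gcm(aes)) keymat is the AES key plus a 4-byte salt: 20 bytes
# (40 hex digits) for AES-128. Each SA needs its own random value, e.g.
# from `openssl rand -hex 20`; the values below are constructed.
KEY_OUT=${KEY_OUT:-0x00112233445566778899aabbccddeeff01020304}
KEY_IN=${KEY_IN:-0xffeeddccbbaa99887766554433221100a0b0c0d0}

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# One SA per direction. replay-window enables anti-replay checking on the
# inbound SA; byte-hard bounds how much traffic one key protects, since a
# manually keyed SA is never rekeyed by an IKE daemon.
xfrm_state_pair() {
    run ip xfrm state add src "$LOCAL" dst "$PEER" proto esp spi "$SPI_OUT" \
        reqid "$REQID" mode transport aead 'rfc4106(gcm(aes))' "$KEY_OUT" 128 \
        limit byte-hard 1073741824
    run ip xfrm state add src "$PEER" dst "$LOCAL" proto esp spi "$SPI_IN" \
        reqid "$REQID" mode transport aead 'rfc4106(gcm(aes))' "$KEY_IN" 128 \
        replay-window 32 limit byte-hard 1073741824
}

# The policy template binds the selector to the SA through reqid; level
# required means matching traffic is dropped, not sent in the clear, if no SA exists.
xfrm_policy_pair() {
    run ip xfrm policy add src "$LOCAL" dst "$PEER" dir out \
        tmpl src "$LOCAL" dst "$PEER" proto esp reqid "$REQID" mode transport level required
    run ip xfrm policy add src "$PEER" dst "$LOCAL" dir in \
        tmpl src "$PEER" dst "$LOCAL" proto esp reqid "$REQID" mode transport level required
}

# -s shows per-SA counters (bytes, packets, replay failures) for verification.
xfrm_show() {
    run ip -s xfrm state list reqid "$REQID"
}

xfrm_state_pair
xfrm_policy_pair
xfrm_show
```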
