ip xfrm

Set up xfrm. xfrm is an IP framework that transforms the format of datagrams, i.e. encrypts (and authenticates) packets with some algorithm. An xfrm state is one security association (SA): the algorithms, keys, SPI and mode for one direction of traffic. An xfrm policy says which traffic must be transformed; policies and states are associated through templates (TMPL-LIST), matched on ID, mode and reqid.
The framework is used as part of the IPsec protocol.

ip xfrm state add - add a new state to xfrm
ip xfrm state update - update an existing xfrm state
ip xfrm state allocspi - allocate an SPI value
ip xfrm policy add - add a new policy
ip xfrm policy update - update an existing policy
ip xfrm policy delete - delete an existing policy
ip xfrm policy get - get an existing policy
ip xfrm policy deleteall - delete all existing xfrm policies
ip xfrm policy list - print out the list of xfrm policies
ip xfrm policy flush - flush policies
ip xfrm monitor - list all objects or a defined group of them.

Syntax

  ip xfrm XFRM_OBJECT { COMMAND }

     XFRM_OBJECT := { state | policy | monitor }

  ip xfrm state { add | update } ID [ ALGO-LIST ] [ mode MODE ] [ reqid REQID ] [ seq SEQ ] [ replay-window SIZE ]
     [ flag FLAG-LIST ] [ encap ENCAP ] [ sel SELECTOR ] [ LIMIT-LIST ]

  ip xfrm state allocspi ID [ mode MODE ] [ reqid REQID ] [ seq SEQ ] [ min SPI max SPI ]

  ip xfrm state { delete | get } ID

  ip xfrm state { deleteall | list } [ ID ] [ mode MODE ] [ reqid REQID ] [ flag FLAG_LIST ]

  ip xfrm state flush [ proto XFRM_PROTO ]

  ip xfrm state count

     ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM_PROTO ] [ spi SPI ]

     XFRM_PROTO := [ esp | ah | comp | route2 | hao ]

     MODE := [ transport | tunnel | ro | beet ] (default=transport)

     FLAG-LIST := [ FLAG-LIST ] FLAG

     FLAG := [ noecn | decap-dscp | wildrecv ]

     ENCAP := ENCAP-TYPE SPORT DPORT OADDR

     ENCAP-TYPE := espinudp | espinudp-nonike

     ALGO-LIST := [ ALGO-LIST ] | [ ALGO ]

     ALGO := ALGO_TYPE ALGO_NAME ALGO_KEY

     ALGO_TYPE := [ enc | auth | comp ]

     SELECTOR := src ADDR[/PLEN] dst ADDR[/PLEN] [ UPSPEC ] [ dev DEV ]

     UPSPEC := proto PROTO [[ sport PORT ] [ dport PORT ] | [ type NUMBER ] [ code NUMBER ]]

     LIMIT-LIST := [ LIMIT-LIST ] | [ limit LIMIT ]

     LIMIT := [ [time-soft|time-hard|time-use-soft|time-use-hard] SECONDS ] |
                 [ [byte-soft|byte-hard] SIZE ] | [ [packet-soft|packet-hard] COUNT ]

  ip xfrm policy { add | update } dir DIR SELECTOR [ index INDEX ]
                    [ ptype PTYPE ] [ action ACTION ] [ priority PRIORITY ]
                       [ LIMIT-LIST ] [ TMPL-LIST ]

  ip xfrm policy { delete | get } dir DIR [ SELECTOR | index INDEX ] [ ptype PTYPE ]

  ip xfrm policy { deleteall | list } [ dir DIR ] [ SELECTOR ] [ index INDEX ]
                    [ action ACTION ] [ priority PRIORITY ]

  ip xfrm policy flush [ ptype PTYPE ]

  ip xfrm policy count

     PTYPE := [ main | sub ] (default=main)

     DIR := [ in | out | fwd ]

     SELECTOR := src ADDR[/PLEN] dst ADDR[/PLEN] [ UPSPEC ] [ dev DEV ]

     UPSPEC := proto PROTO [ [ sport PORT ] [ dport PORT ] |
                  [ type NUMBER ] [ code NUMBER ] ]

     ACTION := [ allow | block ] (default=allow)

     LIMIT-LIST := [ LIMIT-LIST ] | [ limit LIMIT ]

     LIMIT := [ [time-soft|time-hard|time-use-soft|time-use-hard] SECONDS ] |
                 [ [byte-soft|byte-hard] SIZE ] | [ [packet-soft|packet-hard] COUNT ]

     TMPL-LIST := [ TMPL-LIST ] | [ tmpl TMPL ]

     TMPL := ID [ mode MODE ] [ reqid REQID ] [ level LEVEL ]

     ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM_PROTO ] [ spi SPI ]

     XFRM_PROTO := [ esp | ah | comp | route2 | hao ]

     MODE := [ transport | tunnel | beet ] (default=transport)

     LEVEL := [ required | use ] (default=required)

  ip xfrm monitor [ all | LISTofOBJECTS ]

Options



ip xfrm state add - add a new state to xfrm
ip xfrm state update - update an existing xfrm state
ip xfrm state allocspi - allocate an SPI value
   MODE
      defaults to transport, but can be set to tunnel, ro or beet.
   FLAG-LIST
      contains one or more flags
   FLAG
      can be set to noecn, decap-dscp or wildrecv.
   ENCAP
      UDP encapsulation of ESP (for NAT traversal), given as the encapsulation type ENCAP-TYPE, source port SPORT, destination port DPORT and the original address OADDR.
   ENCAP-TYPE
      can be set to espinudp or espinudp-nonike.
   ALGO-LIST
      contains one or more algorithms ALGO. Each ALGO is an algorithm type ALGO_TYPE (enc, auth or comp) followed by the algorithm name and its key; the key is given as 0x-prefixed hex and must have the length the named algorithm requires.


ip xfrm policy add - add a new policy
ip xfrm policy update - update an existing policy
ip xfrm policy delete - delete an existing policy
ip xfrm policy get - get an existing policy
ip xfrm policy deleteall - delete all existing xfrm policies
ip xfrm policy list - print out the list of xfrm policies
ip xfrm policy flush - flush the policy list; either all policies, or only those of the type given with ptype.

   dir DIR
      the direction of the traffic the policy applies to; one of in, out or fwd.
   SELECTOR
      selects the traffic (source and destination addresses, upper-layer protocol and device) the policy applies to
   UPSPEC
      upper-layer protocol specification: proto PROTO with source port sport and destination port dport, or type and code for ICMP
   dev DEV
      specifies the network device.
   index INDEX
      the numeric index of the policy
   ptype PTYPE
      the policy type; defaults to main, can be switched to sub.
   action ACTION
      defaults to allow; can be set to block.
   priority PRIORITY
      the priority is a number; the default priority is zero. A lower number means a higher priority when several policies match.
   LIMIT-LIST
      limits are set in seconds, bytes or number of packets.
   TMPL-LIST
      the list of templates; each template is given by ID, mode, reqid and level.
   ID
      specified by source address, destination address, protocol and SPI value
   XFRM_PROTO
      values: esp, ah, comp, route2 or hao.
   MODE
      defaults to transport, but can be set to tunnel or beet
   LEVEL
      defaults to required (traffic matching the selector is dropped if no matching state exists); the other choice is use (the transform is applied only if a state is available)


ip xfrm command examples:
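The following script is an added example and is not part of the ip-xfrm manual page. It puts the state and policy commands described above together: two manually keyed ESP transport-mode states (one per direction, each with its own SPI), bound to an out and an in policy through a shared reqid, with a replay window and hard byte/time limits so a manual key is never used indefinitely. The addresses, SPIs, reqid and the algorithm names cbc(aes) and hmac(sha256) are assumptions for illustration; auth-trunc (which sets the ICV length to 128 bits as RFC 4868 requires) is an iproute2 keyword not listed in the syntax above. It must run as root on both hosts, with LOCAL and PEER swapped and the same four keys; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the ip-xfrm man page: manually keyed ESP transport
# mode between two hosts. Addresses, SPIs, reqid and algorithm names are
# assumptions. Run as root on both hosts with LOCAL/PEER swapped and the SAME
# four keys; DRY_RUN=1 prints the ip commands instead of executing them.
set -eu

: "${LOCAL:=192.0.2.1}"      # assumed: this host (TEST-NET-1 documentation range)
: "${PEER:=192.0.2.2}"       # assumed: the remote host
: "${SPI_OUT:=0x1001}"       # assumed SPIs; each direction needs its own
: "${SPI_IN:=0x1002}"
: "${REQID:=1}"              # links 'policy ... tmpl reqid' to 'state ... reqid'
: "${DRY_RUN:=0}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Fresh keymat from the kernel CSPRNG as 0x-prefixed hex, the form ip xfrm expects.
gen_key() {  # $1 = key length in bytes
  printf '0x%s' "$(head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n')"
}

# Reject keys of the wrong size before they reach the kernel:
# AES-128-CBC needs a 16-byte key, HMAC-SHA256 (RFC 4868) a 32-byte key.
check_key() {  # $1 = 0xHEX key, $2 = expected length in bytes
  hex=${1#0x}
  [ "${#hex}" -eq $(( $2 * 2 )) ]
}

# One state (SA): ID (src/dst/proto/spi), reqid, mode, ALGO-LIST, replay
# window, and hard limits that retire the SA after 1 GiB or one hour.
add_state() {  # $1 src  $2 dst  $3 spi  $4 enc key  $5 auth key
  check_key "$4" 16 && check_key "$5" 32 || { echo "bad key length" >&2; return 1; }
  run ip xfrm state add src "$1" dst "$2" proto esp spi "$3" reqid "$REQID" \
      mode transport enc 'cbc(aes)' "$4" auth-trunc 'hmac(sha256)' "$5" 128 \
      replay-window 32 limit byte-hard 1073741824 limit time-hard 3600
}

# One policy: dir + SELECTOR + template. 'level required' means traffic that
# matches the selector is dropped, not sent in the clear, if no SA exists.
add_policy() {  # $1 dir (in|out)  $2 src  $3 dst
  run ip xfrm policy add dir "$1" src "$2" dst "$3" \
      tmpl src "$2" dst "$3" proto esp reqid "$REQID" mode transport level required
}

setup_host() {  # $1,$2 = enc/auth key outbound; $3,$4 = enc/auth key inbound
  add_state  "$LOCAL" "$PEER"  "$SPI_OUT" "$1" "$2"
  add_state  "$PEER"  "$LOCAL" "$SPI_IN"  "$3" "$4"
  add_policy out "$LOCAL" "$PEER"
  add_policy in  "$PEER"  "$LOCAL"
}

teardown() {  # remove all policies and all ESP states
  run ip xfrm policy flush
  run ip xfrm state flush proto esp
}

case "${1:-}" in
  apply)
    EK_OUT=$(gen_key 16); AK_OUT=$(gen_key 32)
    EK_IN=$(gen_key 16);  AK_IN=$(gen_key 32)
    setup_host "$EK_OUT" "$AK_OUT" "$EK_IN" "$AK_IN"
    # The peer installs the same keys with in/out swapped. Transfer them over a
    # secure channel; they are printed here only so they can be copied.
    printf 'peer: setup_host %s %s %s %s\n' "$EK_IN" "$AK_IN" "$EK_OUT" "$AK_OUT"
    ;;
  teardown) teardown ;;
esac
```

Verify the result with ip xfrm state list and ip xfrm policy list; the state listing prints the keys, which is one reason manual keying belongs in a lab rather than production (keys also end up in the shell history and, briefly, in the process list). Where a NAT sits between the hosts, add encap espinudp SPORT DPORT OADDR to each state; for anything long-lived, let an IKE daemon negotiate and rekey the states instead.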
