{
    "content": [
        {
            "type": "text",
            "text": "# ip-xfrm (man)\n\n## NAME\n\nip-xfrm - transform configuration\n\n## SYNOPSIS\n\nip [ OPTIONS ] xfrm  { COMMAND | help }\nip xfrm XFRM-OBJECT { COMMAND | help }\nXFRM-OBJECT := state | policy | monitor\nip xfrm state { add | update } ID [ ALGO-LIST ] [ mode MODE ] [ mark MARK [ mask MASK ] ] [\nreqid REQID ] [ seq SEQ ] [ replay-window SIZE ] [ replay-seq SEQ ] [ replay-oseq SEQ\n] [ replay-seq-hi SEQ ] [ replay-oseq-hi SEQ ] [ flag FLAG-LIST ] [ sel SELECTOR ] [\nLIMIT-LIST ] [ encap ENCAP ] [ coa ADDR[/PLEN] ] [ ctx CTX ] [ extra-flag EXTRA-FLAG-\nLIST ] [ output-mark OUTPUT-MARK [ mask MASK ] ] [ ifid IF-ID ] [ tfcpad LENGTH ]\nip xfrm state allocspi ID [ mode MODE ] [ mark MARK [ mask MASK ] ] [ reqid REQID ] [ seq SEQ\n] [ min SPI max SPI ]\nip xfrm state { delete | get } ID [ mark MARK [ mask MASK ] ]\nip [ -4 | -6 ] xfrm state deleteall [ ID ] [ mode MODE ] [ reqid REQID ] [ flag FLAG-LIST ]\nip [ -4 | -6 ] xfrm state list [ ID ] [ nokeys ] [ mode MODE ] [ reqid REQID ] [ flag FLAG-\nLIST ]\nip xfrm state flush [ proto XFRM-PROTO ]\n\n## DESCRIPTION\n\nxfrm  is  an  IP framework for transforming packets (such as encrypting their payloads). This\nframework is used to implement the IPsec protocol suite (with the state object  operating  on\nthe  Security  Association  Database,  and the policy object operating on the Security Policy\nDatabase). It is also used for the IP Payload Compression Protocol  and  features  of  Mobile\nIPv6.\n\n## Sections\n\n- **NAME**\n- **SYNOPSIS** (2 subsections)\n- **DESCRIPTION**\n- **AUTHOR**\n\nUse structuredContent.sections for detailed options, examples, and full documentation.\n"
        }
    ],
    "structuredContent": {
        "command": "ip-xfrm",
        "section": "",
        "mode": "man",
        "summary": "ip-xfrm - transform configuration",
        "synopsis": "ip [ OPTIONS ] xfrm  { COMMAND | help }\nip xfrm XFRM-OBJECT { COMMAND | help }\nXFRM-OBJECT := state | policy | monitor\nip xfrm state { add | update } ID [ ALGO-LIST ] [ mode MODE ] [ mark MARK [ mask MASK ] ] [\nreqid REQID ] [ seq SEQ ] [ replay-window SIZE ] [ replay-seq SEQ ] [ replay-oseq SEQ\n] [ replay-seq-hi SEQ ] [ replay-oseq-hi SEQ ] [ flag FLAG-LIST ] [ sel SELECTOR ] [\nLIMIT-LIST ] [ encap ENCAP ] [ coa ADDR[/PLEN] ] [ ctx CTX ] [ extra-flag EXTRA-FLAG-\nLIST ] [ output-mark OUTPUT-MARK [ mask MASK ] ] [ ifid IF-ID ] [ tfcpad LENGTH ]\nip xfrm state allocspi ID [ mode MODE ] [ mark MARK [ mask MASK ] ] [ reqid REQID ] [ seq SEQ\n] [ min SPI max SPI ]\nip xfrm state { delete | get } ID [ mark MARK [ mask MASK ] ]\nip [ -4 | -6 ] xfrm state deleteall [ ID ] [ mode MODE ] [ reqid REQID ] [ flag FLAG-LIST ]\nip [ -4 | -6 ] xfrm state list [ ID ] [ nokeys ] [ mode MODE ] [ reqid REQID ] [ flag FLAG-\nLIST ]\nip xfrm state flush [ proto XFRM-PROTO ]",
        "tldr_summary": null,
        "tldr_examples": [],
        "tldr_source": null,
        "flags": [],
        "examples": [],
        "see_also": [],
        "section_outline": [
            {
                "name": "NAME",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "SYNOPSIS",
                "lines": 27,
                "subsections": [
                    {
                        "name": "ip xfrm state count",
                        "lines": 49
                    },
                    {
                        "name": "ip xfrm policy count",
                        "lines": 46
                    }
                ]
            },
            {
                "name": "DESCRIPTION",
                "lines": 210,
                "subsections": []
            },
            {
                "name": "AUTHOR",
                "lines": 7,
                "subsections": []
            }
        ],
        "sections": {
            "NAME": {
                "content": "ip-xfrm - transform configuration\n",
                "subsections": []
            },
            "SYNOPSIS": {
                "content": "ip [ OPTIONS ] xfrm  { COMMAND | help }\n\n\nip xfrm XFRM-OBJECT { COMMAND | help }\n\n\nXFRM-OBJECT := state | policy | monitor\n\n\nip xfrm state { add | update } ID [ ALGO-LIST ] [ mode MODE ] [ mark MARK [ mask MASK ] ] [\nreqid REQID ] [ seq SEQ ] [ replay-window SIZE ] [ replay-seq SEQ ] [ replay-oseq SEQ\n] [ replay-seq-hi SEQ ] [ replay-oseq-hi SEQ ] [ flag FLAG-LIST ] [ sel SELECTOR ] [\nLIMIT-LIST ] [ encap ENCAP ] [ coa ADDR[/PLEN] ] [ ctx CTX ] [ extra-flag EXTRA-FLAG-\nLIST ] [ output-mark OUTPUT-MARK [ mask MASK ] ] [ ifid IF-ID ] [ tfcpad LENGTH ]\n\nip xfrm state allocspi ID [ mode MODE ] [ mark MARK [ mask MASK ] ] [ reqid REQID ] [ seq SEQ\n] [ min SPI max SPI ]\n\nip xfrm state { delete | get } ID [ mark MARK [ mask MASK ] ]\n\nip [ -4 | -6 ] xfrm state deleteall [ ID ] [ mode MODE ] [ reqid REQID ] [ flag FLAG-LIST ]\n\nip [ -4 | -6 ] xfrm state list [ ID ] [ nokeys ] [ mode MODE ] [ reqid REQID ] [ flag FLAG-\nLIST ]\n\nip xfrm state flush [ proto XFRM-PROTO ]\n",
                "subsections": [
                    {
                        "name": "ip xfrm state count",
                        "content": "ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM-PROTO ] [ spi SPI ]\n\nXFRM-PROTO := esp | ah | comp | route2 | hao\n\nALGO-LIST := [ ALGO-LIST ] ALGO\n\nALGO := { enc | auth } ALGO-NAME ALGO-KEYMAT |\nauth-trunc ALGO-NAME ALGO-KEYMAT ALGO-TRUNC-LEN |\naead ALGO-NAME ALGO-KEYMAT ALGO-ICV-LEN |\ncomp ALGO-NAME\n\nMODE := transport | tunnel | beet | ro | intrigger\n\nFLAG-LIST := [ FLAG-LIST ] FLAG\n\nFLAG := noecn | decap-dscp | nopmtudisc | wildrecv | icmp | af-unspec | align4 | esn\n\nSELECTOR := [ src ADDR[/PLEN] ] [ dst ADDR[/PLEN] ] [ dev DEV ]\n[ UPSPEC ]\n\nUPSPEC := proto { PROTO |\n{ tcp | udp | sctp | dccp } [ sport PORT ] [ dport PORT ] |\n{ icmp | ipv6-icmp | mobility-header } [ type NUMBER ] [ code NUMBER ] |\ngre [ key { DOTTED-QUAD | NUMBER } ] }\n\nLIMIT-LIST := [ LIMIT-LIST ] limit LIMIT\n\nLIMIT := { time-soft | time-hard | time-use-soft | time-use-hard } SECONDS |\n{ byte-soft | byte-hard } SIZE |\n{ packet-soft | packet-hard } COUNT\n\nENCAP := { espinudp | espinudp-nonike | espintcp } SPORT DPORT OADDR\n\nEXTRA-FLAG-LIST := [ EXTRA-FLAG-LIST ] EXTRA-FLAG\n\nEXTRA-FLAG := dont-encap-dscp | oseq-may-wrap\n\nip xfrm policy { add | update } SELECTOR dir DIR [ ctx CTX ] [ mark MARK [ mask MASK ] ] [\nindex INDEX ] [ ptype PTYPE ] [ action ACTION ] [ priority PRIORITY ] [ flag FLAG-\nLIST ] [ ifid IF-ID ] [ LIMIT-LIST ] [ TMPL-LIST ]\n\nip xfrm policy { delete | get } { SELECTOR | index INDEX } dir DIR [ ctx CTX ] [ mark MARK [\nmask MASK ] ] [ ptype PTYPE ] [ ifid IF-ID ]\n\nip [ -4 | -6 ] xfrm policy { deleteall | list } [ nosock ] [ SELECTOR ] [ dir DIR ] [ index\nINDEX ] [ ptype PTYPE ] [ action ACTION ] [ priority PRIORITY ] [ flag FLAG-LIST]\n\nip xfrm policy flush [ ptype PTYPE ]\n"
                    },
                    {
                        "name": "ip xfrm policy count",
                        "content": "ip xfrm policy set [ hthresh4 LBITS RBITS ] [ hthresh6 LBITS RBITS ]\n\nSELECTOR := [ src ADDR[/PLEN] ] [ dst ADDR[/PLEN] ] [ dev DEV ] [ UPSPEC ]\n\nUPSPEC := proto { PROTO |\n{ tcp | udp | sctp | dccp } [ sport PORT ] [ dport PORT ] |\n{ icmp | ipv6-icmp | mobility-header } [ type NUMBER ] [ code NUMBER ] |\ngre [ key { DOTTED-QUAD | NUMBER } ] }\n\nDIR := in | out | fwd\n\nPTYPE := main | sub\n\nACTION := allow | block\n\nFLAG-LIST := [ FLAG-LIST ] FLAG\n\nFLAG := localok | icmp\n\nLIMIT-LIST := [ LIMIT-LIST ] limit LIMIT\n\nLIMIT := { time-soft | time-hard | time-use-soft | time-use-hard } SECONDS |\n{ byte-soft | byte-hard } SIZE |\n{ packet-soft | packet-hard } COUNT\n\nTMPL-LIST := [ TMPL-LIST ] tmpl TMPL\n\nTMPL := ID [ mode MODE ] [ reqid REQID ] [ level LEVEL ]\n\nID := [ src ADDR ] [ dst ADDR ] [ proto XFRM-PROTO ] [ spi SPI ]\n\nXFRM-PROTO := esp | ah | comp | route2 | hao\n\nMODE := transport | tunnel | beet | ro | intrigger\n\nLEVEL := required | use\n\nip xfrm monitor [ all-nsid ] [ nokeys ] [ all\n| LISTofXFRM-OBJECTS ]\n\nLISTofXFRM-OBJECTS := [ LISTofXFRM-OBJECTS ] XFRM-OBJECT\n\nXFRM-OBJECT := acquire | expire | SA | policy | aevent | report\n\n\n"
                    }
                ]
            },
            "DESCRIPTION": {
                "content": "xfrm is an IP framework for transforming packets (such as encrypting their payloads). This framework is used to implement the IPsec protocol suite (with the state object operating on the Security Association Database, and the policy object operating on the Security Policy Database). It is also used for the IP Payload Compression Protocol and features of Mobile IPv6.\n\n\nip xfrm state add         add new state into xfrm\nip xfrm state update      update existing state in xfrm\nip xfrm state allocspi    allocate an SPI value\nip xfrm state delete      delete existing state in xfrm\nip xfrm state get         get existing state in xfrm\nip xfrm state deleteall   delete all existing state in xfrm\nip xfrm state list        print out the list of existing state in xfrm\nip xfrm state flush       flush all state in xfrm\nip xfrm state count       count all existing state in xfrm\n\n\nID     is specified by a source address, destination address, transform protocol XFRM-PROTO, and/or Security Parameter Index SPI. (For IP Payload Compression, the Compression Parameter Index or CPI is used for SPI.)\n\n\nXFRM-PROTO\nspecifies a transform protocol: IPsec Encapsulating Security Payload (esp), IPsec Authentication Header (ah), IP Payload Compression (comp), Mobile IPv6 Type 2 Routing Header (route2), or Mobile IPv6 Home Address Option (hao).\n\n\nALGO-LIST\ncontains one or more algorithms to use. Each algorithm ALGO is specified by:\n\n•      the algorithm type: encryption (enc), authentication (auth or auth-trunc), authenticated encryption with associated data (aead), or compression (comp)\n\n•      the algorithm name ALGO-NAME (see below)\n\n•      (for all except comp) the keying material ALGO-KEYMAT, which may include both a key and a salt or nonce value; refer to the corresponding RFC\n\n•      (for auth-trunc only) the truncation length ALGO-TRUNC-LEN in bits\n\n•      (for aead only) the Integrity Check Value length ALGO-ICV-LEN in bits\n\nEncryption algorithms include ecb(ciphernull), cbc(des), cbc(des3ede), cbc(cast5), cbc(blowfish), cbc(aes), cbc(serpent), cbc(camellia), cbc(twofish), and rfc3686(ctr(aes)).\n\nAuthentication algorithms include digestnull, hmac(md5), hmac(sha1), hmac(sha256), hmac(sha384), hmac(sha512), hmac(rmd160), and xcbc(aes).\n\nAuthenticated encryption with associated data (AEAD) algorithms include rfc4106(gcm(aes)), rfc4309(ccm(aes)), and rfc4543(gcm(aes)).\n\nCompression algorithms include deflate, lzs, and lzjh.\n\n\nMODE   specifies a mode of operation for the transform protocol. IPsec and IP Payload Compression modes are transport, tunnel, and (for IPsec ESP only) Bound End-to-End Tunnel (beet). Mobile IPv6 modes are route optimization (ro) and inbound trigger (intrigger).\n\n\nFLAG-LIST\ncontains one or more of the following optional flags: noecn, decap-dscp, nopmtudisc, wildrecv, icmp, af-unspec, align4, or esn.\n\n\nSELECTOR\nselects the traffic that will be controlled by the policy, based on the source address, the destination address, the network device, and/or UPSPEC.\n\n\nUPSPEC selects traffic by protocol. For the tcp, udp, sctp, or dccp protocols, the source and destination port can optionally be specified. For the icmp, ipv6-icmp, or mobility-header protocols, the type and code numbers can optionally be specified. For the gre protocol, the key can optionally be specified as a dotted-quad or number. Other protocols can be selected by name or number PROTO.\n\n\nLIMIT-LIST\nsets limits in seconds, bytes, or numbers of packets.\n\n\nENCAP  encapsulates packets with protocol espinudp, espinudp-nonike, or espintcp, using source port SPORT, destination port DPORT, and original address OADDR.\n\n\nMARK   is used to match xfrm policies and states.\n\n\nOUTPUT-MARK\nis used to set the output mark to influence the routing of the packets emitted by the state.\n\n\nIF-ID  is the xfrm interface identifier used in both xfrm policies and states.\n\n\n\nip xfrm policy add         add a new policy\nip xfrm policy update      update an existing policy\nip xfrm policy delete      delete an existing policy\nip xfrm policy get         get an existing policy\nip xfrm policy deleteall   delete all existing xfrm policies\nip xfrm policy list        print out the list of xfrm policies\nip xfrm policy flush       flush policies\n\n\nnosock filters (removes) all socket policies from the output.\n\n\nSELECTOR\nselects the traffic that will be controlled by the policy, based on the source address, the destination address, the network device, and/or UPSPEC.\n\n\nUPSPEC selects traffic by protocol. For the tcp, udp, sctp, or dccp protocols, the source and destination port can optionally be specified. For the icmp, ipv6-icmp, or mobility-header protocols, the type and code numbers can optionally be specified. For the gre protocol, the key can optionally be specified as a dotted-quad or number. Other protocols can be selected by name or number PROTO.\n\n\nDIR    selects the policy direction as in, out, or fwd.\n\n\nCTX    sets the security context.\n\n\nPTYPE  can be main (default) or sub.\n\n\nACTION can be allow (default) or block.\n\n\nPRIORITY\nis a number that defaults to zero.\n\n\nFLAG-LIST\ncontains one or both of the following optional flags: localok or icmp.\n\n\nLIMIT-LIST\nsets limits in seconds, bytes, or numbers of packets.\n\n\nTMPL-LIST\nis a template list specified using ID, MODE, REQID, and/or LEVEL.\n\n\nID     is specified by a source address, destination address, transform protocol XFRM-PROTO, and/or Security Parameter Index SPI. (For IP Payload Compression, the Compression Parameter Index or CPI is used for SPI.)\n\n\nXFRM-PROTO\nspecifies a transform protocol: IPsec Encapsulating Security Payload (esp), IPsec Authentication Header (ah), IP Payload Compression (comp), Mobile IPv6 Type 2 Routing Header (route2), or Mobile IPv6 Home Address Option (hao).\n\n\nMODE   specifies a mode of operation for the transform protocol. IPsec and IP Payload Compression modes are transport, tunnel, and (for IPsec ESP only) Bound End-to-End Tunnel (beet). Mobile IPv6 modes are route optimization (ro) and inbound trigger (intrigger).\n\n\nLEVEL  can be required (default) or use.\n\n\n\nip xfrm policy count   count existing policies\n\n\nUse one or more -s options to display more details, including policy hash table information.\n\n\n\nip xfrm policy set   configure the policy hash table\n\n\nSecurity policies whose address prefix lengths are greater than or equal to the policy hash table thresholds are hashed. Others are stored in the policy inexact chained list.\n\n\nLBITS  specifies the minimum local address prefix length of policies that are stored in the Security Policy Database hash table.\n\n\nRBITS  specifies the minimum remote address prefix length of policies that are stored in the Security Policy Database hash table.\n\n\n\nip xfrm monitor    state monitoring for xfrm objects\n\n\nThe xfrm objects to monitor can be optionally specified.\n\n\nIf the all-nsid option is set, the program listens to all network namespaces that have an nsid assigned in the network namespace where the program is running. A prefix is displayed to show the network namespace where the message originates. Example:\n\n[nsid 1]Flushed state proto 0\n\n\n",
                "subsections": []
            },
            "AUTHOR": {
                "content": "Manpage revised by David Ward <david.ward@ll.mit.edu>\nManpage revised by Christophe Gouault <christophe.gouault@6wind.com>\nManpage revised by Nicolas Dichtel <nicolas.dichtel@6wind.com>\n\n\n\niproute2                                     20 Dec 2011                                  IP-XFRM(8)",
                "subsections": []
            }
        }
    }
}
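Manual keying with the `ip xfrm state` and `ip xfrm policy` commands described above, as an added example that is not part of the man page or of iproute2: a POSIX shell script that checks the ALGO-KEYMAT length for the one AEAD it allows (rfc4106(gcm(aes)) with a 128-bit ICV, where the keymat is the AES key plus the 4-byte salt), refuses the null, DES and MD5 names the man page lists, emits the four commands for a transport-mode ESP pair with `flag esn`, a replay window and hard lifetime limits, and only executes them when APPLY=1 is set and the caller has CAP_NET_ADMIN. The helper names, the allowed-algorithm table, the addresses, SPIs, reqid and limits are this example's assumptions, not anything the man page prescribes.

```shell
#!/bin/sh
# Added example, not part of the iproute2 man page: build, sanity-check and
# (only with APPLY=1, which needs CAP_NET_ADMIN) install a manually keyed
# transport-mode ESP SA pair with the matching in/out policies. The helper
# names are hypothetical; the addresses, SPIs and reqid at the bottom are
# constructed (RFC 5737 documentation ranges).
set -u

# Bytes of ALGO-KEYMAT accepted per algorithm name. This is a local policy
# choice (AES-256 variants and SHA-2 HMACs only); null, DES, Blowfish, MD5 and
# the rest are refused. For the GCM/GMAC names the keymat is the 32-byte key
# plus the 4-byte salt that RFC 4106 / RFC 4543 require, hence 36.
keymat_len_bytes() {
  case $1 in
    'rfc4106(gcm(aes))'|'rfc4543(gcm(aes))') echo 36 ;;
    'cbc(aes)'|'hmac(sha256)')               echo 32 ;;
    'hmac(sha512)')                          echo 64 ;;
    *)                                       echo 0  ;;
  esac
}

# keymat_ok ALGO-NAME 0xHEX -> succeeds only for an allowed algorithm with
# keymat of exactly the expected length (a short or odd-length key is caught
# here instead of being refused, or worse accepted, by the kernel later)
keymat_ok() {
  local want hex
  want=$(keymat_len_bytes "$1")
  [ "$want" -gt 0 ] || { echo "refusing algorithm $1" >&2; return 1; }
  case $2 in 0x*) ;; *) echo "keymat must be 0x-prefixed hex" >&2; return 1 ;; esac
  hex=${2#0x}
  case $hex in ''|*[!0-9a-fA-F]*) echo "keymat is not hex" >&2; return 1 ;; esac
  [ $(( ${#hex} % 2 )) -eq 0 ] && [ $(( ${#hex} / 2 )) -eq "$want" ] ||
    { echo "keymat for $1 must be exactly $want bytes" >&2; return 1; }
}

# run WORD... -> execute when APPLY=1, otherwise print a copy-pasteable line
# (algorithm names contain parentheses, so they are single-quoted for the shell)
run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; return; fi
  for w in "$@"; do
    case $w in *\(*) printf "'%s' " "$w" ;; *) printf '%s ' "$w" ;; esac
  done
  echo
}

# esp_sa SRC DST SPI REQID 0xKEYMAT -> one 'ip xfrm state add' for AES-256-GCM
# with a 128-bit ICV, 64-bit sequence numbers (flag esn), a 128-packet replay
# window and hard lifetime limits so a manual SA is retired, not used forever.
esp_sa() {
  local src="$1" dst="$2" spi="$3" reqid="$4" key="$5"
  keymat_ok 'rfc4106(gcm(aes))' "$key" || return 1
  run ip xfrm state add src "$src" dst "$dst" proto esp spi "$spi" reqid "$reqid" \
      mode transport aead 'rfc4106(gcm(aes))' "$key" 128 \
      replay-window 128 flag esn \
      limit time-hard 3600 limit byte-hard 1073741824
}

# esp_policies LOCAL PEER REQID -> the out and in policies. 'level required'
# makes the kernel drop matching traffic when no SA with this reqid exists,
# rather than letting it leave or arrive in cleartext.
esp_policies() {
  local me="$1" peer="$2" reqid="$3"
  run ip xfrm policy add src "$me" dst "$peer" dir out priority 100 \
      tmpl src "$me" dst "$peer" proto esp reqid "$reqid" mode transport level required
  run ip xfrm policy add src "$peer" dst "$me" dir in priority 100 \
      tmpl src "$peer" dst "$me" proto esp reqid "$reqid" mode transport level required
}

# new_keymat -> 36 fresh bytes from the kernel RNG as 0x-prefixed hex
new_keymat() { echo "0x$(head -c 36 /dev/urandom | od -An -tx1 | tr -d ' \n')"; }

# esp_pair LOCAL PEER SPI_OUT SPI_IN REQID KEY_OUT KEY_IN -> the four commands
# for one host; the peer runs the same with LOCAL/PEER, SPI and KEY roles swapped.
esp_pair() {
  local me="$1" peer="$2" spi_out="$3" spi_in="$4" reqid="$5" key_out="$6" key_in="$7"
  [ "$spi_out" != "$spi_in" ] || { echo "SPIs must differ per direction" >&2; return 1; }
  [ "$key_out" != "$key_in" ] || { echo "never reuse keymat across directions" >&2; return 1; }
  esp_sa "$me" "$peer" "$spi_out" "$reqid" "$key_out" &&
  esp_sa "$peer" "$me" "$spi_in" "$reqid" "$key_in" &&
  esp_policies "$me" "$peer" "$reqid"
}

# Demo on constructed values; with APPLY=1 as root this installs them instead.
esp_pair 192.0.2.10 198.51.100.20 0x10001 0x10002 7 "$(new_keymat)" "$(new_keymat)"
```

Two operational points follow from the man page's own options. The keymat is passed on the command line, so it is visible in the process list and in `/proc/<pid>/cmdline` while `ip` runs and lands in shell history if pasted; when sharing or logging the SAD, use `ip xfrm state list nokeys`. Manual SAs are never rekeyed, which is why the hard limits are set: when one expires, the `level required` policy drops matching traffic until new SAs with fresh SPIs and keys are installed, and `ip xfrm monitor` shows the expire events as they happen. Policies with a lower `priority` value are consulted first, so a more specific policy needs a smaller number than a catch-all one.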
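An audit of an existing Security Association Database, as an added example not taken from the man page or iproute2: it reads the text that `ip xfrm state list nokeys` prints (SAMPLE_SAD below is a constructed dump in that layout, with the key material omitted as `nokeys` does) and reports every SA that uses one of the null, DES, Blowfish, CAST5 or MD5 algorithm names listed above, that has an `enc` algorithm with no `auth`, `auth-trunc` or `aead` at all, that has `replay-window 0`, or that lacks the `esn` flag. The function name and the finding texts are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the iproute2 man page: audit the Security
# Association Database as printed by 'ip xfrm state list nokeys' for legacy
# algorithms and missing anti-replay protection. SAMPLE_SAD is a constructed
# dump in that command's layout (keys omitted); audit_sad is a hypothetical name.

SAMPLE_SAD='src 192.0.2.10 dst 198.51.100.20
    proto esp spi 0x00010001 reqid 7 mode transport
    replay-window 128 flag esn (0x00000010)
    aead rfc4106(gcm(aes)) 128
    sel src 0.0.0.0/0 dst 0.0.0.0/0
src 198.51.100.20 dst 192.0.2.10
    proto esp spi 0x00010002 reqid 7 mode transport
    replay-window 0 flag  (0x00000000)
    auth-trunc hmac(md5) 96
    enc cbc(des)
    sel src 0.0.0.0/0 dst 0.0.0.0/0
src 203.0.113.5 dst 192.0.2.10
    proto esp spi 0x0000abcd reqid 9 mode tunnel
    replay-window 32 flag  (0x00000000)
    enc cbc(aes)
    sel src 0.0.0.0/0 dst 0.0.0.0/0'

# audit_sad < DUMP -> one finding per line, prefixed with the SA identity.
# Checks: null or pre-AES ciphers, MD5/null integrity, a cipher with no
# integrity algorithm at all (malleable ESP), replay-window 0, and no esn flag
# (32-bit sequence numbers, so the SA must be replaced before 2^32 packets).
audit_sad() {
  awk '
  function flush() {
    if (id == "") return
    if (enc ~ /^(ecb\(ciphernull\)|cbc\(des\)|cbc\(des3ede\)|cbc\(blowfish\)|cbc\(cast5\))$/)
      print id ": legacy or null encryption " enc
    if (auth ~ /^(digestnull|hmac\(md5\))$/) print id ": weak authentication " auth
    if (enc != "" && auth == "" && aead == "") print id ": encryption without integrity protection"
    if (rw == 0) print id ": replay protection disabled (replay-window 0)"
    if (flags !~ /esn/) print id ": 32-bit sequence numbers (no esn flag)"
  }
  $1 == "src" && $3 == "dst"        { flush(); id = $0; enc = auth = aead = flags = ""; rw = -1 }
  $1 == "proto"                     { id = id " " $1 " " $2 " spi " $4 }
  $1 == "replay-window"             { rw = $2 + 0; flags = $0 }
  $1 == "enc"                       { enc = $2 }
  $1 == "auth" || $1 == "auth-trunc" { auth = $2 }
  $1 == "aead"                      { aead = $2 }
  END { flush() }'
}

# Demo on the constructed dump; on a live host: ip xfrm state list nokeys | audit_sad
printf '%s\n' "$SAMPLE_SAD" | audit_sad
```

Run with `ip xfrm state list nokeys | audit_sad` so that no key material reaches the audit log; the findings carry the `src`/`dst`/`spi` identity, which is exactly what `ip xfrm state delete` or `ip xfrm state get` needs to act on a flagged SA.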