Learning Linux Network Tools: The ip Command, Part 13
Tags (space-separated): networking
This article introduces and studies Linux networking by way of the ip command.
1. Overview
2. ip link
3. ip addr
4. ip addrlabel
5. ip route
6. ip rule
7. ip neighbour
8. ip ntable
9. ip tunnel
10. ip tuntap
11. ip maddr/mroute/mrule
12. ip monitor
13. ip xfrm
13.1 Overview
xfrm is an IP framework for transforming packets (such as encrypting their payloads). This framework is used to implement the IPsec protocol suite (with the state object operating on the Security Association Database, and the policy object operating on the Security Policy Database). It is also used for the IP Payload Compression Protocol and features of Mobile IPv6.
Usage: ip xfrm XFRM-OBJECT { COMMAND | help }
where XFRM-OBJECT := state | policy | monitor
xfrm_policy represents the IPsec SP (Security Policy, an entry in the SPD), and xfrm_state represents the IPsec SA (Security Association, an entry in the SAD).
13.2 ip xfrm state
[root@10-9-151-160 ~]# ip xfrm state help
Usage: ip xfrm state { add | update } ID [ ALGO-LIST ] [ mode MODE ]
[ mark MARK [ mask MASK ] ] [ reqid REQID ] [ seq SEQ ]
[ replay-window SIZE ] [ replay-seq SEQ ] [ replay-oseq SEQ ]
[ flag FLAG-LIST ] [ sel SELECTOR ] [ LIMIT-LIST ] [ encap ENCAP ]
[ coa ADDR[/PLEN] ] [ ctx CTX ] [ extra-flag EXTRA-FLAG-LIST ]
Usage: ip xfrm state allocspi ID [ mode MODE ] [ mark MARK [ mask MASK ] ]
[ reqid REQID ] [ seq SEQ ] [ min SPI max SPI ]
Usage: ip xfrm state { delete | get } ID [ mark MARK [ mask MASK ] ]
Usage: ip xfrm state { deleteall | list } [ ID ] [ mode MODE ] [ reqid REQID ]
[ flag FLAG-LIST ]
Usage: ip xfrm state flush [ proto XFRM-PROTO ]
Usage: ip xfrm state count
ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM-PROTO ] [ spi SPI ]
XFRM-PROTO := esp | ah | comp | route2 | hao
ALGO-LIST := [ ALGO-LIST ] ALGO
ALGO := { enc | auth } ALGO-NAME ALGO-KEYMAT |
auth-trunc ALGO-NAME ALGO-KEYMAT ALGO-TRUNC-LEN |
aead ALGO-NAME ALGO-KEYMAT ALGO-ICV-LEN |
comp ALGO-NAME
MODE := transport | tunnel | beet | ro | in_trigger
FLAG-LIST := [ FLAG-LIST ] FLAG
FLAG := noecn | decap-dscp | nopmtudisc | wildrecv | icmp | af-unspec | align4
EXTRA-FLAG-LIST := [ EXTRA-FLAG-LIST ] EXTRA-FLAG
EXTRA-FLAG := dont-encap-dscp
SELECTOR := [ src ADDR[/PLEN] ] [ dst ADDR[/PLEN] ] [ dev DEV ] [ UPSPEC ]
UPSPEC := proto { { tcp | udp | sctp | dccp } [ sport PORT ] [ dport PORT ] |
{ icmp | ipv6-icmp | mobility-header } [ type NUMBER ] [ code NUMBER ] |
gre [ key { DOTTED-QUAD | NUMBER } ] | PROTO }
LIMIT-LIST := [ LIMIT-LIST ] limit LIMIT
LIMIT := { time-soft | time-hard | time-use-soft | time-use-hard } SECONDS |
{ byte-soft | byte-hard } SIZE | { packet-soft | packet-hard } COUNT
ENCAP := { espinudp | espinudp-nonike } SPORT DPORT OADDR
ip xfrm state add add new state into xfrm
ip xfrm state update update existing state in xfrm
ip xfrm state allocspi allocate an SPI value
ip xfrm state delete delete existing state in xfrm
ip xfrm state get get existing state in xfrm
ip xfrm state deleteall delete all existing state in xfrm
ip xfrm state list print out the list of existing state in xfrm
ip xfrm state flush flush all state in xfrm
ip xfrm state count count all existing state in xfrm
13.3 ip xfrm policy
[root@10-9-151-160 ~]# ip xfrm policy help
Usage: ip xfrm policy { add | update } SELECTOR dir DIR [ ctx CTX ]
[ mark MARK [ mask MASK ] ] [ index INDEX ] [ ptype PTYPE ]
[ action ACTION ] [ priority PRIORITY ] [ flag FLAG-LIST ]
[ LIMIT-LIST ] [ TMPL-LIST ]
Usage: ip xfrm policy { delete | get } { SELECTOR | index INDEX } dir DIR
[ ctx CTX ] [ mark MARK [ mask MASK ] ] [ ptype PTYPE ]
Usage: ip xfrm policy { deleteall | list } [ SELECTOR ] [ dir DIR ]
[ index INDEX ] [ ptype PTYPE ] [ action ACTION ] [ priority PRIORITY ]
[ flag FLAG-LIST ]
Usage: ip xfrm policy flush [ ptype PTYPE ]
Usage: ip xfrm count
SELECTOR := [ src ADDR[/PLEN] ] [ dst ADDR[/PLEN] ] [ dev DEV ] [ UPSPEC ]
UPSPEC := proto { { tcp | udp | sctp | dccp } [ sport PORT ] [ dport PORT ] |
{ icmp | ipv6-icmp | mobility-header } [ type NUMBER ] [ code NUMBER ] |
gre [ key { DOTTED-QUAD | NUMBER } ] | PROTO }
DIR := in | out | fwd
PTYPE := main | sub
ACTION := allow | block
FLAG-LIST := [ FLAG-LIST ] FLAG
FLAG := localok | icmp
LIMIT-LIST := [ LIMIT-LIST ] limit LIMIT
LIMIT := { time-soft | time-hard | time-use-soft | time-use-hard } SECONDS |
{ byte-soft | byte-hard } SIZE | { packet-soft | packet-hard } COUNT
TMPL-LIST := [ TMPL-LIST ] tmpl TMPL
TMPL := ID [ mode MODE ] [ reqid REQID ] [ level LEVEL ]
ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM-PROTO ] [ spi SPI ]
XFRM-PROTO := esp | ah | comp | route2 | hao
MODE := transport | tunnel | beet | ro | in_trigger
LEVEL := required | use
ip xfrm policy add add a new policy
ip xfrm policy update update an existing policy
ip xfrm policy delete delete an existing policy
ip xfrm policy get get an existing policy
ip xfrm policy deleteall delete all existing xfrm policies
ip xfrm policy list print out the list of xfrm policies
ip xfrm policy flush flush policies
# The example environment is described in section 2.4.7
#192.168.0.1 <=======> 192.168.0.2
#192.168.0.1
ip netns exec net1 ip xfrm state add src 192.168.0.1 dst 192.168.0.2 proto esp spi 0x00000301 mode tunnel auth md5 0x96358c90783bbfa3d7b196ceabe0536b enc des3_ede 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
ip netns exec net1 ip xfrm state add src 192.168.0.2 dst 192.168.0.1 proto esp spi 0x00000302 mode tunnel auth md5 0x99358c90783bbfa3d7b196ceabe0536b enc des3_ede 0xffddb555acfd9d77b03ea3843f2653255afe8eb5573965df
ip netns exec net1 ip xfrm state get src 192.168.0.1 dst 192.168.0.2 proto esp spi 0x00000301
ip netns exec net1 ip xfrm policy add src 192.168.0.1 dst 192.168.0.2 dir out ptype main tmpl src 192.168.0.1 dst 192.168.0.2 proto esp mode tunnel
ip netns exec net1 ip xfrm policy add src 192.168.0.2 dst 192.168.0.1 dir in ptype main tmpl src 192.168.0.2 dst 192.168.0.1 proto esp mode tunnel
ip netns exec net1 ip xfrm policy ls
#192.168.0.2
ip netns exec net2 ip xfrm state add src 192.168.0.1 dst 192.168.0.2 proto esp spi 0x00000301 mode tunnel auth md5 0x96358c90783bbfa3d7b196ceabe0536b enc des3_ede 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
ip netns exec net2 ip xfrm state add src 192.168.0.2 dst 192.168.0.1 proto esp spi 0x00000302 mode tunnel auth md5 0x99358c90783bbfa3d7b196ceabe0536b enc des3_ede 0xffddb555acfd9d77b03ea3843f2653255afe8eb5573965df
ip netns exec net2 ip xfrm state get src 192.168.0.1 dst 192.168.0.2 proto esp spi 0x00000301
ip netns exec net2 ip xfrm policy add src 192.168.0.1 dst 192.168.0.2 dir in ptype main tmpl src 192.168.0.1 dst 192.168.0.2 proto esp mode tunnel
ip netns exec net2 ip xfrm policy add src 192.168.0.2 dst 192.168.0.1 dir out ptype main tmpl src 192.168.0.2 dst 192.168.0.1 proto esp mode tunnel
ip netns exec net2 ip xfrm policy ls
# Test
ip netns exec net1 ping 192.168.0.2
# Observe from another console
[root@10-9-151-160 ~]# ip netns exec net2 tcpdump -i net2-bridge
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on net2-bridge, link-type EN10MB (Ethernet), capture size 65535 bytes
14:32:15.413849 IP 192.168.0.1 > 10-9-151-160: ESP(spi=0x00000301,seq=0x99), length 116
14:32:15.413849 IP 192.168.0.1 > 10-9-151-160: ICMP echo request, id 16721, seq 33, length 64
14:32:15.415893 IP 10-9-151-160 > 192.168.0.1: ESP(spi=0x00000302,seq=0x99), length 116
14:32:16.414868 IP 192.168.0.1 > 10-9-151-160: ESP(spi=0x00000301,seq=0x9a), length 116
14:32:16.414868 IP 192.168.0.1 > 10-9-151-160: ICMP echo request, id 16721, seq 34, length 64
14:32:16.414923 IP 10-9-151-160 > 192.168.0.1: ESP(spi=0x00000302,seq=0x9a), length 116
14:32:17.414823 IP 192.168.0.1 > 10-9-151-160: ESP(spi=0x00000301,seq=0x9b), length 116
14:32:17.414823 IP 192.168.0.1 > 10-9-151-160: ICMP echo request, id 16721, seq 35, length 64
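Putting the two object types from 13.1 and the hand-typed setup above together, here is an added example that is not part of the original post: a small POSIX shell script that derives all eight ip xfrm commands (the two SAs installed in each namespace, plus an out/in policy pair on each side) from a single description of the tunnel, and refuses to emit a state entry whose key is not the length the algorithm requires. The namespace names, addresses, SPIs and key strings are the post's own; the key-length table, the function names and the rfc4106(gcm(aes)) entry (AES-128 key plus 4-byte salt, 20 bytes) are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not code from the original post. It composes the same
# ip xfrm state / policy commands the post runs by hand, but derives the
# four directional entries from one description of the tunnel and checks
# that every key has the length its algorithm expects before anything is
# applied. Namespace names, addresses, SPIs and keys below are the post's own.

# Raw key length in bytes that the kernel expects for each algorithm name
# (assumed table). rfc4106(gcm(aes)) counts the 4-byte salt that follows a
# 16-byte AES key, i.e. the AES-128 variant.
key_len_bytes() {
    case "$1" in
        md5)                 echo 16 ;;
        sha1)                echo 20 ;;
        sha256)              echo 32 ;;
        des3_ede)            echo 24 ;;
        "rfc4106(gcm(aes))") echo 20 ;;
        *)                   return 1 ;;
    esac
}

# check_key ALGO 0xHEX -> 0 if the key carries the 0x prefix, is pure hex
# and has exactly the byte length the algorithm requires.
check_key() {
    want=$(key_len_bytes "$1") || return 1
    hex=${2#0x}
    [ "$hex" != "$2" ] || return 1                  # 0x prefix is mandatory
    case "$hex" in *[!0-9a-fA-F]*|"") return 1 ;; esac
    [ ${#hex} -eq $((want * 2)) ]
}

# gen_key ALGO -> a fresh random key of the right size, 0x-prefixed hex.
gen_key() {
    n=$(key_len_bytes "$1") || return 1
    printf '0x%s' "$(od -An -tx1 -N"$n" /dev/urandom | tr -d ' \n')"
}

# sa_cmd NS SRC DST SPI AUTH-ALGO AUTH-KEY ENC-ALGO ENC-KEY -> one state add line.
sa_cmd() {
    check_key "$5" "$6" || { echo "bad $5 key" >&2; return 1; }
    check_key "$7" "$8" || { echo "bad $7 key" >&2; return 1; }
    printf 'ip netns exec %s ip xfrm state add src %s dst %s proto esp spi %s mode tunnel auth %s %s enc %s %s\n' \
        "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8"
}

# sp_cmd NS SRC DST DIR -> one policy add line with a matching ESP tunnel template.
sp_cmd() {
    printf 'ip netns exec %s ip xfrm policy add src %s dst %s dir %s ptype main tmpl src %s dst %s proto esp mode tunnel\n' \
        "$1" "$2" "$3" "$4" "$2" "$3"
}

# tunnel_cmds LEFT-NS LEFT-IP RIGHT-NS RIGHT-IP SPI-LR SPI-RL AKEY-LR AKEY-RL EKEY-LR EKEY-RL
# Emits eight commands. Both SAs go into both namespaces unchanged; the
# policy direction is what differs per side (out where the traffic
# originates, in where it is received).
tunnel_cmds() {
    lns=$1 lip=$2 rns=$3 rip=$4 spi_lr=$5 spi_rl=$6
    for ns in "$lns" "$rns"; do
        sa_cmd "$ns" "$lip" "$rip" "$spi_lr" md5 "$7" des3_ede "$9"    || return 1
        sa_cmd "$ns" "$rip" "$lip" "$spi_rl" md5 "$8" des3_ede "${10}" || return 1
    done
    sp_cmd "$lns" "$lip" "$rip" out; sp_cmd "$lns" "$rip" "$lip" in
    sp_cmd "$rns" "$lip" "$rip" in;  sp_cmd "$rns" "$rip" "$lip" out
}

# Dry run with the post's values: print the commands instead of applying them.
tunnel_cmds net1 192.168.0.1 net2 192.168.0.2 0x00000301 0x00000302 \
    0x96358c90783bbfa3d7b196ceabe0536b 0x99358c90783bbfa3d7b196ceabe0536b \
    0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df 0xffddb555acfd9d77b03ea3843f2653255afe8eb5573965df
```

Run it as-is to print the commands; pipe the output into sh as root to apply them, or swap the post's fixed keys for gen_key output. HMAC-MD5 and 3DES, the two algorithms the post uses, are legacy choices; on a current kernel a single AEAD entry such as aead rfc4106(gcm(aes)) KEY 128 is preferred over a separate auth/enc pair. The capture above also shows something worth knowing when reading tcpdump on an IPsec endpoint: on the receiving side both the ESP packet and, with the same timestamp, the decapsulated ICMP echo request appear, because the kernel re-injects the decrypted packet on the same interface after xfrm input processing, whereas the outbound reply is seen only in its ESP form.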
13.4 ip xfrm monitor
[root@10-9-151-160 ~]# ip xfrm monitor help
Usage: ip xfrm monitor [ all | LISTofXFRM-OBJECTS ]