Show / manipulate routing, devices, policy routing and tunnels.
Syntax
ip [ OPTIONS ] OBJECT { COMMAND | help }
OBJECT := { link | addr | addrlabel | route | rule | neigh | tunnel | maddr | mroute | monitor }
OPTIONS := { -V[ersion] | -s[tatistics] | -r[esolve] | -f[amily] { inet | inet6 | ipx | dnet | link } | -o[neline] }
ip link set DEVICE { up | down | arp { on | off } |
promisc { on | off } | allmulticast { on | off } |
dynamic { on | off } | multicast { on | off } |
txqueuelen PACKETS | name NEWNAME |
address LLADDR | broadcast LLADDR | mtu MTU | netns PID |
alias NAME | vf NUM [ mac LLADDR ] [ vlan VLANID [ qos VLAN-QOS ] ] [ rate TXRATE ] }
ip link show [ DEVICE ]
dev NAME (default) - NAME specifies the network device to show.
If this argument is omitted all devices are listed.
up - Only display running interfaces, e.g. $ ip link ls up
ip address { add | del } IFADDR dev STRING
ip address { show | flush } [ dev STRING ] [ scope SCOPE-ID ] [ to PREFIX ] [ FLAG-LIST ] [ label PATTERN ]
IFADDR := PREFIX | ADDR peer PREFIX [ broadcast ADDR ] [ anycast ADDR ] [ label STRING ] [ scope SCOPE-ID ]
SCOPE-ID := [ host | link | global | NUMBER ]
FLAG-LIST := [ FLAG-LIST ] FLAG
FLAG := [ permanent | dynamic | secondary | primary | tentative | deprecated ]
ip addrlabel { add | del } prefix PREFIX [ dev DEV ] [ label NUMBER ]
ip addrlabel { list | flush }
ip route { list | flush } SELECTOR
ip route get ADDRESS [ from ADDRESS iif STRING ] [ oif STRING ] [ tos TOS ]
ip route { add | del | change | append | replace | monitor } ROUTE
SELECTOR := [ root PREFIX ] [ match PREFIX ] [ exact PREFIX ] [ table TABLE_ID ]
[ proto RTPROTO ] [ type TYPE ] [ scope SCOPE ]
ROUTE := NODE_SPEC [ INFO_SPEC ]
NODE_SPEC := [ TYPE ] PREFIX [ tos TOS ] [ table TABLE_ID ] [ proto RTPROTO ] [ scope SCOPE ] [ metric METRIC ]
INFO_SPEC := NH OPTIONS FLAGS [ nexthop NH ] ...
NH := [ via ADDRESS ] [ dev STRING ] [ weight NUMBER ] NHFLAGS
OPTIONS := FLAGS [ mtu NUMBER ] [ advmss NUMBER ] [ rtt TIME ] [ rttvar TIME ]
[ window NUMBER ] [ cwnd NUMBER ] [ initcwnd NUMBER ] [ ssthresh REALM ]
[ realms REALM ] [ rto_min TIME ] [ initrwnd NUMBER ]
TYPE := [ unicast | local | broadcast | multicast | throw | unreachable | prohibit | blackhole | nat ]
TABLE_ID := [ local| main | default | all | NUMBER ]
SCOPE := [ host | link | global | NUMBER ]
FLAGS := [ equalize ]
NHFLAGS := [ onlink | pervasive ]
RTPROTO := [ kernel | boot | static | NUMBER ]
ip rule [ list | add | del | flush ] SELECTOR ACTION
SELECTOR := [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ fwmark FWMARK[/MASK] ] [ dev STRING ] [ pref NUMBER ]
ACTION := [ table TABLE_ID ] [ nat ADDRESS ] [ prohibit | reject | unreachable ] [ realms [SRCREALM/]DSTREALM ]
TABLE_ID := [ local | main | default | NUMBER ]
ip neighbour { add | del | change | replace } { ADDR [ lladdr LLADDR ]
[ nud { permanent | noarp | stale | reachable } ] | proxy ADDR } [ dev DEV ]
ip neighbour { show | flush } [ to PREFIX ] [ dev DEV ] [ nud STATE ]
ip tunnel { add | change | del | show | prl } [ NAME ] [ mode MODE ] [ remote ADDR ]
[ local ADDR ] [ [i|o]seq ] [ [i|o]key KEY ] [ [i|o]csum ] ] [ encaplimit ELIM ] [ ttl TTL ]
[ tos TOS ] [ flowlabel FLOWLABEL ] [ prl-default ADDR ] [ prl-nodefault ADDR ] [ prl-delete ADDR ]
[ [no]pmtudisc ] [ dev PHYS_DEV ] [ dscp inherit ]
MODE := { ipip | gre | sit | isatap | ip6ip6 | ipip6 | any }
ADDR := { IP_ADDRESS | any }
TOS := { NUMBER | inherit }
ELIM := { none | 0..255 }
TTL := { 1..255 | inherit }
KEY := { DOTTED_QUAD | NUMBER }
TIME := NUMBER[s|ms|us|ns|j]
ip maddr [ add | del ] MULTIADDR dev STRING
ip maddr show [ dev STRING ]
ip mroute show [ PREFIX ] [ from PREFIX ] [ iif DEVICE ]
ip monitor [ all | LISTofOBJECTS ]
ip xfrm XFRM_OBJECT { COMMAND }
XFRM_OBJECT := { state | policy | monitor }
ip xfrm state { add | update } ID [ XFRM_OPT ] [ mode MODE ] [ reqid REQID ] [ seq SEQ ] [ replay-window SIZE ]
[ flag FLAG-LIST ] [ encap ENCAP ] [ sel SELECTOR ] [ LIMIT-LIST ]
ip xfrm state allocspi ID [ mode MODE ] [ reqid REQID ] [ seq SEQ ] [ min SPI max SPI ]
ip xfrm state { delete | get } ID
ip xfrm state { deleteall | list } [ ID ] [ mode MODE ] [ reqid REQID ] [ flag FLAG_LIST ]
ip xfrm state flush [ proto XFRM_PROTO ]
ip xfrm state count
ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM_PROTO ] [ spi SPI ]
XFRM_PROTO := [ esp | ah | comp | route2 | hao ]
MODE := [ transport | tunnel | ro | beet ] (default=transport)
FLAG-LIST := [ FLAG-LIST ] FLAG
FLAG := [ noecn | decap-dscp | wildrecv ]
ENCAP := ENCAP-TYPE SPORT DPORT OADDR
ENCAP-TYPE := espinudp | espinudp-nonike
ALGO-LIST := [ ALGO-LIST ] | [ ALGO ]
ALGO := ALGO_TYPE ALGO_NAME ALGO_KEY
ALGO_TYPE := [ enc | auth | comp ]
SELECTOR := src ADDR[/PLEN] dst ADDR[/PLEN] [ UPSPEC ] [ dev DEV ]
UPSPEC := proto PROTO [[ sport PORT ] [ dport PORT ] | [ type NUMBER ] [ code NUMBER ]]
LIMIT-LIST := [ LIMIT-LIST ] | [ limit LIMIT ]
LIMIT := [ [time-soft|time-hard|time-use-soft|time-use-hard] SECONDS ] |
[ [byte-soft|byte-hard] SIZE ] | [ [packet-soft|packet-hard] COUNT ]
ip xfrm policy { add | update } dir DIR SELECTOR [ index INDEX ]
[ ptype PTYPE ] [ action ACTION ] [ priority PRIORITY ]
[ LIMIT-LIST ] [ TMPL-LIST ]
ip xfrm policy { delete | get } dir DIR [ SELECTOR | index INDEX ] [ ptype PTYPE ]
ip xfrm policy { deleteall | list } [ dir DIR ] [ SELECTOR ] [ index INDEX ]
[ action ACTION ] [ priority PRIORITY ]
ip xfrm policy flush [ ptype PTYPE ]
ip xfrm count
PTYPE := [ main | sub ] (default=main)
DIR := [ in | out | fwd ]
SELECTOR := src ADDR[/PLEN] dst ADDR[/PLEN] [ UPSPEC ] [ dev DEV ]
UPSPEC := proto PROTO [ [ sport PORT ] [ dport PORT ] |
[ type NUMBER ] [ code NUMBER ] ]
ACTION := [ allow | block ] (default=allow)
LIMIT-LIST := [ LIMIT-LIST ] | [ limit LIMIT ]
LIMIT := [ [time-soft|time-hard|time-use-soft|time-use-hard] SECONDS ] |
[ [byte-soft|byte-hard] SIZE ] | [packet-soft|packet-hard] NUMBER ]
TMPL-LIST := [ TMPL-LIST ] | [ tmpl TMPL ]
TMPL := ID [ mode MODE ] [ reqid REQID ] [ level LEVEL ]
ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM_PROTO ] [ spi SPI ]
XFRM_PROTO := [ esp | ah | comp | route2 | hao ]
MODE := [ transport | tunnel | beet ] (default=transport)
LEVEL := [ required | use ] (default=required)
ip xfrm monitor [ all | LISTofOBJECTS ]
OPTIONS
-f, -family
followed by protocol family identifier: inet, inet6 or link ,enforce the protocol family to use.
If the option is not present, the protocol family is guessed from other arguments.
If the rest of the command line does not give enough information to guess the family, ip falls
back to the default one, usually inet or any. link is a special family identifier meaning that
no networking protocol is involved.
-4 shortcut for -family inet. (IPv4)
-6 shortcut for -family inet6. (IPv6)
-0 shortcut for -family link.
-o, -oneline
output each record on a single line, replacing line feeds with the '\' character.
This is convenient when you want to count records with wc(1) or to grep(1) the output.
-r, -resolve
use the system’s name resolver to print DNS names instead of host addresses.
-s, -stats, -statistics
output more information. If the option appears twice or more, the amount of information increases.
As a rule, the information is statistics or some time values.
-V, -Version
print the version of the ip utility and exit.
OBJECTS with abbreviations
link l Network device.
address a or addr Protocol (IP or IPv6) address on a device.
addrlabel addrl Label configuration for protocol address selection.
neighbour n or neigh ARP or NDISC cache entry.
route r Routing table entry.
rule ru Rule in routing policy database.
maddress m or maddr Multicast address.
mroute mr Multicast routing cache entry.
tunnel t tunnel over IP.
xfrm x framework for IPsec protocol.
The names of all objects may be written in full or abbreviated form.
COMMAND
Specifies the action to perform on the object.
The set of possible actions depends on the object type.
As a rule, it is possible to add, delete and show (or list ) objects, but some objects do not allow all of these operations or have some additional commands.The help command is available for all objects.
It prints out a list of available commands and argument syntax conventions. e.g. ip a help
If no command is given, some default command is assumed.
Usually it is list or, if the objects of this class cannot be listed, help.
List and show all ip address associated on on all network interfaces:
$ ip addr
Prevent accidental deletions by making rm interactive:
$ alias rm='rm -i'
"There are many reasons why novelists write, but they all have one thing in common - a need to create an alternative world" ~ John Fowles
ss - Socket Statistics.
netstat - Networking connections/stats.
nft - nftables for packet filtering and classification.
Configure the hosts file to redirect or block URLs.
RedHat blog -
nftables performance vs iptables.
Equivalent Windows command: Windows Firewall netsh firewall