N天学习一个linux命令之ip

用途

show / manipulate routing, devices, policy routing and tunnels

用法

通用格式

ip [ OPTIONS ] OBJECT { COMMAND | help }

OBJECT := { link | addr | addrlabel | route | rule | neigh | tunnel | maddr | mroute | monitor }

OPTIONS := { -V[ersion] | -s[tatistics] | -r[esolve] | -f[amily] { inet | inet6 | ipx | dnet | link } | -o[neline] }

link格式(网卡)

ip link set DEVICE { up | down | arp { on | off } |
                    promisc { on | off } |
                    allmulticast { on | off } |
                    dynamic { on | off } |
                    multicast { on | off } |
                    txqueuelen PACKETS |
                    name NEWNAME |
                    address LLADDR | broadcast LLADDR |
                    mtu MTU |
                    netns PID |
                    alias NAME |
                    vf NUM [ mac LLADDR ] [ vlan VLANID [ qos VLAN-QOS ] ] [ rate TXRATE ] [ spoofchk { on | off } ] |
                }
ip link show [ DEVICE ]

addr格式(IP地址)

ip addr { add | del } IFADDR dev STRING

ip addr { show | flush } [ dev STRING ] [ scope SCOPE-ID ] [ to PREFIX ] [ FLAG-LIST ] [ label PATTERN ]

IFADDR := PREFIX | ADDR peer PREFIX [ broadcast ADDR ] [ anycast ADDR ] [ label STRING ] [ scope SCOPE-ID ]

SCOPE-ID := [ host | link | global | NUMBER ]

FLAG-LIST := [ FLAG-LIST ] FLAG

FLAG := [ permanent | dynamic | secondary | primary | tentative | deprecated ]

addrlabel格式

ip addrlabel { add | del } prefix PREFIX [ dev DEV ] [ label NUMBER ]

ip addrlabel { list | flush }

route格式

ip route { list | flush } SELECTOR

ip route get ADDRESS [ from ADDRESS iif STRING  ] [ oif STRING ] [ tos TOS ]

ip route { add | del | change | append | replace | monitor } ROUTE

SELECTOR := [ root PREFIX ] [ match PREFIX ] [ exact PREFIX ] [ table TABLE_ID ] [ proto RTPROTO ] [ type TYPE ] [ scope SCOPE ]

ROUTE := NODE_SPEC [ INFO_SPEC ]

NODE_SPEC := [ TYPE ] PREFIX [ tos TOS ] [ table TABLE_ID ] [ proto RTPROTO ] [ scope SCOPE ] [ metric METRIC ]

INFO_SPEC := NH OPTIONS FLAGS [ nexthop NH ] ...

NH := [ via ADDRESS ] [ dev STRING ] [ weight NUMBER ] NHFLAGS

OPTIONS := FLAGS [ mtu NUMBER ] [ advmss NUMBER ] [ rtt TIME ] [ rttvar TIME ] [ window NUMBER ] [ cwnd NUMBER ] [ initcwnd NUMBER ] [ ssthresh REALM ] [ realms REALM ] [ rto_min TIME ] [ initrwnd NUMBER ]

TYPE := [ unicast | local | broadcast | multicast | throw | unreachable | prohibit | blackhole | nat ]

TABLE_ID := [ local| main | default | all | NUMBER ]

SCOPE := [ host | link | global | NUMBER ]

FLAGS := [ equalize ]

NHFLAGS := [ onlink | pervasive ]

RTPROTO := [ kernel | boot | static | NUMBER ]

rule格式

ip rule  [ list | add | del | flush ] SELECTOR ACTION

SELECTOR := [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ fwmark FWMARK[/MASK] ] [ dev STRING ] [ pref NUMBER ]

ACTION := [ table TABLE_ID ] [ nat ADDRESS ] [ realms [SRCREALM/]DSTREALM ]

TABLE_ID := [ local | main | default | NUMBER ]

neigh格式

ip neigh { add | del | change | replace } { ADDR [ lladdr LLADDR ] [ nud { permanent | noarp | stale | reachable} ] | proxy ADDR } [ dev DEV ]

ip neigh { show | flush } [ to PREFIX ] [ dev DEV ] [ nud STATE ]

tunnel格式

ip tunnel { add | change | del | show | prl } [ NAME ]
               [ mode MODE ] [ remote ADDR ] [ local ADDR ]
               [ [i|o]seq ] [ [i|o]key KEY ] [ [i|o]csum ] ]
               [ encaplimit ELIM ] [ ttl TTL ]
               [ tos TOS ] [ flowlabel FLOWLABEL ]
               [ prl-default ADDR ] [ prl-nodefault ADDR ] [ prl-delete ADDR ]
               [ [no]pmtudisc ] [ dev PHYS_DEV ] [ dscp inherit ]

MODE :=  { ipip | gre | sit | isatap | ip6ip6 | ipip6 | any }

ADDR := { IP_ADDRESS | any }

TOS := { NUMBER | inherit }

ELIM := { none | 0..255 }

TTL := { 1..255 | inherit }

KEY := { DOTTED_QUAD | NUMBER }

TIME := NUMBER[s|ms]

maddr格式

ip maddr [ add | del ] MULTIADDR dev NAME

ip maddr show [ dev NAME ]

mroute格式

ip mroute show [ PREFIX ] [ from PREFIX ] [ iif DEVICE ]

monitor格式

ip monitor [ all | OBJECT-LIST ]

xfrm格式

ip xfrm XFRM_OBJECT { COMMAND }

XFRM_OBJECT := { state | policy | monitor }

ip xfrm state { add | update } ID [ XFRM_OPT ]  [ mode MODE ]
                [ reqid REQID ]  [ seq SEQ ]  [ replay-window SIZE ]
                [ flag FLAG-LIST ]  [ encap ENCAP ]  [ sel SELECTOR ]
                [ LIMIT-LIST ]

ip xfrm state allocspi ID  [ mode MODE ]  [ reqid REQID ]  [ seq SEQ ]  [ min SPI max SPI ]

ip xfrm state { delete | get } ID

ip xfrm state { deleteall | list } [ ID ]  [ mode MODE ]
                [ reqid REQID ]  [ flag FLAG_LIST ]

ip xfrm state flush [ proto XFRM_PROTO ]

ip xfrm state count

ID :=  [ src ADDR ]  [ dst ADDR ]  [ proto XFRM_PROTO ]  [ spi SPI ]

XFRM_PROTO :=  [ esp | ah | comp | route2 | hao ]

MODE :=  [ transport | tunnel | ro | beet ] (default=transport)

FLAG-LIST :=  [ FLAG-LIST ] FLAG

FLAG :=  [ noecn | decap-dscp | wildrecv ]

ENCAP := ENCAP-TYPE SPORT DPORT OADDR

ENCAP-TYPE := espinudp  | espinudp-nonike

ALGO-LIST := [ ALGO-LIST ] | [ ALGO ]

ALGO := ALGO_TYPE ALGO_NAME ALGO_KEY

ALGO_TYPE :=  [ enc | auth | comp ]

SELECTOR := src ADDR[/PLEN] dst ADDR[/PLEN]  [ UPSPEC ]  [ dev DEV ]

UPSPEC := proto PROTO [[ sport PORT ]  [ dport PORT ] |
                [ type NUMBER ]  [ code NUMBER ]]

LIMIT-LIST := [ LIMIT-LIST ] |  [ limit LIMIT ]

LIMIT :=  [ [time-soft|time-hard|time-use-soft|time-use-hard] SECONDS ] | [ [byte-soft|byte-hard] SIZE ] | [ [packet-soft|packet-hard] COUNT ]

ip xfrm policy { add | update }  dir DIR SELECTOR [ index INDEX ]
                [ ptype PTYPE ]  [ action ACTION ]  [ priority PRIORITY ]
                [ LIMIT-LIST ] [ TMPL-LIST ]

ip xfrm policy { delete | get }  dir DIR [ SELECTOR | index INDEX  ]
                [ ptype PTYPE ]

ip xfrm policy { deleteall | list }  [ dir DIR ] [ SELECTOR ]
                [ index INDEX ]  [ action ACTION ]  [ priority PRIORITY ]

ip xfrm policy flush  [ ptype PTYPE ]

ip xfrm count

PTYPE :=  [ main | sub ] (default=main)

DIR :=  [ in | out | fwd ]

SELECTOR := src ADDR[/PLEN] dst ADDR[/PLEN] [ UPSPEC  ] [ dev DEV ]

UPSPEC := proto PROTO [  [ sport PORT ]  [ dport PORT ] |
                [ type NUMBER ]  [ code NUMBER ] ]

ACTION :=  [ allow | block ] (default=allow)

LIMIT-LIST :=  [ LIMIT-LIST ] |  [ limit LIMIT ]

LIMIT :=  [ [time-soft|time-hard|time-use-soft|time-use-hard] SECONDS ] |  [ [byte-soft|byte-hard] SIZE ] | [packet-soft|packet-hard] NUMBER ]

TMPL-LIST :=  [ TMPL-LIST ] |  [ tmpl TMPL ]

TMPL := ID [ mode MODE ]  [ reqid REQID ]  [ level LEVEL ]

ID :=  [ src ADDR ]  [ dst ADDR ]  [ proto XFRM_PROTO ]  [ spi SPI ]

XFRM_PROTO :=  [ esp | ah | comp | route2 | hao ]

MODE :=  [ transport | tunnel | beet ] (default=transport)

LEVEL :=  [ required | use ] (default=required)

ip xfrm monitor [ all | OBJECT-LIST ]

token格式

ip token { COMMAND | help }

ip token { set } TOKEN dev DEV

ip token { get } dev DEV

ip token { list }

常用选项

-V, -Version
打印程序版本

-s, -stats, -statistics
输出更多信息,出现多次,输出信息越多

-h, -human, -human-readable
以适合人类阅读的方式输出信息

-iec
和-h选项类似,基本单位是1024

-f, -family
指定使用的协议族,值列表:inet, inet6, ipx, dnet or link,如果没有指定会根据上下文猜测或者使用默认的协议族,一般是inet。link is a special family identifier meaning that no networking protocol is involved.
简写形式 -4 = -f inet, -6 = -f inet6, -0 = -f link

-o, -oneline
一行显示

-r, -resolve
use the system’s name resolver to print DNS names instead of host addresses.

操作对象说明

1 link
- network device.

2 address
- protocol (IP or IPv6) address on a device.

3 addrlabel
- label configuration for protocol address selection.

4 neighbour
- ARP or NDISC cache entry.

5 route
- routing table entry.

6 rule
- rule in routing policy database.

7 maddress
- multicast address.

8 mroute
- multicast routing cache entry.

9 tunnel
- tunnel over IP.

10 xfrm
- framework for IPsec protocol.

实践

操作物理网卡

1 显示网卡设备信息

[[email protected] asia_ucenter]# ip -s link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes  packets  errors  dropped overrun mcast
    2188533266 2199032  0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    2188533266 2199032  0       0       0       0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:40:a8:72 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    12012726   64662    0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    35491390   77118    0       0       0       0   

2 关闭或者启用eth0网卡

# 关闭
[[email protected] apk]# ip link set dev eth0 down

#开启
[[email protected] apk]# ip link set dev eth0 up

3 启用或者关闭arp

# 关闭
[[email protected] apk]# ip link set dev eth0 arp off

#开启
[[email protected] apk]# ip link set dev eth0 arp on

4 启用或者关闭组播

# 关闭
[[email protected] apk]# ip link set dev eth0 multicast off

#开启
[[email protected] apk]# ip link set dev eth0 multicast on

5 设置或者清除网卡的 DYNAMIC 标志(只是修改设备标志位,并不是开启 DHCP 动态获取ip)
dynamic on or dynamic off
( change the DYNAMIC flag on the device. )

6 修改网卡名字
name NAME
(网卡正在运行中或者其它配置有使用到老名字,不建议更改)

7 设置发送队列长度
方式一:txqueuelen NUMBER
方式二:txqlen NUMBER

8 设置网卡设备最大传输单元
mtu NUMBER

9 设置网卡物理地址
address LLADDRESS

10 设置链路层广播地址,或者点对点(POINTOPOINT)接口的对端地址
broadcast LLADDRESS

brd LLADDRESS

peer LLADDRESS
(change the link layer broadcast address or the peer address when the interface is POINTOPOINT.)

11 把网卡移入指定进程所在的网络命名空间(network namespace),移动后该设备在当前命名空间中不再可见
netns PID
(move the device to the network namespace associated with the process PID.)

12 设置设备别名
alias NAME

ip地址操作

1 eth0设备增加本地ip:10.0.2.5,标签名为eth0:0,广播地址一样

[[email protected] apk]# ip addr add dev eth0:0 local 10.0.2.5/24 brd + label eth0:0

2 删除之前添加的ip,参数需要跟之前一样

[[email protected] apk]# ip addr delete dev eth0:0 local 10.0.2.5/24 brd - label eth0:0

3 显示ip地址信息

ip address show - look at protocol addresses
       dev NAME (default)
              name of device.

       scope SCOPE_VAL
              only list addresses with this scope.

       to PREFIX
              only list addresses matching this prefix.

       label PATTERN
              only list addresses with labels matching the PATTERN.  PATTERN is a usual shell style pattern.

       primary and secondary
              only list primary (or secondary) addresses.

4 批量删除ip地址(flush),过滤条件跟显示一样;所有匹配的地址都会被删除,通过远程会话操作时可能导致连接中断,谨慎操作

ip addr flush arg1 arg2

邻居(neighbour)/arp表管理

1 添加一个邻居节点信息

[[email protected] apk]# ip neighbour add to 10.0.2.6 dev eth0 lladdr 22:33:aa:33:44:dd nud stale

# 邻居节点状态说明
permanent
    - the neighbour entry is valid forever and can only be removed administratively.

noarp
    - the neighbour entry is valid. No attempts to validate this entry will be made but  it  can be removed when its lifetime expires.

reachable
    - the neighbour entry is valid until the reachability timeout expires.

stale
    - the neighbour entry is valid but suspicious.  This option to ip neigh does not change the neighbour state if it was valid and the address is not changed by this command.

2 邻居节点失效:ip为10.0.2.6,设备名为eth0的节点

[[email protected] apk]# ip neighbour delete to 10.0.2.6 dev eth0

3 显示邻居节点列表,过滤参数和添加一样

[[email protected] apk]# ip neighbour list
10.0.2.6 dev eth0  FAILED
10.0.2.1 dev eth0 lladdr 52:54:00:12:35:00 STALE
10.0.2.3 dev eth0 lladdr 08:00:27:4e:35:c1 STALE
10.0.2.2 dev eth0 lladdr 52:54:00:12:35:00 REACHABLE

4 删除邻居节点,过滤参数和add一样,没有过滤参数,不做处理
备注:a 失效(FAILED)状态的条目不能删除 b 执行了这个操作后,条目还是能看到:推测是条目先被置为 FAILED,等内核回收后才会真正消失(待确认)

[[email protected] apk]# ip -s neighbour flush to 10.0.2.6 dev eth0

*** Round 1, deleting 1 entries ***
*** Flush is complete after 1 round ***

5 更改已存在的邻居节点ip:10.0.2.6,物理网卡地址为:22:33:aa:33:44:dd,设备名为:eth0的状态为stale

[[email protected] apk]# ip -s neighbour change to 10.0.2.6 dev eth0 lladdr 22:33:aa:33:44:dd nud stale

路由表管理

1 说明
路由类型

unicast
    - the route entry describes real paths to the destinations covered by the route prefix.

unreachable
    -  these  destinations  are  unreachable.  Packets  are  discarded and the ICMP message host unreachable is generated.  The local senders get an EHOSTUNREACH error.

blackhole
    - these destinations are unreachable. Packets are discarded silently.  The local senders get an EINVAL error.

prohibit
    -  these destinations are unreachable. Packets are discarded and the ICMP message communication administratively prohibited is generated. The local senders get an EACCES error.

local
    - the destinations are assigned to this host. The packets are looped back and delivered locally.

broadcast
    - the destinations are broadcast addresses. The packets are sent as link broadcasts.

throw
    - a special control route used together with policy rules. If such a route is selected,  lookup  in this  table  is terminated pretending that no route was found. Without policy routing it is equivalent to the absence of the route in the routing table. The packets are dropped and the ICMP message net  unreachable is generated. The local senders get an ENETUNREACH error.

nat
    - a special NAT route. Destinations covered by the prefix are considered to be dummy (or external) addresses which require translation to real (or internal) ones before forwarding. The addresses to translate to are selected with the attribute via. Warning: Route NAT is no longer supported in Linux 2.6.

anycast
    - (not implemented) the destinations are anycast addresses assigned to this host. They are mainly equivalent to local with one difference: such addresses are invalid when used as the source address of any packet.

multicast
    - a special type used for multicast routing. It is not present in normal routing tables.

2 其它,这里偷个懒,参数列表实在太多了,相关说明直接看命令帮助文档吧 :)

其它类管理

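路由策略(ip rule),xfrm网络安全框架(IPsec),token,监控对象状态(ip monitor)等等,本文没有展开。其中 ip xfrm state 的 ALGO_KEY 是 IPsec 密钥,直接写在命令行里会留在 shell 历史和进程列表中,操作时要注意保护。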

参考资料

【0】man ip
【1】linux network namespace 学习
https://segmentfault.com/a/1190000004059167
【2】linux IP 命令使用举例(转)
http://www.cnblogs.com/bamboo-talking/archive/2013/01/10/2855306.html
【3】linux XFRM整体框架简单分析
https://blog.csdn.net/scottgly/article/details/6978229
【4】一个网卡绑定多个IP和多个网卡用一个ip的设置
http://www.cnblogs.com/dkblog/archive/2011/07/26/2117383.html
【5】邻居表(Neighbour Table)问题
https://wenku.baidu.com/view/39fc2d0c581b6bd97f19ea19.html
【6】一道路由器的路由表填写习题,答案看不懂
https://segmentfault.com/q/1010000002234926
【7】Windows路由表详解
https://www.cnblogs.com/croso/p/5309553.html

原文地址:https://www.cnblogs.com/wadeyu/p/8858101.html

时间: 2024-08-02 23:40:43
