Policy Routing Using Linux

Abbreviations: tunnel, tunl

The tunnel objects encapsulate packets within IPv4 packets and sends them over the IP infrastructure.

As with the other sections this will make more sense if you understand the logic of the command line. The output of ip tunnel help is as follows :

Usage: ip tunnel { add change del show } [ NAME ] [ mode { ipip gre sit } ] [ remote ADDR ] [ local ADDR ] [ [io]seq ] [ [io]key KEY ] [ [io]csum ] [ ttl TTL ] [ tos TOS ] [ [no]pmtudisc ] [ dev PHYS_DEV ] Where: NAME := STRING ADDR := { IP_ADDRESS any } TOS := { NUMBER inherit } TTL := { 1..255 inherit } KEY := { DOTTED_QUAD NUMBER }

ip tunnel add ” Creating Tunnels

Use this command to create IPIP, GRE, or SIT tunnels.

Abbreviations: add, a

Arguments

These options define how to setup a tunnel.

• name NAME (default) ”Select the tunnel device name.

• mode MODE ”Set the tunnel mode. Three modes are available: ipip, sit , and gre .

• remote ADDRESS ”Set the remote endpoint of the tunnel.

• local ADDRESS ”Set the fixed local address for tunneled packets. It must be an address on another interface of this host.

• ttl N ”Set fixed TTL N on tunneled packets. N is a number in the range 1 “255. is a special value, meaning that packets inherit TTL value. Default value is inherit .

• tos TOS or dsfield TOS ”Set fixed TOS on tunneled packets. Default value is inherit .

• dev NAME ”Bind the tunnel to device NAME , so that tunneled packets will be routed only via this device and will not able to escape to another device when the route to an endpoint changes.

• nopmtudisc ” Disable Path MTU Discovery on this tunnel. It is enabled by default. Note that a fixed TTL is incompatible with this option. A tunnel with fixed TTL always performs pmtu discovery.

• key K , ikey K , okey K (GRE only) ”Use keyed GRE with key K. K is either a number or an IP address-like dotted quad. The parameter key sets key to use in both directions; ikey and okey allow setting different keys for input and output.

• csum, icsum, ocsum (GRE only) ”Checksum tunneled packets. The flag ocsum orders the checksumming of outgoing packets, and icsum requires that all the input packets have a correct checksum. csum is equivalent to the combination icsum ocsum .

• seq, iseq, oseq (GRE only) ”Serialize packets. The flag oseq enables sequencing outgoing packets, and iseq requires that all input packets be serialized. seq is equivalent to the combination iseq oseq .

ip tunnel add Examples

To create POINTOPOINT IPv6 tunnel with maximum TTL of 32:

ip tunl add Cisco mode sit remote 192.31.7.104 local 192.203.80.142 ttl 32

ip tunnel show ” List Tunnel Attributes

Use this command to list tunnel attributes.

Abbreviations: show, list, sh, ls, l

Example

kuznet@amber~ $ ip tunl ls Cisco Cisco: ipv6/ip remote 192.31.7.104 local 192.203.80.142 ttl 32

The line starts with the tunnel device name terminated by a colon , then the tunnel mode follows. The parameters of the tunnel are listed with the same keywords used at tunnel creation.

kuznet@amber~ $ ip -s tunl ls Cisco Cisco: ipv6/ip remote 192.31.7.104 local 192.203.80.142 ttl 32 RX Packets Bytes Errors CsumErrs OutOfSeq Mcasts 12566 1707516 0 0 0 0 TX Packets Bytes Errors DeadLoop NoRoute NoBufs 13445 1879677 0 0 0 0

Essentially these numbers are the same as those printed using ip -s link show , but the tags are different to reflect tunnel-specific features. These features are

• CsumErrs ” The total number of packets dropped because of checksum failures for a GRE tunnel with enabled checksumming.

• OutOfSeq ” The total number of packets dropped because they arrived out of sequence for a GRE tunnel with enabled serialization.

• Mcasts ” The total number of multicast packets received on a broadcast GRE tunnel.

• DeadLoop ” The total number of packets that were not transmitted because the tunnel is looped back to itself.

• NoRoute ” The total number of packets that were not transmitted because there is no IP route to a remote endpoint.

• NoBufs ” The total number of packets that were not transmitted because the kernel failed to allocate the buffer.