Network management with the IPRoute2 toolbox
A Well-Stocked Toolbox
IPRoute2 is the successor to the net-tools networking utilities, including ifconfig and route. Instead of having to use a separate tool for every aspect of network management, administrators now have a unified interface with IPRoute2. Although IPRoute2 has been available for some time, the toolbox has struggled to replace the legacy tools.
Feature Scope
IPRoute2 [1] lets the admin manage most aspects of the network, including:
- IP configuration of interfaces
- Adding and deleting entries in the routing table
- Adjusting the ARP cache settings or NDISC (Neighbor Discovery)
- Managing network tunnels
- Displaying the link-layer information (MAC addresses, etc.)
- Configuring Quality of Service (QoS)
Management features cover both IPv4 and IPv6, and new features are implemented in a timely manner. For example, 6rd tunnel management [2] has already been added. IPRoute2 is now part of the basic install set for all major Linux distributions and is fundamental to many of the advanced network features. For example, IPRoute2 is required for some routing and gateway functions. Even the Gnome desktop cannot communicate on the network without IPRoute2.
IPRoute2 Programs and Files
Usually the configuration files for the individual tools are located in /etc/iproute2 and contain some values that are required only in advanced scenarios. Most of the programs provided by IPRoute2 have a special task, and all of them play a specific role in managing network functions:
- /sbin/ip – The main program, with which most network aspects of the Linux kernel can be controlled.
- /sbin/cbq – Serves as a sample script for class-based QoS (class-based queuing, CBQ).
- /sbin/ifcfg – Replaces the IP address management option in ifconfig.
- /sbin/rtmon – Enables monitoring of the routing table.
- /sbin/tc – Used to configure advanced traffic control features.
- /sbin/arpd – Collects gratuitous ARP information. These ARP messages announce a change in the IP-to-MAC address mapping.
- /sbin/lnstat – Shows kernel statistics on various aspects of network communication and replaces rtstat.
- Additional tools – /sbin/nstat and /sbin/rtacct are simple tools for displaying SNMP counters and network statistics.
The most important tool in IPRoute2 is ip. It handles most of the common tasks associated with network management: you name a particular object, which serves as the context, and give it the desired parameters and options. Important contexts include, for example:
- Link – Displays or manipulates information at the link-layer level.
- Address – Displays or manipulates IP information.
- Route – Displays or manipulates routing information.
- Tunnel – Displays or manipulates tunnel configurations.
- Xfrm – Displays or manipulates IPsec policies.
The commands typically do not need to be entered in full; they can be abbreviated to the point at which they become unambiguous. Thus, ip address, ip addr, and ip a all output the IP configuration of the interfaces. The complete command is actually ip address show, and appropriate show commands are available for almost all contexts; show is also the default action when none is given (Figure 1).
In many cases, additional options can be set for the show commands. For example, if you only want to output the IP configuration for eth0, the command is ip address show eth0, or ip a s eth0 for short.
As with ifconfig, information for both IPv4 and IPv6 is output. If you prefer to restrict the output to one of the two protocol versions, you can use ip -4 or ip -6 as a filter.
Self-Help
Help is available from the man pages for each tool in IPRoute2 and via the help option, which can be specified after the respective context. For example,
ip addr help
shows context-sensitive help for the ip addr options. Detailed information is provided by the man pages for the individual contexts. In the case of ip addr, for example, you can call:
man ip-address
The specific call required for the context in question is shown in the SEE ALSO section of the man page for ip itself, that is, man 8 ip.
Managing IP Addresses
To assign an additional IP address of 172.16.55.1/24 to the interface eth0, you would issue the following command:
ip address add 172.16.55.1/24 brd 172.16.55.255 dev eth0
The specification of the broadcast address (brd) is optional, but still recommended. To remove the assignment of an IP address from an interface, you need the del option, as the following example shows:
ip address del 172.16.55.1/24 dev eth0
The flush option takes a somewhat harder line here: it removes all the IP addresses from an interface at once. To remove all IP addresses from the interface eth0, you can enter:
ip address flush dev eth0
This condition persists until the interface is reinitialized. Also, DHCP-based interfaces do not immediately pick up a new address after their previous address is removed.
The important thing is that this kind of IP address manipulation for an interface does not end up in any configuration file. After reinitializing the interface or restarting the system, the changes made by ip are no longer present. If you want them to stick, you need to create a startup script.
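One way to build such a startup script so that it can be run repeatedly without failing on an address or route that already exists. This is an added example, not code from the article; the interface name, addresses and next hop are constructed sample values, and the helper functions check the one-line output of ip -o -4 address show and ip -4 route show before calling ip address add or ip route add.

```shell
#!/bin/sh
# Added example (not from the article): idempotent address and route setup
# for a startup script, since changes made with ip do not survive a
# reinitialization of the interface. Names and addresses are constructed samples.

# Return 0 if CIDR $3 is already configured on device $2, judging from the
# output of "ip -o -4 address show" passed in as $1. A sample line looks like:
# "2: eth0    inet 172.16.55.1/24 brd 172.16.55.255 scope global eth0\  valid_lft forever ..."
# so field 2 is the device, field 3 the family and field 4 the CIDR.
addr_present() {
    printf '%s\n' "$1" | awk -v dev="$2" -v cidr="$3" \
        '$2 == dev && $3 == "inet" && $4 == cidr { found = 1 } END { exit !found }'
}

# Return 0 if a route for prefix $2 (for example "200.1.1.0/24" or "default")
# appears in the output of "ip -4 route show" passed in as $1.
route_present() {
    printf '%s\n' "$1" | awk -v prefix="$2" \
        '$1 == prefix { found = 1 } END { exit !found }'
}

# Add CIDR $2 with broadcast address $3 to device $1 unless it is already there.
ensure_addr() {
    if addr_present "$(ip -o -4 address show dev "$1")" "$1" "$2"; then
        echo "address $2 already present on $1"
    else
        ip address add "$2" brd "$3" dev "$1"
    fi
}

# Add a route for prefix $1 via next hop $2 unless it is already present.
ensure_route() {
    if route_present "$(ip -4 route show)" "$1"; then
        echo "route for $1 already present"
    else
        ip route add "$1" via "$2"
    fi
}

# Usage from a startup script (needs root and a real interface, so not run here):
#   ensure_addr eth0 172.16.55.1/24 172.16.55.255
#   ensure_route 200.1.1.0/24 10.1.1.254
```

The -o (one line per entry) flag of ip keeps each address on a single line, which is what makes the awk field test reliable; without it, the CIDR sits on a continuation line below the interface name.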
Predestined for IPv6
The ip command lets you view and manipulate the advanced features of IPv6. This includes, for example, the prefix policy as per RFC 3484, which defines the rules by which the various IPv6 addresses are used. This policy can be displayed by typing ip addrlabel or ip addrl (Figure 2). The label determines the priority of each address. The well-known IPv6 prefixes are used here.
Because the various IPv6 addresses assigned to an IPv6-enabled interface have a different scope, the labels ensure that an IPv6 packet uses a sender address that matches the destination address. To do this, the label of a source address in an incoming packet is used to find a suitable local address that has the same scope.
For example, to add another entry for the prefix 2002::2/64 with a label of 99 to this prefix policy, you can use the following:
ip addrlabel add prefix 2002::2/64 label 99
Accordingly, you can do:
ip addrlabel del prefix 2002::2/64 label 99
to remove prefixes with their labels again.
One Level Down
Link-layer information, that is, MAC addresses and the like, is handled by the link option. For example, ip link or ip link show shows you the low-level information about the interfaces (Figure 3) in a similar way to ip address. Using
ip -s link show
gives you a statistical overview of the available interfaces, which can be limited to one interface by adding its name:
ip -s link show eth0
In a way that is almost typical of Linux, you can extend the output by adding another -s. For example:
ip -s -s link show eth0
However, the combination of both -s and -ss is not possible.
The command ip link set lets you set various hardware parameters for the interfaces. For example, you can shut down the eth0 interface with
ip link set eth0 down
and fire it up again with:
ip link set eth0 up
Additionally, you can manipulate the maximum transmission unit (MTU), the MAC address, promiscuous mode, and many other parameters.
Good Neighbors
Another useful option is neighbor. It lets admins display and manipulate the IPv4 ARP cache and the IPv6 NDISC cache [3]. NDISC replaces the ARP mechanism in IPv6. The command
ip neighbor show
returns all cached mappings between MAC addresses and logical addresses for both IPv4 and IPv6. To restrict your results to one protocol, add -4 or -6 (e.g., ip -4 neighbor show).
In some situations, static address assignments are useful (e.g., to make address spoofing more difficult). Additionally, selectively preventing access to hosts with an intentionally incorrect link-layer address means a host cannot be addressed. If you want to assign the IP address 10.1.1.1 to a fixed MAC address of 00:d0:a7:b1:c7:de on eth1, the following command will do the trick:
ip neigh add 10.1.1.1 lladdr 00:d0:a7:b1:c7:de dev eth1 nud perm
Here, nud stands for Neighbor Unreachability Detection, a mechanism that was introduced in IPv6 but that can also set the status of an entry in IPv4. Conversely, an entry can also be removed using:
ip neigh del 10.1.1.1 dev eth1
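Static entries make spoofing harder, but they do not tell you when a cached mapping on a non-static host has changed. The following added example (not from the article) compares the output of ip -4 neigh show against a baseline of expected IP-to-MAC pairs and reports every entry whose link-layer address differs, which is a cheap check to run from cron or a monitoring agent. All addresses are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the article): detect changed IP-to-MAC mappings by
# comparing the neighbor cache with a baseline. Sample values are constructed.

# $1: output of "ip -4 neigh show", one entry per line, for example
#     "10.1.1.1 dev eth1 lladdr 00:d0:a7:b1:c7:de REACHABLE"
#     (entries in FAILED or INCOMPLETE state carry no lladdr and are skipped)
# $2: baseline with one "IP MAC" pair per line
# Prints one line per mismatch and returns 1 if any mismatch was found, else 0.
neigh_mismatches() {
    printf '%s\n' "$1" | awk -v base="$2" '
        BEGIN {
            # Load the baseline into expect[ip] = mac (lower-cased for comparison).
            n = split(base, lines, "\n")
            for (i = 1; i <= n; i++) {
                if (lines[i] == "") continue
                split(lines[i], f, " ")
                expect[f[1]] = tolower(f[2])
            }
        }
        # Only entries that actually carry a link-layer address are compared.
        $2 == "dev" && $4 == "lladdr" && ($1 in expect) && expect[$1] != tolower($5) {
            print $1 " expected " expect[$1] " seen " tolower($5) " on " $3
            bad++
        }
        END { exit bad > 0 }'
}

# Typical use on a live system (needs the ip tool; not run here):
#   neigh_mismatches "$(ip -4 neigh show)" "$(cat /etc/neigh-baseline.txt)"
```

A mismatch is not proof of spoofing; a replaced network card or a failover pair sharing a virtual IP also changes the mapping, so the baseline needs to be maintained alongside such changes.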
The IPRoute2 toolbox is extremely comprehensive; ip alone contains a seemingly endless number of possibilities and options.
More Options for ip
The ip route command lets you view and manipulate the kernel routing table. For example, ip route show displays the IPv4 routing table, and ip -6 route show generates the same output for IPv6. A static route, say, for the prefix 200.1.1.0/24 via the next hop at 10.1.1.254, can be created with the command:
ip route add 200.1.1.0/24 via 10.1.1.254
Similarly, you can delete or modify routes or even configure forbidden paths. This approach applies equally to IPv4 and IPv6, of course.
With ip, you also can adjust the multicast properties, configure different types of tunnels, and manipulate the Routing Policy Database (RPDB) [4], which determines the routing table used to forward a packet.
Traffic Shaping
Beyond ip, IPRoute2 offers several other ways of manipulating network traffic – in particular, the tc (Traffic Control) tool. With tc, you can manage QoS and traffic shaping, which is based on queuing mechanisms, wherein individual queues (interface queues) are assigned to certain traffic. On the basis of the IP QoS mechanisms, which set an appropriate value in the Type of Service (ToS) byte in the IP header, each packet can be assigned to a particular queue, which, in turn, is associated with a predetermined processing priority.
In this way, the Linux kernel can ensure that a certain amount of bandwidth is reserved for important traffic flows, and that less important traffic is limited at the same time. The concept of traffic shaping relies on various mechanisms, including CBQ [5], wherein the traffic is divided into different classes that are then prioritized.
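The following added example (not from the article) shows what such a ToS-based shaping setup looks like as a sequence of tc commands: a root qdisc, a guaranteed-rate class for priority traffic, a default class for everything else, and a u32 filter that steers packets by the ToS byte. It uses the HTB qdisc rather than the CBQ mentioned above, a substitution made because HTB needs fewer parameters; the interface name, rates and ToS value are constructed sample values. With DRY_RUN=1 the commands are printed instead of executed, so the plan can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example (not from the article): ToS-based traffic shaping with tc.
# HTB is used instead of CBQ as a simpler substitute. All values are constructed.

# Execute the given command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# $1: interface, $2: total rate of the link, $3: rate guaranteed to priority traffic
shape_iface() {
    dev=$1; total=$2; prio_rate=$3
    # Root HTB qdisc; packets not matched by any filter land in class 1:30.
    run tc qdisc add dev "$dev" root handle 1: htb default 30
    # Parent class bounding everything to the total rate.
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "$total"
    # Priority class: guaranteed rate, may borrow up to the total when idle.
    run tc class add dev "$dev" parent 1:1 classid 1:10 htb rate "$prio_rate" ceil "$total" prio 1
    # Default class for the remaining traffic (constructed 1mbit floor).
    run tc class add dev "$dev" parent 1:1 classid 1:30 htb rate 1mbit ceil "$total" prio 3
    # Classify on the ToS byte: 0x10 ("minimize delay") goes to the priority class.
    run tc filter add dev "$dev" parent 1: protocol ip prio 1 u32 match ip tos 0x10 0xff flowid 1:10
}

# Remove the whole shaping tree again (deleting the root qdisc drops its classes and filters).
unshape_iface() {
    run tc qdisc del dev "$1" root
}

# Review the plan first, then apply it as root:
#   DRY_RUN=1 shape_iface eth0 10mbit 6mbit
#   shape_iface eth0 10mbit 6mbit
```

Because deleting the root qdisc removes every class and filter beneath it, unshape_iface is a single command; this also means a mistyped shape_iface call can always be undone in one step.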
Conclusions
IPRoute2 is a comprehensive toolbox with capabilities that are not immediately apparent. Although IPRoute2 is already used in many scenarios behind the scenes, its use at the command line has not quite taken root in the minds of many administrators. However, the learning curve is not as long and arduous as many admins might fear.
Of course, you cannot intuitively grasp all the options and features of IPRoute2, but working with tools such as ip or tc quickly provides new opportunities that may be of inestimable value for analysis and troubleshooting. Additionally, you have to consider that the upcoming IPv6 can no longer be managed in any other way than with the new ip tool.