Tools IPRoute2 Lead image: Lead Image © donatas1205, 123RF.com
Lead Image © donatas1205, 123RF.com
 

Network management with the IPRoute2 toolbox

A Well-Stocked Toolbox

Traditional administration command-line tools such as ifconfig, route, and arp are almost as old as TCP/IP itself. We provide an overview of how the IPRoute2 toolkit now unifies the management of kernel network components. By Eric Amberg

IPRoute2 is the successor to the net-tools networking utilities, including ifconfig and route. Instead of having to use a separate tool for every aspect of network management, with IPRoute2, administrators now have a unified interface. Although IPRoute2 has been available for some time, the toolbox has struggled to replace the legacy tools.

Feature Scope

IPRoute2 [1] lets the admin manage most aspects of the network, including:

Management features cover both IPv4 and IPv6, and new features are implemented in a timely manner. For example, 6rd tunnel management [2] has already been added. IPRoute2 is now part of the basic install set for all major Linux distributions and is fundamental to many of the advanced network features. For example, IPRoute2 is required for some routing and gateway functions. Even the Gnome desktop cannot communicate on the network without IPRoute2.

IPRoute2 Programs and Files

Usually the configuration files for the individual tools are located in /etc/iproute2 and contain some values that are required only in advanced scenarios. Most of the programs provided by IPRoute2 have a special task, and all of them play a specific role in managing network functions:

The most important tool in IPRoute2 is ip. It handles most of the common tasks associated with network management by specifying particular objects and providing them with the desired parameters and options that serve as the context. Important contexts include, for example:

The commands do not typically need to be fully entered as rules; they can be completed just to the extent at which they become unambiguous. Thus, ip address, ip addr, and ip a all output the IP configuration of the interface. The complete command is actually ip address show, and appropriate show commands are available for almost all contexts. These may also be the default values (Figure 1).

The most important tool in IPRoute2 is ip.
Figure 1: The most important tool in IPRoute2 is ip.

In many cases, additional options can be set for the show commands. For example, if you only want to output the IP configuration for eth0, the short command is

ip address show eth0 or ip a s eth0

for short.

As with ifconfig, information for both IPv4 and IPv6 is output. If you prefer to restrict the output to one of the two protocol versions, you can enable the option ip -4 or ip -6 as a filter.

Self-Help

Help is available from the man pages for each tool in IPRoute2 and via the help option, which can be specified after the respective context. For example,

ip addr help

shows context-sensitive help for the ip addr options. Detailed information is provided by the man pages for the individual contexts. In the case of ip addr, for example, you can call:

man ip-address

The specific call required for the context in question is shown in the SEE ALSO section of the man page for ip itself, that is, man ip 8.

Managing IP Addresses

To assign an additional IP address of 172.16.55.1/24 to the interface eth0, you would issue the following command:

ip address add 172.16.55.1/24 brd 172.16.55.255 dev eth0

The specification of the broadcast address (brd) is optional, but still recommended. To remove the assignment of an IP address from an interface, you need the del option, as the following example shows:

ip address del 172.16.55.1/24 dev eth0

The flush option takes a somewhat harder line here, and it also lets you remove all the IP addresses from an interface. To remove all IP addresses from the interface eth0, you can enter:

ip address flush dev eth0

This condition persists until the interface is reinitialized. Also, DHCP-based interfaces do not immediately pick up a new address after their previous address is removed.

The important thing is that this kind of IP address manipulation for an interface does not end up in the configuration file. After reinitializing the interface or restarting the system, the changes made by ip are no longer available. If you want them to stick, you need to create a startup script.

Predestined for IPv6

The ip command lets you view and manipulate the advanced features of IPv6. This includes, for example, the prefix policy as per RFC 3484, which defines the rules by which the various IPv6 addresses are used. This policy can be displayed by typing ip addrlabel or ip addrl (Figure 2). The label determines the priority of each address. The well-known IPv6 prefixes are used here.

Showing the prefix policy for IPv6.
Figure 2: Showing the prefix policy for IPv6.

Because the various IPv6 addresses assigned to an IPv6-enabled interface have a different scope, the labels ensure that an IPv6 packet uses a sender address that matches the destination address.

To do this, the label of a source address in an incoming packet is used to find a suitable local address that has the same scope.

For example, to add another entry for the prefix 2002::2/64 with a label of 99 to this prefix policy, you can use the following:

ip addrlabel add prefix 2002::2/64 label 99

Accordingly, you can do:

ip addrlabel del prefix 2002::2/64 label 99

to remove prefixes with their labels again.

One Level Down

Link-layer information, that is, MAC addresses and the like, is handled by the link option. For example, using ip link or ip link show shows you the low-level information about the interfaces (Figure 3) in a similar way to ip address. Using

ip -s link show

gives you a statistical overview of the available interfaces, which can be limited by adding the interface again:

ip -s link show eth0

In a way that is almost typical of Linux, you can extend the output by adding another -s. For example:

ip -s -s link show eth0

However, the combination of both -s and -ss is not possible.

Link-layer information is displayed by ip with the link option.
Figure 3: Link-layer information is displayed by ip with the link option.

The command ip link set lets you set various hardware parameters for the interfaces. For example, you can shut down the eth0 interface with

ip link set eth0 down

and fire it up again with:

ip link set eth0 up

Additionally, you can manipulate the maximum transmission unit (MTU), the MAC address, promiscuous mode, and many other parameters.

Good Neighbors

Another useful option is neighbor. It lets admins display and manipulate the IPv4 ARP cache and the IPv6 NDISC cache [3]. NDISC replaces the ARP mechanism in IPv6. The command

ip neighbor show

returns all cached mappings between MAC addresses and logical addresses for both IPv4 and IPv6. To restrict your results to one protocol, add -4 or -6 (e.g., -4 ip neighbor show).

In some situations, static addressing assignments are useful (e.g., to make address spoofing more difficult). Additionally, selectively preventing access to hosts with an intentionally incorrect link-layer address means a host cannot be addressed. If you want to assign the IP address 10.1.1.1 to a fixed MAC address of 00:d0:a7:b1:c7:de on eth1, the following command will do the trick:

ip neigh add 10.1.1.1 lladdr 00:d0:a7:b1:c7:de dev eth1 nud perm

Here, nud stands for Neighbor Unreachability Detection, a mechanism that was introduced in IPv6 but that can also set the status of an entry in IPv4. Conversely, an entry can also be removed using:

ip neigh del 10.1.1.1 dev eth1

The IPRoute2 toolbox is extremely comprehensive; ip alone contains a seemingly endless number of possibilities and options.

More Options for ip

The ip route command lets you view and manipulate the kernel routing table. For example, ip route show displays the IPv4 routing table, and ip -6 route show generates the same output for IPv6. A static route, say, for the prefix 200.1.1.0/24 via the next hop at 10.1.1.254, can be created with the command:

ip route add 200.1.1.0/24 via 10.1.1.254

Similarly, you can delete or modify routes or even configure forbidden paths. This approach applies equally to IPv4 and IPv6, of course.

With ip, you also can adjust the multicast properties, configure different types of tunnels, and manipulate the Routing Policy Database (RPDB) [4], which determines the routing table used to forward a packet.

Traffic Shaping

Beyond ip, IPRoute2 offers several other ways of manipulating network traffic – in particular, the tc (Traffic Control) tool. With tc, you can manage QoS and traffic shaping, which is based on queuing mechanisms, wherein individual queues (interface queues) are assigned to certain traffic. On the basis of the IP QoS mechanisms, which set an appropriate value in the Type of Service (ToS) byte in the IP header, each packet can be assigned to a particular queue, which, in turn, is associated with a predetermined processing priority.

In this way, the Linux kernel can ensure that a certain amount of bandwidth is reserved for important traffic flows, and that less important traffic is limited at the same time. The concept of traffic shaping relies on various mechanisms, including CBQ [5], wherein the traffic is divided into different classes that are then prioritized.

Conclusions

IPRoute2 is a comprehensive toolbox with capabilities that are not immediately apparent. Although IPRoute2 is already used in many scenarios behind the scenes, its use at the command line has not quite taken root in the minds of many administrators. However, the learning curve is not as long and arduous as many admins might fear.

Of course, you cannot intuitively grasp all the options and features of IPRoute2, but working with tools such as ip or tc quickly provides new opportunities that may be of inestimable value for analysis and troubleshooting. Additionally, you have to consider that the upcoming IPv6 can no longer be managed in any other way than with the new ip tool.