HPE NonStop CIP Manpages


HPE NonStop Cluster I/O Protocols (CIP) CLIMCMD Manpages

Abstract

This document consolidates the CLIMCMD manpages of the CIP subsystem for Hewlett Packard Enterprise systems that use the HPE NonStop operating system. It publishes the manpages for offline reference; they are otherwise available online on a running system.

Technical White Paper

Part Number: 875808-001

Published: March 2017

About This Document

This manual provides consolidated CLIMCMD manpages for the HPE NonStop Cluster I/O Protocols (CIP) subsystem. Each manpage is included in its original format, preserving its independent page numbers.

Table of Contents

The manpages are included in alphabetical order. When opened as a PDF file, the bookmark references (normally in the left pane of the PDF viewer) function as the table of contents for this document. Note that the page numbers are preserved within each manpage to match the output of the manpage shown through CLIMCMD.

Intended Audience

This manual is intended for network and storage administrators who need manpages for CLIM commands for managing the CIP subsystem on an HPE Integrity NonStop system.

Publishing History

Part Number   Product Version   Publication Date
875808-001    L02, L03          March 2017

© Copyright 2017 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for HPE products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HPE shall not be liable for technical or editorial errors or omissions contained herein.

875808-001, March 2017

clim(1) clim(1)

NAME

clim − query and control the CLIM software.

SYNOPSIS

CLIMCMD {clim-name|ip-address} clim [option]

CLIM DESCRIPTION

clim provides a set of commands to query and control the CLIM software, and to display the process status of each of the clim processes.

PARAMETERS

abort

Abort and dump all CLIM processes.

clearlog

Allows a CLIM that has stopped trying to restart itself after reaching a retry threshold to be resumed. Should be followed by ’clim start’.

disable-policy-routing

Disables policy routing on the next CLIM reboot.

enable-policy-routing

Enables policy routing on the next CLIM reboot. This is the default configuration.

info

Provides clim configuration information. This command displays the current value/status of configurable clim parameters.

onlinedebug

Packages clim-related information into a compressed tar file for debugging purposes.

reboot

Reboots the CLIM, after taking a system memory dump.

start

Starts the CLIM software.

status

Displays the process status of the CLIM processes. The details of the CLIM processes in terms of system resource consumption are displayed. This is essentially the same as executing the psclim command at the prompt.

ERROR MESSAGES

None.

CONSIDERATIONS

1. If the application restart threshold is exceeded, the ’clim start’ command will output an error message and switch from doing an application level restart to doing a CLIM reboot.

If the CLIM reboot threshold is exceeded, the ’clim start’ command will output an error message and exit without attempting to do any further application-level restarts or reboots. Once the CLIM has given up attempting to restart the CLIM, operator intervention will be required to enable the CLIM to restart. The operator can accomplish this by using the ’clim clearlog’ command, which will delete the log.

EXAMPLES

None.

SEE ALSO

psclim(1), climstatus(1)

1

climconfig(1) climconfig(1)

NAME

climconfig − configure network protocol parameters

SYNOPSIS

CLIMCMD {clim-name|ip-address} climconfig command [parameter]

CLIMCONFIG DESCRIPTION

This command is a parameter to the CLIMCMD command-line interface. It allows you to configure network, IPSec, climiptables, iptables, ip6tables, failover and SNMP parameters. Enter CLIMCMD at the TACL prompt on the NonStop system, followed by the clim-name or CLIM IP address, climconfig, and one or more command objects and their associated parameters.

COMMANDS

climconfig supports the network configuration commands documented in this section.

ERROR MESSAGES

None.

EXAMPLES

> CLIMCMD 17.24.17.5 climconfig arp -add eth1 -host 17.24.17.50 &

-hwaddress 00:0E:7f:F5:6E:8A

SEE ALSO

For details about the climconfig command arguments, see the following man pages:

CLIMCMD {clim-name|ip-address} man climconfig.all

CLIMCMD {clim-name|ip-address} man climconfig.arp

CLIMCMD {clim-name|ip-address} man climconfig.bondmode

CLIMCMD {clim-name|ip-address} man climconfig.climiptables

CLIMCMD {clim-name|ip-address} man climconfig.failover

CLIMCMD {clim-name|ip-address} man climconfig.hostname

CLIMCMD {clim-name|ip-address} man climconfig.interface

CLIMCMD {clim-name|ip-address} man climconfig.ip

CLIMCMD {clim-name|ip-address} man climconfig.ip6tables

CLIMCMD {clim-name|ip-address} man climconfig.iptables

CLIMCMD {clim-name|ip-address} man climconfig.prov

CLIMCMD {clim-name|ip-address} man climconfig.psk

CLIMCMD {clim-name|ip-address} man climconfig.remote

1


CLIMCMD {clim-name|ip-address} man climconfig.route

CLIMCMD {clim-name|ip-address} man climconfig.sa

CLIMCMD {clim-name|ip-address} man climconfig.slaveinterface

CLIMCMD {clim-name|ip-address} man climconfig.snmp

CLIMCMD {clim-name|ip-address} man climconfig.sp

CLIMCMD {clim-name|ip-address} man climconfig.sysctl

CLIMCMD {clim-name|ip-address} man climconfig.tunnel

CLIMCMD {clim-name|ip-address} man climconfig.vlan

CLIMCMD {clim-name|ip-address} man climconfig.vpn

CLIMCMD {clim-name|ip-address} man climconfig.vxlan

2

climconfig.all(1) climconfig.all(1)

NAME

climconfig.all − display the entire CLIM configuration

SYNOPSIS

CLIMCMD {clim-name|ip-address} climconfig all -info [-obeyform]

CLIMCONFIG.ALL DESCRIPTION

This command displays the entire CLIM configuration.

PARAMETERS

-info Displays the cumulative output of these commands:

climconfig interface -info all
climconfig vlan -info all
climconfig vxlan -info all
climconfig route -info all
climconfig arp -info
climconfig snmp -info
climconfig bondmode -info
climconfig failover -info
climconfig sysctl -info all
climconfig psk -info
climconfig sp -info
climconfig sa -info
climconfig remote -info
climconfig climiptables -info
climconfig prov -info

-info -obeyform

Displays the cumulative output of these commands followed by the "exit" command:

climconfig interface -info all -obeyform
climconfig vlan -info all -obeyform
climconfig vxlan -info all -obeyform
climconfig snmp -info -obeyform
climconfig bondmode -info -obeyform
climconfig failover -info -obeyform
climconfig sysctl -info all -obeyform
climconfig psk -info -obeyform
climconfig sp -info -obeyform
climconfig sa -info -obeyform
climconfig remote -info -obeyform
climconfig climiptables -info -obeyform
climconfig prov -info -obeyform

ERROR MESSAGES

None.

EXAMPLES

> CLIMCMD n100253 climconfig all -info

> CLIMCMD n100253 climconfig all -info -obeyform

2

climconfig.arp(1) climconfig.arp(1)

NAME

climconfig.arp − manage arp entries

SYNOPSIS

CLIMCMD {clim-name|ip-address} climconfig arp -add

{eth0|interface} -host host -hwaddress MAC-address

CLIMCMD {clim-name|ip-address} climconfig arp -delete

{eth0|interface} -host host

CLIMCMD {clim-name|ip-address} climconfig arp -info

[-obeyform]

CLIMCONFIG.ARP DESCRIPTION

This command:

arp -add

adds information about ARP entries.

arp -delete

deletes manually-added ARP entries.

arp -info

displays manually-added and kernel-added ARP entries.

The arp -add and arp -delete commands add to or delete from the /etc/network/interfaces file and, if the interface is active, from the kernel as well. If the interface is not active, the add and delete commands affect only the /etc/network/interfaces file. The arp -info command displays information about ARP entries in the kernel (both manually-added and automatically-added entries). Entries that are automatically added by the kernel cannot be deleted using this command. This command does not support InfiniBand interfaces.

PARAMETERS

eth0 Specifies the dedicated service LAN interface.

interface

Specifies an interface to configure. The interface can be either an existing physical interface name (for example, eth2) or a bonding interface name (for example, bond0) or a VLAN interface name (for example, e1v7) or a VXLAN interface name (for example e1xzt7).

-host host Specifies the host. Use the host IP address for this parameter.

-hwaddress MAC-address

Specifies the MAC address of the host.

-delete eth0

Specifies the dedicated service LAN interface.

-delete interface

Specifies an interface (physical or bonding or VLAN or VXLAN interface).

-info Displays information about ARP entries.

-obeyform Generates user-configured ARP entries.

ERROR MESSAGES

For arp -add and arp -delete:

The interface interface-name is not configured.

This command is not supported for the interface lo.

This command is not supported for the interface eth0:0.

1


This command is not supported for the interface tunnel-interface.

The specified arp entry already exists for the interface-name.

This command does not support InfiniBand interfaces.

EXAMPLES

> CLIMCMD NCLIM002 climconfig arp -add eth1 -host 15.76.219.4

-hwaddress 00:0E:7f:F5:6E:8A

> CLIMCMD NCLIM001 climconfig arp -add e1v7 -host 10.10.10.10

-hwaddress 00:0E:7F:E8:6D:9A

> CLIMCMD 192.168.36.51 climconfig arp -delete eth1 -host 15.76.219.4

> CLIMCMD NCLIM001 climconfig arp -delete e1xzt7 -host 15.76.219.5

> CLIMCMD N100241 climconfig arp -info

Interface : eth0

IP Address : 192.168.36.11

Hardware Address : 00:01:30:10:E6:50

Hardware Type : ether

Flags : C

Mask :

> CLIMCMD NCLIM003 climconfig arp -info -obeyform

climconfig arp \
-add eth1 \
-host 15.146.232.112 \
-hwaddress 00:1c:c4:de:cf:ae
climconfig arp \
-add eth1 \
-host 15.146.232.113 \
-hwaddress 00:1b:78:07:69:70
climconfig arp \
-add eth1 \
-host 15.146.232.1 \
-hwaddress 00:19:bb:1c:0c:00
#CLIMCMD expects ’exit’ to be the last command.
#This is required to terminate CLIMCMD session.
exit

Termination Info: 0

2

climconfig.bondmode(1) climconfig.bondmode(1)

NAME

climconfig.bondmode − change bonding mode, get bondmode info

SYNOPSIS

CLIMCMD {clim-name|ip-address} climconfig bondmode

-modify bonding-mode [-xmithashpolicy <value>]

[-lacprate <value>] [-adselect <value>]

CLIMCMD {clim-name|ip-address} climconfig bondmode

-info [-obeyform]

CLIMCONFIG.BONDMODE DESCRIPTION

This command displays information about the bonding mode. The bonding mode applies to all the bonding interfaces in the CLIM. Only one slave in the bond is active.

The supported bonding modes are:

mode=1 (active-backup)

Active-backup policy: Only one slave in the bond is active. A different slave becomes active if, and only if, the active slave fails. The bond’s MAC address is externally visible on only one port (network adapter) to avoid confusing the switch. This mode provides fault tolerance. The primary option, specified in the climconfig slave interface command, affects the behavior of this mode.

mode=4 (802.3ad)

IEEE 802.3ad Dynamic link aggregation: Creates aggregation groups that share the same speed and duplex settings. Utilizes all slaves in the active aggregator according to the 802.3ad specification. To utilize this feature, the endpoints to which the CLIM is connected must support IEEE 802.3ad.

mode=5 (balance-tlb)

Adaptive transmit load balancing: channel bonding that does not require any special switch support. The outgoing traffic is distributed according to the current load (computed relative to the speed) on each slave. Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the MAC address of the failed receiving slave.

mode=6 (balance-alb)

Adaptive load balancing: includes balance-tlb plus receive load balancing (rlb) for IPV4 traffic, and does not require any special switch support. The receive load balancing is achieved by ARP negotiation. The bonding driver intercepts the ARP Replies sent by the local system on their way out and overwrites the source hardware address with the unique hardware address of one of the slaves in the bond such that different peers use different hardware addresses for the server.

A different slave becomes active if the active slave fails. The bond MAC address is externally visible on only one network interface to avoid problems in the switch. This mode provides fault tolerance.

Configuring the bonding mode applies to both bond interfaces, bond0 and bond1. Even if those bonds are assigned to different providers on CLIMs with MULTIPROV ON, the bonding mode still applies to both.

PARAMETERS

-modify bonding-mode

Specifies the bonding mode to be applied to all the bonding interfaces.

-xmithashpolicy value

This option specifies the transmit hash policy to use for slave selection in bonding mode 4 (802.3ad). The possible values are 0, 1, and 2.

1


The default value is 0 (layer2).

• 0 (layer2)

This policy uses XOR of the hardware MAC addresses and packet ID type field to generate the hash. This will place all traffic to a particular network peer on the same slave.

• 1 (layer3+4)

This policy uses upper layer protocol information, when available, to generate the hash. This allows for traffic to a particular network peer to span multiple slaves, although a connection will not span across multiple slaves. For fragmented TCP or UDP packets and all other IPv4 and IPv6 protocol traffic, the source and destination port information is omitted. For non-IP traffic, the formula is the same as for the layer2 transmit hash policy.

• 2 (layer2+3)

This policy uses a combination of layer2 and layer3 protocol information to generate the hash. This will place all traffic to a particular network peer on the same slave. For non-IP traffic, the behavior is the same as for the layer2 transmit hash policy. This policy is intended to provide a more balanced distribution of traffic than layer2 alone, especially in environments where a layer3 gateway device is required to reach most destinations.

-lacprate value

This option specifies the rate at which the link partner is asked to transmit LACPDU packets in 802.3ad mode. The possible values are 0 and 1.

The default value is 1 (fast).

• 0 (slow)

Request the link partner to transmit LACPDUs every 30 seconds.

• 1 (fast)

Request the link partner to transmit LACPDUs every 1 second.

-adselect value

This option specifies the 802.3ad aggregation selection logic to use. The possible values are 0, 1, and 2.

The default value is 0 (stable).

• 0 (stable)

The active aggregator is chosen by largest aggregate bandwidth. Reselection of the active aggregator occurs only when all slaves of the active aggregator are down or the active aggregator has no slaves.

• 1 (bandwidth)

The active aggregator is chosen by largest aggregate bandwidth. Reselection occurs if:

- A slave is added to or removed from the bond
- Any slave’s link state changes
- Any slave’s 802.3ad association state changes
- The bond’s administrative state changes to UP

• 2 (count)

The active aggregator is chosen by the largest number of ports (slaves). Reselection occurs as described under the "bandwidth" setting, above. The bandwidth and count selection policies permit failover of 802.3ad aggregations when partial failure of the active aggregator occurs. This keeps the aggregator with the highest availability (either in bandwidth or in number of ports) active at all times.

-info Displays the configured bonding mode. It also displays the values of the associated parameters, if any. The display format is:

2


Example 1:

Bonding Mode : 1 ( active-backup )

Example 2:

Bonding Mode : 4 ( 802.3ad )
Transmit Hash Policy : 2 ( layer2+3 )
LACP Rate : 1 ( fast )
Aggregation Selection : 2 ( count )

-obeyform Generates the configured bonding mode information in modify command format. The display format is:

climconfig bondmode -modify bonding-mode [-xmithashpolicy value] [-lacprate value] [-adselect value]

ERROR MESSAGES

For bondmode -modify:

One or more of the Bonding interfaces is UP

The value of the bonding mode should be either 1, 4, 5, or 6

The software MAC address of the slaves <slave interface> and <slave interface> of bonding interface <bonding interface> cannot be same for bonding mode <mode>.

The <option name> option is supported only for bonding mode 4(802.3ad).

The bonding mode 4(802.3ad) is not supported on <clim mode> CLIM.

WARNING MESSAGES

For bondmode -modify:

• Warning: For bonding mode 4(802.3ad), the line speed and duplex settings of all the slaves of a bonding interface should be the same.

CONSIDERATIONS

The bonding mode cannot be changed while the bonding interfaces are UP.

The bonding mode 4(802.3ad) is supported only on Gen9 L-Series CLIMs.

For modes 5(balance-tlb) and 6(balance-alb), the software MAC addresses of all the slaves of a bonding interface should be unique.

For mode 4(802.3ad), the line speed and duplex settings of all the slaves of a bonding interface should be same.

The xmithashpolicy, lacprate and adselect options can be specified only with bonding mode 4(802.3ad).

EXAMPLES

> CLIMCMD n100253 climconfig bondmode -info

Bonding Mode : 1 ( active-backup )

> CLIMCMD n100253 climconfig bondmode -info -obeyform

climconfig bondmode -modify 1

#CLIMCMD expects ’exit’ to be the last command.

#This is required to terminate CLIMCMD session.

exit

Termination Info: 0

3


> CLIMCMD n100253 climconfig bondmode -info

Bonding Mode : 4 ( 802.3ad )

Transmit Hash Policy : 2 ( layer2+3 )

LACP Rate : 1 ( fast )

Aggregation Selection : 2 ( count )

> CLIMCMD n100253 climconfig bondmode -info -obeyform

climconfig bondmode -modify 4 -xmithashpolicy 2 -lacprate 1 -adselect 2

#CLIMCMD expects ’exit’ to be the last command.

#This is required to terminate CLIMCMD session.

exit

Termination Info: 0

4

climconfig.climiptables(1) climconfig.climiptables(1)

NAME

climconfig.climiptables − configure climiptables

SYNOPSIS

CLIMCMD {clim-name|ip-address} climconfig climiptables

[-prov prov-name] -enable

CLIMCMD {clim-name|ip-address} climconfig climiptables

[-prov prov-name] -disable [-force]

CLIMCMD {clim-name|ip-address} climconfig climiptables

[-prov prov-name] -info [-obeyform]

CLIMCMD {clim-name|ip-address} climconfig climiptables

[-prov prov-name] -status

CLIMCONFIG.CLIMIPTABLES DESCRIPTION

This command allows you to display and configure CLIM IP tables:

climiptables -enable

activates configurations for the climiptables. Enable and disable states are persistent through CLIM reboots and software updates.

climiptables -disable

deactivates configurations for the climiptables. Enable and disable states are persistent through CLIM reboots and software updates.

climiptables -info

displays the state of the climiptables, iptables and ip6tables configurations.

climiptables -info -obeyform

obtains the obeyform lines for configuring climiptables in add/delete command format.

climiptables -status

displays the state of the climiptables.

PARAMETERS

-force

Used with the -disable option, causes the command to bypass user confirmation.

-prov

Specifies a provider name. This option is mandatory for CLIMs that have MULTIPROV set to ON and cannot be used if MULTIPROV is set to OFF. Each provider has its own iptables configuration. The provider name is case-insensitive and always converted to UPPER case.

-obeyform Used with the -info option, obtains climiptables configuration in obeyform format.

ERROR MESSAGES

For climconfig climiptables [-enable | -disable [-force] | -info [-obeyform]]:

Error: File /etc/clim/climiptables/state does not exist.

Error: Cannot open the file /etc/clim/climiptables/state: error code.

Error: invalid version string "version", file "/etc/clim/climiptables/state".

Error: version string major, minor is not compatible, file "/etc/clim/climiptables/state".

1


Error: Invalid climiptables state file.

CONSIDERATIONS

None.

EXAMPLES

To enable climiptables:

> CLIMCMD N1001253 climconfig climiptables -enable
climiptables is now enabled

> CLIMCMD N1001253 climconfig climiptables -disable
Do you want to continue with DISABLING climiptables? yes/[no] - yes
climiptables is now disabled

> CLIMCMD N1001253 climconfig climiptables -force -disable
climiptables is now disabled

> CLIMCMD N1001253 climconfig climiptables -status
climiptables is currently enabled

> CLIMCMD N1001253 climconfig climiptables -info
climiptables is currently enabled
iptables configuration:
-N snmptrap
-A CIP_INPUT -p tcp -m tcp --dport 162 -j snmptrap
-A CIP_INPUT -p udp -m udp --dport 162 -j snmptrap
-A snmptrap ! -s 100.100.100.56/32 -j REJECT --reject-with icmp-port-unreachable
ip6tables configuration:
-P CIP_INPUT DROP

> CLIMCMD N1001253 climconfig climiptables -info -obeyform
climconfig climiptables -disable -force
climconfig iptables -force -N abc
climconfig iptables -force -P CIP_INPUT ACCEPT
climconfig iptables -force -A abc -p tcp -j ACCEPT
climconfig ip6tables -force -P CIP_INPUT DROP
climconfig climiptables -enable

#CLIMCMD expects ’exit’ to be the last command.

#This is required to terminate CLIMCMD session.

exit

Termination Info: 0
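As an added example (not HPE's code or part of the manpage), the following Python parses the climiptables -info output shown above and reports, for an administrator's review, whether the rules are enforced, the CIP_INPUT policy of each table, and which ports are restricted to a single source by a guard chain such as snmptrap. It assumes the rule lines use the iptables-save style shown in the output, with every option taking exactly one argument; the sample text is constructed from the page's example.

```python
import shlex
from dataclasses import dataclass, field


@dataclass
class Rule:
    chain: str
    proto: str = None
    dport: str = None
    target: str = None
    src: str = None
    src_negated: bool = False   # True for "! -s <addr>"


@dataclass
class TableConfig:
    policy: str = None          # from "-P CIP_INPUT <policy>", if present
    rules: list = field(default_factory=list)


def parse_rule(line):
    """Parse one '-A chain ...' line; assumes every option takes one argument."""
    toks = shlex.split(line)
    rule, negate, i = Rule(chain=toks[1]), False, 2
    while i < len(toks):
        tok = toks[i]
        if tok == "!":
            negate, i = True, i + 1
            continue
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if tok == "-p":
            rule.proto = arg
        elif tok == "--dport":
            rule.dport = arg
        elif tok == "-j":
            rule.target = arg
        elif tok == "-s":
            rule.src, rule.src_negated = arg, negate
        negate, i = False, i + 2
    return rule


def parse_climiptables_info(text):
    """Return (enabled, {table-name: TableConfig}) from '-info' output."""
    enabled, tables, current = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("climiptables is currently"):
            enabled = line.endswith(" enabled")
        elif line.endswith("configuration:"):
            current = tables.setdefault(line.split()[0], TableConfig())
        elif current is None:
            continue
        elif line.startswith("-P "):
            _, chain, policy = line.split()
            if chain == "CIP_INPUT":
                current.policy = policy
        elif line.startswith("-A "):
            current.rules.append(parse_rule(line))
    return enabled, tables


def audit_climiptables(text):
    """Findings for review: enforcement, CIP_INPUT policies, port restrictions."""
    enabled, tables = parse_climiptables_info(text)
    findings = []
    if not enabled:
        findings.append("climiptables is disabled: no iptables/ip6tables rules are enforced")
    for name, cfg in tables.items():
        if cfg.policy is None:
            findings.append(f"{name}: no explicit -P CIP_INPUT policy in this configuration")
        elif cfg.policy == "ACCEPT":
            findings.append(f"{name}: CIP_INPUT policy is ACCEPT, unmatched traffic is allowed")
        for r in cfg.rules:
            if r.chain != "CIP_INPUT" or r.dport is None:
                continue
            # A user chain that REJECTs/DROPs all but one source (the page's
            # snmptrap chain) restricts the port to that source.
            guards = [g for g in cfg.rules if g.chain == r.target
                      and g.src_negated and g.target in ("REJECT", "DROP")]
            if guards:
                allowed = ", ".join(g.src for g in guards)
                findings.append(f"{name}: {r.dport}/{r.proto} reachable only from {allowed}")
            elif r.target == "ACCEPT":
                findings.append(f"{name}: {r.dport}/{r.proto} accepted from any source")
    return findings


# Constructed sample, modelled on the -info output shown in the EXAMPLES.
SAMPLE_INFO = """\
climiptables is currently enabled
iptables configuration:
-N snmptrap
-A CIP_INPUT -p tcp -m tcp --dport 162 -j snmptrap
-A CIP_INPUT -p udp -m udp --dport 162 -j snmptrap
-A snmptrap ! -s 100.100.100.56/32 -j REJECT --reject-with icmp-port-unreachable
ip6tables configuration:
-P CIP_INPUT DROP
"""
```

Running audit_climiptables(SAMPLE_INFO) reports that the iptables table has no explicit CIP_INPUT policy and that 162/tcp and 162/udp are reachable only from 100.100.100.56/32, while the ip6tables table (policy DROP, no rules) produces no finding.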

2


SEE ALSO

climconfig iptables, ip6tables

3

climconfig.failover(1) climconfig.failover(1)

NAME

climconfig.failover − configure failover

SYNOPSIS

If CLIM is an OPEN CLIM:

CLIMCMD {clim-name|ip-address} climconfig failover -add src-interface

-dest dest-clim-name.dest-interface [-autofo {cip | partner}]

Else for other types of CLIMs:

CLIMCMD {clim-name|ip-address} climconfig failover -add src-interface

-dest dest-clim-name.dest-interface

CLIMCMD {clim-name|ip-address} climconfig failover -delete

{src-interface|all} [-force]

CLIMCMD {clim-name|ip-address} climconfig failover -info clim-name -interface {interface-name|all} [-obeyform]

CLIMCONFIG.FAILOVER DESCRIPTION

This command allows you to configure the failover behavior between CLIMs. You can configure both physical and bonding interfaces to failover to an interface on a different CLIM.

failover -add adds a failover configuration to the failover.conf file. The command must be run for the CLIM that contains the src-interface for which the failover configuration is to be added.

failover -delete deletes the failover configuration for the specified interface. The command must be run for the CLIM that contains the src-interface with the failover configuration that is to be deleted.

failover -info displays the failover configuration of the specified interface. This command can be run for any CLIM.

PARAMETERS

src-interface

Specifies the native interface name. It can be a physical (Ethernet or InfiniBand) or bonding interface.

dest-clim-name

Specifies the destination CLIM.

dest-interface

Specifies the destination interface. The specified interface can be a physical interface

(Ethernet or InfiniBand) or a bonding interface.

-autofo {cip | partner}

Interface failover attribute. The options are as follows:

cip - If the primary interface goes down, the interface failover is initiated by CIP. If no option is specified with the command, then option cip is taken as the default option.

partner - If the primary interface goes down, the interface failover is externally directed by the NonStop partner process.

-all Deletes all of the failover configurations for the native CLIM.

clim-name Specifies the CLIM containing the interface whose failover configuration is to be displayed.

1


-clim Is the interface containing the failover configuration to display. If you specify interface-name, the output is only one line.

interface-name

Specifies the interface for the failover configuration. For the -info command, the display format is:

clim-name.interface-name failover-clim-name.failover-interface

all Specifies all failover configurations for the CLIM. The display format is:

clim-name.interface-name failover-clim-name.failover-interface-name

-force Runs the command without prompting for confirmation.

-obeyform Generates failover configuration information in add command format.

ERROR MESSAGES

For failover -add:

• Invalid source interface.

• Invalid destination interface, it should be one of the eth[1-n], bond[0-n], or ib[0-n].

• Source and Destination CLIM name are same.

• Failover configuration for the source interface exists.

• The specified destination already exists.

• An Ethernet interface can failover only to another Ethernet interface. The dest-interface is not an Ethernet interface.

• An InfiniBand interface can failover only to another InfiniBand interface. The dest-interface is not an InfiniBand interface.

• The option -autofo is supported only on OPEN CLIMs.

For failover -delete:

• Failover configuration for the source interface does not exist.

For failover -info:

• The CLIM clim-name does not exist.

• The interface interface-name does not exist.

WARNINGS

• Warning: virtio interfaces do not automatically failover due to a host connectivity failure.

CONSIDERATIONS

• Automatic failover of virtio interfaces due to link pulse failure is not supported on VCLIM.

• Failover of virtual interfaces is not supported.

• Failover configuration for a tunnel interface is not supported. Tunnel interfaces are automatically failed over along with the parent physical or bonding interface.

• Failover configuration of VLAN and VXLAN interfaces is not supported. These interfaces will be automatically failed over along with their physical or bonding host interface.

• For each VLAN interface, the failover interface for the associated physical or bonding interface must also have a VLAN interface with the same VID (Virtual LAN Identifier).

• For each VXLAN interface, the failover interface for the associated physical or bonding interface must also have a VXLAN interface with the same VNI (VXLAN Network Identifier), same multicast IP address, and same UDP destination port.

• There cannot be multiple failover configurations for a source interface.

2


• lo, eth0, and eth0:0 cannot be configured to fail over.

• To achieve a failover configuration, two interfaces are associated as a failover pair.

• Each interface can be paired with no more than one other interface and each interface of a pair must use either the other as its failover interface or no failover interface.

• At the time of configuration, the climconfig tool does not validate whether the failover configurations follow failover pairs. The host validates the configuration when the CLIM is STARTED.

• At the time of configuration, the climconfig tool does not validate whether the destination CLIM and destination interface exist and are part of the same provider. The NonStop server host does this validation when the CLIM is STARTED.

• If src-interface is Ethernet, then the dest-interface should also be Ethernet.

• If src-interface is InfiniBand, then the dest-interface should also be InfiniBand.

• Only CLIM interfaces of the same type can be paired. Ethernet and InfiniBand interface pairing is invalid. For example, Ethernet interfaces can be paired only with Ethernet interfaces and InfiniBand interfaces only with InfiniBand interfaces.
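The pairing and same-type rules above are not checked by the climconfig tool at configuration time, so the following Python, added here as an example and not part of HPE's manpages or tooling, parses the SOURCE/DESTINATION[/AUTOFO] table that climconfig failover -info clim-name -interface all prints (as shown in the EXAMPLES) for each CLIM of a pair and reports violations of these considerations before the CLIM is STARTED. It assumes bond interfaces are Ethernet bonds; the sample output is constructed.

```python
import re
from dataclasses import dataclass

# Interfaces the manpage says can never be configured to fail over.
NON_FAILOVER_SOURCES = {"lo", "eth0", "eth0:0"}


@dataclass(frozen=True)
class FailoverEntry:
    src_clim: str
    src_if: str
    dst_clim: str
    dst_if: str
    autofo: str = "cip"  # cip is the default when -autofo is omitted


def interface_family(ifname):
    """Classify an interface name; destinations must be eth[1-n], bond[0-n]
    or ib[0-n]. Assumption: a bond is treated as Ethernet."""
    if re.fullmatch(r"eth[1-9][0-9]*|bond[0-9]+", ifname):
        return "ether"
    if re.fullmatch(r"ib[0-9]+", ifname):
        return "infiniband"
    return None


def parse_failover_info(text):
    """Parse the SOURCE / DESTINATION [/ AUTOFO | FAMILY] table printed by
    'climconfig failover -info <clim> -interface all'. Output captured from
    several CLIMs may be concatenated; each header line resets the columns."""
    entries, columns = [], ["SOURCE", "DESTINATION"]
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "SOURCE":
            columns = parts
            continue
        src_clim, src_if = parts[0].split(".", 1)
        dst_clim, dst_if = parts[1].split(".", 1)
        extras = dict(zip(columns[2:], parts[2:]))
        entries.append(FailoverEntry(src_clim, src_if, dst_clim, dst_if,
                                     extras.get("AUTOFO", "cip")))
    return entries


def validate_failover(entries):
    """Return human-readable violations of the CONSIDERATIONS; [] is clean."""
    problems, by_src, by_dst = [], {}, {}
    for e in entries:
        src, dst = (e.src_clim, e.src_if), (e.dst_clim, e.dst_if)
        name = f"{e.src_clim}.{e.src_if}"
        if src in by_src:
            problems.append(f"{name}: more than one failover configuration")
            continue
        by_src[src] = e
        by_dst.setdefault(dst, []).append(src)
        if e.src_if in NON_FAILOVER_SOURCES:
            problems.append(f"{name}: lo, eth0 and eth0:0 cannot fail over")
        if e.src_clim == e.dst_clim:
            problems.append(f"{name}: source and destination CLIM are the same")
        if e.autofo not in ("cip", "partner"):
            problems.append(f"{name}: -autofo must be cip or partner, not {e.autofo}")
        sf, df = interface_family(e.src_if), interface_family(e.dst_if)
        if df is None:
            problems.append(f"{name}: destination {e.dst_if} is not eth[1-n], bond[0-n] or ib[0-n]")
        elif sf is not None and sf != df:
            problems.append(f"{name} ({sf}) cannot fail over to {e.dst_clim}.{e.dst_if} ({df})")
    # Pairing: a destination serves one source only, and if the destination
    # has its own failover configuration it must point back at the source.
    for (clim, ifname), srcs in by_dst.items():
        if len(srcs) > 1:
            problems.append(f"{clim}.{ifname}: paired with more than one interface")
    for src, e in by_src.items():
        back = by_src.get((e.dst_clim, e.dst_if))
        if back is not None and (back.dst_clim, back.dst_if) != src:
            problems.append(f"{e.src_clim}.{e.src_if} -> {e.dst_clim}.{e.dst_if}, "
                            f"but {e.dst_clim}.{e.dst_if} -> {back.dst_clim}.{back.dst_if}")
    return problems


# Constructed sample: '-info ... -interface all' output from both CLIMs of a
# pair, with one type mismatch (ib0 -> eth3) and one asymmetric bond pairing.
SAMPLE_INFO = """\
SOURCE DESTINATION AUTOFO
OCLIM001.eth1 OCLIM002.eth2 partner
OCLIM001.bond0 OCLIM002.bond0 cip
OCLIM001.ib0 OCLIM002.eth3 cip
SOURCE DESTINATION AUTOFO
OCLIM002.eth2 OCLIM001.eth1 partner
OCLIM002.bond0 OCLIM001.bond1 cip
"""

if __name__ == "__main__":
    for problem in validate_failover(parse_failover_info(SAMPLE_INFO)):
        print(problem)
```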

EXAMPLES

> CLIMCMD N100241 climconfig failover -add eth1 -dest N100242.eth2

> CLIMCMD OCLIM001 climconfig failover -add eth1 -dest OCLIM002.eth2 -autofo partner

> CLIMCMD 17.205.15.2 climconfig failover -delete eth1

> CLIMCMD n100253 climconfig failover -info clim2 eth1

SOURCE        DESTINATION   FAMILY
clim2.eth1    clim1.eth1    INET
clim1.eth2    clim3.eth1    INET

> CLIMCMD n100253 climconfig failover -info climx -interface eth1

SOURCE        DESTINATION
climx.eth1    climy.eth2

> CLIMCMD OCLIM001 climconfig failover -info OCLIM001 -interface all

SOURCE DESTINATION AUTOFO

OCLIM001.eth1 OCLIM002.eth2 partner

> CLIMCMD n100253 climconfig failover -info climx -interface eth1 -obeyform

climconfig failover \
-add eth1 \
-dest climy.eth2

#CLIMCMD expects ’exit’ to be the last command.

#This is required to terminate CLIMCMD session.

exit

SEE ALSO

climconfig interface -add

3

climconfig.hostname(1) climconfig.hostname(1)

NAME

climconfig.hostname − manage the CLIM host name

SYNOPSIS

CLIMCMD {clim-name|ip-address} climconfig hostname -modify hostname

CLIMCMD {clim-name|ip-address} climconfig hostname -info

CLIMCONFIG.HOSTNAME DESCRIPTION

This command modifies and displays the host name of the CLIM.

PARAMETERS

-modify Changes the host name of the specified CLIM.

-info Displays the host name of the specified CLIM.

hostname

Specifies the host name to be modified. The hostname is converted to upper case.

ERROR MESSAGES

None

CONSIDERATIONS

• The host name of a CLIM cannot be modified when the CLIM is in the STARTED state.

• The CLIM host name and the SCF CLIM object name must match. If you change the CLIM host name, you also need to change the name of the CLIM in the host. Use SCF to delete the CLIM and then add a new CLIM with a name that matches the new host name you have assigned to the CLIM.

• Hostname cannot exceed 8 characters.

• If there are any failover configurations existing for the CLIM for which you change the hostname, the climconfig tool automatically changes the source-CLIM name in its failover configurations.

• If the interfaces of the other CLIM are configured to fail over to this CLIM, manually change the failover configurations of the other CLIMs.

EXAMPLES

> CLIMCMD 172.18.105.17 climconfig hostname -info

CLIM1

> CLIMCMD 172.18.105.17 climconfig hostname -modify N100253

SEE ALSO

SCF DELETE CLIM command, SCF ADD CLIM command

1

climconfig.interface(1) climconfig.interface(1)

NAME

climconfig.interface − manage CLIM interfaces

SYNOPSIS

interface -add command:

CLIMCMD {clim-name|ip-address} climconfig interface -add
{eth0:0|interface-name} [-prov prov-name] [-mtu mtu-value | -jumbo { on | off } ]

interface -delete command:

CLIMCMD {clim-name|ip-address} climconfig interface -delete
{eth0:0|interface-name}

interface -modify command for eth0 interface:

CLIMCMD {clim-name|ip-address} climconfig interface -modify eth0
{ [-ipaddress ipv4-address -netmask ipv4-netmask] |
[-autonegotiation on] |
[-autonegotiation on -linespeed 1000 [-duplex full ] ] |
[-autonegotiation { on | off } -linespeed {10 | 100} -duplex { half | full } ]
} [-force]

interface -modify command for data interfaces:

CLIMCMD {clim-name|ip-address} climconfig interface -modify interface-name
{ [-mtu mtu-value] |
[-jumbo { on | off } ] |
[-autonegotiation on] |
[-autonegotiation on -linespeed 1000 -duplex full] |
[-autonegotiation { on | off } -linespeed { 10 | 100 } -duplex { half | full } ] |
[-macaddr {mac address | default} ]
} [-force]

For changing the eth0 IP address:

CLIMCMD {clim-name|ip-address} climconfig interface -modify eth0 -ipaddress ipv4-address -netmask ipv4-netmask

For changing MTU settings:

CLIMCMD {clim-name|ip-address} climconfig interface -modify interface-name -mtu mtu-value

1


For changing jumbo frame settings:

CLIMCMD {clim-name|ip-address} climconfig interface -modify interface-name -jumbo { on | off }

For changing Ethernet card settings:

CLIMCMD {clim-name | ip-address} climconfig interface -modify interface-name [ -force ]
    { [ -autonegotiation on ] |
      [ -autonegotiation on -linespeed 1000 [ -duplex full ] ] |
      [ -autonegotiation { on | off } -linespeed { 10 | 100 } -duplex { half | full } ] }

For changing the MAC address for physical and slave interfaces:

CLIMCMD {clim-name|ip-address} climconfig interface -modify interface-name -macaddr {mac-address|default} [-force]

For displaying the configuration of an interface:

CLIMCMD {clim-name|ip-address} climconfig interface -info {eth0|eth0:0|interface-name|all} [-obeyform]

CLIMCONFIG.INTERFACE DESCRIPTION

This command does the following:

interface -add

adds the interface name to the /etc/network/interfaces file of the CLIM. The host brings up the interface when it is added.

If the CLIM has MULTIPROV ON and the operator specifies the -prov option with the name of an unconfigured prov object, that object is implicitly added. Thus, for an unknown provider, you can specify climconfig interface -add interface-name -prov prov-name, which is the equivalent of issuing the two commands climconfig prov -add prov-name and climconfig interface -add interface-name -prov prov-name.

The interface can be added even when the CLIM is in the STARTED state.

Slave interfaces can be added by using the slaveinterface -configure command. If a bonding interface does not have any slave interfaces, it is not activated by the host.

interface -delete

removes the configured physical or bonding interface and its configuration (all the IP addresses and routes associated with the interface) from the /etc/network/interfaces file of CLIM.

interface -modify

changes the existing interface configuration in the CLIM /etc/network/interfaces file.

For eth0, its IP address or MAC address settings can be modified. For modifying parameters of any option, only the modified parameter can be specified; other unmodified parameters need not be specified. You can modify the jumbo setting, IP address, mtu, autonegotiation settings, and MAC address individually, but not all on the same command. If an option does not exist, the new option and its parameter can be added. However, you cannot delete a previously configured option. This command does not support InfiniBand interfaces.

interface -info

displays the configuration of an interface. For a given interface, the IP address, netmask, gateway, minimum TCP Retransmission Timeout (RTO) value (in milliseconds), and other information are displayed. An interface can have both IPv4 and IPv6 addresses; in this case, the command displays both of the configuration details for the interface. The command displays the configurations only for an interface existing in the /etc/network/interfaces file. To display the configurations for an interface existing in the kernel, use the ifconfig command.

PARAMETERS

eth0 Specifies the dedicated service LAN interface.

eth0:0 Specifies the maintenance Provider LAN interface.

interface Refers to the physical (Ethernet or InfiniBand interface) or logical (software abstraction such as bond or tunnel) interfaces on the CLIM.

interface-name

Specifies the interface for the operation. For the -macaddr option, the interface, including slave interfaces must be physical interfaces. For other options, the interface can be either a physical interface (for example, eth1, ib0) or a bonding interface (for example, bond0).

-ipaddress ipaddress

Specifies an IPv4 address.

-prov Specifies a provider name. This option is mandatory for CLIMs that have MULTIPROV set to ON and cannot be used if MULTIPROV is set to OFF. Each provider has its own interface configuration. The provider name is case-insensitive and always converted to UPPER case.

-netmask netmask

Specifies an IPv4 network address in dotted quad form.

all Displays information for all interfaces.

-obeyform This option displays the user-configured resources of an interface in add command format.

-mtu Sets frame size for an interface. If the option is not specified, the default frame size is 1500.

For physical and bonding interface allowable values are 1280 to 9000.

For tunnel interfaces allowable values are 1280 to 65508.

If the mtu option is set for bonding interface, it will also be applied to a slave interface.

Setting mtu option separately for a slave interface is not allowed.

You cannot specify both the jumbo and mtu options.

mtu cannot be specified for eth0, eth0:0, and InfiniBand interfaces.

Specifying mtu overrides previous values set for jumbo.

-jumbo on Changes jumbo frames for an interface other than eth0 or eth0:0. If jumbo is set (on), the frame size is 9000 bytes. If jumbo is reset (off), the frame size is 1500 bytes. If the option is not specified, the default frame size is 1500 bytes.


The jumbo option has a limited set of allowable values (1500 - OFF and 9000 - ON) for frame size, whereas the mtu option supports a range of values. The mtu option is the recommended method for setting the MTU size.

The climconfig tool reports an error if the NIC does not support a frame size of 9000 bytes.

If the jumbo option is set for a bonding interface, it will also be applied to a slave interface.

Setting the jumbo option separately for a slave interface is not allowed.

If the bonding interface is UP, the jumbo option is set and a slave interface is added that does not support frames of 9000 bytes, Climconfig reports an error while adding the slave interface.

You cannot specify both the jumbo and mtu options.

A jumbo frame cannot be set for eth0 and eth0:0.

Specifying jumbo overrides previous values set for mtu.

-jumbo off Disables jumbo frames for an interface. The frame size is set to 1500 bytes. If this parameter is not specified, the jumbo option is reset and the frame size set to 1500 bytes.

-force Causes the command to modify the interface without prompting for confirmation.

-autonegotiation on

Enables autonegotiation.

-autonegotiation off

Disables autonegotiation. -linespeed and -duplex options must be specified.

-linespeed 10

Sets the linespeed to 10MB/sec.

-linespeed 100

Sets the linespeed to 100MB/sec.

-linespeed 1000

Sets the linespeed to 1000MB/sec. This option can be set only if -autonegotiation is set to on.

-duplex half

Sets the duplex mode to half.

-duplex full

Sets the duplex mode to full.

-macaddr Specifies the MAC address to be assigned to the specified interface. If default is specified, the original hardware MAC address is assigned. (This option is not supported on virtio interfaces).

Note:

When the interface is deleted from the configuration, either as a slave interface or an independent interface, the configured software MAC address is not retained with the interface.

ERROR MESSAGES

For interface -add:

The interface interface-name is already configured as an independent interface.

Interface interface-name is slave interface for a bonding interface. It cannot be configured as an independent interface.

Interface interface-name does not exist in the kernel.


The -jumbo option is not supported for eth0/eth0:0.

The -mtu option is not supported for eth0/eth0:0 or for ib0/ib1.

Only one of -jumbo or -mtu options can be specified.

A value within the range 1280 to 9000 must be specified for -mtu option.

The -prov option is not supported for CLIM with SCF MULTIPROV option set to OFF.

The -prov option must be specified for CLIM with SCF MULTIPROV option set to ON.

The -prov option is not supported for eth0 and eth0:0.

eth0:0 is not supported on virtio interfaces.

The specified provider name is invalid; it must not be more than seven characters and must be alpha-numeric characters with the first character being alphabetic.

For interface -delete:

This command is not supported for the interface eth0.

This command is not supported for the interface lo.

The interface interface-name is not configured.

The interface interface-name has a tunnel interface tunnel-interface-name associated with it.

The specified interface interface-name has a vlan interface vlan-interface-name associated with it.

The specified interface interface-name has a vxlan interface vxlan-interface-name associated with it.

The interface interface-name is UP, cannot execute this command.

Cannot execute this command for the interface eth0:0, with eth0:0 in use.

For interface -modify:

This command is not supported for the interface lo.

The -jumbo option is not supported for eth0/eth0:0 or ib0/ib1.

The -mtu option is not supported for eth0/eth0:0.

Only one of -jumbo or -mtu options can be specified.

A value within the range 1280 to 9000 must be specified for -mtu option.

The specified mtu <mtu-value> is less than that of its VLAN interface <vlan-interface>.

The specified mtu <mtu-value> must be at least 50 bytes more than that of its VXLAN interface <vxlan-interface> (with IPV4 multicast IP address).

The specified mtu <mtu-value> must be at least 70 bytes more than that of its VXLAN interface <vxlan-interface> (with IPV6 multicast IP address).

The specified line speed <linespeed-value> is invalid. The line speed of all the slaves of a bonding interface should be same in bonding mode 4 (802.3ad).

The specified duplex setting <duplex-value> is invalid. The duplex settings of all the slaves of a bonding interface should be same in bonding mode 4 (802.3ad).

The IPv6 family cannot be specified for the eth0.

-ipaddress option for the command - "climconfig interface -modify", is supported only for eth0.


The interface interface-name is not configured.

Cannot execute this command for the interface eth0 when the CLIM is in STARTED state.

The tunnel interface and its parent interface have different jumbo settings.

Internal Error in updating SLNP rules, error-code.

The specified MAC address is not a software MAC address.

The software MAC address of the slaves slave-interface-1 and slave-interface-2 of bonding interface bonding-interface cannot be the same for bonding mode mode.

This command is not supported for InfiniBand interfaces.

The specified Jumbo value already exists for the interface.

The specified interface does not support the specified speed and mode.

For interface -info:

The interface interface-name is not configured.

WARNING MESSAGES

For interface -modify:

Warning: SNMP configuration file /etc/default/snmpd is missing.

Warning: SNMP configuration file /etc/default/snmpd is corrupt.

Warning: Cannot restart SNMP daemon.

Warning: Cannot restart SNMP agents.

Warning: Cannot write to SNMP configuration file /etc/default/snmpd.

CONSIDERATIONS

Considerations for interface -add:

The bonding interface will find an entry as one of the interfaces, with the slave interfaces configured within that bonding interface definition. Slave interfaces should not be added using this command. Slave interfaces for a bonding interface can be configured using the command climconfig slaveinterface -configure . . ..

The climconfig tool does not allow addition of a virtual interface other than eth0:0.

eth0:0 cannot be added when the CLIM is in the STARTED state.

If the interface to be added is UP, it should first be brought down using the CLIMCMD ifstop command, and then added.

climconfig tool does not allow addition of the eth0:0 interface on vCLIM (MAINTENANCE type providers are not supported, and ZTCP0/1 are configured as standard data providers with data interface (e.g. eth1)).

Considerations for interface -delete:

You cannot delete eth0, the dedicated service LAN interface.

lo, the loopback interface, cannot be deleted.

This command cannot be executed when the specified interface is active (UP). Use the CLIMCMD ifstop command to deactivate the interface before deleting it.

An interface cannot be deleted before deleting all tunnel and VLAN and VXLAN interfaces associated with it.

This command cannot be used to delete tunnel interfaces.

This command cannot be used to delete VLAN and VXLAN interfaces.

eth0:0, the maintenance provider interface, cannot be deleted when eth0:0 is in use by the NonStop host.


Considerations for interface -modify:

You cannot modify the IP address and netmask of eth0 when the CLIM is in the STARTED state. To modify the IP address on a CLIM, do a climcmd clim-name, then a climcmd clim-name. Then issue the SCF CLIM START command to restart the CLIM after the changes.

An IPv6 address cannot be assigned to eth0 interface.

The -jumbo option cannot be used for eth0 and eth0:0.

If the Maximum Transfer Unit (MTU) of an active interface is changed using the jumbo option, a failover of that interface might occur.

The mtu value cannot be less than the mtu of its VLAN interface.

The mtu value must be at least 50 bytes more than that of its VXLAN interface (with IPv4 multicast IP address).

The mtu value must be at least 70 bytes more than that of its VXLAN interface (with IPv6 multicast IP address).

The loopback interface, lo, cannot be modified.

Not all ethernet cards support all linespeeds and duplex modes.

Fibre channel supports only -autonegotiation on. Virtio and IB interfaces do not support speed settings.

Gigabit ethernet standard requires auto-negotiation to be ON. You cannot specify SPEED 1000 Mb/s and AUTONEGOTIATION OFF.

Modifying the MAC address on virtio interfaces is not supported.

A MAC address can be modified only for an interface that is DOWN (stopped).

Therefore, effectively, eth0 MAC address cannot be changed.

When a MAC address is being modified, the interface must not have been failed over.

The software MAC addresses of all slaves of a bonding interface must be unique in bonding modes 5 (balance-tlb) and 6 (balance-alb). A check is performed when you attempt to change the bonding mode.

The line speed and duplex settings of all the slaves of a bonding interface should be same in bonding mode 4 (802.3ad).

If the eth0 IP address is being changed, the known host information SSHDB on the NonStop host must be modified. Here are the required steps:

1. At the TACL prompt, enter:

Tacl> sshcom open $zssp0; mode client; info knownhost *:old-eth0-ip-address.22; exit

2. For each entry listed above (one per user), issue this command:

sshcom open $zssp0; mode client; delete knownhost user-name:old-eth0-ip-address.22; exit

The old-eth0-ip-address is the IP address configured on eth0 that is being changed to a new IP address.
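As an added worked example (not part of this manpage or of the climconfig tool), the following Python pre-flight check encodes the -mtu and -jumbo rules from the PARAMETERS section together with the VLAN and VXLAN headroom rules from these interface -modify considerations, so an operator can see which refusal a planned change would meet before issuing it. The interface kinds, the Iface and Dependent records and the build_command helper are assumptions made for the example; the real checks are performed by climconfig when the command runs.

```python
"""Pre-flight check for a climconfig interface -modify -mtu/-jumbo change.

Constructed example, not HPE code. The limits below restate the -mtu and
-jumbo parameter descriptions and the interface -modify considerations of
the climconfig.interface manpage. Interface kinds and the Iface/Dependent
records are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional

DEFAULT_MTU = 1500          # frame size when neither option was ever set
JUMBO_MTU = 9000            # -jumbo on
MTU_MIN = 1280
MTU_MAX_ETHERNET = 9000     # physical and bonding interfaces
MTU_MAX_TUNNEL = 65508      # tunnel interfaces
# headroom (bytes) the parent must keep above a VXLAN child, keyed by the
# address family of the VXLAN multicast group
VXLAN_OVERHEAD = {"ipv4": 50, "ipv6": 70}


@dataclass
class Dependent:
    """A VLAN or VXLAN interface hosted on the interface being modified."""
    name: str
    kind: str                 # "vlan" or "vxlan"
    mtu: int
    family: str = "ipv4"      # multicast group family, only used for vxlan


@dataclass
class Iface:
    name: str
    kind: str                 # "physical", "bond", "slave", "tunnel" or "infiniband"
    mtu: int = DEFAULT_MTU
    dependents: List[Dependent] = field(default_factory=list)


def check_mtu_change(iface: Iface, mtu: Optional[int] = None,
                     jumbo: Optional[str] = None) -> List[str]:
    """Return the reasons the change would be refused (empty list = allowed)."""
    if mtu is None and jumbo is None:
        return ["one of -mtu or -jumbo must be given"]
    if mtu is not None and jumbo is not None:
        return ["Only one of -jumbo or -mtu options can be specified."]
    option = "-mtu" if mtu is not None else "-jumbo"
    if iface.name in ("eth0", "eth0:0"):
        return [f"The {option} option is not supported for eth0/eth0:0."]
    if iface.kind == "infiniband":
        return [f"The {option} option is not supported for InfiniBand interfaces."]
    if iface.kind == "slave":
        return [f"Setting {option} separately for a slave interface is not allowed."]

    errors: List[str] = []
    if jumbo is not None:
        if jumbo not in ("on", "off"):
            return ["-jumbo takes on or off"]
        new_mtu = JUMBO_MTU if jumbo == "on" else DEFAULT_MTU
    else:
        new_mtu = mtu
        upper = MTU_MAX_TUNNEL if iface.kind == "tunnel" else MTU_MAX_ETHERNET
        if not MTU_MIN <= mtu <= upper:
            errors.append(f"A value within the range {MTU_MIN} to {upper} "
                          "must be specified for -mtu option.")

    # interfaces hosted on this one bound the new value from below
    for dep in iface.dependents:
        if dep.kind == "vlan" and new_mtu < dep.mtu:
            errors.append(f"The specified mtu {new_mtu} is less than that of "
                          f"its VLAN interface {dep.name}.")
        elif dep.kind == "vxlan":
            headroom = VXLAN_OVERHEAD[dep.family]
            if new_mtu < dep.mtu + headroom:
                errors.append(f"The specified mtu {new_mtu} must be at least "
                              f"{headroom} bytes more than that of its VXLAN "
                              f"interface {dep.name} ({dep.family} multicast).")
    return errors


def build_command(clim: str, iface: Iface, mtu: Optional[int] = None,
                  jumbo: Optional[str] = None, force: bool = False) -> str:
    """Render the CLIMCMD line, but only if the pre-flight check passed."""
    problems = check_mtu_change(iface, mtu, jumbo)
    if problems:
        raise ValueError("; ".join(problems))
    opt = f"-mtu {mtu}" if mtu is not None else f"-jumbo {jumbo}"
    return (f"CLIMCMD {clim} climconfig interface -modify {iface.name} {opt}"
            + (" -force" if force else ""))


if __name__ == "__main__":
    # constructed topology: eth1 hosts a VLAN and an IPv4-multicast VXLAN
    eth1 = Iface("eth1", "physical", dependents=[
        Dependent("e1v7", "vlan", 1500),
        Dependent("e1xzt7", "vxlan", 1450, "ipv4"),
    ])
    print(check_mtu_change(eth1, mtu=1400))
    print(build_command("clim1", eth1, mtu=1500))
```

The VXLAN headroom values are exactly the two figures the manpage gives (50 bytes for an IPv4 multicast group, 70 for IPv6), so the check refuses the same change the tool would and names the child interface that causes it.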

Considerations for interface -info:


For vCLIM, the Type of Card field and MAC address of the interface are used for determining the mapping to the vCLIM configuration in the hypervisor.

Also note that the maintenance provider, ZTCP0/1 is configured using data interface (e.g. eth1), rather than the (unsupported) eth0:0.

EXAMPLES

> CLIMCMD clim1 climconfig interface -add eth1 -jumbo on

> CLIMCMD clim1 climconfig interface -add bond0 -jumbo on

> CLIMCMD clim1 climconfig interface -delete eth1

> CLIMCMD clim1 climconfig interface -modify eth0 -ipaddress 15.76.217.112 -netmask 255.255.128.0

> CLIMCMD 17.205.15.2 climconfig interface -modify eth1 -jumbo off

> CLIMCMD 15.205.15.2 climconfig interface -modify eth1 -autonegotiation off -linespeed 100 -duplex half

> CLIMCMD 15.205.15.2 climconfig interface -modify eth2 -autonegotiation on -linespeed 1000

> CLIMCMD 15.205.15.2 climconfig interface -modify eth2 -macaddr 00:16:b4:3B:90:EE

> CLIMCMD 16.107.170.241 climconfig interface -info all

> CLIMCMD 16.107.170.241 climconfig interface -info all -obeyform

> CLIMCMD NCLIM000 climconfig interface -info all -obeyform

Maintenance LAN Interfaces

Interface : lo
Interface Type : Loopback Interface

Interface : eth0
Interface Type : Virtio Interface
MTU Size : 1500
IP Address : 192.168.38.163
Netmask : 255.255.0.0
ROUTE Details :
Route Type : Default Route
Destination Address : 0.0.0.0
Netmask : 0.0.0.0
Gateway Address : 192.168.38.1
Metric : 0
Minimum RTO : Unspecified
InitCWND : Unspecified
Src : Unspecified
Type of Card : virtio
Software MAC Address : Unspecified

Data Provider ZTC0 interfaces

Interface : eth1
Interface Type : Virtio Interface
MTU Size : 1500
IP Address : 15.213.85.114
Netmask : 255.255.254.0
ROUTE Details :
Route Type : Default Route
Destination Address : 0.0.0.0
Netmask : 0.0.0.0
Gateway Address : 15.213.84.1
Metric : 0
Minimum RTO : Unspecified
InitCWND : Unspecified
Src : Unspecified
Type of Card : virtio
Software MAC Address : Unspecified

Interface : eth2
Interface Type : Virtio Interface
MTU Size : 1500
IP Address : 192.168.36.180
Netmask : 255.255.0.0
Type of Card : virtio
Software MAC Address : Unspecified

Data Provider ZTCP1 interfaces

Interface : eth6
Interface Type : Virtio Interface
MTU Size : 1500
IP Address : 192.168.136.186
Netmask : 255.255.0.0
Type of Card : virtio
Software MAC Address : Unspecified

Data Provider ZTC4 interfaces

Interface : eth4
Interface Type : Virtio Interface
MTU Size : 1500
IP Address : 192.168.136.116
Netmask : 255.255.0.0
Type of Card : virtio
Software MAC Address : Unspecified

SEE ALSO

climconfig ip -add


climconfig.ip(1) climconfig.ip(1)

NAME

climconfig.ip − add or delete IP addresses

SYNOPSIS

CLIMCMD {clim-name|ip-address} climconfig ip -add {eth0|eth0:0|interface} -ipaddress ip-address -netmask netmask

CLIMCMD {clim-name|ip-address} climconfig ip -delete interface -ipaddress ip-address -netmask netmask [-force]

CLIMCONFIG.IP DESCRIPTION

This command does the following:

ip -add adds an IP address to an existing interface. Multiple IP addresses can be added to an interface.

ip -delete deletes an IP address from the specified interface. The IP address is deleted from the configuration file. If the IP address exists in the kernel, it is deleted from the kernel.

PARAMETERS

eth0 Specifies the dedicated service LAN interface.

eth0:0 Specifies the maintenance provider LAN interface.

interface

Specifies an interface. This parameter can be either a physical interface name (such as eth1, ib0), a bonding interface name (such as bond0), a tunnel interface name (such as tun0), a vlan interface name (such as e1v7, b0v8), or a vxlan interface name (such as e1xzt7, b0xzt8).

-ipaddress ipaddress

Is the new IP address to be assigned to the interface (for ip -add) or the IP address to be deleted from the interface (for ip -delete). It can be an IPv4 or an IPv6 IP address.

-netmask netmask

Specifies the netmask for the interface. For IPv4 addresses, use dotted quad format.

For IPv6 addresses, use the number of bits appropriate for the IPv6 address (for example, 64).

-delete interface

Deletes an IP address for the specified physical or bonding interface from the /etc/network/interfaces file of the CLIM. This command also deletes the tunnel configurations associated with the interface.

-force Causes the command to delete the IP address without prompting for confirmation.

ERROR MESSAGES

For ip -add:

• The interface interface-name is not configured.

• This command is not supported for the interface lo.

• Configuring IPv6 "address" is not allowed for eth0 and eth0:0 interfaces.

• Interface "eth0" already has an IP.

• Interface "eth0:0" already has an IP.

• The specified IP address already exists for the interface.


• Cannot execute this command for the interface interface-name when the CLIM is in STARTED state.

• The "IPv4" family cannot be specified for the "tunnel interface".

For ip -delete:

• This command is not supported for the interface lo.

• The interface interface-name is not configured.

• The specified IP address ip-address is not configured for the interface.

• The IP address cannot be deleted from eth0.

• The IP address cannot be deleted from eth0:0 with eth0:0 in use.

• A route with the specified IP address as a -src exists.

• The specified IP address ip-address is in use by the VXLAN interface interface-name.

WARNING MESSAGES

For ip -add:

• Warning: SNMP configuration file /etc/default/snmpd are missing.

• Warning: SNMP configuration file /etc/default/snmpd are corrupt.

• Warning: Cannot restart SNMP daemon.

• Warning: Cannot write to SNMP configuration file /etc/default/snmpd.

• Cannot restart SNMP agents.

For ip -delete:

• Warning: Could not remove IPv4 compatible IPv6 address from the kernel.

CONSIDERATIONS

For ip -add:

• For SNMP listening address configuration, when the IP address is added to eth0, the climconfig tool updates the /etc/defaults/snmpd configuration file with the new listening address as the dedicated service LAN IP.

• Tunnel interfaces can be assigned only with IPv6 addresses.

• An IPv6 address cannot be assigned to eth0 and eth0:0.

• On vCLIM, the hypervisor may constrain the IP addresses that may be configured. (This is not checked by CLIM software).

• Only one IPv4 address can be assigned to eth0 or eth0:0.

• The IP address is added either to the /etc/network/interfaces file, to the kernel, or to both. The behavior is defined as:

  • If the specified interface is down, the IP address is added to the file.

  • If the CLIM is in the STOPPED state, the IP address is added to the file.

  • If the specified interface is UP and the CLIM is in the STARTED state, the IP address is added to the file and to the kernel.

• The customer data interfaces, eth1 - eth5, cannot have IP addresses in the 192.168.*.* range, or whatever the dedicated service LAN address range is for the system.

• If the same static IPv6 address is configured and added to more than one CLIM, during the interface activation, the IPv6 address being duplicated remains as a tentative address. This IPv6 address is not automatically removed from the kernel/file configuration by climconfig. It is the operator’s responsibility to remove such duplicate static IPv6 addresses from the configuration.


For ip -delete:

• The IP address cannot be deleted from eth0.

• The IP address cannot be deleted from eth0:0, with eth0:0 in use.

• IP address from Loopback interface lo, cannot be deleted.

• If an interface is hosting one or more VXLAN interfaces, the last IP address cannot be deleted from it.

• All the routes belonging to an interface for a particular network are automatically deleted from the kernel when the last IPv4 address belonging to that network is deleted from the interface. However, the routes remain in the configuration file. These routes will come into effect only when the interface is restarted (ifstop followed by ifstart) or when the routes are deleted and then added back after adding at least one IPv4 address corresponding to that network. For example:

interface -info eth5

Interface : eth5
Interface Type : Physical Interface
MTU Size : 1500
IP Address : 172.17.190.71
Netmask : 255.255.255.0
ROUTE Details :
Route Type : Default Route
Destination Address : 0.0.0.0
Netmask : 0.0.0.0
Gateway Address : 172.17.190.1
Metric : 0
Minimum RTO : Unspecified

When the IP 172.17.190.71 is deleted, the default route 172.17.190.1 is automatically deleted from the kernel.
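As an added worked example (not part of this manpage or of the climconfig tool), the following Python code parses the interface -info text layout shown above and predicts what ip -delete would do to the kernel routing state: it reports whether the address is the last IPv4 address of its network (in which case the network's routes leave the kernel, as described above) and refuses the deletion when a route names the address as its -src, matching the error message listed for ip -delete. The sample text is constructed for the example; the "Static Route" entry and the extra addresses are assumptions, as is the decision to treat a route as belonging to a network when its gateway lies in that network.

```python
"""Parse "climconfig interface -info" output and predict the effect of
"climconfig ip -delete" on the kernel routing state.

Constructed example, not HPE code. The key/value layout is the one printed
in the climconfig.interface and climconfig.ip manpages; the second route
and the extra addresses in SAMPLE_INFO are constructed for this example.
"""
import ipaddress
from typing import Dict, List, Optional

# keys that end the ROUTE Details block and describe the interface again
INTERFACE_KEYS = {"Interface Type", "MTU Size", "Type of Card",
                  "Software MAC Address"}

SAMPLE_INFO = """\
Interface : eth5
Interface Type : Physical Interface
MTU Size : 1500
IP Address : 172.17.190.71
Netmask : 255.255.255.0
IP Address : 10.20.30.5
Netmask : 255.255.255.0
IP Address : 10.20.30.6
Netmask : 255.255.255.0
ROUTE Details :
Route Type : Default Route
Destination Address : 0.0.0.0
Netmask : 0.0.0.0
Gateway Address : 172.17.190.1
Metric : 0
Minimum RTO : Unspecified
InitCWND : Unspecified
Src : Unspecified
Route Type : Static Route
Destination Address : 10.99.0.0
Netmask : 255.255.0.0
Gateway Address : 10.20.30.1
Metric : 0
Minimum RTO : Unspecified
InitCWND : Unspecified
Src : 10.20.30.5
Software MAC Address : Unspecified
"""


def parse_interface_info(text: str) -> Dict:
    """Turn one interface's -info block into its addresses and routes."""
    iface: Dict = {"name": None, "addresses": [], "routes": []}
    route: Optional[Dict] = None      # route currently being filled, if any
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # IPv6 values keep their colons
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Interface":
            iface["name"] = value
        elif key == "ROUTE Details":
            continue
        elif key == "Route Type":
            route = {"type": value}
            iface["routes"].append(route)
        elif key in INTERFACE_KEYS:
            route = None                          # back at interface level
            iface[key] = value
        elif route is not None:
            route[key] = value                    # Netmask, Gateway Address, Src, ...
        elif key == "IP Address":
            iface["addresses"].append({"address": value, "netmask": None})
        elif key == "Netmask" and iface["addresses"]:
            iface["addresses"][-1]["netmask"] = value
    return iface


def plan_ip_delete(iface: Dict, address: str) -> Dict:
    """Say whether ip -delete would be refused and which routes the kernel loses."""
    target = next((a for a in iface["addresses"] if a["address"] == address), None)
    if target is None:
        return {"ok": False, "reason": f"The specified IP address {address} "
                                      "is not configured for the interface."}
    if any(r.get("Src") == address for r in iface["routes"]):
        return {"ok": False,
                "reason": "A route with the specified IP address as a -src exists."}
    # dotted netmask for IPv4 or a prefix length for IPv6, both accepted here
    net = ipaddress.ip_network(f"{address}/{target['netmask']}", strict=False)
    remaining = [a["address"] for a in iface["addresses"]
                 if a is not target and ipaddress.ip_address(a["address"]) in net]
    dropped: List[str] = []
    if not remaining:                 # last address of this network goes away
        for r in iface["routes"]:
            gw = r.get("Gateway Address", "")
            try:
                if ipaddress.ip_address(gw) in net:
                    dropped.append(f"{r['type']} via {gw}")
            except ValueError:        # "Unspecified" or missing gateway
                pass
    return {"ok": True, "network": str(net), "last_in_network": not remaining,
            "routes_dropped_from_kernel": dropped}


if __name__ == "__main__":
    eth5 = parse_interface_info(SAMPLE_INFO)
    for addr in ("172.17.190.71", "10.20.30.6", "10.20.30.5"):
        print(addr, plan_ip_delete(eth5, addr))
```

Running it on the constructed eth5 block reproduces the manpage's own case: deleting 172.17.190.71 is the last address in 172.17.190.0/24, so the default route via 172.17.190.1 is reported as leaving the kernel (while, as the text says, it stays in the configuration file), whereas deleting 10.20.30.6 leaves 10.20.30.5 behind and drops nothing.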

EXAMPLES

> ip -add eth1 -ipaddress 15.76.217.14 -netmask 255.255.255.0

> ip -add e1xzt7 -ipaddress 15.76.217.14 -netmask 255.255.255.0

> ip -delete eth1 -ipaddress 15.76.217.14 -netmask 255.255.255.0

> ip -delete e1xzt7 -ipaddress 15.76.217.14 -netmask 255.255.255.0


climconfig.ip6tables(1) climconfig.ip6tables(1)

NAME

climconfig.ip6tables − configure ip6tables

SYNOPSIS

CLIMCMD {clim-name|ip-address} climconfig ip6tables [-prov prov-name] [-force] arguments

Or,

CLIMCMD {clim-name|ip-address} climconfig ip6tables [-prov prov-name] arguments [-force]

CLIMCONFIG.IP6TABLES DESCRIPTION

This command supports the following options. If a command is labeled as sensitive, a user confirmation is required for execution unless the -force option is also specified.

--append | -A chain rule-specification options

This command appends one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination. This command is valid only for the CIP_INPUT chain of filter table, CIP_OUTPUT chain of mangle table, and user-defined chains.

--delete | -D chain rulenum rule-specification options

This command deletes one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting from 1 for the first rule) or a rule to match. For the latter case, the specified rule must match an existing entry in the chain exactly. This command is valid only for the CIP_INPUT chain of filter table, CIP_OUTPUT chain of mangle table, and user-defined chains. This is a sensitive command.

--insert | -I chain [rulenum] rule-specification options

This inserts one or more rules in the selected chain as the given rule number. Number starts from 1. This is also the default if no rule number is specified. This command is valid only for the CIP_INPUT chain of filter table, CIP_OUTPUT chain of mangle table, and user-defined chains.

--replace | -R chain rulenum rule-specification options

This command replaces a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command will fail. Rules are numbered starting at 1. This command is valid only for the CIP_INPUT chain of filter table, CIP_OUTPUT chain of mangle table, and user-defined chains. This is a sensitive command.

--list | -L [chain rulenum]

Lists all rules or the rule of the specified rule number in the selected chain. Any chain (including the built-in chains) can be listed. This command is valid for all chains including the Linux built-in chains, the CIP built-in chains, and all user-defined chains. If no chain is selected, all chains are listed.

--list-rules | -S [chain rulenum]

Prints all rules or the rule of the specified rule number in the selected chain in the form of iptables/ip6tables commands. This command is valid only for the CIP_INPUT chain and user-defined chains. If no chain is selected, all user chains, if any, and the CIP_INPUT chain are listed.


--flush | -F [chain]

This command deletes all user-defined rules in a chain. This command is valid only for the CIP_INPUT chain of filter table, CIP_OUTPUT chain of mangle table, and user-defined chains. If no chain is specified, this flushes all rules in the CIP_INPUT chain of filter table, CIP_OUTPUT chain of mangle table, and in all user-defined chains. The CIP_INPUT_p chain is not flushed. This is a sensitive command.

--zero | -Z [chain]

This command zeros out the packet and byte counters in the specified chain or all chains if the chain name is not specified. This applies to all user-defined chains, the CIP built-in chains and Linux built-in chains if chain is not specified. A user may also specify the Linux built-in INPUT chain for this command.

--new | -N chain

This command creates a new user-defined chain by the given name. There must be no target of that name already, or an error is returned. Creating a Linux built-in or CIP built-in chain is not allowed.

--delete-chain | -X [chain]

Delete the user-defined chain specified. There must be no references to the chain. If there are, you must delete or replace the referring rules before the chain can be deleted. The chain must also be empty, i.e. not containing any rules. If no argument is given, it will attempt to delete every user-defined chain in the table. The Linux built-in chains and CIP built-in chains cannot be deleted.

--rename-chain | -E old-chain new-chain

This command renames the specified user-defined chain to the user-supplied name.

Any references to the old chain name are automatically renamed by Linux iptables/ip6tables itself. The Linux built-in chains and CIP built-in chains cannot be renamed.

--policy | -P chain target

This command sets the policy for the chain to the given target. Only the CIP built-in CIP_INPUT chain can be specified with a policy. Neither Linux built-in nor user-defined chains can be policy targets.

Setting a policy to CIP_INPUT chain causes the target (the first and only rule) in the CIP_INPUT_p chain to be replaced.

-h | -help | --help

This command prints the climconfig iptables/ip6tables help information. If it is specified after a match extension, some more information pertinent to that match could also be given.

PARAMETERS

-prov prov-name

Specifies a provider name. This option is mandatory for CLIMs that have MULTIPROV set to ON and cannot be used if MULTIPROV is set to OFF. Each provider has its own ip6tables configuration. The provider name is case-insensitive and always converted to UPPER case.

-force

Used with a sensitive command, causes the command to bypass user confirmation. Must be either ahead of the command or at the end of the line.

[!] --protocol | -p proto

To match protocol proto, which is either a protocol name or number. Supported protocols are: all(0), tcp(6), udp(17), icmpv6(58), esp(50), ah(51), and sctp(132). When the "!" argument is used, the ’match’ operation is changed to the ’not match’ operation.


[!] --source | --src | -s addressmask

To match a source address. Address can be either a network IPv4/IPv6 address (with /mask), or a plain IP address. The mask can be either a network mask or a plain number, specifying the number of 1s at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. When the "!" argument is used the ’match’ operation is changed to the ’not match’ operation.

[!] --destination | --dst | -d addressmask

To match a destination address. Address can be either a network IP address (with /mask), or a plain IPv4/IPv6 address. The mask can be either a network mask or a plain number, specifying the number of 1s at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. When the "!" argument is used the ’match’ operation is changed to the ’not match’ operation.

[!] --in-interface | -i interface_name

To match a packet by the interface in which it was received. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will match. When the "!" argument is used the ’match’ operation is changed to the ’not match’ operation.

[!] --out-interface | -o name

Name of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will match.

--jump | -j target

Jump to a target, which can be a user-defined chain, a built-in or extension target.

--match | -m match-module-name

Load a match extension module.

--numeric | -n

Select numeric output of addresses and ports.

--table | -t table

Specify table to manipulate. table must be ’filter’ or ’mangle’.

--verbose | -v

Verbose mode.

--line-numbers

Print line numbers when listing.

--exact | -x To expand numbers (display exact values).

--set-counters | -c pkts bytes

This enables the administrator to initialize the packet and byte counters of a rule (during INSERT, APPEND, REPLACE operations). For example,

ip6tables -A CIP_INPUT -c 100 2000 -p tcp -i eth2 --dport 21 -j ACCEPT

would set the rule in the CIP_INPUT chain for accepting ftp packets targeted for interface eth2 and, at the same time, initialize the number of packets accepted to be 100 and number of bytes to be 2000.
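As an added worked example (not part of this manpage or of the climconfig tool), the following Python code reviews a CIP_INPUT ruleset of the kind --list-rules | -S prints, as a defender would before trusting a CLIM packet filter: it parses each rule's chain, match options, negations and target, then flags ACCEPT rules that pin neither a source address nor an in-interface, ACCEPT rules with no protocol, and rules shadowed by an earlier catch-all in the same chain. It assumes -S emits the iptables-save form ("-A chain matches -j target") used by the Linux tools, and the RULES list is constructed for the example.

```python
"""Review a CIP_INPUT ruleset exported with "climconfig ip6tables -S".

Constructed example, not HPE code. Assumes -S prints rules in the
iptables-save form ("-A chain matches -j target"); RULES is constructed
for this example and is not output captured from a CLIM.
"""
import shlex
from typing import Dict, List, Set, Tuple

# long option spellings folded onto the short names used below
ALIASES = {"source": "s", "src": "s", "destination": "d", "dst": "d",
           "protocol": "p", "in-interface": "i", "out-interface": "o",
           "jump": "j", "append": "A", "match": "m"}
# options that never narrow what a rule matches
NON_MATCHING = {"m", "comment", "c"}

RULES = [
    '-A CIP_INPUT -i eth0 -s fe80::/64 -p tcp -m tcp --dport 22 -j ACCEPT',
    '-A CIP_INPUT -p tcp -m tcp --dport 23 -j ACCEPT',
    '-A CIP_INPUT ! -s 2001:db8::/32 -p udp -m udp --dport 161 -j ACCEPT',
    '-A CIP_INPUT -s 2001:db8:1::/48 -j ACCEPT',
    '-A CIP_INPUT -m comment --comment "A privatized IP block" -j DROP',
    '-A CIP_INPUT -p icmpv6 -j ACCEPT',
]


def parse_rule(line: str) -> Dict:
    """Split one -S line into chain, target, options and negated options."""
    toks = shlex.split(line)          # keeps a quoted --comment as one token
    rule: Dict = {"chain": None, "target": None, "opts": {},
                  "negated": set(), "raw": line}
    i, negate = 0, False
    while i < len(toks):
        tok = toks[i]
        if tok == "!":                # "!" inverts the option that follows it
            negate = True
            i += 1
            continue
        if not tok.startswith("-"):   # stray positional (e.g. second -c value)
            i += 1
            continue
        name = ALIASES.get(tok.lstrip("-"), tok.lstrip("-"))
        value = None
        if i + 1 < len(toks) and not toks[i + 1].startswith("-") and toks[i + 1] != "!":
            value = toks[i + 1]
            i += 1
        if name == "A":
            rule["chain"] = value
        elif name == "j":
            rule["target"] = value
        else:
            rule["opts"][name] = value
            if negate:
                rule["negated"].add(name)
        negate = False
        i += 1
    return rule


def audit_rules(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (rule number, finding) pairs for the permissive or dead rules."""
    findings: List[Tuple[int, str]] = []
    shadowed: Set[str] = set()        # chains already ended by a catch-all rule
    for n, line in enumerate(lines, 1):
        r = parse_rule(line)
        if r["chain"] is None:
            continue
        if r["chain"] in shadowed:
            findings.append((n, f"unreachable: an earlier {r['chain']} rule "
                                "matches every packet"))
            continue
        opts, neg = r["opts"], r["negated"]
        pins_source = (("s" in opts and "s" not in neg)
                       or ("i" in opts and "i" not in neg))
        has_proto = ("p" in opts and "p" not in neg
                     and opts["p"] not in ("all", "0"))
        if r["target"] == "ACCEPT":
            if not pins_source:
                findings.append((n, "ACCEPT with no source address or "
                                    "in-interface restriction"))
            if not has_proto:
                findings.append((n, "ACCEPT without a protocol restriction"))
        if not any(k not in NON_MATCHING for k in opts):
            shadowed.add(r["chain"])  # nothing narrows it: later rules are dead
    return findings


if __name__ == "__main__":
    for number, finding in audit_rules(RULES):
        print(f"rule {number}: {finding}")
```

A negated source (rule 3) is treated as no source restriction at all, since "! -s" admits every address outside one block; and because --policy on CIP_INPUT is applied through the CIP_INPUT_p chain rather than shown in the rule list, the chain's final disposition has to be checked separately with --list.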

MATCH EXTENSIONS

The supported match extensions are based on the Linux ip6tables man pages. They are subject to future changes in the Linux ip6tables implementation.

3

climconfig.ip6tables(1) climconfig.ip6tables(1)

ah

Matches the SPIs in Authentication header of IPsec packets.

[!] --ahspi spi[:spi]

[!] --ahlen length

--ahres

comment

Allows you to add comments (up to 256 characters) to any rule.

--comment comment

Example: ip6tables -A CIP_INPUT -s fe80::221:5aff:fec9:1a32/64 -m comment --comment 'A privatized IP block'

connbytes

Matches by how many bytes/packets a connection has transferred.

[!] --connbytes from:[to]

--connbytes-dir {original|reply|both}

--connbytes-mode {packets|bytes|avgpkt}

Example: ip6tables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes ...

connlimit

Allows you to restrict the number of parallel connections to a server per client IP address (or client address block).

--connlimit-upto n

Match if the number of existing connections is below or equal n.

--connlimit-above n

Match if the number of existing connections is above n.

--connlimit-mask prefix_length

Group hosts using the prefix length. For IPv4, this must be a number between (including) 0 and 32. For IPv6, between 0 and 128. If not specified, the maximum prefix length for the applicable protocol is used.

--connlimit-saddr

Apply the limit onto the source group. This is the default if --connlimit-daddr is not specified.

--connlimit-daddr

Apply the limit onto the destination group.

Examples:

# limit the number of parallel HTTP requests to 16 per link-local /64 source network
ip6tables -A CIP_INPUT -p tcp --syn --dport 80 -s fe80::/64 -m connlimit --connlimit-above 16 --connlimit-mask 64 -j REJECT

connmark *

Matches packets in connections with value set by CONNMARK target.

This is not supported on CIP.

conntrack

Matches additional connection tracking information.

[!] --ctstate statelist

statelist is a comma-separated list of the connection states to match.

[!] --ctproto l4proto

[!] --ctorigsrc address[/mask]

[!] --ctorigdst address[/mask]

[!] --ctreplsrc address[/mask]

[!] --ctrepldst address[/mask]

Matches against original/reply source/destination address.

[!] --ctorigsrcport port[:port]

[!] --ctorigdstport port[:port]

[!] --ctreplsrcport port[:port]

[!] --ctrepldstport port[:port]

Matches against original/reply source/destination port (TCP/UDP/etc.) or GRE key.

[!] --ctstatus [NONE|EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED][,...]

[!] --ctexpire time[:time]

--ctdir {ORIGINAL|REPLY}

dccp *

Matches DCCP-specific fields and types.

Not supported because CIP does not support Datagram Congestion Control Protocol.

dscp

This module matches the 6-bit DSCP field within the Traffic Class byte of the IPv6 header (the TOS field of an IPv4 header). DSCP has superseded TOS within the IETF.

[!] --dscp value

Match against a numeric (decimal or hex) value [0-63].

[!] --dscp-class class

Match the DiffServ class. This value may be any of the BE, EF, AFxx or CSx classes. It will then be converted into its according numeric value.

dst

Matches parameters in Destination Options header.

[!] --dst-len length

--dst-opts type[:length][,type[:length]...]

esp

Matches the SPIs in ESP header of IPsec packets.

[!] --espspi spi[:spi]

eui64

Matches EUI-64 part of a stateless auto configured IPv6 address.

frag

Matches parameters in the Fragment header.

[!] --fragid id[:id]

[!] --fraglen length

--fragres

--fragfirst

--fragmore

--fraglast

hashlimit

Hashlimit for something like per destination-ip or per (destip, destport) tuple. It gives you the ability to express:

"1000 packets per second for every host in 192.168.0.0/16"

"100 packets per second for every service of 192.168.1.1"

with a single ip6tables rule.

--hashlimit-upto amount[/second|/minute|/hour|/day]

--hashlimit-above amount[/second|/minute|/hour|/day]

--hashlimit-burst amount

--hashlimit-mode {srcip|srcport|dstip|dstport},...

--hashlimit-srcmask prefix

--hashlimit-dstmask prefix

--hashlimit-name foo

--hashlimit-htable-size buckets

--hashlimit-htable-max entries

--hashlimit-htable-expire msec

--hashlimit-htable-gcinterval msec

hbh

Matches parameters in Hop-by-Hop Options header.

[!] --hbh-len length

--hbh-opts type[:length][,type[:length]...]

helper

Specifies the conntrack-helper module.

[!] --helper string

hl

Matches the Hop Limit field in the IPv6 header.

[!] --hl-eq value

--hl-lt value

--hl-gt value

icmp6

Matches ICMPv6-specific values.

[!] --icmpv6-type {type[/code]|typename}

Allows specification of the ICMPv6 type, which can be a numeric ICMPv6 type, type and code, or one of the ICMPv6 type names shown by the command: ip6tables -p ipv6-icmp -h

iprange

Matches on a given arbitrary range of IP addresses.

[!] --src-range from[-to]

[!] --dst-range from[-to]

ipv6header

Matches IPv6 extension headers and/or upper layer header.

--soft

[!] --header header[,header...]

length

Matches the length of a packet against a value or range of values.

[!] --length length[:length]

limit

This module matches at a limited rate using a token bucket filter. A rule using this extension will match until this limit is reached. It can be used in combination with the LOG target to give limited logging, for example.

xt_limit has no negation support - you will have to use -m hashlimit ! --hashlimit rate in this case whilst omitting --hashlimit-mode.

--limit rate [/second|/minute|/hour|/day]

--limit-burst number
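The limit and hashlimit matches described above both rest on the token bucket the text mentions, and the number of matches a rule will produce is easy to misjudge. The following Python model is an added example, not code from this manpage or from the Linux kernel: it reproduces the stated semantics (burst tokens available at the start, refilled at the configured rate, one token consumed per matching packet; hashlimit keeps one bucket per key built from the --hashlimit-mode fields, with --hashlimit-srcmask/--hashlimit-dstmask grouping addresses by prefix) as an idealised continuous-time model, so you can predict how many EMS events a LOG rule guarded by -m limit will raise before loading it on a CLIM. The rates, addresses and timestamps are constructed for the demonstration.

```python
"""Token-bucket model of the xt_limit and xt_hashlimit matches.

Added example, not code from the HPE manpage or the Linux kernel.  It is an
idealised continuous-time model (the kernel accounts in jiffies): a bucket
starts with `burst` tokens, refills at `rate`, and the rule matches only
while a token can be taken.  hashlimit keeps one such bucket per key.  All
rates, addresses and timestamps are constructed for the demonstration.
"""
import ipaddress

_UNITS = {"second": 1.0, "minute": 60.0, "hour": 3600.0, "day": 86400.0}


def parse_rate(rate):
    """'5/minute' -> tokens per second; a bare number means per second."""
    amount, _, unit = rate.partition("/")
    return int(amount) / _UNITS[unit or "second"]


class TokenBucket:
    def __init__(self, rate, burst):
        self.rate = parse_rate(rate)      # tokens added per second
        self.burst = float(burst)         # capacity, and the initial fill
        self.tokens = float(burst)
        self.last = None

    def take(self, now):
        """True (the rule matches) if a token is available at time `now`."""
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def limit_matches(timestamps, rate, burst):
    """Verdicts of '-m limit --limit rate --limit-burst burst' for packets arriving at `timestamps`."""
    bucket = TokenBucket(rate, burst)
    return [bucket.take(t) for t in timestamps]


class HashLimit:
    """'-m hashlimit --hashlimit-mode ... --hashlimit-srcmask/dstmask ... --hashlimit-burst n'."""

    def __init__(self, rate, burst, mode=("srcip",), srcmask=None, dstmask=None):
        self.rate, self.burst, self.mode = rate, burst, tuple(mode)
        self.masks = {"srcip": srcmask, "dstip": dstmask}
        self.buckets = {}                 # one TokenBucket per key

    def _key(self, pkt):
        parts = []
        for name in self.mode:            # any of srcip, srcport, dstip, dstport
            value = pkt[name]
            if self.masks.get(name) is not None:   # group addresses by prefix length
                value = str(ipaddress.ip_network(f"{value}/{self.masks[name]}", strict=False))
            parts.append(value)
        return tuple(parts)

    def upto(self, pkt, now):
        """--hashlimit-upto: matches while this key's bucket still holds a token."""
        bucket = self.buckets.setdefault(self._key(pkt), TokenBucket(self.rate, self.burst))
        return bucket.take(now)

    def above(self, pkt, now):
        """--hashlimit-above: the negated form, which '! --limit' cannot express."""
        return not self.upto(pkt, now)
```

With --limit 3/second --limit-burst 5, ten back-to-back packets yield five matches and a second later three more tokens have accrued; a LOG rule guarded that way raises at most that many EMS events. HashLimit.above is the --hashlimit-above form the text recommends where a negated --limit is wanted, and a srcmask of 64 makes every host in the same /64 share one bucket.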

mac

Matches source MAC address.

[!] --mac-source address

mark

This module matches the netfilter mark field associated with a packet (which can be set using the MARK target below).

[!] --mark value[/mask]

Matches packets with the given unsigned mark value (if a mask is specified, this is logically ANDed with the mask before the comparison). Matches packets with value previously set by MARK target.

mh *

Matches the Mobility Header (MH) type.

Not supported because CIP does not support ipv6-mh protocol.

multiport

Matches a set of source or destination ports.

[!] --source-ports | --sports port[,port|,port:port]...

[!] --destination-ports | --dports port[,port|,port:port]...

[!] --ports port[,port|,port:port]...

owner *

Matches various characteristics of the (locally generated) packet creator.

Not supported because it is only valid in the OUTPUT and POSTROUTING chains.

physdev *

Matches on the bridge port input and output devices enslaved to a bridge device.

Not supported because CIP is not a bridge device.

pkttype

Matches link-layer packet type.

[!] --pkt-type {unicast|broadcast|multicast}

policy

Matches IPsec policy.

--dir {in|out}

--pol {none|ipsec}

--strict

[!] --reqid id

[!] --spi spi

[!] --proto {ah|esp|ipcomp}

[!] --mode {tunnel|transport}

[!] --tunnel-src addr[/mask]

[!] --tunnel-dst addr[/mask]

--next

quota

Implements network quota by decrementing a byte counter with each packet. The condition matches until the byte counter reaches zero. Behavior is reversed with negation (i.e. the condition does not match until the byte counter reaches zero).

[!] --quota bytes

The quota in bytes.

rateest *

Rate estimator.

Not supported because it is mainly for making routing decisions (mangle table).

realm *

Matches the routing realm.

Not supported because it is for dynamic routing.

recent

Matches against dynamically constructed list of IP addresses.

--name name

[!] --set

--rsource

--rdest

[!] --rcheck

[!] --update

[!] --remove

--seconds seconds

--reap

--hitcount hits

--rttl

rt

Matches on IPv6 routing header.

--rt-type [!] type

--rt-segsleft [!] num[:num]

--rt-len [!] length

--rt-0-res

--rt-0-addrs ADDR[,ADDR...]

--rt-0-not-strict

sctp

Matches SCTP-specific information.

[!] --source-port | --sport port[:port]

[!] --destination-port | --dport port[:port]

[!] --chunk-types all|any|only chunktype[:flags] [...]

set *

Matches IP sets which can be defined by ipset(8).

Not supported because ipset is not supported.

socket

Matches if an open socket can be found by doing a socket lookup on the packet.

--transparent

state

Allows access to conntrack state for this packet.

[!] --state statelist

Where statelist is a comma-separated list of the connection states to match. Possible states are INVALID, ESTABLISHED, NEW, and RELATED.

statistic

Matches packets based on some statistic condition.

--mode mode

[!] --probability p

[!] --every n

--packet p

string

Matches a given string pattern.

--algo bm|kmp

--from offset

--to offset

[!] --string pattern

[!] --hex-string pattern

tcp

Matches TCP-specific values.

[!] --source-port | --sport port[:port]

[!] --destination-port | --dport port[:port]

[!] --tcp-flags mask comp

[!] --syn

[!] --tcp-option number

tcpmss

Matches the TCP MSS field of the TCP header.

[!] --mss value[:value]

time

Matches the arrival time/date of packets.

--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]

--datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]

--timestart hh:mm[:ss]

--timestop hh:mm[:ss]

[!] --monthdays day[,day...]

[!] --weekdays day[,day...]

--kerneltz

Use the kernel timezone instead of UTC to determine whether a packet meets the time regulations.

tos

Matches the 8-bit ToS (Type of Service) field in the IP header.

[!] --tos value[/mask]

[!] --tos symbol

u32

Tests whether quantities of up to 4 bytes extracted from a packet have specified values. The specification of what to extract is general enough to find data at given offsets from tcp headers or payloads.

[!] --u32 tests

The argument amounts to a program in a small language described below:

tests := location "=" value | tests "&&" location "=" value

value := range | value "," range

range := number | number ":" number

A single number, n, is interpreted the same as n:n. n:m is interpreted as the range of numbers >=n and <=m.

location := number | location operator number

operator := "&" | "<<" | ">>" | "@"

The operators &, <<, >> and && mean the same as in C. The = is really a set membership operator and the value syntax describes a set. The @ operator is what allows moving to the next header.

udp

Matches UDP-specific values.

[!] --source-port | --sport port[:port]

[!] --destination-port | --dport port[:port]

Extensions with an asterisk (*) are not supported but are not disallowed by CIP.
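The u32 match above is defined only by its grammar, and the surest way to know which bytes an expression selects is to run it. The following Python evaluator is an added example, not code from this manpage or from the Linux xt_u32 module: it implements the three-register machine the upstream iptables-extensions manpage uses to define location (A = start of the IP header, B = offset, C = 32-bit accumulator; "number" loads 4 bytes at A+B into C, "&", "<<" and ">>" operate on C, "@" adds C to A and then loads at the new A plus the following number, and any read outside the packet makes the match fail), so a --u32 expression can be tried against a hand-built packet before it is appended to CIP_INPUT. It goes beyond the IPv6 case of this manpage by also covering IPv4, where "@" is what hops over the variable-length header. All packets below are constructed for the demonstration.

```python
"""Evaluate an iptables/ip6tables --u32 expression against raw packet bytes.

Added example, not code from the HPE manpage or the Linux xt_u32 module.  It
runs the three-register machine the upstream iptables-extensions manpage uses
to define `location` (A = start of the IP header, B = offset, C = 32-bit
accumulator); a read outside the packet makes the match fail.  The packets
at the bottom are constructed for the demonstration.
"""
import re

_TOKEN = re.compile(r"0x[0-9a-fA-F]+|\d+|&&|<<|>>|[&@=,:]")


def _number(tok):
    return int(tok, 16) if tok[:2].lower() == "0x" else int(tok)   # ValueError if not a number


def _split(tokens, sep):
    out = [[]]
    for tok in tokens:
        out.append([]) if tok == sep else out[-1].append(tok)
    return out


def parse_u32(expr):
    """tests := location '=' value ('&&' ...)*  ->  [((first, [(op, n), ...]), [(lo, hi), ...])]."""
    expr = "".join(expr.split())                 # whitespace is not significant
    tokens = _TOKEN.findall(expr)
    if "".join(tokens) != expr:
        raise ValueError(f"bad u32 syntax: {expr!r}")
    tests = []
    for test in _split(tokens, "&&"):
        if test.count("=") != 1:
            raise ValueError("each test needs exactly one '='")
        loc, val = _split(test, "=")
        if not loc or len(loc) % 2 == 0:
            raise ValueError("location := number (operator number)*")
        ops = [(op, _number(n)) for op, n in zip(loc[1::2], loc[2::2])]
        if any(op not in ("&", "<<", ">>", "@") for op, _ in ops):
            raise ValueError(f"bad operator in {''.join(loc)!r}")
        ranges = []
        for rng in _split(val, ","):             # value := range (',' range)*
            if len(rng) == 1:
                lo = hi = _number(rng[0])
            elif len(rng) == 3 and rng[1] == ":":
                lo, hi = _number(rng[0]), _number(rng[2])
            else:
                raise ValueError(f"bad range {''.join(rng)!r}")
            ranges.append((lo, hi))
        tests.append(((_number(loc[0]), ops), ranges))
    return tests


def _read32(packet, offset):
    if offset < 0 or offset + 4 > len(packet):
        return None                              # access outside the packet
    return int.from_bytes(packet[offset:offset + 4], "big")


def _locate(packet, location):
    first, ops = location
    base, acc = 0, _read32(packet, first)        # A = 0; B = first; C = *(A + B)
    for op, num in ops:
        if acc is None:
            return None
        if op == "&":
            acc &= num
        elif op == "<<":
            acc = (acc << num) & 0xFFFFFFFF
        elif op == ">>":
            acc >>= num
        else:                                    # '@': A += C, then C = *(A + num)
            base += acc
            acc = _read32(packet, base + num)
    return acc


def u32_match(expr, packet, negate=False):
    """Result of '[!] --u32 expr' for this packet; every test must hold."""
    matched = all(
        (v := _locate(packet, loc)) is not None and any(lo <= v <= hi for lo, hi in ranges)
        for loc, ranges in parse_u32(expr))
    return matched != negate


def _ipv4_packet(proto, payload):
    """Constructed: 20-byte IPv4 header (IHL 5, DF set, checksum 0) + payload."""
    return (bytes([0x45, 0x00]) + (20 + len(payload)).to_bytes(2, "big") + b"\x00\x01\x40\x00"
            + bytes([64, proto, 0, 0]) + bytes([10, 0, 0, 1, 10, 0, 0, 2]) + payload)


def _ipv6_packet(next_header, payload):
    """Constructed: fixed 40-byte IPv6 header (fe80::1 -> fe80::2), no extension headers."""
    src, dst = b"\xfe\x80" + b"\x00" * 13 + b"\x01", b"\xfe\x80" + b"\x00" * 13 + b"\x02"
    return (b"\x60\x00\x00\x00" + len(payload).to_bytes(2, "big") + bytes([next_header, 64])
            + src + dst + payload)


TCP_SYN_23 = b"\x04\xd2\x00\x17" + b"\x00" * 8 + b"\x50\x02\xff\xff\x00\x00\x00\x00"
PKT_V4_ICMP = _ipv4_packet(1, b"\x08\x00\xf7\xff\x00\x00\x00\x00")      # echo request
PKT_V4_TCP = _ipv4_packet(6, TCP_SYN_23)
PKT_V6_TCP = _ipv6_packet(6, TCP_SYN_23)
PKT_V6_ICMP = _ipv6_packet(58, b"\x80\x00\x00\x00\x00\x00\x00\x00")    # ICMPv6 type 128

# IPv4: protocol byte; first/unfragmented; '@' hops over the variable-length
# header (IHL*4 taken from the first word) to read ICMP type 8 (echo request).
V4_ICMP_ECHO = "6&0xFF=1 && 4&0x3FFF=0 && 0>>22&0x3C@0>>24=8"
# IPv4 TCP with a destination port in 20..23.
V4_TCP_LOW_PORTS = "6&0xFF=6 && 0>>22&0x3C@0&0xFFFF=20:23"
# IPv6: next header byte, fixed 40-byte header, ICMPv6 type 128 (echo request).
V6_ICMP_ECHO = "4&0xFF00=0x3A00 && 40>>24=128"
```

The "6&0xFF" idiom reads the 4-byte word at offset 6 and keeps its last byte, the IPv4 protocol field; "0>>22&0x3C" is the IPv4 header length in bytes, so "@0" after it lands on the transport header. Note that the IPv6 expression assumes no extension headers precede the upper-layer header, which is exactly the assumption a fixed offset of 40 bakes in.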

TARGET EXTENSIONS

The supported target extensions are based on the Linux ip6tables man pages. They are subject to future changes in the Linux ip6tables implementation.

DSCP

This target allows altering the value of the DSCP bits within the Traffic Class byte of the IPv6 header (the TOS byte of an IPv4 packet).

As this manipulates a packet, it can only be used in the mangle table.

--set-dscp value

Set the DSCP field to a numerical value (can be decimal or hex).

--set-dscp-class class

Set the DSCP field to a DiffServ class.

LOG

When the LOG target is set for a rule, the Linux kernel will print some information on all matching packets (i.e., most IP header fields) to syslog. This is a "non-terminating target", i.e. rule traversal continues at the next rule. If you want to LOG the packets you refuse, use two separate rules with the same matching criteria, first using target LOG, the next using DROP (or REJECT).

LOG has the following options:

--log-level level

Level of logging (keyword or numeric): debug (or 7), info (or 6), notice (or 5), warning (or 4), err (or 3), crit (or 2), alert (or 1), emerg (or 0).

Default is warning if not specified. If the specified log-level is info or more severe (a numeric level of 6 or lower, e.g., warning), the log message is also sent to the NSK host, generating a 5232 EMS event in $0.

NOTE: Care should be used so as to not flood EMS with events.

--log-prefix prefix

Prefix log messages with the specified prefix; up to 25 characters long, and useful for distinguishing messages in the logs. The kernel prints the prefix immediately before the packet fields, so end it with a space or colon if a separator is wanted; the separator counts towards the 25 characters.

--log-tcp-sequence

Log TCP sequence numbers. This is a security risk if the log is readable by users.

--log-tcp-options

Log options from the TCP packet header.

--log-ip-options

Log options from the IP packet header.

--log-uid

Log the userid of the process which generated the packet.

Example 1:

Both syslog and EMS display the message.

climconfig ip6tables -A CIP_INPUT -j LOG --log-level info --log-prefix "LOGDROP"
climconfig ip6tables -A CIP_INPUT -j DROP

Example 2:

The message is only logged in the syslog, not in EMS.

climconfig ip6tables -A CIP_INPUT -j LOG --log-level debug --log-prefix "LOGDROP"
climconfig ip6tables -A CIP_INPUT -j DROP
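Once a LOG/DROP pair like the ones above is in place, the CLIM's syslog (and, at info or more severe, EMS) receives one line per dropped packet, and the useful question is which sources are behind them. The following Python parser is an added example, not code from this manpage or from the CLIM software: it extracts the kernel's KEY=VALUE fields from such lines, normalises the uncompressed IPv6 addresses the kernel prints, and counts distinct destination ports per source to pick out port scanners. The sample lines are constructed; their KEY=VALUE body follows the Linux kernel LOG format, while the syslog timestamp and host in front of it are assumed. Because the kernel prints --log-prefix with no separator, the "LOGDROP" prefix of the examples appears as LOGDROPIN=.

```python
"""Parse netfilter LOG lines from a CLIM's syslog and flag scanning sources.

Added example, not code from the HPE manpage or the CLIM software.  The
sample lines are constructed: the "IN= OUT= SRC= DST= ..." body is the Linux
kernel LOG format, the syslog timestamp/host wrapper is assumed.  The kernel
prints --log-prefix with no separator, hence "LOGDROPIN=".
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_SYSLOG = """\
Mar 10 12:00:01 n1002583 kernel: LOGDROPIN=eth2 OUT= SRC=fe80:0000:0000:0000:0221:5aff:fec9:1a32 DST=fe80:0000:0000:0000:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=40001 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
Mar 10 12:00:01 n1002583 kernel: LOGDROPIN=eth2 OUT= SRC=fe80:0000:0000:0000:0221:5aff:fec9:1a32 DST=fe80:0000:0000:0000:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=40002 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
Mar 10 12:00:02 n1002583 kernel: LOGDROPIN=eth2 OUT= SRC=fe80:0000:0000:0000:0221:5aff:fec9:1a32 DST=fe80:0000:0000:0000:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=40003 DPT=23 WINDOW=8192 RES=0x00 SYN URGP=0
Mar 10 12:00:02 n1002583 kernel: LOGDROPIN=eth2 OUT= SRC=fe80:0000:0000:0000:0221:5aff:fec9:1a32 DST=fe80:0000:0000:0000:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=40004 DPT=25 WINDOW=8192 RES=0x00 SYN URGP=0
Mar 10 12:00:03 n1002583 kernel: LOGDROPIN=eth2 OUT= SRC=fe80:0000:0000:0000:0221:5aff:fec9:1a32 DST=fe80:0000:0000:0000:0000:0000:0000:0001 LEN=64 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=1 SEQ=1
Mar 10 12:00:04 n1002583 kernel: LOGDROPIN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:00:05 n1002583 kernel: LOGDROPIN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51001 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:00:06 n1002583 kernel: OTHERPFX IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.9 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=UDP SPT=53 DPT=53
"""

_KV = re.compile(r"([A-Z]+)=(\S*)")
_TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}
MAX_LOG_PREFIX = 25                        # the climconfig limit for --log-prefix


def log_prefix_ok(prefix):
    """climconfig rejects prefixes longer than 25 characters; a separator counts too."""
    return 0 < len(prefix) <= MAX_LOG_PREFIX


def parse_log_line(line, prefix):
    """Fields of one LOG line as a dict, or None if it carries another prefix."""
    marker = "kernel: " + prefix
    pos = line.find(marker)
    if pos < 0:
        return None
    body = line[pos + len(marker):]
    rec = dict(_KV.findall(body))
    for key in ("SRC", "DST"):             # the kernel prints IPv6 uncompressed
        if key in rec:
            rec[key] = ipaddress.ip_address(rec[key]).compressed
    rec["FLAGS"] = frozenset(tok for tok in body.split() if tok in _TCP_FLAGS)
    return rec


def summarize(lines, prefix="LOGDROP"):
    """Per source address: packets logged, interfaces seen, distinct destination ports."""
    stats = defaultdict(lambda: {"packets": 0, "ifaces": set(), "ports": set()})
    for line in lines:
        rec = parse_log_line(line, prefix)
        if rec is None or "SRC" not in rec:
            continue
        entry = stats[rec["SRC"]]
        entry["packets"] += 1
        entry["ifaces"].add(rec.get("IN", ""))
        if "DPT" in rec:
            entry["ports"].add(int(rec["DPT"]))
    return dict(stats)


def find_scanners(lines, prefix="LOGDROP", min_ports=3):
    """Sources whose dropped packets touched at least `min_ports` distinct ports."""
    return sorted(src for src, s in summarize(lines, prefix).items() if len(s["ports"]) >= min_ports)
```

Run over the sample, the link-local source that probed ports 21, 22, 23 and 25 is reported while the host that only retried telnet is not, and the line with another prefix is ignored entirely. Since every matching packet at log-level info or more severe also becomes an EMS event, pair a LOG rule like the one above with -m limit before relying on a parser like this in production.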

MARK

This target is used to set the Netfilter mark value associated with the packet. It can, for example, be used in conjunction with routing based on fwmark (needs iproute2). If you plan on doing so, note that the mark needs to be set in the PREROUTING chain of the mangle table to affect routing. The mark field is 32 bits wide.

--set-xmark value[/mask]

Zeroes out the bits given by mask and XORs value into the packet mark ("nfmark"). If mask is omitted, 0xFFFFFFFF is assumed.

--set-mark value[/mask]

Zeroes out the bits given by mask and ORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed.

The following mnemonics are available:

--and-mark bits

Binary AND the nfmark with bits. (Mnemonic for --set-xmark 0/invbits, where invbits is the binary negation of bits.)

--or-mark bits

Binary OR the nfmark with bits. (Mnemonic for --set-xmark bits/bits.)

--xor-mark bits

Binary XOR the nfmark with bits. (Mnemonic for --set-xmark bits/0.)

REJECT

Used to send back an error packet in response to the matched packet; otherwise it is equivalent to DROP, so it is a terminating TARGET, ending rule traversal. The following option controls the nature of the error packet returned:

--reject-with type

The type given for ip6tables can be one of icmp6-no-route (alias no-route), icmp6-adm-prohibited (adm-prohibited), icmp6-addr-unreachable (addr-unreach), or icmp6-port-unreachable (port-unreach).

ERROR MESSAGES

climconfig ip6tables requires options/commands.

Try ’climconfig ip6tables -h’ for more information.

climconfig ip6tables Error: File /etc/clim/climiptables/state does not exist.

climconfig ip6tables Error: Cannot open the file /etc/clim/climiptables/state: error-code.

Error: invalid version string ’version’, file ’/etc/clim/climiptables/state’.

Error: version string major, minor is not compatible, file ’/etc/clim/climiptables/state’.

climconfig ip6tables Error: Invalid climiptables state file.

climconfig ip6tables Error: max prefix length for ’--log-prefix’ is 25.

climconfig ip6tables Error: Deleting/Appending/Renaming/Flushing a rule from/to the Linux built-in chain 'xxx' is not allowed.

climconfig ip6tables Error: Deleting/Appending/Renaming/Flushing a rule from/to the CIP policy chain is not allowed.

climconfig ip6tables Error: the -t option must be ’-t filter’ or ’-t mangle’; table=’name’.

climconfig ip6tables Error: the ’-t mangle’ option is NOT supported on this hardware.

CONSIDERATIONS

None.

EXAMPLES

> climcmd n1002583 climconfig ip6tables -S

-N ftp
-N telnet
-A CIP_INPUT -p tcp -m tcp --dport 20:21 -j ftp
-A CIP_INPUT -p tcp -m tcp --dport 23 -j telnet
-A ftp -i eth2 -j REJECT --reject-with icmp6-port-unreachable
-A telnet ! -i eth2 -j REJECT --reject-with icmp6-port-unreachable

Termination Info: 0

> climcmd n1002583 climconfig ip6tables -vL

Chain INPUT (policy ACCEPT 11 packets, 889 bytes)
 pkts bytes target      prot opt in    out  source     destination
 7636 1970K ACCEPT      all  --  any   any  N1002583   anywhere
 657K  229M ACCEPT      all  --  eth0  any  anywhere   anywhere
  204 13045 CIP_INPUT   all  --  any   any  anywhere   anywhere
  146  9781 CIP_INPUT_p all  --  any   any  anywhere   anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target      prot opt in    out  source     destination

Chain OUTPUT (policy ACCEPT 1313 packets, 246K bytes)
 pkts bytes target      prot opt in    out  source     destination

Chain CIP_INPUT (1 references)
 pkts bytes target      prot opt in    out  source     destination
   18   972 ftp         tcp  --  any   any  anywhere   anywhere     tcp dpts:ftp-data:ftp
    4   224 telnet      tcp  --  any   any  anywhere   anywhere     tcp dpt:telnet

Chain CIP_INPUT_p (1 references)
 pkts bytes target      prot opt in    out  source     destination

Chain ftp (1 references)
 pkts bytes target      prot opt in    out  source     destination
    2   120 REJECT      all  --  eth2  any  anywhere   anywhere     reject-with icmp6-port-unreachable

Chain telnet (1 references)
 pkts bytes target      prot opt in    out  source     destination
    1    60 REJECT      all  --  !eth2 any  anywhere   anywhere     reject-with icmp6-port-unreachable

Termination Info: 0
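Reading a listing such as the -S output above is easy for six rules and error-prone for sixty, especially with negated interface matches and jumps into user-defined chains. The following Python is an added example, not code from this manpage or from the CLIM software: it parses iptables-save style -N/-A lines into rules and walks them for a given packet the way netfilter does (jump into a user-defined chain, fall back to the caller when that chain ends without a verdict, ACCEPT/DROP/REJECT terminate, LOG and other targets continue), returning the verdict or an assumed default standing in for the CIP_INPUT policy. Only the options that appear in such listings (-p, -s, -d, -i with a trailing "+", -m tcp/udp --sport/--dport, -j, --reject-with) are understood. The listing is the one shown above, with the reject type written in the ip6tables form and one extra DROP rule added for ssh from outside the link-local /64 to exercise address matching; the packets are constructed.

```python
"""Walk a 'climconfig ip6tables -S' listing for a given packet.

Added example, not code from the HPE manpage or the CLIM software.  It parses
iptables-save style -N/-A lines and simulates traversal: jump into a
user-defined chain, return to the caller when it ends without a verdict,
ACCEPT/DROP/REJECT terminate, anything else (LOG) continues.  Only options
seen in such listings are understood.  Packets and the default verdict
(standing in for the CIP_INPUT policy) are constructed.
"""
import ipaddress
import shlex
from dataclasses import dataclass, field

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
LISTING = """\
-N ftp
-N telnet
-A CIP_INPUT -p tcp -m tcp --dport 20:21 -j ftp
-A CIP_INPUT -p tcp -m tcp --dport 23 -j telnet
-A CIP_INPUT ! -s fe80::/64 -p tcp -m tcp --dport 22 -j DROP
-A ftp -i eth2 -j REJECT --reject-with icmp6-port-unreachable
-A telnet ! -i eth2 -j REJECT --reject-with icmp6-port-unreachable
"""
_ADDR_OPTS = {"-s": "src", "--source": "src", "--src": "src",
              "-d": "dst", "--destination": "dst", "--dst": "dst"}
_PORT_OPTS = {"--dport": "dport", "--destination-port": "dport",
              "--sport": "sport", "--source-port": "sport"}


@dataclass
class Rule:
    chain: str
    target: str = ""
    matches: list = field(default_factory=list)   # (kind, negated, value)
    reject_with: str = ""


def _port_range(spec):
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


def parse_listing(text):
    """{chain: [Rule, ...]} from '-N chain' and '-A chain rule-spec' lines."""
    chains = {}
    for line in text.splitlines():
        argv = shlex.split(line)
        if not argv:
            continue
        if argv[0] == "-N":
            chains.setdefault(argv[1], [])
            continue
        if argv[0] != "-A":
            raise ValueError(f"unsupported line: {line!r}")
        rule, i, negate = Rule(chain=argv[1]), 2, False
        while i < len(argv):
            opt = argv[i]
            if opt == "!":                          # inverts the option that follows
                negate, i = True, i + 1
                continue
            value = argv[i + 1]
            if opt in ("-j", "--jump"):
                rule.target = value
            elif opt == "--reject-with":
                rule.reject_with = value
            elif opt in ("-m", "--match"):
                pass                                # loads a module, matches nothing itself
            elif opt in ("-p", "--protocol"):
                rule.matches.append(("proto", negate, value))
            elif opt in ("-i", "--in-interface"):
                rule.matches.append(("in", negate, value))
            elif opt in _ADDR_OPTS:
                rule.matches.append((_ADDR_OPTS[opt], negate, ipaddress.ip_network(value, strict=False)))
            elif opt in _PORT_OPTS:
                rule.matches.append((_PORT_OPTS[opt], negate, _port_range(value)))
            else:
                raise ValueError(f"unsupported option {opt!r} in {line!r}")
            negate, i = False, i + 2
        chains.setdefault(rule.chain, []).append(rule)
    return chains


def _match_one(kind, value, pkt):
    if kind == "proto":
        return pkt["proto"] == value
    if kind == "in":                                # 'eth+' matches any eth* interface
        return pkt["in"].startswith(value[:-1]) if value.endswith("+") else pkt["in"] == value
    if kind in ("src", "dst"):                      # address/prefix-length semantics of -s/-d
        return ipaddress.ip_address(pkt[kind]) in value
    lo, hi = value                                  # sport/dport, single port or lo:hi
    return lo <= pkt[kind] <= hi


def rule_matches(rule, pkt):
    return all(_match_one(k, v, pkt) != negated for k, negated, v in rule.matches)


def verdict(chains, pkt, chain="CIP_INPUT", default="ACCEPT"):
    """Verdict for pkt, or `default` when traversal ends without one."""
    for rule in chains.get(chain, []):
        if not rule_matches(rule, pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            break
        if rule.target in chains:                   # user-defined chain: may fall through
            result = verdict(chains, pkt, rule.target, default=None)
            if result is not None:
                return result
    return default


def make_packet(in_iface, dport, proto="tcp", src="fe80::5", dst="fe80::1", sport=40000):
    """Constructed packet description for the simulator."""
    return {"in": in_iface, "proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}
```

The interesting cases are the ones a reviewer tends to get backwards: a telnet SYN arriving on eth2 does not match the negated "! -i eth2" rule, the telnet chain ends without a verdict, and the packet falls back to CIP_INPUT and on to the default, whereas the same SYN on eth0 is rejected. The default passed to verdict must mirror whatever -P CIP_INPUT was set to on the CLIM; it is not read from the listing.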

SEE ALSO

climconfig iptables, climiptables


climconfig.iptables(1) climconfig.iptables(1)

NAME

climconfig.iptables − configure iptables

SYNOPSIS

CLIMCMD {clim-name|ip-address} climconfig iptables

[-prov prov-name] [-force] arguments

Or,

CLIMCMD {clim-name|ip-address} climconfig iptables

[-prov prov-name] arguments [-force]

CLIMCONFIG.IPTABLES DESCRIPTION

This command supports the following arguments. If a command is labeled as sensitive, a user confirmation is required for execution unless the -force option is also specified.

--append | -A chain rule-specification options

This command appends one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination. This command is valid only for the CIP_INPUT chain of the filter table, the CIP_OUTPUT chain of the mangle table, and user-defined chains.

--delete | -D chain rulenum rule-specification options

This command deletes one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting from 1 for the first rule) or a rule to match. For the latter case, the specified rule must match an existing entry in the chain exactly. This command is valid only for the CIP_INPUT chain of the filter table, the CIP_OUTPUT chain of the mangle table, and user-defined chains. This is a sensitive command.

--insert | -I chain [rulenum] rule-specification options

This inserts one or more rules in the selected chain as the given rule number. Number starts from 1. This is also the default if no rule number is specified. This command is valid only for the CIP_INPUT chain of filter table, CIP_OUTPUT chain of mangle table, and user-defined chains.

--replace | -R chain rulenum rule-specification options

This command replaces a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command will fail. Rules are numbered starting at 1. This command is valid only for the CIP_INPUT chain of the filter table, the CIP_OUTPUT chain of the mangle table, and user-defined chains. This is a sensitive command.

--list | -L [chain rulenum]

Lists all rules or the rule of the specified rule number in the selected chain. Any chain (including the built-in chains) can be listed. This command is valid for all chains including the Linux built-in chains, the CIP built-in chains, and all user-defined chains. If no chain is selected, all chains are listed.

--list-rules | -S [chain rulenum]

Prints all rules or the rule of the specified rule number in the selected chain in the form of iptables/ip6tables commands. This command is valid only for the CIP_INPUT chain and user-defined chains. If no chain is selected, all user-defined chains, if any, and the CIP_INPUT chain are listed.

--flush | -F [chain]

This command deletes all user-defined rules in a chain. This command is valid only for the CIP_INPUT chain of filter table, CIP_OUTPUT chain of mangle table, and user-defined chains. If no chain is specified, this flushes all rules in the CIP_INPUT chain of filter table, CIP_OUTPUT chain of mangle table, and in all user-defined chains. The CIP_INPUT_p chain is not flushed. This is a sensitive command.

--zero | -Z [chain]

This command zeros out the packet and byte counters in the specified chain or all chains if the chain name is not specified. This applies to all user-defined chains, the CIP built-in chains and Linux built-in chains if chain is not specified. A user may also specify the Linux built-in INPUT chain for this command.

--new | -N chain

This command creates a new user-defined chain by the given name. There must be no target of that name already, or an error is returned. Creating a Linux built-in or CIP built-in chain is not allowed.

--delete-chain | -X [chain]

Delete the user-defined chain specified. There must be no references to the chain. If there are, you must delete or replace the referring rules before the chain can be deleted. The chain must also be empty, i.e. not containing any rules. If no argument is given, it will attempt to delete every user-defined chain in the table. The Linux built-in chains and CIP built-in chains cannot be deleted.

--rename-chain | -E old-chain new-chain

This command renames the specified user-defined chain to the user-supplied name.

Any references to the old chain name are automatically renamed by Linux iptables/ip6tables itself. The Linux built-in chains and CIP built-in chains cannot be renamed.

--policy | -P chain target

This command sets the policy for the chain to the given target. Only the CIP built-in CIP_INPUT chain can be given a policy; neither Linux built-in nor user-defined chains can.

Setting a policy on the CIP_INPUT chain causes the target (the first and only rule) in the CIP_INPUT_p chain to be replaced.

-h | -help | --help

This command prints the climconfig iptables/ip6tables help information. If it is specified after a match extension, some more information pertinent to that match could also be given.

PARAMETERS

-prov

Specifies a provider name. This option is mandatory for CLIMs that have MULTIPROV set to ON and cannot be used if MULTIPROV is set to OFF. Each provider has its own iptables configuration. The provider name is case-insensitive and always converted to UPPER case.

-force

Used with a sensitive command, causes the command to bypass user confirmation. Must be either ahead of the command or at the end of the line.

[!] --protocol | -p proto

To match protocol proto, which is either a protocol name or number. Supported protocols are: all(0), tcp(6), udp(17), icmp(1), esp(50), ah(51), and sctp(132). When the "!" argument is used, the 'match' operation is changed to the 'not match' operation.

[!] --source | --src | -s addressmask

To match a source address. Address can be either a network IPv4/IPv6 address (with /mask), or a plain IP address. The mask can be either a network mask or a plain number, specifying the number of 1s at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. When the "!" argument is used the 'match' operation is changed to the 'not match' operation.

[!] --destination | --dst | -d addressmask

To match a destination address. Address can be either a network IP address (with /mask), or a plain IPv4/IPv6 address. The mask can be either a network mask or a plain number, specifying the number of 1s at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. When the "!" argument is used the 'match' operation is changed to the 'not match' operation.

[!] --in-interface | -i interface_name

To match a packet by the interface in which it was received. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will match. When the "!" argument is used the 'match' operation is changed to the 'not match' operation.

[!] --out-interface | -o name

Name of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will match.

--fragment | -f

To match only the second and subsequent fragments of a datagram.

! --fragment | -f

To match only the first fragment, or an unfragmented datagram.

--jump | -j target

Jump to a target, which can be a user-defined chain, a built-in or extension target.

--match | -m match-module-name

Load a match extension module.

--numeric | -n

Select numeric output of addresses and ports.

--table | -t table

Specify table to manipulate. table must be ’filter’ or ’mangle’.

--verbose | -v

Verbose mode.

--line-numbers

Print line numbers when listing.

--exact | -x

To expand numbers (display exact values).

--set-counters | -c pkts bytes

This enables the administrator to initialize the packet and byte counters of a rule (during INSERT, APPEND, REPLACE operations). For example, iptables -A CIP_INPUT -c 100 2000 -p tcp -i eth2 --dport 21 -j ACCEPT would set the rule in the CIP_INPUT chain for accepting ftp packets targeted for interface eth2 and, at the same time, initialize the number of packets accepted to be 100 and the number of bytes to be 2000.

MATCH EXTENSIONS

The supported match extensions are based on the Linux iptables man pages. They are subject to future changes in the Linux iptables implementation.


addrtype

Matches packets based on address type. Valid address types are: UNSPEC, UNICAST, LOCAL, BROADCAST, ANYCAST, MULTICAST, BLACKHOLE, UNREACHABLE, PROHIBIT, THROW, NAT, XRESOLVE.

[!] --src-type type

[!] --dst-type type

--limit-iface-in

ah

Matches the SPIs in Authentication header of IPsec packets.

[!] --ahspi spi[:spi]

comment

Allows you to add comments (up to 256 characters) to any rule.

--comment comment

Example: iptables -A CIP_INPUT -s 192.168.0.0/16 -m comment --comment 'A privatized IP block'

connbytes

Matches by how many bytes/packets a connection has transferred.

[!] --connbytes from:[to]

Matches packets from a connection whose packets/bytes/average packet size is more than FROM and less than TO bytes/packets. If TO is omitted, only a FROM check is done. "!" is used to match packets not falling in the range.

--connbytes-dir {original|reply|both}

--connbytes-mode {packets|bytes|avgpkt}

Example: iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes ...

connlimit

Allows you to restrict the number of parallel connections to a server per client IP address (or client address block).

--connlimit-upto n

Match if the number of existing connections is below or equal n.

--connlimit-above n

Match if the number of existing connections is above n.

--connlimit-mask prefix_length

Group hosts using the prefix length. For IPv4, this must be a number between (including) 0 and 32. For IPv6, between 0 and 128. If not specified, the maximum prefix length for the applicable protocol is used.

--connlimit-saddr

Apply the limit onto the source group. This is the default if --connlimit-daddr is not specified.

--connlimit-daddr

Apply the limit onto the destination group.

Examples:

# allow 2 telnet connections per client host
iptables -A CIP_INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT


connmark *

Matches packets in connections with value set by CONNMARK target.

This is not supported on CIP.

conntrack

Matches additional connection tracking information.

[!] --ctstate statelist

statelist is a comma-separated list of the connection states to match.

[!] --ctproto l4proto

[!] --ctorigsrc address[/mask]

[!] --ctorigdst address[/mask]

[!] --ctreplsrc address[/mask]

[!] --ctrepldst address[/mask]

Matches against original/reply source/destination address.

[!] --ctorigsrcport port[:port]

[!] --ctorigdstport port[:port]

[!] --ctreplsrcport port[:port]

[!] --ctrepldstport port[:port]

Matches against original/reply source/destination port (TCP/UDP/etc.) or GRE key.

[!] --ctstatus [NONE|EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED][,...]

[!] --ctexpire time[:time]

--ctdir {ORIGINAL|REPLY}

dccp *

Matches DCCP-specific fields and types.

Not supported because CIP does not support Datagram Congestion Control Protocol.

dscp

This module matches the 6-bit DSCP field within the TOS field in the IP header. DSCP has superseded TOS within the IETF.

[!] --dscp value

Match against a numeric (decimal or hex) value [0-63].

[!] --dscp-class class

Match the DiffServ class. This value may be any of the BE, EF, AFxx or CSx classes. It will then be converted into its according numeric value.

ecn

Matches different ECN fields in the TCP and IPv4 headers.

[!] --ecn-tcp-cwr

[!] --ecn-tcp-ece

[!] --ecn-ip-ect num

esp

Matches the SPIs in ESP header of IPsec packets.

[!] --espspi spi[:spi]

hashlimit

Hashlimit for something like per destination-ip or per (destip,destport) tuple. It gives you the ability to express:

'1000 packets per second for every host in 192.168.0.0/16'

'100 packets per second for every service of 192.168.1.1'

with a single iptables rule.

--hashlimit-upto amount[/second|/minute|/hour|/day]

--hashlimit-above amount[/second|/minute|/hour|/day]

--hashlimit-burst amount

--hashlimit-mode {srcip|srcport|dstip|dstport},...

--hashlimit-srcmask prefix

--hashlimit-dstmask prefix

--hashlimit-name foo

--hashlimit-htable-size buckets

--hashlimit-htable-max entries

--hashlimit-htable-expire msec

--hashlimit-htable-gcinterval msec

helper

Specifies the conntrack-helper module.

[!] --helper string

icmp

This extension is loaded if '--protocol icmp' is specified. It provides the following option:

[!] --icmp-type {type[/code]|typename}

Allows specification of the ICMP type, which can be a numeric ICMP type, type/code pair, or one of the ICMP type names shown by the command: iptables -p icmp -h

iprange

Matches on a given arbitrary range of IP addresses.

[!] --src-range from[-to]

[!] --dst-range from[-to]

length

Matches the length of a packet against a value or range of values.

[!] --length length[:length]

limit

This module matches at a limited rate using a token bucket filter. A rule using this extension will match until this limit is reached. It can be used in combination with the LOG target to give limited logging, for example.

xt_limit has no negation support - you will have to use -m hashlimit ! --hashlimit rate in this case whilst omitting --hashlimit-mode.

--limit rate [/second|/minute|/hour|/day]

--limit-burst number

mac

Matches source MAC address.

[!] --mac-source address

mark

This module matches the netfilter mark field associated with a packet (which can be set using the MARK target below).

[!] --mark value[/mask]

Matches packets with the given unsigned mark value (if a mask is specified, this is logically ANDed with the mask before the comparison). Matches packets with value previously set by MARK target.

multiport

Matches a set of source or destination ports.

[!] --source-ports | --sports port[,port|,port:port]...

[!] --destination-ports | --dports port[,port|,port:port]...

[!] --ports port[,port|,port:port]...


owner *

Matches various characteristics of the (locally generated) packet creator.

Not supported because it is only valid in the OUTPUT and POSTROUTING chains.

physdev *

Matches on the bridge port input and output devices enslaved to a bridge device.

Not supported because CIP is not a bridge device.

pkttype

Matches link-layer packet type.

[!] --pkt-type {unicast|broadcast|multicast}

policy

Matches IPsec policy.

--dir {in|out}

--pol {none|ipsec}

--strict

[!] --reqid id

[!] --spi spi

[!] --proto {ah|esp|ipcomp}

[!] --mode {tunnel|transport}

[!] --tunnel-src addr[/mask]

[!] --tunnel-dst addr[/mask]

--next

Implements network quota by decrementing a byte counter with each packet. The condition matches until the byte counter reaches zero. Behavior is reversed with negation (i.e. the condition does not match until the byte counter reaches zero).

[!] --quota bytes

The quota in bytes.

rateest *

Rate estimator.

Not supported because it is mainly for making routing decisions (mangle table).

realm *

Matches the routing realm.

recent

Not supported because it is for dynamic routing.

Matches against dynamically constructed list of IP addresses.

--name name

[!] --set

--rsource sctp

--rdest

[!] --rcheck

[!] --update

[!] --remove

--seconds seconds

--reap

--hitcount hits

--rttl

Matches SCTP-specific information.

7

climconfig.iptables(1) climconfig.iptables(1)

set * socket

[!] --source-port | --sport port[:port]

[!] --destination-port | --dport port[:port]

[!] --chunk-types all|any|only chunktype[:flags] [...]

Matches IP sets which can be defined by ipset(8).

Not supported because ipset is not supported.

Matches if an open socket can be found by doing a socket lookup on the packet.

--transparent

Allows access to conntrack state for this packet.

state

[!] --state statelist

Where statelist is a comma-separated list of the connection states to match. Possible states are INVALID, ESTABLISHED, NEW, and RELATED.

statistic

Matches packets based on some statistic condition.

--mode mode

[!] --probability p

string tcp tcpmss time

[!] --every n

--packet p

Matches a given string pattern.

--algo bm|kmp

--from offset

--to offset

[!] --string pattern

[!] --hex-string pattern

Matches TCP-specific values.

[!] --source-port | --sport port[:port]

[!] --destination-port | --dport port[:port]

[!] --tcp-flags mask comp

[!] --syn

[!] --tcp-option number

Matches the TCP MSS field of the TCP header.

[!] --mss value[:value]

Matches the arrival time/date of packets.

--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]

--datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]

--timestart hh:mm[:ss]

--timestop hh:mm[:ss]

[!] --monthdays day[,day...]

[!] --weekdays day[,day...]

--kerneltz

Use the kernel timezone instead of UTC to determine whether a packet meets the time regulations.

8

climconfig.iptables(1) climconfig.iptables(1)

tos ttl u32

Matches the 8 bits ToS (Type of Service) field in the IP header.

[!] --tos value[/mask]

[!] --tos symbol

Matches the Time to Live (TTL) field in the IP header.

[!] --ttl-eq ttl

--ttl-gt ttl

--ttl-lt ttl

Tests whether quantities of up to 4 bytes extracted from a packet have specified values. The specification of what to extract is general enough to find data at given offsets from tcp headers or payloads.

[!] --u32 tests

The argument amounts to a program in a small language described below: tests := location "=" value | tests "&&" location "=" value value := range | value "," range range := number | number ":" number a single number, n, is interpreted the same as n:n. n:m is interpreted as the range of numbers >=n and <=m.

location := number | location operator number operator := "&" | "<<" | ">>" | "@"

The operators &, <<, >> and && mean the same as in C. The = is really a set membership operator and the value syntax describes a set. The @ operator is what allows moving to the next header.

Matches UDP-specific values.

udp

[!] --source-port | --sport port[:port]

[!] --destination-port | --dport port[:port]

Extensions with an asterisk (*) are not supported but are not disallowed by CIP.
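The u32 mini-language above is easiest to understand by evaluating it. The following is an added Python evaluator (not part of the manpage or the CIP software) that parses the grammar exactly as printed and runs it against a constructed IPv4/TCP packet; the detail that "@" adds the accumulated value to a base offset, and that a read past the end of the packet never matches, follows the Linux xt_u32 behaviour and is an assumption beyond what the page states.

```python
import re
from typing import List, Tuple

MASK32 = 0xFFFFFFFF
_OP_RE = re.compile(r"(<<|>>|&|@)")

# One parsed test: (first offset, [(operator, number), ...], [(lo, hi), ...]).
Test = Tuple[int, List[Tuple[str, int]], List[Tuple[int, int]]]


def _num(tok: str) -> int:
    """Decimal or 0x-prefixed hex number, as iptables accepts it."""
    tok = tok.strip()
    if not tok:
        raise ValueError("missing number in u32 expression")
    return int(tok, 0)


def parse_u32(tests: str) -> List[Test]:
    """Parse the --u32 grammar from the manpage:
    tests    := location "=" value | tests "&&" location "=" value
    location := number | location operator number
    value    := range | value "," range ;  range := number | number ":" number
    """
    parsed: List[Test] = []
    for test in tests.split("&&"):
        if test.count("=") != 1:
            raise ValueError("each test needs exactly one '='")
        loc, val = test.split("=")
        parts = _OP_RE.split(loc)       # e.g. ['0', '>>', '22', '&', '0x3C', '@', '0']
        start = _num(parts[0])
        ops = [(parts[i], _num(parts[i + 1])) for i in range(1, len(parts), 2)]
        ranges = []
        for r in val.split(","):
            lo, _, hi = r.partition(":")
            lo_n = _num(lo)
            ranges.append((lo_n, _num(hi) if hi else lo_n))   # a bare n means n:n
        parsed.append((start, ops, ranges))
    return parsed


def _read32(pkt: bytes, off: int):
    """4 bytes at off, big-endian, or None when the read would leave the packet."""
    if off < 0 or off + 4 > len(pkt):
        return None
    return int.from_bytes(pkt[off:off + 4], "big")


def _match(pkt: bytes, tests: List[Test]) -> bool:
    for start, ops, ranges in tests:
        at = 0                            # base offset, moved forward by "@"
        val = _read32(pkt, at + start)
        if val is None:
            return False                  # out-of-bounds read: the test does not match
        for op, n in ops:
            if op == "&":
                val &= n
            elif op == "<<":
                val = (val << n) & MASK32
            elif op == ">>":
                val >>= n
            else:                         # "@": accumulated value becomes the new base
                at += val
                val = _read32(pkt, at + n)
                if val is None:
                    return False
        if not any(lo <= val <= hi for lo, hi in ranges):
            return False                  # "=" is set membership in the value ranges
    return True


def u32_match(pkt: bytes, tests: str, negate: bool = False) -> bool:
    """Evaluate '[!] --u32 tests' against a raw IP packet; negate models the '!'."""
    return _match(pkt, parse_u32(tests)) != negate


# Constructed sample (not captured traffic): IPv4 header with IHL 5, DF set, TTL 64,
# protocol 6 (TCP), 10.1.1.1 -> 10.1.1.2, then 8 bytes of TCP header with
# source port 40000 (0x9C40), destination port 23 (0x0017) and sequence number 1.
SAMPLE_TELNET = bytes.fromhex(
    "4500001c" "00014000" "40060000" "0a010101" "0a010102"
    "9c400017" "00000001"
)

# Header length (IHL*4) is computed from the first word, then "@" jumps to the TCP
# header so that the low 16 bits of its first word are the destination port.
TCP_DPORT_23 = "0>>22&0x3C@0&0xFFFF=23"
IS_TCP = "6&0xFF=6"                       # protocol byte of the IP header

if __name__ == "__main__":
    print(u32_match(SAMPLE_TELNET, IS_TCP + "&&" + TCP_DPORT_23))   # True
    print(u32_match(SAMPLE_TELNET, TCP_DPORT_23, negate=True))      # False
```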

TARGET EXTENSIONS

The supported target extensions are based on the Linux iptables man pages. They are subject to future changes made by the Linux iptables implementation.

DSCP

This target alters the value of the DSCP bits within the TOS header of the IPv4 packet.

As this manipulates a packet, it can only be used in the mangle table.

--set-dscp value

Set the DSCP field to a numerical value (can be decimal or hex).

--set-dscp-class class

Set the DSCP field to a DiffServ class.

LOG

When the LOG target is set for a rule, the Linux kernel will print some information on all matching packets (i.e., most IP header fields) to syslog. This is a "non-terminating target", i.e. rule traversal continues at the next rule. If you want to LOG the packets you refuse, use two separate rules with the same matching criteria, first using target LOG, the next using DROP (or REJECT).


LOG has the following options:

--log-level level

Level of logging (keyword or numeric): debug (or 7), info (or 6), notice (or 5), warning (or 4), err (or 3), crit (or 2), alert (or 1), emerg (or 0).

Default is warning if not specified. If the specified severity of log-level is 'info' or above (e.g., warning), the log message is also sent to the NSK host, generating a 5232 EMS event in $0.

NOTE: Care should be used so as to not flood EMS with events.

--log-prefix prefix

Prefix log messages with the specified prefix; up to 25 letters long, and useful for distinguishing messages in the logs.

--log-tcp-sequence

Log TCP sequence numbers. This is a security risk if the log is readable by users.

--log-tcp-options

Log options from the TCP packet header.

--log-ip-options

Log options from the IP packet header.

--log-uid

Log the userid of the process which generated the packet.

Example 1:

Both syslog and EMS display the message.

climconfig iptables -A CIP_INPUT -j LOG --log-level info --log-prefix "LOGDROP"

climconfig iptables -A CIP_INPUT -j DROP

Example 2:

The message is only logged in the syslog, not in EMS.

climconfig iptables -A CIP_INPUT -j LOG --log-level debug --log-prefix "LOGDROP"

climconfig iptables -A CIP_INPUT -j DROP

MARK

This target is used to set the Netfilter mark value associated with the packet. It can, for example, be used in conjunction with routing based on fwmark (needs iproute2). If you plan on doing so, note that the mark needs to be set in the PREROUTING chain of the mangle table to affect routing. The mark field is 32 bits wide.

--set-xmark value[/mask]

Zeroes out the bits given by mask and XORs value into the packet mark ("nfmark"). If mask is omitted, 0xFFFFFFFF is assumed.

--set-mark value[/mask]

Zeroes out the bits given by mask and ORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed.

The following mnemonics are available:

--and-mark bits

Binary AND the nfmark with bits. (Mnemonic for --set-xmark 0/invbits, where invbits is the binary negation of bits.)

--or-mark bits

Binary OR the nfmark with bits. (Mnemonic for --set-xmark bits/bits.)

--xor-mark bits

Binary XOR the nfmark with bits. (Mnemonic for --set-xmark bits/0.)

REJECT

Used to send back an error packet in response to the matched packet; otherwise it is equivalent to DROP, so it is a terminating TARGET, ending rule traversal. The following option controls the nature of the error packet returned:

--reject-with type

The type given for iptables can be one of:

icmp-net-unreachable

icmp-host-unreachable

icmp-port-unreachable

icmp-proto-unreachable

icmp-net-prohibited

icmp-host-prohibited

icmp-admin-prohibited

ERROR MESSAGES

climconfig iptables requires options/commands. Try 'climconfig iptables -h' for more information.

climconfig iptables Error: File /etc/clim/climiptables/state does not exist.

climconfig iptables Error: Cannot open the file /etc/clim/climiptables/state: error-code

Error: invalid version string 'version', file '/etc/clim/climiptables/state'.

Error: version string major, minor is not compatible, file '/etc/clim/climiptables/state'.

climconfig iptables Error: Invalid climiptables state file.

climconfig iptables Error: max prefix length for '--log-prefix' is 25

climconfig iptables Error: Deleting/Appending/Renaming/Flushing a rule from/to the Linux built-in chain 'xxx' is not allowed.

climconfig iptables Error: Deleting/Appending/Renaming/Flushing a rule from/to the CIP policy chain is not allowed.

climconfig iptables Error: the -t option must be ’-t filter’ or ’-t mangle’; table=’name’.

climconfig iptables Error: the ’-t mangle’ option is NOT supported on this hardware.

CONSIDERATIONS

None.

EXAMPLES

> climcmd n1002583 climconfig iptables -S

-N ftp

-N telnet

-A CIP_INPUT -p tcp -m tcp --dport 20:21 -j ftp

-A CIP_INPUT -p tcp -m tcp --dport 23 -j telnet

-A ftp -i eth2 -j REJECT --reject-with icmp-port-unreachable

-A telnet ! -i eth2 -j REJECT --reject-with icmp-port-unreachable

Termination Info: 0


> climcmd n1002583 climconfig iptables -vL

Chain INPUT (policy ACCEPT 11 packets, 889 bytes)
 pkts bytes target      prot opt in     out     source               destination
 7636 1970K ACCEPT      all  --  any    any     N1002583             anywhere
 657K  229M ACCEPT      all  --  eth0   any     anywhere             anywhere
  204 13045 CIP_INPUT   all  --  any    any     anywhere             anywhere
  146  9781 CIP_INPUT_p all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target      prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1313 packets, 246K bytes)
 pkts bytes target      prot opt in     out     source               destination

Chain CIP_INPUT (1 references)
 pkts bytes target      prot opt in     out     source               destination
   18   972 ftp         tcp  --  any    any     anywhere             anywhere             tcp dpts:ftp-data:ftp
    4   224 telnet      tcp  --  any    any     anywhere             anywhere             tcp dpt:telnet

Chain CIP_INPUT_p (1 references)
 pkts bytes target      prot opt in     out     source               destination

Chain ftp (1 references)
 pkts bytes target      prot opt in     out     source               destination
    2   120 REJECT      all  --  eth2   any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain telnet (1 references)
 pkts bytes target      prot opt in     out     source               destination
    1    60 REJECT      all  --  !eth2  any     anywhere             anywhere             reject-with icmp-port-unreachable

Termination Info: 0

SEE ALSO

climconfig ip6tables, climiptables


climconfig.prov(1) climconfig.prov(1)

NAME

climconfig.prov − configure prov

SYNOPSIS

CLIMCMD {clim-name|ip-address} climconfig prov

-add prov-name

CLIMCMD {clim-name|ip-address} climconfig prov

-delete prov-name [-force]

CLIMCMD {clim-name|ip-address} climconfig prov

-info {prov-name | all} [-obeyform]

CLIMCONFIG.PROV DESCRIPTION

This command allows you to display and configure climconfig prov objects.

All network objects configured on CLIMs with the MULTIPROV attribute set to OFF are associated with the provider that this CLIM is assigned to in the SCF CLIM object configuration.

Network objects configured on CLIMs with the MULTIPROV attribute set to ON must be explicitly associated with a provider. That association is represented by a climconfig prov object.

prov -add configures a new provider association. The new provider will have a loopback interface configured automatically. The provider name must not be more than seven characters long, must consist of alphanumeric characters with the first character being alphabetic, and should directly correspond to the name of the PROVIDER object in SCF that this CLIM will provide network services to. The name can be specified in a case-insensitive manner; climconfig converts the name to upper case.

prov -delete deletes a provider association. All network objects configured using this provider association should be deleted first before deleting the prov object. If any network objects are associated with it, an error message is generated.

Note:

The sp, sa, psk, remote, iptables and ip6tables objects will be automatically deleted if the provider is deleted, and no error will be generated.

prov -info displays all the configured provider associations.

prov -info -obeyform obtains the obeyform lines for configuring the provider association in add format.

PARAMETERS

-force

Used with the -delete option, causes the command to bypass user confirmation.

-obeyform Used with the -info option, obtains the provider association configuration in obeyform format.

ERROR MESSAGES

For climconfig prov -add:

Error: The specified provider name already exists.

Error: The specified provider name is invalid; it must not be more than seven characters and must be alpha-numeric characters with the first character being alphabetic.

Error: The maximum number of providers that can be configured is <provider-limit>.


For climconfig prov -delete:

Error: The specified provider name does not exist.

Error: The specified provider has one or more interfaces still associated with it.

Error: The specified provider name is invalid; it must not be more than seven characters and must be alpha-numeric characters with the first character being alphabetic.

CONSIDERATIONS

Climconfig prov objects are added implicitly during interface addition, so this command is only required if a provider with only loopback needs to be added.

The deletion of a provider results in deletion of IPSec and iptables objects. If you want to preserve this configuration for later re-use, you can first run climconfig all -info -obeyform to capture the configuration of these objects.

Typically, a maximum of only 7 providers can be configured per CLIM. From L17.02 onwards, on Gen9 L-Series CLIMs, a maximum of 105 providers can be configured per CLIM.

EXAMPLES

To add the provider ztc1:

> CLIMCMD N1001253 climconfig prov -add ztc1

To delete the provider ztc1:

> CLIMCMD N1001253 climconfig prov -delete ztc1

To display all providers:

> CLIMCMD N1001253 climconfig prov -info all

ztc0

ztc1

To display all providers with the obeyform option:

> CLIMCMD N1001253 climconfig prov -info all -obeyform

climconfig prov -add ztc0

climconfig prov -add ztc1

#CLIMCMD expects 'exit' to be the last command.

#This is required to terminate CLIMCMD session.

Exit

SEE ALSO

prov.1p (man 1p prov)


climconfig.psk(1) climconfig.psk(1)

NAME

climconfig.psk − configure pre-shared keys

SYNOPSIS

CLIMCMD {clim-name|ip-address} climconfig psk -add

[-prov prov-name] -ip {ip-address|fqdn}

-k {hex-number|string}

CLIMCMD {clim-name|ip-address} climconfig psk -delete

[-prov prov-name] -ip {ip-address|fqdn}

CLIMCMD {clim-name|ip-address} climconfig psk -info

[-prov {prov-name | all}] [-ip {ip-address|fqdn}]

[-obeyform]

CLIMCONFIG.PSK DESCRIPTION

This command does the following:

psk -add

adds a pre-shared key for an IP address or fully-qualified domain name (FQDN) to the psk.txt file. Both the -ip and -k parameters are required.

psk -delete

deletes the pre-shared key for a given IP address or deletes the FQDN from the psk.txt file. The -ip parameter is required.

psk -info

displays the pre-shared key for a given IP address or displays the FQDN from the psk.txt file. The -ip parameter is optional; if it is omitted, all pre-shared keys for various IP addresses from the psk.txt file are displayed.

PARAMETERS

-prov Specifies a provider name. This option is mandatory for CLIMs that have MULTIPROV set to ON and cannot be used if MULTIPROV is set to OFF. Each provider has its own IPSec configuration. The provider name is case-insensitive and always converted to UPPER case.

-ip ip-address

Specifies an IPv4 or IPv6 address.

-ip fqdn Specifies a fully qualified domain name.

-k string Specifies a key as a series of hexadecimal digits preceded by 0x, or as a double-quoted character string.

-obeyform Displays the pre-shared key configuration in the format of add command(s).

ERROR MESSAGES

For psk -add:

Please give the correct options. (The wrong options are displayed.)

For psk -delete:

The pre-shared key for the matched IP address is not found.

For psk -info:

There are no pre-shared keys found for the matching IP address.

If no options are specified, all the pre-shared keys from the file psk.txt are displayed.


EXAMPLES

> CLIMCMD N1001253 climconfig psk -add -ip 10.1.1.2

-k 0x12abfe34

> CLIMCMD N1001253 climconfig psk -add -ip 10.3.3.2

-k ""simple psk""

> CLIMCMD N1001253 climconfig psk -add -prov ztc0 -ip 10.3.3.2

-k "simple psk"

> CLIMCMD N1001253 climconfig psk -delete -ip 10.3.3.2

> CLIMCMD N1001253 climconfig psk -delete -prov ztc0 -ip 10.3.3.2

> CLIMCMD N1001253 climconfig psk -info

> CLIMCMD N1001253 climconfig psk -info -ip 10.3.3.2

> CLIMCMD N1001253 climconfig psk -info -prov zsam1 -ip 10.2.2.1

> CLIMCMD N1001253 climconfig psk -info -prov ztc0 -obeyform

The sample display for the psk -info command is:

10.3.3.2 simple psk

The sample display for the psk -info -obeyform command is:

climconfig psk -add \

-ip 10.3.3.2 \

-k "simple psk"

#CLIMCMD expects 'exit' to be the last command.

#This is required to terminate CLIMCMD session.

exit

Termination Info: 0


climconfig.remote(1) climconfig.remote(1)

NAME

climconfig.remote − manage remote configuration for security associations

SYNOPSIS

Remote configuration for authentication method of pre-shared key:

CLIMCMD {clim-name | ip-address} climconfig remote -add

[-prov prov-name] -ip {ip-address | anonymous}

-M exchange_mode [-idtype address [-idvalue ip-address]

| -idtype {fqdn | user_fqdn} -idvalue string

| -idtype keyid -idvalue file]

[-peer_idtype address [-peer_idvalue ip-address]

| -peer_idtype {fqdn | user_fqdn} -peer_idvalue string

| -peer_idtype keyid -peer_idvalue file [-verify_identifier]]

[-dpd_delay seconds [-dpd_retry seconds]

[-dpd_maxfail number]]

-E encryption_algorithm

-H hash_algorithm [-A pre_shared_key]

-D dh_group [-lifetime seconds] [-restart [-force]]

Remote configuration for authentication method of certificates:

CLIMCMD {clim-name | ip-address} climconfig remote -add

[-prov prov-name] -ip {ip-address | anonymous}

-M exchange_mode [-idtype asn1dn [-idvalue string]]

[-peer_idtype asn1dn [-peer_idvalue string]

[-verify_identifier]]

-pubcert certfile -privkey privkeyfile

[-dpd_delay seconds [-dpd_retry seconds]

[-dpd_maxfail number]]

-E encryption_algorithm

-H hash_algorithm -A {rsasig | gssapi_krb}

-D dh_group [-gssid string] [-lifetime seconds]

[-restart [-force]]

Remote -delete command:

CLIMCMD {clim-name | ip-address} climconfig remote -delete

[-prov prov-name] -ip {ip-address | anonymous} [-restart

[-force]]

Remote -add_proposal command for pre-shared key:

CLIMCMD {clim-name | ip-address} climconfig remote

-add_proposal [-prov prov-name] -ip {ip-address | anonymous}

-E encryption_algorithm -H hash_algorithm


[-A pre_shared_key]

-D dh_group [-lifetime seconds] [-restart [-force]]

Remote -add_proposal command for certificates:

CLIMCMD {clim-name | ip-address} climconfig remote

-add_proposal [-prov prov-name] -ip {ip-address | anonymous}

-E encryption_algorithm -H hash_algorithm

-A {rsasig | gssapi_krb}

-D dh_group [-gssid string] [-lifetime seconds]

[-restart [-force]]

Remote -delete_proposal command:

CLIMCMD {clim-name | ip-address} climconfig remote -delete_proposal

[-prov prov-name] -ip {ip-address | anonymous}

-tag tag-id [-restart [-force]]

Remote -info command:

CLIMCMD {clim-name | ip-address} climconfig remote -info

[-prov {prov-name | all}][-ip {ip-address | anonymous}]

[-obeyform]

CLIMCONFIG.REMOTE DESCRIPTION

remote -add

adds a remote entry into the configuration file racoon.conf.

remote -add_proposal

adds an additional proposal for the remote ip-address into the configuration file racoon.conf for the phase 1 IKE negotiation. A maximum of 10 proposals can exist in a remote configuration.

remote -delete

deletes a remote entry from the configuration file racoon.conf.

remote -delete_proposal

deletes a proposal with a tag identifier for the remote IP address from the configuration file racoon.conf. At least one proposal must exist in a remote configuration.

remote -info

displays the remote configurations from the configuration file racoon.conf.

PARAMETERS

-prov Specifies a provider name. This option is mandatory for CLIMs that have MULTIPROV set to ON and cannot be used if MULTIPROV is set to OFF. Each provider has its own IPSec configuration. The provider name is case-insensitive and always converted to UPPER case.

-ip ip-address

Specifies the IP address in the configuration file racoon.conf for which the remote command is issued.

-ip anonymous

Indicates that no IP address is specified.

-M exchange_mode

Defines the exchange mode for phase 1 when racoon is the initiator. This parameter also defines the acceptable exchange mode when racoon is the responder.

exchange_mode is one or more of: main, aggressive, or base. You can specify more than one mode by separating them with a comma and enclosing them in double quotes. If you specify multiple modes, racoon uses the first mode when it is the initiator.

-idtype Specifies the identifier sent to the remote host and the type to use in the phase 1 negotiation. The value is one of: user_fqdn, fqdn, address, keyid, or asn1dn.

-idvalue Specifies the idtype value. The value is one of: ip-address, string, file.

Note:

When the value is of type file, the entire pathname has to be specified.

-peer_idtype

Specifies the peer's identifier to be received. If it is not defined, racoon will not verify the peer's identifier in the ID payload transmitted from the peer. If it is defined, the behavior of the verification depends on the flag of verify_identifier. The value is one of: user_fqdn, fqdn, address, keyid or asn1dn.

-peer_idvalue

Specifies the peer_idtype value. The value is one of: ip-address, string, file.

Note:

When the value is of type file, the entire pathname has to be specified.

-verify_identifier

To verify the peer's identifier, set this to on. In this case, if the value defined by -peer_idtype is not the same as the peer's identifier in the ID payload, the negotiation will fail. The default is off.

-pubcert certfile

Specifies the file name of a public certificate.

-privkey privkeyfile

Specifies the file name of a private key. If you omit the -pubcert or -privkey option, the default behavior is to use the pre-shared key. The default path for pre-shared key is /etc/racoon/psk.txt.

-dpd_delay seconds

Activates Dead Peer Detection (DPD) and specifies the time, in seconds, allowed between two proof of liveliness requests. The default value is 0, which disables DPD monitoring but negotiates DPD support.

-dpd_retry seconds

Sets the delay, in seconds, to wait for a proof of liveliness before considering it failed and sending another request. The default value is 5. This is set only if dpd_delay is set.

-dpd_maxfail number

Sets the maximum number of liveliness proofs to request, without reply, before considering the peer is dead. The default value is 5. This is set only if dpd_delay is set.


-A authentication_method

Specifies the authentication method used for the phase 1 negotiation. This parameter is required. The method is one of the values: pre_shared_key, rsasig, or gssapi_krb.

-D dh_group

Defines the group used for the Diffie-Hellman exponentiations. This parameter is required. group is one of the values: modp768, modp1024, modp1536, modp2048, modp3072, modp4096, modp6144, or modp8192. You can also specify one of the numerals 1, 2, 5, 14, 15, 16, 17, or 18 as the DH group number. When you choose aggressive mode, you must define the same DH group in each proposal.

-E encryption_algorithm

Specifies the encryption algorithm used for the phase 1 negotiation. This parameter is required. The algorithm is one of the following: des, 3des, blowfish, cast128, aes, aes192, or aes256 for Oakley. Do not use this parameter for other transforms.

-H hash_algorithm

Specifies the hash algorithm used for the phase 1 negotiation. This parameter is required. hash_algorithm is one of the values: md5, sha1, sha256, sha384, or sha512 for Oakley.

-gssid string

Specifies the GSS-API endpoint name, to be included as an attribute in the SA, if the gssapi_krb authentication method is used. If gssid is not defined, the default value host/hostname is used, where hostname is the value returned by the hostname command.

-lifetime seconds

This option specifies an expiry time which will be proposed during phase 1 negotiation.

-tag tag-id The tag identifier that identifies the proposal of a remote configuration. Tag ids are numbered from 1 to 10.

-restart Causes the newest racoon.conf file to be loaded by restarting the racoon daemon. A warning about the restart of the racoon daemon is issued to inform users that the SAs established in the SAD will be disconnected.

-force Used with the -restart option, causes the command to bypass user confirmation.

-obeyform Displays the remote configuration in the format of add command(s).

ERROR MESSAGES

For remote -add:

Please give the correct options. (The incorrect option is displayed.)

For remote -delete:

The remote information for the matched IP-address is not found.

For remote -info:

The remote information for the IP-address is not found.

CONSIDERATIONS

The configuration information is not loaded until the racoon daemon is restarted. To restart the racoon daemon, use the restart option.

If no options are specified for the remote -info command, all the remote information for the IP addresses contained in the configuration file racoon.conf is displayed.

EXAMPLES

> CLIMCMD clim1 climconfig remote -add -ip 10.1.1.2 -M main

-dpd_delay 60 -E 3des -H md5 -A pre_shared_key -D modp768


> CLIMCMD clim1 climconfig remote -add -ip 10.1.1.2 -M main

-E 3des -H md5 -A pre_shared_key -D modp768 -lifetime 70

> CLIMCMD 17.205.17.2 climconfig remote -add -ip anonymous -M main

-E 3des -H md5 -A pre_shared_key -D modp768 -restart

> CLIMCMD n100253 climconfig remote -add -ip anonymous -M main

-E 3des -H md5 -A pre_shared_key -D modp768 -restart -force

> CLIMCMD clim1 climconfig remote -add -ip 10.1.1.2 -M main

-pubcert pubkey.pem -privkey privkey.pem -E 3des -H md5 -A rsasig

-D modp768 -restart

> CLIMCMD clim1 climconfig remote -add -ip 10.1.1.2 -M main

-pubcert pubkey.pem -privkey privkey.pem -E 3des -H md5 -A rsasig

-D modp768 -restart -force

> CLIMCMD n100253 climconfig remote -add -ip anonymous -M main

-pubcert pubkey.pem -privkey privkey.pem -E 3des -H md5 -A rsasig

-D modp768

With the following command, you will be asked for confirmation that you want to restart the racoon daemon:

> CLIMCMD clim1 climconfig remote -delete -ip 10.1.1.2 -restart

The following command does not prompt for confirmation:

> CLIMCMD clim1 climconfig remote -delete -ip 10.1.1.2

-restart -force

> CLIMCMD clim1 climconfig remote -delete -ip anonymous

> CLIMCMD clim1 climconfig remote -add_proposal -ip 10.1.1.2

-E 3des -H md5 -A pre_shared_key -D modp768 -restart

> CLIMCMD clim1 climconfig remote -add_proposal -ip 10.1.1.2

-E 3des -H md5 -A pre_shared_key -D modp768 -lifetime 70 -restart

> CLIMCMD clim1 climconfig remote -delete_proposal -ip 10.1.1.2

-tag 2 -restart -force

> CLIMCMD n100253 climconfig remote -info -ip anonymous

> CLIMCMD n100253 climconfig remote -add -prov ztc0 -ip 10.1.1.2

-M main -dpd_delay 60 -E 3des -H md5 -A pre_shared_key -D modp768

> CLIMCMD n100253 climconfig remote -delete -prov ztc0

-ip 10.1.1.2 -restart

> CLIMCMD n100253 climconfig remote -add_proposal -prov zsam1

-ip 10.1.1.2 -E 3des -H md5 -A pre_shared_key -D modp768 -restart

> CLIMCMD n100253 climconfig remote -delete_proposal -prov zsam1


-ip 10.1.1.2 -tag 2 -restart -force

> CLIMCMD n100253 climconfig remote -info -prov zsam1

> CLIMCMD n100253 climconfig remote -info -prov ztc1 -obeyform

> CLIMCMD 17.205.17.2 climconfig remote -info

Sample display for remote -info:

remote 10.2.2.1 {
    exchange_mode main;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
        lifetime time 70 sec;
    }
}

> CLIMCMD n100253 climconfig remote -info -ip anonymous -obeyform

> CLIMCMD 17.205.17.2 climconfig remote -info -obeyform

The sample display for a remote -info -obeyform command is:

climconfig remote -add \

-ip 10.2.2.1 \

-M main \

-E 3des \

-H sha1 \

-A pre_shared_key \

-D modp1024 \

-lifetime 70

#CLIMCMD expects 'exit' to be the last command.

#This is required to terminate CLIMCMD session.

exit

SEE ALSO

climconfig psk, climconfig sa, climconfig sp


climconfig.route(1) climconfig.route(1)

NAME

climconfig.route − configure routes

SYNOPSIS

Command to add IPv4 route (non-default):

CLIMCMD {clim-name|ip-address} climconfig route -add

{eth0|eth0:0|interface} -target ipv4-address {-host | -net}

[-netmask netmask] [-gateway gateway] [-mt metric]

[-minrto time] [-initcwnd number] [-src ipv4-address]

Command to add IPv6 route (non-default):

CLIMCMD {clim-name|ip-address} climconfig route

-add interface -target ipv6-address {-host|-net}

[-netmask netmask] [-gateway gateway] [-mt metric]

[-minrto time] [-initcwnd number]

Command to add default IPv4 route:

CLIMCMD {clim-name|ip-address} climconfig route -add

{eth0|eth0:0|interface} -default -gateway gateway

[-mt metric] [-minrto time] [-initcwnd number]

[-src ipv4-address]

Command to add default IPv6 route:

CLIMCMD {clim-name|ip-address} climconfig route

-add interface -default -gateway gateway [-mt metric]

[-minrto time] [-initcwnd number]

Command to delete IPv4/IPv6 routes:

CLIMCMD {clim-name|ip-address} climconfig route -delete

{eth0|eth0:0|interface} [-target ip-address] {-host|-net}

[-netmask netmask] [-gateway gateway] [-default] [-force]

Command to delete default IPv4/IPv6 routes:

CLIMCMD {clim-name|ip-address} climconfig route

-delete {eth0|eth0:0|interface} -default -gateway gateway


Command to obtain info about a route:

CLIMCMD {clim-name|ip-address} climconfig route

-info [-usrconfig | -obeyform]

Command to add a route to a host in a different network:

CLIMCMD {clim-name| ip-address} climconfig route

-add {eth0|eth0:0|interface} -net -target host-ip

-gateway gateway

CLIMCONFIG.ROUTE DESCRIPTION

This command does the following:

route -add adds a static route through an interface to specific hosts or networks.

route -delete

deletes a route from an interface.

route -info displays route information.

PARAMETERS

{-add|-delete} eth0

Specifies the dedicated service LAN interface. Valid only for IPv4 routes.

{-add|-delete} eth0:0

Specifies the maintenance Provider LAN interface. Valid only for IPv4 routes.

Note:

eth0:0 is a logical interface hosted on the physical interface eth0, and both interfaces have to belong to the same subnet. Climconfig maintains the same set of routes on both interfaces: if a route is added to either eth0 or eth0:0, climconfig adds it to both eth0 and eth0:0.

{-add|-delete} interface

Specifies one of the following interfaces:

An existing physical interface (for example, eth1 or ib0).

A bonding interface (for example, bond0).

A point-to-point tunnel interface (for example, mytun). Only IPv6 routes can be added to a tunnel interface.

A vlan interface name (for example e1v7, b0v8)

A vxlan interface name (for example e1xzt7, b0xzt8)

-host

Indicates that the route is to the host within the network (within the same subnet). The -netmask, -net, -default, and -gateway parameters are not valid with the -host parameter.

-net

Indicates that the route is to the network or to a host in another network. The -default parameter is not valid with the -net parameter. Also:

If -netmask is not specified, the route is to a host in a different subnet.

If -netmask is specified, the route is a network route. For a network route, you can specify the -gateway parameter.


-target

Specifies the destination network or host. Specify a dotted-quad format IPv4 address or a colon-delimited IPv6 address.

-netmask netmask

Specifies the netmask to be used. For an IPv4 address, specify the netmask as an IPv4 address in dotted quad form; for an IPv6 address, specify the netmask as a number of bits (for example, 64). This parameter is not valid with the -default and -host options. If this parameter is omitted and -net is specified, the default netmask values are 255.255.255.255 for IPv4 routes and 128 for IPv6 routes.

-gateway

Specifies a gateway address. This parameter is required if the -default parameter is specified.

-mt

Specifies the distance to the target, measured in hops. This number is used to indicate the cost of the route so that the best route, potentially among multiple routes to the same destination, is selected.

-minrto

Specifies the minimum Retransmission Timeout (RTO) value, in milliseconds, to be used with the specified destination. Specify a decimal or integer value; for example, 5.5. The minimum RTO depends on the clock interrupt frequency, and might therefore be modified when assigned to the kernel.

If the failed over route is the same as the home route, the failed over route uses the home route's minrto value.

-initcwnd

Specifies the maximum initial congestion window (cwnd) size of a TCP connection, in units of the Maximum Segment Size (MSS). It sets the initial congestion window size to n * MSS. The value is from 1 to 4294967295. This option is used to improve performance on routes to SWAN concentrators, with a recommended value of 7.

-default

Specifies to use the default route if no other route matches. This option is not valid with the -host, -net, -netmask, and -target options.

-usrconfig Valid only with the route -info command. This option displays user-configured routes only. If this option is omitted, the command displays the user configured routes and the dynamic routes added by the kernel.

-obeyform Generates user-configured route (IPv4 and IPv6) information in add command format.

-force

Deletes the route without asking for confirmation. Without the -force option, route -delete prompts for confirmation before deleting the route.

-src

The source IP address to use for outgoing connections or UDP packets using this route if the socket is not bound to an IP address. The option is useful if there is an interface with multiple IP Addresses and it is desired that outgoing client connection requests or UDP packets using that interface use a particular IP Address on that interface to the specified location. The -src option is valid for IPv4 routes only.

See the climconfig.route command under Parameters in the for a table that shows possible combinations for different route types.

ERROR MESSAGES

For route -add:

This command is not supported for the interface lo.

The interface interface-name is not configured.

Configuring IPv6 route is not allowed for eth0 and eth0:0 interfaces.

The IPv4 family cannot be specified for the tunnel interface.

The specified route already exists for the interface-name.

The specified IP Address ip-address is not configured for interface-name


The -src parameter is not valid for an IPv6 route.

For route -delete:

The interface interface-name is not configured.

This command is not supported for the interface lo.

The specified route is not configured for the interface-name.

CONSIDERATIONS

Valid combinations of options for different route types for route -add and route -delete are:

If the -net option is specified, then -target is required, and -netmask, -gateway, and -mt (route -add only) are optional.

If -host is specified, then -target is required, -netmask and -gateway are not required, and -mt (route -add only) is optional.

If -default is specified, then -target and -netmask are not required, -gateway is required, and -mt (route -add only) is optional.

If -all (route -delete only) is specified, then -target, -netmask, -gateway, and -mt (route -add only) are not valid.

A route added by the route -add command is added to the /etc/network/interfaces file, to the kernel or to both, as follows:

If the specified interface is down, the route is added to the file.

If the CLIM is in the STOPPED state, the route is added to the file.

If the specified interface is UP and CLIM is in the STARTED state and ifactivate is issued to the home resources by CLIMAGT, the route is added to the file and to the kernel.

If the specified interface is UP and CLIM is in the STARTED state and ifdeactivate is issued to the home resources by CLIMAGT, the route is added to the file.

All the options specified with climconfig route -add -net (except the -mt option) should be specified for climconfig route -delete -net.

-src is not valid for an IPv6 route.

EXAMPLES

> CLIMCMD clim1 climconfig route -add eth1 -net

-target 15.76.217.1 -netmask 255.255.255.0

-gateway 15.76.217.101

> CLIMCMD n100253 climconfig route -add eth2 -default

-gateway 23.34.34.34

> CLIMCMD n100253 climconfig route -add e1v7 -default

-gateway 23.34.34.34

> CLIMCMD n100253 climconfig route -delete eth1 -net

-target 15.76.217.0 -netmask 255.255.255.0

> CLIMCMD clim1 climconfig route -delete eth2 -default

-gateway 23.34.35.1

> CLIMCMD clim1 climconfig route -delete e1v7 -default

-gateway 23.34.35.1

> CLIMCMD 17.205.15.2 climconfig route -info


CLIMCMD 17.205.15.2 climconfig route -info

Maintenance LAN routes

Interface : eth0

Destination : 16.107.168.0

Netmask : 255.255.252.0

Gateway : 0.0.0.0

Flags : U

Metric : 0

Ref : 0

Use : 0

MinRTO : Unspecified

InitCWND : Unspecified

Src : 16.107.168.71

Interface : eth0

Destination : 0.0.0.0

Netmask : 0.0.0.0

Gateway : 16.107.168.1

Flags : UG


Metric : 0

Ref : 0

Use : 0

MinRTO : 5ms

InitCWND : Unspecified

Src : Unspecified

Interface : lo

Destination : 1128

Gateway :

Metric : 0

MinRTO : Unspecified

InitCWND : Unspecified

Src : Unspecified

Interface : lo

Destination : fe80::128

Gateway :

Flags : U

Metric : 0

Ref : 0

Use : 2

MinRTO : 5ms

InitCWND : Unspecified

Src : Unspecified

Maintenance provider routes

Interface : eth0

Destination : 16.107.168.0

Netmask : 255.255.252.0

Gateway : 0.0.0.0

Flags : U

Metric : 0

Ref : 0

Use : 0


MinRTO : Unspecified

InitCWND : Unspecified

Src : 16.107.168.71

Interface : eth0

Destination : 0.0.0.0

Netmask : 0.0.0.0

Gateway : 16.107.168.1

Flags : UG


Metric : 0

Ref : 0

Use : 0

MinRTO : 5ms

InitCWND : Unspecified

Src : Unspecified

Interface : lo

Destination : 1128

Gateway :

Metric : 0

MinRTO : Unspecified

InitCWND : Unspecified

Src : Unspecified

Interface : lo

Destination : fe80::128

Gateway :

Flags : U

Metric : 0

Ref : 0

Use : 2

MinRTO : 5ms

InitCWND : Unspecified

Src : Unspecified

Data Provider ZTC1 routes

Interface : eth1

Destination : 16.107.170.0

Netmask : 255.255.255.0

Gateway : 16.107.170.1

Flags : U

Metric : 0

Ref : 0

Use : 0

MinRTO : Unspecified

InitCWND : 32768

Src : 16.107.170.31

Data Provider ZTC7 routes

Interface : e1v7

Destination : 0.0.0.0

Netmask : 0.0.0.0

Gateway : 23.34.35.1

Flags : UG


Metric : 0

Ref : 0

Use : 0

MinRTO : Unspecified

InitCWND : Unspecified

Src : Unspecified

Termination Info: 0

> CLIMCMD 17.205.15.2 climconfig route -info -obeyform

climconfig route \

-add eth0 \

-default \

-gateway 15.146.232.1

#CLIMCMD expects 'exit' to be the last command.

#This is required to terminate CLIMCMD session.

exit

Termination Info: 0
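The route -info output shown above is plain "Key : value" text grouped under per-provider headings, which makes it easy to check mechanically. The following is an added example, not part of the manpage or of the CIP product: a small Python parser for that output, with two checks a practitioner would run on it. The first compares the Maintenance LAN and Maintenance provider route sets, because the note under eth0:0 says climconfig keeps the same routes on both interfaces, so any difference is drift worth investigating; the second lists every default route and the gateway it points at. The sample text is constructed in the format of the output above, and the Maintenance provider default gateway has been deliberately changed to 16.107.168.2 so that the drift check has something to report.

```python
"""Parse 'climconfig route -info' output and run two consistency checks."""
import re
from collections import OrderedDict

# Constructed sample in the layout of the manpage's route -info output. The
# Maintenance provider default gateway is deliberately different (.2 vs .1)
# from the Maintenance LAN one so that maintenance_mismatches() fires.
SAMPLE_ROUTE_INFO = """\
CLIMCMD 17.205.15.2 climconfig route -info
Maintenance LAN routes
Interface : eth0
Destination : 16.107.168.0
Netmask : 255.255.252.0
Gateway : 0.0.0.0
Flags : U
Src : 16.107.168.71
Interface : eth0
Destination : 0.0.0.0
Netmask : 0.0.0.0
Gateway : 16.107.168.1
Flags : UG
MinRTO : 5ms
Interface : lo
Destination : fe80::128
Gateway :
Flags : U
Maintenance provider routes
Interface : eth0
Destination : 16.107.168.0
Netmask : 255.255.252.0
Gateway : 0.0.0.0
Flags : U
Interface : eth0
Destination : 0.0.0.0
Netmask : 0.0.0.0
Gateway : 16.107.168.2
Flags : UG
Data Provider ZTC7 routes
Interface : e1v7
Destination : 0.0.0.0
Netmask : 0.0.0.0
Gateway : 23.34.35.1
Flags : UG
Termination Info: 0
"""

# 'Key : value'; the value may be empty (lo routes print 'Gateway :') and
# may itself contain colons (IPv6), so only the first ':' after the key counts.
FIELD_RE = re.compile(r"^(\w+)\s*:\s*(.*)$")


def parse_route_info(text):
    """Return an ordered {section: [route_dict, ...]} mapping.

    A section starts at a line ending in ' routes'; a route starts at each
    'Interface' field and collects the fields that follow it. Lines that are
    not fields (the echoed command) are ignored; 'Termination Info' ends it.
    """
    sections = OrderedDict()
    current = route = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Termination Info"):
            break
        if line.endswith(" routes"):
            current = line[: -len(" routes")]
            sections[current] = []
            route = None
            continue
        match = FIELD_RE.match(line)
        if match is None or current is None:
            continue
        key, value = match.group(1), match.group(2).strip()
        if key == "Interface":
            route = {"Interface": value}
            sections[current].append(route)
        elif route is not None:
            route[key] = value
    return sections


def _route_key(route):
    return (route.get("Destination", ""), route.get("Netmask", ""), route.get("Gateway", ""))


def maintenance_mismatches(sections):
    """eth0 routes present in only one of the two eth0-hosted sections.

    The manpage says climconfig keeps the same routes on eth0 and eth0:0, so a
    non-empty result means the two route sets have drifted apart.
    """
    lan = {_route_key(r) for r in sections.get("Maintenance LAN", []) if r["Interface"] == "eth0"}
    prov = {_route_key(r) for r in sections.get("Maintenance provider", []) if r["Interface"] == "eth0"}
    return sorted(lan ^ prov)


def default_routes(sections):
    """(section, interface, gateway) for every default route that has a gateway."""
    found = []
    for name, routes in sections.items():
        for r in routes:
            if r.get("Destination") in ("0.0.0.0", "::") and r.get("Gateway"):
                found.append((name, r["Interface"], r["Gateway"]))
    return found


if __name__ == "__main__":
    parsed = parse_route_info(SAMPLE_ROUTE_INFO)
    for mismatch in maintenance_mismatches(parsed):
        print("eth0/eth0:0 route drift:", mismatch)
    for entry in default_routes(parsed):
        print("default route:", entry)
```

To use it against a live CLIM, capture the CLIMCMD output to a file and pass its contents to parse_route_info(); the parser stops at the "Termination Info" line, so the CLIMCMD trailer does not need to be stripped first.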

SEE ALSO

SCF ADD ROUTE command


climconfig.sa(1) climconfig.sa(1)

NAME

climconfig.sa − configure security associations

SYNOPSIS

The command for adding a manually keyed security association to the configuration file ipsec-tools.conf is:

CLIMCMD {clim-name|ip-address} climconfig sa -add -manual

[-prov prov-name] -s src-ip -d dst-ip -p protocol

-i spi [-m {tunnel|transport}] algorithm [-load]

The command for adding proposals for a security association into the configuration file racoon.conf is:

CLIMCMD {clim-name|ip-address} climconfig sa -add

[-prov prov-name] {-s src-id -d dst-id -u upperspec | anonymous} [-P pfs_group] -E encryption_algorithm

-A authentication_algorithm -C compression_algorithm

[-lifetime seconds] [-restart [-force]]

The command for deleting a security association from the configuration file ipsec-tools.conf is:

CLIMCMD {clim-name|ip-address} climconfig sa -delete -manual

[-prov prov-name] {-s src-id -d dst-id -u upperspec | anonymous} -p protocol -i spi [-unload [-force]]

The command for deleting a security association from the configuration file racoon.conf is:

CLIMCMD {clim-name|ip-address} climconfig sa -delete

[-prov prov-name] {-s src-id -d dst-id -u upperspec | anonymous} [-restart [-force]]

The command for obtaining information about a security association is:

CLIMCMD {clim-name|ip-address} climconfig sa -info

[-prov {prov-name | all}] {anonymous | [-s src-ip] [-d dst-ip] [-p protocol] [-u upperspec]} [-obeyform]

The command for unloading SAs from the SAD is:

CLIMCMD {clim-name|ip-address} climconfig sa -stop

[-prov prov-name][-s src-ip -d dst-ip

-p {esp|ah|ipcomp}|-i spi-value][-force]


CLIMCONFIG.SA DESCRIPTION

The sa command does the following:

sa -add

adds the proposals for a security association into the configuration file racoon.conf. The command parameters are reformatted into a sainfo <...> format that the racoon daemon accepts. The SA itself is established when an application connects.

sa -add -manual

adds a security association to the configuration file ipsec-tools.conf. The command parameters are reformatted into an add <...> type of setkey command. The SA is not loaded into the SAD unless the -load option is specified.

sa -delete

deletes the security associations from the file racoon.conf. If there are any SAs activated on the CLIM, they are not affected.

Note:

sa -delete -manual deletes the security associations from the file ipsec-tools.conf. If any SAs are activated on the CLIM, they are not affected. The SA is not unloaded from the SAD unless the -unload option is specified.

The -manual part of the command must follow sa -add and sa -delete directly.

sa -info

displays security association configurations from the file ipsec-tools.conf or racoon.conf. If no options are selected, all the SAs are listed from both of these configuration files.

sa -stop

unloads security associations from the SAD. If you specify any of the optional parameters in the first group (-s, -p, -d, -i), you must specify all of them. sa -stop is one of the commands for deactivating VPN connections.

PARAMETERS

-manual When specified with the add subcommand, adds a security association into the ipsec-tools.conf file. The command parameters are reformatted into an add <...> type of setkey command. The SA is not loaded into the SAD unless the -load option is specified.

When specified with the delete subcommand, deletes a security association from the ipsec-tools.conf file. If there are any SAs activated on the CLIM, they are not impacted. The SA is not unloaded from the SAD unless the -unload option is specified.

-prov prov-name

Specifies a provider name. This option is mandatory for CLIMs that have MULTIPROV set to ON and cannot be used if MULTIPROV is set to OFF. Each provider has its own IPSec configuration. The provider name is case-insensitive and is always converted to upper case.

-s src-ip Specifies the source IP address of the secure communication as either an IPv4 or IPv6 address, with an optional prefix length and an optional port number enclosed in square brackets, in the following form: address[/prefix][[port]]

prefix and port must be decimal numbers.

-d dst-ip Specifies the destination IP address of the secure communication as either an IPv4 or IPv6 address, with an optional prefix length and an optional port number enclosed in square brackets, in the following form: address[/prefix][[port]]

-E Is the encryption algorithm. Supported algorithms are: des, 3des, des_iv64, des_iv32, rc5, rc4, idea, 3idea, cast128, blowfish, null_enc, twofish, rijndael, aes, aes192, aes256 (used with ESP). This option is for the sa -add commands (not sa -add -manual) for which the configurations go into the racoon.conf file.


-A Authentication algorithm. Supported algorithms include des, 3des, des_iv64, des_iv32, hmac_md5, hmac_sha1, hmac_sha256, hmac_sha384, hmac_sha512, non_auth (used with ESP authentication and AH). This option is for the sa -add commands (not sa -add -manual) for which the configurations go into the racoon.conf file.

-C Compression algorithm. The supported algorithm is deflate (used with IPComp). This option is for the sa -add commands (not sa -add -manual) for which the configurations go into the racoon.conf file.

-p Specifies the protocol. protocol is one of: esp, ah, or ipcomp. You must specify one of these protocols.

-u upperspec Upper layer protocol. Any of the protocols from the /etc/protocols file can be specified as upperspec, or icmp6, ip4, or any. any indicates any protocol. A protocol number can also be specified.

-i spi Specifies the security parameter index (SPI) for the SAD. SPI must be a decimal number or a hexadecimal number with a 0x prefix. SPI values between 0 and 255 are reserved for future use by IANA and cannot be used.

Note:

The SPI value must be unique.

-m mode Specifies the mode. Possible values are: transport or tunnel.

-load Used with the sa -add command. This is an optional parameter. If you specify this option, the SA is loaded into the SAD. For an sa -add command without -manual (an auto SA), you are warned that the racoon daemon will be restarted so as to load the newest racoon.conf file and that the restart will disconnect the SAs established in the SAD.

-P pfs_group Specifies the PFS group, which defines the group of Diffie-Hellman exponentiations. If PFS is not required, you can omit this parameter. Any proposal is accepted if this parameter is not specified. group is one of the following: modp768, modp1024, modp1536, modp2048, modp3072, modp4096, modp6144, modp8192. Alternatively, 1, 2, 5, 14, 15, 16, 17, or 18 can be used to define the DH group number.

-lifetime This option specifies an expiry time which will be proposed during IPsec-SA negotiation.

algorithm

(for sa -add -manual only) is one of: -E ealgo key, -A aalgo key, or -C calgo [-R].

-E ealgo key

Specifies the encryption algorithm for ESP. ealgo key is one of:

3des-cbc (192-bit key)

3des-deriv (192-bit key)

aes-ctr (160/224/288-bit key)

blowfish-cbc (40- to 448-bit key)

cast128-cbc (40- to 128-bit key)

des-cbc (64-bit key)

des-deriv (64-bit key)

null (0- to 2048-bit key)

rijndael-cbc (128/192/256-bit key)

twofish-cbc (0- to 256-bit key)

-A aalgo key

Specifies the authentication algorithm for ESP. aalgo key is one of:

aes-xcbc-mac (128-bit key)

hmac-md5 (128-bit key)

hmac-sha1 (160-bit key)

hmac-sha256 (256-bit key)

hmac-sha384 (384-bit key)

hmac-sha512 (512-bit key)

hmac-ripemd160 (160-bit key)

keyed-md5 (128-bit key)

keyed-sha1 (160-bit key)

null (0- to 2048-bit key)

tcp-md5 (8- to 640-bit key)

-C calgo [-R]

Specifies a compression algorithm for IPComp. calgo is deflate. If -R is specified, the SPI field value is used as the IPComp compression parameter index (CPI) on the wire as-is. If -R is not specified, the kernel uses a well-known CPI on the wire, and the SPI field is used only as an index for kernel-internal usage.

key

Must be a double-quoted character string or a series of hexadecimal digits preceded by 0x.

-unload Used with the sa -delete -manual command. This is an optional parameter; if it is specified, the SA is unloaded from the SAD. The command prompts for confirmation to unload the SA from the SAD.

-restart

Used with the sa -add and sa -delete commands. This is an optional parameter; if it is specified, the racoon daemon is restarted so that the newest racoon.conf is loaded. You are prompted for confirmation to restart the racoon daemon.

Note:

The restart of the racoon daemon leads to the disconnection of the SAs already loaded into the SAD. A new connection established thereafter loads the SA into the SAD.

-force

Used with -unload or -restart to cause the command to bypass user confirmation.

-obeyform Displays the security association configuration in the format of add command(s).

ERROR MESSAGES

For sa -add and sa -add -manual:

Please give the correct options. (The incorrect options are displayed.)

For sa -delete and sa -delete -manual:

Please give the correct options. (The incorrect option is displayed.)

The security association for the matched options is not found.

For sa -info:

There are no security associations with the matched options.

For sa -stop:

SA configuration(s) not unloaded from the SAD.

CONSIDERATIONS

For sa -info, if no options are specified, all the security associations in the configuration files ipsec-tools.conf and racoon.conf are listed.

For sa -stop:


The src-ip and dst-ip pair, upperspec and spi value are optional parameters. If the src-ip and dst-ip pair are specified, all the SAs that match the src-ip and dst-ip are unloaded from the SAD. If no option is specified, all the SAs currently loaded in the kernel are unloaded.

Unless you specify the -force option, you are prompted for confirmation.

EXAMPLES

> CLIMCMD clim1 climconfig sa -add

-manual -s 10.1.1.2 -d 10.3.3.2

-p esp -i 0x200 -m transport

-E 3des-cbc 0x123456789123456789123456789123456789123456789123

-A hmac-md5 0x12345678912345678912345678912345

> CLIMCMD clim1 climconfig sa -add -manual -s 10.1.1.2

-d 10.3.3.2 -p esp -i 0x200 -m transport

-E 3des-cbc 0x123456789123456789123456789123456789123456789123

-A hmac-md5 0x12345678912345678912345678912345 -load

> CLIMCMD clim1 climconfig sa -add -s 10.1.1.2

-d 10.3.3.2 -u any -E 3des -A hmac_md5

> CLIMCMD clim1 climconfig sa -add -s 10.1.1.2

-d 10.3.3.2 -u any -E 3des -A hmac_md5 -restart

> CLIMCMD clim1 climconfig sa -add -s 10.1.1.2

-d 10.3.3.2 -u any -E 3des -A hmac_md5 -restart -force

> CLIMCMD clim1 climconfig sa -add -s 10.1.1.2

-d 10.3.3.2 -u any -E 3des -A hmac_md5 -lifetime 60

-restart -force

> CLIMCMD clim1 climconfig sa -delete -manual

-s 10.1.1.2 -d 10.3.3.2 -p esp -i 0x200 -unload

> CLIMCMD clim1 climconfig sa -delete -manual

-s 10.1.1.2 -d 10.3.3.2 -p esp -i 0x200

> CLIMCMD clim1 climconfig sa -delete -manual

-s 10.1.1.2 -d 10.3.3.2 -p esp -i 0x200 -unload -force

> CLIMCMD clim1 climconfig sa -delete -s 10.1.1.2

-d 10.3.3.2 -u any

> CLIMCMD clim1 climconfig sa -delete -s 10.1.1.2

-d 10.3.3.2 -u any -restart

> CLIMCMD clim1 climconfig sa -delete -s 10.1.1.2

-d 10.3.3.2 -u any -restart -force

> CLIMCMD clim1 climconfig sa -info

> CLIMCMD clim1 climconfig sa -stop -s 10.1.1.2

-d 10.3.3.2 -p esp -i 0x200

> CLIMCMD clim1 climconfig sa -stop -s 10.1.1.2

-d 10.3.3.2 -p esp -i 0x200 -force


> CLIMCMD clim1 climconfig sa -stop

> CLIMCMD clim1 climconfig sa -stop -force

> CLIMCMD clim1 climconfig sa -add -prov ztc0 -s 10.1.1.2

-d 10.3.3.2 -u any -E 3des -A hmac_md5

> CLIMCMD clim1 climconfig sa -add -manual -prov zsam1

-s 10.1.1.2

-d 10.3.3.2 -p esp -i 0x200 -m transport

-E 3des-cbc 0x123456789123456789123456789123456789123456789123

-A hmac-md5 0x12345678912345678912345678912345 -load

> CLIMCMD clim1 climconfig sa -delete -manual -prov zsam1

-s 10.1.1.2 -d 10.3.3.2 -p esp -i 0x200 -unload -force

> CLIMCMD clim1 climconfig sa -delete -prov ztc0 -s 10.1.1.2

-d 10.3.3.2 -u any

> CLIMCMD clim1 climconfig sa -info -prov zsam1

> CLIMCMD clim1 climconfig sa -info -prov ztc1 -obeyform

> CLIMCMD clim1 climconfig sa -info -obeyform

The sample output for sa -info -obeyform is:

# Auto SAs: climconfig sa -add \

-s 5.5.5.7 \

-d 6.6.6.7 \

-u any \

-P 18 \

-E des_iv64 \

-A des_iv64 \

-C deflate \

-lifetime 60

# Manual SAs: climconfig sa -add -manual \

-s 1.1.1.1 \

-d 2.2.2.2 \

-p esp \

-i 1024 \

-m transport \

-E des-cbc 0x1122334455667788

#CLIMCMD expects 'exit' to be the last command.

#This is required to terminate CLIMCMD session.

exit

Termination Info: 0


SEE ALSO

climconfig vpn and climconfig sp


climconfig.slaveinterface(1) climconfig.slaveinterface(1)

NAME

climconfig.slaveinterface − configure bonding interfaces

SYNOPSIS

CLIMCMD {clim-name|ip-address} climconfig slaveinterface

-configure bonding-interface-name

{ [-add interface-name]

[-delete interface-name]

[-primary {interface-name | none}] }

CLIMCONFIG.SLAVEINTERFACE DESCRIPTION

This command configures existing bonding interfaces by adding or deleting slave interfaces. With this command, you can add new slave interfaces or delete existing slave interfaces. The addition or deletion of slave interfaces can be done dynamically (when the bonding interface is up). This command is not supported for InfiniBand interfaces and virtio interfaces on vCLIM.

PARAMETERS

bonding-interface-name

Is the name of the bonding interface to be configured.

-add interface

Adds a slave interface to a bonding interface. To add a slave interface to a bonding interface, specify the interface name along with the -add option.

-delete interface

Deletes a slave interface from a bonding interface. To delete a slave interface from a bonding interface, specify the interface name along with the -delete option.

-primary interface | none

Specifies a slave as a primary slave. To remove a configured primary slave, specify

-primary with the none option.

ERROR MESSAGES

The slave interface slave-interface-name specified with -add and -delete option is the same.

The interface bonding-interface-name is not configured.

The interface bonding-interface is not a bonding interface.

Slave interface slave-interface-name is not configured for this bonding interface.

The specified interface slave-interface-name is already a slave of bonding-interface-name interface.

This command is not supported for the interface eth0.

The specified interface slave-interface-name is already configured as an independent interface.

The specified interface slave-interface-name does not exist in the kernel.

The specified slave interface slave-interface-name is not a physical interface.

The interface slave-interface-name is the first slave interface of the bonding interface and the bonding interface is UP.

The slave specified with -primary is not one of the configured slaves of this bond interface.

bonding-interface-name is already configured with the specified primary slave.

bonding-interface-name is already configured without a primary slave.

Bonding is not supported for InfiniBand interfaces.

Bonding is not supported for virtio interfaces.


The -primary option is supported only for bonding modes 1 (active-backup), 5 (balance-tlb) and 6 (balance-alb).

WARNING MESSAGES

For slaveinterface -add:

• For bonding mode 4 (802.3ad), the line speed and duplex settings of all the slaves of a bonding interface should be the same.

CONSIDERATIONS

The bonding interface should be configured using the command climconfig interface -add bonding-interface before adding the slave interfaces.

eth0 cannot be configured as a slave interface of a bonding interface.

A physical interface cannot be a slave interface for more than one bonding interface.

A physical interface cannot be configured independently before being configured as the slave interface.

Dynamically deleting (that is, deleting when the bonding interface is UP) the first slave interface of a bonding interface is not allowed.

For mode 4 (802.3ad), the line speed and duplex settings of all the slaves of a bonding interface should be the same.

Using the -primary option:

This option is supported only for bonding modes 1 (active-backup), 5 (balance-tlb) and 6 (balance-alb).

In active-backup mode, the primary slave will always be the active slave, if functional.

Example 1:

Bond0 is configured with eth2 and eth3, without any slave specified as primary.

If eth2 is configured as the first slave, it will be used as long as it is functional (link pulse is present and interface driver indicates that the interface is present). eth2 is active and eth3 is passive. If eth2 fails, bond0 will start using eth3. If eth2 later becomes functional, bond0 continues to use eth3 and will switch to eth2 only if eth3 fails.

Example 2:

Bond0 is configured with eth2 and eth3, with eth2 specified as primary.

eth2 will be used as long as it is functional (link pulse is present and interface driver indicates that the interface is present). If eth2 fails, bond0 will start using eth3. If eth2 later becomes functional, bond0 switches to eth2 from eth3, even though eth3 is functional.

In balance-tlb mode, outgoing traffic is distributed according to the current load (computed relative to the speed) on each slave. Incoming traffic is received by the primary slave. Transmission of broadcasts and multicasts is done through the primary slave.

In balance-alb mode, the outgoing and incoming traffic is distributed among all slaves. Transmission of broadcasts and multicasts is through the primary slave.

Multiple instances of the -primary option are not allowed in a command line.

The -primary option can be specified regardless of the bond interface status.

If the slave interface specified as the primary is removed from the bonded interface, that interface will not have any slave configured as primary.

When the configured primary slave is deleted from the bonding interface, a warning is issued.

EXAMPLES

> climconfig slaveinterface -configure bond0 -add eth1

> climconfig slaveinterface -configure bond0 -delete eth1


> climconfig slaveinterface -configure bond0 -primary eth1

> climconfig slaveinterface -configure bond0 -add eth1

-delete eth2 -primary eth3

> climconfig slaveinterface -configure bond0 -delete eth1

-add eth3

SEE ALSO

climconfig interface -add


climconfig.snmp(1) climconfig.snmp(1)

NAME

climconfig.snmp − configure snmp

SYNOPSIS

CLIMCMD {clim-name|ip-address} climconfig snmp -add trap-receiver-ipaddress

CLIMCMD {clim-name|ip-address} climconfig snmp -delete trap-receiver-ipaddress

CLIMCMD {clim-name|ip-address} climconfig snmp -start

CLIMCMD {clim-name|ip-address} climconfig snmp -stop [-force]

CLIMCMD {clim-name|ip-address} climconfig snmp -info [-obeyform]

CLIMCONFIG.SNMP DESCRIPTION

This command does the following:

snmp -add adds a trap receiver IP address to the /etc/snmp/snmpd.conf file and restarts the SNMP daemon and agents. The trap receiver address defines the host that receives traps.

snmp -delete deletes a trap receiver IP address from the /etc/snmp/snmpd.conf file and restarts the SNMP daemon and agents.

snmp -start explicitly starts the SNMP daemon and agents.

snmp -stop explicitly stops the SNMP daemon and agents.

snmp -info displays SNMP configuration information. The display format is:

Trap Receiver IP Address ip-address-1

.

.

.

ip-address-n

SNMP Agent State state

SNMP Agent Listening IP Address ip-address

PARAMETERS

trap-receiver-ipaddress

Specifies the trap receiver IP address to be added to or deleted from the configuration file.

-force

Causes the command to stop the SNMP daemon and agents without confirmation.

-obeyform Displays SNMP configuration information in add command format.

ERROR MESSAGES

For climconfig snmp -add:

• Trapsink already exists in SNMP configuration.


• Internal error cannot restart the SNMP daemon, error-code.

• Internal error cannot restart the SNMP agents, error-code.

For climconfig snmp -delete:

• Trapsink already exists in SNMP configuration.

• Internal Error cannot restart SNMP daemon, error-code.

• Internal error cannot restart the SNMP agents, error-code.

For climconfig snmp -start:

• SNMP daemon and agents are already in started state.

• Internal error cannot start SNMP daemon, error-code.

• Internal error cannot start the SNMP agents, error-code.

For climconfig snmp -stop:

• SNMP daemon and agents are already in stopped state.

• Internal Error cannot stop SNMP daemon, error-code.

• Internal error cannot stop the SNMP agents, error-code.

CONSIDERATION

• You can designate multiple hosts to receive traps by using snmp -add to add additional trap receiver IP addresses to the /etc/snmp/snmpd.conf file.

EXAMPLES

> CLIMCMD N1001253 climconfig snmp -info

Trap Receiver IP Address 192.168.1.192

192.168.1.193

192.168.1.194

SNMP Agent State STARTED

SNMP Agent Listening IP Address 192.1.1.1

> CLIMCMD N1001253 climconfig snmp -info -obeyform

climconfig snmp -add 192.168.1.192

#CLIMCMD expects 'exit' to be the last command.

#This is required to terminate CLIMCMD session.

exit


climconfig.sp(1) climconfig.sp(1)

NAME

climconfig.sp − configure security policies

SYNOPSIS

CLIMCMD {clim-name|ip-address} climconfig sp -add

[-prov prov-name] -s src-range -d dst-range -u upperspec

-dir {in|out } -policy {discard|none|ipsec}

-protocol {esp|ah|ipcomp }

-mode {tunnel -srcdst src_ip-dst_ip|transport }

-level {use|require|unique|default} [-load]

CLIMCMD {clim-name|ip-address} climconfig sp -delete

[-prov prov-name] -s src-range -d dst-range -u upperspec

-dir {in|out } [-unload [-force]]

CLIMCMD {clim-name|ip-address} climconfig sp -info

[-prov {prov-name | all}] [-s src-range ]

[-d dst-range] [-u upperspec][-obeyform]

CLIMCMD {clim-name|ip-address} climconfig sp -start

[-prov prov-name] [ -s src-range -d dst-range [-u upperspec]]

CLIMCMD {clim-name|ip-address} climconfig sp -stop

[-prov prov-name] [ -s src-range -d dst-range -u upperspec

-dir {in|out }] [-force]

CLIMCONFIG.SP DESCRIPTION

This command does the following:

sp -add

adds a security policy to the configuration file ipsec-tools.conf. The command parameters are reformatted into a spdadd < ...> type setkey command. The SP is not loaded into the SPD unless the -load option is specified.

sp -delete

deletes a security policy from the configuration file ipsec-tools.conf. If any SPs were already activated, they are not impacted. The SP is not unloaded from the SPD unless the -unload option is specified.

sp -info

displays security policy information from the configuration file ipsec-tools.conf. If no options are selected, all the SPs are listed from the ipsec-tools.conf file.

sp -start

loads security policies into the SPD. sp -start is one of the commands for activating

VPN connections.

sp -stop

unloads security policies from the SPD. sp -stop is one of the commands for deactivating VPN connections.


PARAMETERS

-prov Specifies a provider name. This option is mandatory for CLIMs that have MULTIPROV set to ON and cannot be used if MULTIPROV is set to OFF. Each provider has its own IPSec configuration. The provider name is case-insensitive and is always converted to upper case.

-s src-range

Specifies the source of the secure communication as an IPv4 or IPv6 address and an optional port number between square brackets. This takes the form: address[/prefixlen][[port]]

-d dst-range

Specifies the destination of the secure communication as an IPv4 or IPv6 address and an optional port number between square brackets. This takes the following form: address[/prefixlen][[port]]

-u upperspec

Specifies the upper layer protocol. Any of the protocols from the /etc/protocols file can be specified as upperspec, icmp6, ip4, or any. The any option indicates any protocol. You can also specify the protocol number.

Note:

The upperspec parameter does not work in the forwarding case.

There are many protocols in /etc/protocols, but protocols other than TCP, UDP, and ICMP may not be suitable to use with IPSec.

-dir direction

Specifies in or out.

-policy policy

Is one of the values: discard, none, or ipsec.

The discard parameter causes packets matching the policy to be discarded. The none parameter causes no IPSec processing to take place on the packet. The ipsec parameter causes IPSec processing to take place on the packet.

-protocol protocol

One of: esp, ah, or ipcomp.

-mode mode

Either transport or tunnel.

-srcdst src_ip-dst_ip

Specifies the end-point addresses of the tunnel. This parameter is specified as two addresses separated by a hyphen (-). If -mode is transport, this option is not required. If -mode is tunnel, this parameter is required.

-level policy-level

Specifies the policy level. The value is one of: default, use, require, or unique. If no suitable SA is available at the specified level, the kernel requests the key-exchange daemon to establish one.

The default option causes the kernel, when the kernel processes the packet, to consult the system-wide default for the protocol specified; for example, the esp_trans_deflev sysctl variable.

The use option causes the kernel to use an SA if one is available; otherwise the kernel continues in normal operation, which means the packet is sent without IPSec protection.

The require option causes the SA to be required whenever the kernel sends a packet matched with the policy.

The unique option is the same as the require option. Additionally, the unique option allows the policy to match the unique out-bound SA. If policy level -level is specified as unique, racoon configures the SA for the policy.

-load Causes the SP to be loaded into the SPD. This parameter is optional, and is used with the sp -add command.

-unload Causes the SP to be unloaded from the SPD. This parameter is optional, and is used with the sp -delete command. Unless you specify the -force parameter, you are prompted for confirmation for this command.

-force Causes the command to run without confirmation.

-obeyform Displays the security policy configuration in the format of add command(s).

ERROR MESSAGES

For sp -add:

Please give the correct options.

For sp -delete:

Please give the correct options. (The incorrect option is displayed).

The security policy for the matched options is not found.

For sp -start:

SP configuration not found.

For sp -info:

Please give the correct options. (The incorrect option is displayed.)

There are no security policies with the matched options.

For sp -stop:

SP configuration(s) not unloaded from the SPD.

CONSIDERATIONS

For sp -add:

The parameters protocol, mode and level are required and valid if and only if the parameter specified for policy is ipsec.

For sp -stop:

The src-ip, dst-ip and upperspec are optional parameters. If src-ip and dst-ip pair is provided, all SPs that match the src-ip and dst-ip are unloaded from the SPD. If no option is provided, all the SPs currently loaded in the kernel are unloaded.

Unless you specify -force you are prompted for confirmation to unload the SP(s) from the SPD.

You must add the SP configurations separately for different IPSec protocols ESP and AH. However, in the file, the configuration is represented as a single configuration instead of two separate configurations. For example:

spdadd 1.2.3.4 4.3.2.1 any -P in ipsec ah/transport//require esp/transport//require;

When you add the SP configuration for the second, different protocol and specify the -load option, the IPSec tool unloads the previous old SP configuration (AH or ESP protocol) from the SPD and loads the new SP configuration (both AH and ESP protocols) into the SPD.

Note:

If you do not use the -load option, for example, if you do not load the SP configuration for the second protocol added, you must unload the old SP configuration manually (climconfig sp -stop <...> command) and then load the new SP configuration manually (climconfig sp -start <...> command).

If you try to load the new SP configuration without unloading the old SP configuration, the new SP configuration is not loaded into the SPD.
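The following Python example is added here for illustration and is not part of the manpage or of the CIP software. It models the reformatting described above: climconfig sp -add parameters become a setkey spdadd line, the constraints stated in this section are enforced (-protocol, -mode and -level only with -policy ipsec; -srcdst required with -mode tunnel), and a second add for the same selector with the other protocol is merged into the single AH-plus-ESP entry shown above. The class and function names are the example's own.

```python
"""Build setkey 'spdadd' lines from 'climconfig sp -add' style parameters.

Added example, not part of the CIP/CLIM software. It models the reformatting
the manpage describes (parameters -> 'spdadd src dst upperspec -P dir policy
protocol/mode/src-dst/level ;') plus the constraints from CONSIDERATIONS.
"""
from dataclasses import dataclass, field

UPPERSPECS = {"any", "tcp", "udp", "icmp", "icmp6", "ip4"}   # subset of /etc/protocols names


@dataclass
class SecurityPolicy:
    src: str           # -s  address[/prefixlen][[port]]
    dst: str           # -d  address[/prefixlen][[port]]
    upper: str         # -u  protocol name, protocol number or any
    direction: str     # -dir in|out
    policy: str        # -policy discard|none|ipsec
    # (protocol, mode, src-dst, level) tuples; only meaningful for policy == "ipsec"
    rules: list = field(default_factory=list)


def make_rule(protocol, mode, level, srcdst=None):
    """One protocol/mode/src-dst/level element. -srcdst is required in tunnel
    mode; in transport mode the src-dst field of the setkey line stays empty."""
    if protocol not in ("esp", "ah", "ipcomp"):
        raise ValueError("-protocol must be esp, ah or ipcomp")
    if mode not in ("transport", "tunnel"):
        raise ValueError("-mode must be transport or tunnel")
    if level not in ("default", "use", "require", "unique"):
        raise ValueError("-level must be default, use, require or unique")
    if mode == "tunnel" and not (srcdst and "-" in srcdst):
        raise ValueError("-srcdst src_ip-dst_ip is required with -mode tunnel")
    return (protocol, mode, srcdst if mode == "tunnel" else "", level)


def sp_add(src, dst, upper, direction, policy,
           protocol=None, mode=None, level=None, srcdst=None):
    """Model 'climconfig sp -add' and return the resulting SecurityPolicy."""
    if direction not in ("in", "out"):
        raise ValueError("-dir must be in or out")
    if policy not in ("discard", "none", "ipsec"):
        raise ValueError("-policy must be discard, none or ipsec")
    if upper not in UPPERSPECS and not upper.isdigit():
        raise ValueError("-u must be a protocol name from /etc/protocols, a number or any")
    if policy != "ipsec":
        # protocol, mode and level are valid if and only if policy is ipsec
        if protocol or mode or level or srcdst:
            raise ValueError("-protocol, -mode, -level and -srcdst are valid only with -policy ipsec")
        return SecurityPolicy(src, dst, upper, direction, policy)
    if not (protocol and mode and level):
        raise ValueError("-protocol, -mode and -level are required with -policy ipsec")
    return SecurityPolicy(src, dst, upper, direction, policy,
                          [make_rule(protocol, mode, level, srcdst)])


def merge(existing, new):
    """A second 'sp -add' for the same selector with the other protocol: the file
    keeps a single entry that carries both protocol rules (e.g. AH and ESP)."""
    same = (existing.src, existing.dst, existing.upper, existing.direction) == \
           (new.src, new.dst, new.upper, new.direction)
    if not same or existing.policy != "ipsec" or new.policy != "ipsec":
        raise ValueError("only ipsec policies for the same selector can be merged")
    if {r[0] for r in existing.rules} & {r[0] for r in new.rules}:
        raise ValueError("that protocol is already configured for this selector")
    return SecurityPolicy(existing.src, existing.dst, existing.upper, existing.direction,
                          "ipsec", existing.rules + new.rules)


def to_spdadd(sp):
    """Render the setkey line as it would appear in ipsec-tools.conf."""
    line = f"spdadd {sp.src} {sp.dst} {sp.upper} -P {sp.direction} {sp.policy}"
    for protocol, mode, srcdst, level in sp.rules:
        line += f" {protocol}/{mode}/{srcdst}/{level}"
    return line + ";"
```

to_spdadd(merge(ah_policy, esp_policy)) reproduces the combined AH and ESP line quoted above, which is why a later -load has to replace the earlier single-protocol entry in the SPD rather than add a second one.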

For sp -info:

If no options are specified, the list of all security policies in the configuration file ipsec-tools.conf is displayed.

EXAMPLES

> CLIMCMD clim1 climconfig sp -add -s 10.1.1.0/24[any] -d 10.3.3.0/24[any] -u any -dir in -policy ipsec -protocol esp -mode tunnel -srcdst 10.2.2.1-10.2.2.2 -level require -load

> CLIMCMD clim1 climconfig sp -add -s 10.1.1.2 -d 10.3.3.2 -u any -dir out -policy ipsec -protocol esp -mode transport -level require -load

> CLIMCMD clim1 climconfig sp -delete -s 10.1.1.2 -d 10.3.3.2 -u any -dir out -unload

> CLIMCMD clim1 climconfig sp -delete -s 10.1.1.2 -d 10.3.3.2 -u any -dir out -unload -force

> CLIMCMD clim1 climconfig sp -info -s 10.1.1.0 -d 10.3.3.0 -u any

> CLIMCMD clim1 climconfig sp -info

> CLIMCMD clim1 climconfig sp -stop

> CLIMCMD clim1 climconfig sp -stop -force

> CLIMCMD clim1 climconfig sp -info -obeyform

> CLIMCMD clim1 climconfig sp -info -s 10.1.1.0 -d 10.3.3.0 -u 1 -obeyform

> CLIMCMD clim1 climconfig sp -add -prov ztc0 -s 10.1.1.2 -d 10.3.3.2 -u any -dir out -policy ipsec -protocol esp -mode transport -level require -load

> CLIMCMD clim1 climconfig sp -delete -prov ztc0 -s 10.1.1.2 -d 10.3.3.2 -u any -dir out -unload -force

> CLIMCMD clim1 climconfig sp -info -prov zsam1

> CLIMCMD clim1 climconfig sp -info -prov ztc1 -obeyform

The sample output for sp -info -obeyform is:

climconfig sp -add \
-s 10.1.1.2 \
-d 10.3.3.2 \
-u any \
-dir out \
-policy ipsec \
-protocol esp \
-mode transport \
-level require
#CLIMCMD expects 'exit' to be the last command.
#This is required to terminate CLIMCMD session.
exit
Termination Info: 0

SEE ALSO

climconfig.sa, climconfig.vpn


climconfig.sysctl(1) climconfig.sysctl(1)

NAME

climconfig.sysctl − set or display CLIM kernel parameters

SYNOPSIS

CLIMCMD {clim-name|ip-address} climconfig sysctl -update param-name param-value

CLIMCMD {clim-name|ip-address} climconfig sysctl -info {all|param-name} [-obeyform]

CLIMCMD {clim-name|ip-address} climconfig sysctl -delete param-name param-value

CLIMCONFIG.SYSCTL DESCRIPTION

This command sets the kernel parameter param-name to the value specified by param-value. In addition, this command causes an entry corresponding to the parameter to be added to or updated in the configuration file /etc/clim/kernelparam.conf. The configuration file /etc/clim/kernelparam.conf is dedicated to maintaining only the customer-configured kernel parameters.

When the CLIM is started, a script reads the /etc/clim/kernelparam.conf configuration file and sets the user-configured kernel parameters in the kernel. Your changes remain persistent across CLIM reboots. To preserve changes made to the configuration file, a backup must be done, which can be restored when the CLIM is updated or the disk is replaced.

This command also displays the user-configured kernel parameters along with their corresponding values existing in the /etc/clim/kernelparam.conf file.

This command internally invokes the Linux provided sysctl utility with the param-name and param-value as arguments. Therefore, the behavior of this command is similar to that of the Linux provided sysctl utility. For information about the sysctl parameters, see the sysctl(8) man page on the CLIM.

PARAMETERS

param-name

For sysctl -update, denotes the kernel parameter to be updated with the new value.

For sysctl -info, specifies the kernel parameter in the /etc/clim/kernelparam.conf file to be displayed.

For sysctl -delete, deletes the specified kernel parameter from the /etc/clim/kernelparam.conf file. The parameter value remains unchanged in the kernel and is reset to its default value when the CLIM is rebooted.

param-value

Specifies the new value for the kernel parameter param-name.

all Displays all the user-configured kernel parameters along with their corresponding values as they exist in the /etc/clim/kernelparam.conf file.

-obeyform Generates the modify kernel parameter commands.

ERROR MESSAGES

The error messages are the same as those returned by the Linux sysctl utility. See the sysctl man page for information about errors.


CONSIDERATIONS

• If the param-value has multiple entries, you must specify the entries as space separated values within single quotes.

• Changes to these sysctl parameters must be done for every CLIM in a Provider:

• net.core.rmem_default

• net.core.rmem_max

• net.core.wmem_default

• net.core.wmem_max

• net.ipv4.ip_local_port_range

• net.ipv4.tcp_rmem

• net.ipv4.tcp_wmem

• If a sysctl is deleted, the change will come into effect only after a CLIM reboot.

• Changes to sysctl parameters should not be made when the CLIM is in STARTED state. To change the sysctl parameters on the CLIM:

1. Stop the CLIMs and the Provider.

2. Alter the sysctl parameters.

3. Start the CLIMs and the Provider.

If the CLIM is an Open type, you must reboot it.
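As an added example (not from the manpage or the CIP software), the Python below checks the consideration that the listed parameters must agree on every CLIM of a Provider. It parses the name = value lines that sysctl -info all prints, reports the provider-wide parameters whose values differ between CLIMs, and emits the -update commands that would copy a reference CLIM's values, quoting multi-entry values as the first consideration requires. The CLIM names and the captured output are constructed; the function names are the example's own.

```python
"""Detect sysctl drift across the CLIMs of a Provider.

Added example, not part of the CIP/CLIM software. Input is the text printed by
'climconfig sysctl -info all' (one 'name = value' line per parameter). The
CLIM names and values are constructed; tcp_rmem disagrees on purpose.
"""

# Parameters this manpage says must be changed on every CLIM in a Provider.
PROVIDER_WIDE = (
    "net.core.rmem_default", "net.core.rmem_max",
    "net.core.wmem_default", "net.core.wmem_max",
    "net.ipv4.ip_local_port_range", "net.ipv4.tcp_rmem", "net.ipv4.tcp_wmem",
)

# Constructed '-info all' output captured from two CLIMs of the same Provider.
INFO_ALL = {
    "n100253": "net.ipv4.tcp_rmem = 4096 87380 1048576\nnet.ipv4.conf.all.forwarding = 1\n",
    "n100254": "net.ipv4.tcp_rmem = 4096 87380 4194304\nnet.ipv4.conf.all.forwarding = 1\n",
}


def parse_info(text):
    """'name = value' lines -> dict; multi-entry values are normalised to single spaces."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = " ".join(value.split())
    return params


def find_drift(per_clim):
    """{param: {value: [clims]}} for every provider-wide parameter whose value
    differs between CLIMs; a CLIM without an entry is recorded under None."""
    parsed = {clim: parse_info(text) for clim, text in per_clim.items()}
    drift = {}
    for name in PROVIDER_WIDE:
        by_value = {}
        for clim, params in parsed.items():
            by_value.setdefault(params.get(name), []).append(clim)
        if len(by_value) > 1:
            drift[name] = by_value
    return drift


def quote_value(value):
    """Multi-entry values must be passed as one single-quoted string."""
    return f"'{value}'" if " " in value else value


def fix_commands(drift, reference_clim):
    """CLIMCMD lines that copy the reference CLIM's setting to the CLIMs that differ.
    Follow the manpage's sequencing when applying them: stop the CLIMs and the
    Provider first, alter the parameters, then start them again."""
    cmds = []
    for name, by_value in sorted(drift.items()):
        ref = next((v for v, clims in by_value.items() if reference_clim in clims), None)
        if ref is None:          # reference CLIM has no override for this parameter
            continue
        for value, clims in by_value.items():
            if value != ref:
                for clim in clims:
                    cmds.append(f"CLIMCMD {clim} climconfig sysctl -update {name} {quote_value(ref)}")
    return cmds
```

Running find_drift(INFO_ALL) reports only net.ipv4.tcp_rmem; net.ipv4.conf.all.forwarding is not in the provider-wide list and is ignored even though both CLIMs set it.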

EXAMPLES

> CLIMCMD n100253 climconfig sysctl -update net.ipv4.conf.all.forwarding 1

> CLIMCMD n100253 climconfig sysctl -update net.ipv4.tcp_rmem '4096 87380 1048576'

> CLIMCMD n100253 climconfig sysctl -info net.ipv4.tcp_rmem
net.ipv4.tcp_rmem = 4096 87380 1048576

> CLIMCMD n100253 climconfig sysctl -info all
net.ipv4.tcp_rmem = 4096 87380 1048576
net.ipv4.conf.all.forwarding = 1

> CLIMCMD n100253 climconfig sysctl -info all -obeyform
climconfig sysctl -update net.ipv4.tcp_fin_timeout 60
#CLIMCMD expects 'exit' to be the last command.
#This is required to terminate CLIMCMD session.
exit


climconfig.tunnel(1) climconfig.tunnel(1)

NAME

climconfig.tunnel − modify tunnel configuration

SYNOPSIS

CLIMCMD {clim-name|ip-address} climconfig tunnel -add tunnel-interface -ipaddress ipv6-address -netmask netmask -endpoint {ipv4-address | any} -local ipv4-address [-ttltime ttl-time] -intf parent-interface [-mtu mtu-value | -jumbo { on | off }]

CLIMCMD {clim-name|ip-address} climconfig tunnel -delete interface

CLIMCMD {clim-name|ip-address} climconfig tunnel -info {tunnel-interface|all} [-obeyform]

CLIMCONFIG.TUNNEL DESCRIPTION

This command does the following:

tunnel -add

adds an IPv6-over-IPv4 (point-to-point) tunnel configuration to the /etc/network/interfaces file. IPv6 packets are encapsulated in IPv4 headers and sent across the IPv4 infrastructure through the configured tunnel. If the -mtu option is not specified, the tunnel interface is activated with an MTU size of 20 bytes less than its parent interface MTU size or with a value of 1280, whichever is higher.

NOTE: When adding a tunnel interface to CLIMs with MULTIPROV ON, the tunnel is added to the same provider that the parent interface belongs to and does not need to be explicitly indicated in the command line.

tunnel -delete

deletes an existing tunnel interface. If the tunnel is active, the tunnel configuration cannot be deleted.

tunnel -info

displays tunnel configuration information for a specified tunnel interface. The display format is:

Interface Name tunnel-interface

IPv6 Address ip-address

Netmask netmask

Remote Endpoint ip-address

Local Endpoint ip-address

TTL Time ttltime

MTU Size value

If the Local Endpoint, Gateway, and TTL Time fields are not configured, they do not appear in the display.

The -obeyform display format is:

climconfig tunnel -add interface-name -ipaddress ipv6-address -netmask ipv6-prefix -endpoint ipv4-address -local ipv4-address -intf parent-interface [-mtu mtu-value] [-ttltime ttl-time]

PARAMETERS

tunnel-interface

Is the name of the tunnel interface to be added, deleted, or displayed. The tunnel interface name is case sensitive.

all Displays the configurations of all the interfaces.

-obeyform For a specified Tunnel interface name, displays Tunnel configuration in add command format.

-ipaddress ipv6-address

Is an IPv6 address.

-netmask netmask

Is the netmask for the IPv6 address, specified as a number of bits, for example, 64.

-endpoint {ipv4-address|any}

Is the address of the tunnel endpoint. Specify either a dotted quad IPv4 address or any. If it is specified as any, the kernel determines the remote endpoint by examining the 6to4 address and creates a 6to4 tunnel. 6to4 tunnels do not have an IPv6 link local address like point-to-point tunnels. The local IPv4 address will be added as an IPv6 compatible IPv4 address. The kernel then encapsulates the packet and sends it to the IPv4 address embedded in the packet.

-local ipv4-address

Is the address of the local endpoint, specified as a dotted quad IPv4 address.

-ttltime ttl-time

Is the TTL setting indicating the network time to live. The maximum value is 255.

-intf parent-interface

Specifies the parent interface name (for example, eth1 or bond1) that hosts the local endpoint IPv4 address.

-mtu Sets frame size for an interface. Allowable values are 1280 to 65508.

You cannot specify both the jumbo and mtu options.

Specifying the mtu option overrides previous values set for jumbo.

-jumbo { on | off }

Sets or resets jumbo frames for a tunnel interface. If set to ON, the frame size is set to 9000 bytes. If reset (OFF), the frame size is set to 1500 bytes.

The jumbo option has a limited set of allowable values (1500 - OFF and 9000 - ON) for frame size, whereas the mtu option supports a range of values. The mtu option is the recommended method for setting MTU size.

You cannot specify both the jumbo and mtu options.

Specifying jumbo overrides previous values set for mtu.
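Added Python example, not part of the manpage or of the CIP software: the default tunnel MTU rule stated under tunnel -add (parent MTU minus the 20-byte IPv4 header, never below the IPv6 minimum of 1280), and the 6to4 address mapping of RFC 3056 (2002:V4ADDR::/48) that the kernel applies when -endpoint is any, both deriving a site's 6to4 prefix from its IPv4 address and recovering the embedded IPv4 endpoint from a 6to4 destination. The function names are the example's own.

```python
"""IPv6-over-IPv4 tunnel helpers: default tunnel MTU and 6to4 address handling.

Added example, not part of the CIP/CLIM software. The MTU rule is the one the
manpage states for 'tunnel -add' without -mtu; the 6to4 mapping is RFC 3056,
which is what the kernel uses to find the remote endpoint when -endpoint is any.
"""
import ipaddress

IPV4_HEADER = 20        # bytes consumed by the encapsulating IPv4 header
IPV6_MIN_MTU = 1280     # minimum link MTU every IPv6 link must support (RFC 8200)
SIXTO4 = ipaddress.IPv6Network("2002::/16")


def default_tunnel_mtu(parent_mtu):
    """Parent MTU minus the IPv4 header, but never below the IPv6 minimum."""
    return max(parent_mtu - IPV4_HEADER, IPV6_MIN_MTU)


def sixto4_prefix(ipv4):
    """The /48 a 6to4 site derives from its public IPv4 address: 2002:V4ADDR::/48."""
    v4 = ipaddress.IPv4Address(ipv4)
    if v4.is_private or v4.is_loopback or v4.is_multicast or v4.is_unspecified:
        raise ValueError("6to4 needs a globally routable IPv4 address")
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def sixto4_remote_endpoint(ipv6_dst):
    """What '-endpoint any' relies on: the IPv4 tunnel endpoint embedded in bits
    16..47 of a 2002::/16 destination. Returns None for non-6to4 destinations."""
    v6 = ipaddress.IPv6Address(ipv6_dst)
    if v6 not in SIXTO4:
        return None
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)
```

Because the remote IPv4 address is taken from each packet's destination, a 6to4 tunnel will encapsulate toward whatever IPv4 address the 2002::/16 destination encodes; a fixed -endpoint address avoids that open behaviour when only one peer is intended.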

ERROR MESSAGES

For tunnel -add:

Tunnel interface interface is already configured as an independent interface.


parent-interface is invalid parent interface.

The interface parent-interface is not configured.

The IP address ipv4-address specified with the -local option is not configured with the specified interface parent-interface.

A tunnel for the specified endpoints exists.

Another tunnel with the same endpoints should not exist.

Only one of -jumbo or -mtu options can be specified.

A value within the range of 1280 to 65508 must be specified for the -mtu option.

For tunnel -delete:

The interface tunnel-interface is not configured.

The interface tunnel-interface is UP; cannot execute this command.

For tunnel -info:

Tunnel interface interface configuration does not exist.

CONSIDERATIONS

As of J06.10 and H06.21, tunnels can be added only in upper case, but existing tunnels in lower case are supported and do not need to be deleted and re-added.

The parent interface and the local endpoint address should be configured before adding the tunnel interface.

eth0, lo, and eth0:0 are not valid parent interfaces for a tunnel interface.

A VLAN or VXLAN interface cannot be the parent interface of a tunnel interface.

A tunnel interface cannot be the parent interface of a tunnel interface.

If the Maximum Transfer Unit (MTU) value of an active interface is changed using the jumbo option, a failover of that interface might occur.

A different tunnel with the same endpoints cannot exist.

EXAMPLES

> CLIMCMD clim1 climconfig tunnel -add MYTUN1 -ipaddress 2001:0db8:fff5:6::101 -netmask 64 -endpoint 15.76.217.111 -local 15.76.217.35 -intf eth1

> CLIMCMD 100.253.17.2 climconfig tunnel -delete MYTUN1

> CLIMCMD clim1 climconfig tunnel -info MYTUN1

Interface : MYTUN1

Interface Type : Point-to-Point Tunnel Interface

MTU Size : 1280

Associated Parent Interface Name: eth5

Local Endpoint Address : 1.2.3.15

Remote Endpoint Address : 1.2.3.4

TTL value : Unspecified

IP Address : dead:beef:face::1/64

> CLIMCMD clim1 climconfig tunnel -info TUN2 -obeyform
climconfig tunnel \
-add TUN2 \
-ipaddress 3ffe::218:71ff:fe79:b378 \
-netmask 64 \
-local 173.17.190.40 \
-endpoint 173.17.190.100 \
-intf eth4
#CLIMCMD expects 'exit' to be the last command.
#This is required to terminate CLIMCMD session.
exit
Termination Info: 0

SEE ALSO

climconfig vpn


climconfig.vlan(1) climconfig.vlan(1)

NAME

climconfig.vlan − configure VLAN interfaces

SYNOPSIS

CLIMCMD {clim-name|ip-address} climconfig vlan -add <tenant-interface-name> -vid <vid-value> -hostintf <host-interface-name> [-prov <provider-name>] [-mtu <mtu-value>] [-pcpoutmap {/<*:out-pcp>/ | /<input-priority:out-pcp>,<input-priority:out-pcp>,.../}]

CLIMCMD {clim-name|ip-address} climconfig vlan -delete <tenant-interface-name> [-force]

CLIMCMD {clim-name|ip-address} climconfig vlan -modify <tenant-interface-name> [-mtu <mtu-value>] [-pcpoutmap { default | /<input-priority:out-pcp>,<input-priority:out-pcp>,.../}] [-force]

CLIMCMD {clim-name|ip-address} climconfig vlan -info {<tenant-interface-name> | all} [-obeyform]

CLIMCONFIG.VLAN DESCRIPTION

This command does the following:

vlan -add

adds a VLAN interface to the /etc/network/interfaces file of the CLIM.

The host brings up the VLAN interface when it is added.

If the CLIM has MULTIPROV ON and the operator specifies the -prov option with the name of an unconfigured prov object, that object is implicitly added.

The VLAN interface can be added even when the CLIM is in the STARTED state.

vlan -delete

deletes an existing VLAN interface.

If the VLAN interface is active, the vlan configuration cannot be deleted.

vlan -modify

modifies the MTU and pcpoutmap associated with the configured VLAN interface.

If any pcpoutmap already exist for the specified VLAN interface, they will be deleted and the new pcpoutmap specified with this command will be set on the VLAN interface.

It changes the existing interface configuration in the CLIM /etc/network/interfaces file.

vlan -info

displays vlan configuration information for the specified VLAN interface.

The display format is:

Interface : <tenant-interface-name>
Interface Type : VLAN Interface
VID : <vid-value>
Host Interface : <host-interface-name>
MTU Size : <mtu-value>
PCP Outmap : <pcpoutmap-value>
IP Address : <ip-address>
Netmask : <netmask>
ROUTE Details :
Route Type : <route-type>
Destination Address : <ip-address>
Netmask : <netmask>
Gateway Address : <gateway-ip-address>
Metric : <value>
Minimum RTO : <value>
InitCWND : <value>
Src : <value>

If any of the optional parameters is not configured, it appears either as default or with the default value in the display.

The -obeyform display format is:

climconfig vlan -add <tenant-interface-name> -vid <vid-value> -hostintf <host-interface-name> [-prov <provider-name>] [-mtu <mtu-value>] [-pcpoutmap <pcpoutmap-value>]

PARAMETERS

<tenant-interface-name>

Is the name of the VLAN (IEEE 802.1q enabled) interface to be added, deleted, modified or displayed.

The tenant interface name is case sensitive. It must be in lower case.

The total length of a tenant interface name should not be more than 6 characters long.

It is highly recommended to use the following naming convention so that VLAN interfaces can be easily differentiated with a common convention.

-> eNvMMM - VLAN interface hosted on Ethernet interface ethN with VID MMM.

-> bNvMMM - VLAN interface hosted on bonded interface bondN with VID MMM.

MMM is an alphanumeric string of length between 1 and 3 characters.

all Displays configurations of all the VLAN interfaces.

-obeyform For a specified VLAN interface name, displays vlan configuration in add command format.

-vid <vid-value>

The 12-bit VID field to be set in the 802.1q header, specifying the virtual LAN tag to be used by traffic through this VLAN interface. It must be an integer value in the range of 1-4094.

-hostintf <host-interface-name>

The physical Ethernet interface or bonded interface to be used for carrying the VLAN traffic.

-prov <provider-name>

The tenant provider in which the VLAN interface will be configured.

This may or may not be the same as the provider in which the host interface is configured.

-mtu <mtu-value>

The maximum transmission unit for frames sent through the VLAN interface. The MTU of a VLAN interface must be less than or equal to the MTU of the host interface on which it is configured. By default, if unspecified, it is set to a value equal to the MTU of the host interface.

-pcpoutmap <pcpoutmap-value>

This option sets Layer 2 QoS in the 802.1q header for outgoing frames. It specifies a mapping of packet <input-priority> to the Priority Code Point (PCP) field in the 802.1q header for outgoing frames, so all packets of a given <input-priority> are sent out with <out-pcp> as the value of the PCP field in the 802.1q header.

The <input-priority> and <out-pcp> must be integer values in the range 0 - 7.

If the wildcard character * is specified for <input-priority>, all the packets are sent out with <out-pcp> as the PCP field value in the 802.1q header.

To map traffic of different priorities, multiple mappings can be specified for the same VLAN interface separated by the comma character. No blank spaces should be used while specifying the value for the pcpoutmap parameter. The <pcpoutmap-value> must be enclosed within the delimiter '/'.

By default, if no mapping is specified, all packets are sent out with 0 as the value of the PCP field.

Applications can set the <input-priority> on packets sent out through a particular socket by setting the SO_PRIORITY socket option. The <input-priority> on outgoing packets can also be set by adding an iptables rule on the POSTROUTING built-in chain of the 'mangle' table.

-force Causes the command to modify the VLAN interface without prompting for confirmation.
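The Python below is an added example, not the manpage's or the CIP software's code. It validates a tenant interface name and VID against the rules given above, parses a -pcpoutmap value into a priority-to-PCP mapping (raising the error texts listed under ERROR MESSAGES for malformed input), and shows which PCP a frame of a given input priority leaves with. The function names are the example's own.

```python
"""Validate 'climconfig vlan -add' tenant names, VIDs and -pcpoutmap values.

Added example, not part of the CIP/CLIM software. The rules are the ones
stated in this manpage and the error texts mirror its ERROR MESSAGES.
"""
import re

_CONVENTION = re.compile(r"^[eb]\d+v[0-9a-z]{1,3}$")   # recommended eNvMMM / bNvMMM names
_TOKEN = re.compile(r"([^0-9a-zA-Z*])")                  # split on any separator character


def check_tenant_name(name):
    """Enforce the hard rules (lower case, at most 6 characters); return True when
    the name also follows the recommended eNvMMM / bNvMMM convention."""
    if len(name) > 6:
        raise ValueError(f"The specified tenant interface name {name} is more than 6 characters.")
    if name != name.lower():
        raise ValueError("The tenant interface name must be in lower case.")
    return bool(_CONVENTION.match(name))


def check_vid(vid):
    """VIDs 0 and 4095 are reserved by IEEE 802.1Q, so only 1-4094 is accepted."""
    if not (isinstance(vid, int) and 1 <= vid <= 4094):
        raise ValueError("The vid must be an integer value in the range of 1-4094.")
    return vid


def parse_pcpoutmap(value):
    """'/<*|input-priority>:<out-pcp>,.../' -> {input_priority_or_'*': out_pcp}.
    'default' (accepted by vlan -modify) maps every priority to PCP 0."""
    if value == "default":
        return {"*": 0}
    if len(value) < 2 or value[0] != "/" or value[-1] != "/":
        raise ValueError("The value must be enclosed within the delimiters '/' and '/'.")
    body = value[1:-1]
    if " " in body:
        raise ValueError("No blank spaces should be used while specifying the value.")
    mapping = {}
    for item in body.split(","):
        parts = _TOKEN.split(item)            # e.g. "1:2" -> ["1", ":", "2"]
        if len(parts) != 3 or parts[1] != ":":
            if len(parts) >= 5 and parts[1] == ":":   # "1:2;4:5": wrong separator between maps
                raise ValueError(f"The separator '{parts[3]}' is invalid; ',' is expected between different pcp maps.")
            sep = parts[1] if len(parts) > 1 else "<none>"
            raise ValueError(f"The separator '{sep}' is invalid; ':' is expected between input priority and out pcp.")
        prio, _, pcp = parts
        if prio != "*" and not (prio.isdigit() and 0 <= int(prio) <= 7):
            raise ValueError("The input priority must be an integer value in the range of 0 - 7.")
        if not (pcp.isdigit() and 0 <= int(pcp) <= 7):
            raise ValueError("The out pcp must be an integer value in the range of 0 - 7.")
        key = "*" if prio == "*" else int(prio)
        if key in mapping:
            raise ValueError("The input priority value should not be repeated.")
        mapping[key] = int(pcp)
    return mapping


def egress_pcp(mapping, input_priority):
    """PCP written into the 802.1Q tag of a frame whose packet carried input_priority
    (set via SO_PRIORITY or an iptables mangle rule). '*' covers every priority;
    priorities with no mapping go out with PCP 0, the default the manpage states."""
    if "*" in mapping:
        return mapping["*"]
    return mapping.get(input_priority, 0)
```

With the mapping from the example command -pcpoutmap /1:2,4:5/, a socket that set SO_PRIORITY to 4 is tagged with PCP 5, while one that set 3 is tagged with PCP 0 because 3 has no entry.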

ERROR MESSAGES

For vlan -add:

A maximum combined total of only 100 VLAN and VXLAN interfaces can be configured per CLIM.

NSK system is running older version of CIP Subsystem software that does not support VLAN and VXLAN interfaces.

The specified tenant interface name <tenant-interface-name> is more than 6 characters.

The specified tenant interface <tenant-interface-name> is already configured.

A vlan interface <tenant-interface-name> with vid <vid-value> is already configured on the host interface <host-interface>.

VLAN interface cannot be configured in <maintenance-provider-name> provider.

The vid must be an integer value in the range of 1-4094.

The specified host interface <host-interface> is not configured.


The specified host interface <host-interface> is neither physical nor bonded interface.

The specified mtu <mtu-value> is greater than that of its host interface host-interface.

For the "-pcpoutmap" option, The value must be enclosed within the delimiters '/' and '/'.

For the "-pcpoutmap" option, The input priority must be an integer value in the range of 0 - 7.

For the "-pcpoutmap" option, The out pcp must be an integer value in the range of 0 - 7.

For the "-pcpoutmap" option, The input priority value should not be repeated.

For the "-pcpoutmap" option, The separator '<x>' is invalid; ':' is expected between input priority and out pcp.

For the "-pcpoutmap" option, The separator '<x>' is invalid; ',' is expected between different pcp maps.

This command is not supported on clim-mode CLIM.

The -prov option is not supported for CLIM with SCF MULTIPROV option set to OFF.

The -prov option must be specified for CLIM with SCF MULTIPROV option set to ON.

The specified provider name is invalid; it must not be more than seven characters and must be alpha-numeric characters with the first character being alphabetic.

This command is not supported for the interface <interface-name>.

VLAN is not supported on virtio interfaces.

For vlan -delete:

The specified VLAN interface <vlan-interface> is not configured.

The VLAN interface <vlan-interface> is UP; cannot execute this command.

This command is not supported for the interface <interface-name>.

For vlan -modify:

The specified VLAN interface <vlan-interface> is not configured.

For the "-pcpoutmap" option, The input priority must be an integer value in the range of 0 - 7.

For the "-pcpoutmap" option, The out pcp must be an integer value in the range of 0 - 7.

A value within the range 1280 to 9000 must be specified for -mtu option.

The specified mtu <mtu-value> is greater than that of its host interface <host-interface>.

For vlan -info:

The specified VLAN interface <vlan-interface> is not configured.

CONSIDERATIONS

As of L17.02 release, VLAN is supported only on Gen9 L-Series CLIM(s). It is not supported on Storage and IB CLIM(s).

VLAN interface cannot be added when the CLIM is in STARTED state and NSK system is running older version of CIP Subsystem software that does not support VLAN and VXLAN interfaces.

Only physical and bonded interface can be specified as host interface.

VLAN interface cannot be configured in maintenance providers (%MAINT and %MPROV).


VIDs 0 and 4095 are not supported as they are reserved by IEEE 802.1q specification.

A maximum combined total of only 100 VLAN and VXLAN interfaces can be configured per CLIM.

Only one VLAN interface per VID per host interface is supported on the CLIM.

A VLAN interface cannot be deleted when it is active (UP).

EXAMPLES

> CLIMCMD NCLIM001 climconfig vlan -add b0v8 -vid 8 -hostintf bond0 -prov ztc8

> CLIMCMD NCLIM001 climconfig vlan -add e1v7 -vid 7 -hostintf eth1 -mtu 1400 -pcpoutmap /*:5/

> CLIMCMD NCLIM001 climconfig vlan -add e2v6 -vid 6 -hostintf eth2 -prov ztc6 -pcpoutmap /1:2,4:5/

> CLIMCMD 192.168.36.51 climconfig vlan -delete e2v6 -force

> CLIMCMD NCLIM001 climconfig vlan -modify b0v8 -mtu 1500

> CLIMCMD NCLIM001 climconfig vlan -modify e1v5 -mtu 1450 -pcpoutmap default -force

> CLIMCMD NCLIM001 climconfig vlan -info e1v7
Data Provider ZTC7 interfaces
Interface : e1v7
Interface Type : VLAN Interface
VID : 7
Host Interface : eth1
MTU Size : 1400
PCP Outmap : /*:5/
IP Address : 1.1.1.1
Netmask : 255.255.255.0
ROUTE Details :
Route Type : Default Route
Destination Address : 0.0.0.0
Netmask : 0.0.0.0
Gateway Address : 1.1.1.10
Metric : 0
Minimum RTO : Unspecified
InitCWND : Unspecified
Src : Unspecified

> CLIMCMD NCLIM001 climconfig vlan -info all
Data Provider ZTC8 interfaces
Interface : b0v8
Interface Type : VLAN Interface
VID : 8
Host Interface : bond0
MTU Size : 1500
PCP Outmap : default
IP Address : 2.2.2.2
Netmask : 255.255.255.0
IP Address : 4.4.4.4
Netmask : 255.255.255.0
Data Provider ZTC7 interfaces
Interface : e1v7
Interface Type : VLAN Interface
VID : 7
Host Interface : eth1
MTU Size : 1400
PCP Outmap : /*:5/
IP Address : 1.1.1.1
Netmask : 255.255.255.0
ROUTE Details :
Route Type : Default Route
Destination Address : 0.0.0.0
Netmask : 0.0.0.0
Gateway Address : 1.1.1.10
Metric : 0
Minimum RTO : Unspecified
InitCWND : Unspecified
Src : Unspecified

> CLIMCMD NCLIM001 climconfig vlan -info all -obeyform
climconfig vlan \
-add b0v8 \
-vid 8 \
-hostintf bond0 \
-prov ZTC8 \
-mtu 1500
climconfig ip \
-add b0v8 \
-ipaddress 2.2.2.2 \
-netmask 255.255.255.0
climconfig ip \
-add b0v8 \
-ipaddress 4.4.4.4 \
-netmask 255.255.255.0
# No route is configured on b0v8
# No ARP entry is configured on b0v8
climconfig vlan \
-add e1v7 \
-vid 7 \
-hostintf eth1 \
-prov ZTC7 \
-mtu 1400 \
-pcpoutmap /*:5/
climconfig ip \
-add e1v7 \
-ipaddress 1.1.1.1 \
-netmask 255.255.255.0
climconfig route \
-add e1v7 \
-default \
-gateway 1.1.1.10
# No ARP entry is configured on e1v7
#CLIMCMD expects 'exit' to be the last command.
#This is required to terminate CLIMCMD session.
exit
Termination Info: 0

SEE ALSO

climconfig.interface(1), climconfig.arp(1), climconfig.ip(1), climconfig.route(1)


climconfig.vpn(1) climconfig.vpn(1)

NAME

climconfig.vpn − obtain information about virtual private networks

SYNOPSIS

CLIMCMD {clim-name|ip-address} climconfig vpn -status [-prov {prov-name | all}] [-s src-ip -d dst-ip]

CLIMCONFIG.VPN DESCRIPTION

This command displays the status of the VPN connection established between the source and destination IP addresses. The security policy and the association loaded in the Security Policy Database (SPD) and Security Association Database (SAD) are displayed in that order. -d and -s are optional parameters; if they are omitted, the status of all the VPN connections is shown.

PARAMETERS

-s src-ip Specifies the source IP address.

-d dst-ip Specifies the destination IP address.

-prov Specifies a provider name. This option is mandatory for CLIMs that have MULTIPROV set to ON and cannot be used if MULTIPROV is set to OFF. Each provider has its own IPSec configuration. The provider name is case-insensitive and always converted to upper case.

ERROR MESSAGES

The status for the VPN connection between src-ip and dst-ip is not found. Please check for the correct options and retry again.

EXAMPLES

> CLIMCMD clim1 climconfig vpn -status
Security Policies from SPD:
10.2.2.0/24[any] 10.1.1.2[any] any
    in ipsec
    esp/tunnel/10.2.2.1-10.1.1.2/require
    ah/tunnel/10.2.2.1-10.1.1.2/require
    created: Jun 22 20:48:13 2008  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=8 seq=2 pid=369
    refcnt=1
10.1.1.2[any] 10.2.2.0/24[any] any
    out ipsec
    esp/tunnel/10.1.1.2-10.2.2.1/require
    ah/tunnel/10.1.1.2-10.2.2.1/require
    created: Jun 22 20:48:13 2008  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=1 seq=1 pid=369
    refcnt=1
Security Associations from SAD:
10.1.1.2 10.2.2.1
    esp mode=tunnel spi=262906055(0x0faba0c7) reqid=0(0x00000000)
    E: 3des-cbc  f1eee61a f2642ace 2c89c610 c245978d 7ea13336 133d84d2
    A: hmac-md5  d34b8476 cb8bda72 9d1b8e0b 059f14ad
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jun 22 21:03:02 2008  current: Jun 22 21:03:22 2008
    diff: 20(s)  hard: 28800(s)  soft: 23040(s)
    last: Jun 22 21:03:03 2008  hard: 0(s)  soft: 0(s)
    current: 252(bytes)  hard: 0(bytes)  soft: 0(bytes)
    allocated: 3  hard: 0  soft: 0
    sadb_seq=3 pid=727 refcnt=0
10.2.2.1 10.1.1.2
    esp mode=tunnel spi=7523920(0x0072ce50) reqid=0(0x00000000)
    E: 3des-cbc  b5e66f7b faeb03c3 4571b6ed 5686d721 c05350ad 49e967c2
    A: hmac-md5  9206a14f 0f6dfb3a a2138e04 dc1c4140
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jun 22 21:03:03 2008  current: Jun 22 21:03:22 2008
    diff: 19(s)  hard: 28800(s)  soft: 23040(s)
    last: Jun 22 21:03:03 2008  hard: 0(s)  soft: 0(s)
    current: 408(bytes)  hard: 0(bytes)  soft: 0(bytes)
    allocated: 3  hard: 0  soft: 0
    sadb_seq=1 pid=727 refcnt=0
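Because the display includes the raw ESP and AH key material after E: and A:, a CLIMCMD session transcript that contains vpn -status output should be handled as a secret. As an added example (not part of the manpage or of the CIP software), the Python below parses the SAD half of the display, which follows the setkey -D layout, and flags what a reviewer would look for: the 3des-cbc and hmac-md5 algorithms the sample uses (RFC 8221 lists 3DES as SHOULD NOT and HMAC-MD5-96 as MUST NOT), an SA without a hard lifetime, and an SA with anti-replay disabled. The sample input is the first SA from the output above, constructed inline; the function names are the example's own.

```python
"""Audit the Security Associations shown by 'climconfig vpn -status'.

Added example, not part of the CIP/CLIM software. It parses the SAD half of
the display (the setkey -D layout) and flags algorithms that RFC 8221 marks
MUST NOT / SHOULD NOT, SAs that never rekey, and SAs with anti-replay off.
"""
import re

# Constructed sample: the first SA from this manpage's example output.
SAMPLE_SAD = """\
10.1.1.2 10.2.2.1
\tesp mode=tunnel spi=262906055(0x0faba0c7) reqid=0(0x00000000)
\tE: 3des-cbc  f1eee61a f2642ace 2c89c610 c245978d 7ea13336 133d84d2
\tA: hmac-md5  d34b8476 cb8bda72 9d1b8e0b 059f14ad
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Jun 22 21:03:02 2008\tcurrent: Jun 22 21:03:22 2008
\tdiff: 20(s)\thard: 28800(s)\tsoft: 23040(s)
\tlast: Jun 22 21:03:03 2008\thard: 0(s)\tsoft: 0(s)
\tcurrent: 252(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tallocated: 3\thard: 0\tsoft: 0
\tsadb_seq=3 pid=727 refcnt=0
"""

WEAK_ENCR = {"des-cbc", "3des-cbc", "null"}    # RFC 8221: DES MUST NOT, 3DES SHOULD NOT
WEAK_AUTH = {"hmac-md5", "keyed-md5"}          # RFC 8221: HMAC-MD5-96 MUST NOT

_HEAD = re.compile(r"^(\S+)\s+(\S+)$")                       # unindented "src dst" opens an SA
_PROTO = re.compile(r"^(esp|ah|ipcomp) mode=(\w+) spi=(\d+)\(")
_LIFE = re.compile(r"^diff: \d+\(s\)\s+hard: (\d+)\(s\)\s+soft: (\d+)\(s\)")


def parse_sad(text):
    """One dict per SA. Key material after 'E:'/'A:' is deliberately not retained."""
    entries, cur = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            m = _HEAD.match(raw)
            cur = None                       # headings such as "Security Associations from SAD:" are skipped
            if m:
                cur = {"src": m.group(1), "dst": m.group(2), "proto": None, "mode": None,
                       "spi": None, "encr": None, "auth": None, "state": None,
                       "replay": None, "hard_s": None}
                entries.append(cur)
            continue
        if cur is None:
            continue
        line = raw.strip()
        m = _PROTO.match(line)
        if m:
            cur["proto"], cur["mode"], cur["spi"] = m.group(1), m.group(2), int(m.group(3))
        elif line.startswith("E: "):
            cur["encr"] = line.split()[1]
        elif line.startswith("A: "):
            cur["auth"] = line.split()[1]
        elif "state=" in line:
            cur["state"] = re.search(r"state=(\w+)", line).group(1)
            cur["replay"] = int(re.search(r"replay=(\d+)", line).group(1))
        else:
            m = _LIFE.match(line)
            if m:
                cur["hard_s"] = int(m.group(1))   # hard lifetime in seconds; 0 means never expires
    return entries


def audit(entries):
    """Return (sa_label, finding) pairs; an empty list means nothing to report."""
    findings = []
    for sa in entries:
        label = f"{sa['src']}->{sa['dst']} {sa['proto']} spi=0x{sa['spi']:08x}"
        if sa["encr"] in WEAK_ENCR:
            findings.append((label, f"weak encryption {sa['encr']}"))
        if sa["auth"] in WEAK_AUTH:
            findings.append((label, f"weak integrity {sa['auth']}"))
        if not sa["hard_s"]:
            findings.append((label, "no hard lifetime, SA never rekeys"))
        if sa["replay"] == 0:                # setkey: a zero window disables the replay check
            findings.append((label, "anti-replay window disabled (replay=0)"))
    return findings
```

audit(parse_sad(SAMPLE_SAD)) reports the two algorithm findings for the sample SA and nothing else: its hard lifetime is 28800 seconds and its replay window is 4, so neither lifetime nor anti-replay is flagged.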

SEE ALSO

climconfig sa -stop, climconfig sp -start, climconfig sp -stop


climconfig.vxlan(1) climconfig.vxlan(1)

NAME

climconfig.vxlan − configure VXLAN interfaces

SYNOPSIS

CLIMCMD {clim-name|ip-address} climconfig vxlan -add <tenant-interface-name> -vni <vni-value> -multicastip <ip-address> -hostintf <interface-name> [-prov <provider-name>] [-dstport <port-number>] [-macaddr <address>] [-mtu <mtu-value>] [-ttl <ttl-value>] [-tos <tos-value>] [-udpcsum on|off] [-udp6zerocsumtx on|off] [-udp6zerocsumrx on|off]

CLIMCMD {clim-name|ip-address} climconfig vxlan -delete <tenant-interface-name> [-force]

CLIMCMD {clim-name|ip-address} climconfig vxlan -modify <tenant-interface-name> [-macaddr <address>] [-mtu <mtu-value>] [-force]

CLIMCMD {clim-name|ip-address} climconfig vxlan -info {<tenant-interface-name> | all} [-obeyform]

CLIMCONFIG.VXLAN DESCRIPTION

This command does the following:

vxlan -add

adds VXLAN interface to the /etc/network/interfaces file of the CLIM.

The host brings up the VXLAN interface when it is added.

If the CLIM has MULTIPROV ON and the operator specifies the -prov option with the name of an unconfigured prov object, that object is implicitly added.

The VXLAN interface can be added even when the CLIM is in the STARTED state.

vxlan -delete

deletes an existing VXLAN interface. If the VXLAN interface is active, the vxlan configuration cannot be deleted.

vxlan -modify

modifies the MTU and macaddr associated with a configured VXLAN interface.

It changes the existing interface configuration in the CLIM /etc/network/interfaces file.

vxlan -info

displays vxlan configuration information for a specified VXLAN interface.

The display format is:

Interface            : <tenant-interface-name>

Interface Type       : VXLAN Interface

VNI                  : <value>

Host Interface       : <host-interface-name>

Multicast IP         : <ip-address>

MTU Size             : <value>

UDP Port             : <value>

TTL value            : <value>

TOS value            : <value>

UDP Checksum         : <value>

UDP IPv6 Checksum TX : <value>

UDP IPv6 Checksum RX : <value>

Software MAC Address : <software-mac-address>

IP Address           : <ip-address>

Netmask              : <netmask>

ROUTE Details        :

-

Route Type           : Network Route

Destination Address  : <ip-address>

Netmask              : <netmask>

Gateway Address      : <value>

Metric               : <value>

Minimum RTO          : <value>

InitCWND             : <value>

Src                  : <value>

If any of the optional parameters is not configured, it appears as Unspecified in the display.

The -obeyform display format is:

climconfig vxlan -add <tenant-interface-name> -vni <vni-value>
    -multicastip <ip-address> -hostintf <parent-interface>
    [-prov <provider-name>][-dstport <port-number>]
    [-macaddr <address>][-mtu <mtu-value>][-ttl <ttl-time>]
    [-tos <tos-value>][-udpcsum on|off]
    [-udp6zerocsumtx on|off][-udp6zerocsumrx on|off]

PARAMETERS

tenant-interface-name

Is the name of the VXLAN interface to be added, deleted, modified or displayed. The tenant interface name is case sensitive and must be in lower case. The total length of the tenant interface name must not exceed 6 characters.

It is highly recommended to use the following naming convention so that VXLAN interfaces can be easily distinguished:

-> eNxSTR - VXLAN interface hosted on Ethernet interface ethN.

-> bNxSTR - VXLAN interface hosted on bonded interface bondN.

STR is an alphanumeric string of length between 1 and 3 characters.

all

Displays the configurations of all the VXLAN interfaces.

-obeyform

For a specified VXLAN interface name, displays the vxlan configuration in add command format.


-vni vni-value

The 24-bit VNI field to be set in the VXLAN header, specifying the VXLAN segment ID to be used by traffic through the VXLAN interface. It must be an integer value in the range of 1-16777215.

-multicastip ip-address

The IPv4 or IPv6 multicast IP address to be used by the VXLAN protocol for discovering which VXLAN endpoint holds a given tenant MAC address. The IPv4 address must be specified in dotted quad format and IPv6 address must be specified in string notation.

-hostintf interface-name

The physical Ethernet or bonded interface to be used for carrying the VXLAN traffic.

This interface must have at least one IP address configured on it.

-prov provider-name

The tenant provider in which the VXLAN interface will be configured.

This may or may not be the same as the provider in which the host interface is configured.

-dstport port-number

The UDP destination port to communicate to the remote VXLAN tunnel endpoint.

By default, if unspecified, the IANA assigned port of 4789 will be used.

-macaddr address

The MAC address that is to be used for the virtual Ethernet frames delivered inside VXLAN encapsulated packets. It must be specified in six groups of hexadecimal digits separated by colons.

By default, this MAC address is the same as the MAC address of the host interface.

-mtu mtu-value

The maximum transmission unit for virtual LAN Ethernet frames that are tunneled through the VXLAN interface.

For a VXLAN interface with an IPv4 multicast IP address, the mtu-value must be at least 50 bytes less than the MTU of the host interface on which it is configured. By default, if unspecified, the MTU is set to a value 50 bytes less than the MTU of the host interface.

For a VXLAN interface with an IPv6 multicast IP address, the mtu-value must be at least 70 bytes less than the MTU of the host interface on which it is configured. By default, if unspecified, the MTU is set to a value 70 bytes less than the MTU of the host interface.

-ttl ttl-value

The time-to-live value that is to be used for outgoing packets.

The default value is 64.

-tos tos-value

The value to be placed into the 8-bit Differentiated Services (DS) field in the IP header for all outgoing packets.

The tos-value must be in hexadecimal format in the range of 0x00 - 0xfc.

The upper 6 bits of the DS field constitute the Differentiated Service Code Point (DSCP) field, and the lower 2 bits of the DS field are unused and must be set to 0.

The default value is 0x00.

-udpcsum on|off

This option enables UDP checksum calculation for packets transmitted over IPv4. By default it is "off", i.e. the checksum is not calculated.

-udp6zerocsumtx on|off

This option allows UDP checksum calculation for packets transmitted over IPv6 to be disabled. By default it is "on", i.e. the checksum is calculated for packets transmitted over IPv6.

-udp6zerocsumrx on|off

This option allows the receipt of incoming UDP packets over IPv6 with a zero checksum field to be disabled. By default it is "on", i.e. incoming packets over IPv6 with a zero checksum field are accepted.

-force Causes the command to modify the VXLAN interface without prompting for confirmation.

ERROR MESSAGES

For vxlan -add:

A maximum combined total of only 100 VLAN and VXLAN interfaces can be configured per CLIM.

NSK system is running older version of CIP Subsystem software that does not support VXLAN interfaces.

The specified tenant interface name <tenant-interface-name> is more than 6 characters.

The specified tenant interface <tenant-interface-name> is already configured.

The vxlan interface <tenant-interface-name> with vni <value> is already configured on the host interface <interface-name>.

VXLAN interface cannot be configured in <maintenance-provider-name> provider.

The vni must be an integer value in the range of 1-16777215.

The specified host interface <host-interface> is not configured.

The specified host interface <host-interface> is neither physical nor bonded interface.

The specified host interface <host-interface> has no IP addresses configured.

The specified multicast IP address <ip-address> is invalid.

The specified destination port <port-number> is invalid.

The specified mac address <MAC-address> is invalid.

For a VXLAN interface with IPv4 multicast IP address, the MTU must be at least 50 bytes less than that of its host interface <host-interface>.

For a VXLAN interface with IPv6 multicast IP address, the MTU must be at least 70 bytes less than that of its host interface <host-interface>.

The specified value <value> for <parameter-name> parameter is invalid.

This command is not supported on <clim-mode> CLIM.

The -prov option is not supported for CLIM with SCF MULTIPROV option set to OFF.

The -prov option must be specified for CLIM with SCF MULTIPROV option set to ON.

The specified provider name is invalid; it must not be more than seven characters and must be alpha-numeric characters with the first character being alphabetic.

This command is not supported for the interface <interface-name>.

For vxlan -delete:

The specified VXLAN interface <vxlan-interface> is not configured.

The VXLAN interface <vxlan-interface> is UP; cannot execute this command.

This command is not supported for the interface <interface-name>.

For vxlan -modify:

The specified VXLAN interface <vxlan-interface> is not configured.

The specified mac address <MAC-address> is invalid.

A value within the range 1280 to 9000 must be specified for -mtu option.

The specified MTU <value> is greater than the MTU of the host interface <host-interface>.

For vxlan -info:

The specified VXLAN interface <interface-name> is not configured.

CONSIDERATIONS

As of the L17.02 release:

VXLAN is supported only on Gen9 L-Series CLIM(s). It is not supported on Storage and IB CLIM(s).

A VXLAN interface cannot be added when the CLIM is in the STARTED state and the NSK system is running an older version of the CIP Subsystem software that does not support VLAN and VXLAN interfaces.

Only physical and bonded interfaces can be specified as the host interface.

The host interface must have at least one IP address.

A VXLAN interface cannot be configured in the maintenance providers (%MAINT and %MPROV).

A maximum combined total of 100 VLAN and VXLAN interfaces can be configured per CLIM.

Only one VXLAN interface per VNI per host interface is supported on the CLIM.

A VXLAN interface cannot be deleted while it is active (UP).

A MAC address can be modified only for a VXLAN interface that is DOWN (stopped).
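The parameter rules and error conditions listed above can be checked before a vxlan -add is ever sent to the CLIM. The following pre-flight validator is an added example written for this manpage; it is not part of the manpage or of the CIP software. It assumes the operator knows the host interface MTU and the CLIM's SCF MULTIPROV setting. The TTL range 1-255 and the UDP port range 1-65535 are assumptions (the manpage only says such values can be "invalid"), and the comment on the 50/70-byte MTU headroom explains it as the VXLAN encapsulation overhead, which the manpage does not state.

```python
import ipaddress
import re

# Added example (not CIP code): limits as documented in climconfig.vxlan(1).
VNI_MIN, VNI_MAX = 1, 16777215
NAME_MAX_LEN = 6
TOS_MAX = 0xfc
DEFAULT_DSTPORT, DEFAULT_TTL, DEFAULT_TOS = 4789, 64, 0x00
# Headroom required between tenant MTU and host MTU. It equals the encapsulation
# overhead: outer Ethernet 14 + UDP 8 + VXLAN 8 = 30 bytes, plus an outer IPv4
# header (20) = 50 or an outer IPv6 header (40) = 70.
OVERHEAD = {4: 50, 6: 70}
HOSTINTF_RE = re.compile(r"^(eth|bond)\d+$")                 # physical or bonded only
NAME_CONVENTION_RE = re.compile(r"^[eb]\d+x[a-z0-9]{1,3}$")  # recommended eNxSTR / bNxSTR
MAC_RE = re.compile(r"^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")
PROV_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]{0,6}$")          # 1-7 chars; %MAINT/%MPROV never match
ON_OFF = ("on", "off")


def _int_or_none(text, default):
    """Parse an integer option: absent -> default, unparsable -> None."""
    if text is None:
        return default
    try:
        return int(text)
    except ValueError:
        return None


def validate_vxlan_add(args, host_mtu, host_has_ip=True, multiprov=True):
    """Check a proposed 'climconfig vxlan -add' against the documented rules.

    args maps option names without the leading '-' to their string values
    ('add' carries the tenant interface name). host_mtu and host_has_ip
    describe the host interface; multiprov mirrors the SCF MULTIPROV setting.
    Returns (errors, warnings, effective); effective holds the values that
    would apply once defaults are filled in.
    """
    errors, warnings, eff = [], [], {}
    name = args.get("add", "")
    if not 1 <= len(name) <= NAME_MAX_LEN:
        errors.append(f"tenant interface name '{name}' must be 1-{NAME_MAX_LEN} characters")
    elif name != name.lower():
        errors.append(f"tenant interface name '{name}' must be lower case")
    elif not NAME_CONVENTION_RE.match(name):
        warnings.append(f"'{name}' does not follow the recommended eNxSTR/bNxSTR convention")
    eff["name"] = name

    vni = _int_or_none(args.get("vni"), None)
    if vni is None or not VNI_MIN <= vni <= VNI_MAX:
        errors.append(f"vni must be an integer in the range {VNI_MIN}-{VNI_MAX}")
    eff["vni"] = vni

    family = None
    try:
        group = ipaddress.ip_address(args.get("multicastip", ""))
        if not group.is_multicast:
            raise ValueError("not a multicast address")
        family = group.version
    except ValueError:
        errors.append(f"multicast IP address '{args.get('multicastip')}' is invalid")
    eff["multicastip"] = args.get("multicastip")

    host = args.get("hostintf", "")
    if not HOSTINTF_RE.match(host):
        errors.append(f"host interface '{host}' is neither physical nor bonded")
    elif not host_has_ip:
        errors.append(f"host interface '{host}' has no IP addresses configured")
    eff["hostintf"] = host

    prov = args.get("prov")
    if multiprov and prov is None:
        errors.append("-prov must be specified when SCF MULTIPROV is ON")
    elif not multiprov and prov is not None:
        errors.append("-prov is not supported when SCF MULTIPROV is OFF")
    elif prov is not None and not PROV_RE.match(prov):
        errors.append("provider name must be 1-7 alphanumeric characters, starting with a letter")
    eff["prov"] = prov

    port = _int_or_none(args.get("dstport"), DEFAULT_DSTPORT)
    if port is None or not 1 <= port <= 65535:   # assumption: any valid UDP port
        errors.append(f"destination port '{args.get('dstport')}' is invalid")
    eff["dstport"] = port

    mac = args.get("macaddr")
    if mac is not None and not MAC_RE.match(mac):
        errors.append(f"mac address '{mac}' is invalid")
    eff["macaddr"] = mac   # None: the host interface MAC is inherited

    if family is not None:   # the headroom depends on the outer IP family
        ceiling = host_mtu - OVERHEAD[family]
        mtu = _int_or_none(args.get("mtu"), ceiling)
        if mtu is None or mtu > ceiling:
            errors.append(f"MTU must be at least {OVERHEAD[family]} bytes less than the host MTU {host_mtu}")
        eff["mtu"] = mtu

    ttl = _int_or_none(args.get("ttl"), DEFAULT_TTL)
    if ttl is None or not 1 <= ttl <= 255:       # assumption: 8-bit TTL field
        errors.append(f"value '{args.get('ttl')}' for ttl is invalid")
    eff["ttl"] = ttl

    tos_text, tos = args.get("tos"), DEFAULT_TOS
    if tos_text is not None:
        try:
            tos = int(tos_text, 16) if tos_text.lower().startswith("0x") else -1
        except ValueError:
            tos = -1
        # Documented: hexadecimal 0x00-0xfc, and the two low DS bits must be zero.
        if not 0 <= tos <= TOS_MAX or tos & 0x3:
            errors.append(f"value '{tos_text}' for tos is invalid")
    eff["tos"] = tos

    for opt in ("udpcsum", "udp6zerocsumtx", "udp6zerocsumrx"):
        val = args.get(opt)
        if val is not None and val not in ON_OFF:
            errors.append(f"value '{val}' for {opt} is invalid")
        eff[opt] = val
    return errors, warnings, eff
```

Running the manpage's own example (e1xzt8 on eth1 with group ff12::5 and -mtu 1000) against a host MTU of 1500 yields no errors, since 1500 - 70 = 1430 leaves room for 1000; the same request with -mtu 1460 is rejected, as is a tos value such as 0x03 whose low two bits are set.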

EXAMPLES

> CLIMCMD NCLIM001 climconfig vxlan -add e1xzt8 -vni 8 -hostintf eth1 -multicastip ff12::5 -prov ztc7 -dstport 6400 -mtu 1000 -ttl 32 -udpcsum on

> CLIMCMD 100.253.17.2 climconfig vxlan -delete e1xzt8

> CLIMCMD NCLIM001 climconfig vxlan -info e1xzt8

Interface            : e1xzt8

Interface Type       : VXLAN Interface

VNI                  : 8

Host Interface       : eth1

Multicast IP         : ff12::5

MTU Size             : 1000

UDP Port             : 6400

TTL value            : 32

TOS value            : Unspecified

UDP Checksum         : on

UDP IPv6 Checksum TX : Unspecified

UDP IPv6 Checksum RX : Unspecified

Software MAC Address : Unspecified

> CLIMCMD NCLIM001 climconfig vxlan -info e1xzt8 -obeyform

climconfig vxlan -add e1xzt8 \
    -vni 8 \
    -hostintf eth1 \
    -multicastip ff12::5 \
    -prov ZTC7 \
    -dstport 6400 \
    -mtu 1000

#CLIMCMD expects 'exit' to be the last command.

#This is required to terminate CLIMCMD session.

exit

Termination Info: 0

SEE ALSO

climconfig ip -add, climconfig vlan -add, climstatus -od


climhelp(1) climhelp(1)

NAME

climhelp - displays the list of supported Linux commands for the CLIM

SYNOPSIS

climcmd {clim-name | ipaddress} man climhelp

DESCRIPTION

climhelp displays the list of supported Linux commands for the CLIM. In addition to these commands, standard non-destructive Linux commands such as cat, cd, date, free, grep, less, ls, mkdir, more, wc, who and vmstat are also supported. Any destructive Linux command should not be used as it may cause failure of the CIP subsystem.

List of supported commands:

arp -a

display the Internet-to-Ethernet address translation tables used by the address resolution protocol

clim

operate, maintain, and assimilate debugging information of the CLIM software

climconfig

configure network, failover, IPSec and SNMP configuration parameters

climstatus

display CLIM specific status information

cmd

command wrapper which executes Linux command on the CLIM and logs it into system log

ethtool <interface-name>

display the ethernet card settings for the given interface

ifconfig

display the status of currently active interfaces

ifconfig <interface-name>

display the status for the given interface

ifconfig -a

display the status of all interfaces, even those that are down

ifstart

inform NonStop host system to start using an interface for all its functionalities

ifstop

inform NonStop host system to stop using an interface for all its functionalities

ip addr show

display all the IP addresses for each of the network interfaces

ip route show

display the contents of the routing tables

ip link show

lists the network interfaces


lunmgr

manage the LUN number assignments that the CLIM uses to communicate with the NonStop host system.

man

find and display reference manual pages

netstat

print network connections, routing tables, masquerade connections, interface statistics and multicast memberships

ping

send ICMP ECHO_REQUEST to network hosts

ping6

send ICMP6 ECHO_REQUEST to network hosts

psclim

show system information about CLIM processes

tcpdump

dump traffic on a network

traceroute

print the route that packets take to the network host

traceroute6

traces path to a network host

NOTES

For details of each command listed above, see the respective man pages.

Examples:

climcmd {clim-name | ipaddress} man climconfig

climcmd {clim-name | ipaddress} man climstatus

climcmd {clim-name | ipaddress} man 8 ifconfig

SEE ALSO

arp(1), arp(8), clim(1), climconfig(1), climstatus(1), cmd(1), ethtool(1), ifconfig(8), ip(1), ip(8), lunmgr(1), man(1), netstat(8), ping(8), ping6(8), psclim(1), tcpdump(8), traceroute(8), traceroute6(8)


climstatus(1) climstatus(1)

NAME

climstatus − displays CLIM specific status information

SYNOPSIS

CLIMCMD {clim-name|ip-address} climstatus [-o option]

CLIMSTATUS DESCRIPTION

climstatus is a program that provides status information about the active objects on a specific CLIM (see climconfig(1) for information on obtaining permanent configuration information):

ServerNet

EtherNet, Local Area Network (LAN)

Kernel IP Routing Table

Secondary Storage Devices, Hard Disk Drives (HDD)

IP Security policies and associations

Interface Failover configuration

SNMP Configuration information

climprep configuration information

iptables and ip6tables configuration

climstatus, when invoked, provides status information on all of the above-mentioned components by default.

However, a user can view status information pertaining to a particular component by providing a -o option to the climstatus command, followed by a character that represents the desired component. The set of characters representing each component is listed under Parameters.

PARAMETERS

This section lists the options that can be used after the -o option.

s

Primarily displays Interconnect information. It includes the CLIM mode (IP, STORAGE), CLIM model name, SCS status, number of connection points and their fabric location ((X1, Y1) & (X2, Y2)) on NonStop Integrity systems. It includes the mode and state for InfiniBand on NonStop X systems. It also includes the networking, storage and HPTE software versions.

l

Displays the status information pertaining to the Local Area Network (EtherNet) only. Displays information specific to the network such as the interface name, type, status, link status, and IP addresses (both IPv4 and IPv6). The LAN information is categorized into three separate classes: Maintenance, Maintenance Provider and Data. The interface "eth0" is the onboard interface that has been reserved as the Maintenance interface and is used for clim internal housekeeping activities. The other interfaces are open for normal Data usage.

r

Displays the status information pertaining to the Kernel IP Routing Table. Displays information specific to the Kernel IPv4 routing table such as the interface name, destination IP address, gateway, and mask. For the Kernel IPv6 routing table, only the interface name, destination IP address, and next hop information is displayed.

h

Displays the information pertaining to filesystem disk space usage on the CLIM: filesystem name, type, size, used and available amount of space, percentage of used space, and the mount point.

i

Displays the information pertaining to IPSec, such as security policies and associations.

f

Displays interface failover information.

m

Displays CLIM SNMP information.

c

Displays climprep information. On the NonStop Integrity platform, it displays the location of the CLIM in terms of Group Module Slot Port (GMSP), the name of the NonStop host to which the CLIM is connected, and the model name of the CLIM. On the NonStop X platform, it displays the node number of the NonStop host to which the CLIM is connected, the IP addresses of the InfiniBand X and Y ports, and the model name of the CLIM.

t

Displays iptables and ip6tables information.

d

Displays the forwarding database of VXLAN interfaces.

ERROR MESSAGES

None.

CONSIDERATIONS

None.

EXAMPLES

> CLIMCMD NCLIM001 climstatus -o d

Data Provider ZTC7 VXLAN Forwarding Database:

VXLAN Interface b0xzt7:

00:00:00:00:00:00 dst 239.1.1.1 via ifindex 4 self permanent

56:f3:67:d8:75:2d dst 10.1.0.2 self

56:f3:67:b9:67:ef dst 10.1.0.3 self

Data Provider ZTC8 VXLAN Forwarding Database:

No forwarding database entries.

> CLIMCMD NCLIM006 climstatus -o s

--------------------------------------------------------------------------------

CLIM Configuration & Status:

Mode..................... IP

Model Name............... Gen9 CLIM with 4-ports 10G copper and 1-port 1G copper

State.................... STARTED

Last Restart Time........ Wed Dec 14 16:07:44 2016

CLIM Hostname............ NCLIM006

Network SW Version....... T0691L03_15FEB2017_DAR_CLIM_D16

Storage SW Version....... T0830L03_15FEB2017_12DEC2016_DAR

CIP SW Version........... T0853L03_15FEB2017_12DEC2016_DAR

Number of Socket Servers. 1

CIP/Linux Version:

Linux 3.16.38-clim-6-amd64 #1 SMP Debian 3.16.38-clim-6 (2016-12-05)

--------------------------------------------------------------------------------
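The climstatus -o d output above lists, per VXLAN interface, the all-zero "flood" entry that points at the multicast group and the tenant MACs learned from remote VXLAN endpoints. A reader that parses that format and compares the learned endpoints against the VTEPs an operator expects, as an added example that is not part of the manpage or of the CIP software (the sample output is the manpage example plus one constructed extra entry, and the EXPECTED table is hypothetical):

```python
import re

# Added example (not CIP code): parse 'climstatus -o d' output and compare the
# learned remote endpoints with the VTEPs the operator expects to see.
PROVIDER_RE = re.compile(r"^Data Provider (\S+) VXLAN Forwarding Database:$")
INTERFACE_RE = re.compile(r"^VXLAN Interface (\S+):$")
ENTRY_RE = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) dst (?P<dst>\S+)"
    r"(?: via ifindex (?P<ifindex>\d+))?(?P<flags>(?: \w+)*)$"
)
FLOOD_MAC = "00:00:00:00:00:00"   # the all-zero entry carries unknown-destination traffic to the group

# Constructed sample: the manpage's example output plus one extra learned entry (10.1.0.9).
SAMPLE_OUTPUT = """\
Data Provider ZTC7 VXLAN Forwarding Database:
VXLAN Interface b0xzt7:
00:00:00:00:00:00 dst 239.1.1.1 via ifindex 4 self permanent
56:f3:67:d8:75:2d dst 10.1.0.2 self
56:f3:67:b9:67:ef dst 10.1.0.3 self
56:f3:67:01:02:03 dst 10.1.0.9 self
Data Provider ZTC8 VXLAN Forwarding Database:
No forwarding database entries.
"""

# Hypothetical expectation per VXLAN interface: its multicast group and known VTEP addresses.
EXPECTED = {"b0xzt7": {"group": "239.1.1.1", "vteps": {"10.1.0.2", "10.1.0.3"}}}


def parse_fdb(text):
    """Turn climstatus -o d output into a list of entry dicts."""
    entries, provider, iface = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "No forwarding database entries.":
            continue
        m = PROVIDER_RE.match(line)
        if m:
            provider, iface = m.group(1), None
            continue
        m = INTERFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not m or iface is None:
            raise ValueError(f"unrecognised line: {raw!r}")
        entries.append({
            "provider": provider, "interface": iface,
            "mac": m.group("mac"), "dst": m.group("dst"),
            "ifindex": int(m.group("ifindex")) if m.group("ifindex") else None,
            "flags": set(m.group("flags").split()),
        })
    return entries


def audit_fdb(entries, expected):
    """Return findings for entries that disagree with the expected table.

    expected maps interface name -> {"group": multicast ip, "vteps": {unicast ips}}.
    An empty list means every flood entry points at its group and every learned
    MAC came from a known VTEP.
    """
    findings = []
    for e in entries:
        exp = expected.get(e["interface"])
        if exp is None:
            findings.append(f"{e['interface']}: interface not in the expected set")
        elif e["mac"] == FLOOD_MAC:
            if e["dst"] != exp["group"] or "permanent" not in e["flags"]:
                findings.append(f"{e['interface']}: flood entry points at {e['dst']}, expected {exp['group']}")
        elif e["dst"] not in exp["vteps"]:
            findings.append(f"{e['interface']}: {e['mac']} learned from unknown VTEP {e['dst']}")
    return findings
```

Run periodically against the live output, the audit turns a quiet change in the forwarding database (a tenant MAC suddenly learned from an endpoint nobody configured) into something an operator is told about rather than something that has to be noticed by eye.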

SEE ALSO

climconfig(1)


cmd(1) cmd(1)

NAME

cmd - Command wrapper which executes Linux command on the CLIM and logs it into system log.

DESCRIPTION

Certain native Linux commands issued via CLIMCMD, whether destructive or not, need to be logged into system log for audit purpose. cmd is the command wrapper used for executing supported Linux commands on the CLIM. The user-entered command is logged in its entirety to the system log, along with its arguments and information on the NonStop user who issued the command. The result of the command, along with the CLIM user information, is written to the system log.

List of supported commands:

rm <file-name>

deletes the given file from the CLIM

Examples:

climcmd {clim-name | ipaddress} cmd rm abc


ifstart(1) ifstart(1)

NAME

ifstart − start an interface

SYNOPSIS

CLIMCMD {clim-name|ip-address} ifstart <interface-name>

IFSTART DESCRIPTION

ifstart allows you to activate an interface if you have stopped the interface using the ifstop command. For all network interfaces (ethernet, ip-over-infiniband, bonding, VLAN, VXLAN and tunnel interfaces), this command activates the specified interface.

PARAMETERS

<interface-name>

Specifies the name of the network interface that is to be started and made available to the NonStop host. The interface name can be specified as a physical or bonded interface name, for example, eth1 or bond0 or ib0, or a tunnel interface (for example, MYTUN) or a VLAN interface name (for example, e1v7) or a VXLAN interface name (for example, b0xzt8).

ERROR MESSAGES

The interface <interface-name> is not configured.

This command is not supported for this interface.

climagt process is not executing.

The interface is already in started state.

The -provider option of CLIMCMD should not be used along with ifstart.

Interface <interface-name> does not exist in the kernel.

Slave interface is not configured for this bonding interface.

CONSIDERATIONS

For a tunnel, VLAN, or VXLAN interface to get started, its associated host interface should be in started state.

EXAMPLES

> CLIMCMD N100241 ifstart eth3

SEE ALSO

ifstop(1), climconfig(1)


ifstop(1) ifstop(1)

NAME

ifstop − stop an interface

SYNOPSIS

CLIMCMD {clim-name|ip-address} ifstop <interface-name> [-force]

IFSTOP DESCRIPTION

Use the ifstop command to deactivate an interface. ifstop brings down the ethernet, ip-over-infiniband, bonding, VLAN, VXLAN and tunnel interfaces and deactivates all the IP addresses and routes associated with the network interface.

PARAMETERS

<interface-name>

Specifies the name of the network interface that is to be stopped and made unavailable to the NonStop host. The interface name can be specified as a physical or bonded interface name, for example, eth1 or bond0 or ib0, or a tunnel interface (for example, MYTUN) or a VLAN interface name (for example, e1v7) or a VXLAN interface name (for example, b0xzt8).

-force

When used without -force option, ifstop prompts for confirmation before stopping the interface. If the -force option is used, ifstop stops the interface without prompting for the confirmation.

ERROR MESSAGES

The interface <interface-name> is not configured.

This command is not supported for this interface.

climagt process is not executing.

climagt not responding for the ifstop request.

The interface is in already in stopped state.

The -provider option of CLIMCMD should not be used along with ifstop.

The interface <interface-name> is not existing in the kernel.

The interface <interface-name> has a tunnel interface associated with it. The tunnel interface should be stopped prior to stopping the specified interface.

The interface <interface-name> has a vlan interface <vlan-interface-name> associated with it, vlan interface should be stopped prior to stopping the specified interface.

The interface <interface-name> has a vxlan interface <vxlan-interface-name> associated with it, vxlan interface should be stopped prior to stopping the specified interface.

CONSIDERATIONS

If there is a tunnel or VLAN or VXLAN interface associated with the specified interface, and if the associated tunnel or VLAN or VXLAN interface is UP, CIP does not allow the interface to be stopped until all the associated interfaces are stopped.
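The dependency rule stated under ifstart(1) and ifstop(1) (a tunnel, VLAN or VXLAN interface starts only after its host interface is started, and must be stopped before its host interface can be stopped) can be turned into an ordered command plan so that no ifstop is rejected with a "has a ... interface associated with it" error. The following is an added example in Python, not part of the manpages or of the CIP software; the interface names and the HOST_OF mapping are hypothetical.

```python
from collections import defaultdict

# Added example (not CIP code): order ifstop/ifstart commands so that dependent
# interfaces (tunnel, VLAN, VXLAN) go down before their host and come up after it.

# Hypothetical CLIM: which interface carries each dependent interface.
HOST_OF = {"e1v7": "eth1", "e1xzt8": "eth1", "MYTUN": "e1v7", "b0xzt7": "bond0"}


def stop_plan(target, host_of, up):
    """Return the interfaces to pass to ifstop, in order, to bring target down.

    Dependants are visited depth-first before their host, so each ifstop is
    issued only after everything carried on that interface is already stopped,
    which is the condition CIP enforces. Interfaces not in `up` are skipped.
    """
    children = defaultdict(list)
    for child, host in host_of.items():
        children[host].append(child)
    order = []

    def visit(name):
        for child in sorted(children[name]):
            visit(child)
        if name in up:
            order.append(name)

    visit(target)
    return order


def start_plan(target, host_of, up):
    """Return the interfaces to pass to ifstart, in order, to bring target up.

    Walks up the host chain until an interface that is already UP is found and
    returns the chain host-first, since a dependant starts only on a started host.
    """
    chain, name = [], target
    while name is not None and name not in up:
        chain.append(name)
        name = host_of.get(name)
    chain.reverse()
    return chain


def render(clim, action, order, force=False):
    """Format a plan as CLIMCMD lines; -force suppresses the ifstop confirmation prompt."""
    suffix = " -force" if action == "ifstop" and force else ""
    return [f"CLIMCMD {clim} {action} {name}{suffix}" for name in order]
```

For the hypothetical CLIM above, stopping eth1 while everything is UP yields MYTUN, e1v7, e1xzt8 and then eth1, and starting MYTUN when only eth1 is UP yields e1v7 followed by MYTUN.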

EXAMPLES

> CLIMCMD N100242 ifstop eth3

SEE ALSO

ifstart(1), climconfig(1)


psclim(1) psclim(1)

NAME

psclim − display the status of the CLIM processes

SYNOPSIS

CLIMCMD {clim-name|ip-address} psclim

PSCLIM DESCRIPTION

psclim is a derivation of the 'ps' command. It displays system information about the CLIM processes. The CLIM processes consist of climmon, confsync, climagt and one or more cipssrv. The information displayed consists of the process PID, memory used, percentage memory, percentage CPU time, accumulated CPU time, start time, run status, and start command.

PARAMETERS

None

ERROR MESSAGES

None

CONSIDERATIONS

None.

EXAMPLES

CLIMCMD CLIM1:~# psclim

PID RSS %MEM %CPU TIME START STAT CMD

6554 1648 0.0 0.0 00:00:00 14:56 S /usr/local/bin/climmon

6555 2416 0.0 0.0 00:00:00 14:56 S cipssrv --number 0

6570 1174 0.0 0.0 00:00:00 14:56 S confsync

6575 2192 0.0 0.2 00:00:00 14:56 S climagt --number 1

SEE ALSO

ps(1), clim(1), climstatus(1)
