Linux iproute2 命令家族(ip / ss)

胡高寒
2023-12-01

iproute 简介

iproute 与内核是密切相关的,上游 iproute2 的版本号跟随内核版本发布;但发行版中安装的软件包版本不一定与正在运行的内核版本相同,例如下面的输出中 iproute 为 4.11.0,而内核为 3.10.0。

[root@LeeMumu ~]# rpm -qi iproute
Name        : iproute
Version     : 4.11.0
Release     : 14.el7_6.2
Architecture: x86_64
Install Date: Sun 28 Jul 2019 09:28:29 AM EDT
Group       : Applications/System
Size        : 1793061
License     : GPLv2+ and Public Domain
Signature   : RSA/SHA256, Mon 29 Apr 2019 11:45:09 AM EDT, Key ID 24c6a8a7f4a80eb5
Source RPM  : iproute-4.11.0-14.el7_6.2.src.rpm
Build Date  : Wed 24 Apr 2019 10:03:34 AM EDT
Build Host  : x86-02.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://kernel.org/pub/linux/utils/net/iproute2/
Summary     : Advanced IP routing and network device configuration tools
Description :
The iproute package contains networking utilities (ip and rtmon, for example)
which are designed to use the advanced networking capabilities of the Linux
kernel.
[root@LeeMumu ~]# uname -r
3.10.0-957.el7.x86_64
[root@LeeMumu ~]# cat /etc/redhat-release 
CentOS Linux release 7.6.1810 (Core) 

ip 命令

用来显示或操纵Linux主机的路由、网络设备、策略路由和隧道,是Linux下较新的功能强大的网络配置工具。

show / manipulate routing, devices, policy routing and tunnels

语法格式:

# ip [ OPTIONS ] OBJECT { COMMAND | help }
				 OBJECT := { link | addr | route | netns  }

注意: OBJECT可简写,各OBJECT的子命令也可简写

1、ip link

ip link: network device configuration

1.1 up / down 和 multicast

ip  link  set - change device attributes
	dev NAME (default)            # 指明要管理的设备,dev 关键字可省略
	up 和 down                    # 对接口进行up或down
	multicast on 或 multicast off # 启用或禁用多播功能
	
# ip link set tangtang multicast on

1.2 name

# ip  link  set name NAME:重命名接口
	# 重命名接口时,需要对接口进行down,才能进行操作
	
# ip link set wlp2s0 name tangtang
RTNETLINK answers: Device or resource busy
# ip link set wlp2s0 down
# ip link set wlp2s0 name tangtang
# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT 
	link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
	link/ether e4:3a:6e:0a:9b:88 brd ff:ff:ff:ff:ff:ff
3: tangtang: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN mode DEFAULT qlen 1000
	link/ether d0:c5:d3:4e:25:71 brd ff:ff:ff:ff:ff:ff

1.3 mtu

# ip link set mtu NUMBER        # 设置 MTU 的大小,默认为1500

# ip link set tangtang mtu 1300

1.4 netns

netns { PID | NAME }   # ns为namespace,用于将接口移动到指定的网络名称空间;可用进程 PID 或 netns 名称指定(下例使用名称 neo)

# ip netns add neo
# ip netns list
# ip link set tangtang netns neo

1.5 show

# ip  link  show  - display device attributes
	# 看二层设备的相关属性,和 IP 地址没关系

1.6 help

# ip  link  help -  显示简要使用帮助

2、ip netns

manage network namespaces

# ip netns list                # 列出所有的 netns
# ip netns add NAME            # 创建指定的 netns
# ip netns del NAME            # 删除指定的 netns
# ip netns exec NAME COMMAND   # 在指定的 netns 中运行命令

3、ip address

3.1 ip address add

ip address add - add new protocol address
# ip  addr  add  IFADDR  dev  IFACE
	[label NAME]:为额外添加的地址指明接口别名
		指定接口别名后,使用 ifconfig -a 可以查看到所有的接口名称和IP地址
		不指定接口别名时,ifconfig -a 看不到额外添加的地址(如下例中的 10.0.0.2),需使用 ip addr list IFACE 进行查看

	[broadcast ADDRESS]:广播地址;写成 broadcast + 时会根据IP和NETMASK自动计算得到(下例未指定该参数,所以 ifconfig 显示 broadcast 0.0.0.0)
	
	[scope SCOPE_VALUE]:
		global:全局可用
		link:接口可用
		host:仅本机可用
# ip addr add 10.0.0.1/8 dev tangtang                                     
# ip addr add 10.0.0.2/8 dev tangtang                                     
# ip addr add 10.0.0.3/8 dev tangtang label tangtang:0                    
# ip addr add 192.168.0.2/24 dev tangtang label tangtang:1                
                                                                          
# ifconfig -a                                                             
tangtang: flags=4098<BROADCAST,MULTICAST>  mtu 1500                       
        inet 10.0.0.1  netmask 255.0.0.0  broadcast 0.0.0.0               
        ether d0:c5:d3:4e:25:71  txqueuelen 1000  (Ethernet)              
        RX packets 0  bytes 0 (0.0 B)                                     
        RX errors 0  dropped 0  overruns 0  frame 0                       
        TX packets 0  bytes 0 (0.0 B)                                     
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0        
                                                                          
tangtang:0: flags=4098<BROADCAST,MULTICAST>  mtu 1500                     
        inet 10.0.0.3  netmask 255.0.0.0  broadcast 0.0.0.0               
        ether d0:c5:d3:4e:25:71  txqueuelen 1000  (Ethernet)              
                                                                          
tangtang:1: flags=4098<BROADCAST,MULTICAST>  mtu 1500                     
        inet 192.168.0.2  netmask 255.255.255.0  broadcast 0.0.0.0        
        ether d0:c5:d3:4e:25:71  txqueuelen 1000  (Ethernet)              
                                                                          
# ip addr list tangtang                                                   
3: tangtang: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN qlen 1000 
    link/ether d0:c5:d3:4e:25:71 brd ff:ff:ff:ff:ff:ff                    
    inet 10.0.0.1/8 scope global tangtang                                 
       valid_lft forever preferred_lft forever                            
    inet 192.168.0.2/24 scope global tangtang:1                           
       valid_lft forever preferred_lft forever                            
    inet 10.0.0.2/8 scope global secondary tangtang                       
       valid_lft forever preferred_lft forever                            
    inet 10.0.0.3/8 scope global secondary tangtang:0                     
       valid_lft forever preferred_lft forever                            

3.2 ip address delete

delete protocol address
# ip addr  delete  IFADDR  dev  IFACE 
# ip addr delete 10.0.0.3/8 dev tangtang

3.3 ip address show

look at protocol addresses

# ip  addr   list  [IFACE]:显示接口的地址
# ip addr list tangtang                                                   
3: tangtang: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN qlen 1000 
    link/ether d0:c5:d3:4e:25:71 brd ff:ff:ff:ff:ff:ff                    
    inet 10.0.0.1/8 scope global tangtang                                 
       valid_lft forever preferred_lft forever                            
    inet 192.168.0.2/24 scope global tangtang:1                           
       valid_lft forever preferred_lft forever                            
    inet 10.0.0.2/8 scope global secondary tangtang                       
       valid_lft forever preferred_lft forever                            

3.4 ip address flush

flush protocol addresses
# ip  addr  flush  dev  IFACE  清除接口所有地址(若正通过该接口远程登录,会话会中断)
# ip addr flush dev tangtang

4、ip route

routing table management

# ip route add - add new route
# ip route change - change route
# ip route replace - change or add new one
	# ip  route   add  TYPE PREFIX  via GW  [dev  IFACE]  [src SOURCE_IP]
		IFACE 有多个地址,在配置路由时,可以指定 SOURCE_IP 
		GW 下一跳

# ip route delete - delete route
	ip  route  del  TYPE PREFIX

# ip route show - list routes
	TYPE PREFIX
# ip route flush - flush routing tables  # 清除路由/指定路由
	TYPE  PREFIX

# ip route get - get a single route      # 获取到达特定目的地址的路由条目
	ip  route  get  TYPE PREFIX
# ip route add 192.168.0.0/24 via 10.0.0.1 dev eth1 src 10.0.20.100
	## 配置带源地址的路由

# ip route add 192.168.10.0/24 via 192.168.5.100 dev eth0
	## 前往目的网络 192.168.10.0/24 的下一跳是 192.168.5.100 ,接口是 eth0
	
# ip route add default via GW
# ip route delete 192.168.1.0/24
# ip route get 192.168.0.0/24

# ip route get 192.168.1.0/24
broadcast 192.168.1.0 dev ens33 src 192.168.1.9 
    cache <local,brd> 

# ip route add default via 192.168.1.2 dev eth0
	## 默认路由指向 192.168.1.2 ,接口是 eth0
	## 只要一个默认路由就 OK 
[root@Tang-1 ~]# ip route show
default via 172.16.141.1 dev enp1s0 proto static metric 100 
172.16.141.0/24 dev enp1s0 proto kernel scope link src 172.16.141.209 metric 100 
[root@Tang-1 ~]# ip route list
default via 172.16.141.1 dev enp1s0 proto static metric 100 
172.16.141.0/24 dev enp1s0 proto kernel scope link src 172.16.141.209 metric 100 
[root@Tang-1 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.16.141.1    0.0.0.0         UG    100    0        0 enp1s0
172.16.141.0    0.0.0.0         255.255.255.0   U     100    0        0 enp1s0

5、ip link set

# ip link set eth0 up
	## 启动 eth0 

# ip link set eth0 down
	## 关闭 eth0

# ip link set eth0 mtu 1000
	## 更改 MTU 的值为 1000 bytes.使用 ifconfig 也能更新网卡的 MTU 
# ip link set eth0 name vbird
    SIOCSIFNAME: Device or resource busy
	## 该设备目前处于启动状态,应该先将其 down,再进行重命名

# ip link set eth0 down     mtu 900 qdisc pfifo_fast qlen 1000
    link/ether 00:40:d0:13:c3:46 brd ff:ff:ff:ff:ff:ff
	## 网卡名称也可以改变;但因为配置文件是 ifcfg-eth0,建议仍使用默认的接口名称

# ip link set vbird name eth0 
	## 设备的硬件相关信息,包括MTU、MAC及传输的模式等,都能在这里设置
	## ip link set 的 address 参数后面接的是 MAC 地址,而不是 IP 地址

ss 命令

iproute2 包附带的一个工具,用来显示处于活动状态的套接字信息。ss命令可以用来获取socket统计信息,它可以显示和netstat类似的内容。但ss的优势在于它能够显示更多更详细的有关TCP和连接状态的信息,而且比netstat更快速更高效。

1、ss 语法格式

another utility to investigate sockets
ss  [options]  [ FILTER ]     
	OPTIONS:                        
		-t:TCP协议的相关连接       
		-u:UDP相关的连接           
		-w:raw socket相关的连接    
		-l:监听状态的连接          
		-a:所有状态的连接          
		-n:数字格式                
		-p:相关的程序及其PID(查看其他用户进程的信息需要 root 权限)
		-e:扩展格式信息            
		-m:内存用量                
		-o:计时器信息              
	
	FILTER := [ state TCP-STATE ]  [ EXPRESSION ]
		实现状态过滤的功能

	EXPRESSION:
		dport = 
		sport = 
			示例:'( dport = :22 or sport = :22)'
# ss  -tan  '(  dport = :22  or sport = :22  )'   注意空格
# ss  -tan  state  ESTABLISHED  只显示已连接状态的连接
[root@LeeMumu ~]# ss -tanp                                                                              
State      Recv-Q Send-Q   Local Address:Port   Peer Address:Port                                       
LISTEN     0      128                  *:22                *:*        users:(("sshd",pid=7017,fd=3))    
LISTEN     0      100          127.0.0.1:25                *:*        users:(("master",pid=7148,fd=13)) 
ESTAB      0      52         192.168.1.9:22    192.168.1.199:64402    users:(("sshd",pid=7282,fd=3))    
LISTEN     0      128                 :::22               :::*        users:(("sshd",pid=7017,fd=4))    
LISTEN     0      100                ::1:25               :::*        users:(("master",pid=7148,fd=14)) 
[root@LeeMumu ~]# ss -tan                                                                               
State      Recv-Q Send-Q   Local Address:Port   Peer Address:Port                                       
LISTEN     0      128                  *:22                *:*                                          
LISTEN     0      100          127.0.0.1:25                *:*                                          
ESTAB      0      52         192.168.1.9:22    192.168.1.199:64402                                      
LISTEN     0      128                 :::22               :::*                                          
LISTEN     0      100                ::1:25               :::*                                          

2、TCP 常见状态

TCP FSM:
	LISTEN         # 监听
	ESTABLISHED    # 已建立的连接
	FIN_WAIT_1     # 已发送 FIN,等待对端确认
	FIN_WAIT_2     # 己方 FIN 已被确认,等待对端的 FIN
	SYN_SENT       # 已发送 SYN,等待对端响应
	SYN_RECV       # 已收到 SYN,等待握手完成
	CLOSED         # 关闭
[root@LeeMumu ~]# ss  -tan  '(  dport = :22  or sport = :22  )'
State      Recv-Q Send-Q        Local Address:Port             Peer Address:Port        
LISTEN     0      128                       *:22                          *:*               
ESTAB      0      52              192.168.1.9:22              192.168.1.199:64402           
LISTEN     0      128                      :::22                         :::*        