One ip tool to rule them all
Core Technology
Prise the back off Linux and find out what really makes it tick.
When it comes to network configuration, Linux has several utilities collected in net-tools. Users learn to manage addresses with ifconfig, routes with route, and MAC addresses and the local network segment (the neighborhood) with arp. A single tool, ip of the iproute2 tool collection, replaces several of the classic network tools with one utility.
Making Links
The ip tool operates on objects, which could be links, network layer addresses, routes, rules, and a few others. I'll start with Layer 2 objects (i.e., links) and advance to upper layers.
The ip utility should already be in your Linux system. If not, install the iproute2 package. The ip(8) man page provides generic instructions on using the command, whereas ip-link(8) and friends provide the specifics. If you have ever used Git, you understand this split. Basically, you provide ip an object on which to operate; a command, such as add or del; and some options. The command ip <object> help lists the details in each case.
Before you can use a networking interface in Linux, you need to bring it up. The following command sets up a network interface:
# ip link set up dev eth0
This command must run as root (note the # prompt). The link object refers to a networking device, either physical or virtual, and the set command sets various link options. For instance, you could enable promiscuous mode (useful for sniffers such as Wireshark) with ip link set dev eth0 promisc on or rename the interface with ip link set dev eth0 name <name>. The up option tells ip you want to set the link active, and dev eth0 specifies the device. You can check whether the command worked as expected with ip link show (Listing 1).
Listing 1
Check a Networking Device
In the preceding command, the show command doesn't require root permissions. If you omit it altogether (i.e., ip link), show is implied; adding the -s switch collects and shows a few statistics (Figure 1). The UP flag in angle brackets tells you the link is up, and NO-CARRIER indicates that no cable is currently plugged in to the laptop. Note that the MAC address is displayed as well, which you can change with:
# ip link set dev eth0 address <MAC address>
In addition to configuring existing network links, ip can create new links – or at least a new virtual Ethernet (Veth) adapter:
# ip link add veth0 type veth peer name veth1
Veth interfaces come in pairs and are much like real network cards connected with a patch cord. Entering ip link show displays them as veth0@veth1 and vice versa. Veth interfaces were designed to simplify network communication for namespaces, and they are often seen with containerization tools such as Docker, but you can also use a virtual interface in other situations where you just want a simple network tunnel. The command ip link add can also create bridges (acting as a brctl substitute), VLANs, and a variety of network tunnels, including the VXLAN and Geneve options commonly used in network virtualization. You'll hardly ever need all these link types on your machine, but if you did, ip could manage them.
If you no longer need a link for some virtual device, use ip link del to get rid of it, but don't expect this command to work for physical devices.
Meeting Neighbors
Up the stack, you find the Network layer (aka, Layer 3) and network addresses. IPv4 is a typical specimen. The IPv4 address is a bit of information you usually supply when you bring the interface up with ifconfig; ip supports both IPv4 and IPv6.
Your single entry point to all address-related operations, regardless of address type, is ip address. Adding an address is easy:
# ip addr add 192.168.1.2/24 dev eth0
Look at how 192.168.1.2/24 specifies both the IPv4 address (192.168.1.2) and the netmask (24). This information is already enough for ip to deduce a broadcast address, which is often set explicitly with ifconfig.
It is also completely possible to assign an interface more than one address (Listing 2). Note that ip reuses the same "verbs" (or commands) across different objects.
Listing 2
Assign More than One Address
Older tools (like ifconfig) provide multiple address support via interface aliases (eth0:0). For ip, this is not a requirement. Yet you can achieve the same effect if you assign an address label as in Listing 3.
Listing 3
Assign an Alias
For backward compatibility, the label string must start with the interface name followed by a colon. You may delete addresses you no longer need with ip address delete (or just ip a d – see the "Abbreviations and Synonyms" box), whereas ip address flush flushes all addresses assigned to the interface.
Abbreviations and Synonyms
Two things to note: First, ip supports abbreviations. There is no minimum length, as long as the shortcut remains unambiguous. Entering ip addr is the same as entering ip a. Second, commands may also have synonyms: list and lst are the same as show.
Once you have assigned an interface a new IP address, how do other computers know about it? Neighborhood protocols are the answer. For IPv4, it's ARP (LV031); IPv6 calls the equivalent mechanism Neighbor Discovery (ND), which is a part of ICMPv6. ip handles both ARP and IPv6 ND via the neighbour object. In practice, ip neigh is the prevalent command form.
The most common operation is to list ARP/ND entries. The old-school arp command lists IPv4 addresses only, yet ip happily handles both families (Listing 4).
Listing 4
List ARP/NC Entries
You can instruct ip to show IPv4 or IPv6 entries only with the -4 and -6 switches. You can also add new neighbor entries and change, replace, or delete existing ones. The ip-neighbour(8) man page covers the necessary commands.
Finding Routes
Network layer protocols (IPv4 or IPv6) are all about routing. Routing is how packets reach their destinations beyond the local network segment. In the simplest case, routing information boils down to the default gateway address, which accepts all packets destined for the outside world. In a large enterprise or provider network, complex dynamic routing protocols are employed to ensure connectivity and optimize traffic flow.
Although ip doesn't do anything with dynamic routing protocols – separate daemons are in charge of this – it does provide all you might want for your static routing configuration, even in advanced scenarios. In a typical case, the route is chosen on the basis of the destination address, and that's the only use case the route command covers. Not only does ip cover this basic scenario, it provides a few additional options, as well:
# ip route add 192.168.2.0/24 via 192.168.1.1
This command adds a route to the 192.168.2.0 network via the 192.168.1.1 gateway. A special keyword, default, which is equivalent to 0.0.0.0/0, can be used to specify the default gateway. You can delete a route with ip route delete and modify existing routes with ip route change. As usual, ip route show (or list) displays the routing table:
$ ip route list
default via 192.168.101.1 dev wlan0 proto static metric 600
...
For a complex routing table, it might not be evident which route will apply to which destination, especially if routes involve different metric or preference values. The ip route get command comes to the rescue: It runs the virtual packet through the routing table and prints the result. No root privileges are required:
$ ip route get 8.8.8.8
8.8.8.8 via 192.168.101.1 dev wlan0 src 192.168.101.43
    cache
ip route get resolves the route you provide, creating so-called clones (think cache entries) as necessary. The word cache in the last line signifies this fact. One can see what's currently in the routing cache with ip route list cache, and flush it with ip route flush cache. However, the IPv4 routing cache was removed in Linux 3.6 for its non-deterministic performance. So, unless you use an old kernel, ip route list cache yields nothing. In a nutshell, the kernel still makes route clones but doesn't try to store them anymore.
The route type shown above is the most typical one, but it is not the only one ip understands. Iptables was the traditional way to silently discard packets going to evil networks, but the blackhole route would also work fine:
# ip route add blackhole 8.8.8.8
# ping 8.8.8.8
connect: Invalid argument
For local sockets, the blackhole route yields the EINVAL error. Two similar route types, unreachable and prohibit, generate ICMP Host Unreachable and ICMP Communication Prohibited replies. Local senders get EHOSTUNREACH and EACCES, respectively.
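Blackhole routes are often fed from a blocklist, so the following added example (not from the original article) turns a list of IPv4 prefixes into ip route commands as a dry run. Because the output is meant to be reviewed and then run as root, every entry is validated first; the function names and the sample list are constructed.

```shell
#!/bin/sh
# Added example: turn a blocklist of IPv4 prefixes into blackhole routes.
# Dry run: prints the commands; review them, then pipe to `sh` as root.

# valid_prefix ADDR[/LEN]: succeed only for a well-formed IPv4 prefix.
valid_prefix() {
    addr=${1%/*}
    len=32
    case $1 in */*) len=${1#*/} ;; esac
    case $addr in ''|*[!0-9.]*) return 1 ;; esac
    case $len in ''|*[!0-9]*) return 1 ;; esac
    # /0 is refused: it would blackhole every destination.
    [ "$len" -ge 1 ] && [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr            # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# blackhole_cmds: read prefixes on stdin (one per line, # comments allowed)
# and emit one idempotent command per valid prefix.
blackhole_cmds() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d ' \t\r')
        [ -n "$line" ] || continue
        if valid_prefix "$line"; then
            echo "ip route replace blackhole $line"
        else
            echo "skipped invalid entry: $line" >&2
        fi
    done
}

# Constructed sample blocklist (RFC 5737 documentation ranges).
sample_blocklist() {
    cat <<'EOF'
203.0.113.0/24
198.51.100.7      # single host
0.0.0.0/0
192.0.2.300/24
10.0.0.0/8; reboot
EOF
}

sample_blocklist | blackhole_cmds
```

Using replace rather than add keeps the run repeatable when a prefix is already blackholed; substitute unreachable or prohibit for blackhole if senders should receive the ICMP replies described above.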
A throw route type terminates lookup in the current routing table. Is there more than one routing table in Linux, you ask? That's a good question!