NSH // Network Shell Manual // Chris Cappuccio <chris@nmedia.net>
Copyright (c) 2003-2013 Chris Cappuccio
Contents
--------
1. Overview
2. Installation
3. Main mode commands
4. Interface mode commands
5. Bridge mode commands
6. PF mode commands
7. Adding system users to nsh
Appendices
A. Explanation of interface types
B. Interface flags
C. Configuration examples
D. ALTQ notes
E. Interface-specific notes
Section 1 > Overview
--------------------
Network Shell is a command line interface designed to facilitate network
configuration on the OpenBSD operating system. The command line notation
is simple and terse. The command line interface is loosely modeled around
the concepts used in Cisco's popular interface. Typically, only values
changed from default get saved in the configuration, giving system/network
administrators a quick view of the unique configuration on the given,
local system.
NSH is a shell to the OpenBSD kernel's networking functions. The kernel
handles routing of packets, firewalling, network address translation,
rate limiting, bandwidth queueing, LAN bridging, IP tunneling, and
encryption (IP security). NSH provides simple wrappers around these
functions to aid you in setting up a network. The goal of this software
is to make the command syntax uniform, and bring all configuration together
with a single configuration file.
Some programs, such as ipsecctl, pfctl (and anything else handled from
ctl.c) simply have their native configuration files encapsulated within
the NSH configuration framework. No effort is made by NSH to obfuscate
their configuration in any way; the native configuration syntax
provided by these programs is already preferable. NSH simply gives the
administrator a way to keep all configuration in one place.
Section 2 > Installation
------------------------
If you are using flashrd, please follow the NSH installation directions in the
flashrd FAQ for additional details.
NSH replaces /etc/netstart on a standard OpenBSD system. To implement NSH on
such a system, you first need to convert your standard configuration into one
which is compatible with NSH's syntax. You need to compile NSH in order
to use it. NSH currently requires OpenBSD 5.1 or a later version. It may be
partially or fully compatible with Bitrig, but is currently untested there.
To compile NSH:
$ tar xvzf nsh.tar.gz
...
$ cd nsh
$ make
...
When this is done, you will have a binary in the nsh directory named 'nsh'.
Copy this to /bin/nsh or /usr/local/bin/nsh.
# cp nsh /bin/nsh
The next step is to copy over the appropriate script which will save the
permanent configuration.
If /etc is read-only and /var/run is read-write, you need to use the
save-ro.sh script:
# cp save-ro.sh /usr/local/bin/save.sh
Make sure that save-ro.sh actually takes the appropriate actions to make
/etc a read-write partition. (Or, modify it to move nshrc to a different
location that can be written to. Of course, the nsh startup command must
reflect this location as well.)
If /etc and /var/run are read-write, you need to use the save-rw.sh script:
# cp save-rw.sh /usr/local/bin/save.sh
To create nsh's initial configuration, run nsh on your router/firewall
which is already configured, and save the running configuration to disk,
as detailed below. Nsh will merge your PF/NAT/ALTQ rules into /etc/nshrc.
When you use the 'write-config' command, NSH will learn your configurations
from the running kernel. It will enter everything that is currently configured
into the nsh startup file.
# cp /etc/pf.conf /var/run/pf.conf.0
# cp /etc/dhcpd.conf /var/run/dhcpd.conf.0
# cp /etc/ssh/sshd_config /var/run/sshd.conf.0
# mv /etc/resolv.conf /var/run/resolv.conf.0
# ln -s /var/run/resolv.conf.symlink /etc/resolv.conf
# nsh
% NSH v1.0
nsh/enable
nsh(p)/pf enable
nsh(p)/dhcp enable
nsh(p)/sshd enable
nsh(p)/dns local-control
nsh/write
% Configuration saved
nsh/quit
At this point, you should inspect and edit /etc/nshrc by hand to ensure that
it does exactly what you want. Since it reads the entire configuration out of
the kernel, you may find things that you did not intend to save permanently.
You may wish to use nsh to control sshd, pf, inetd, and other daemons that
OpenBSD normally executes out of /etc/rc and /etc/netstart. To disable the
automatic start of these daemons and services, tell OpenBSD not to load
them.
echo sshd_flags=NO >>/etc/rc.conf.local
echo pf=NO >>/etc/rc.conf.local
echo inetd=NO >>/etc/rc.conf.local
Remove any networking config from /etc/ that conflicts with nsh, such
as /etc/hostname.*, /etc/mygate, and daemons from /etc/rc.conf.local that
you wish to control via NSH. (If you start network daemons from
/etc/rc.conf.local, rather than using NSH, you will not be able to control
their configuration file through NSH.)
Add nsh's start command to the top of /etc/rc.local:
nsh -i /etc/nshrc | tee /var/run/nsh.out
You may even want verbose output to see how nsh parses its rc file:
nsh -vi /etc/nshrc | tee /var/run/nsh.out
You are done. When NSH starts from /etc/rc.local, it will automatically load up
the network configuration into the kernel. At this point, you are free to
view and manipulate the configuration from nsh.
Section 3 > Main mode commands
------------------------------
All nsh modes give you basic command line editing features. You can
use the up arrow on most keyboards to go through the last commands
you entered and repeat them. Any command that takes action in the
system can be reversed by prefixing it with 'no '.
Any command can be abbreviated. For example, 'show interface' can
be written as 'show int'. A command like 'show i' is too much of an
abbreviation, since it matches 'show interface', 'show ipstats', 'show
icmpstats', and so on. If you enter an ambiguous command, nsh will
tell you so.
nsh/show i
% Ambiguous argument i
help
----
When you enter NSH, you will see the prompt. It starts with your
machine name and a forward slash. For simplicity, our example machine
name here is 'nsh'. At the prompt, you can enter commands detailed in this
document. The first command is simply 'help' or '?', which brings up
the main menu of commands.
nsh/?
% Commands may be abbreviated.
% Commands are:
rtable Routing table switch
show Show system information
enable Enable privileged mode
ping Send IPv4 ICMP echo request
ping6 Send IPv6 ICMP echo request
traceroute Print the route to IPv4 host
traceroute6 Print the route to IPv6 host
ssh SSH connection to remote host
telnet Telnet connection to remote host
verbose Set verbose diagnostics
editing Set command line editing
who Display system users
? Print help information
quit Close current connection
enable
------
Many commands require privileged access to execute. If you know the
correct password, you can obtain privileged access. The menu of commands
increases when you enter privileged mode.
nsh/enable
Password:
nsh(p)/?
% Commands may be abbreviated.
% Commands are:
hostname Set system hostname
interface Modify interface parameters
rtable Routing table switch
group Modify group attributes
arp Static ARP set
bridge Modify bridge parameters
show Show system information
ip Set IP networking parameters
flush Flush system tables
enable Enable privileged mode
disable Disable privileged mode
route Add a host or network route
pf Packet filter control
ospf OSPF control
ospf6 OSPF6 control
bgp BGP control
rip RIP control
ldp LDP control
relay Relay control
ipsec IPsec IKEv1 control
ike IPsec IKEv2 control
dvmrp DVMRP control
sasync SA synchronization control
dhcp DHCP server control
snmp SNMP server control
ldap LDAP server control
smtp SMTP server control
sshd SSH server control
ntp NTP synchronization control
nppp PPP server control
ifstate ifstate server control
ftp-proxy ftp-proxy server control
tftp-proxy tftp-proxy server control
tftp TFTP server control
dns DNS rule control
inet Inet super-server control
ping Send IPv4 ICMP echo request
ping6 Send IPv6 ICMP echo request
traceroute Print the route to IPv4 host
traceroute6 Print the route to IPv6 host
ssh SSH connection to remote host
telnet Telnet connection to remote host
reboot Reboot the system
halt Halt the system
write-config Save the current configuration
verbose Set verbose diagnostics
editing Set command line editing
who Display system users
! Invoke a subshell
? Print help information
quit Close current connection
enable secret
-------------
To set the password you must be in privileged mode. Set it either with
"enable secret <yourpassword>" or
"enable secret <cipher> <crypted password>".
NSH only supports blowfish as the cipher.
Examples:
nsh(p)/enable secret foo
or with an already crypted password:
nsh(p)/enable secret blowfish $2a$06$eQYswZjAHop5UFC8yle85uEqi/MCBhnWBi8IRU60LmkVvgZmtBiOm
You can generate a blowfish-crypted password using encrypt -b6.
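The hash nsh stores after the 'blowfish' keyword is in the standard bcrypt modular-crypt layout that encrypt -b produces. The following is an added example, not nsh code, that validates an 'enable secret' line before it is committed to nshrc and flags a low bcrypt cost; MIN_COST is an assumed policy value, not anything nsh enforces.

```python
"""Check an nsh 'enable secret' line before writing it to nshrc.

Added example, not part of nsh.  The layout it checks is the bcrypt
modular-crypt format: $2a$ (or $2b$/$2y$), a two-digit cost, then
22 salt characters and 31 digest characters from the bcrypt base64
alphabet (./A-Za-z0-9).  The sample hash is the one shown above.
"""
import re

_BCRYPT_RE = re.compile(
    r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# Assumed local policy threshold; 'encrypt -b6' yields cost 6.
MIN_COST = 10

SAMPLE_HASH = "$2a$06$eQYswZjAHop5UFC8yle85uEqi/MCBhnWBi8IRU60LmkVvgZmtBiOm"


def parse_bcrypt(hash_str):
    """Return (variant, cost, salt, digest); raise ValueError if malformed."""
    m = _BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt hash in modular-crypt format")
    variant, cost, salt, digest = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:
        raise ValueError("bcrypt cost %d out of range 4..31" % cost)
    return variant, cost, salt, digest


def check_enable_secret(line, min_cost=MIN_COST):
    """Return a list of findings for one config line (empty list = OK).

    Accepts 'enable secret blowfish <hash>'.  The three-word form
    'enable secret <password>' is flagged because the line itself
    carries the password in clear text.
    """
    parts = line.split()
    if parts[:2] != ["enable", "secret"]:
        return ["not an enable secret line"]
    if len(parts) == 3:
        return ["line carries a plaintext password; use the blowfish form"]
    if len(parts) != 4 or parts[2] != "blowfish":
        return ["unrecognised enable secret syntax"]
    try:
        _, cost, _, _ = parse_bcrypt(parts[3])
    except ValueError as err:
        return ["bad hash: %s" % err]
    findings = []
    if cost < min_cost:
        findings.append("bcrypt cost %d below policy minimum %d"
                        % (cost, min_cost))
    return findings


if __name__ == "__main__":
    for l in ("enable secret blowfish " + SAMPLE_HASH,
              "enable secret foo"):
        print(l.split()[2][:12], "->", check_enable_secret(l) or "OK")
```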
rtable
------
The rtable command allows you to execute services, diagnostic commands
(ping, traceroute) and set routes under alternate routing tables. Routing
tables in OpenBSD number from 0 to 255. They have a 1:1 relationship with
routing domains, except that routing domain 0 can contain multiple routing
tables. In addition, routing tables initialized prior to their corresponding
routing domain will be initialized with a routing domain of 0.
An uninitialized routing table cannot be used to execute any services
or diagnostic commands.
To add a routing table for unique use in its own routing domain, the most
common use, add a routing domain through the interface configuration first.
nsh(p)/interface fxp0
nsh(interface-fxp0)/rdomain 2
nsh(interface-fxp0)/ip 100.64.0.2/30
Now you may add routes to rtable 2 and have them tied to the fxp0
interface.
nsh(p)/rtable 2 Production network
nsh(p-rtable 2)/route 0.0.0.0/0 100.64.0.1
If you wish to add a routing table to rdomain 0, you must initialize it
without a corresponding rdomain being created. Do not set the rdomain in
any interface, and instead simply create a static route.
nsh(p)/rtable 1 Management network
nsh(p-rtable 1)/route 0.0.0.0/0 127.0.0.1
nsh(p-rtable 1)/sshd edit
nsh(p-rtable 1)/sshd enable
If you initialize a routing table in this manner, you will later be unable
to join it to a new rdomain.
The rtable command also supports unprivileged mode usage to execute
diagnostic commands.
nsh/rtable 1
nsh(rtable 1)/ping 100.64.0.1
hostname <hostname>
-------------------
Set system hostname. Requires privileged mode.
nsh(p)/hostname firewall.xyz.com
firewall.xyz.com(p)/
verbose
-------
Verbose mode causes many nsh commands to display extra information. It is
very useful in diagnostic and troubleshooting sessions to enable this
mode.
nsh/verbose
% Diagnostic mode enabled
If you do not wish to have the extra information displayed, you may
disable verbose mode.
nsh/no verbose
% Diagnostic mode disabled
ftp-proxy
---------
This activates the ftp proxy. NSH starts ftp-proxy on 127.0.0.1 by default.
Redirect rules in pf must be used to direct outside traffic from any
rdomain to the local ftp proxy.
tftp-proxy
----------
This activates the tftp proxy. NSH starts tftp-proxy on 127.0.0.1, port 6969
by default. Redirect rules in pf must be used to direct outside traffic from
any rdomain to the local tftp proxy.
pass in quick on $int_if inet proto udp from $lan to port tftp \
divert-to 127.0.0.1 port 6969
pass out quick on $ext_if inet proto udp from $lan to port tftp \
group proxy divert-reply
tftpd
-----
This activates the tftp daemon. NSH starts tftpd on 127.0.0.1, port 69
by default. Redirect rules in pf must be used to direct outside traffic from
any rdomain to the local tftp daemon.
write-config
------------
This will save the running configuration to the permanent configuration
space. Upon the next startup of the system, the saved configuration will
be used.
nsh(p)/write-config
% Configuration saved
nsh(p)/
halt
----
This will shut down the system. Requires privileged access.
nsh(p)/halt
% Shutdown initiated
reboot
------
This will reboot the system. Requires privileged access.
nsh(p)/reboot
% Reboot initiated
show
----
The main diagnostic and informational command is 'show'.
nsh/show ?
% Commands may be abbreviated.
% 'show' commands are:
hostname Router hostname
interface Interface config
route IPv4 route table or route lookup
route6 IPv6 route table or route lookup
sadb Security Association Database
arp ARP table
kernel Kernel statistics
bgp BGP information
ospf OSPF information
ospf6 OSPF6 information
rip RIP information
ldp LDP information
ike IKE information
dvmrp DVMRP information
relay Relay server
dhcp DHCP server
smtp SMTP server
ldap LDAP server
monitor Monitor routing/arp table changes
version Software information
users System users
running-config Operating configuration
startup-config Startup configuration
? Options
show hostname
-------------
This will display the system's currently assigned hostname.
nsh/show hostname
% nsh
show interface
--------------
This command displays essential information about a system's network interfaces
and network bridges. Using 'show interface' by itself will show information
about all interfaces and bridges available on a system. Using
'show interface <ifname>' will show information about a specific interface.
nsh/show interface lo0
% lo0
Interface is up (last change 37d 11:02:55), protocol is up
Interface type Loopback
Internet address ::1/128, fe80::1%lo0/64, 127.0.0.1/8
Routing Domain 0, MTU 33196 bytes
3182 packets input, 1486429 bytes, 0 errors, 0 drops
3182 packets output, 1486429 bytes, 0 errors, 0 unsupported
467 input, 467 output (average bytes/packet)
"Interface is up" means that the interface is turned on in software.
"Protocol is up" means that the interface is configured and ready to run.
The "Interface type" explains what the interface is used for on
the system. Some interfaces are not intended to pass traffic for network
users, and instead handle internal functions on the system. See
Appendix A for more information on common interface types.
"Internet address" shows the IPv4 and IPv6 addresses configured for the
interface, if any. IPv6 addresses with a % sign are "link-local" and
not valid outside of the context of the interface name specified.
MTU describes the Maximum Transmission Unit, the largest size of
a packet which the kernel will transmit on this interface.
The statistics show the number of packets, bytes, errors, and dropped
packets in both incoming and outgoing directions. The average input/output
figures describe the average size of packets going in and out of the interface.
Note that the total bytes in and/or out may not be accurate. OpenBSD uses
an unsigned long type to hold the byte count. When the byte count exceeds
the storage limit of an unsigned long (4,294,967,295 on a 32 bit architecture
or 18,446,744,073,709,551,615 on a 64-bit architecture), the counter will
overflow, causing it to roll over to 0. The average packet size will be
inaccurate when the total byte count rolls over, because the total number of
packets will reflect bytes that are no longer counted.
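The rollover described above, as an added example that is not nsh code: a wrapping unsigned byte counter is modelled at 32 or 64 bits, the printed total-based average is computed the way the paragraph describes, and a delta between two samples is shown to survive a single wrap. Traffic volumes are constructed for the illustration.

```python
"""Byte-counter rollover and the 'average bytes/packet' figure.

Added example, not part of nsh.  Models the kernel's unsigned byte
counter at a given width and shows why a lifetime average computed
from a wrapped counter is wrong, while a per-interval delta between
two samples is still correct as long as less than 2**bits bytes
passed between the samples.
"""


def simulate(traffic, bits=32):
    """Run constructed traffic through a wrapping byte counter.

    traffic: list of (packet_count, bytes_per_packet) bursts.
    Returns (stored_bytes, packets, true_average_bytes_per_packet).
    """
    mod = 1 << bits
    true_total = sum(n * size for n, size in traffic)
    packets = sum(n for n, _ in traffic)
    return true_total % mod, packets, true_total // packets


def avg_bytes_per_packet(total_bytes, total_packets):
    """The lifetime figure derived from stored counters, as printed."""
    if total_packets == 0:
        return 0
    return total_bytes // total_packets


def counter_delta(prev, cur, bits=32):
    """Bytes counted between two samples, tolerating one wrap."""
    return (cur - prev) % (1 << bits)


def interval_average(prev_sample, cur_sample, bits=32):
    """Average packet size over an interval from two (bytes, packets)
    samples taken from the wrapping counter."""
    d_bytes = counter_delta(prev_sample[0], cur_sample[0], bits)
    d_pkts = cur_sample[1] - prev_sample[1]
    return d_bytes // d_pkts if d_pkts else 0


if __name__ == "__main__":
    # Constructed: 3,000,000 packets of 1500 bytes = 4.5 GB, past 2**32.
    stored, pkts, true_avg = simulate([(3_000_000, 1500)], bits=32)
    print("stored counter:", stored, "true avg:", true_avg,
          "printed avg:", avg_bytes_per_packet(stored, pkts))
    # Two samples straddling the wrap still give the right interval rate.
    before = (4_200_000_000, 2_800_000)
    after = (stored, pkts)
    print("interval avg across the wrap:", interval_average(before, after))
```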
With verbose mode enabled, 'show interface' will display the raw kernel
flags for an interface. See Appendix B for an explanation of these flags.
nsh/show int lo0
% lo0
Interface is up (last change 37d 11:04:41), protocol is up
Interface type Loopback
Internet address ::1/128, fe80::1%lo0/64, 127.0.0.1/8
Routing Domain 0, MTU 33196 bytes
3182 packets input, 1486429 bytes, 0 errors, 0 drops
3182 packets output, 1486429 bytes, 0 errors, 0 unsupported
467 input, 467 output (average bytes/packet)
Flags:
<UP,LOOPBACK,RUNNING,MULTICAST>
With a bridge, verbose mode will show spanning tree member states and
bridge members.
nsh/show int bridge0
% bridge0
Bridge is up (last change 00:00:21), protocol is up
Interface type Ethernet Bridge
0 packets input, 0 bytes, 0 errors, 0 drops
0 packets output, 0 bytes, 0 errors, 0 unsupported
Flags:
<UP,RUNNING>
STP member state:
sis0: listening
With an IEEE 802.11 wireless interface, verbose mode will show
the network ID, network key, and powersaving mode (if enabled).
nsh/show int athn0
% athn0
BLah blah
IEEE 802.11
network id blah
network key blah
powersaving (111 ms)
With an interface that supports media commands, including Ethernet
and IEEE 802.11 wireless interfaces, verbose mode will show which
media types are available.
nsh/show int sis0
% sis0
...
Supported media types:
media none
media 10baseT
media 10baseT, mediaopt full-duplex
media 100baseTX
media 100baseTX, mediaopt full-duplex
media autoselect
show route
----------
A dump of the routing table, including ARP entries.
nsh/show route
Flags: U - up, G - gateway, H - host, L - link layer, R - reject (unreachable),
D - dynamic, S - static
% IPv4 routing table:
Destination Gateway Flags Refs Packets Mtu Interface
0.0.0.0/0 172.20.1.1 UGS 3 57502 - sis0
127.0.0.0/8 127.0.0.1 UGRS 0 0 33224 lo0
127.0.0.1 127.0.0.1 UH 2 12 33224 lo0
172.20.1.0/24 link#1 U 0 0 - sis0
172.20.1.1 8:0:20:71:22:e7 UHL 1 0 - sis0
172.20.1.2 127.0.0.1 UGHS 0 0 33224 lo0
172.20.1.23 link#1 UHL 1 1764 - sis0
172.20.1.255 link#1 UHL 2 1555 - sis0
224.0.0.0/4 127.0.0.1 URS 0 0 33224 lo0
The destination column is simply the destination network which the
route describes. The gateway is the next hop for this route to pass through.
Gateways which are described as 'link#' are local area networks or members
of local area networks.
The flags are useful to determine if the kernel is using a particular
route or not.
U - up
This route is active
G - gateway
The destination of this route is behind a gateway (next hop).
H - host
This route describes a host on the local network.
L - link layer
The destination has been or needs to be discovered through a layer 2 protocol
R - reject
This route is unreachable, and therefore marked unusable in the kernel
D - dynamic
This is a dynamic route which is managed through routing software on
the local system (such as ripd, ospfd or bgpd)
S - static
This is a static route set by a user
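A parser for the 'show route' output format, as an added example that is not part of nsh: it turns the table above into records, decodes the flag letters with the meanings just listed, and answers a few questions an operator typically asks of the table (default gateway, link-layer entries, dynamically learned routes).

```python
"""Parse nsh 'show route' output and decode its flag letters.

Added example, not part of nsh.  SAMPLE is the table printed in the
manual; FLAG_MEANING is the legend as the manual defines it.
"""

FLAG_MEANING = {
    "U": "up", "G": "gateway", "H": "host", "L": "link layer",
    "R": "reject", "D": "dynamic", "S": "static",
}

SAMPLE = """\
Flags: U - up, G - gateway, H - host, L - link layer, R - reject (unreachable),
D - dynamic, S - static
% IPv4 routing table:
Destination Gateway Flags Refs Packets Mtu Interface
0.0.0.0/0 172.20.1.1 UGS 3 57502 - sis0
127.0.0.0/8 127.0.0.1 UGRS 0 0 33224 lo0
127.0.0.1 127.0.0.1 UH 2 12 33224 lo0
172.20.1.0/24 link#1 U 0 0 - sis0
172.20.1.1 8:0:20:71:22:e7 UHL 1 0 - sis0
172.20.1.2 127.0.0.1 UGHS 0 0 33224 lo0
172.20.1.23 link#1 UHL 1 1764 - sis0
172.20.1.255 link#1 UHL 2 1555 - sis0
224.0.0.0/4 127.0.0.1 URS 0 0 33224 lo0
"""


def parse_show_route(text):
    """Return a list of route dicts; legend and header lines are skipped."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        # A route row has exactly seven columns and a flag field made
        # only of letters the legend defines; this rejects the legend,
        # the '% IPv4 routing table:' line and the column header.
        if len(f) != 7 or f[0] == "Destination":
            continue
        if not all(c in FLAG_MEANING for c in f[2]):
            continue
        routes.append({
            "dest": f[0], "gateway": f[1], "flags": set(f[2]),
            "refs": int(f[3]), "packets": int(f[4]),
            "mtu": None if f[5] == "-" else int(f[5]), "ifname": f[6],
        })
    return routes


def describe_flags(flags):
    """Expand a flag string such as 'UGS' into its legend words, in order."""
    return [FLAG_MEANING[c] for c in flags]


def default_route(routes):
    """The 0.0.0.0/0 entry, or None if the table has no default route."""
    for r in routes:
        if r["dest"] == "0.0.0.0/0":
            return r
    return None


def link_layer_entries(routes):
    """Host routes resolved (or to be resolved) at layer 2: flags H and L."""
    return [r for r in routes if {"H", "L"} <= r["flags"]]


def dynamic_routes(routes):
    """Routes installed by routing daemons rather than by a user."""
    return [r for r in routes if "D" in r["flags"]]


if __name__ == "__main__":
    table = parse_show_route(SAMPLE)
    for r in table:
        print(r["dest"], "via", r["gateway"], describe_flags(sorted(r["flags"])))
    print("default:", default_route(table)["gateway"])
    print("dynamic routes:", len(dynamic_routes(table)))
```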
show ipstats
------------
This displays a variety of statistics related to Internet Protocol usage
related to both local machine and its gateway functions.
show ahstats
------------
This displays a variety of statistics related to Authentication Header
(IPsec) usage related to both the local machine and its gateway functions.
show espstats
-------------
This displays a variety of statistics related to Encapsulated Security Payload
(IPsec) usage related to both the local machine and its gateway functions.
show tcpstats
-------------
This displays a variety of statistics related to Transmission Control Protocol
usage on the local machine.
show udpstats
-------------
This displays a variety of statistics related to User Datagram Protocol usage
on the local machine.
show icmpstats
--------------
This displays a variety of statistics related to Internet Control Message
Protocol usage on the local machine.
show igmpstats
--------------
This displays a variety of statistics related to Internet Group Message
Protocol usage on the local machine.
show ipcompstats
----------------
This displays a variety of statistics related to IP Compression Protocol
(IPComp) usage related to both the local machine and its gateway functions.
show rtstats
------------
This displays a variety of statistics kept in the kernel's routing engine.
show mbufstats
--------------
The kernel has a private pool of memory buffers called 'mbufs'. This
displays a variety of statistics kept in the kernel's memory management.
show monitor
------------
This causes the user to enter monitor mode for the routing socket. The
monitor displays raw descriptions of the data passing into the kernel's
routing socket and dumps of the kernel's routing messages to the machine.
Press enter or control-C to exit this mode.
show version
------------
This displays basic information about the host and about NSH, such as
the version of NSH installed, the system's uptime and kernel version.
It also shows both the kernel that NSH was compiled under, and the
current kernel that NSH is running under. NSH should always be running
on a kernel that is of a similar version to the version of the kernel/header
files that NSH was compiled under. This ensures that NSH will talk to
the kernel properly.
nsh/show version
% NSH v1.0
Compiled 03-Jan-13 22:08 by chris@nsh
uptime: 1 week, 1 day, 1 hour, 39 minutes
system: OpenBSD/i386 version 5.2
cpu: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class)
memory: 255MB
kernel: OpenBSD 5.2-current (FLASHRD) #8: Thu Jan 3 21:01:39 PST 2013
root@mina.nmedia.net:/usr/src/sys/arch/i386/compile/FLASHRD
IFQ drops: ip 0 mpls 0
show running-config
-------------------
This shows the current running configuration on the system, including
interface and bridge configurations, routes, the system hostname, firewall
rules, and other information compiled by nsh. See Appendix C for
example configuration files.
show startup-config
-------------------
This shows the startup configuration on the system, read from nshrc,
including interface and bridge configurations, routes, the system hostname,
firewall rules, and other information compiled by nsh. See Appendix C for
example configuration files.
flush
-----
Flush will empty various system tables
flush routes
------------
This will empty the system routing table
flush arp
---------
This will empty the system arp cache and static arp table
flush bridge-dyn <bridge>
-------------------------
This will flush dynamically learned members from the named bridge
nsh/flush bridge-dyn bridge0
This would delete all dynamically learned members from bridge0. Any
members set manually (static members) will not be removed.
flush bridge-all <bridge>
-------------------------
This will flush dynamically and statically learned members from the named bridge
nsh/flush bridge-all bridge0
flush bridge-rule <bridge> <interface>
--------------------------------------
This will flush all rules on the named bridge for a specific interface.
nsh/flush bridge-rule bridge0 sis0
flush history
-------------
This will clear the command history
disable
-------
Leave privileged mode. Use this if you want to stay logged in but do not
trust your terminal area.
route <destination>[/<prefixlen | netmask>] <gateway>
-----------------------------------------------------
You can add static routes with this command. IPv4 addresses can be configured
with CIDR prefix length, or classic IP netmasks to describe routes. The IPv6
address may only be configured with a prefix length. This command only runs
in privileged mode.
nsh(p)/route 192.168.0.0/16 1.2.3.4
is equivalent to:
nsh(p)/route 192.168.0.0/255.255.0.0 1.2.3.4
This command takes the 'no ' prefix to remove a route. The gateway
is not necessary when using the 'no route' notation.
nsh(p)/no route 192.168.0.0/16
If you do not specify a mask, it will assume you are routing a host
address
nsh(p)/route 10.6.6.4 1.2.3.4
Routing flags may be defined after a route.
nsh(p)/route 127.0.0.0/8 127.0.0.1 reject
or
nsh(p)/route ::/96 ::1 reject
quit
----
Leave NSH
verbose
-------
[no] verbose
Set verbose mode on. (It defaults to off)
editing
-------
[no] editing
Set command line editing on. (It defaults to on)
!
-
Invoke a shell command (requires privileged mode.)
Your system may have this feature disabled to enhance security.
nsh(p)/!ls
helloworld.c
nsh(p)/!
$
ip
--
Enable, allow, or set system parameters or features (requires privileged mode.)
All commands in this category allow the 'no' modifier to disable the option.
nsh(p)/ip ?
% Commands may be abbreviated.
% 'ip' commands are:
forwarding Enable IPv4 Forwarding
ipip Allow IP-in-IP Encapsulation
gre Allow Generic Route Encapsulation
wccp Allow Web Cache Control Protocol
mobileip Allow Mobile IP Encapsulation
etherip Allow Ether-IP Encapsulation
ipcomp Allow IP Compression
esp Allow Encapsulated Security Payload
ah Allow Authentication Header
sourceroute Process Loose/Strict Source Route Options
encdebug Enable if_enc debugging
ifq-maxlen IP IFQ maxlen
send-redirects Send ICMP redirects
directed-broadcast Allow directed broadcasts
default-ttl Set Default IP packet TTL
? Options
[no] interface <ifname>
-----------------------
nsh(p)/interface vlan0
If vlan0 does not exist, this will create the interface. If it was possible
to create the interface, or if the named interface already exists, you
will now be in the interface command mode, documented below in Section 4.
nsh(p)/no interface vlan0
Alternately, if vlan0 does exist, you can remove the interface with
the 'no interface' syntax. This only works for interface types which
support creation and removal.
[no] ip forwarding
------------------
nsh(p)/ip forwarding
Enable IP packet forwarding. This must be set in order to use routing,
NAT, IPsec or packet filter features.
[no] ip ipip
------------
nsh(p)/ip ipip
Allow IP-in-IP encapsulation.
[no] ip gre
-----------
nsh(p)/ip gre
Allow Generic Route Encapsulation. Must be used to enable gre interfaces.
[no] ip wccp
------------
nsh(p)/ip wccp
Allow GRE-based Web Cache Control Protocol packets to manage caching device.
Must be used to enable WCCP on gre interfaces.
[no] ip mobileip
----------------
nsh(p)/ip mobileip
Allow GRE-based MobileIP encapsulation. Must be used to enable MobileIP
operation on gre interfaces.
[no] ip etherip
---------------
nsh(p)/ip etherip
Allow Ether-IP encapsulation
[no] ip ipcomp
--------------
nsh(p)/ip ipcomp
Allow IPComp compression to be used.
[no] ip esp
-----------
nsh(p)/ip esp
Allow IPsec Encapsulated Security Payload to be used. Note this is a system
default.
[no] ip ah
----------
nsh(p)/ip ah
Allow IPsec Authentication Header to be used. Note this is a system default.
[no] ip sourceroute
-------------------
nsh(p)/ip sourceroute
Process loose or strict source routing options on IP packet headers. Do
not enable this option on systems connected to the public internet.
[no] ip encdebug
----------------
nsh(p)/ip encdebug
Print debugging messages for the if_enc interface to the kernel output.
Requires a kernel compiled with option ENCDEBUG.
[no] ip ifq-maxlen <argument>
-----------------------------
nsh(p)/ip ifq-maxlen 8192
Maximum number of queued packets before they are dropped. Increasing
this option does not necessarily help with system performance. The output
of 'show version' displays the IFQ drop counter. If this counter increases,
a larger ifq-maxlen value should be set.
[no] ip send-redirects
----------------------
nsh(p)/ip send-redirects
Controls whether or not the system sends ICMP redirects to local hosts. This
option is enabled by default.
When there is a direct path on the local network from one host to another, but
one of those hosts chooses to talk through the router instead, it will
send an ICMP redirect to the originating host. This redirect tells the host
the direct path on the network to send further packets.
[no] ip default-ttl <ttl>
-------------------------
nsh(p)/ip default-ttl 128
Sets the default ttl used on IP packets originating from this system.
The TTL, or time-to-live, is decremented by one each time the packet passes
through another router on the internet. The default TTL that the system
uses is 64, therefore it allows for the packet to pass through up to 64
routers (also called hops) before reaching its destination. The main purpose
of the TTL is to avoid routing loops in the network.
?
-
nsh(p)/ip ?
Help menu
Section 4 > Interface mode commands
-----------------------------------
nsh(interface-vr0)/?
% Commands may be abbreviated.
% Press enter at a prompt to leave interface configuration mode.
% Interface configuration commands are:
ip IP address and other parameters
alias Additional IP addresses and other parameters
description Interface description
group Interface group
rdomain Interface routing domain
rtlabel Interface route labels
mtu Set Maximum Transmission Unit
metric Set routing metric
link Set link level options
arp Set Address Resolution Protocol
label Set MPLS Label