Diffstat (limited to 'usr/src/man/man1m/dladm.1m')
-rw-r--r--usr/src/man/man1m/dladm.1m606
1 files changed, 583 insertions, 23 deletions
diff --git a/usr/src/man/man1m/dladm.1m b/usr/src/man/man1m/dladm.1m
index c242d38ac2..035c5f2eb9 100644
--- a/usr/src/man/man1m/dladm.1m
+++ b/usr/src/man/man1m/dladm.1m
@@ -41,7 +41,7 @@
.\"
.\"
.\" Copyright (c) 2008, Sun Microsystems, Inc. All Rights Reserved
-.\" Copyright 2016 Joyent, Inc.
+.\" Copyright 2017 Joyent, Inc.
.\" Copyright 2020 RackTop Systems, Inc.
.\"
.TH DLADM 1M "June 20, 2021"
@@ -50,7 +50,7 @@ dladm \- administer data links
.SH SYNOPSIS
.nf
\fBdladm show-link\fR [\fB-P\fR] [\fB-s\fR [\fB-i\fR \fIinterval\fR]] [[\fB-p\fR] \fB-o\fR \fIfield\fR[,...]] [\fIlink\fR]
-\fBdladm rename-link\fR [\fB-R\fR \fIroot-dir\fR] \fIlink\fR \fInew-link\fR
+\fBdladm rename-link\fR [\fB-R\fR \fIroot-dir\fR] [\fB-z\fR \fIzonename\fR] \fIlink\fR \fInew-link\fR
.fi
.LP
@@ -133,9 +133,11 @@ dladm \- administer data links
.LP
.nf
-\fBdladm set-linkprop\fR [\fB-t\fR] [\fB-R\fR \fIroot-dir\fR] \fB-p\fR \fIprop\fR=\fIvalue\fR[,...] \fIlink\fR
-\fBdladm reset-linkprop\fR [\fB-t\fR] [\fB-R\fR \fIroot-dir\fR] [\fB-p\fR \fIprop\fR[,...]] \fIlink\fR
-\fBdladm show-linkprop\fR [\fB-P\fR] [[\fB-c\fR] \fB-o\fR \fIfield\fR[,...]] [\fB-p\fR \fIprop\fR[,...]] [\fIlink\fR]
+\fBdladm set-linkprop\fR [\fB-t\fR] [\fB-R\fR \fIroot-dir\fR] [\fB-z\fR \fIzonename\fR] \fB-p\fR \fIprop\fR=\fIvalue\fR[,...]
+ \fIlink\fR
+\fBdladm reset-linkprop\fR [\fB-t\fR] [\fB-R\fR \fIroot-dir\fR] [\fB-z\fR \fIzonename\fR] [\fB-p\fR \fIprop\fR[,...]] \fIlink\fR
+\fBdladm show-linkprop\fR [\fB-P\fR] [\fB-z\fR \fIzonename\fR] [[\fB-c\fR] \fB-o\fR \fIfield\fR[,...]]
+ [\fB-p\fR \fIprop\fR[,...]] [\fIlink\fR]
.fi
.LP
@@ -150,9 +152,9 @@ dladm \- administer data links
\fBdladm create-vnic\fR [\fB-t\fR] \fB-l\fR \fIlink\fR [\fB-R\fR \fIroot-dir\fR] [\fB-m\fR \fIvalue\fR | auto |
{factory \fB-n\fR \fIslot-identifier\fR]} | {random [\fB-r\fR \fIprefix\fR]}]
[\fB-v\fR \fIvlan-id\fR] [\fB-p\fR \fIprop\fR=\fIvalue\fR[,...]] \fIvnic-link\fR
-\fBdladm delete-vnic\fR [\fB-t\fR] [\fB-R\fR \fIroot-dir\fR] \fIvnic-link\fR
+\fBdladm delete-vnic\fR [\fB-t\fR] [\fB-R\fR \fIroot-dir\fR] [\fB-z\fR \fIzonename\fR] \fIvnic-link\fR
\fBdladm show-vnic\fR [\fB-pP\fR] [\fB-s\fR [\fB-i\fR \fIinterval\fR]] [\fB-o\fR \fIfield\fR[,...]]
- [\fB-l\fR \fIlink\fR] [\fIvnic-link\fR]
+ [\fB-l\fR \fIlink\fR] [\fB-z\fR \fIzonename\fR] [\fIvnic-link\fR]
.fi
.LP
@@ -174,6 +176,14 @@ dladm \- administer data links
.LP
.nf
+\fBdladm create-overlay\fR [\fB-t\fR] \fB-e\fR \fIencap\fR \fB-s\fR \fIsearch\fR \fB-v\fR \fIvnetid\fR [\fB-p\fR \fIprop\fR=\fIvalue\fR[,...]] \fIoverlay\fR
+\fBdladm delete-overlay\fR \fIoverlay\fR
+\fBdladm modify-overlay\fR \fB-d\fR \fImac\fR | \fB-f\fR | \fB-s\fR \fImac=ip:port\fR \fIoverlay\fR
+\fBdladm show-overlay\fR [ \fB-f\fR | \fB-t\fR ] [[\fB-p\fR] \fB-o\fR \fIfield\fR[,...]] [\fIoverlay\fR]
+.fi
+
+.LP
+.nf
\fBdladm show-usage\fR [\fB-a\fR] \fB-f\fR \fIfilename\fR [\fB-p\fR \fIplotfile\fR \fB-F\fR \fIformat\fR] [\fB-s\fR \fItime\fR]
[\fB-e\fR \fItime\fR] [\fIlink\fR]
.fi
@@ -260,9 +270,9 @@ A WiFi datalink.
.ad
.sp .6
.RS 4n
-A virtual network interface created on a link or an \fBetherstub\fR. It is a
-pseudo device that can be treated as if it were an network interface card on a
-machine.
+A virtual network interface created on a link, an \fBetherstub\fR, or \fBan
+overlay\fR. It is a pseudo device that can be treated as if it were an network
+interface card on a machine.
.RE
.sp
@@ -330,6 +340,20 @@ use any alphanumeric characters, as well as underscore (\fB_\fR), period
characters.
.RE
+.sp
+.ne 2
+.na
+.B overlay
+.ad
+.sp .6
+.RS 4n
+An overlay instance, identified by an administratively-chosen name. An overlay
+can be used to create or join an existing software defined network.
+VNICs created on an overlay will appear to be connected by a local virtual
+switch and will also be connected to interfaces on matching overlays provided by
+other hosts. For more information on overlay devices, see \fBoverlay\fR(5).
+.RE
+
.SS "Options"
Each \fBdladm\fR subcommand has its own set of options. However, many of the
subcommands have the following as a common option:
@@ -431,6 +455,19 @@ A virtual network interface. The \fBshow-vnic\fR subcommand displays more
detail for this class of datalink.
.RE
+.sp
+.ne 2
+.na
+\fB\fBoverlay\fR\fR
+.ad
+.sp .6
+.RS 4n
+A virtual device that is used to create or join a software defined
+network. The \fBshow-overlay\fR subcommand displays more detail for this
+class of datalink.
+.RE
+
+
.RE
.sp
@@ -600,8 +637,7 @@ will be displayed only once.
.sp
.ne 2
.na
-\fB\fBdladm rename-link\fR [\fB-R\fR \fIroot-dir\fR] \fIlink\fR
-\fInew-link\fR\fR
+\fB\fBdladm rename-link\fR [\fB-R\fR \fIroot-dir\fR] [\fB-z\fR \fIzonename\fR] \fIlink\fR \fInew-link\fR\fR
.ad
.sp .6
.RS 4n
@@ -619,6 +655,16 @@ examples of how this subcommand is used.
See "Options," above.
.RE
+.sp
+.ne 2
+.na
+\fB\fB-z\fR \fIzonename\fR
+.ad
+.sp .6
+.RS 4n
+A link assigned to a zone can only be renamed while the zone is in the ready state.
+.RE
+
.RE
.sp
@@ -3224,8 +3270,7 @@ Extended output is displayed for \fBPTYPE\fR values of \fBcurrent\fR,
.sp
.ne 2
.na
-\fB\fBdladm set-linkprop\fR [\fB-t\fR] [\fB-R\fR \fIroot-dir\fR] \fB-p\fR
-\fIprop\fR=\fIvalue\fR[,...] \fIlink\fR\fR
+\fB\fBdladm set-linkprop\fR [\fB-t\fR] [\fB-R\fR \fIroot-dir\fR] [\fB-z\fR \fIzonename\fR] \fB-p\fR \fIprop\fR=\fIvalue\fR[,...] \fIlink\fR\fR
.ad
.sp .6
.RS 4n
@@ -3257,6 +3302,16 @@ See "Options," above.
.sp
.ne 2
.na
+\fB\fB-z\fR \fIzonename\fR
+.ad
+.sp .6
+.RS 4n
+Operate on a link that has been delegated to the specified zone.
+.RE
+
+.sp
+.ne 2
+.na
\fB\fB-p\fR \fIprop\fR=\fIvalue\fR[,...], \fB--prop\fR
\fIprop\fR=\fIvalue\fR[,...]\fR
.ad
@@ -3276,8 +3331,7 @@ same value.
.sp
.ne 2
.na
-\fB\fBdladm reset-linkprop\fR [\fB-t\fR] [\fB-R\fR \fIroot-dir\fR] [\fB-p\fR
-\fIprop\fR,...] \fIlink\fR\fR
+\fB\fBdladm reset-linkprop\fR [\fB-t\fR] [\fB-R\fR \fIroot-dir\fR] [\fB-z\fR \fIzonename\fR] [\fB-p\fR \fIprop\fR,...] \fIlink\fR\fR
.ad
.sp .6
.RS 4n
@@ -3309,6 +3363,16 @@ See "Options," above.
.sp
.ne 2
.na
+\fB\fB-z\fR \fIzonename\fR
+.ad
+.sp .6
+.RS 4n
+Operate on a link that has been delegated to the specified zone.
+.RE
+
+.sp
+.ne 2
+.na
\fB\fB-p\fR \fIprop, ...\fR, \fB--prop\fR=\fIprop, ...\fR\fR
.ad
.sp .6
@@ -3323,8 +3387,7 @@ the same value.
.sp
.ne 2
.na
-\fB\fBdladm show-linkprop\fR [\fB-P\fR] [[\fB-c\fR] \fB-o\fR
-\fIfield\fR[,...]][\fB-p\fR \fIprop\fR[,...]] [\fIlink\fR]\fR
+\fB\fBdladm show-linkprop\fR [\fB-P\fR] [\fB-z\fR \fIzonename\fR] [[\fB-c\fR] \fB-o\fR \fIfield\fR[,...]][\fB-p\fR \fIprop\fR[,...]] [\fIlink\fR]\fR
.ad
.sp .6
.RS 4n
@@ -3442,6 +3505,16 @@ Display persistent link property information
.sp
.ne 2
.na
+\fB\fB-z\fR \fIzonename\fR
+.ad
+.sp .6
+.RS 4n
+Operate on a link that has been delegated to the specified zone.
+.RE
+
+.sp
+.ne 2
+.na
\fB\fB-p\fR \fIprop, ...\fR, \fB--prop\fR=\fIprop, ...\fR\fR
.ad
.sp .6
@@ -3759,8 +3832,7 @@ A comma-separated list of properties to set to the specified values.
.sp
.ne 2
.na
-\fB\fBdladm delete-vnic\fR [\fB-t\fR] [\fB-R\fR \fIroot-dir\fR]
-\fIvnic-link\fR\fR
+\fB\fBdladm delete-vnic\fR [\fB-t\fR] [\fB-R\fR \fIroot-dir\fR] [\fB-z\fR \fIzonename\fR] \fIvnic-link\fR\fR
.ad
.sp .6
.RS 4n
@@ -3786,13 +3858,22 @@ next reboot.
See "Options," above.
.RE
+.sp
+.ne 2
+.na
+\fB\fB-z\fR \fIzonename\fR
+.ad
+.sp .6
+.RS 4n
+Operate on a link that has been delegated to the specified zone.
+.RE
+
.RE
.sp
.ne 2
.na
-\fB\fBdladm show-vnic\fR [\fB-pP\fR] [\fB-s\fR [\fB-i\fR \fIinterval\fR]]
-[\fB-o\fR \fIfield\fR[,...]] [\fB-l\fR \fIlink\fR] [\fIvnic-link\fR]\fR
+\fB\fBdladm show-vnic\fR [\fB-pP\fR] [\fB-s\fR [\fB-i\fR \fIinterval\fR]] [\fB-o\fR \fIfield\fR[,...]] [\fB-l\fR \fIlink\fR] [\fB-z\fR \fIzonename\fR] [\fIvnic-link\fR]\fR
.ad
.sp .6
.RS 4n
@@ -3935,6 +4016,16 @@ will be displayed only once.
Display information for all VNICs on the named link.
.RE
+.sp
+.ne 2
+.na
+\fB\fB-z\fR \fIzonename\fR
+.ad
+.sp .6
+.RS 4n
+Operate on a link that has been delegated to the specified zone.
+.RE
+
.RE
.sp
@@ -4352,6 +4443,349 @@ The tunnel destination address.
.sp
.ne 2
.na
+\fBdladm create-overlay\fR \fB-e\fR \fIencap\fR \fB-s\fR \fIsearch\fR
+\fB-v\fR \fIvnetid\fR [\fB-p\fR \fIprop\fR=\fIvalue\fR[,...]] \fIoverlay\fR
+.ad
+.sp .6
+.RS 4n
+Create an overlay device named \fIoverlay\fR.
+.sp
+Overlay devices are similar to etherstubs. VNICs can be created on top
+of them. However, unlike an etherstub which is local to the system, an
+overlay device can be configured to communicate to remote hosts,
+providing a means for network virtualization. The way in which it does
+this is described by the encapsulation module and the search plugin. For
+more information on these, see \fBoverlay\fR(5).
+.sp
+An overlay device has a series of required and optional properties. These
+properties vary based upon the search and encapsulation modules and are fully
+specified in \fBoverlay\fR(5). Not every property needs to be specified - some
+have default values which will be used if nothing specific is specified. For
+example, the default port for VXLAN comes from its IANA standard. If a
+required property is missing, the command will fail and inform you of the
+missing properties.
+.sp
+.ne 2
+.na
+\fB\fB-t\fR, \fB--temporary\fR\fR
+.ad
+.sp .6
+.RS 4n
+Specifies that the overlay is temporary. Temporary overlays last until
+the next reboot.
+.RE
+
+.sp
+.ne 2
+.na
+\fB-e\fR \fIencap\fR, \fB--encap\fR=\fIencap\fR
+.ad
+.sp .6
+.RS 4n
+Use \fIencap\fR as the encapsulation plugin for the overlay device
+\fIoverlay\fR. The encapsulation plugin determines how packets are transformed
+before being put on the wire.
+.RE
+
+.sp
+.ne 2
+.na
+\fB-s\fR \fIsearch\fR, \fB--search\fR=\fIsearch\fR
+.ad
+.sp .6
+.RS 4n
+Use \fIsearch\fR as the search plugin for \fIoverlay\fR. The search plugin
+determines how non-local targets are found and where packets are directed to.
+.RE
+
+.sp
+.ne 2
+.na
+\fB\fB-p\fR \fIprop\fR=\fIvalue\fR,..., \fB--prop\fR
+\fIprop\fR=\fIvalue\fR,...\fR
+.ad
+.sp .6
+.RS 4n
+A comma-separated list of properties to set to the specified values.
+.RE
+
+.sp
+.ne 2
+.na
+\fB-v\fR \fIvnetid\fR, \fB--vnetid\fR=\fIvnetid\fR
+.ad
+.sp .6
+.RS 4n
+Sets the virtual networking identifier to \fIvnetid\fR. A virtual network
+identifier determines is similar to a VLAN identifier, in that it identifies a
+unique virtual network. All overlay devices on the system share the same space
+for the virtual network identifier. However, the valid range of identifiers is
+determined by the encapsulation plugin specified by \fB-e\fR.
+.RE
+
+.RE
+
+.sp
+.ne 2
+.na
+\fBdladm delete-overlay\fR \fIoverlay\fR
+.ad
+.sp .6
+.RS 4n
+Delete the specified overlay. This will fail if there are VNICs on top of the
+device.
+.RE
+
+.sp
+.ne 2
+.na
+\fBdladm modify-overlay\fR \fB-d\fR \fImac\fR | \fB-f\fR | \fB-s\fR \fImac=ip:port\fR \fIoverlay\fR
+.ad
+.sp .6
+.RS 4n
+Modifies the target tables for the specified overlay.
+.sp
+The different options allow for different ways of modifying the target table.
+One of \fB-d\fR, \fB-f\fR, and \fB-s\fR is required. This is not applicable for
+all kinds of overlay devices. For more information, see \fBoverlay\fR(5).
+.sp
+.ne 2
+.na
+\fB-d\fR \fImac\fR, \fB--delete-entry\fR=\fImac\fR
+.ad
+.sp .6
+.RS 4n
+Deletes the entry for \fImac\fR from the target table for \fIoverlay\fR. Note,
+if a lookup is pending or outstanding, this does not cancel it or stop it from
+updating the value.
+.RE
+
+.sp
+.ne 2
+.na
+\fB-f\fR, \fB--flush-table\fR
+.ad
+.sp .6
+.RS 4n
+Flushes all values in the target table for \fIoverlay\fR.
+.RE
+
+.sp
+.ne 2
+.na
+\fB-s\fR \fImac\fR=\fIvalue\fR, \fB--set-entry\fR=\fImac\fR=\fIvalue\fR
+.ad
+.sp .6
+.RS 4n
+Sets the value of \fIoverlay\fR's target table entry for \fImac\fR to
+the specified value. The specified value varies upon the encapsulation
+plugin. The value may be a combination of a MAC address, IP address,
+and port. Generally, this looks like
+[\fImac\fR,][\fIIP\fR:][\fIport\fR]. If a component is the last one,
+then there is no need for a separator. eg. if just the MAC address or
+IP is needed, it would look like \fImac\fR and \fIIP\fR respectively.
+.RE
+
+.RE
+
+.sp
+.ne 2
+.na
+\fBdladm show-overlay\fR [ \fB-f\fR | \fB-t\fR ] [[\fB-p\fR] \fB-o\fR \fIfield\fR[,...]] [\fIoverlay\fR]
+.ad
+.sp .6
+.RS 4n
+Shows overlay configuration (the default), internal target tables (\fB-t\fR), or
+the FMA state (\fB-f\fR), either for all overlays or the specified overlay.
+.sp
+By default (with neither \fB-f\fR or \fB-t\fR specified), the following fields
+will be displayed:
+.sp
+.ne 2
+.na
+\fB\fBLINK\fR\fR
+.ad
+.sp .6
+.RS 4n
+The name of the overlay.
+.RE
+
+.sp
+.ne 2
+.na
+\fB\fBPROPERTY\fR\fR
+.ad
+.sp .6
+.RS 4n
+The name of the property.
+.RE
+
+.sp
+.ne 2
+.na
+\fB\fBPERM\fR\fR
+.ad
+.sp .6
+.RS 4n
+The read/write permissions of the property. The value shown is one of \fBr-\fR
+or \fBrw\fR.
+.RE
+
+.sp
+.ne 2
+.na
+\fB\fBVALUE\fR\fR
+.ad
+.sp .6
+.RS 4n
+The current property value. If the value is not set, it is shown as \fB--\fR.
+If it is unknown, the value is shown as \fB?\fR.
+.RE
+
+.sp
+.ne 2
+.na
+\fB\fBDEFAULT\fR\fR
+.ad
+.sp .6
+.RS 4n
+The default value of the property. If the property has no default value,
+\fB--\fR is shown.
+.RE
+
+.sp
+.ne 2
+.na
+\fB\fBPOSSIBLE\fR\fR
+.ad
+.sp .6
+.RS 4n
+A comma-separated list of the values the property can have. If the values span
+a numeric range, \fImin\fR - \fImax\fR might be shown as shorthand. If the
+possible values are unknown or unbounded, \fB--\fR is shown.
+.RE
+
+.sp
+When the \fB-f\fR option is displayed, the following fields will be displayed:
+.sp
+.ne 2
+.na
+\fB\fBLINK\fR\fR
+.ad
+.sp .6
+.RS 4n
+The name of the overlay.
+.RE
+
+.sp
+.ne 2
+.na
+\fB\fBSTATUS\fR\fR
+.ad
+.sp .6
+.RS 4n
+Either \fBONLINE\fR or \fBDEGRADED\fR.
+.RE
+
+.sp
+.ne 2
+.na
+\fB\fBDETAILS\fR\fR
+.ad
+.sp .6
+.RS 4n
+When the \fBoverlay\fR's status is \fBONLINE\fR, then this has the value
+\fB--\fR. Otherwise, when it is \fBDEGRADED\fR, this field provides a more
+detailed explanation as to why it's degraded.
+.RE
+
+.sp
+When the \fB-t\fR option is displayed, the following fields will be displayed:
+.sp
+.ne 2
+.na
+\fB\fBLINK\fR\fR
+.ad
+.sp .6
+.RS 4n
+The name of the overlay.
+.RE
+
+.sp
+.ne 2
+.na
+\fB\fBTARGET\fR\fR
+.ad
+.sp .6
+.RS 4n
+The target MAC address of a table entry.
+.RE
+
+.sp
+.ne 2
+.na
+\fB\fBDESTINATION\fR\fR
+.ad
+.sp .6
+.RS 4n
+The address that an encapsulated packet will be sent to when a packet has the
+address specified by \fBTARGET\fR.
+.RE
+
+The \fBshow-overlay\fR command supports the following options:
+
+.sp
+.ne 2
+.na
+\fB-f\fR, \fB--fma\fR
+.ad
+.sp .6
+.RS 4n
+Displays information about an overlay device's FMA state. For more
+information on the target table, see \fBoverlay\fR(5).
+.RE
+
+.sp
+.ne 2
+.na
+\fB\fB-o\fR \fIfield\fR[,...], \fB--output\fR=\fIfield\fR\fR
+.ad
+.sp .6
+.RS 4n
+A case-insensitive, comma-separated list of output fields to display. The field
+name must be one of the fields listed above, or the special value \fBall\fR, to
+display all fields. The fields applicable to the \fB-o\fR option are limited to
+those listed under each output mode. For example, if using \fB-L\fR, only the
+fields listed under \fB-L\fR, above, can be used with \fB-o\fR.
+.RE
+
+.sp
+.ne 2
+.na
+\fB\fB-p\fR, \fB--parsable\fR\fR
+.ad
+.sp .6
+.RS 4n
+Display using a stable machine-parsable format. The \fB-o\fR option is
+required with \fB-p\fR. See "Parsable Output Format", below.
+.RE
+
+.sp
+.ne 2
+.na
+\fB-t\fR, \fB--target\fR
+.ad
+.sp .6
+.RS 4n
+Displays information about an overlay device's target table. For more
+information on the target table, see \fBoverlay\fR(5).
+.RE
+
+.RE
+
+.sp
+.ne 2
+.na
\fB\fBdladm show-usage\fR [\fB-a\fR] \fB-f\fR \fIfilename\fR [\fB-p\fR
\fIplotfile\fR \fB-F\fR \fIformat\fR] [\fB-s\fR \fItime\fR] [\fB-e\fR
\fItime\fR] [\fIlink\fR]\fR
@@ -4454,6 +4888,43 @@ The following general link properties are supported:
.sp
.ne 2
.na
+\fB\fBallow-all-dhcp-cids\fR\fR
+.ad
+.sp .6
+.RS 4n
+One of \fBtrue\fR or \fBfalse\fR, to indicate whether or not all DHCP Client
+Identifiers should be permitted on this interface when DHCP spoofing protection
+is being used. This can be useful in cases where a DHCP client is using RFC
+4361-style Client Identifiers, which are based on a value that is opaque to the
+Global Zone, but enforcement of MAC addresses in DHCP packets is still desired.
+.RE
+
+.sp
+.ne 2
+.na
+\fB\fBallowed-dhcp-cids\fR\fR
+.ad
+.sp .6
+.RS 4n
+A comma-separated list of DHCP Client Identifiers that are allowed on the
+interface.
+.sp
+Client identifiers can be written in three different formats: a string of
+hexadecimal characters prefixed by \fB0x\fR, indicating the exact bytes used in
+the Client Identifier; an RFC 3315 DUID of the form
+"1.<hardware\ type>.<time>.<link-layer\ address>" (DUID-LLT),
+"2.<enterprise\ number>.<hex\ string>" (DUID-EN), or
+"3.<hardware\ type>.<link-layer\ address>" (DUID-LL); or a string of characters
+whose byte values should be used as the Client Identifier.
+.sp
+When specifying a string of hexadecimal characters prefixed by \fB0x\fR or as
+part of a DUID-EN string, an even number of hexadecimal characters must be
+provided in order to fully specify each byte.
+.RE
+
+.sp
+.ne 2
+.na
\fB\fBallowed-ips\fR\fR
.ad
.sp .6
@@ -4515,6 +4986,24 @@ is not bound to any specific processor or processor set.
.sp
.ne 2
.na
+\fB\fBdynamic-methods\fR\fR
+.ad
+.sp .6
+.RS 4n
+When using IP spoofing protection (see \fBprotection\fR), addresses can be
+learned dynamically by monitoring certain network traffic, like DHCP
+transactions or IPv6 Stateless Address Autoconfiguration (SLAAC). By default,
+all learning methods are permitted, but if \fBallowed-ips\fR contains any
+addresses, then all methods are disabled, and any packets sent from addresses
+previously learned will be dropped. This property allows selecting which ones
+are re-enabled, where valid options are \fBdhcpv4\fR, \fBdhcpv6\fR, and
+\fBslaac\fR. \fBaddrconf\fR is available as an alias for enabling both
+\fBdhcpv6\fR and \fBslaac\fR.
+.RE
+
+.sp
+.ne 2
+.na
\fB\fBlearn_limit\fR\fR
.ad
.sp .6
@@ -4567,6 +5056,67 @@ tokens \fBhigh\fR, \fBmedium\fR, or \fBlow\fR. The default is \fBhigh\fR.
.sp
.ne 2
.na
+\fB\fBprotection\fR\fR
+.ad
+.sp .6
+.RS 4n
+This property enables various forms of link protections, which prevent sending
+applicable traffic out of this link. Note that since this enforcement happens
+late in the networking stack, some observability tools like \fBsnoop\fR(1M) may
+still see dropped outbound packets.
+
+This property should be set to a comma-separated list of protections to enable
+on this link, where available protections are:
+.sp
+.ne 2
+.na
+\fBip-nospoof\fR
+.ad
+.sp .6
+.RS 4n
+Prevents sending from IPv4 and IPv6 addresses that have not been permitted
+over the NIC. Addresses can be learned dynamically (see \fBdynamic-methods\fR)
+or specified explicitly (see \fBallowed-ips\fR).
+.RE
+.sp
+.ne 2
+.na
+\fBdhcp-nospoof\fR
+.ad
+.sp .6
+.RS 4n
+Prevents sending DHCP packets whose client hardware address
+(CHADDR) field differs from the link-layer address, or from using a Client
+Identifier whose value cannot be confirmed to be derived from the link-layer
+address. Additional Client Identifiers can be permitted through the
+\fBallowed-dhcp-cids\fR and \fBallow-all-dhcp-cids\fR link properties.
+.RE
+.sp
+.ne 2
+.na
+\fBmac-nospoof\fR
+.ad
+.sp .6
+.RS 4n
+Prevents sending packets with a link-layer address that differs from the one
+associated with the NIC. Additional addresses to allow can be added using the
+\fBseconday-macs\fR property.
+.RE
+.sp
+.ne 2
+.na
+\fBrestricted\fR
+.ad
+.sp .6
+.RS 4n
+Prevents using a VLAN ID not associated with the NIC and sending packets that
+are not IPv4, IPv6 or ARP.
+.RE
+.RE
+
+.sp
+.ne 2
+.na
\fB\fBstp\fR\fR
.ad
.sp .6
@@ -5588,7 +6138,17 @@ Interface Stability Committed
.SH SEE ALSO
\fBacctadm\fR(1M), \fBautopush\fR(1M), \fBifconfig\fR(1M), \fBipsecconf\fR(1M),
\fBndd\fR(1M), \fBpsrset\fR(1M), \fBwpad\fR(1M), \fBzonecfg\fR(1M),
-\fBattributes\fR(5), \fBieee802.3\fR(5), \fBdlpi\fR(7P)
+\fBattributes\fR(5), \fBieee802.3\fR(5), \fBoverlay\fR(5), \fBdlpi\fR(7P)
+.sp
+.LP
+R. Droms, Ed., J. Bound, B. Volz, T. Lemon, C. Perkins, M. Carney. \fIRFC 3315:
+Dynamic Host Configuration Protocol for IPv6 (DHCPv6)\fR. The Internet Society.
+July 2003.
+.sp
+.LP
+T. Lemon, B. Sommerfeld. February 2006. \fIRFC 4361: Node-specific Client
+Identifiers for Dynamic Host Configuration Protocol Version Four (DHCPv4)\fR.
+The Internet Society. January 2006.
.SH NOTES
The preferred method of referring to an aggregation in the aggregation
subcommands is by its link name. Referring to an aggregation by its integer