Documentation
Overview
Package ip implements the ip builtin command.
ip — show network interfaces, addresses, and routing
Usage: ip [GLOBAL-OPTIONS] OBJECT [COMMAND [ARGUMENTS]]
Query network interface and routing information. Only read-only subcommands are supported. All write operations (add, del, flush, change, replace, set) and dangerous execution vectors (netns exec, -batch, -force) are rejected with exit code 1.
GLOBAL OPTIONS
-o, --oneline
Output each record on a single line; internal newlines are represented
by a backslash followed by the continuation content (matching real ip
-o format). Useful for machine parsing by AI agents.
--brief
Print a compact tabular summary: interface name, state, and addresses
only. Can be combined with -4/-6. (Note: the real ip command uses
-br as a shorthand; this builtin uses --brief instead.)
-4
Restrict output to IPv4 only (for addr/link; route always uses IPv4).
-6
Restrict address output to IPv6 only. Not supported for route.
-h, --help
Print this usage message to stdout and exit 0.
OBJECTS AND COMMANDS
addr [show] [dev IFNAME]
Show IP addresses assigned to all network interfaces, or to the
single interface named IFNAME when "dev IFNAME" is given.
"show" is the default command when no command is specified.
link [show] [dev IFNAME]
Show link-layer information (MTU, hardware address, flags) for all
interfaces, or for the single interface named IFNAME.
"show" is the default command when no command is specified.
route [show|list]
Show the IPv4 routing table, read from /proc/net/route.
Only supported on Linux; returns an error on other platforms.
route get ADDRESS
Show the route that would be used to reach ADDRESS, selected by
longest-prefix-match over the IPv4 routing table.
Only supported on Linux; returns an error on other platforms.
BLOCKED FLAGS AND SUBCOMMANDS (exit 1 with an explanatory error)
-b, -B, -batch    Reads ip commands from FILE — arbitrary command execution vector (GTFOBins).
-force            Suppresses errors; companion to -batch (GTFOBins).
-n, --netns       Switches network namespace — privilege escalation.
ip netns          Network namespace management — shell escape via "ip netns exec <ns> <cmd>".
addr add/del/flush/change/replace      Write operations (blocked).
link set/add/del/change                Write operations (blocked).
route add/del/delete/change/replace    Write operations (blocked).
route flush/save/restore               Write operations (blocked).
Exit codes:
0 Query completed successfully.
1 Unknown subcommand, unsupported flag, write operation attempted, unsupported platform (route), or the named interface does not exist.
Network access:
addr and link use Go's net.Interfaces() for read-only enumeration of OS network interfaces and their addresses; the AllowedPaths sandbox is not involved.
route reads /proc/net/route via builtins/internal/procnetroute using os.Open directly (Linux only); the AllowedPaths sandbox is not involved.
Memory safety for route:
/proc/net/route is read line-by-line with a per-line cap of MaxLineBytes (1 MiB). At most MaxRoutes (10 000) entries are loaded. All read loops check ctx.Err() at each iteration to honour the execution timeout.
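The bounded read described above, as an added example that is not taken from the package's source: readRoutes, route and hexIPv4 are hypothetical names, and the two caps reuse the values stated on this page. It assumes a little-endian host (address fields are byte-reversed hex) and that loading simply stops once the entry cap is reached.

```go
package main

import (
	"bufio"
	"context"
	"encoding/hex"
	"fmt"
	"io"
	"net"
	"strings"
)

const maxLineBytes, maxRoutes = 1 << 20, 10000 // caps stated on the page

type route struct { // hypothetical record type for this example
	Iface string
	Dst   net.IPNet
}

func hexIPv4(s string) []byte { // 8 hex digits; little-endian host assumed
	if b, err := hex.DecodeString(s); err == nil && len(b) == 4 {
		return []byte{b[3], b[2], b[1], b[0]}
	}
	return nil
}

// readRoutes parses route-table text with bounded memory and cancellation.
func readRoutes(ctx context.Context, r io.Reader) (out []route, err error) {
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 0, 4096), maxLineBytes) // longer line: bufio.ErrTooLong
	for len(out) < maxRoutes && sc.Scan() {        // stop loading at the entry cap
		if err = ctx.Err(); err != nil { // honour the timeout on every iteration
			return nil, err
		}
		f := strings.Fields(sc.Text())
		if len(f) < 8 || f[0] == "Iface" {
			continue // header or truncated row
		}
		if dst, mask := hexIPv4(f[1]), hexIPv4(f[7]); dst != nil && mask != nil {
			out = append(out, route{f[0], net.IPNet{IP: dst, Mask: mask}})
		} // rows with malformed fields are skipped (a choice made here)
	}
	return out, sc.Err()
}

func main() { // constructed sample: header plus one row for 192.168.1.0/24
	sample := "Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\n" +
		"eth0\t0001A8C0\t00000000\t0001\t0\t0\t100\t00FFFFFF\n"
	fmt.Println(readRoutes(context.Background(), strings.NewReader(sample)))
}
```

Without the sc.Buffer call, bufio.Scanner falls back to its default 64 KiB token limit, so the explicit cap is what makes the per-line bound a deliberate, documented value.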
Output differences from real ip:
The qdisc field is omitted from interface header lines. For route show/list, the proto/scope/src fields are not included (not available from /proc/net/route alone). For route get, the src, uid, and cache fields present in real ip-route(8) output are also omitted (not derivable from /proc/net/route alone).
Index
Constants
const MaxLineBytes = procnetroute.MaxLineBytes
MaxLineBytes re-exports the procnetroute constant for test access.
Variables
var Cmd = builtins.Command{
Name: "ip",
Description: "show network interface and routing information",
MakeFlags: registerFlags,
}
Cmd is the ip builtin command descriptor.
var ProcNetRoutePath = procnetroute.DefaultProcPath
ProcNetRoutePath is the proc filesystem root used to locate the routing table. ReadRoutes opens ProcNetRoutePath/net/route.
Concurrency contract: this variable is written only in tests (via the writeProcNetRoute helper) and is never mutated by production code after package initialization. Production callers therefore need no lock to read it. Test code that mutates ProcNetRoutePath must hold procNetRouteMu (defined in ip_linux_test.go) for the duration of the test to serialise test mutations and prevent races between concurrent test goroutines.
Functions
This section is empty.
Types
This section is empty.