IP-RULE(8)                           Linux                          IP-RULE(8)

NAME
       ip-rule - routing policy database management

SYNOPSIS
       ip [ OPTIONS ] rule { COMMAND | help }

       ip rule [ list [ SELECTOR ]]

       ip rule { add | del } SELECTOR ACTION

       ip rule { flush | save | restore }

       SELECTOR := [ not ] [ from PREFIX ] [ to PREFIX ] [ tos TOS ]
               [ fwmark FWMARK[/MASK] ] [ iif STRING ] [ oif STRING ]
               [ pref NUMBER ] [ l3mdev ]

       ACTION := [ table TABLE_ID ] [ nat ADDRESS ]
               [ realms [SRCREALM/]DSTREALM ] [ goto NUMBER ] SUPPRESSOR

       SUPPRESSOR := [ suppress_prefixlength NUMBER ]
               [ suppress_ifgroup GROUP ]

       TABLE_ID := [ local | main | default | NUMBER ]

DESCRIPTION
       ip rule manipulates rules in the routing policy database, which
       controls the route selection algorithm.

       Classic routing algorithms used in the Internet make routing decisions
       based only on the destination address of packets (and in theory, but
       not in practice, on the TOS field).

       In some circumstances we want to route packets differently depending
       not only on destination addresses, but also on other packet fields:
       source address, IP protocol, transport protocol ports or even packet
       payload. This task is called 'policy routing'.

       To solve this task, the conventional destination based routing table,
       ordered according to the longest match rule, is replaced with a
       'routing policy database' (or RPDB), which selects routes by executing
       some set of rules.

       Each policy routing rule consists of a selector and an action
       predicate. The RPDB is scanned in order of decreasing priority (note
       that lower number means higher priority, see the description of
       PREFERENCE below). The selector of each rule is applied to {source
       address, destination address, incoming interface, tos, fwmark} and,
       if the selector matches the packet, the action is performed. If the
       action predicate returns with success, it yields either a route or a
       failure indication and the RPDB lookup terminates. Otherwise, the
       lookup continues with the next rule.

       Semantically, the natural action is to select the nexthop and the
       output device.

       At startup time the kernel configures the default RPDB consisting of
       three rules:

       1.     Priority: 0, Selector: match anything, Action: lookup routing
              table local (ID 255). The local table is a special routing
              table containing high priority control routes for local and
              broadcast addresses.

       2.     Priority: 32766, Selector: match anything, Action: lookup
              routing table main (ID 254). The main table is the normal
              routing table containing all non-policy routes. This rule may
              be deleted and/or overridden with other ones by the
              administrator.

       3.     Priority: 32767, Selector: match anything, Action: lookup
              routing table default (ID 253). The default table is empty. It
              is reserved for some post-processing if no previous default
              rules selected the packet. This rule may also be deleted.

       Each RPDB entry has additional attributes. For example, each rule has
       a pointer to some routing table. NAT and masquerading rules have an
       attribute to select the new IP address to translate/masquerade.
       Besides that, rules have some optional attributes which routes also
       have, namely realms. These values do not override those contained in
       the routing tables; they are only used if the route did not select
       any attributes.

       The RPDB may contain rules of the following types:

              unicast - the rule prescribes to return the route found in the
              routing table referenced by the rule.

              blackhole - the rule prescribes to silently drop the packet.

              unreachable - the rule prescribes to generate a 'Network is
              unreachable' error.

              prohibit - the rule prescribes to generate a 'Communication is
              administratively prohibited' error.

              nat - the rule prescribes to translate the source address of
              the IP packet into some other value.

   ip rule add - insert a new rule

   ip rule delete - delete a rule

       type TYPE (default)
              the type of this rule. The list of valid types was given in
              the previous subsection.

       from PREFIX
              select the source prefix to match.

       to PREFIX
              select the destination prefix to match.

       iif NAME
              select the incoming device to match. If the interface is
              loopback, the rule only matches packets originating from this
              host. This means that you may create separate routing tables
              for forwarded and local packets and, hence, completely
              segregate them.

       oif NAME
              select the outgoing device to match. The outgoing interface is
              only available for packets originating from local sockets that
              are bound to a device.

       tos TOS

       dsfield TOS
              select the TOS value to match.

       fwmark MARK
              select the fwmark value to match.

       priority PREFERENCE
              the priority of this rule. PREFERENCE is an unsigned integer
              value, higher number means lower priority, and rules get
              processed in order of increasing number. Each rule should have
              an explicitly set unique priority value. The options
              preference and order are synonyms with priority.

       table TABLEID
              the routing table identifier to lookup if the rule selector
              matches. It is also possible to use lookup instead of table.

       suppress_prefixlength NUMBER
              reject routing decisions that have a prefix length of NUMBER
              or less.

       suppress_ifgroup GROUP
              reject routing decisions that use a device belonging to the
              interface group GROUP.

       realms FROM/TO
              Realms to select if the rule matched and the routing table
              lookup succeeded. Realm TO is only used if the route did not
              select any realm.

       nat ADDRESS
              The base of the IP address block to translate (for source
              addresses). The ADDRESS may be either the start of the block
              of NAT addresses (selected by NAT routes) or a local host
              address (or even zero). In the last case the router does not
              translate the packets, but masquerades them to this address.
              Using map-to instead of nat means the same thing.

       Warning: Changes to the RPDB made with these commands do not become
       active immediately. It is assumed that after a script finishes a
       batch of updates, it flushes the routing cache with ip route flush
       cache.
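       To make the scan order, the 'not' selector and suppress_prefixlength
       described above concrete, here is an added Python model of the RPDB
       lookup. It is not part of iproute2; it parses constructed `ip rule
       show` output against constructed routing tables and replays, for one
       packet, which rule's action ends the lookup.

```python
import ipaddress

# Constructed `ip rule show` output (not from a real host): negated fwmark rule,
# main guarded by a suppressor, source-routed subnet, blackhole, default main rule.
SAMPLE_RULES = """\
32763:\tnot from all fwmark 0xca6c lookup 51820
32764:\tfrom all lookup main suppress_prefixlength 0
32765:\tfrom 192.0.2.0/24 lookup 100
32766:\tfrom 198.51.100.0/24 blackhole
32766:\tfrom all lookup main
"""
# Constructed routing tables: table id -> destination prefixes it holds.
TABLES = {"main": ["0.0.0.0/0", "10.0.0.0/8"], "100": ["0.0.0.0/0"], "51820": ["0.0.0.0/0"]}
def parse_rule(line):
    """Parse one `ip rule show` line into a dict (from/fwmark selectors, action, suppressor)."""
    prio, rest = line.split(":", 1)
    t = rest.split() + [""]                # sentinel so t[i + 1] always exists
    r = {"prio": int(prio), "not": t[0] == "not", "from": None,
         "fwmark": (0, 0), "action": None, "suppress": -1}
    for i, k in enumerate(t):
        if k == "from":
            r["from"] = None if t[i + 1] == "all" else t[i + 1]
        elif k == "fwmark":                # MARK[/MASK], hex as ip prints it
            mark, _, mask = t[i + 1].partition("/")
            r["fwmark"] = (int(mark, 16), int(mask, 16) if mask else 0xffffffff)
        elif k == "lookup":
            r["action"] = ("lookup", t[i + 1])
        elif k == "suppress_prefixlength":
            r["suppress"] = int(t[i + 1])
        elif k in ("blackhole", "unreachable", "prohibit"):
            r["action"] = (k, None)
    return r
def parse_rules(text):
    # Lower priority number is scanned first; the sort is stable, so ties keep order.
    return sorted(map(parse_rule, text.splitlines()), key=lambda r: r["prio"])
def selector_matches(r, pkt):
    # Apply {from, fwmark} to a packet; a leading 'not' inverts the outcome.
    ok = (r["from"] is None or ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(r["from"])) \
        and ((pkt.get("mark", 0) ^ r["fwmark"][0]) & r["fwmark"][1]) == 0
    return ok != r["not"]
def rpdb_lookup(rules, pkt):
    """Scan the RPDB in priority order; the first action that succeeds ends the lookup."""
    dst = ipaddress.ip_address(pkt["dst"])
    for r in (x for x in rules if selector_matches(x, pkt)):
        kind, table = r["action"]
        if kind != "lookup":
            return kind                    # blackhole / unreachable / prohibit
        hits = [ipaddress.ip_network(p).prefixlen for p in TABLES[table] if dst in ipaddress.ip_network(p)]
        if not hits or max(hits) <= r["suppress"]:
            continue                       # no route, or route suppressed: next rule
        return "table " + table
    return "unreachable"                   # fell off the end of the RPDB
```

       Feeding real `ip rule show` output to parse_rules shows which table an
       unmarked versus a marked packet would reach; to, iif, oif and tos
       selectors are not modelled.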
   ip rule flush - also dumps all the deleted rules.
       This command has no arguments.

   ip rule show - list rules
       This command has no arguments. The options list or lst are synonyms
       with show.

   ip rule save
       save rules table information to stdout
       This command behaves like ip rule show except that the output is raw
       data suitable for passing to ip rule restore.

   ip rule restore
       restore rules table information from stdin
       This command expects to read a data stream as returned from ip rule
       save. It will attempt to restore the rules table information exactly
       as it was at the time of the save. Any rules already in the table are
       left unchanged, and duplicates are not ignored.

SEE ALSO
       ip(8)

AUTHOR
       Original Manpage by Michail Litvak <mci@owl.openwall.com>

iproute2                          20 Dec 2011                        IP-RULE(8)