IP-RULE(8)                           Linux                          IP-RULE(8)



NAME

       ip-rule - routing policy database management


SYNOPSIS

       ip [ OPTIONS ] rule { COMMAND | help }


       ip rule [ list [ SELECTOR ]]

       ip rule { add | del } SELECTOR ACTION

       ip rule { flush | save | restore }

       SELECTOR := [ not ] [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ fwmark
               FWMARK[/MASK] ] [ iif STRING ] [ oif STRING ] [ pref NUMBER ] [
               l3mdev ] [ uidrange NUMBER-NUMBER ] [ ipproto PROTOCOL ] [
               sport [ NUMBER | NUMBER-NUMBER ] ] [ dport [ NUMBER |
               NUMBER-NUMBER ] ] [ tun_id TUN_ID ]


       ACTION := [ table TABLE_ID ] [ protocol PROTO ] [ nat ADDRESS ] [
               realms [SRCREALM/]DSTREALM ] [ goto NUMBER ] SUPPRESSOR

       SUPPRESSOR := [ suppress_prefixlength NUMBER ] [ suppress_ifgroup GROUP ]

       TABLE_ID := [ local | main | default | NUMBER ]



DESCRIPTION

       ip rule manipulates rules in the routing policy database that control
       the route selection algorithm.


       Classic routing algorithms used in the Internet make routing decisions
       based only on the destination address of packets (and in theory, but
       not in practice, on the TOS field).


       In some circumstances we want to route packets differently depending
       not only on destination addresses, but also on other packet fields:
       source address, IP protocol, transport protocol ports or even packet
       payload.  This task is called 'policy routing'.


       To solve this task, the conventional destination based routing table,
       ordered according to the longest match rule, is replaced with a
       'routing policy database' (or RPDB), which selects routes by executing
       some set of rules.


       Each policy routing rule consists of a selector and an action
       predicate.  The RPDB is scanned in order of decreasing priority (note
       that a lower number means higher priority, see the description of
       PREFERENCE below). The selector of each rule is applied to {source
       address, destination address, incoming interface, tos, fwmark} and, if
       the selector matches the packet, the action is performed. If the action
       predicate succeeds, it returns either a route or a failure indication
       and the RPDB lookup terminates. Otherwise, the RPDB scan continues with
       the next rule.


       Semantically, the natural action is to select the nexthop and the
       output device.
69
70
       At startup time the kernel configures the default RPDB consisting of
       three rules:


       1.     Priority: 0, Selector: match anything, Action: lookup routing
              table local (ID 255).  The local table is a special routing
              table containing high priority control routes for local and
              broadcast addresses.


       2.     Priority: 32766, Selector: match anything, Action: lookup
              routing table main (ID 254).  The main table is the normal
              routing table containing all non-policy routes. This rule may be
              deleted and/or overridden with other ones by the administrator.


       3.     Priority: 32767, Selector: match anything, Action: lookup
              routing table default (ID 253).  The default table is empty. It
              is reserved for some post-processing if no previous default
              rules selected the packet.  This rule may also be deleted.


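       The scan described above can be made concrete with a small simulator.
       The following Python is an added example, not iproute2 code: it models
       rules with from/to/iif/fwmark selectors, unicast table lookups with
       longest-prefix match, the blackhole/unreachable/prohibit actions,
       suppress_prefixlength and the three default rules, over a constructed
       set of tables that use RFC 5737 documentation addresses.

```python
import ipaddress

class Rule:
    def __init__(self, pref, action="unicast", table=None, src=None, dst=None,
                 iif=None, fwmark=None, suppress_prefixlength=None):
        self.pref, self.action, self.table = pref, action, table
        self.src = ipaddress.ip_network(src) if src else None
        self.dst = ipaddress.ip_network(dst) if dst else None
        self.iif, self.fwmark, self.suppress = iif, fwmark, suppress_prefixlength

    def matches(self, pkt):
        # Selector: every given field must match; absent fields match anything.
        return ((self.src is None or pkt["src"] in self.src)
                and (self.dst is None or pkt["dst"] in self.dst)
                and (self.iif is None or pkt.get("iif") == self.iif)
                and (self.fwmark is None or pkt.get("fwmark") == self.fwmark))

def lookup_table(table, dst):
    """Longest-prefix match over (prefix, nexthop) pairs; None if no route."""
    best = None
    for prefix, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best

def rpdb_lookup(rules, tables, pkt):
    """Scan rules by increasing preference number, i.e. decreasing priority."""
    pkt = dict(pkt, src=ipaddress.ip_address(pkt["src"]), dst=ipaddress.ip_address(pkt["dst"]))
    for rule in sorted(rules, key=lambda r: r.pref):
        if not rule.matches(pkt):
            continue
        if rule.action != "unicast":
            return rule.action        # blackhole/unreachable/prohibit end the lookup
        route = lookup_table(tables.get(rule.table, []), pkt["dst"])
        if route is None:
            continue                  # table gave no route: fall through to next rule
        if rule.suppress is not None and route[0].prefixlen <= rule.suppress:
            continue                  # suppress_prefixlength rejects this decision
        return route[1]
    return "unreachable"              # no rule produced a route

# Constructed sample host (RFC 5737 documentation addresses), not a real system.
TABLES = {"local": [("127.0.0.0/8", "local")],
          "main": [("192.168.1.0/24", "dev eth0"), ("0.0.0.0/0", "via 192.168.1.1")],
          "100": [("0.0.0.0/0", "via 192.0.2.1")]}        # e.g. a tunnel's own default
RULES = [Rule(0, table="local"), Rule(32766, table="main"), Rule(32767, table="default"),
         Rule(50, action="blackhole", dst="203.0.113.0/24"),
         Rule(99, table="main", suppress_prefixlength=0),  # consult main, minus its default
         Rule(100, table="100", src="10.0.0.0/24")]        # source-based policy route
if __name__ == "__main__":
    print(rpdb_lookup(RULES, TABLES, {"src": "10.0.0.5", "dst": "198.51.100.9"}))
```

       Rule 99 with suppress_prefixlength 0 lets the main table answer for
       directly connected prefixes while its default route is rejected, so
       traffic from 10.0.0.0/24 falls through to table 100.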
       Each RPDB entry has additional attributes. For example, each rule has a
       pointer to some routing table. NAT and masquerading rules have an
       attribute to select the new IP address to translate/masquerade. Besides
       that, rules have some optional attributes which routes also have,
       namely realms.  These values do not override those contained in the
       routing tables. They are only used if the route did not select any
       attributes.


       The RPDB may contain rules of the following types:

              unicast - the rule prescribes to return the route found in the
              routing table referenced by the rule.

              blackhole - the rule prescribes to silently drop the packet.

              unreachable - the rule prescribes to generate a 'Network is
              unreachable' error.

              prohibit - the rule prescribes to generate a 'Communication is
              administratively prohibited' error.

              nat - the rule prescribes to translate the source address of the
              IP packet into some other value.
116
117
       ip rule add - insert a new rule

       ip rule delete - delete a rule

              type TYPE (default)
                     the type of this rule. The list of valid types was given
                     in the previous subsection.


              from PREFIX
                     select the source prefix to match.


              to PREFIX
                     select the destination prefix to match.


              iif NAME
                     select the incoming device to match. If the interface is
                     loopback, the rule only matches packets originating from
                     this host. This means that you may create separate
                     routing tables for forwarded and local packets and,
                     hence, completely segregate them.


              oif NAME
                     select the outgoing device to match. The outgoing
                     interface is only available for packets originating from
                     local sockets that are bound to a device.


              tos TOS

              dsfield TOS
                     select the TOS value to match.


              fwmark MARK
                     select the fwmark value to match.


              uidrange NUMBER-NUMBER
                     select the uid value to match.


              ipproto PROTOCOL
                     select the ip protocol value to match.


              sport NUMBER | NUMBER-NUMBER
                     select the source port value to match. Supports a port
                     range.


              dport NUMBER | NUMBER-NUMBER
                     select the destination port value to match. Supports a
                     port range.


              priority PREFERENCE
                     the priority of this rule.  PREFERENCE is an unsigned
                     integer value; a higher number means lower priority, and
                     rules get processed in order of increasing number. Each
                     rule should have an explicitly set unique priority value.
                     The options preference and order are synonyms for
                     priority.


              table TABLEID
                     the routing table identifier to look up if the rule
                     selector matches.  It is also possible to use lookup
                     instead of table.


              protocol PROTO
                     the routing protocol that installed the rule in question.
                     As an example, when zebra installs a rule it would get
                     RTPROT_ZEBRA as the installing protocol.


              suppress_prefixlength NUMBER
                     reject routing decisions that have a prefix length of
                     NUMBER or less.


              suppress_ifgroup GROUP
                     reject routing decisions that use a device belonging to
                     the interface group GROUP.


              realms FROM/TO
                     Realms to select if the rule matched and the routing
                     table lookup succeeded. Realm TO is only used if the
                     route did not select any realm.


              nat ADDRESS
                     The base of the IP address block to translate (for source
                     addresses).  The ADDRESS may be either the start of the
                     block of NAT addresses (selected by NAT routes) or a
                     local host address (or even zero).  In the last case the
                     router does not translate the packets, but masquerades
                     them to this address.  Using map-to instead of nat means
                     the same thing.

       Warning: Changes to the RPDB made with these commands do not become
       active immediately. It is assumed that after a script finishes a batch
       of updates, it flushes the routing cache with ip route flush cache.

       ip rule flush - also dumps all the deleted rules.

              protocol PROTO
                     Select the originating protocol.

       ip rule show - list rules
              This command has no arguments.  The options list or lst are
              synonyms for show.


       ip rule save - save rules table information to stdout
              This command behaves like ip rule show except that the output is
              raw data suitable for passing to ip rule restore.

              protocol PROTO
                     Select the originating protocol.


       ip rule restore - restore rules table information from stdin
              This command expects to read a data stream as returned from ip
              rule save.  It will attempt to restore the rules table
              information exactly as it was at the time of the save. Any rules
              already in the table are left unchanged, and duplicates are not
              ignored.



SEE ALSO

       ip(8)



AUTHOR

       Original Manpage by Michail Litvak <mci@owl.openwall.com>



iproute2                          20 Dec 2011                       IP-RULE(8)