blob: b7008c6ab13d795c47e0bb928cd0e1457f3c69e3 [file] [log] [blame] [edit]
.TH IP\-RULE 8 "20 Dec 2011" "iproute2" "Linux"
.SH "NAME"
ip-rule \- routing policy database management
.SH "SYNOPSIS"
.sp
.ad l
.in +8
.ti -8
.B ip
.RI "[ " OPTIONS " ]"
.B rule
.RI " { " COMMAND " | "
.BR help " }"
.sp
.ti -8
.B ip rule
.RB " [ " list " | " add " | " del " | " flush " | " save " ]"
.I SELECTOR ACTION
.ti -8
.B ip rule " restore "
.ti -8
.IR SELECTOR " := [ "
.B from
.IR PREFIX " ] [ "
.B to
.IR PREFIX " ] [ "
.B tos
.IR TOS " ] [ "
.B fwmark
.IR FWMARK[/MASK] " ] [ "
.B iif
.IR STRING " ] [ "
.B oif
.IR STRING " ] [ "
.B pref
.IR NUMBER " ]"
.ti -8
.IR ACTION " := [ "
.B table
.IR TABLE_ID " ] [ "
.B nat
.IR ADDRESS " ] [ "
.B realms
.RI "[" SRCREALM "/]" DSTREALM " ]"
.I SUPPRESSOR
.ti -8
.IR SUPPRESSOR " := [ "
.B suppress_prefixlength
.IR NUMBER " ] [ "
.B suppress_ifgroup
.IR GROUP " ]"
.ti -8
.IR TABLE_ID " := [ "
.BR local " | " main " | " default " |"
.IR NUMBER " ]"
.SH DESCRIPTION
.I ip rule
manipulates rules
in the routing policy database control the route selection algorithm.
.P
Classic routing algorithms used in the Internet make routing decisions
based only on the destination address of packets (and in theory,
but not in practice, on the TOS field).
.P
In some circumstances we want to route packets differently depending not only
on destination addresses, but also on other packet fields: source address,
IP protocol, transport protocol ports or even packet payload.
This task is called 'policy routing'.
.P
To solve this task, the conventional destination based routing table, ordered
according to the longest match rule, is replaced with a 'routing policy
database' (or RPDB), which selects routes by executing some set of rules.
.P
Each policy routing rule consists of a
.B selector
and an
.B action predicate.
The RPDB is scanned in order of decreasing priority. The selector
of each rule is applied to {source address, destination address, incoming
interface, tos, fwmark} and, if the selector matches the packet,
the action is performed. The action predicate may return with success.
In this case, it will either give a route or failure indication
and the RPDB lookup is terminated. Otherwise, the RPDB program
continues with the next rule.
.P
Semantically, the natural action is to select the nexthop and the output device.
.P
At startup time the kernel configures the default RPDB consisting of three
rules:
.TP
1.
Priority: 0, Selector: match anything, Action: lookup routing
table
.B local
(ID 255).
The
.B local
table is a special routing table containing
high priority control routes for local and broadcast addresses.
.sp
Rule 0 is special. It cannot be deleted or overridden.
.TP
2.
Priority: 32766, Selector: match anything, Action: lookup routing
table
.B main
(ID 254).
The
.B main
table is the normal routing table containing all non-policy
routes. This rule may be deleted and/or overridden with other
ones by the administrator.
.TP
3.
Priority: 32767, Selector: match anything, Action: lookup routing
table
.B default
(ID 253).
The
.B default
table is empty. It is reserved for some post-processing if no previous
default rules selected the packet.
This rule may also be deleted.
.P
Each RPDB entry has additional
attributes. F.e. each rule has a pointer to some routing
table. NAT and masquerading rules have an attribute to select new IP
address to translate/masquerade. Besides that, rules have some
optional attributes, which routes have, namely
.BR "realms" .
These values do not override those contained in the routing tables. They
are only used if the route did not select any attributes.
.sp
The RPDB may contain rules of the following types:
.RS
.B unicast
- the rule prescribes to return the route found
in the routing table referenced by the rule.
.B blackhole
- the rule prescribes to silently drop the packet.
.B unreachable
- the rule prescribes to generate a 'Network is unreachable' error.
.B prohibit
- the rule prescribes to generate 'Communication is administratively
prohibited' error.
.B nat
- the rule prescribes to translate the source address
of the IP packet into some other value.
.RE
.TP
.B ip rule add - insert a new rule
.TP
.B ip rule delete - delete a rule
.RS
.TP
.BI type " TYPE " (default)
the type of this rule. The list of valid types was given in the previous
subsection.
.TP
.BI from " PREFIX"
select the source prefix to match.
.TP
.BI to " PREFIX"
select the destination prefix to match.
.TP
.BI iif " NAME"
select the incoming device to match. If the interface is loopback,
the rule only matches packets originating from this host. This means
that you may create separate routing tables for forwarded and local
packets and, hence, completely segregate them.
.TP
.BI oif " NAME"
select the outgoing device to match. The outgoing interface is only
available for packets originating from local sockets that are bound to
a device.
.TP
.BI tos " TOS"
.TP
.BI dsfield " TOS"
select the TOS value to match.
.TP
.BI fwmark " MARK"
select the
.B fwmark
value to match.
.TP
.BI priority " PREFERENCE"
the priority of this rule. Each rule should have an explicitly
set
.I unique
priority value.
The options preference and order are synonyms with priority.
.TP
.BI table " TABLEID"
the routing table identifier to lookup if the rule selector matches.
It is also possible to use lookup instead of table.
.TP
.BI suppress_prefixlength " NUMBER"
reject routing decisions that have a prefix length of NUMBER or less.
.TP
.BI suppress_ifgroup " GROUP"
reject routing decisions that use a device belonging to the interface
group GROUP.
.TP
.BI realms " FROM/TO"
Realms to select if the rule matched and the routing table lookup
succeeded. Realm
.I TO
is only used if the route did not select any realm.
.TP
.BI nat " ADDRESS"
The base of the IP address block to translate (for source addresses).
The
.I ADDRESS
may be either the start of the block of NAT addresses (selected by NAT
routes) or a local host address (or even zero).
In the last case the router does not translate the packets, but
masquerades them to this address.
Using map-to instead of nat means the same thing.
.B Warning:
Changes to the RPDB made with these commands do not become active
immediately. It is assumed that after a script finishes a batch of
updates, it flushes the routing cache with
.BR "ip route flush cache" .
.RE
.TP
.B ip rule flush - also dumps all the deleted rules.
This command has no arguments.
.TP
.B ip rule show - list rules
This command has no arguments.
The options list or lst are synonyms with show.
.TP
.B ip rule save
save rules table information to stdout
.RS
This command behaves like
.BR "ip rule show"
except that the output is raw data suitable for passing to
.BR "ip rule restore" .
.RE
.TP
.B ip rule restore
restore rules table information from stdin
.RS
This command expects to read a data stream as returned from
.BR "ip rule save" .
It will attempt to restore the rules table information exactly as
it was at the time of the save. Any rules already in the table are
left unchanged, and duplicates are not ignored.
.RE
.SH SEE ALSO
.br
.BR ip (8)
.SH AUTHOR
Original Manpage by Michail Litvak <mci@owl.openwall.com>