oasis-root

Compiled tree of Oasis Linux based on own branch at <https://hacktivis.me/git/oasis/> git clone https://anongit.hacktivis.me/git/oasis-root.git

ip-rule.8 (8329B)


.TH IP\-RULE 8 "20 Dec 2011" "iproute2" "Linux"
.SH "NAME"
ip-rule \- routing policy database management
.SH "SYNOPSIS"
.sp
.ad l
.in +8
.ti -8
.B ip
.RI "[ " OPTIONS " ]"
.B rule
.RI "{ " COMMAND " | "
.BR help " }"
.sp
.ti -8
.B ip rule
.RB "[ " show
.RI "[ " SELECTOR " ]]"
.ti -8
.B ip rule
.RB "{ " add " | " del " }"
.I SELECTOR ACTION
.ti -8
.B ip rule
.RB "{ " flush " | " save " | " restore " }"
.ti -8
.IR SELECTOR " := [ "
.BR not " ] ["
.B from
.IR PREFIX " ] [ "
.B to
.IR PREFIX " ] [ "
.B tos
.IR TOS " ] [ "
.B fwmark
.IR FWMARK\fR[\fB/\fIMASK "] ] [ "
.B iif
.IR STRING " ] [ "
.B oif
.IR STRING " ] [ "
.B priority
.IR PREFERENCE " ] [ "
.IR l3mdev " ] [ "
.B uidrange
.IR NUMBER "-" NUMBER " ] [ "
.B ipproto
.IR PROTOCOL " ] [ "
.BR sport " [ "
.IR NUMBER " | "
.IR NUMBER "-" NUMBER " ] ] [ "
.BR dport " [ "
.IR NUMBER " | "
.IR NUMBER "-" NUMBER " ] ] [ "
.B tun_id
.IR TUN_ID " ]"
.BR
.ti -8
.IR ACTION " := [ "
.B table
.IR TABLE_ID " ] [ "
.B protocol
.IR PROTO " ] [ "
.B nat
.IR ADDRESS " ] [ "
.B realms
.RI "[" SRCREALM "\fB/\fR]" DSTREALM " ] ["
.B goto
.IR NUMBER " ] " SUPPRESSOR
.ti -8
.IR SUPPRESSOR " := [ "
.B suppress_prefixlength
.IR NUMBER " ] [ "
.B suppress_ifgroup
.IR GROUP " ]"
.ti -8
.IR TABLE_ID " := [ "
.BR local " | " main " | " default " |"
.IR NUMBER " ]"
.SH DESCRIPTION
.I ip rule
manipulates rules
in the routing policy database that controls the route selection algorithm.
.P
Classic routing algorithms used in the Internet make routing decisions
based only on the destination address of packets (and in theory,
but not in practice, on the TOS field).
.P
In some circumstances, we want to route packets differently depending not only
on destination addresses but also on other packet fields: source address,
IP protocol, transport protocol ports or even packet payload.
This task is called 'policy routing'.
.P
To solve this task, the conventional destination based routing table, ordered
according to the longest match rule, is replaced with a 'routing policy
database' (or RPDB), which selects routes by executing some set of rules.
.P
Each policy routing rule consists of a
.B selector
and an
.B action predicate.
The RPDB is scanned in order of decreasing priority (note that a lower number
means higher priority, see the description of
.I PREFERENCE
below). The selector
of each rule is applied to {source address, destination address, incoming
interface, tos, fwmark} and, if the selector matches the packet,
the action is performed. If the action predicate returns with success,
it gives either a route or a failure indication and the RPDB lookup
is terminated. Otherwise, the RPDB program continues with the next rule.
.P
Semantically, the natural action is to select the nexthop and the output device.
.P
At startup time the kernel configures the default RPDB consisting of three
rules:
.TP
1.
Priority: 0, Selector: match anything, Action: lookup routing
table
.B local
(ID 255).
The
.B local
table is a special routing table containing
high priority control routes for local and broadcast addresses.
.TP
2.
Priority: 32766, Selector: match anything, Action: lookup routing
table
.B main
(ID 254).
The
.B main
table is the normal routing table containing all non-policy
routes. This rule may be deleted and/or overridden with other
ones by the administrator.
.TP
3.
Priority: 32767, Selector: match anything, Action: lookup routing
table
.B default
(ID 253).
The
.B default
table is empty. It is reserved for some post-processing if no previous
default rules selected the packet.
This rule may also be deleted.
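The scan described above (rules tried in order of increasing priority number, a table lookup that yields no route or is suppressed falling through to the next rule, drop-type rules terminating the lookup) as an added Python model. This is example code, not iproute2 or kernel code; it covers only the from/to/iif/fwmark/not selectors and the table, suppress_prefixlength, blackhole, unreachable and prohibit actions, and the tables, rules and packets in it are constructed for illustration.

```python
"""Toy model of the RPDB lookup described in ip-rule(8).

Added example, not iproute2 or kernel code.  It models a subset of the
selectors (from, to, iif, fwmark, not) and actions (table lookup with
suppress_prefixlength, blackhole, unreachable, prohibit) and scans the
rules in order of increasing priority number.  Tables, rules and packets
are constructed for illustration; a locally generated packet is
represented with iif "lo", following the ip-rule(8) note that a loopback
iif matches packets originating from this host.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Routing tables: table id -> list of (prefix, nexthop).  Inside a table
# the conventional longest-prefix match applies.
TABLES = {
    255: [("127.0.0.0/8", "lo"), ("192.168.1.10/32", "lo")],              # local
    254: [("192.168.1.0/24", "eth0"), ("0.0.0.0/0", "via 192.168.1.1")],  # main
    253: [],                                                               # default
    100: [("0.0.0.0/0", "via 10.8.0.1 dev tun0")],                         # constructed VPN table
}


def table_lookup(table, dst):
    """Longest-prefix match; returns (network, nexthop) or None."""
    best = None
    for prefix, nexthop in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best


@dataclass
class Rule:
    priority: int
    action: str                      # "table", "blackhole", "unreachable" or "prohibit"
    table: int = 0
    src: Optional[str] = None        # from PREFIX
    dst: Optional[str] = None        # to PREFIX
    iif: Optional[str] = None
    fwmark: Optional[int] = None
    invert: bool = False             # the "not" keyword
    suppress_prefixlength: Optional[int] = None


def selector_matches(rule, pkt):
    """Apply the rule's selector to the packet; "not" inverts the result."""
    matched = True
    if rule.src is not None and ip_address(pkt["src"]) not in ip_network(rule.src):
        matched = False
    if rule.dst is not None and ip_address(pkt["dst"]) not in ip_network(rule.dst):
        matched = False
    if rule.iif is not None and pkt["iif"] != rule.iif:
        matched = False
    if rule.fwmark is not None and pkt.get("fwmark", 0) != rule.fwmark:
        matched = False
    return matched != rule.invert


def rpdb_lookup(rules, tables, pkt):
    """Scan rules by increasing priority number (decreasing priority).

    Returns ("route", nexthop), ("blackhole"|"unreachable"|"prohibit", None)
    or ("no route", None) when every rule was exhausted.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if not selector_matches(rule, pkt):
            continue
        if rule.action in ("blackhole", "unreachable", "prohibit"):
            return (rule.action, None)
        found = table_lookup(tables.get(rule.table, []), ip_address(pkt["dst"]))
        if found is None:
            continue                           # table gave no route: next rule
        net, nexthop = found
        if (rule.suppress_prefixlength is not None
                and net.prefixlen <= rule.suppress_prefixlength):
            continue                           # decision suppressed: next rule
        return ("route", nexthop)
    return ("no route", None)


# Constructed policy: the three default rules plus a typical policy set.
RULES = [
    Rule(0, "table", table=255),
    Rule(1000, "table", table=254, suppress_prefixlength=0),  # main, but never its default route
    Rule(1500, "blackhole", dst="203.0.113.0/24"),
    Rule(2000, "table", table=100, fwmark=0x1),               # marked traffic goes via the VPN
    Rule(2500, "prohibit", iif="lo", invert=True),            # not locally generated: prohibit
    Rule(32766, "table", table=254),
    Rule(32767, "table", table=253),
]

if __name__ == "__main__":
    for pkt in (
        {"src": "192.168.1.10", "dst": "192.168.1.50", "iif": "lo", "fwmark": 1},
        {"src": "192.168.1.10", "dst": "198.51.100.7", "iif": "lo", "fwmark": 1},
        {"src": "192.168.1.10", "dst": "198.51.100.7", "iif": "lo"},
        {"src": "10.1.1.1", "dst": "198.51.100.7", "iif": "eth0"},
    ):
        print(pkt["dst"], pkt["iif"], pkt.get("fwmark", 0), "->", rpdb_lookup(RULES, TABLES, pkt))
```

The rule at priority 1000 shows why suppress_prefixlength matters: the main table is consulted for directly connected networks, but its default route (prefix length 0) is rejected so that the marked-traffic rule at 2000 still gets a chance, exactly the "continue with the next rule" behaviour the text describes.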
.P
Each RPDB entry has additional
attributes. For example, each rule has a pointer to some routing
table. NAT and masquerading rules have an attribute to select the new IP
address to translate/masquerade. Besides that, rules have some
optional attributes, which routes have, namely
.BR "realms" .
These values do not override those contained in the routing tables. They
are only used if the route did not select any attributes.
.sp
The RPDB may contain rules of the following types:
.RS
.B unicast
- the rule returns the route found
in the routing table referenced by the rule.
.B blackhole
- the rule causes the packet to be silently dropped.
.B unreachable
- the rule generates a 'Network is unreachable' error.
.B prohibit
- the rule generates a 'Communication is administratively
prohibited' error.
.B nat
- the rule translates the source address
of the IP packet into some other value.
.RE
.TP
.B ip rule add - insert a new rule
.TP
.B ip rule delete - delete a rule
.RS
.TP
.BI type " TYPE " (default)
the type of this rule. The list of valid types was given in the previous
subsection.
.TP
.BI from " PREFIX"
select the source prefix to match.
.TP
.BI to " PREFIX"
select the destination prefix to match.
.TP
.BI iif " NAME"
select the incoming device to match. If the interface is loopback,
the rule only matches packets originating from this host. This means
that you may create separate routing tables for forwarded and local
packets and, hence, completely segregate them.
.TP
.BI oif " NAME"
select the outgoing device to match. The outgoing interface is only
available for packets originating from local sockets that are bound to
a device.
.TP
.BI tos " TOS"
.TP
.BI dsfield " TOS"
select the TOS value to match.
.TP
.BI fwmark " MARK"
select the
.B fwmark
value to match.
.TP
.BI uidrange " NUMBER-NUMBER"
select the
.B uid
value to match.
.TP
.BI ipproto " PROTOCOL"
select the ip protocol value to match.
.TP
.BI sport " NUMBER | NUMBER-NUMBER"
select the source port value to match. Supports port ranges.
.TP
.BI dport " NUMBER | NUMBER-NUMBER"
select the destination port value to match. Supports port ranges.
.TP
.BI priority " PREFERENCE"
the priority of this rule.
.I PREFERENCE
is an unsigned integer value, higher number means lower priority, and rules get
processed in order of increasing number. Each rule
should have an explicitly set
.I unique
priority value.
The options preference and order are synonyms with priority.
.TP
.BI table " TABLEID"
the routing table identifier to lookup if the rule selector matches.
It is also possible to use lookup instead of table.
.TP
.BI protocol " PROTO"
the routing protocol that installed the rule in question. As an example, when zebra installs a rule it would get RTPROT_ZEBRA as the installing protocol.
.TP
.BI suppress_prefixlength " NUMBER"
reject routing decisions that have a prefix length of NUMBER or less.
.TP
.BI suppress_ifgroup " GROUP"
reject routing decisions that use a device belonging to the interface
group GROUP.
.TP
.BI realms " FROM/TO"
Realms to select if the rule matched and the routing table lookup
succeeded. Realm
.I TO
is only used if the route did not select any realm.
.TP
.BI nat " ADDRESS"
The base of the IP address block to translate (for source addresses).
The
.I ADDRESS
may be either the start of the block of NAT addresses (selected by NAT
routes) or a local host address (or even zero).
In the last case the router does not translate the packets, but
masquerades them to this address.
Using map-to instead of nat means the same thing.
.B Warning:
Changes to the RPDB made with these commands do not become active
immediately. It is assumed that after a script finishes a batch of
updates, it flushes the routing cache with
.BR "ip route flush cache" .
.RE
.TP
.B ip rule flush - also dumps all the deleted rules.
.RS
.TP
.BI protocol " PROTO"
Select the originating protocol.
.RE
.TP
.B ip rule show - list rules
This command has no arguments.
The options list or lst are synonyms with show.
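An added Python example (not iproute2 code) that parses the text `ip rule show` prints and audits it against the guidance given for the add/delete options above: every rule should carry a unique priority, the three default rules should be present, and drop-type (blackhole, unreachable, prohibit) or custom-table rules deserve a second look on a host where nobody expects policy routing. The sample dump, the audit criteria and the allowed-table list are constructed for this example; the parser accepts only the keywords documented in this manual and raises on anything else rather than guessing.

```python
"""Parse and audit `ip rule show` output.

Added example, not iproute2 code.  SAMPLE_IP_RULE_SHOW is a constructed
dump in the text format ip prints (priority, colon, tab, selectors, then
either "lookup TABLE" or an action keyword).  The parser handles the
keywords documented in ip-rule(8) and rejects anything else; the audit
applies the manual's own guidance: one unique priority per rule, the
three default rules present, and drop-type or custom-table rules listed
for review.
"""
import re

SAMPLE_IP_RULE_SHOW = """\
0:\tfrom all lookup local
100:\tfrom 10.0.0.0/24 lookup 100
100:\tfrom 10.0.1.0/24 lookup 101
200:\tfrom all fwmark 0x1 lookup 200
300:\tfrom all to 203.0.113.0/24 blackhole
1000:\tnot from all iif lo lookup main suppress_prefixlength 0
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""

ONE_ARG = {"from", "to", "iif", "oif", "tos", "dsfield", "fwmark", "lookup", "table",
           "uidrange", "ipproto", "sport", "dport", "suppress_prefixlength",
           "suppress_ifgroup", "realms", "protocol", "tun_id", "nat", "map-to", "goto"}
FLAGS = {"not", "l3mdev"}
TERMINAL = {"blackhole", "unreachable", "prohibit", "nop"}
DEFAULT_RULES = ((0, "local"), (32766, "main"), (32767, "default"))


def parse_rule_line(line):
    """Turn one `ip rule show` line into a dict keyed by selector/action."""
    m = re.match(r"^(\d+):\s+(.*)$", line.strip())
    if not m:
        raise ValueError(f"not an ip rule line: {line!r}")
    rule = {"priority": int(m.group(1)), "action": None}
    tokens = m.group(2).split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in FLAGS:
            rule[tok] = True
            i += 1
        elif tok in ONE_ARG:
            if i + 1 >= len(tokens):
                raise ValueError(f"{tok} needs an argument: {line!r}")
            key = "lookup" if tok == "table" else tok
            rule[key] = tokens[i + 1]
            if key == "lookup":
                rule["action"] = "lookup"
            elif key == "goto":
                rule["action"] = "goto"
            i += 2
        elif tok in TERMINAL:
            rule["action"] = tok
            i += 1
        else:
            raise ValueError(f"unknown keyword {tok!r}: {line!r}")
    if rule["action"] is None:
        raise ValueError(f"rule has no action: {line!r}")
    return rule


def parse_ip_rule_show(text):
    return [parse_rule_line(l) for l in text.splitlines() if l.strip()]


def audit_rules(rules, allowed_tables=("local", "main", "default")):
    """Return a list of human-readable findings; empty means nothing to review."""
    findings = []
    by_prio = {}
    for r in rules:
        by_prio.setdefault(r["priority"], []).append(r)
    for prio, rs in sorted(by_prio.items()):
        if len(rs) > 1:
            findings.append(f"priority {prio} is shared by {len(rs)} rules; "
                            "ip-rule(8) asks for a unique priority per rule")
    for prio, table in DEFAULT_RULES:
        rs = by_prio.get(prio, [])
        if not any(r["action"] == "lookup" and r.get("lookup") == table for r in rs):
            findings.append(f"default rule {prio} (lookup {table}) is missing or changed")
    for r in rules:
        if r["action"] in ("blackhole", "unreachable", "prohibit"):
            findings.append(f"priority {r['priority']}: {r['action']} rule, confirm it is intended")
        elif r["action"] == "lookup" and r["lookup"] not in allowed_tables:
            findings.append(f"priority {r['priority']}: lookup of non-default table {r['lookup']}")
    return findings


if __name__ == "__main__":
    for finding in audit_rules(parse_ip_rule_show(SAMPLE_IP_RULE_SHOW)):
        print(finding)
```

On a live host, feed `ip rule show` output to parse_ip_rule_show and pass the tables your configuration management is expected to create in allowed_tables; anything left in the findings list is a rule the manual's conventions say should not be there unless someone put it there on purpose.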
.TP
.B ip rule save
.RS
.TP
.BI protocol " PROTO"
Select the originating protocol.
.RE
.TP
save rules table information to stdout
.RS
This command behaves like
.BR "ip rule show"
except that the output is raw data suitable for passing to
.BR "ip rule restore" .
.RE
.TP
.B ip rule restore
restore rules table information from stdin
.RS
This command expects to read a data stream as returned from
.BR "ip rule save" .
It will attempt to restore the rules table information exactly as
it was at the time of the save. Any rules already in the table are
left unchanged, and duplicates are not ignored.
.RE
.SH SEE ALSO
.br
.BR ip (8)
.SH AUTHOR
Original Manpage by Michail Litvak <mci@owl.openwall.com>