ip rule - Routing Policy Database Management

This command manipulates the third part of the Policy Routing Triad: rules.

As discussed in Chapter 2, there are three parts to the implementation of the RPDB. The ip rule object allows specification and definition of the policy rules part of the RPDB.

Abbreviations: rule, ru

To understand the logic of the commands section you will want to understand the logic of the command line. The output of ip rule help is as follows:

 Usage: ip rule [ list | add | del ] SELECTOR ACTION
 SELECTOR := [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ fwmark FWMARK ]
             [ dev STRING ] [ pref NUMBER ]
 ACTION := [ table TABLE_ID ] [ nat ADDRESS ]
           [ prohibit | reject | unreachable ]
           [ realms [SRCREALM/]DSTREALM ]
 TABLE_ID := [ local | main | default | NUMBER ]

ip rule add - Insert New Rule

Use this command to insert a new rule.

Abbreviations: add, a; delete, del, d

Arguments

The following list of arguments to the rule command will add or delete the appropriate rule:

  • type TYPE (default) - The type of rule. The list of valid types was specified in Chapter 2 and is summarized here for reference:

    • unicast - The rule prescribes returning the route found in the routing table referenced by the rule.

    • blackhole - The rule prescribes dropping the packet silently.

    • unreachable - The rule prescribes generating the error Network is unreachable (ICMP Type 3 Code 0).

    • prohibit - The rule prescribes generating the error Communication is administratively prohibited (ICMP Type 3 Code 13).

    • nat - The rule prescribes translating the source address of the IP packet to some other value.

  • from PREFIX - Select the source prefix to match.

  • to PREFIX - Select the destination prefix to match.

  • iif NAME - Select the incoming device to match. If the interface is loopback, the rule matches only packets originated by this host. This means that you may create separate routing tables for forwarded and local packets and, hence, completely segregate them.

  • tos TOS or dsfield TOS - Select the TOS value to match.

  • fwmark MARK - Select the value of fwmark to match.

  • priority PREFERENCE - The priority of this rule. Each rule should have an explicitly set unique priority value. Priority is an unsigned 32-bit number, thus you have 4,294,967,296 possible rules.

  • table TABLEID - The routing table identifier to look up if the rule selector matches.

  • realms FROM/TO - Realms to select if the rule matches and the routing table lookup succeeds. Realm TO is used only if the route returned did not select any realm.

  • nat ADDRESS - The base IP address block to translate to a source address. The ADDRESS may be either the start of a block of nat addresses as selected by nat routes, a local host address, or even zero. In the last two cases the Linux router does not nat translate the packets but masquerades them to this address.

Changes to the RPDB made with these commands do not become active immediately. You should run ip route flush cache to flush out the routing cache after inserting rules.

Note

For historical reasons, ip rule add does not require any priority value and allows the priority value to be non-unique. If the user has not supplied a priority value, one is assigned by the kernel. If the user asked to create a rule with a priority value that already exists, the kernel did not reject the request and added the new rule before all old rules of the same priority. This is a mistake in the current design, nothing more. It should be fixed by the time you read this, so please do not rely on this feature. You should always use explicit priorities when creating rules.


ip rule add Examples

To route packets with source addresses from 192.203.80/24 according to routing table inr.ruhep:

  ip rule add from 192.203.80.0/24 table inr.ruhep prio 220

To translate packet source 193.233.7.83 to 192.203.80.144 and route it according to table 1 (Table 1 is defined in /etc/iproute/rt_tables as inr.ruhep):

  ip rule add from 193.233.7.83 nat 192.203.80.144 table 1 prio 320

To delete an unused default rule:

  ip rule del prio 32767

ip rule show - List Policy Rules

Use this command to list policy rules.

Abbreviations: show, list, sh, ls, l

Good news - this is the only command that has no arguments. Here is the example:

 kuznet@amber~ $ ip rule list
 0:      from all lookup local
 200:    from 192.203.80.0/24 to 193.233.7.0/24 lookup main
 210:    from 192.203.80.0/24 to 192.203.80.0/24 lookup main
 220:    from 192.203.80.0/24 lookup inr.ruhep realms inr.ruhep/radio-msu
 300:    from 193.233.7.83 to 193.233.7.0/24 lookup main
 310:    from 193.233.7.83 to 192.203.80.0/24 lookup main
 320:    from 193.233.7.83 lookup inr.ruhep map-to 192.203.80.144
 32766:  from all lookup main

In the first position is the rule priority value, followed by a colon. Then the selectors follow, with each key prefixed by the keyword used to create the rule.

The keyword lookup is followed by the routing table identifier as recorded in the file /etc/iproute2/rt_tables.

If the rule does nat, as in rule #320, it is shown by the keyword map-to, followed by the start of the block of addresses to map.

The sense of this example is pretty simple. The prefixes 192.203.80.0/24 and 193.233.7.0/24 form an internal network, but each prefix is routed differently. Additionally, the host 193.233.7.83 is translated to another prefix as 192.203.80.144 when talking to the outer world.
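The Note above warns that the kernel accepts duplicate priorities and that rules should always carry an explicit prio. The following audit script is an added example, not code from the book or from iproute2: it parses the ip rule list output format shown above, reports duplicate priorities, and rebuilds the explicit ip rule add command that would recreate each rule. The sample text is constructed and deliberately contains one duplicated priority.

```python
from collections import Counter

# Constructed sample in the format printed by "ip rule list";
# priority 210 is duplicated on purpose to exercise the check.
SAMPLE = """\
0:\tfrom all lookup local
200:\tfrom 192.203.80.0/24 to 193.233.7.0/24 lookup main
210:\tfrom 192.203.80.0/24 to 192.203.80.0/24 lookup main
210:\tfrom 10.0.0.0/8 lookup main
220:\tfrom 192.203.80.0/24 lookup inr.ruhep realms inr.ruhep/radio-msu
320:\tfrom 193.233.7.83 lookup inr.ruhep map-to 192.203.80.144
32766:\tfrom all lookup main
"""

# Keywords that take one argument in the listing; anything else
# (unreachable, prohibit, blackhole) is a bare action keyword.
KEYED = ("from", "to", "tos", "fwmark", "iif", "lookup", "realms", "map-to")

def parse_rules(text):
    """Return one dict per rule: priority plus selector/action fields."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        prio, rest = line.split(":", 1)
        tokens = rest.split()
        rule = {"priority": int(prio)}
        i = 0
        while i < len(tokens):
            if tokens[i] in KEYED:
                rule[tokens[i]] = tokens[i + 1]
                i += 2
            else:
                rule[tokens[i]] = True
                i += 1
        rules.append(rule)
    return rules

def duplicate_priorities(rules):
    """Priorities used by more than one rule (the Note's caveat)."""
    counts = Counter(r["priority"] for r in rules)
    return sorted(p for p, n in counts.items() if n > 1)

def to_add_command(rule):
    """Rebuild an explicit 'ip rule add' line that recreates the rule."""
    parts = ["ip", "rule", "add"]
    for key in ("from", "to", "tos", "fwmark", "iif"):
        if key in rule and rule[key] != "all":   # 'from all' is the default
            parts += [key, rule[key]]
    if "map-to" in rule:                         # listing shows nat as map-to
        parts += ["nat", rule["map-to"]]
    if "lookup" in rule:
        parts += ["table", rule["lookup"]]
    if "realms" in rule:
        parts += ["realms", rule["realms"]]
    for key in ("unreachable", "prohibit", "blackhole"):
        if rule.get(key):
            parts.append(key)
    return " ".join(parts + ["prio", str(rule["priority"])])
```

Feed it the real output of ip rule list to confirm that every rule has a unique priority before relying on rule order; remember to run ip route flush cache after any change.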

Policy Routing Using Linux
ISBN: B000C4SRVI
Year: 2000
Pages: 105
