.TH IP\-RULE 8 "20 Dec 2011" "iproute2" "Linux"
ip-rule \- routing policy database management
.RI " { " COMMAND " | "
.RB " [ " list " | " add " | " del " | " flush " ]"
.IR FWMARK[/MASK] " ] [ "
.BR prohibit " | " reject " | " unreachable " ] [ " realms
.RI "[" SRCREALM "/]" DSTREALM " ]"
.IR SUPPRESSOR " := [ "
.B suppress_prefixlength
.BR local " | " main " | " default " |"
in the routing policy database control the route selection algorithm.
Classic routing algorithms used in the Internet make routing decisions
based only on the destination address of packets (and in theory,
but not in practice, on the TOS field).
In some circumstances we want to route packets differently depending not only
on destination addresses, but also on other packet fields: source address,
IP protocol, transport protocol ports or even packet payload.
This task is called 'policy routing'.
To solve this task, the conventional destination based routing table, ordered
according to the longest match rule, is replaced with a 'routing policy
database' (or RPDB), which selects routes by executing some set of rules.
Each policy routing rule consists of a
The RPDB is scanned in order of decreasing priority. The selector
of each rule is applied to {source address, destination address, incoming
interface, tos, fwmark} and, if the selector matches the packet,
the action is performed. If the action succeeds, it yields either
a route or a failure indication and the RPDB lookup terminates.
Otherwise, the RPDB program continues with the next rule.
Semantically, the natural action is to select the nexthop and the output device.
At startup time the kernel configures the default RPDB consisting of three
Priority: 0, Selector: match anything, Action: lookup routing
table is a special routing table containing
high priority control routes for local and broadcast addresses.
Rule 0 is special. It cannot be deleted or overridden.
Priority: 32766, Selector: match anything, Action: lookup routing
table is the normal routing table containing all non-policy
routes. This rule may be deleted and/or overridden with other
ones by the administrator.
Priority: 32767, Selector: match anything, Action: lookup routing
table is empty. It is reserved for some post-processing if no previous
default rules selected the packet.
This rule may also be deleted.
Each RPDB entry has additional
attributes. For example, each rule has a pointer to some routing
table. NAT and masquerading rules have an attribute to select the new IP
address to translate/masquerade to. Besides that, rules have some
optional attributes, which routes also have, namely
These values do not override those contained in the routing tables. They
are only used if the route did not select any attributes.
The RPDB may contain rules of the following types:
- the rule prescribes to return the route found
in the routing table referenced by the rule.
- the rule prescribes to silently drop the packet.
- the rule prescribes to generate a 'Network is unreachable' error.
- the rule prescribes to generate 'Communication is administratively
- the rule prescribes to translate the source address
of the IP packet into some other value.
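The following model is added here and is not iproute2 or kernel code: it walks the RPDB lookup described above (scan by priority, selector match, route or failure ends the lookup, otherwise fall through) over the three default rules plus constructed policy rules, covering the unicast and prohibit rule types and the suppress_prefixlength option documented further below. All tables, prefixes, devices and next hops are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
@dataclass
class Rule:
    priority: int             # lower number = consulted first (higher priority)
    action: str = "unicast"   # unicast | blackhole | unreachable | prohibit
    table: str = None         # table looked up when action is unicast
    src: str = None           # "from PREFIX" selector
    dst: str = None           # "to PREFIX" selector
    iif: str = None           # "iif NAME" selector
    suppress_prefixlength: int = None
def matches(rule, pkt):
    """Apply the selector to pkt = (src, dst, iif); an unset field matches anything."""
    src, dst, iif = pkt
    if rule.src and ip_address(src) not in ip_network(rule.src):
        return False
    if rule.dst and ip_address(dst) not in ip_network(rule.dst):
        return False
    return rule.iif is None or rule.iif == iif

def table_lookup(table, dst):
    """Longest-prefix match in one table; returns (prefixlen, nexthop) or None."""
    hits = [(ip_network(p).prefixlen, nh) for p, nh in table if ip_address(dst) in ip_network(p)]
    return max(hits) if hits else None

def rpdb_lookup(rules, tables, pkt):
    """Scan rules by increasing priority number; the first rule that yields a route
    or a failure ends the lookup, any other outcome falls through to the next rule."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if not matches(rule, pkt):
            continue
        if rule.action != "unicast":
            return ("error", rule.action)   # blackhole / unreachable / prohibit
        route = table_lookup(tables.get(rule.table, []), pkt[1])
        if route is None:
            continue                        # table had no route: try the next rule
        if rule.suppress_prefixlength is not None and route[0] <= rule.suppress_prefixlength:
            continue                        # decision rejected, keep scanning
        return ("route", route[1])
    return ("error", "unreachable")         # no rule produced a route

# Constructed sample data: the three default rules plus policy rules 10, 100 and 200.
TABLES = {"local": [("127.0.0.0/8", "local"), ("192.168.1.5/32", "local")],
          "main": [("192.168.1.0/24", "dev eth0"), ("0.0.0.0/0", "192.168.1.1")],
          "isp2": [("0.0.0.0/0", "198.51.100.1")], "default": []}
RULES = [Rule(0, table="local"),
         Rule(10, table="main", suppress_prefixlength=0),  # keep LAN routes, skip main's default
         Rule(100, table="isp2", src="10.0.0.0/8"),         # this source block exits via isp2
         Rule(200, action="prohibit", dst="203.0.113.0/24", iif="eth1"),
         Rule(32766, table="main"), Rule(32767, table="default")]
```

Rule 10 with suppress_prefixlength 0 lets directly connected prefixes in main win while the default route is skipped, so only the 10.0.0.0/8 sources reach rule 100 for their off-LAN traffic.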
.B ip rule add - insert a new rule
.B ip rule delete - delete a rule
.BI type " TYPE " (default)
the type of this rule. The list of valid types was given in the previous
select the source prefix to match.
select the destination prefix to match.
select the incoming device to match. If the interface is loopback,
the rule only matches packets originating from this host. This means
that you may create separate routing tables for forwarded and local
packets and, hence, completely segregate them.
select the outgoing device to match. The outgoing interface is only
available for packets originating from local sockets that are bound to
select the TOS value to match.
.BI priority " PREFERENCE"
the priority of this rule. Each rule should have an explicitly
The options preference and order are synonyms with priority.
the routing table identifier to lookup if the rule selector matches.
It is also possible to use lookup instead of table.
.BI suppress_prefixlength " NUMBER"
reject routing decisions that have a prefix length of NUMBER or less.
.BI suppress_ifgroup " GROUP"
reject routing decisions that use a device belonging to the interface
.BI realms " FROM/TO"
Realms to select if the rule matched and the routing table lookup
is only used if the route did not select any realm.
The base of the IP address block to translate (for source addresses).
may be either the start of the block of NAT addresses (selected by NAT
routes) or a local host address (or even zero).
In the last case the router does not translate the packets, but
masquerades them to this address.
Using map-to instead of nat means the same thing.
Changes to the RPDB made with these commands do not become active
immediately. It is assumed that after a script finishes a batch of
updates, it flushes the routing cache with
.BR "ip route flush cache" .
.B ip rule flush - also dumps all the deleted rules.
This command has no arguments.
.B ip rule show - list rules
This command has no arguments.
The options list or lst are synonyms with show.
Original Manpage by Michail Litvak <mci@owl.openwall.com>