.TH IP\-RULE 8 "20 Dec 2011" "iproute2" "Linux"
ip-rule \- routing policy database management
.RI "{ " COMMAND " | "
.RB "{ " add " | " del " }"
.RB "{ " flush " | " save " | " restore " }"
.IR FWMARK\fR[\fB/\fIMASK "] ] [ "
.RI "[" SRCREALM "\fB/\fR]" DSTREALM " ] ["
.IR NUMBER " ] " SUPPRESSOR
.IR SUPPRESSOR " := [ "
.B suppress_prefixlength
.BR local " | " main " | " default " |"
in the routing policy database control the route selection algorithm.
Classic routing algorithms used in the Internet make routing decisions
based only on the destination address of packets (and in theory,
but not in practice, on the TOS field).
In some circumstances we want to route packets differently depending not only
on destination addresses, but also on other packet fields: source address,
IP protocol, transport protocol ports or even packet payload.
This task is called 'policy routing'.
To solve this task, the conventional destination based routing table, ordered
according to the longest match rule, is replaced with a 'routing policy
database' (or RPDB), which selects routes by executing some set of rules.
Each policy routing rule consists of a
The RPDB is scanned in order of decreasing priority (lowest priority
number first). The selector of each rule is applied to {source address,
destination address, incoming interface, tos, fwmark} and, if the selector
matches the packet, the action is performed. If the action returns success,
it yields either a route or a failure indication and the RPDB lookup
terminates. Otherwise, the RPDB program continues with the next rule.
Semantically, the natural action is to select the nexthop and the output device.
At startup time the kernel configures the default RPDB consisting of three
Priority: 0, Selector: match anything, Action: lookup routing
table is a special routing table containing
high priority control routes for local and broadcast addresses.
Priority: 32766, Selector: match anything, Action: lookup routing
table is the normal routing table containing all non-policy
routes. This rule may be deleted and/or overridden with other
ones by the administrator.
Priority: 32767, Selector: match anything, Action: lookup routing
table is empty. It is reserved for some post-processing if no previous
default rules selected the packet.
This rule may also be deleted.
Each RPDB entry has additional
attributes. For example, each rule has a pointer to some routing
table. NAT and masquerading rules have an attribute to select the new IP
address to translate/masquerade. Besides that, rules have some
optional attributes, which routes also have, namely
These values do not override those contained in the routing tables. They
are only used if the route did not select any attributes.
The RPDB may contain rules of the following types:
- the rule prescribes to return the route found
in the routing table referenced by the rule.
- the rule prescribes to silently drop the packet.
- the rule prescribes to generate a 'Network is unreachable' error.
- the rule prescribes to generate 'Communication is administratively
- the rule prescribes to translate the source address
of the IP packet into some other value.
.B ip rule add - insert a new rule
.B ip rule delete - delete a rule
.BI type " TYPE " (default)
the type of this rule. The list of valid types was given in the previous
select the source prefix to match.
select the destination prefix to match.
select the incoming device to match. If the interface is loopback,
the rule only matches packets originating from this host. This means
that you may create separate routing tables for forwarded and local
packets and, hence, completely segregate them.
select the outgoing device to match. The outgoing interface is only
available for packets originating from local sockets that are bound to
select the TOS value to match.
.BI priority " PREFERENCE"
the priority of this rule. Each rule should have an explicitly
The options preference and order are synonyms for priority.
the routing table identifier to lookup if the rule selector matches.
It is also possible to use lookup instead of table.
.BI suppress_prefixlength " NUMBER"
reject routing decisions that have a prefix length of NUMBER or less.
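The following Python model of the RPDB lookup described in this page (priority-ordered scan, selectors, the lookup/blackhole/unreachable/prohibit actions, and the suppress_prefixlength fall-through) is an added example; it is not part of this manual page or of iproute2. Its rules, tables, addresses and device names are constructed for illustration, and it models only the selectors named here (from, to, iif, fwmark), not the kernel's implementation.

```python
# Added example, not iproute2 code: a small model of the RPDB lookup.
# All rules, tables, addresses and device names below are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Net = ipaddress.IPv4Network


@dataclass
class Route:
    prefix: IPv4Net
    dev: str                                  # constructed output device name


@dataclass
class Rule:
    priority: int
    action: str                               # "lookup" | "blackhole" | "unreachable" | "prohibit"
    table: Optional[str] = None               # only meaningful for action == "lookup"
    src: Optional[IPv4Net] = None             # "from PREFIX" selector
    dst: Optional[IPv4Net] = None             # "to PREFIX" selector
    iif: Optional[str] = None                 # "iif NAME" selector
    fwmark: Optional[int] = None              # "fwmark MARK" selector
    suppress_prefixlength: Optional[int] = None


def net(s: str) -> IPv4Net:
    return ipaddress.IPv4Network(s, strict=False)


def longest_match(table, dst):
    """Destination-based lookup inside one table: the longest matching prefix wins."""
    best = None
    for route in table:
        if dst in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def selector_matches(rule, src, dst, iif, fwmark):
    return ((rule.src is None or src in rule.src)
            and (rule.dst is None or dst in rule.dst)
            and (rule.iif is None or rule.iif == iif)
            and (rule.fwmark is None or rule.fwmark == fwmark))


def rpdb_lookup(rules, tables, src, dst, iif=None, fwmark=0):
    """Scan rules lowest priority number first; return (verdict, Route or None)."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for rule in sorted(rules, key=lambda r: r.priority):
        if not selector_matches(rule, src, dst, iif, fwmark):
            continue
        if rule.action != "lookup":
            return rule.action, None          # blackhole/unreachable/prohibit end the scan
        route = longest_match(tables.get(rule.table, []), dst)
        if route is None:
            continue                          # table had no route: try the next rule
        if (rule.suppress_prefixlength is not None
                and route.prefix.prefixlen <= rule.suppress_prefixlength):
            continue                          # decision suppressed: keep scanning
        return "unicast", route
    return "unreachable", None                # fell off the end of the RPDB


# Constructed tables: local and main as the kernel would fill them, an empty
# default table, and a "vpn" table holding only a default route via tun0.
TABLES = {
    "local": [Route(net("127.0.0.0/8"), "lo"), Route(net("192.0.2.10/32"), "lo")],
    "main": [Route(net("192.0.2.0/24"), "eth0"), Route(net("0.0.0.0/0"), "eth0")],
    "default": [],
    "vpn": [Route(net("0.0.0.0/0"), "tun0")],
}

# Constructed RPDB: the three default rules plus a blackhole for one source
# range, a prohibit rule bound to a forwarding interface, and the common
# "main, but never its default route" rule in front of the vpn table.
RULES = [
    Rule(0, "lookup", table="local"),
    Rule(50, "blackhole", src=net("198.51.100.0/24")),
    Rule(60, "prohibit", dst=net("203.0.113.0/24"), iif="eth1"),
    Rule(100, "lookup", table="main", suppress_prefixlength=0),
    Rule(200, "lookup", table="vpn"),
    Rule(32766, "lookup", table="main"),
    Rule(32767, "lookup", table="default"),
]

if __name__ == "__main__":
    for src, dst, iif in [("192.0.2.10", "192.0.2.10", None),
                          ("192.0.2.10", "192.0.2.55", None),
                          ("192.0.2.10", "203.0.113.7", None),
                          ("198.51.100.4", "203.0.113.7", None),
                          ("192.0.2.55", "203.0.113.7", "eth1")]:
        verdict, route = rpdb_lookup(RULES, TABLES, src, dst, iif=iif)
        print(f"{src} -> {dst} iif={iif}: {verdict}", route.dev if route else "")
```

Run it directly to print the verdict for each constructed packet. The rule at priority 100 answers for the directly connected prefix, but because of suppress_prefixlength 0 its default route is rejected and the lookup falls through to the vpn table; the iif-bound prohibit rule only ever sees packets arriving on eth1, which is the forwarded/local segregation the iif option describes.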
.BI suppress_ifgroup " GROUP"
reject routing decisions that use a device belonging to the interface
.BI realms " FROM/TO"
Realms to select if the rule matched and the routing table lookup
is only used if the route did not select any realm.
The base of the IP address block to translate (for source addresses).
may be either the start of the block of NAT addresses (selected by NAT
routes) or a local host address (or even zero).
In the last case the router does not translate the packets, but
masquerades them to this address.
Using map-to instead of nat means the same thing.
Changes to the RPDB made with these commands do not become active
immediately. It is assumed that after a script finishes a batch of
updates, it flushes the routing cache with
.BR "ip route flush cache" .
.B ip rule flush - also dumps all the deleted rules.
This command has no arguments.
.B ip rule show - list rules
This command has no arguments.
The options list or lst are synonyms for show.
save rules table information to stdout
This command behaves like
except that the output is raw data suitable for passing to
.BR "ip rule restore" .
restore rules table information from stdin
This command expects to read a data stream as returned from
It will attempt to restore the rules table information exactly as
it was at the time of the save. Any rules already in the table are
left unchanged, and duplicates are not ignored.
Original Manpage by Michail Litvak <mci@owl.openwall.com>