.TH IP\-RULE 8 "20 Dec 2011" "iproute2" "Linux"
ip-rule \- routing policy database management
.RI "{ " COMMAND " | "
.RI "[ " SELECTOR " ]]"
.RB "{ " add " | " del " }"
.RB "{ " flush " | " save " | " restore " }"
.IR FWMARK\fR[\fB/\fIMASK "] ] [ "
.IR NUMBER "-" NUMBER " ] [ "
.IR NUMBER "-" NUMBER " ] ] [ "
.IR NUMBER "-" NUMBER " ] ]"
.RI "[" SRCREALM "\fB/\fR]" DSTREALM " ] ["
.IR NUMBER " ] " SUPPRESSOR
.IR SUPPRESSOR " := [ "
.B suppress_prefixlength
.BR local " | " main " | " default " |"
in the routing policy database control the route selection algorithm.
Classic routing algorithms used in the Internet make routing decisions
based only on the destination address of packets (and in theory,
but not in practice, on the TOS field).
In some circumstances we want to route packets differently depending not only
on destination addresses, but also on other packet fields: source address,
IP protocol, transport protocol ports or even packet payload.
This task is called 'policy routing'.
To solve this task, the conventional destination based routing table, ordered
according to the longest match rule, is replaced with a 'routing policy
database' (or RPDB), which selects routes by executing some set of rules.
Each policy routing rule consists of a
The RPDB is scanned in order of decreasing priority (note that a lower number
means higher priority, see the description of
of each rule is applied to {source address, destination address, incoming
interface, tos, fwmark} and, if the selector matches the packet,
the action is performed. If the action succeeds, it returns either
a route or a failure indication and the RPDB lookup terminates.
Otherwise, the RPDB program continues with the next rule.
Semantically, the natural action is to select the nexthop and the output device.
At startup time the kernel configures the default RPDB consisting of three
Priority: 0, Selector: match anything, Action: lookup routing
table is a special routing table containing
high priority control routes for local and broadcast addresses.
Priority: 32766, Selector: match anything, Action: lookup routing
table is the normal routing table containing all non-policy
routes. This rule may be deleted and/or overridden with other
ones by the administrator.
Priority: 32767, Selector: match anything, Action: lookup routing
table is empty. It is reserved for some post-processing if no previous
default rules selected the packet.
This rule may also be deleted.
Each RPDB entry has additional
attributes. E.g. each rule has a pointer to some routing
table. NAT and masquerading rules have an attribute to select the new IP
address to translate/masquerade to. Besides that, rules have some
optional attributes that routes also have, namely
These values do not override those contained in the routing tables. They
are only used if the route did not select any attributes.
The RPDB may contain rules of the following types:
- the rule prescribes to return the route found
in the routing table referenced by the rule.
- the rule prescribes to silently drop the packet.
- the rule prescribes to generate a 'Network is unreachable' error.
- the rule prescribes to generate 'Communication is administratively
- the rule prescribes to translate the source address
of the IP packet into some other value.
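The lookup algorithm described above, as an added Python simulation that is not part of this manual page or of iproute2: rules are scanned by increasing priority number, a unicast rule whose table yields no route falls through to the next rule, blackhole/unreachable/prohibit rules terminate the lookup, and the suppress_prefixlength option (documented under ip rule add below) rejects a decision whose prefix is too short. The tables, addresses, fwmark value and rule set are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    priority: int                    # lower number = higher priority
    action: str = "unicast"          # unicast | blackhole | unreachable | prohibit
    table: str = ""                  # table consulted by a unicast rule
    src: str = ""                    # "from" selector (CIDR); "" matches anything
    fwmark: int = -1                 # "fwmark" selector; -1 matches anything
    suppress_prefixlength: int = -1  # -1 = option not set

def selector_matches(rule, src, fwmark):
    if rule.src and ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src):
        return False
    return rule.fwmark < 0 or rule.fwmark == fwmark

def lookup_table(table, dst):
    """Classic destination-only lookup: longest prefix match wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best

def rpdb_lookup(rules, tables, src, dst, fwmark=0):
    """Scan the RPDB in order of decreasing priority; return (verdict, nexthop)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if not selector_matches(rule, src, fwmark):
            continue
        if rule.action != "unicast":
            return rule.action, None       # blackhole/unreachable/prohibit end the lookup
        hit = lookup_table(tables.get(rule.table, []), dst)
        if hit is None:
            continue                       # table had no route: fall through to next rule
        net, nexthop = hit
        if 0 <= rule.suppress_prefixlength and net.prefixlen <= rule.suppress_prefixlength:
            continue                       # decision rejected by suppress_prefixlength
        return "route", nexthop
    return "unreachable", None             # fell off the end of the RPDB

# Constructed tables and rules for the demonstration (not taken from the man page)
TABLES = {"main": [("192.168.1.0/24", "dev eth0"), ("0.0.0.0/0", "via 192.168.1.1")],
          "vpn": [("0.0.0.0/0", "dev tun0")]}
RULES = [Rule(0, table="local"), Rule(500, action="blackhole", src="10.66.0.0/16"),
         Rule(1000, table="main", suppress_prefixlength=0),   # main, minus its default route
         Rule(2000, table="vpn", fwmark=1),                   # marked packets use the VPN
         Rule(32766, table="main"), Rule(32767, table="default")]
```

With this rule set, unmarked Internet-bound traffic uses the gateway in main, traffic carrying fwmark 1 is steered to the VPN table because the suppressed default route in main did not end the lookup, and local-subnet traffic is still delivered directly.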
.B ip rule add - insert a new rule
.B ip rule delete - delete a rule
.BI type " TYPE " (default)
the type of this rule. The list of valid types was given in the previous
select the source prefix to match.
select the destination prefix to match.
select the incoming device to match. If the interface is loopback,
the rule only matches packets originating from this host. This means
that you may create separate routing tables for forwarded and local
packets and, hence, completely segregate them.
select the outgoing device to match. The outgoing interface is only
available for packets originating from local sockets that are bound to
select the TOS value to match.
.BI uidrange " NUMBER-NUMBER"
.BI ipproto " PROTOCOL"
select the IP protocol value to match.
.BI sport " NUMBER | NUMBER-NUMBER"
select the source port value to match. Supports port ranges.
.BI dport " NUMBER | NUMBER-NUMBER"
select the destination port value to match. Supports port ranges.
.BI priority " PREFERENCE"
the priority of this rule.
is an unsigned integer value; a higher number means lower priority, and rules get
processed in order of increasing number. Each rule
should have an explicitly set
The options preference and order are synonyms with priority.
the routing table identifier to lookup if the rule selector matches.
It is also possible to use lookup instead of table.
.BI protocol " PROTO"
the routing protocol that installed the rule in question. For example, when zebra installs a rule it gets RTPROT_ZEBRA as the installing protocol.
.BI suppress_prefixlength " NUMBER"
reject routing decisions that have a prefix length of NUMBER or less.
.BI suppress_ifgroup " GROUP"
reject routing decisions that use a device belonging to the interface
.BI realms " FROM/TO"
Realms to select if the rule matched and the routing table lookup
is only used if the route did not select any realm.
The base of the IP address block to translate (for source addresses).
may be either the start of the block of NAT addresses (selected by NAT
routes) or a local host address (or even zero).
In the last case the router does not translate the packets, but
masquerades them to this address.
Using map-to instead of nat means the same thing.
Changes to the RPDB made with these commands do not become active
immediately. It is assumed that after a script finishes a batch of
updates, it flushes the routing cache with
.BR "ip route flush cache" .
.B ip rule flush - also dumps all the deleted rules.
.BI protocol " PROTO"
Select the originating protocol.
.B ip rule show - list rules
This command has no arguments.
The options list or lst are synonyms with show.
.BI protocol " PROTO"
Select the originating protocol.
save rules table information to stdout
This command behaves like
except that the output is raw data suitable for passing to
.BR "ip rule restore" .
restore rules table information from stdin
This command expects to read a data stream as returned from
It will attempt to restore the rules table information exactly as
it was at the time of the save. Any rules already in the table are
left unchanged, and duplicates are not ignored.
Original Manpage by Michail Litvak <mci@owl.openwall.com>