说明

iproute2里面的一个命令,ip rule 路由策略数据库管理命令
进行路由时,根据路由规则来进行匹配,按优先级(pref)从低到高匹配,直到找到合适的规则,所以在应用中配置默认路由是必要的
Internet上采用的路由算法一般是基于数据包目的地址的。
而在某些情况下,我们不只是需要通过数据包的目的地址决定路由,可能还需要通过其他一些域:源地址、IP协议、传输层端口甚至数据包的负载。这就叫做:策略路由(policy routing)。
注意:策略路由(policy routing)不等于路由策略(rouing policy)。路由_路由策略和策略路由有什么区别

在这种情况下,传统的基于目的地址的路由表就无法满足要求了,需要使用路由策略数据库(routing policy database,RPDB)代替,通过它选择执行某些路由。这些规则可以由很多不同的状态,而且它们没有天生的次序,要由系统管理员决定。
RPDB可以 匹配以下的域:

  1. 数据包的源地址;
  2. 数据包的目的地址;
  3. 服务类型(Type of Service);
  4. 进入的网络接口;

匹配IP协议和传输层端口也是可能的,不过这要依靠iptables或者ipchains通过fwmark为某些数据包做标记,并重定向。
每个路由策略由一个选择符(selector)和一个操作(action)组成。系统按照顺序搜索路由策略数据库,把选择符和{源地址、目的地址、进入接口、tos、fwmark}等关键词进行匹配,如果匹配成功,就执行action定义的操作。操作或者成功返回,或者失败并且中止路由策略。否则,系统继续查询路由策略数据库。

操作如何定义?最原始的操作是选择下一跳(nexthop)和输出设备(output device)。Cisco IOS使用这种方式,我们姑且把这叫做匹配并设置(match & set)。而Linux的方式则更为灵活,Linux允许的操作包括:基于目的地址的路由表查询以及按照最长匹配的原则从路由表中选择路由。因此,匹配并 设置(match & set)的方式只是一个最简单的特例而已。
再系统启动时,内核会为路由策略数据库配置三条缺省的规则:
image.jpeg

优先级 选择符 动作 解释
0 匹配任何条件 查询路由表local(ID 255) 路由表local是一个特殊的路由表,包含对于本地和广播地址的高优先级控制路由。rule 0非常特殊,不能被删除或者覆盖。
一张表用于本地地址,存储了全部的本地地址,假设在该表中能查到匹配表项,则表明数据报是发给本机的
32766 匹配任何条件 查询路由表main(ID 254) 是一个通常的表,包含所有的无策略路由。系统管理员可以删除或者使用另外的规则覆盖这条规则。
一张表用于全部其它的路由,路由表项由用户手工静态配置(默认就是main表)或由路由协议动态配置
32767 匹配任何条件 查询路由表default(ID 253) 是一个空表,它是为一些后续处理保留的。对于前面的缺省策略没有匹配到的数据包,系统使用这个策略进行处理。这个规则也可以删除。

注:这里匹配任何条件就说明是按路由策略的优先级匹配各个路由表,如果没有匹配高优先级路由策略指定的路由表,就接着往下匹配,而不是说就直接进行丢弃了

不要混淆路由表和策略:规则指向路由表,多个规则可以引用一个路由表,而且某些路由表可以没有策略指向它。如果系统管理员删除了指向某个路由表的所有规则,这个表就没有用了,但是仍然存在,直到里面的所有路由都被删除,它才会消失。

参数

注:具体参数还是看系统命令,新版的iproute2里面又加了很多

**Usage: ip rule [ list | add | del ] SELECTOR ACTION (add 添加;del 删除; llist 列表)**

  • SELECTOR := [ from PREFIX 数据包源地址] [ to PREFIX 数据包目的地址] [ tos TOS 服务类型][ dev STRING 物理接口] [ pref NUMBER ] [fwmark MARK iptables 标签]
  • ACTION := [ table TABLE_ID 指定所使用的路由表] [ nat ADDRESS 网络地址转换][ prohibit 丢弃该表| reject 拒绝该包| unreachable 丢弃该包]
  • [ flowid CLASSID ]
  • TABLE_ID := [ local | main | default | new | NUMBER ]


可参数解析如下:
From — 源地址
To — 目的地址(这里是选择规则时使用,查找路由表时也使用)
Tos — IP包头的TOS(type of sevice)域
Dev — 物理接口
Fwmark — 防火墙参数

采取的动作除了指定路由表外,还可以指定下面的动作:
Table 指明所使用的表
Nat 透明网关
Prohibit 丢弃该包,并发送 COMM.ADM.PROHIITED的ICMP信息
Reject 单纯丢弃该包
Unreachable丢弃该包, 并发送 NET UNREACHABLE的ICMP信息

示例一

ip rule add from 192.168.1.112/32 [tos 0x10] table test2 pref 999 prohibit
#ip rule add to 192.168.1.2 pref 1000 table test1
#ip rule add from 192.168.1.0/24 pref 1001 table test1
#ip rule add [from 0/0] table test1 pref 1003
#ip rule add fwmark 1 pref 1002 table test2 此句型配合iptables -t mangle应用.如先对数据包作标记:
#iptables -t mangle -A PREROUTING -p tcp -m multiport —dports 80,8080,20,21 -s 192.168.1.0/24 -j MARK —set-mark 1

示例二

Source IP
根据来源端IP来决定数据包参考哪个路由表发送出去。以下两个示例分别指出,如果数据包的来源端IP是192.168.1.10,就参考路由表10;如果来源端IP为192.168.2.0/24网段的IP,就参考路由表20
ip rule add from 192.168.1.10 table 10 2 ip rule add from 192.168.2.0/24 table 20

Destination IP
根据目的端IP来决定数据包参考哪个路由表发送出去。以下两个示例分别指出,如果数据包的目的端IP是168.95.1.1,就参考路由表10;如果目的端IP是168.95.0.0/24网段的IP,就参考路由表20
ip rule add to 168.95.1.1 table 10 2 ip rule add to 168.96.0.0/24 table 20

ip rule show命令所显示内容的第一个字段就是优先级别,数字越小,代表优先级别越高,也代表这条规则可以排得越靠前

  1. [root@localhost ~]# ip rule show  
  2. 0: from all lookup local  
  3. 32766: from all lookup main  
  4. 32767: from all lookup default  
  6. [root@localhost ~]# ip rule add from 192.168.1.0/24 table 1 prio 10  
  7. [root@localhost ~]# ip rule add from 192.168.2.0/24 table 2 prio 20  
  8. [root@localhost ~]# ip rule show  
  9. 0: from all lookup local  
  10. 10: from 192.168.1.0/24 lookup 1  
  11. 20: from 192.168.2.0/24 lookup 2  
  12. 32766: from all lookup main  
  13. 32767: from all lookup default

删除规则

  1. ip rule del prio 10
  2. ip rule del from 192.168.1.0/24
  3. ip rule del table 1
  4. ip rule del from 192.168.1.0/24 table 1 prio 10

示例三

官方参考:http://www.man7.org/linux/man-pages/man8/ip-rule.8.html

  1. IP-RULE(8)                          Linux                         IP-RULE(8)
  3. NAME         top
  4.        ip-rule - routing policy database management
  6. SYNOPSIS         top
  7.        ip [ OPTIONS ] rule { COMMAND | help }
  9.        ip rule [ list [ SELECTOR ]]
  11.        ip rule { add | del } SELECTOR ACTION
  13.        ip rule { flush | save | restore }
  15.        SELECTOR := [ not ] [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [
  16.                fwmark FWMARK[/MASK] ] [ iif STRING ] [ oif STRING ] [ pref
  17.                NUMBER ] [ l3mdev ] [ uidrange NUMBER-NUMBER ] [ ipproto
  18.                PROTOCOL ] [ sport [ NUMBER | NUMBER-NUMBER ] ] [ dport [
  19.                NUMBER | NUMBER-NUMBER ] ] [ tun_id TUN_ID ]
  21.        ACTION := [ table TABLE_ID ] [ protocol PROTO ] [ nat ADDRESS ] [
  22.                realms [SRCREALM/]DSTREALM ] [ goto NUMBER ] SUPPRESSOR
  24.        SUPPRESSOR := [ suppress_prefixlength NUMBER ] [ suppress_ifgroup
  25.                GROUP ]
  27.        TABLE_ID := [ local | main | default | NUMBER ]
  29. DESCRIPTION         top
  30.        ip rule manipulates rules in the routing policy database control the
  31.        route selection algorithm.
  33.        Classic routing algorithms used in the Internet make routing
  34.        decisions based only on the destination address of packets (and in
  35.        theory, but not in practice, on the TOS field).
  37.        In some circumstances we want to route packets differently depending
  38.        not only on destination addresses, but also on other packet fields:
  39.        source address, IP protocol, transport protocol ports or even packet
  40.        payload.  This task is called 'policy routing'.
  42.        To solve this task, the conventional destination based routing table,
  43.        ordered according to the longest match rule, is replaced with a
  44.        'routing policy database' (or RPDB), which selects routes by
  45.        executing some set of rules.
  47.        Each policy routing rule consists of a selector and an action
  48.        predicate.  The RPDB is scanned in order of decreasing priority (note
  49.        that lower number means higher priority, see the description of
  50.        PREFERENCE below). The selector of each rule is applied to {source
  51.        address, destination address, incoming interface, tos, fwmark} and,
  52.        if the selector matches the packet, the action is performed. The
  53.        action predicate may return with success.  In this case, it will
  54.        either give a route or failure indication and the RPDB lookup is
  55.        terminated. Otherwise, the RPDB program continues with the next rule.
  57.        Semantically, the natural action is to select the nexthop and the
  58.        output device.
  60.        At startup time the kernel configures the default RPDB consisting of
  61.        three rules:
  63.        1.     Priority: 0, Selector: match anything, Action: lookup routing
  64.               table local (ID 255).  The local table is a special routing
  65.               table containing high priority control routes for local and
  66.               broadcast addresses.
  68.        2.     Priority: 32766, Selector: match anything, Action: lookup
  69.               routing table main (ID 254).  The main table is the normal
  70.               routing table containing all non-policy routes. This rule may
  71.               be deleted and/or overridden with other ones by the
  72.               administrator.
  74.        3.     Priority: 32767, Selector: match anything, Action: lookup
  75.               routing table default (ID 253).  The default table is empty.
  76.               It is reserved for some post-processing if no previous default
  77.               rules selected the packet.  This rule may also be deleted.
  79.        Each RPDB entry has additional attributes. F.e. each rule has a
  80.        pointer to some routing table. NAT and masquerading rules have an
  81.        attribute to select new IP address to translate/masquerade. Besides
  82.        that, rules have some optional attributes, which routes have, namely
  83.        realms.  These values do not override those contained in the routing
  84.        tables. They are only used if the route did not select any
  85.        attributes.
  87.        The RPDB may contain rules of the following types:
  89.               unicast - the rule prescribes to return the route found in the
  90.               routing table referenced by the rule.
  92.               blackhole - the rule prescribes to silently drop the packet.
  94.               unreachable - the rule prescribes to generate a 'Network is
  95.               unreachable' error.
  97.               prohibit - the rule prescribes to generate 'Communication is
  98.               administratively prohibited' error.
  100.               nat - the rule prescribes to translate the source address of
  101.               the IP packet into some other value.
  103.        ip rule add - insert a new rule
  105.        ip rule delete - delete a rule
  107.               type TYPE (default)
  108.                      the type of this rule. The list of valid types was
  109.                      given in the previous subsection.
  111.               from PREFIX
  112.                      select the source prefix to match.
  114.               to PREFIX
  115.                      select the destination prefix to match.
  117.               iif NAME
  118.                      select the incoming device to match. If the interface
  119.                      is loopback, the rule only matches packets originating
  120.                      from this host. This means that you may create separate
  121.                      routing tables for forwarded and local packets and,
  122.                      hence, completely segregate them.
  124.               oif NAME
  125.                      select the outgoing device to match. The outgoing
  126.                      interface is only available for packets originating
  127.                      from local sockets that are bound to a device.
  129.               tos TOS
  131.               dsfield TOS
  132.                      select the TOS value to match.
  134.               fwmark MARK
  135.                      select the fwmark value to match.
  137.               uidrange NUMBER-NUMBER
  138.                      select the uid value to match.
  140.               ipproto PROTOCOL
  141.                      select the ip protocol value to match.
  143.               sport NUMBER | NUMBER-NUMBER
  144.                      select the source port value to match. supports port
  145.                      range.
  147.               dport NUMBER | NUMBER-NUMBER
  148.                      select the destination port value to match. supports
  149.                      port range.
  151.               priority PREFERENCE
  152.                      the priority of this rule.  PREFERENCE is an unsigned
  153.                      integer value, higher number means lower priority, and
  154.                      rules get processed in order of increasing number. Each
  155.                      rule should have an explicitly set unique priority
  156.                      value.  The options preference and order are synonyms
  157.                      with priority.
  159.               table TABLEID
  160.                      the routing table identifier to lookup if the rule
  161.                      selector matches.  It is also possible to use lookup
  162.                      instead of table.
  164.               protocol PROTO
  165.                      the routing protocol who installed the rule in
  166.                      question.  As an example when zebra installs a rule it
  167.                      would get RTPROT_ZEBRA as the installing protocol.
  169.               suppress_prefixlength NUMBER
  170.                      reject routing decisions that have a prefix length of
  171.                      NUMBER or less.
  173.               suppress_ifgroup GROUP
  174.                      reject routing decisions that use a device belonging to
  175.                      the interface group GROUP.
  177.               realms FROM/TO
  178.                      Realms to select if the rule matched and the routing
  179.                      table lookup succeeded. Realm TO is only used if the
  180.                      route did not select any realm.
  182.               nat ADDRESS
  183.                      The base of the IP address block to translate (for
  184.                      source addresses).  The ADDRESS may be either the start
  185.                      of the block of NAT addresses (selected by NAT routes)
  186.                      or a local host address (or even zero).  In the last
  187.                      case the router does not translate the packets, but
  188.                      masquerades them to this address.  Using map-to instead
  189.                      of nat means the same thing.
  191.                      Warning: Changes to the RPDB made with these commands
  192.                      do not become active immediately. It is assumed that
  193.                      after a script finishes a batch of updates, it flushes
  194.                      the routing cache with ip route flush cache.
  196.        ip rule flush - also dumps all the deleted rules.
  198.               protocol PROTO
  199.                      Select the originating protocol.
  201.        ip rule show - list rules
  202.               This command has no arguments.  The options list or lst are
  203.               synonyms with show.
  205.        ip rule save
  207.               protocol PROTO
  208.                      Select the originating protocol.
  210.        save rules table information to stdout
  211.               This command behaves like ip rule show except that the output
  212.               is raw data suitable for passing to ip rule restore.
  214.        ip rule restore
  215.               restore rules table information from stdin
  216.               This command expects to read a data stream as returned from ip
  217.               rule save.  It will attempt to restore the rules table
  218.               information exactly as it was at the time of the save. Any
  219.               rules already in the table are left unchanged, and duplicates
  220.               are not ignored.
  222. SEE ALSO         top
  223.        ip(8)
  225. AUTHOR         top
  226.        Original Manpage by Michail Litvak <mci@owl.openwall.com>
  228. COLOPHON         top
  229.        This page is part of the iproute2 (utilities for controlling TCP/IP
  230.        networking and traffic) project.  Information about the project can
  231.        be found at 
  232.        http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2⟩.
  233.        If you have a bug report for this manual page, send it to
  234.        netdev@vger.kernel.org, shemminger@osdl.org.  This page was obtained
  235.        from the project's upstream Git repository
  236.        ⟨https://git.kernel.org/pub/scm/network/iproute2/iproute2.git⟩ on
  237.        2019-11-19.  (At that time, the date of the most recent commit that
  238.        was found in the repository was 2019-11-17.)  If you discover any
  239.        rendering problems in this HTML version of the page, or you believe
  240.        there is a better or more up-to-date source for the page, or you have
  241.        corrections or improvements to the information in this COLOPHON
  242.        (which is not part of the original manual page), send a mail to
  243.        man-pages@man7.org


/