Sidebar
docs:guide-user:network:ip_rules
IP rules (policy routing)
Netifd supports IP rule declarations which are required to implement policy routing.
IPv4 rules can be defined by declaring one or more sections of type rule, IPv6 rules are denoted by sections of type rule6. Both types share the same set of defined options.
A simple IPv4 rule may look like:
config rule
option mark '0xFF'
option in 'lan'
option dest '172.16.0.0/16'
option lookup '100'
0xFFis a fwmark to be matchedlanis the incoming logical interface name172.16.0.0/16is the destination subnet to match100is the routing table ID to use for the matched traffic
Similary, an IPv6 rule looks like:
config rule6
option in 'vpn'
option dest 'fdca:1234::/64'
option action 'prohibit'
vpnis the incoming logical interface namefdca:1234::/64is the destination subnet to matchprohibitis a routing action to take
Options for IP rule (rule and rule6) sections
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
in | string | no | (none) | Specifies the incoming logical interface name |
out | string | no | (none) | Specifies the outgoing logical interface name |
src | ip subnet | no | (none) | Specifies the source subnet to match (CIDR notation) |
dest | ip subnet | no | (none) | Specifies the destination subnet to match (CIDR notation) |
tos | integer | no | (none) | Specifies the TOS value to match in IP headers |
mark | mark/mask | no | (none) | Specifies the fwmark and optionally its mask to match, e.g. 0xFF to match mark 255 or 0x0/0x1 to match any even mark value |
invert | boolean | no | 0 | If set to 1, the meaning of the match options is inverted |
priority | integer | no | (incrementing) | Controls the order of the IP rules, by default the priority is auto-assigned so that they are processed in the same order they're declared in the config file |
lookup | routing table | at least one of | (none) | The rule target is a table lookup, the ID can be either a numeric table index ranging from 0 to 65535 or a symbolic alias declared in /etc/iproute2/rt_tables. The special aliases local (255), main (254) and default (253) are recognized as well |
goto | rule index | The rule target is a jump to another rule specified by its priority value |
||
action | string | The rule target is one of the routing actions outlined in the table below |
Routing Actions
| Action | Description |
|---|---|
prohibit | When reaching the rule, respond with ICMP prohibited messages and abort route lookup |
unreachable | When reaching the rule, respond with ICMP unreachable messages and abort route lookup |
blackhole | When reaching the rule, drop packet and abort route lookup |
throw | Stop lookup in the current routing table even if a default route exists |
docs/guide-user/network/ip_rules.txt · Last modified: 2018/03/03 20:14 by bobafetthotmail
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
