Policy routing is a more flexible packet-forwarding mechanism than routing based only on the destination network. This article mainly explains the commands used to configure policy routing, so that you can gain a deeper understanding of how it works.
Policy Routing
Policy routing means that IP packets are routed according to policies set by the network administrator as needed. For example, a policy might say: "select path X for all packets that come directly from network A, and path Y for all others", or "select path F for all packets whose TOS field is set to a particular value, and path K for the rest".
Linux supports a maximum of 255 routing tables, of which 3 are built in. Their names are listed in the file /etc/iproute2/rt_tables.
Table 255 (local): local interface addresses, broadcast addresses and NAT addresses are all placed in this table. It is maintained automatically by the kernel and cannot be modified directly by the administrator.
Table 254 (main): if a route is added without specifying a table, it is placed in this table by default. Routes added by the older routing tool (such as route) all go into this table, so it generally holds the ordinary routes.
Table 253 (default): default routes are generally stored in this table, although a default route can be placed in another table if one is specified explicitly.
Table 0: reserved.
The format of the route configuration command is as follows:
Usage: ip route list SELECTOR
       ip route {change | del | add | append | replace | monitor} ROUTE
To view the contents of a routing table, run the following command:
ip route list table table_number
ip -6 route list table table_number (for IPv6)
Route operations include change, del, add, append, replace, and monitor. For example, you can add a route:
Router> # ip route add 0/0 via 192.168.0.4 table main
Router> # ip route add 192.168.3.0/24 via 192.168.0.3 table 1
The first command adds a route entry to the main routing table, that is, table 254: a default route (0/0) whose gateway is 192.168.0.4.
The second command adds a route entry to routing table 1: packets for the subnet 192.168.3.0/24 (subnet mask 255.255.255.0) are sent via the gateway 192.168.0.3.
In a system with multiple routing tables, every route operation, such as adding a route to a table or looking up a specific route in a table, must specify the table it applies to; if no table is specified, the operation is performed on the main routing table (table 254) by default. In a single-table system, route operations do not need to specify the table.
Rule Configuration: ip rule
In Linux, a total of 2^32 priority levels can be defined. A single priority level can hold only one rule, so in theory 2^32 rules can be defined. Three of the rules are present by default. Command usage:
Usage: ip rule [list | add | del] SELECTOR ACTION
SELECTOR := [from PREFIX] [to PREFIX] [tos TOS]
            [dev STRING] [pref NUMBER]
ACTION := [table TABLE_ID] [nat ADDRESS]
          [prohibit | reject | unreachable]
          [flowid CLASSID]
TABLE_ID := [local | main | default | new | NUMBER]
First, let's look at the default rules:
root@netmonster# ip rule list
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
Note: the smaller the number, the higher the priority.
Rule 0 is the highest-priority rule. It specifies that all packets are first routed using the local table (255). This rule cannot be changed or deleted.
Rule 32766 specifies that all packets are routed using the main table. This rule can be changed or deleted.
Rule 32767 specifies that all packets are routed using the default table. This rule can be changed or deleted.
With the default configuration, a lookup first searches the local table according to rule 0. If the destination address belongs to the local host, the local network or a broadcast address, a suitable route is found here. If that lookup fails, the next non-empty rule is matched; here that is rule 32766, so the route is searched for in the main table. If that also fails, rule 32767 is matched and the default table is searched. If that fails too, the route lookup fails. This shows that policy routing remains compatible with ordinary destination-based routing.
You can also add rules:
Router> # ip rule add [from 0/0] table 1 pref 32800
Router> # ip rule add from 192.168.3.112/32 [tos 0x10] table 2 pref 1500 prohibit
The first command adds a rule to the rule chain. The rule matches all packets, and its action is to look up the route in routing table 1. The priority of the rule is 32800.
The second command adds a rule to the rule chain. The rule matches packets whose source IP address is 192.168.3.112 and whose TOS is equal to 0x10, and it refers to routing table 2. The rule has a priority of 1500. After adding the rules, we can see the change in the system's rule list:
Router> # ip rule
0:      from all lookup local
1500:   from 192.168.3.112/32 [tos 0x10] lookup 2
32766:  from all lookup main
32767:  from all lookup default
32800:  from all lookup 1
The preceding rule uses the source address as the key for deciding whether a packet matches. In addition to the source address, the following selectors can be used:
from -- source address
to -- destination address (used both for rule selection and for the routing table lookup)
tos -- the TOS (type of service) field of the IP header
dev -- the physical interface the packet arrived on
fwmark -- the firewall mark set on the packet by the firewall
In addition to looking up a table, a rule can specify the following actions:
table -- look up the route in the given table
nat -- transparent address translation (NAT gateway)
prohibit -- discard the packet and send an ICMP "communication administratively prohibited" message
reject -- simply discard the packet
unreachable -- discard the packet and send an ICMP "network unreachable" message
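As an added example (not part of the original article), the following Python script models the lookup process described above: rules are tried in ascending priority, a matching rule's table is searched with longest-prefix match, a table with no matching route falls through to the next rule, and prohibit/reject/unreachable terminate the lookup. It loads the rule chain shown in the ip rule output and the two routes added earlier; the local host address 192.168.0.2 and the directly connected network 192.168.0.0/24 are constructed assumptions, and the optional main_default switch is there only to show what happens when the main table has no default route.

```python
"""Simplified model of the Linux routing policy database (RPDB) lookup.

Constructed for illustration; it is not the kernel's implementation.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    via: Optional[str] = None  # gateway address; None means directly connected / local


@dataclass
class Rule:
    pref: int                  # priority: smaller number is tried first
    action: str                # "lookup", "prohibit", "reject" or "unreachable"
    table: Optional[str] = None            # table name used by "lookup"
    src: Optional[ipaddress.IPv4Network] = None  # 'from' selector, None = from all
    tos: Optional[int] = None              # 'tos' selector, None = any TOS


class RPDB:
    def __init__(self) -> None:
        self.rules = []   # kept sorted by pref
        self.tables = {}  # table name -> list of Route

    def add_route(self, table: str, prefix: str, via: Optional[str] = None) -> None:
        """Equivalent of: ip route add PREFIX [via GW] table TABLE."""
        self.tables.setdefault(table, []).append(Route(ipaddress.ip_network(prefix), via))

    def add_rule(self, pref: int, action: str = "lookup", table: Optional[str] = None,
                 src: Optional[str] = None, tos: Optional[int] = None) -> None:
        """Equivalent of: ip rule add [from SRC] [tos TOS] (table T | prohibit | ...) pref N."""
        src_net = ipaddress.ip_network(src) if src else None
        self.rules.append(Rule(pref, action, table, src_net, tos))
        self.rules.sort(key=lambda r: r.pref)

    def lookup_table(self, table: str, dst: ipaddress.IPv4Address) -> Optional[Route]:
        """Longest-prefix match inside one table; None if the table has no route for dst."""
        best = None
        for route in self.tables.get(table, []):
            if dst in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
                best = route
        return best

    def route(self, src: str, dst: str, tos: int = 0) -> Tuple[str, Optional[str]]:
        """Walk the rules in priority order; return (what decided, gateway)."""
        src_a, dst_a = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for rule in self.rules:
            if rule.src is not None and src_a not in rule.src:
                continue  # selector 'from' does not match
            if rule.tos is not None and rule.tos != tos:
                continue  # selector 'tos' does not match
            if rule.action != "lookup":
                return (rule.action, None)  # prohibit/reject/unreachable end the lookup
            hit = self.lookup_table(rule.table, dst_a)
            if hit is not None:
                return ("table " + rule.table, hit.via)
            # no route in this table: fall through to the next rule
        return ("unreachable", None)  # every rule exhausted without a route


def build_example(main_default: bool = True) -> RPDB:
    """Rule chain and routes from the article, plus constructed local entries."""
    db = RPDB()
    db.add_route("local", "192.168.0.2/32")               # constructed: this host's own address
    db.add_route("main", "192.168.0.0/24")                # constructed: directly connected LAN
    if main_default:
        db.add_route("main", "0.0.0.0/0", via="192.168.0.4")   # ip route add 0/0 via 192.168.0.4 table main
    db.add_route("1", "192.168.3.0/24", via="192.168.0.3")     # ip route add 192.168.3.0/24 via 192.168.0.3 table 1
    db.add_rule(0, table="local")
    db.add_rule(1500, action="prohibit", src="192.168.3.112/32", tos=0x10)
    db.add_rule(32766, table="main")
    db.add_rule(32767, table="default")                    # empty table, always falls through
    db.add_rule(32800, table="1")
    return db


if __name__ == "__main__":
    db = build_example()
    print(db.route("10.0.0.5", "192.168.3.7"))           # main's default route wins
    print(db.route("192.168.3.112", "8.8.8.8", tos=0x10))  # prohibited by rule 1500
    print(build_example(main_default=False).route("10.0.0.5", "192.168.3.7"))  # reaches table 1
```

Running it shows one point the rule listing alone does not make obvious: because rule 32766 (main) is tried before rule 32800 and main holds a default route, table 1 is never consulted for 192.168.3.0/24 traffic; only when main has no default route does the lookup fall through to table 1. A rule that is meant to override the main table therefore needs a priority number lower than 32766, and checking ip rule and ip route list table on the live system after each change is the quickest way to confirm the intended order.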