Article title: Policy-based routing in Linux
Author: Matthew G. Marsh
Summary
Using a large number of examples, this article introduces the powerful routing functionality of Linux 2.2. The routing functionality provided by Linux 2.2 is unmatched by many router products, and no product matches its cost-performance ratio.
Currently, the traditional routing algorithms used in computer networks select routes based on the destination address of the IP packet. In practice, however, there is often a need to select routes based not only on the destination address of the datagram but also on its other properties, such as the source address, the IP protocol, and the transport-layer port. This type of routing is called policy-based routing.
Linux has supported policy-based routing since kernel version 2.1. It uses a routing policy database (RPDB), which replaces the traditional route table keyed only on the destination address. The RPDB selects an appropriate IP route based on the rules it contains. These rules may match many different kinds of keys, so by default they have no inherent order; the rule search order, that is, the rule priority, is set by the network or system administrator.
In Linux, the RPDB is a linear list of rules sorted by a numeric priority value. The RPDB can match the source address, destination address, TOS, incoming interface, and fwmark value of the datagram. Each routing rule consists of a selector and an action indicator. The RPDB is scanned in ascending order of priority, and the selector of each rule is applied to the source address, destination address, incoming interface, TOS, and fwmark values of the datagram. If the datagram matches the rule, the action corresponding to the rule is executed. If the action returns successfully, the rule's output is either a valid route or a failed route lookup. Otherwise, the next rule in the RPDB is queried.
What action does a rule perform when its selector matches a datagram? In routing software the standard action is generally to select the next-hop address and the output interface, which can be called a "match & set" action. Linux adopts a more flexible approach and offers several actions. The default action is to look up a specific route table based on the destination address, so the "match & set" action becomes the simplest option for Linux route selection. Linux supports multiple route tables, each containing multiple routes; that is, each route table in Linux is equivalent to the system route table of other operating systems. Linux supports as many as 255 route tables. (Linux 2.2.12 supports 255 route tables, 255 realms (aggregation domains), and 2^32 policy rule priorities, 4294967296 in decimal.)
For Linux 2.1/2.2, the kernel contains a default RPDB consisting of three policy rules at startup. One way to view these default rules is to list all system rules with the ip command:
root@netmonster# ip rule list
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
These default rules are very important for understanding how to build a complex routing system.
The first is the highest-priority rule, rule 0:
Rule 0: priority 0, selector = match any datagram
Action = look up the local route table (routing table local), with ID 255.
The local table is a reserved route table that contains routes to local and broadcast addresses. Rule 0 is a special rule and cannot be deleted or modified.
Rule 32766: priority 32766, selector = match any datagram
Action = look up the main route table (routing table main), with ID 254.
The main route table is the default standard route table and contains all non-policy routes. Routes created by the old route command are placed in the main table. In addition, any route created by the ip route command without an explicitly specified table is added to the main table. This rule cannot be deleted or overridden by other rules.
Rule 32767: priority 32767, selector = match any datagram
Action = look up the default route table (routing table default), with ID 253.
The default route table is empty and is reserved for post-processing: datagrams that the preceding default rules did not select are handled here. This rule can be deleted.
Do not confuse route tables with rules. Rules point to route tables: several rules may point to the same table, and some tables may not be pointed to by any rule. If you delete all rules pointing to a table, the table is no longer consulted, but it still exists. A route table disappears only when all the routes it contains are deleted.
As mentioned above, the action of a Linux policy rule can be something other than pointing to a route table. When creating a policy rule, you can choose from the following types of action:
Unicast - perform a standard route lookup in the route table the rule points to. This is the default action when a route table is specified.
Blackhole - the rule action simply discards the datagram.
Unreachable - the rule action generates a "network unreachable" error message: an ICMP message of type 3, code 0 is returned to the sender.
Prohibit - the rule action generates a "communication administratively prohibited" error message: an ICMP message of type 3, code 13 is returned to the sender.
Other action types exist, but they have nothing to do with policy routing; they implement other advanced flow-control and datagram operations in the kernel. Because there is only one tool, the ip command, all of these types are available from it, but we use only the part relevant to the above: returning a route, or one of the other actions listed.
Before the examples, first look at the syntax of the ip tool. The ip command is used in many places; here we discuss only the parts related to policy routing. All commands are run directly by root on the command line.
First, look at the syntax of the ip addr command:
root@netmonster# ip addr help
Usage: ip addr {add|del} IFADDR dev STRING
       ip addr {show|flush} [ dev STRING ] [ scope SCOPE-ID ]
                            [ to PREFIX ] [ FLAG-LIST ] [ label PATTERN ]
IFADDR := PREFIX | ADDR peer PREFIX
          [ broadcast ADDR ] [ anycast ADDR ]
          [ label STRING ] [ scope SCOPE-ID ]
SCOPE-ID := [ host | link | global | NUMBER ]
FLAG-LIST := [ FLAG-LIST ] FLAG
FLAG := [ permanent | dynamic | secondary | primary |
          tentative | deprecated ]
Example: ip addr add 192.168.1.1/24 dev eth0
This command adds the IP address 192.168.1.1/24 to the eth0 interface.
Next, look at the ip route command:
root@netmonster# ip route help
Usage: ip route {list|flush} SELECTOR
       ip route get ADDRESS [ from ADDRESS iif STRING ]
                            [ oif STRING ] [ tos TOS ]
       ip route {add|del|replace|change|append|replace|
Example: ip rule add from 192.168.2.0/24 prio 32777 reject
This command discards all packets whose source address belongs to the 192.168.2.0/24 network.
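To make the rule-scanning semantics concrete (ascending priority, a failed table lookup falling through to the next rule, and the blackhole/unreachable/prohibit actions), here is an added Python model of the RPDB; it is not code from the article. Its tables, addresses and the prio 100 variant of the rule above are constructed, and the rule is modelled with the prohibit action (ICMP type 3, code 13) described earlier. It also shows why a rule at prio 32777 is only reached when the main table (prio 32766) has no route for the destination.

```python
import ipaddress
from collections import namedtuple
# Constructed sample tables (not the article's): local, main and default.
TABLES = {
    "local": [("127.0.0.0/8", "local lo"), ("192.168.1.1/32", "local eth0")],
    "main": [("192.168.1.0/24", "dev eth0"), ("192.168.2.0/24", "dev eth1"),
             ("0.0.0.0/0", "via 203.0.113.1 dev eth0")],  # default route
    "default": [],
}
ICMP = {"unreachable": (3, 0), "prohibit": (3, 13)}  # (type, code) per the text
# prio, "from" selector (0.0.0.0/0 = from all), action, table to look up
Rule = namedtuple("Rule", "prio src action table",
                  defaults=("0.0.0.0/0", "lookup", ""))

def lookup(table, dst):
    """Longest-prefix match in one table; None means the lookup failed."""
    best = None
    for prefix, nexthop in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return None if best is None else best[1]

def route(rules, src, dst):
    """Scan the RPDB in ascending priority, as the article describes."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in sorted(rules):
        if src_ip not in ipaddress.ip_network(r.src):
            continue                       # selector did not match; next rule
        if r.action == "blackhole":
            return ("drop", None)
        if r.action in ICMP:
            return ("icmp", ICMP[r.action])
        hit = lookup(r.table, dst_ip)
        if hit is not None:
            return ("route", hit)
        # table lookup failed: fall through and query the next rule
    return ("icmp", ICMP["unreachable"])   # no rule produced a route

DEFAULT_RULES = [Rule(0, table="local"), Rule(32766, table="main"),
                 Rule(32767, table="default")]

def demo():
    # prio 32777 sorts after main, so main's default route answers first;
    # the same rule at prio 100 is consulted before main and takes effect.
    low = DEFAULT_RULES + [Rule(32777, "192.168.2.0/24", "prohibit")]
    high = DEFAULT_RULES + [Rule(100, "192.168.2.0/24", "prohibit")]
    return {"low": route(low, "192.168.2.7", "198.51.100.9"),
            "high": route(high, "192.168.2.7", "198.51.100.9"),
            "lan": route(high, "192.168.1.5", "192.168.2.9")}
```

When checking a policy on a real host, `ip rule list` shows the priority order that decides which rule answers first, exactly as the sort in route() does here.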
Having covered the command syntax, the following are some examples using the commands above.
Example 1: denying access to the Internet.
Suppose a firewall is connected to both the local LAN and the Internet, and you want to prevent one subnet of the LAN from accessing the Internet. This can of course be achieved with Linux datagram filtering on the firewall, but here we introduce another way to implement it. First, let's assume that the following