Using ip rule and ip route -- very important, needs continued study!!
1. ip rule
https://manpages.debian.org/buster/iproute2/ip-rule.8.en.html (manual for the buster release)
Reference: ip rule 路由策略数据库管理命令 ("ip rule: routing policy database management command"). According to that article, /etc/iproute2/rt_tables only maps table ids to table names, so if you use table ids and never table names, rt_tables should not need to be modified at all.
ip rule add accepts priority, order or preference (or the abbreviations pri, ord, pref) to set a rule's priority; if none is given, the first rule added gets priority 32765.
Note that ip rule treats the priority as the unique key: only the priority has to differ between rules, while the rule contents themselves can be identical. This makes ip rule del convenient (deleting by priority alone is enough).
The from and to selectors of ip rule add both take a PREFIX, and a PREFIX can be either a single IP address or an address range.
ip [ OPTIONS ] rule { COMMAND | help }
ip rule [ list [ SELECTOR ]]
ip rule { add | del } SELECTOR ACTION
ip rule { flush | save | restore }
SELECTOR := [ not ] [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ fwmark FWMARK[/MASK] ] [ iif STRING ] [ oif STRING ] [ pref NUMBER ] [ l3mdev ] [ uidrange NUMBER-NUMBER ] [ ipproto PROTOCOL ] [ sport [ NUMBER | NUMBER-NUMBER ] ] [ dport [ NUMBER | NUMBER-NUMBER ] ] [ tun_id TUN_ID ]
ACTION := [ table TABLE_ID ] [ protocol PROTO ] [ nat ADDRESS ] [ realms [SRCREALM/]DSTREALM ] [ goto NUMBER ] SUPPRESSOR
SUPPRESSOR := [ suppress_prefixlength NUMBER ] [ suppress_ifgroup GROUP ]
TABLE_ID := [ local | main | default | NUMBER ]
The relevant parameters are explained below:
(1) iif NAME
select the incoming device to match. If the interface is loopback, the rule only matches packets originating from this host. This means that you may create separate routing tables for forwarded and local packets and, hence, completely segregate them.
If iif is set to the loopback interface, the rule matches only packets originating from this host, which means forwarded and local packets need their own separate rules.
(2) oif NAME
select the outgoing device to match. The outgoing interface is only available for packets originating from local sockets that are bound to a device. This is quite explicit: oif only applies to traffic from local sockets bound to a device; for packets being forwarded through this host, the outgoing interface cannot be used as a selector in this way.
(3) uidrange NUMBER-NUMBER: a range of user ids.
(4) l3mdev: relates to VRF.
(5) priority PREFERENCE
the priority of this rule. PREFERENCE is an unsigned integer value, higher number means lower priority, and rules get processed in order of increasing number. Each rule should have an explicitly set unique priority value. The options preference and order are synonyms with priority.
preference and order are synonyms for priority. Does that mean preference and order can be used in place of priority?? Verified in practice: yes, they can.
(6) suppress_prefixlength NUMBER
reject routing decisions that have a prefix length of NUMBER or less. In other words, the routing decision is rejected when the matched prefix length is less than or equal to NUMBER.
suppress_ifgroup GROUP
reject routing decisions that use a device belonging to the interface group GROUP. That is, the routing decision is rejected when it uses an interface belonging to that interface group; interface groups can presumably be defined in /etc/iproute2/group.
2. ip route
https://manpages.debian.org/buster/iproute2/ip-route.8.en.html (buster release manual)
https://manpages.debian.org/stretch/iproute2/ip-route.8.en.html (stretch release manual)
The parameters from the man page are as follows:
ip route { show | flush } SELECTOR
ip route save SELECTOR
ip route restore
ip route get ADDRESS [ from ADDRESS iif STRING ] [ oif STRING ] [ tos TOS ] [ vrf NAME ]
ip route { add | del | change | append | replace } ROUTE
Parameter descriptions follow; the most important ones are SELECTOR and ROUTE.
SELECTOR := [ root PREFIX ] [ match PREFIX ] [ exact PREFIX ] [ table TABLE_ID ] [ vrf NAME ] [ proto RTPROTO ] [ type TYPE ] [ scope SCOPE ]
ROUTE := NODE_SPEC [ INFO_SPEC ]
NODE_SPEC := [ TYPE ] PREFIX [ tos TOS ] [ table TABLE_ID ] [ proto RTPROTO ] [ scope SCOPE ] [ metric METRIC ]
INFO_SPEC := NH OPTIONS FLAGS [ nexthop NH ] ... For NH OPTIONS FLAGS see the OPTIONS syntax; NH stands for next hop. In practice the nexthop keyword can be given or omitted, for example: mtu 1500 nexthop dev vmbr0 or mtu 1500 features ecn dev vmbr0
NH := [ encap ENCAP ] [ via [ FAMILY ] ADDRESS ] [ dev STRING ] [ weight NUMBER ] NHFLAGS
FAMILY := [ inet | inet6 | ipx | dnet | mpls | bridge | link ]
OPTIONS := FLAGS [ mtu NUMBER ] [ advmss NUMBER ] [ as [ to ] ADDRESS ] rtt TIME ] [ rttvar TIME ] [ reordering NUMBER ] [ window NUMBER ] [ cwnd NUMBER ] [ ssthresh REALM ] [ realms REALM ] [ rto_min TIME ] [ initcwnd NUMBER ] [ initrwnd NUMBER ] [ features FEATURES ] [ quickack BOOL ] [ congctl NAME ] [ pref PREF ] [ expires TIME ] The official man page has a small error here (the spot was highlighted in bold in the original post): the bracket around rtt TIME is unbalanced. In actual use I simply left FLAGS out and wrote the options as mtu 1500 features ecn; note that some of these options apply only to IPv6.
TYPE := [ unicast | local | broadcast | multicast | throw | unreachable | prohibit | blackhole | nat ]
TABLE_ID := [ local| main | default | all | NUMBER ]
SCOPE := [ host | link | global | NUMBER ]
NHFLAGS := [ onlink | pervasive ]
RTPROTO := [ kernel | boot | static | NUMBER ]
FEATURES := [ ecn | ]
PREF := [ low | medium | high ]
ENCAP := [ MPLS | IP ]
ENCAP_MPLS := mpls [ LABEL ]
ENCAP_IP := ip id TUNNEL_ID dst REMOTE_IP [ tos TOS ] [ ttl TTL ]
To compare against the formatting error in the man page above, here is the output of ip route help, which is clear and unambiguous:
Usage: ip route { list | flush } SELECTOR
ip route save SELECTOR
ip route restore
ip route showdump
ip route get [ ROUTE_GET_FLAGS ] ADDRESS
[ from ADDRESS iif STRING ]
[ oif STRING ] [ tos TOS ]
[ mark NUMBER ] [ vrf NAME ]
[ uid NUMBER ]
ip route { add | del | change | append | replace } ROUTE
SELECTOR := [ root PREFIX ] [ match PREFIX ] [ exact PREFIX ]
[ table TABLE_ID ] [ vrf NAME ] [ proto RTPROTO ]
[ type TYPE ] [ scope SCOPE ]
ROUTE := NODE_SPEC [ INFO_SPEC ]
NODE_SPEC := [ TYPE ] PREFIX [ tos TOS ]
[ table TABLE_ID ] [ proto RTPROTO ]
[ scope SCOPE ] [ metric METRIC ]
[ ttl-propagate { enabled | disabled } ]
INFO_SPEC := NH OPTIONS FLAGS [ nexthop NH ]...
NH := [ encap ENCAPTYPE ENCAPHDR ] [ via [ FAMILY ] ADDRESS ]
[ dev STRING ] [ weight NUMBER ] NHFLAGS
FAMILY := [ inet | inet6 | ipx | dnet | mpls | bridge | link ]
OPTIONS := FLAGS [ mtu NUMBER ] [ advmss NUMBER ] [ as [ to ] ADDRESS ]
[ rtt TIME ] [ rttvar TIME ] [ reordering NUMBER ]
[ window NUMBER ] [ cwnd NUMBER ] [ initcwnd NUMBER ]
[ ssthresh NUMBER ] [ realms REALM ] [ src ADDRESS ]
[ rto_min TIME ] [ hoplimit NUMBER ] [ initrwnd NUMBER ]
[ features FEATURES ] [ quickack BOOL ] [ congctl NAME ]
[ pref PREF ] [ expires TIME ] [ fastopen_no_cookie BOOL ]
TYPE := { unicast | local | broadcast | multicast | throw |
unreachable | prohibit | blackhole | nat }
TABLE_ID := [ local | main | default | all | NUMBER ]
SCOPE := [ host | link | global | NUMBER ]
NHFLAGS := [ onlink | pervasive ]
RTPROTO := [ kernel | boot | static | NUMBER ]
PREF := [ low | medium | high ]
TIME := NUMBER[s|ms]
BOOL := [1|0]
FEATURES := ecn
ENCAPTYPE := [ mpls | ip | ip6 | seg6 | seg6local ]
ENCAPHDR := [ MPLSLABEL | SEG6HDR ]
SEG6HDR := [ mode SEGMODE ] segs ADDR1,ADDRi,ADDRn [hmac HMACKEYID] [cleanup]
SEGMODE := [ encap | inline ]
ROUTE_GET_FLAGS := [ fibmatch ]
Let's dissect the most common forms, ip route add, replace and change, which are followed by a ROUTE:
(1) ROUTE := NODE_SPEC [ INFO_SPEC ]: note that NODE_SPEC is mandatory and INFO_SPEC is optional.
(2) NODE_SPEC := [ TYPE ] PREFIX [ tos TOS ] [ table TABLE_ID ] [ proto RTPROTO ] [ scope SCOPE ] [ metric METRIC ]: this is where the metric (route priority) is set.
(3) INFO_SPEC := NH OPTIONS FLAGS [ nexthop NH ] ... (there can be several). NH OPTIONS FLAGS is defined by OPTIONS := FLAGS [ mtu NUMBER ] [ advmss NUMBER ] [ as [ to ] ADDRESS ] rtt TIME ] [ rttvar TIME ] [ reordering NUMBER ] [ window NUMBER ] [ cwnd NUMBER ] [ ssthresh REALM ] [ realms REALM ] [ rto_min TIME ] [ initcwnd NUMBER ] [ initrwnd NUMBER ] [ features FEATURES ] [ quickack BOOL ] [ congctl NAME ] [ pref PREF ] [ expires TIME ]. Note that some of these apply only to IPv6, e.g. pref and expires.
(4) NH := [ encap ENCAP ] [ via [ FAMILY ] ADDRESS ] [ dev STRING ] [ weight NUMBER ] NHFLAGS, where NHFLAGS has only two possible values, NHFLAGS := [ onlink | pervasive ]; weight sets the weight of the next hop and must not be confused with metric.
Example based on the above: ip rule add 1.1.1.1 metric 101 FLAGS pref low nexthop dev vmbr0 onlink gives the error:
Damn!!!! This needs ip route, not ip rule. See the trial examples below:
A rule added without options goes into table main by default, but what priority does it get??? Tested on proxmox5 as follows:
3.
(1) Key article, must read:
Linux series: policy routing, ip rule, ip route https://blog.csdn.net/u012758088/article/details/76255543/
(2) We need to look at src in ip route (according to ip route help this option belongs to NH OPTIONS FLAGS) and from in ip rule: should they be set to a network or to the NIC's own IP address? The analysis follows:
Tested on a single-NIC PC (IP 192.168.44.187/24, gateway 192.168.44.1):
ip route add 3.3.3.3 mtu 1500 src 192.168.44.8 dev vmbr0 immediately fails with Error: Invalid prefsrc address. indicating that 192.168
ip route add 3.3.3.3 mtu 1500 src 192.168.44.8/24 dev vmbr0 fails with Error: inet address is expected rather than "192.168.44.8/24". meaning a single IP address is required rather than a network.
So what if the src address above is set to 192.168.44.187? ip route add 3.3.3.3 mtu 1500 src 192.168.44.187 dev vmbr0 succeeds.
Let's look at the definition of src:
src ADDRESS
the source address to prefer when sending to the destinations covered by the route prefix.
This brings up the difference between the ADDRESS and PREFIX parameters: does ADDRESS denote only a single address, while PREFIX can be written as either a single address or a network???
The from and to parameters of ip rule can specify either a specific IP address or an IP network.
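Added example (not from the original post or from iproute2): a small Python model of the semantics covered in the ip rule section and in the src/from experiments above. It walks rules in increasing pref, does longest-prefix lookup per table, applies suppress_prefixlength, and rejects a prefsrc that is a network or not a local address, as the two ip route errors above did; it never calls ip itself. Assumed values: the post's host 192.168.44.187/24 on vmbr0, plus a constructed table id 100 with a tun0 device.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
# Constructed setup mirroring the post: this host is 192.168.44.187/24 on vmbr0.
LOCAL_ADDRS = {ip_address("192.168.44.187"), ip_address("127.0.0.1")}

@dataclass
class Route:
    prefix: str                # PREFIX: a host address or a network ("3.3.3.3", "0.0.0.0/0")
    dev: str
    src: Optional[str] = None  # prefsrc ADDRESS: exactly one local address, never a network
    def __post_init__(self):
        if self.src is not None:
            addr = ip_address(self.src)    # "192.168.44.8/24" raises ValueError, as ip route does
            if addr not in LOCAL_ADDRS:    # "192.168.44.8" is not ours: invalid prefsrc
                raise ValueError(f"invalid prefsrc address {self.src}")

@dataclass
class Rule:
    pref: int                  # the unique key; ip rule del pref N removes exactly this rule
    table: str                 # table id or name; a bare id needs no /etc/iproute2/rt_tables entry
    frm: str = "0.0.0.0/0"     # from PREFIX (a network, unlike prefsrc)
    suppress_prefixlength: Optional[int] = None

def lookup_table(routes, dst):  # longest-prefix match in one table -> (prefixlen, Route) or None
    best = None
    for r in routes:
        net = ip_network(r.prefix, strict=False)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, r)
    return best

def policy_lookup(rules, tables, dst, src="0.0.0.0"):  # rules are walked by increasing pref
    dst_ip, src_ip = ip_address(dst), ip_address(src)
    for rule in sorted(rules, key=lambda r: r.pref):
        if src_ip not in ip_network(rule.frm):
            continue                                 # selector does not match: next rule
        hit = lookup_table(tables.get(rule.table, []), dst_ip)
        if hit is None:
            continue                                 # nothing in this table: next rule
        plen, route = hit
        if rule.suppress_prefixlength is not None and plen <= rule.suppress_prefixlength:
            continue                                 # decision too coarse (e.g. a default route): reject it
        return rule.pref, rule.table, route.dev      # first usable decision wins
    return None
TABLES = {"main": [Route("192.168.44.0/24", "vmbr0", src="192.168.44.187"),
                   Route("0.0.0.0/0", "vmbr0")],
          "100": [Route("0.0.0.0/0", "tun0")]}        # e.g. a VPN table, referenced by id only
RULES = [Rule(100, "main", suppress_prefixlength=0),  # connected routes win; main's default is skipped
         Rule(200, "100", frm="192.168.44.0/24"),     # LAN-sourced traffic then goes out via table 100
         Rule(32766, "main")]                         # the stock main rule, lowest precedence
```

With these constructed tables, LAN destinations resolve through main at pref 100, internet-bound traffic from the LAN prefix falls through to table 100, and traffic from any other source ends up at the stock main rule.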