(1) ip - Policy-based routing (PBR)
http://baturin.org/docs/iproute2/#Add%20a%20route%20via%20interface
Policy-based routing (PBR) in Linux is designed the following way: first you create custom routing tables, then you create rules to tell the kernel it should use those tables instead of the default table for specific traffic.
Some tables are predefined:
- local (table 255)
- Contains control routes local and broadcast addresses.
- main (table 254)
- Contains all non-PBR routes. If you don't specify the table when adding a route, it goes here.
- default (table 253)
- Reserved for post processing, normally unused.
User-defined tables are created automatically when you add the first route to them.
Create a policy route
ip route add ${route options} table ${table id or name}
Examples:
ip route add 192.0.2.0/27 via 203.0.113.1 table 10
ip route add 0.0.0.0/0 via 192.168.0.1 table ISP2
ip route add 2001:db8::/48 dev eth1 table 100
Notes: You can use any route options described in "Route management" section in policy routes too, the only difference is the "table ${table id/name}" part at the end.
Numeric table identifiers and names can be used interchangeably. To create your own symbolic names, edit/etc/iproute2/rt_tables config file.
"delete", "change", "replace", or any other route actions work with any table too.
"ip route ... table main" or "ip route ... table 254" would have exact same effect to commands without a table part.
View policy routes
ip route show table ${table id or name}
Examples:
ip route show table 100
ip route show table test
Note: in this case you need the "show" word, the shorthand like "ip route table 120" do not work because the command would be ambiguous.
General rule syntax
ip rule add ${options} <lookup ${table id or name}|blackhole|prohibit|unreachable>
Traffic that matches the ${options} (described below) will be routed according to the table with specified name/id instead of the "main"/254 table if "lookup" action is used.
"blackhole", "prohibit", and "unreachable" actions that work the same way to route types with same names. In most of examples we will use "lookup" action as the most common.
For IPv6 rules, use "ip -6", the rest of the syntax is the same.
"table ${table id or name}" can be used as alias to "lookup ${table id or name}".
Create a rule to match a source network
ip rule add from ${source network} ${action}
Examples:
ip rule add from 192.0.2.0/24 lookup 10
ip -6 rule add from 2001:db8::/32 prohibit
Notes: "all" can be used as shorthand to 0.0.0.0/0 or ::/0
Create a rule to match a destination network
ip rule add to ${destination network} ${action}
Examples:
ip rule add to 192.0.2.0/24 blackhole
ip -6 rule add to 2001:db8::/32 lookup 100
Create a rule to match a ToS field value
ip rule add tos ${ToS value} ${action}
Examples:
ip rule add tos 0x10 lookup 110
Create a rule to match a firewall mark value
ip rule add fwmark ${mark} ${action}
Examples:
ip rule add fwmark 0x11 lookup 100
Note: See iptables documentation to find out how to set the mark.
Create a rule to match inbound interface
ip rule add iif ${interface name} ${action}
Examples:
ip rule add iif eth0 lookup 10
ip rule add iif lo lookup 20
Rule with "iif lo" (loopback) will match locally generated traffic.
Create a rule to match outbound interface
ip rule add oif ${interface name} ${action}
Examples:
ip rule add oif eth0 lookup 10
Note: this works only for locally generated traffic.
Set rule priority
ip rule add ${options} ${action} priority ${value}
Examples:
ip rule add from 192.0.2.0/25 lookup 10 priority 10
ip rule add from 192.0.2.0/24 lookup 20 priority 20
Note: As rules are traversed from the lowest to the highest priority and processing stops at first match, you need to put more specific rules before less specific. The above example demonstrates rules for 192.0.2.0/24 and its subnet 192.0.2.0/25. If the priorities were reversed and the rule for /25 was placed after the rule for /24, it would never be reached.
Delete a rule
ip rule del ${options} ${action}
Examples:
ip rule del 192.0.2.0/24 lookup 10
Notes: You can copy/paste from the output of "ip rule show"/"ip -6 rule show".
Delete all rules
ip rule flush
ip -6 rule flush
Notes: this operation is highly disruptive. Even if you have not configured any rules, "from all lookup main" rules are initialized by default. On an unconfigured machine you can see this:
$ ip rule show 0: from all lookup local 32766: from all lookup main 32767: from all lookup default $ ip -6 rule show 0: from all lookup local 32766: from all lookup main
The "from all lookup local" rule is special and cannot be deleted. The "from all lookup main" is not, there may be valid reasons not to have it, e.g. if you want to route only traffic you created explicit rules for. As a side effect, if you do "ip rule flush", this rule will be deleted, which will make the system stop routing any traffic until you restore your rules.
