Using ip rule and ip route -- very important, needs continued study!!


一、ip rule
https://manpages.debian.org/buster/iproute2/ip-rule.8.en.html (manual page for the buster release)
Reference: the article "ip rule 路由策略數據庫管理命令" (ip rule: routing policy database management command). According to it, /etc/iproute2/rt_tables holds the mapping between table IDs and table names; if you only ever use table IDs and never table names, the rt_tables file should not need to be edited.
ip rule add can take priority, order or preference (or their short forms pri, ord, pref) to set the priority; without one, the first rule added gets priority 32765.
Note that ip rule rules use the priority as their unique key: only the priorities must differ, while the actual rule contents may be identical. This is what makes deletion with ip rule del convenient (just delete by the priority).
For ip rule add, both from and to take a PREFIX, and a PREFIX can be a single IP address or an IP address range.

ip [ OPTIONS ] rule { COMMAND | help }
ip rule [ list [ SELECTOR ]]

ip rule { add | del } SELECTOR ACTION

ip rule { flush | save | restore }

SELECTOR := [ not ] [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ fwmark FWMARK[/MASK] ] [ iif STRING ] [ oif STRING ] [ pref NUMBER ] [ l3mdev ] [ uidrange NUMBER-NUMBER ] [ ipproto PROTOCOL ] [ sport [ NUMBER | NUMBER-NUMBER ] ] [ dport [ NUMBER | NUMBER-NUMBER ] ] [ tun_id TUN_ID ]

ACTION := [ table TABLE_ID ] [ protocol PROTO ] [ nat ADDRESS ] [ realms [SRCREALM/]DSTREALM ] [ goto NUMBER ] SUPPRESSOR

SUPPRESSOR := [ suppress_prefixlength NUMBER ] [ suppress_ifgroup GROUP ]

TABLE_ID := [ local | main | default | NUMBER ]

The relevant parameters are explained here:
①、iif NAME
select the incoming device to match. If the interface is loopback, the rule only matches packets originating from this host. This means that you may create separate routing tables for forwarded and local packets and, hence, completely segregate them.
If iif is set to loopback, the rule only matches traffic originating from this host, which means forwarded and local packets need their own separate rules.

②、oif NAME
select the outgoing device to match. The outgoing interface is only available for packets originating from local sockets that are bound to a device. This already says it clearly: oif can only be used for traffic from sockets bound to a local interface; traffic that is forwarded through this host and leaves via an outgoing interface cannot be matched with this kind of interface selector.

③、uidrange NUMBER-NUMBER refers to a range of user IDs

④、l3mdev relates to VRF

⑤、priority PREFERENCE
the priority of this rule. PREFERENCE is an unsigned integer value, higher number means lower priority, and rules get processed in order of increasing number. Each rule should have an explicitly set unique priority value. The options preference and order are synonyms with priority.
preference and order are synonyms of priority. Does that mean preference and order can be used in place of priority?? Verified in practice: yes, that is how it works.

⑥、suppress_prefixlength NUMBER
reject routing decisions that have a prefix length of NUMBER or less. When the prefix length is less than or equal to NUMBER, the routing decision is rejected.
suppress_ifgroup GROUP
reject routing decisions that use a device belonging to the interface group GROUP. When the chosen interface belongs to the interface group, the routing decision is rejected; interface groups should be definable in /etc/iproute2/group.
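An added example, not from the original notes or the cited articles: a Python audit of `ip rule show` output built on the priority-as-key point above. It flags priorities shared by several rules (the manual says each should be unique) and rule bodies repeated under different priorities, which only `ip rule del pref N` removes unambiguously. The sample output is constructed, and the keyword list is an assumption drawn from the SELECTOR/ACTION grammar quoted above and iproute2's text output format.

```python
import re
from collections import Counter
# Keywords of the `ip rule show` text format: one-argument ones and bare flags
# (assumed list, following the SELECTOR/ACTION grammar quoted above)
ONE_ARG = {"from", "to", "tos", "fwmark", "iif", "oif", "uidrange", "ipproto", "sport",
           "dport", "tun_id", "realms", "protocol", "lookup", "goto",
           "suppress_prefixlength", "suppress_ifgroup"}
FLAGS = {"not", "l3mdev", "blackhole", "unreachable", "prohibit"}
# Constructed sample (not captured from a real host) in wg-quick style, with two
# planted problems: pref 100 is used twice, and pref 300 repeats one of those rules
SAMPLE = """\
100:\tfrom 192.168.44.0/24 lookup 100
100:\tfrom 10.0.0.0/8 lookup 200
200:\tfrom all lookup main suppress_prefixlength 0
210:\tnot from all fwmark 0xca6c lookup 51820
300:\tfrom 10.0.0.0/8 lookup 200
32766:\tfrom all lookup main
""".splitlines()

def parse_rule(line):
    """Turn one `ip rule show` line into {'pref': N, keyword: value, ...}."""
    m = re.match(r"\s*(\d+):\s*(.*)$", line)
    if not m:
        raise ValueError("not an ip rule line: %r" % line)
    rule, toks, i = {"pref": int(m.group(1))}, m.group(2).split(), 0
    while i < len(toks):
        if toks[i] in ONE_ARG:        # keyword followed by its value
            rule[toks[i]] = toks[i + 1]
            i += 2
        elif toks[i] in FLAGS:        # bare keyword
            rule[toks[i]] = True
            i += 1
        else:                         # fail loudly rather than mis-audit silently
            raise ValueError("unexpected token %r in %r" % (toks[i], line))
    return rule

def audit_rules(lines):
    """Findings: prefs shared by several rules, and rule bodies repeated under different prefs."""
    rules = sorted((parse_rule(ln) for ln in lines if ln.strip()), key=lambda r: r["pref"])
    findings, seen = [], {}
    for pref, n in sorted(Counter(r["pref"] for r in rules).items()):
        if n > 1:
            findings.append(f"pref {pref} is shared by {n} rules: `ip rule del pref {pref}` is ambiguous")
    for r in rules:  # body = everything except the priority, i.e. selector plus action
        seen.setdefault(tuple(sorted((k, v) for k, v in r.items() if k != "pref")), []).append(r["pref"])
    for b, prefs in seen.items():
        if len(prefs) > 1:
            text = " ".join(k if v is True else f"{k} {v}" for k, v in b)
            findings.append(f"same rule at prefs {prefs} ({text}): delete by pref, not by selector")
    return findings
```

On a live host, feed it the lines of `ip rule show` instead of SAMPLE; any keyword outside the assumed list raises rather than being skipped.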

二、ip route
https://manpages.debian.org/buster/iproute2/ip-route.8.en.html (manual page for the buster release)
https://manpages.debian.org/stretch/iproute2/ip-route.8.en.html (manual page for the stretch release)
The parameters in the man page are as follows:

ip route { show | flush } SELECTOR
ip route save SELECTOR
ip route restore
ip route get ADDRESS [ from ADDRESS iif STRING ] [ oif STRING ] [ tos TOS ] [ vrf NAME ]
ip route { add | del | change | append | replace } ROUTE
Parameter descriptions follow; the most important ones are SELECTOR and ROUTE.

SELECTOR := [ root PREFIX ] [ match PREFIX ] [ exact PREFIX ] [ table TABLE_ID ] [ vrf NAME ] [ proto RTPROTO ] [ type TYPE ] [ scope SCOPE ]

ROUTE := NODE_SPEC [ INFO_SPEC ]

NODE_SPEC := [ TYPE ] PREFIX [ tos TOS ] [ table TABLE_ID ] [ proto RTPROTO ] [ scope SCOPE ] [ metric METRIC ]

INFO_SPEC := NH OPTIONS FLAGS [ nexthop NH ] ...   For NH OPTIONS FLAGS see the OPTIONS usage; NH stands for next hop. In practice the nexthop keyword may be omitted or kept, for example: mtu 1500 nexthop dev vmbr0 or mtu 1500 features ecn dev vmbr0

NH := [ encap ENCAP ] [ via [ FAMILY ] ADDRESS ] [ dev STRING ] [ weight NUMBER ] NHFLAGS

FAMILY := [ inet | inet6 | ipx | dnet | mpls | bridge | link ]

OPTIONS := FLAGS [ mtu NUMBER ] [ advmss NUMBER ] [ as [ to ] ADDRESS ] rtt TIME ] [ rttvar TIME ] [ reordering NUMBER ] [ window NUMBER ] [ cwnd NUMBER ] [ ssthresh REALM ] [ realms REALM ] [ rto_min TIME ] [ initcwnd NUMBER ] [ initrwnd NUMBER ] [ features FEATURES ] [ quickack BOOL ] [ congctl NAME ] [ pref PREF ] [ expires TIME ]   The official man page has a small error here: the part that was bolded has a stray bracket. In actual use I simply left out FLAGS and wrote mtu 1500 features ecn directly. Note that some of these options only apply to IPv6.

TYPE := [ unicast | local | broadcast | multicast | throw | unreachable | prohibit | blackhole | nat ]

TABLE_ID := [ local| main | default | all | NUMBER ]

SCOPE := [ host | link | global | NUMBER ]

NHFLAGS := [ onlink | pervasive ]

RTPROTO := [ kernel | boot | static | NUMBER ]

FEATURES := [ ecn | ]

PREF := [ low | medium | high ]

ENCAP := [ MPLS | IP ]

ENCAP_MPLS := mpls [ LABEL ]

ENCAP_IP := ip id TUNNEL_ID dst REMOTE_IP [ tos TOS ] [ ttl TTL ]

Because of the format error in the man ip route usage above, compare it with the output of ip route help, which is clear and tidy:

Usage: ip route { list | flush } SELECTOR
       ip route save SELECTOR
       ip route restore
       ip route showdump
       ip route get [ ROUTE_GET_FLAGS ] ADDRESS
                            [ from ADDRESS iif STRING ]
                            [ oif STRING ] [ tos TOS ]
                            [ mark NUMBER ] [ vrf NAME ]
                            [ uid NUMBER ]
       ip route { add | del | change | append | replace } ROUTE
SELECTOR := [ root PREFIX ] [ match PREFIX ] [ exact PREFIX ]
            [ table TABLE_ID ] [ vrf NAME ] [ proto RTPROTO ]
            [ type TYPE ] [ scope SCOPE ]
ROUTE := NODE_SPEC [ INFO_SPEC ]
NODE_SPEC := [ TYPE ] PREFIX [ tos TOS ]
             [ table TABLE_ID ] [ proto RTPROTO ]
             [ scope SCOPE ] [ metric METRIC ]
             [ ttl-propagate { enabled | disabled } ]
INFO_SPEC := NH OPTIONS FLAGS [ nexthop NH ]...
NH := [ encap ENCAPTYPE ENCAPHDR ] [ via [ FAMILY ] ADDRESS ]
            [ dev STRING ] [ weight NUMBER ] NHFLAGS
FAMILY := [ inet | inet6 | ipx | dnet | mpls | bridge | link ]
OPTIONS := FLAGS [ mtu NUMBER ] [ advmss NUMBER ] [ as [ to ] ADDRESS ]
           [ rtt TIME ] [ rttvar TIME ] [ reordering NUMBER ]
           [ window NUMBER ] [ cwnd NUMBER ] [ initcwnd NUMBER ]
           [ ssthresh NUMBER ] [ realms REALM ] [ src ADDRESS ]
           [ rto_min TIME ] [ hoplimit NUMBER ] [ initrwnd NUMBER ]
           [ features FEATURES ] [ quickack BOOL ] [ congctl NAME ]
           [ pref PREF ] [ expires TIME ] [ fastopen_no_cookie BOOL ]
TYPE := { unicast | local | broadcast | multicast | throw |
          unreachable | prohibit | blackhole | nat }
TABLE_ID := [ local | main | default | all | NUMBER ]
SCOPE := [ host | link | global | NUMBER ]
NHFLAGS := [ onlink | pervasive ]
RTPROTO := [ kernel | boot | static | NUMBER ]
PREF := [ low | medium | high ]
TIME := NUMBER[s|ms]
BOOL := [1|0]
FEATURES := ecn
ENCAPTYPE := [ mpls | ip | ip6 | seg6 | seg6local ]
ENCAPHDR := [ MPLSLABEL | SEG6HDR ]
SEG6HDR := [ mode SEGMODE ] segs ADDR1,ADDRi,ADDRn [hmac HMACKEYID] [cleanup]
SEGMODE := [ encap | inline ]
ROUTE_GET_FLAGS := [ fibmatch ]

Let's dissect the most common forms, ip route add, replace and change, which must be followed by a ROUTE:
①、Look at ROUTE := NODE_SPEC [ INFO_SPEC ]; note that NODE_SPEC is mandatory and INFO_SPEC is optional.
②、NODE_SPEC := [ TYPE ] PREFIX [ tos TOS ] [ table TABLE_ID ] [ proto RTPROTO ] [ scope SCOPE ] [ metric METRIC ]   Here metric defines the route priority.
③、INFO_SPEC := NH OPTIONS FLAGS [ nexthop NH ] ... and there can be several of them; NH OPTIONS FLAGS is defined as OPTIONS := FLAGS [ mtu NUMBER ] [ advmss NUMBER ] [ as [ to ] ADDRESS ] rtt TIME ] [ rttvar TIME ] [ reordering NUMBER ] [ window NUMBER ] [ cwnd NUMBER ] [ ssthresh REALM ] [ realms REALM ] [ rto_min TIME ] [ initcwnd NUMBER ] [ initrwnd NUMBER ] [ features FEATURES ] [ quickack BOOL ] [ congctl NAME ] [ pref PREF ] [ expires TIME ]   Note that some of these can only be used with IPv6, for example pref and expires.
④、NH := [ encap ENCAP ] [ via [ FAMILY ] ADDRESS ] [ dev STRING ] [ weight NUMBER ] NHFLAGS   where NHFLAGS has only two possible values, NHFLAGS := [ onlink | pervasive ]; weight defines the weight of the next hop and must not be confused with metric.

Example based on the above: ip rule add 1.1.1.1 metric 101 FLAGS pref low nexthop dev vmbr0 onlink gives:

Fuck!!!! This needs ip route, not ip rule; see the trial example below:

By default an added rule goes into table main, but what priority does it get??? Tested on proxmox5 as follows:

三、
①、Key article, must read:
Linux系列—策略路由、ip rule、ip route (Linux series: policy routing, ip rule, ip route) https://blog.csdn.net/u012758088/article/details/76255543/

②、We need to look at whether the src option of ip route (which, according to ip route help, belongs to the NH OPTIONS FLAGS options) and the from option of ip rule should be set to a subnet or to the NIC's IP address. Analysis:

Operating on a single-NIC PC (IP 192.168.44.187/24, gateway 192.168.44.1), the actual results were:
ip route add 3.3.3.3 mtu 1500 src 192.168.44.8 dev vmbr0 immediately reports Error: Invalid prefsrc address., which indicates that 192.168
ip route add 3.3.3.3 mtu 1500 src 192.168.44.8/24 dev vmbr0 reports Error: inet address is expected rather than "192.168.44.8/24"., which indicates that a single IP address must be given rather than an address range
So what if I set the src above to 192.168.44.187: ip route add 3.3.3.3 mtu 1500 src 192.168.44.187 dev vmbr0 succeeds
Next let's look at the definition of src:
src ADDRESS
the source address to prefer when sending to the destinations covered by the route prefix.
This raises the difference between the ADDRESS and PREFIX parameters: does ADDRESS only denote a single address, while PREFIX can be written either as a single address or as an address range???

The from and to parameters of ip rule can specify either a specific IP address or an IP address range
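An added example (not code from the original write-up): a Python pre-check for the two argument kinds discussed in this section, the single ADDRESS that src requires and the PREFIX that from/to accept, reproducing the two rejections seen above before anything is handed to ip. The host address table is constructed from the PC described above (192.168.44.187/24 on vmbr0); that the kernel only accepts a locally configured address as prefsrc is stated here as background, not something the page says.

```python
import ipaddress

# Constructed host table matching the page's single-NIC PC: 192.168.44.187/24 on vmbr0
HOST_ADDRS = {"vmbr0": ["192.168.44.187/24"]}

def local_ips(host):
    """Addresses configured on the host, with prefix lengths stripped."""
    return {ipaddress.ip_interface(a).ip for addrs in host.values() for a in addrs}

def check_prefsrc(src, host=HOST_ADDRS):
    """Validate the ADDRESS given to `ip route ... src`; return None if acceptable,
    else a message in the spirit of the two errors quoted above."""
    try:
        ip = ipaddress.ip_address(src)          # one address: a "/len" suffix fails here
    except ValueError:
        return f'inet address is expected rather than "{src}"'
    if ip not in local_ips(host):             # prefsrc must be an address this host owns
        return "Invalid prefsrc address"
    return None

def check_prefix(text):
    """PREFIX given to `ip rule ... from/to`: a host address or a network both parse.
    Returns the network in normalized form (host bits cleared), or None if not a prefix."""
    try:
        return str(ipaddress.ip_network(text, strict=False))
    except ValueError:
        return None

def route_add_argv(dst, dev, src, mtu=1500, host=HOST_ADDRS):
    """Build the argv for the page's `ip route add` command, refusing a bad src before
    anything reaches the kernel (running the command is left to the caller)."""
    err = check_prefsrc(src, host)
    if err:
        raise ValueError(err)
    return ["ip", "route", "add", dst, "mtu", str(mtu), "src", src, "dev", dev]
```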

