linux/Documentation/networking/policy-routing.txt
Classes
-------

        A "class" is a complete routing table in the usual sense,
        i.e. a tree of nodes (destination prefix, tos, metric)
        with attached information: gateway, device etc.
        This tree is looked up as specified in RFC1812 5.2.4.3:
        1. Basic match
        2. Longest match
        3. Weak TOS
        4. Metric (should not be in kernel space, but it is)
        5. Additional pruning rules (not in kernel space)

        There are two special types of nodes:
        REJECT - abort the route lookup and return an error value.
        THROW  - abort the route lookup in this class only; the scan
                 continues with the remaining rules.


        Currently the number of classes is limited to 255
        (0 is reserved for "not specified class").

        Three classes are builtin:

        RT_CLASS_LOCAL=255 - local interface addresses,
        broadcasts, nat addresses.

        RT_CLASS_MAIN=254  - all normal routes are put there
        by default.

        RT_CLASS_DEFAULT=253 - if ip_fib_model==1, normal default
        routes are put there; if ip_fib_model==2, all gateway
        routes are put there.


Rules
-----
        A rule is a record of (src prefix, src interface, tos, dst prefix)
        with attached information.

        Rule types:
        RTP_ROUTE - lookup in the attached class.
        RTP_NAT   - lookup in the attached class and, if a match is found,
                    translate the packet source address.
        RTP_MASQUERADE - lookup in the attached class and, if a match is found,
                    masquerade the packet as sourced by us.
        RTP_DROP   - silently drop the packet.
        RTP_REJECT - drop the packet and send ICMP NET UNREACHABLE.
        RTP_PROHIBIT - drop the packet and send ICMP COMM. ADM. PROHIBITED.

        Rule flags:
        RTRF_LOG - log route creations.
        RTRF_VALVE - one-way route (used with masquerading).

Default setup:

root@amber:/pub/ip-routing # iproute -r
Kernel routing policy rules
Pref Source             Destination        TOS Iface   Cl
   0 default            default            00  *       255
 254 default            default            00  *       254
 255 default            default            00  *       253


Lookup algorithm
----------------

        The rules list is scanned in order of preference and the first
        matching rule is applied, i.e. the packet is looked up in the
        attached class.  If a route is found, it is returned.  If no
        route is found, or a THROW node was matched, the scan continues
        with the next rule.  A REJECT node, like a DROP, REJECT or
        PROHIBIT rule, ends the lookup with an error.

Applications
------------

1.      Just ignore classes.  All routes are put into the MAIN class
        (and/or into the DEFAULT class).

        HOWTO:  iproute add PREFIX [ tos TOS ] [ gw GW ] [ dev DEV ]
                [ metric METRIC ] [ reject ] ... (look at the iproute utility)

                or use the route utility from current net-tools.

2.      The opposite case.  Forget everything you know about routing
        tables: every rule carries its own gateway and device
        information.  This approach is not appropriate for automated
        route maintenance, but it is ideal for manual configuration.

        HOWTO:  iproute addrule [ from PREFIX ] [ to PREFIX ] [ tos TOS ]
                [ dev INPUTDEV ] [ pref PREFERENCE ] route [ gw GATEWAY ]
                [ dev OUTDEV ] .....

        Warning: as of now the size of the routing table in this
        approach is limited to 256.  If someone likes this model, I'll
        relax this limitation.

3.      OSPF classes (see RFC1583, RFC1812 E.3.3)
        A very clean, stable and robust algorithm for OSPF routing
        domains.  Unfortunately, it is not widely used in the Internet.

        Proposed setup:
        255 local addresses
        254 interface routes
        253 ASE routes with external metric
        252 ASE routes with internal metric
        251 inter-area routes
        250 intra-area routes for 1st area
        249 intra-area routes for 2nd area
        etc.

        Rules:
        iproute addrule class 253
        iproute addrule class 252
        iproute addrule class 251
        iproute addrule to a-prefix-for-1st-area class 250
        iproute addrule to another-prefix-for-1st-area class 250
        ...
        iproute addrule to a-prefix-for-2nd-area class 249
        ...

        Area classes must be terminated with a reject record, so that a
        destination inside an area prefix without an intra-area route is
        rejected instead of falling through to the later rules:
        iproute add default reject class 250
        iproute add default reject class 249
        ...

4.      The Variant Router Requirements Algorithm (RFC1812 E.3.2)
        Create 16 classes for the different TOS values.
        It is a funny, but pretty useless algorithm.
        I listed it just to show the power of the new routing code.

5.      Any combination of the above.


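The lookup algorithm and the OSPF area classes of application 3, as an added example that is not part of this document, of the kernel or of the iproute utility: a small Python model of rules, classes and the THROW/REJECT nodes. The three default rules (0/254/255) are taken from the setup above; class 250, the area prefix 10.1.0.0/16, the 198.51.100.0/24 prohibit rule and all gateways and device names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Special node types: THROW leaves this class and lets the rule scan
# continue; REJECT aborts the whole lookup with an error.
THROW = "throw"
REJECT = "reject"


@dataclass
class RoutingClass:
    """One class: a table of (prefix, tos, metric, info) nodes, looked up
    as RFC1812 5.2.4.3: basic match, longest match, weak TOS, metric."""
    nodes: list = field(default_factory=list)

    def add(self, prefix, info, tos=0, metric=0):
        self.nodes.append((ipaddress.ip_network(prefix), tos, metric, info))

    def lookup(self, dst, tos=0):
        # basic match: the prefix contains dst; weak TOS: exact TOS or TOS 0
        cands = [n for n in self.nodes if dst in n[0] and n[1] in (tos, 0)]
        if not cands:
            return None
        # longest prefix wins over an exact TOS match, which wins over metric
        cands.sort(key=lambda n: (-n[0].prefixlen, n[1] != tos, n[2]))
        return cands[0][3]


@dataclass
class Rule:
    """A rule record: match fields plus rule type and attached class."""
    pref: int
    cls: int = 0                # class looked up by an RTP_ROUTE rule
    action: str = "route"       # route / drop / reject / prohibit
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    tos: int = 0                # 0 matches any TOS, as in the default rules
    iif: str = "*"              # input device, "*" matches any

    def matches(self, src, dst, tos, iif):
        return (src in ipaddress.ip_network(self.src)
                and dst in ipaddress.ip_network(self.dst)
                and self.tos in (0, tos)
                and self.iif in ("*", iif))


def policy_lookup(rules, classes, dst, src="192.0.2.1", tos=0, iif=None):
    """Scan rules by preference and apply the first match; on a class miss
    or a THROW node keep scanning.  Returns ("route", info) or ("error", why)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.pref):
        if not rule.matches(src, dst, tos, iif):
            continue
        if rule.action != "route":
            return ("error", rule.action)   # RTP_DROP / RTP_REJECT / RTP_PROHIBIT
        hit = classes[rule.cls].lookup(dst, tos)
        if hit is None or hit == THROW:
            continue
        if hit == REJECT:
            return ("error", "net unreachable")
        return ("route", hit)
    return ("error", "no route")


def build_setup(terminate_area=True):
    """The three default rules plus one OSPF-style intra-area class (250)
    for the constructed area prefix 10.1.0.0/16.  All addresses are made up."""
    local, main, default, area1 = (RoutingClass() for _ in range(4))
    local.add("192.0.2.1/32", "local")
    main.add("203.0.113.0/24", "dev eth0")
    main.add("203.0.113.0/24", "dev eth2", tos=0x10)      # TOS-specific route
    main.add("198.51.100.0/24", THROW)                   # hand over to the next rule
    default.add("0.0.0.0/0", "gw 203.0.113.1 dev eth0")
    area1.add("10.1.1.0/24", "gw 10.1.0.2 dev eth1")
    if terminate_area:
        area1.add("0.0.0.0/0", REJECT)   # "iproute add default reject class 250"
    classes = {255: local, 254: main, 253: default, 250: area1}
    rules = [
        Rule(0, cls=255),                                    # local addresses
        Rule(5, action="prohibit", src="198.51.100.0/24"),   # RTP_PROHIBIT rule
        Rule(10, cls=250, dst="10.1.0.0/16"),                # 1st-area prefix
        Rule(254, cls=254),                                  # main
        Rule(255, cls=253),                                  # default
    ]
    return rules, classes


if __name__ == "__main__":
    rules, classes = build_setup()
    for dst, tos in [("192.0.2.1", 0), ("10.1.1.7", 0), ("10.1.9.9", 0),
                     ("198.51.100.5", 0), ("203.0.113.9", 0x10)]:
        print(dst, hex(tos), policy_lookup(rules, classes, dst, tos=tos))
    # without the reject terminator the area miss leaks into the default class
    print("10.1.9.9, unterminated area:",
          policy_lookup(*build_setup(terminate_area=False), "10.1.9.9"))
```

The last line of the output is the case the "must be terminated with a reject record" note guards against: with no default reject in class 250, a destination inside the area prefix that has no intra-area route misses in class 250 and falls through to the main and default classes, and is forwarded to the default gateway instead of being rejected.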
GATED
-----

        Gated does not understand classes, but it will work
        happily with MAIN+DEFAULT.  All policy routes can be set
        and maintained manually.

IMPORTANT NOTE
--------------
        route.c has a compile-time switch, CONFIG_IP_LOCAL_RT_POLICY.
        If it is set, locally originated packets are routed
        using the whole policy list.  This is not very convenient and
        pretty ambiguous when used with NAT and masquerading.
        I set it to FALSE by default.


Alexey Kuznetov
kuznet@ms2.inr.ac.ru
