ip-rule
Control routing policy based on packet attributes
TLDR
Display the routing policy
Create a new generic routing rule with a higher priority than main
Add a new rule based on packet source addresses
Add a new rule based on packet destination addresses
Delete a rule based on packet source addresses
Remove all routing rules
Save all rules to a file
Restore all rules from a file
SYNOPSIS
ip rule { command | options }
ip rule { add | del } SELECTOR ACTION OPTIONS
ip rule { show | list }
PARAMETERS
add
Adds a new rule to the routing policy database.
del
Deletes an existing rule from the routing policy database.
show | list
Displays the current routing policy database rules.
flush
Deletes all rules from the routing policy database, except the default rules.
save
Prints all rules to standard output in a format that can be used by restore.
restore
Restores rules from standard input, typically from a file generated by save.
priority PREFERENCE
Sets the priority (preference) of the rule. Lower numbers mean higher priority: the kernel evaluates rules in ascending numeric order, so the rule with the lowest number is checked first.
from PREFIX
Matches packets originating from the specified source IP address or network prefix.
to PREFIX
Matches packets destined for the specified IP address or network prefix.
iif NAME
Matches packets arriving on the specified incoming network interface.
oif NAME
Matches packets that will exit via the specified outgoing network interface. This is typically used for locally generated packets.
tos TOS
Matches packets with the specified Type of Service (TOS) byte value or DSCP (Differentiated Services Code Point).
fwmark MARK[/MASK]
Matches packets marked by a firewall (e.g., using iptables) with the specified mark value. An optional mask can be used.
uidrange FIRST-LAST
Matches packets originating from processes with a real or effective user ID within the specified range.
lookup TABLE_ID | table TABLE_ID
Specifies which routing table to use if the rule matches. TABLE_ID can be a number or a name from /etc/iproute2/rt_tables.
nat ADDRESS
Directs packets to a network address translation (NAT) rule. (Advanced usage, typically deprecated in favor of src_nat/dst_nat or iptables).
src_nat ADDRESS
Performs source NAT on the packet to the specified address.
dst_nat ADDRESS
Performs destination NAT on the packet to the specified address.
realms [FROM_REALM/]TO_REALM
Matches packets associated with specific routing realms (e.g., for multi-homed scenarios with different policy zones).
suppress_prefixlength PLENGTH
If this rule matches, suppresses routes from consideration if their prefix length is greater than or equal to PLENGTH.
suppress_ifgroup IFGROUP
If this rule matches, suppresses routes associated with a specific interface group from consideration.
prefsrc ADDRESS
Specifies a preferred source address for outgoing packets matching this rule. This address is used if no other source address is explicitly chosen by the routing table.
l3mdev
Indicates that the rule applies to packets originating from or destined for L3 master devices (e.g., VRFs).
proto PROTOCOL
Matches packets of a specific IP protocol (e.g., tcp, udp, icmp, or protocol number).
sport PORT
Matches packets with the specified source port number (requires proto).
dport PORT
Matches packets with the specified destination port number (requires proto).
DESCRIPTION
The ip-rule command is a sub-command of the ip utility in Linux, used to manage the kernel's routing policy database (RPDB). The RPDB is a powerful mechanism that allows the system to make routing decisions based on more than just the destination IP address.
Instead, it uses a set of rules, each with a specific priority, to determine which routing table to use for a packet. These rules can match on various criteria, such as source address, destination address, incoming interface, Type of Service (TOS), firewall mark (fwmark), UID range, and more. When a packet arrives, the kernel traverses the RPDB rules in order of their priority (lower numbers are higher priority). The first rule that matches the packet's attributes dictates which routing table to consult for the actual route lookup.
This enables advanced routing scenarios like multi-ISP setups, VPN routing, source-based routing, and load balancing, offering far greater flexibility than traditional destination-based routing.
CAVEATS
Incorrectly configured ip-rule rules can lead to network connectivity issues or unexpected routing behavior. The order (priority) of rules is critical, as the first matching rule takes precedence. Be cautious when using `ip rule flush` as it removes all non-default rules, potentially disrupting network services.
Rules are dynamic and do not persist across reboots by default. They must be saved and restored via system init scripts or network configuration management tools.
DEFAULT RULES
By default, a Linux system has three predefined rules:
0: from all lookup local (for local and broadcast addresses)
32766: from all lookup main (for main routing table)
32767: from all lookup default (for the default routing table, typically empty)
These rules ensure basic connectivity. Custom rules should be inserted with priorities between 1 and 32765.
RULE PROCESSING ORDER
When a packet needs to be routed, the kernel processes the rules in ascending order of their priority (lower numbers are evaluated first). As soon as a rule's selectors (from, to, iif, fwmark, etc.) match the packet, the associated action (e.g., lookup table) is performed. Subsequent rules are ignored for that packet. If a rule's action is to look up a table and no route is found in that table, the next rule in the RPDB is then consulted, unless the rule specifies a 'blackhole' or 'unreachable' route.
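As an added example that is not part of this page or of iproute2, the following script audits `ip rule show` output for the two ordering mistakes described above: a catch-all rule placed ahead of main, and custom rules that collide with the default priorities. The sample RPDB, the table names isp_a/isp_b and the function names are assumptions.

```shell
# Added example (not from the page or iproute2): audit the routing policy
# database for ordering mistakes. Reads `ip rule show` text on stdin.
# SAMPLE_RPDB is a constructed sample (spaces instead of the tab ip prints
# after the colon). Rule 500 is a catch-all placed ahead of main: every
# packet not matched by 100 or 200 goes to table 200 and main is never used.
SAMPLE_RPDB='0: from all lookup local
100: from 192.0.2.0/24 lookup isp_a
200: from 198.51.100.0/24 lookup isp_b
500: from all lookup 200
32766: from all lookup main
32767: from all lookup default'

# Turn "PRIO:<ws>from ..." into "PRIO from ..." so awk can compare $1 numerically.
normalize() {
    sed 's/^\([0-9][0-9]*\):[[:space:]]*/\1 /'
}

# "from all lookup TABLE" with no other selector, ordered before main (32766)
# and not the local table: it shadows main for all traffic. Prints "PRIO TABLE".
shadowing_rules() {
    normalize | awk '$2 == "from" && $3 == "all" && $4 == "lookup" && NF == 5 &&
                     $1 < 32766 && $NF != "local" { print $1, $NF }'
}

# Rules that occupy a default priority (0, 32766, 32767) with the wrong table,
# or sit beyond 32767; custom rules belong in 1..32765. Prints "PRIO TABLE".
misplaced_rules() {
    normalize | awk '($1 == 0 && $NF != "local") || ($1 == 32766 && $NF != "main") ||
                     ($1 == 32767 && $NF != "default") || $1 > 32767 { print $1, $NF }'
}

# Run both checks on stdin; prints findings and returns 1 if any were found.
audit_rpdb() {
    rpdb=$(cat)
    found=0
    for check in shadowing_rules misplaced_rules; do
        hits=$(printf '%s\n' "$rpdb" | "$check")
        if [ -n "$hits" ]; then
            printf '%s:\n%s\n' "$check" "$hits"
            found=1
        fi
    done
    return $found
}

# Stand-alone run on the constructed sample. On a real host use:
#   ip rule show | audit_rpdb   (reading the RPDB needs no privileges)
printf '%s\n' "$SAMPLE_RPDB" | audit_rpdb || echo "audit found problems"
```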
HISTORY
The ip-rule command is part of the iproute2 utilities, which largely superseded the older `net-tools` suite (e.g., `route`, `ifconfig`) in modern Linux distributions. iproute2 was developed to leverage the advanced networking capabilities of the Linux kernel, particularly its support for policy-based routing, which was not well-exposed by the older tools. Its development began in the late 1990s, driven by developers like Alexey Kuznetsov, aiming for a more robust and flexible network configuration framework.
SEE ALSO
ip(8), ip-route(8), ip-address(8), ip-link(8), iptables(8)