ip-rule
Control routing policy based on packet attributes
TLDR
Display the routing policy
Create a new generic routing rule with a higher priority than main
Add a new rule based on packet source addresses
Add a new rule based on packet destination addresses
Delete a rule based on packet source addresses
Remove all routing rules
Save all rules to a file
Restore all rules from a file
SYNOPSIS
ip rule [OPTIONS] { list [RULE_SPEC] | add RULE_SPEC | delete RULE_SPEC | flush [RULE_SPEC] | test RULE_SPEC | prepend|append|replace RULE_SPEC | save [FILE] }
PARAMETERS
list [RULE_SPEC] [order NUMBER]
List rules matching selector or all, optionally sorted by order
add RULE_SPEC
Add new rule with given selectors and actions
delete RULE_SPEC
Delete rule matching selectors
flush [RULE_SPEC]
Flush rules matching selector or all
test RULE_SPEC
Test which rule matches given selectors
prepend RULE_SPEC
Prepend rule as highest priority
append RULE_SPEC
Append rule as lowest priority
replace RULE_SPEC
Replace existing rule matching selectors
save [FILE]
Save rules to file in iproute2 format
from PREFIX
Match source IP prefix
to PREFIX
Match destination IP prefix
tos TOS | dsfield TOS
Match TOS or Differentiated Services field
fwmark MARK[/MASK]
Match firewall mark
uidrange UIDRANGE
Match UID range (UID1-UID2)
l3mdev
Match Layer 3 master device
pref NUMBER | prio|priority NUMBER
Rule priority (lower = higher precedence)
table TABLE_ID
Use specified routing table
type {unicast|blackhole|unreachable|prohibit|throw}
Rule type/action
protocol PROTOCOL
Match routing protocol
realms [SRCREALM/]DSTREALM
Match routing realms
goto NUMBER [suppress_if_zero]
Jump to rule NUMBER
suppress_prefixlength NUMBER
Suppress prefixes longer than NUMBER
suppress_ifgroup GROUP
Suppress prefixes from interface group
iif NAME
Match incoming interface
oif NAME
Match outgoing interface
DESCRIPTION
ip rule is part of the iproute2 suite for configuring policy-based routing in Linux. Unlike traditional routing that uses a single table, policy routing employs multiple routing tables selected by rules matching packet attributes like source IP, destination IP, type-of-service (TOS), firewall marks, UID, interface, or realms.
Rules are prioritized (lower pref value means higher priority) and define actions such as using a specific table (table), jumping to another rule (goto), or suppressing prefixes. Default rules include priority 0 (local), 32766 (main), and 32767 (default).
This enables advanced setups like source-based routing for multi-homed systems, traffic engineering, VPN failover, or QoS prioritization. Rules persist across reboots if saved or managed by network services like NetworkManager or systemd-networkd. Using ip rule requires root privileges; incorrect rules can disrupt connectivity.
CAVEATS
Requires root. The default rules (priorities 0, 32766, 32767) should not be deleted, as they handle local, main and default routing. Rules are evaluated strictly in priority order. IPv4 and IPv6 have separate rules. Changes take effect immediately, but persistence needs initscripts or netlink monitors.
COMMON EXAMPLES
ip rule list
ip rule add from 10.0.0.0/8 table 100 pref 10
ip rule del pref 10
ip rule show table 100
DEFAULT RULES
Always present:
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
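Added example (not part of the original page or of iproute2): a shell function that audits IPv4 ip rule list output against the three default rules listed above, reporting any default that is missing or altered and every additional rule that changes table selection. The function names audit_ip_rules and sample_rules and the sample input are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit `ip rule list` output (IPv4) read from stdin.
# Prints one line per finding and returns 1 if there is any finding:
#   EXTRA   - a rule other than the three defaults (review it)
#   MISSING - a default rule that is absent or was altered
audit_ip_rules() {
  awk '
    BEGIN {
      # Default rules as listed under DEFAULT RULES on this page.
      want["0"]     = "from all lookup local"
      want["32766"] = "from all lookup main"
      want["32767"] = "from all lookup default"
    }
    NF == 0 { next }                           # skip blank lines
    {
      prio = $1; sub(/:$/, "", prio)           # "32766:" -> "32766"
      spec = $0
      sub(/^[ \t]*[0-9]+:[ \t]+/, "", spec)    # drop the priority column
      sub(/[ \t]+$/, "", spec)                 # drop trailing whitespace
      if ((prio in want) && spec == want[prio]) { seen[prio] = 1; next }
      printf "EXTRA pref=%s %s\n", prio, spec
      found = 1
    }
    END {
      n = split("0 32766 32767", defaults, " ")
      for (i = 1; i <= n; i++)
        if (!(defaults[i] in seen)) {
          printf "MISSING pref=%s %s\n", defaults[i], want[defaults[i]]
          found = 1
        }
      exit found + 0
    }'
}

# Constructed sample: rule 32767 deleted, one source-based rule added.
sample_rules() {
  printf '0:\tfrom all lookup local\n'
  printf '10:\tfrom 10.0.0.0/8 lookup 100\n'
  printf '32766:\tfrom all lookup main\n'
}

# Live use: ip rule list | audit_ip_rules
```

Because the function exits non-zero on any finding, it can gate a configuration check or a scheduled job that compares a host against its expected policy-routing baseline.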
HISTORY
Introduced in iproute2 (1990s) by Alexey Kuznetsov as a modern replacement for the legacy route command from net-tools. Enhanced over time with selectors like fwmark (iptables era), uidrange (cgroups), and l3mdev (VRF support in kernel 4.3+). Maintained by the iproute2 project.


