aboutsummaryrefslogtreecommitdiffstats
path: root/Documentation/networking/policy-routing.txt
diff options
context:
space:
mode:
Diffstat (limited to 'Documentation/networking/policy-routing.txt')
-rw-r--r--Documentation/networking/policy-routing.txt150
1 files changed, 150 insertions, 0 deletions
diff --git a/Documentation/networking/policy-routing.txt b/Documentation/networking/policy-routing.txt
new file mode 100644
index 000000000000..36f6936d7f21
--- /dev/null
+++ b/Documentation/networking/policy-routing.txt
@@ -0,0 +1,150 @@
1Classes
2-------
3
4 "Class" is a complete routing table in common sense.
5 I.e. it is tree of nodes (destination prefix, tos, metric)
6 with attached information: gateway, device etc.
7 This tree is looked up as specified in RFC1812 5.2.4.3
8 1. Basic match
9 2. Longest match
10 3. Weak TOS.
11 4. Metric. (should not be in kernel space, but they are)
12 5. Additional pruning rules. (not in kernel space).
13
14 We have two special type of nodes:
15 REJECT - abort route lookup and return an error value.
16 THROW - abort route lookup in this class.
17
18
19 Currently the number of classes is limited to 255
20 (0 is reserved for "not specified class")
21
22 Three classes are builtin:
23
24 RT_CLASS_LOCAL=255 - local interface addresses,
25 broadcasts, nat addresses.
26
27 RT_CLASS_MAIN=254 - all normal routes are put there
28 by default.
29
30 RT_CLASS_DEFAULT=253 - if ip_fib_model==1, then
31 normal default routes are put there, if ip_fib_model==2
32 all gateway routes are put there.
33
34
35Rules
36-----
37 Rule is a record of (src prefix, src interface, tos, dst prefix)
38 with attached information.
39
40 Rule types:
41 RTP_ROUTE - lookup in attached class
42 RTP_NAT - lookup in attached class and if a match is found,
43 translate packet source address.
44 RTP_MASQUERADE - lookup in attached class and if a match is found,
45 masquerade packet as sourced by us.
46 RTP_DROP - silently drop the packet.
47 RTP_REJECT - drop the packet and send ICMP NET UNREACHABLE.
48 RTP_PROHIBIT - drop the packet and send ICMP COMM. ADM. PROHIBITED.
49
50 Rule flags:
51 RTRF_LOG - log route creations.
52 RTRF_VALVE - One way route (used with masquerading)
53
54Default setup:
55
56root@amber:/pub/ip-routing # iproute -r
57Kernel routing policy rules
58Pref Source Destination TOS Iface Cl
59 0 default default 00 * 255
60 254 default default 00 * 254
61 255 default default 00 * 253
62
63
64Lookup algorithm
65----------------
66
67 We scan rules list, and if a rule is matched, apply it.
68 If a route is found, return it.
69 If it is not found or a THROW node was matched, continue
70 to scan rules.
71
72Applications
73------------
74
751. Just ignore classes. All the routes are put into MAIN class
76 (and/or into DEFAULT class).
77
78 HOWTO: iproute add PREFIX [ tos TOS ] [ gw GW ] [ dev DEV ]
79 [ metric METRIC ] [ reject ] ... (look at iproute utility)
80
81 or use route utility from current net-tools.
82
832. Opposite case. Just forget all that you know about routing
84 tables. Every rule is supplied with its own gateway, device
85 info. record. This approach is not appropriate for automated
86 route maintenance, but it is ideal for manual configuration.
87
88 HOWTO: iproute addrule [ from PREFIX ] [ to PREFIX ] [ tos TOS ]
89 [ dev INPUTDEV] [ pref PREFERENCE ] route [ gw GATEWAY ]
90 [ dev OUTDEV ] .....
91
92 Warning: As of now the size of the routing table in this
93 approach is limited to 256. If someone likes this model, I'll
94 relax this limitation.
95
963. OSPF classes (see RFC1583, RFC1812 E.3.3)
97 Very clean, stable and robust algorithm for OSPF routing
98 domains. Unfortunately, it is not widely used in the Internet.
99
100 Proposed setup:
101 255 local addresses
102 254 interface routes
103 253 ASE routes with external metric
104 252 ASE routes with internal metric
105 251 inter-area routes
106 250 intra-area routes for 1st area
107 249 intra-area routes for 2nd area
108 etc.
109
110 Rules:
111 iproute addrule class 253
112 iproute addrule class 252
113 iproute addrule class 251
114 iproute addrule to a-prefix-for-1st-area class 250
115 iproute addrule to another-prefix-for-1st-area class 250
116 ...
117 iproute addrule to a-prefix-for-2nd-area class 249
118 ...
119
120 Area classes must be terminated with reject record.
121 iproute add default reject class 250
122 iproute add default reject class 249
123 ...
124
1254. The Variant Router Requirements Algorithm (RFC1812 E.3.2)
126 Create 16 classes for different TOS values.
127 It is a funny, but pretty useless algorithm.
128 I listed it just to show the power of new routing code.
129
1305. All the variety of combinations......
131
132
133GATED
134-----
135
136 Gated does not understand classes, but it will work
137 happily in MAIN+DEFAULT. All policy routes can be set
138 and maintained manually.
139
140IMPORTANT NOTE
141--------------
142 route.c has a compilation time switch CONFIG_IP_LOCAL_RT_POLICY.
143 If it is set, locally originated packets are routed
144 using all the policy list. This is not very convenient and
145 pretty ambiguous when used with NAT and masquerading.
146 I set it to FALSE by default.
147
148
149Alexey Kuznetov
150kuznet@ms2.inr.ac.ru