Diffstat (limited to 'Documentation/networking/policy-routing.txt')
-rw-r--r-- | Documentation/networking/policy-routing.txt | 150 |
1 files changed, 150 insertions, 0 deletions
diff --git a/Documentation/networking/policy-routing.txt b/Documentation/networking/policy-routing.txt new file mode 100644 index 000000000000..36f6936d7f21 --- /dev/null +++ b/Documentation/networking/policy-routing.txt | |||
@@ -0,0 +1,150 @@ | |||
1 | Classes | ||
2 | ------- | ||
3 | |||
4 | "Class" is a complete routing table in common sense. | ||
5 | I.e. it is tree of nodes (destination prefix, tos, metric) | ||
6 | with attached information: gateway, device etc. | ||
7 | This tree is looked up as specified in RFC1812 5.2.4.3 | ||
8 | 1. Basic match | ||
9 | 2. Longest match | ||
10 | 3. Weak TOS. | ||
11 | 4. Metric. (should not be in kernel space, but they are) | ||
12 | 5. Additional pruning rules. (not in kernel space). | ||
13 | |||
14 | We have two special type of nodes: | ||
15 | REJECT - abort route lookup and return an error value. | ||
16 | THROW - abort route lookup in this class. | ||
17 | |||
18 | |||
19 | Currently the number of classes is limited to 255 | ||
20 | (0 is reserved for "not specified class") | ||
21 | |||
22 | Three classes are builtin: | ||
23 | |||
24 | RT_CLASS_LOCAL=255 - local interface addresses, | ||
25 | broadcasts, nat addresses. | ||
26 | |||
27 | RT_CLASS_MAIN=254 - all normal routes are put there | ||
28 | by default. | ||
29 | |||
30 | RT_CLASS_DEFAULT=253 - if ip_fib_model==1, then | ||
31 | normal default routes are put there, if ip_fib_model==2 | ||
32 | all gateway routes are put there. | ||
33 | |||
34 | |||
35 | Rules | ||
36 | ----- | ||
37 | Rule is a record of (src prefix, src interface, tos, dst prefix) | ||
38 | with attached information. | ||
39 | |||
40 | Rule types: | ||
41 | RTP_ROUTE - lookup in attached class | ||
42 | RTP_NAT - lookup in attached class and if a match is found, | ||
43 | translate packet source address. | ||
44 | RTP_MASQUERADE - lookup in attached class and if a match is found, | ||
45 | masquerade packet as sourced by us. | ||
46 | RTP_DROP - silently drop the packet. | ||
47 | RTP_REJECT - drop the packet and send ICMP NET UNREACHABLE. | ||
48 | RTP_PROHIBIT - drop the packet and send ICMP COMM. ADM. PROHIBITED. | ||
49 | |||
50 | Rule flags: | ||
51 | RTRF_LOG - log route creations. | ||
52 | RTRF_VALVE - One way route (used with masquerading) | ||
53 | |||
54 | Default setup: | ||
55 | |||
56 | root@amber:/pub/ip-routing # iproute -r | ||
57 | Kernel routing policy rules | ||
58 | Pref Source Destination TOS Iface Cl | ||
59 | 0 default default 00 * 255 | ||
60 | 254 default default 00 * 254 | ||
61 | 255 default default 00 * 253 | ||
62 | |||
63 | |||
64 | Lookup algorithm | ||
65 | ---------------- | ||
66 | |||
67 | We scan rules list, and if a rule is matched, apply it. | ||
68 | If a route is found, return it. | ||
69 | If it is not found or a THROW node was matched, continue | ||
70 | to scan rules. | ||
71 | |||
72 | Applications | ||
73 | ------------ | ||
74 | |||
75 | 1. Just ignore classes. All the routes are put into MAIN class | ||
76 | (and/or into DEFAULT class). | ||
77 | |||
78 | HOWTO: iproute add PREFIX [ tos TOS ] [ gw GW ] [ dev DEV ] | ||
79 | [ metric METRIC ] [ reject ] ... (look at iproute utility) | ||
80 | |||
81 | or use route utility from current net-tools. | ||
82 | |||
83 | 2. Opposite case. Just forget all that you know about routing | ||
84 | tables. Every rule is supplied with its own gateway, device | ||
85 | info. record. This approach is not appropriate for automated | ||
86 | route maintenance, but it is ideal for manual configuration. | ||
87 | |||
88 | HOWTO: iproute addrule [ from PREFIX ] [ to PREFIX ] [ tos TOS ] | ||
89 | [ dev INPUTDEV] [ pref PREFERENCE ] route [ gw GATEWAY ] | ||
90 | [ dev OUTDEV ] ..... | ||
91 | |||
92 | Warning: As of now the size of the routing table in this | ||
93 | approach is limited to 256. If someone likes this model, I'll | ||
94 | relax this limitation. | ||
95 | |||
96 | 3. OSPF classes (see RFC1583, RFC1812 E.3.3) | ||
97 | Very clean, stable and robust algorithm for OSPF routing | ||
98 | domains. Unfortunately, it is not widely used in the Internet. | ||
99 | |||
100 | Proposed setup: | ||
101 | 255 local addresses | ||
102 | 254 interface routes | ||
103 | 253 ASE routes with external metric | ||
104 | 252 ASE routes with internal metric | ||
105 | 251 inter-area routes | ||
106 | 250 intra-area routes for 1st area | ||
107 | 249 intra-area routes for 2nd area | ||
108 | etc. | ||
109 | |||
110 | Rules: | ||
111 | iproute addrule class 253 | ||
112 | iproute addrule class 252 | ||
113 | iproute addrule class 251 | ||
114 | iproute addrule to a-prefix-for-1st-area class 250 | ||
115 | iproute addrule to another-prefix-for-1st-area class 250 | ||
116 | ... | ||
117 | iproute addrule to a-prefix-for-2nd-area class 249 | ||
118 | ... | ||
119 | |||
120 | Area classes must be terminated with reject record. | ||
121 | iproute add default reject class 250 | ||
122 | iproute add default reject class 249 | ||
123 | ... | ||
124 | |||
125 | 4. The Variant Router Requirements Algorithm (RFC1812 E.3.2) | ||
126 | Create 16 classes for different TOS values. | ||
127 | It is a funny, but pretty useless algorithm. | ||
128 | I listed it just to show the power of new routing code. | ||
129 | |||
130 | 5. All the variety of combinations...... | ||
131 | |||
132 | |||
133 | GATED | ||
134 | ----- | ||
135 | |||
136 | Gated does not understand classes, but it will work | ||
137 | happily in MAIN+DEFAULT. All policy routes can be set | ||
138 | and maintained manually. | ||
139 | |||
140 | IMPORTANT NOTE | ||
141 | -------------- | ||
142 | route.c has a compilation time switch CONFIG_IP_LOCAL_RT_POLICY. | ||
143 | If it is set, locally originated packets are routed | ||
144 | using all the policy list. This is not very convenient and | ||
145 | pretty ambiguous when used with NAT and masquerading. | ||
146 | I set it to FALSE by default. | ||
147 | |||
148 | |||
149 | Alexey Kuznetov | ||
150 | kuznet@ms2.inr.ac.ru | ||
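Review bot: the instruction "Area classes must be terminated with reject record" (file lines 120-123) gives no rationale, and anyone reproducing the OSPF setup needs it: by the lookup algorithm stated at lines 67-70, a destination inside an area that has no matching intra-area route would otherwise fall through to the remaining rules and could be routed by a less specific entry in another class, so the `iproute add default reject class 250` entry is what stops a lookup from crossing area boundaries; suggest adding one sentence saying so. The IMPORTANT NOTE (lines 142-146) has the same gap: it calls routing of locally originated packets through the full policy list "pretty ambiguous when used with NAT and masquerading" without saying what the ambiguity is, and since that is the reason CONFIG_IP_LOCAL_RT_POLICY is off by default, a short statement of which rule types (RTP_NAT, RTP_MASQUERADE) the local path would then hit would make the note actionable.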