Route and Route6 Policy
IPv4 route and IPv6 route policies are defined in this section. These route policies can then be associated to interfaces.
A rule-set is a named collection of rules that can be applied to an interface. Each rule is numbered, has an action to apply if the rule is matched, and the ability to specify the criteria to match. Data packets go through the rules from 1 - 999999, at the first match the action of the rule will be executed.
Option to enable or disable log matching rule.
There are a lot of matching criteria options available, both for
policy route and
policy route6. These options are listed
in this section.
Set match criteria based on connection mark.
Set match criteria based on source or destination ipv4|ipv6 address, where <match_criteria> could be:
- For ipv4:
<x.x.x.x>: IP address to match.
<x.x.x.x/x>: Subnet to match.
<x.x.x.x>-<x.x.x.x>: IP range to match.
!<x.x.x.x>: Match everything except the specified address.
!<x.x.x.x/x>: Match everything except the specified subnet.
!<x.x.x.x>-<x.x.x.x>: Match everything except the specified range.
- And for ipv6:
<h:h:h:h:h:h:h:h>: IPv6 address to match.
<h:h:h:h:h:h:h:h/x>: IPv6 prefix to match.
<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>: IPv6 range to match.
!<h:h:h:h:h:h:h:h>: Match everything except the specified address.
!<h:h:h:h:h:h:h:h/x>: Match everything except the specified prefix.
!<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>: Match everything except the specified range.
Set match criteria based on source or destination groups, where <text> would be the group name/identifier. Prepend character ‘!’ for inverted matching criteria.
Set match criteria based on destination port, where <match_criteria> could be:
<port name>: Named port (any name in /etc/services, e.g., http).
<1-65535>: Numbered port.
<start>-<end>: Numbered port range (e.g., 1001-1005).
Multiple destination ports can be specified as a comma-separated list. The whole list can also be “negated” using ‘!’. For example: ‘!22,telnet,http,123,1001-1005’
Match based on dscp value criteria. Multiple values from 0 to 63 and ranges are supported.
Set IP fragment match, where:
match-frag: Second and further fragments of fragmented packets.
match-non-frag: Head fragments or unfragmented packets.
Match based on icmp|icmpv6 type-name criteria. Use tab for information about what type-name criteria are supported.
Set IPSec inbound match criterias, where:
match-ipsec: match inbound IPsec packets.
match-none: match inbound non-IPsec packets.
Set maximum number of packets to alow in excess of rate.
Set maximum average matching rate. Format for rate: integer/time_unit, where time_unit could be any one of second, minute, hour or day.For example 1/second implies rule to be matched at an average of once per second.
Match a protocol criteria. A protocol number or a name which is defined in:
/etc/protocols. Special names are
all for all protocols and
tcp_udp for tcp and udp based packets. The
! negates the selected
Match based on packet length criteria. Multiple values from 1 to 65535 and ranges are supported.
Match based on packet type criteria.
Set parameters for matching recently seen sources. This match could be used by seeting count (source address seen more than <1-255> times) and/or time (source address seen in the last <0-4294967295> seconds).
Set match criteria based on tcp flags. Allowed values for TCP flags: SYN ACK FIN RST URG PSH ALL. When specifying more than one flag, flags should be comma-separated. For example : value of ‘SYN,!ACK,!FIN,!RST’ will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset.
Match time to live parameter, where ‘eq’ stands for ‘equal’; ‘gt’ stands for ‘greater than’, and ‘lt’ stands for ‘less than’.
When mathcing all patterns defined in a rule, then different actions can be made. This includes droping the packet, modifying certain data, or setting a different routing table.
Set a specific connection mark.
Set packet modifications: Packet Differentiated Services Codepoint (DSCP)
Set the routing table to forward packet with.