IP rules

Netifd supports IP rule declarations which are required to implement policy routing.
IPv4 rules can be defined by declaring one or more sections of type rule, IPv6 rules are denoted by sections of type rule6. Both types share the same set of defined options.

A simple IPv4 rule may look like:

config rule
	option mark   '0xFF'
	option in     'lan'
	option dest   '172.16.0.0/16'
	option lookup '100'

  • 0xFF is a fwmark to be matched
  • lan is the incoming logical interface name
  • 172.16.0.0/16 is the destination subnet to match
  • 100 is the routing table ID to use for the matched traffic

Similarly, an IPv6 rule looks like:

config rule6
	option in     'vpn'
	option dest   'fdca:1234::/64'
	option action 'prohibit'

  • vpn is the incoming logical interface name
  • fdca:1234::/64 is the destination subnet to match
  • prohibit is the routing action to take

The options below are defined for IP rule (rule and rule6) sections:

Name     | Type          | Required                    | Default        | Description
in       | string        | no                          | (none)         | Specifies the incoming logical interface name
out      | string        | no                          | (none)         | Specifies the outgoing logical interface name
src      | ip subnet     | no                          | (none)         | Specifies the source subnet to match (CIDR notation)
dest     | ip subnet     | no                          | (none)         | Specifies the destination subnet to match (CIDR notation)
tos      | integer       | no                          | (none)         | Specifies the TOS value to match in IP headers
mark     | mark/mask     | no                          | (none)         | Specifies the fwmark and optionally its mask to match, e.g. 0xFF to match mark 255 or 0x0/0x1 to match any even mark value
invert   | boolean       | no                          | 0              | If set to 1, the meaning of the match options is inverted
priority | integer       | no                          | (incrementing) | Controls the order of the IP rules; by default the priority is auto-assigned so that rules are processed in the same order they are declared in the config file
lookup   | routing table | at least one of these three | (none)         | The rule target is a table lookup; the ID can be either a numeric table index ranging from 0 to 65535 or a symbolic alias declared in /etc/iproute2/rt_tables. The special aliases local (255), main (254) and default (253) are recognized as well
goto     | rule index    | at least one of these three | (none)         | The rule target is a jump to another rule, specified by its priority value
action   | string        | at least one of these three | (none)         | The rule target is one of the routing actions outlined in the table below

Routing Actions

Action      | Description
prohibit    | When reaching the rule, respond with ICMP prohibited messages and abort route lookup
unreachable | When reaching the rule, respond with ICMP unreachable messages and abort route lookup
blackhole   | When reaching the rule, drop the packet and abort route lookup
throw       | Stop lookup in the current routing table even if a default route exists
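A pre-deployment check for rule sections, written against the constraints in the two tables above (target required, table index range and built-in aliases, mark/mask syntax, boolean invert, integer priority/tos/goto, known action names). This is an added example, not netifd's own validation code; the parser handles only the simple config/option syntax used on this page, and the `aliases` parameter stands in for names that would come from /etc/iproute2/rt_tables, which the script does not read.

```python
import re

# Aliases the page says are always recognised for the lookup option.
BUILTIN_ALIASES = {"local": 255, "main": 254, "default": 253}
TARGETS = ("lookup", "goto", "action")
ACTIONS = {"prohibit", "unreachable", "blackhole", "throw"}

def parse_uci(text):
    """Parse 'config <type>' / 'option <name> <value>' lines into a list of dicts."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            cur = {"_type": line.split()[1]}
            sections.append(cur)
        elif line.startswith("option ") and cur is not None:
            m = re.match(r"option\s+(\S+)\s+'?([^']*)'?$", line)
            if m: cur[m.group(1)] = m.group(2)
    return sections

def validate_rule(sec, aliases=()):
    """Return the constraint violations for one rule/rule6 section (empty list if clean)."""
    problems = []
    if not any(t in sec for t in TARGETS):
        problems.append("needs at least one of lookup, goto or action")
    if "lookup" in sec:
        v = sec["lookup"]
        if not (v in BUILTIN_ALIASES or v in aliases or (v.isdigit() and int(v) <= 65535)):
            problems.append(f"lookup '{v}' is neither a table index 0..65535 nor a known alias")
    if "action" in sec and sec["action"] not in ACTIONS:
        problems.append(f"unknown action '{sec['action']}'")
    if "mark" in sec and not re.fullmatch(r"(\d+|0x[0-9a-fA-F]+)(/(\d+|0x[0-9a-fA-F]+))?", sec["mark"]):
        problems.append(f"mark '{sec['mark']}' is not of the form mark[/mask]")
    if "invert" in sec and sec["invert"] not in ("0", "1"):
        problems.append("invert must be 0 or 1")
    for key in ("priority", "tos", "goto"):
        if key in sec and not sec[key].isdigit():
            problems.append(f"{key} must be an integer")
    return problems

def check_rules(text, aliases=()):
    """Validate every rule/rule6 section in a UCI fragment; returns {index: problems}."""
    return {i: validate_rule(s, aliases) for i, s in enumerate(parse_uci(text))
            if s["_type"] in ("rule", "rule6")}

# Constructed sample: a rule that violates two constraints (unknown alias, non-boolean invert).
BAD = """config rule
	option lookup 'vpn_table'
	option invert 'yes'\n"""
```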