守望的麦子

Policy Routing

2015-3-29 Moscow /linux/2015/03/29/routing-policy.html linux route, router, routing

This post was last updated on 9 July 2018.

In this post, I’m going to introduce you to policy routing as implemented in recent versions of Ubuntu Linux (and possibly other Linux distributions as well, but I’ll be using Ubuntu 12.04 LTS). Policy routing actually allows us a great deal of flexibility in how we direct traffic out of a Linux host; I’ll discuss a rather practical application of this configuration in a future blog post. For now, though, let’s just focus on how to configure policy routing.

There are a couple of parts involved in policy routing.

In order for us to leverage policy routing for our purposes, we need to do three things:

  1. We need to create a custom policy routing table.

  2. We need to create one or more custom policy routing rules.

  3. We need to populate the custom policy routing table with routes.

Let’s look at each of these steps separately.

Creating a Custom Policy Routing Table

The first step is to create a custom policy routing table. Each table is represented by an entry in the file /etc/iproute2/rt_tables, so creating a new table is generally accomplished using a command like this:

echo 200 custom >> /etc/iproute2/rt_tables

This creates the table with the ID 200 and the name “custom”. You’ll reference this name later as you create the rules and populate the table with routes, so make note of it. Because this entry is contained in the rt_tables file, it will be persistent across reboots.
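The `echo 200 custom >> /etc/iproute2/rt_tables` step appends blindly, so running it a second time (or from a configuration-management run) leaves duplicate or conflicting entries in the file. The shell function below is an added example, not code from the original post: it reads the file first, treats an identical existing mapping as a no-op, and refuses a mapping that conflicts with one already present. The function name `ensure_rt_table`, the optional third argument (a file path, so it can be exercised on a copy) and the 1..252 user range are my conventions; the file itself reserves 0 (unspec), 253 (default), 254 (main) and 255 (local).

```shell
#!/bin/sh
# Idempotent creation of a policy routing table entry in rt_tables.
# RT_TABLES can be overridden to point at a copy of the file (assumption).
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"

# ensure_rt_table ID NAME [FILE]
# Exit status: 0 = mapping present afterwards, 1 = invalid argument,
#              2 = ID or name already mapped to something else.
ensure_rt_table() {
    id="$1"; name="$2"; file="${3:-$RT_TABLES}"

    # rt_tables reserves 0, 253, 254 and 255; keep user tables in 1..252
    # (a conservative convention, not a kernel limit).
    case "$id" in
        ''|*[!0-9]*) echo "invalid table id: '$id'" >&2; return 1 ;;
    esac
    if [ "$id" -lt 1 ] || [ "$id" -gt 252 ]; then
        echo "table id $id outside the user range 1..252" >&2; return 1
    fi
    case "$name" in
        ''|*[!A-Za-z0-9_-]*) echo "invalid table name: '$name'" >&2; return 1 ;;
    esac

    # Look up what this ID and this name are currently mapped to,
    # skipping comment lines ("#...") and blank lines.
    existing_name=$(awk -v id="$id" '$1 !~ /^#/ && $1 == id { print $2; exit }' "$file")
    existing_id=$(awk -v n="$name" '$1 !~ /^#/ && $2 == n { print $1; exit }' "$file")

    if [ "$existing_name" = "$name" ] && [ "$existing_id" = "$id" ]; then
        return 0    # exact mapping already there: nothing to do
    fi
    if [ -n "$existing_name" ] || [ -n "$existing_id" ]; then
        echo "conflict: id $id -> '$existing_name', name '$name' -> id '$existing_id'" >&2
        return 2
    fi

    # New, non-conflicting mapping: append it in the file's "ID<TAB>name" layout.
    printf '%s\t%s\n' "$id" "$name" >> "$file"
}

# Stand-alone usage (assumed script name):  sh ensure-rt-table.sh 200 custom
if [ $# -eq 2 ]; then
    ensure_rt_table "$1" "$2"
fi
```

Run it once per table from whatever provisions the host; a non-zero exit of 2 is the signal that somebody already used that ID or name for a different table, which is worth surfacing rather than silently appending a second line.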

Creating Policy Routing Rules

The next step is to create the policy routing rules that will tell the system which table to use to determine the correct route. In this particular case, I’m going to use the source address (i.e., the originating address for the traffic) as the determining factor in the rule. This is a common application of policy routing, and for that reason it’s often referred to as source routing.

To create the policy routing rule, use this command:

ip rule add from <source address> lookup <table name>

Let’s say that we wanted to create a rule that told the system to use the “custom” table we created earlier for all traffic originating from the source address 192.168.30.200. The command would look like this:

ip rule add from 192.168.30.200 lookup custom

You can see all the policy routing rules that are currently in effect using this command:

ip rule list

Alongside the rule you just added, the list also shows the default rules that govern the use of the local, main, and default tables (these are the built-in tables).

There is a problem here, though: rules created this way are ephemeral and will disappear when the system is restarted (or when the networking is restarted). To make the rules persist, add a line like this to /etc/network/interfaces:

post-up ip rule add from 192.168.30.200 lookup custom

You’d want to place this line in the configuration stanza that configures the interface with the address 192.168.30.200. With this line in place, the rule should persist across reboots or across network restarts.

Populating the Routing Table

Once we have the custom policy routing table created and a rule defined that directs the system to use it, we need to populate the table with the correct routes. The generic command to do this is the ip route add command, but with a specific table parameter added.

Using our previous example, let’s say we wanted to add a default route that was specific to traffic originating from 192.168.30.200. We’ve already created a custom policy routing table, and we have a rule that directs the system to use that table for traffic originating from that address. To add a new default route specifically for that interface, you’d use this command:

ip route add default via 192.168.30.1 dev eth1 table custom

Naturally, you’d want to substitute the correct default gateway for 192.168.30.1 and the correct interface for eth1 in the above command, but this should give you the right idea. Of course, you don’t have to use default routes; you could install specific routes into the custom policy routing table as well. This also works on VLAN sub-interfaces, so you could create per-VLAN routing tables:

ip route add default via 192.168.30.1 dev eth0.30 table vlan30

This command installs a default route for the 192.168.30.x interface on VLAN 30, using a table named “vlan30” (note that the table needs to be created before you can add routes to it, as far as I can tell).

As with the policy routing rules, routes added this way are not persistent, so you’ll want to make them persistent by adding a line like this to your /etc/network/interfaces configuration file:

post-up ip route add default via 192.168.30.1 dev eth1 table custom

This will ensure that the appropriate routes are added to the appropriate policy routing table when the corresponding network interface is brought up.
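The two post-up lines above (the rule one in the rules section and the route one here) run every time the interface comes up, including on a plain network restart. Depending on the kernel, a repeated `ip rule add` either installs a second identical rule or fails with “File exists”, and a repeated `ip route add` fails with “File exists” once the route is in the table, which makes the hook noisy or non-idempotent. The script below is an added example, not code from the original post: it parses `ip rule list` to add the rule only when missing and uses `ip route replace` for the route. The function names, the `IP` override (set `IP="echo ip"` for a dry run without root) and the hook path `/usr/local/sbin/policy-route-up.sh` are assumptions; the table must already be listed in rt_tables.

```shell
#!/bin/sh
# Idempotent policy-routing bring-up, meant to be called from a post-up line.
# IP can be overridden, e.g. IP="echo ip", to print the commands instead of
# running them (assumed convention for dry runs).
IP="${IP:-ip}"

# rule_exists SRC TABLE [RULE_LIST_TEXT]
# Returns 0 when a rule "from SRC lookup TABLE" is present in the output of
# `ip rule list` (or in the text passed as the third argument).
# Each output line looks like "32765:  from 192.168.30.200 lookup custom".
rule_exists() {
    src="$1"; table="$2"
    if [ $# -ge 3 ]; then rules="$3"; else rules=$($IP rule list); fi
    printf '%s\n' "$rules" | awk -v src="$src" -v table="$table" '
        {
            # scan the whitespace-separated tokens for "from SRC lookup TABLE"
            for (i = 1; i <= NF; i++)
                if ($i == "from" && $(i + 1) == src &&
                    $(i + 2) == "lookup" && $(i + 3) == table)
                    hit = 1
        }
        END { exit (hit ? 0 : 1) }'
}

# policy_route_up SRC TABLE GATEWAY DEV
# Installs the source rule at most once and (re)places the default route
# in TABLE, so the function can be run on every ifup.
policy_route_up() {
    src="$1"; table="$2"; gw="$3"; dev="$4"
    if rule_exists "$src" "$table"; then
        echo "rule 'from $src lookup $table' already present" >&2
    else
        $IP rule add from "$src" lookup "$table" || return 1
    fi
    # replace is idempotent: it adds the route or overwrites an existing one
    $IP route replace default via "$gw" dev "$dev" table "$table"
}

# Stand-alone usage from /etc/network/interfaces (assumed script path):
#   post-up /usr/local/sbin/policy-route-up.sh 192.168.30.200 custom 192.168.30.1 eth1
if [ $# -eq 4 ]; then
    policy_route_up "$@"
fi
```

With the script in place, the interface stanza needs a single `post-up /usr/local/sbin/policy-route-up.sh 192.168.30.200 custom 192.168.30.1 eth1` line instead of the two separate `post-up ip ...` lines, and `ip rule list` plus `ip route show table custom` confirm the result after an `ifdown`/`ifup` cycle without duplicate rules.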

[2015/03/29] For more explanation of ip route, see here.

Summary

There’s a great deal more functionality possible in policy routing, but this at least gives you the basics you need to understand how it works. In a future post, I’ll provide a specific use case where this functionality could be put to work. In the meantime, feel free to share any corrections, clarifications, questions, or thoughts in the comments below.

via A Quick Introduction to Linux Policy Routing
