{
    "mode": "man",
    "parameter": "ip-rule",
    "section": "8",
    "url": "https://www.chedong.com/phpMan.php/man/ip-rule/8/json",
    "generated": "2026-06-02T21:25:56Z",
    "synopsis": "ip [ OPTIONS ] rule { COMMAND | help }\nip rule [ list [ SELECTOR ]]\nip rule { add | del } SELECTOR ACTION\nip rule { flush | save | restore }\nSELECTOR := [ not ] [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ fwmark FWMARK[/MASK] ] [ iif STRING ] [ oif STRING ] [ pref NUMBER ] [ l3mdev ] [ uidrange NUMBER-NUMBER ] [ ipproto PROTOCOL ] [ sport [ NUMBER | NUMBER-NUMBER ] ] [ dport [ NUMBER | NUMBER-NUMBER ] ] [ tunid TUNID ]\nACTION := [ table TABLEID ] [ protocol PROTO ] [ nat ADDRESS ] [ realms [SRCREALM/]DSTREALM ] [ goto NUMBER ] SUPPRESSOR\nSUPPRESSOR := [ suppressprefixlength NUMBER ] [ suppressifgroup GROUP ]\nTABLEID := [ local | main | default | NUMBER ]",
    "sections": {
        "NAME": {
            "content": "ip-rule - routing policy database management\n",
            "subsections": []
        },
        "SYNOPSIS": {
            "content": "ip [ OPTIONS ] rule { COMMAND | help }\n\n\nip rule [ list [ SELECTOR ]]\n\nip rule { add | del } SELECTOR ACTION\n\nip rule { flush | save | restore }\n\nSELECTOR := [ not ] [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ fwmark FWMARK[/MASK] ] [ iif STRING ] [ oif STRING ] [ pref NUMBER ] [ l3mdev ] [ uidrange NUMBER-NUMBER ] [ ipproto PROTOCOL ] [ sport [ NUMBER | NUMBER-NUMBER ] ] [ dport [ NUMBER | NUMBER-NUMBER ] ] [ tunid TUNID ]\n\n\nACTION := [ table TABLEID ] [ protocol PROTO ] [ nat ADDRESS ] [ realms [SRCREALM/]DSTREALM ] [ goto NUMBER ] SUPPRESSOR\n\nSUPPRESSOR := [ suppressprefixlength NUMBER ] [ suppressifgroup GROUP ]\n\nTABLEID := [ local | main | default | NUMBER ]\n\n",
            "subsections": []
        },
        "DESCRIPTION": {
            "content": "ip rule manipulates rules in the routing policy database, which controls the route selection algorithm.\n\n\nClassic routing algorithms used in the Internet make routing decisions based only on the destination address of packets (and in theory, but not in practice, on the TOS field).\n\n\nIn some circumstances we want to route packets differently depending not only on destination addresses, but also on other packet fields: source address, IP protocol, transport protocol ports or even packet payload.  This task is called 'policy routing'.\n\n\nTo solve this task, the conventional destination based routing table, ordered according to the longest match rule, is replaced with a 'routing policy database' (or RPDB), which selects routes by executing some set of rules.\n\n\nEach policy routing rule consists of a selector and an action predicate.  The RPDB is scanned in order of decreasing priority (note that a lower number means a higher priority, see the description of PREFERENCE below). The selector of each rule is applied to {source address, destination address, incoming interface, tos, fwmark} and, if the selector matches the packet, the action is performed. If the action succeeds, it returns either a route or a failure indication and the RPDB lookup terminates. Otherwise (for example, when the referenced routing table holds no route for the packet), the RPDB program continues with the next rule.  Because the scan stops at the first rule whose action succeeds, a blackhole, unreachable or prohibit rule only affects packets that no lower-numbered rule has already routed.\n\n\nSemantically, the natural action is to select the nexthop and the output device.\n\n\nAt startup time the kernel configures the default RPDB consisting of three rules:\n\n\n1.     Priority: 0, Selector: match anything, Action: lookup routing table local (ID 255).  The local table is a special routing table containing high priority control routes for local and broadcast addresses.\n\n\n2.     Priority: 32766, Selector: match anything, Action: lookup routing table main (ID 254).  The main table is the normal routing table containing all non-policy routes.  This rule may be deleted and/or overridden with other ones by the administrator.\n\n\n3.     Priority: 32767, Selector: match anything, Action: lookup routing table default (ID 253).  The default table is empty. It is reserved for some post-processing if no previous default rules selected the packet.  This rule may also be deleted.\n\n\nEach RPDB entry has additional attributes. For example, each rule has a pointer to some routing table. NAT and masquerading rules have an attribute to select the new IP address to translate/masquerade. Besides that, rules have some optional attributes, which routes have, namely realms. These values do not override those contained in the routing tables. They are only used if the route did not select any attributes.\n\n\nThe RPDB may contain rules of the following types:\n\nunicast - the rule prescribes to return the route found in the routing table referenced by the rule.\n\nblackhole - the rule prescribes to silently drop the packet.\n\nunreachable - the rule prescribes to generate a 'Network is unreachable' error.\n\nprohibit - the rule prescribes to generate a 'Communication is administratively prohibited' error.\n\nnat - the rule prescribes to translate the source address of the IP packet into some other value.\n\n",
            "subsections": [
                {
                    "name": "ip rule add - insert a new rule / ip rule delete - delete a rule",
                    "content": "type TYPE (default)\nthe type of this rule. The list of valid types was given in the previous subsection.\n\n\nfrom PREFIX\nselect the source prefix to match.\n\n\nto PREFIX\nselect the destination prefix to match.\n\n\niif NAME\nselect the incoming device to match. If the interface is loopback, the rule only matches packets originating from this host. This means that you may create separate routing tables for forwarded and local packets and, hence, completely segregate them.\n\n\noif NAME\nselect the outgoing device to match. The outgoing interface is only available for packets originating from local sockets that are bound to a device.\n\n\ntos TOS\n\ndsfield TOS\nselect the TOS value to match.\n\n\nfwmark MARK\nselect the fwmark value to match. An optional /MASK (see the SYNOPSIS) restricts the comparison to the masked bits of the mark.\n\n\nuidrange NUMBER-NUMBER\nselect the uid value to match.\n\n\nipproto PROTOCOL\nselect the ip protocol value to match.\n\n\nsport NUMBER | NUMBER-NUMBER\nselect the source port value to match. Supports port ranges.\n\n\ndport NUMBER | NUMBER-NUMBER\nselect the destination port value to match. Supports port ranges.\n\n\npriority PREFERENCE\nthe priority of this rule.  PREFERENCE is an unsigned integer value; a higher number means a lower priority, and rules get processed in order of increasing number. Each rule should have an explicitly set unique priority value.  The options preference and order are synonyms with priority.\n\n\ntable TABLEID\nthe routing table identifier to lookup if the rule selector matches.  It is also possible to use lookup instead of table.\n\n\nprotocol PROTO\nthe routing protocol that installed the rule in question.  As an example, when zebra installs a rule it would get RTPROT_ZEBRA as the installing protocol.\n\n\nsuppressprefixlength NUMBER\nreject routing decisions that have a prefix length of NUMBER or less.\n\n\nsuppressifgroup GROUP\nreject routing decisions that use a device belonging to the interface group GROUP.\n\n\nrealms FROM/TO\nRealms to select if the rule matched and the routing table lookup succeeded.  Realm TO is only used if the route did not select any realm.\n\n\nnat ADDRESS\nThe base of the IP address block to translate (for source addresses).  The ADDRESS may be either the start of the block of NAT addresses (selected by NAT routes) or a local host address (or even zero).  In the last case the router does not translate the packets, but masquerades them to this address.  Using map-to instead of nat means the same thing.\n\nWarning: Changes to the RPDB made with these commands do not become active immediately. It is assumed that after a script finishes a batch of updates, it flushes the routing cache with ip route flush cache.  Note that the IPv4 routing cache was removed in Linux 3.6, so on current kernels rule changes take effect immediately and the flush is a harmless no-op for IPv4.\n"
                },
                {
                    "name": "ip rule flush - also dumps all the deleted rules.",
                    "content": "protocol PROTO\nSelect the originating protocol.\n"
                },
                {
                    "name": "ip rule show - list rules",
                    "content": "This command has no arguments.  The options list or lst are synonyms with show.\n\n"
                },
                {
                    "name": "ip rule save",
                    "content": "save rules table information to stdout\nThis command behaves like ip rule show except that the output is raw data suitable for passing to ip rule restore.\n\nprotocol PROTO\nSelect the originating protocol.\n\n"
                },
                {
                    "name": "ip rule restore",
                    "content": "restore rules table information from stdin\nThis command expects to read a data stream as returned from ip rule save.  It will attempt to restore the rules table information exactly as it was at the time of the save. Any rules already in the table are left unchanged, and duplicates are not ignored.\n\n"
                }
            ]
        },
        "SEE ALSO": {
            "content": "ip(8)\n\n",
            "subsections": []
        },
        "AUTHOR": {
            "content": "Original Manpage by Michail Litvak <mci@owl.openwall.com>\n\n\n\niproute2                                     20 Dec 2011                                  IP-RULE(8)",
            "subsections": []
        }
    },
    "summary": "ip-rule - routing policy database management",
    "flags": [],
    "examples": [],
    "see_also": [
        {
            "name": "ip",
            "section": "8",
            "url": "https://www.chedong.com/phpMan.php/man/ip/8/json"
        }
    ],
    "tldr": {
        "source": "official",
        "description": "IP routing policy database management.",
        "examples": [
            {
                "description": "Display the routing policy",
                "command": "ip {{ru|rule}}"
            },
            {
                "description": "Create a new generic routing rule with a higher priority than `main`",
                "command": "sudo ip {{ru|rule}} {{a|add}} from all lookup {{table_id}}"
            },
            {
                "description": "Add a new rule based on packet source addresses",
                "command": "sudo ip {{ru|rule}} {{a|add}} from {{192.168.178.2/32}} lookup {{table_id}}"
            },
            {
                "description": "Add a new rule based on packet destination addresses",
                "command": "sudo ip {{ru|rule}} {{a|add}} to {{192.168.178.2/32}} lookup {{table_id}}"
            },
            {
                "description": "Delete a rule based on packet source addresses",
                "command": "sudo ip {{ru|rule}} {{d|delete}} from {{192.168.178.2/32}}"
            },
            {
                "description": "Remove all routing rules",
                "command": "sudo ip {{ru|rule}} {{f|flush}}"
            },
            {
                "description": "Save all rules to a file",
                "command": "ip {{ru|rule}} {{s|save}} > {{path/to/ip_rules.dat}}"
            },
            {
                "description": "Restore all rules from a file",
                "command": "sudo ip {{ru|rule}} {{r|restore}} < {{path/to/ip_rules.dat}}"
            }
        ]
    }
}
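The RPDB scan described in DESCRIPTION (rules processed in increasing preference number, `not` inverting the whole selector, a table miss falling through to the next rule, blackhole/unreachable/prohibit ending the lookup) and the `ip rule add` forms shown in the tldr examples, replayed as an added Python model. This is editor-written example code, not part of iproute2, the kernel or this man page. The `ip rule show` text, the routing tables, the interface names and the addresses are constructed for the example; `parse_rule` only handles the subset of the `ip rule show` format the model needs (no iif/oif/tos/uidrange/goto), and the fwmark comparison mirrors the kernel's masked XOR test.

```python
"""Toy model of the RPDB lookup described in ip-rule(8).  Written for this page, not
iproute2 or kernel code: it parses a subset of `ip rule show` output and replays the lookup."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

TERMINAL = ("blackhole", "unreachable", "prohibit")


@dataclass
class Rule:
    pref: int
    invert: bool = False              # "not": inverts the whole selector
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    fwmark: Optional[tuple] = None    # (value, mask)
    table: Optional[str] = None       # "lookup TABLE" action
    action: Optional[str] = None      # one of TERMINAL

def parse_rule(line: str) -> Rule:
    """Parse one `ip rule show` line, e.g. '200:\tfrom all fwmark 0x1/0xff lookup 200'."""
    pref, rest = line.split(":", 1)
    rule, toks, i = Rule(pref=int(pref)), rest.split(), 0
    while i < len(toks):
        tok = toks[i]
        if tok == "not":
            rule.invert, i = True, i + 1
        elif tok in ("from", "to"):   # "all" is the unrestricted selector
            net = None if toks[i + 1] == "all" else ipaddress.ip_network(toks[i + 1], strict=False)
            setattr(rule, "src" if tok == "from" else "dst", net)
            i += 2
        elif tok == "fwmark":         # FWMARK[/MASK]; no mask means all 32 bits
            value, _, mask = toks[i + 1].partition("/")
            rule.fwmark, i = (int(value, 0), int(mask, 0) if mask else 0xFFFFFFFF), i + 2
        elif tok == "lookup":
            rule.table, i = toks[i + 1], i + 2
        elif tok in TERMINAL:
            rule.action, i = tok, i + 1
        else:
            raise ValueError(f"unsupported token {tok!r} in {line!r}")
    return rule

def matches(rule: Rule, pkt: dict) -> bool:
    """Apply the selector; `not` inverts the combined result, as FIB_RULE_INVERT does."""
    ok = ((rule.src is None or ipaddress.ip_address(pkt["src"]) in rule.src)
          and (rule.dst is None or ipaddress.ip_address(pkt["dst"]) in rule.dst)
          and (rule.fwmark is None or not (pkt.get("fwmark", 0) ^ rule.fwmark[0]) & rule.fwmark[1]))
    return ok != rule.invert

def lookup_table(tables: dict, name: str, dst: str) -> Optional[str]:
    """Longest-prefix match in one table; None means the table has no route for dst."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, via in tables.get(name, []):
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return None if best is None else best[1]

def rpdb_lookup(rules: list, tables: dict, pkt: dict) -> dict:
    """Scan rules in increasing pref; the first rule whose action succeeds decides."""
    for rule in sorted(rules, key=lambda r: r.pref):
        if not matches(rule, pkt):
            continue
        if rule.action in TERMINAL:   # blackhole/unreachable/prohibit end the lookup
            return {"pref": rule.pref, "verdict": rule.action}
        via = lookup_table(tables, rule.table, pkt["dst"])
        if via is not None:           # a table miss falls through to the next rule
            return {"pref": rule.pref, "table": rule.table, "via": via}
    return {"verdict": "no route"}

def to_command(rule: Rule) -> str:
    """Render the `ip rule add` command that creates this rule."""
    parts = ["ip", "rule", "add"] + (["not"] if rule.invert else [])
    for key, net in (("from", rule.src), ("to", rule.dst)):
        if net is not None:
            parts += [key, str(net)]
    if rule.fwmark is not None:
        value, mask = rule.fwmark
        parts += ["fwmark", f"{value:#x}" + (f"/{mask:#x}" if mask != 0xFFFFFFFF else "")]
    parts += ["pref", str(rule.pref)] + ([rule.action] if rule.action else ["table", rule.table])
    return " ".join(parts)

# Constructed `ip rule show` output: guest subnet via a VPN table (100), marked traffic
# via a second uplink (200), and a blackhole for one destination network (300).
SAMPLE_RULES = """\
0:\tfrom all lookup local
100:\tfrom 192.0.2.0/24 lookup 100
200:\tfrom all fwmark 0x1/0xff lookup 200
300:\tfrom all to 203.0.113.0/24 blackhole
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""
RULES = [parse_rule(line) for line in SAMPLE_RULES.splitlines()]

# Constructed tables as (prefix, nexthop) pairs; table 200 deliberately has no default route.
TABLES = {
    "local": [("127.0.0.0/8", "local lo")],
    "100": [("192.0.2.0/24", "dev eth2"), ("0.0.0.0/0", "via 10.8.0.1 dev tun0")],
    "200": [("198.51.100.0/24", "dev eth1")],
    "main": [("192.0.2.0/24", "dev eth2"), ("0.0.0.0/0", "via 10.1.1.1 dev eth0")],
}
```

Two results are worth checking by hand. A packet from 192.0.2.10 to 203.0.113.5 resolves through table 100 even though rule 300 blackholes that destination, because the scan stops at rule 100: a drop rule meant as a guard needs a lower preference number than every rule that could route the traffic. A packet marked 0x101 matches rule 200 (only the low byte is compared), but table 200 has no route for 10.200.0.1, so the lookup falls through to main and the traffic leaves the default uplink; closing that leak takes either a default route in table 200 or an unreachable/prohibit rule with a preference between 200 and 32766 that matches the same mark.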