"ip rule add sport" can not work as expected

cwbsw · October 7, 2018, 8:05am

ip-full package has been installed

ip rule add sport 38123 dport 34000 table 108 pref 108
ip rule list pref 108

108:    from all lookup 108

jow · October 8, 2018, 9:16am

There are no sport and dport options for IP rule. You'll need to resort to an fwmark match together with an accompanying iptables rule which tags the traffic with a given fwmark, depending on the source and dest port.

vgaetera · October 8, 2018, 9:34am

https://man.cx/ip-rule

ip rule { add | del } SELECTOR ACTION
...
SELECTOR := ... [ sport [ NUMBER | NUMBER - NUMBER ] ] [ dport [ NUMBER | NUMBER - NUMBER ] ]

jow · October 8, 2018, 9:39am

Sorry, my fault then. At least with iproute2 4.14.1 on debian, SELECTOR := [ not ] [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ fwmark FWMARK[/MASK] ] in both help an man page outputs.

Also, the underlying FRA_SPORT_RANGE and FRA_DPORT_RANGE netlink attributes are only supported with kernel 4.17 and later.

cwbsw · October 9, 2018, 2:02am

Thanks. so the problem is, the iproute2 package (4.18.0) has port match support already, but the current kernel has not supported yet.

system · October 19, 2018, 2:02am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.