3

I found out about ip-rule's "suppress_ifgroup X" feature, which seems to allow me to tell the kernel to ignore a route from the given table with an outgoing interface that belongs to that group X. But I couldn't find any information on how I would set up those groups.

How do I assign interfaces to "groups" for the purpose of using ip-rule's "suppress_ifgroup" feature?

sellibitze
    The command should be `ip link set dev somedev group somegroup`, but I couldn't manage to alter the routing outcome with a rule and a group on an interface (e.g. prevent this interface from being used). The group can be used in a few other places, like nftables' iifgroup match (or iptables' devgroup match). If you have an example that works with `suppress_ifgroup` and `ip link set ... group`, please answer your question. – A.B Sep 29 '19 at 14:15

1 Answer

1

Here's an example using `ip rule ... suppress_ifgroup` along with `ip link set ... group X`, in a (`ip netns`) network namespace `ex`:

```
# ip netns add ex
# ip netns exec ex sh
```

and entering all further commands in this interactive shell.

```
ip link add name e0 up type dummy
ip link add name e1 up type dummy
ip link add name e2 up type dummy
ip link add name e3 up type dummy

ip address add 192.0.2.0/32 dev e0
ip address add 192.0.2.1/32 dev e1
ip address add 192.0.2.2/32 dev e2
ip address add 192.0.2.3/32 dev e3

ip route add default dev e0
ip route add default dev e1 table 1001
ip route add default dev e2 table 1002
ip route add default dev e3 metric 1 table 1002 # same table as previous

ip rule add pref 1001 lookup 1001 suppress_ifgroup 10
ip rule add pref 1002 lookup 1002 suppress_ifgroup 10
```

Now one can see that once the routing outcome is evaluated from the specific table called by a rule, it will be suppressed if the interface's group matches the one on the rule:

```
# ip route get 192.0.2.10
192.0.2.10 dev e1 table 1001 src 192.0.2.1 uid 0
    cache
# ip link set e1 group 10
# ip route get 192.0.2.10
192.0.2.10 dev e2 table 1002 src 192.0.2.2 uid 0
    cache
# ip link set e2 group 10
# ip route get 192.0.2.10
192.0.2.10 dev e0 src 192.0.2.0 uid 0
    cache
#
```
  • Initially, table 1001's result is chosen and kept.
  • Once e1 is part of group 10, the route using e1 from table 1001 gets ignored, moving to the next rule evaluation with a route using e2.
  • For the next case, the lookup in table 1002 happened as in the previous case, again returning e2 as the chosen interface, and was then cancelled as in the previous case. e3 is never even considered as a second choice, leaving e0 to be chosen from the main routing table: the suppression happens only at the rule level, after the routing table was evaluated, not during the routing table evaluation.

This example just shows how to "disable" an interface by setting it in a specific group, letting a non-"disabled" interface be used instead. I don't know of a real use for suppress_ifgroup, but it is probably used in some complex routing setups, including setups involving tunnels.

A.B
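The rule-level behaviour shown in the answer above can be replayed offline with a small model. This is an added example, not part of the original answer and not kernel code: `route_get`, `replay`, `TABLES` and `RULES` are hypothetical names, and it assumes every route is a default route, so a table's answer is simply its lowest-metric entry.

```python
# Added illustration: simplified model of policy-routing lookup with suppress_ifgroup.
# Assumption: only default routes exist, so a table's answer is its lowest metric.

# Constructed data mirroring the tables and rules set up in the answer.
TABLES = {
    "main": [{"dev": "e0", "metric": 0}],
    1001: [{"dev": "e1", "metric": 0}],
    1002: [{"dev": "e2", "metric": 0}, {"dev": "e3", "metric": 1}],
}
RULES = [
    {"pref": 1001, "table": 1001, "suppress_ifgroup": 10},
    {"pref": 1002, "table": 1002, "suppress_ifgroup": 10},
    {"pref": 32766, "table": "main"},  # default rule for the main table
]


def route_get(rules, tables, groups):
    """Return (pref, dev) of the first rule whose result is not suppressed."""
    for rule in sorted(rules, key=lambda r: r["pref"]):
        table = tables.get(rule["table"], [])
        if not table:
            continue  # no route in this table: fall through to the next rule
        best = min(table, key=lambda r: r["metric"])
        # Suppression is tested once, on the table's final answer. A suppressed
        # result moves on to the next rule; the table is not searched again.
        # Interfaces without an explicit group are in group 0 (the default).
        if groups.get(best["dev"], 0) == rule.get("suppress_ifgroup"):
            continue
        return rule["pref"], best["dev"]
    return None


def replay():
    """Repeat the answer's session: put e1, then e2, into group 10."""
    groups = {}
    results = [route_get(RULES, TABLES, groups)]
    for dev in ("e1", "e2"):
        groups[dev] = 10
        results.append(route_get(RULES, TABLES, groups))
    return results


if __name__ == "__main__":
    for pref, dev in replay():
        print(f"rule {pref} -> dev {dev}")
```

Putting only e3 into group 10 leaves the outcome at e2, because e3 is never the lookup result of table 1002 while e2 has the lower metric.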