
Put management traffic in separate routing table
Open, Requires assessment, Public

Description

Hi,

I want to set up a fresh VyOS-based router, so I have an empty config here, and first I want to give myself management access through a separate interface with a separate routing table.
I tried this in VyOS:

set interfaces bonding bond0 mode '802.3ad'
set interfaces bonding bond0 vif 200 address '2a0c:a980:XXXX::X:5/64'
set interfaces bonding bond0 vif 200 policy ipv6-route 'mgnt-vlan200'
set interfaces ethernet eth0 hw-id '6c:3b:e5:b0:79:00'
set interfaces ethernet eth1 bond-group 'bond0'
set interfaces ethernet eth1 hw-id '6c:3b:e5:b0:79:04'
set interfaces ethernet eth3 hw-id 'e8:39:35:01:f7:3d'
set interfaces ethernet eth4 hw-id 'e8:39:35:01:f7:3e'
set interfaces ethernet eth5 hw-id 'e8:39:35:01:f7:3f'
set interfaces ethernet eth6 bond-group 'bond0'
set interfaces ethernet eth6 hw-id 'd4:85:64:2f:e7:08'
set interfaces ethernet eth7 hw-id 'd4:85:64:2f:e7:0c'
set interfaces loopback lo
set policy ipv6-route mgnt-vlan200 rule 1 destination address '::/0'
set policy ipv6-route mgnt-vlan200 rule 1 set table '100'
set policy ipv6-route mgnt-vlan200 rule 1 source address '2a0c:a980:XXXX::X:5'
set policy ipv6-route mgnt-vlan200 rule 2 destination address '2a0c:a980:XXXX::X:5'
set policy ipv6-route mgnt-vlan200 rule 2 set table '100'
set policy ipv6-route mgnt-vlan200 rule 2 source address '::/0'
set protocols static table 100 interface-route6 2a0c:a980:XXXX::/64 next-hop-interface bond0.200
set protocols static table 100 route6 ::/0 next-hop 2a0c:a980:XXXX::1
set service ssh
set system config-management commit-revisions '100'
set system console device ttyS0 speed '9600'
set system host-name 'r1'
set system login user vyos authentication encrypted-password 'XXXXXXX'
set system login user vyos authentication plaintext-password ''
set system login user vyos level 'admin'
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'

But this doesn't work. I see that VyOS uses ip rule, but with fwmark instead of matching directly.
With ip6tables-save I can see the generated rules and that no packet is hitting the chain:

:PREROUTING ACCEPT [10:672]
:INPUT ACCEPT [239:26212]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [166:23562]
:POSTROUTING ACCEPT [166:23562]
:VYATTA_FW_IN_HOOK - [0:0] <-- zero counter
:VYATTA_FW_LOCALOUT_HOOK - [0:0]
:VYATTA_FW_OUT_HOOK - [0:0]
:VYATTA_PBR_100 - [0:0]
:VYOS_DNPT_HOOK - [0:0]
:VYOS_SNPT_HOOK - [0:0]
:mgnt-vlan200 - [0:0]
-A PREROUTING -j VYATTA_FW_IN_HOOK
-A PREROUTING -j VYOS_DNPT_HOOK
-A OUTPUT -j VYATTA_FW_LOCALOUT_HOOK
-A POSTROUTING -j VYATTA_FW_OUT_HOOK
-A POSTROUTING -j VYOS_SNPT_HOOK
-A VYATTA_FW_IN_HOOK -i bond0.200 -j mgnt-vlan200
-A VYATTA_PBR_100 -j MARK --set-xmark 0x80000063/0xffffffff
-A VYATTA_PBR_100 -j ACCEPT
-A VYOS_DNPT_HOOK -j RETURN
-A VYOS_SNPT_HOOK -j RETURN
-A mgnt-vlan200 -s 2a0c:a980:XXXX::X:5/128 -m comment --comment mgnt-vlan200-1 -j VYATTA_PBR_100
-A mgnt-vlan200 -d 2a0c:a980:XXXX::X:5/128 -m comment --comment mgnt-vlan200-2 -j VYATTA_PBR_100
-A mgnt-vlan200 -m comment --comment "mgnt-vlan200-10000 default-action accept" -j RETURN
COMMIT

On a "normal" Linux system I would implement this functionality without fwmark:

/sbin/ip -6 route add 2a0c:a980:XXXX::/64 dev bond0.200 scope link src 2a0c:a980:XXXX::X:5 table 100
/sbin/ip -6 route add default via 2a0c:a980:XXXX::1 dev bond0.200 table 100
/sbin/ip -6 rule add from 2a0c:a980:XXXX::/64 table 100
/sbin/ip -6 rule add to 2a0c:a980:XXXX::X:5 table 100

Yes, it would be better to have clean VRF support, but I know that this is not included in VyOS 1.2.
So is there another way to make this work?

Details

Difficulty level
Unknown (require assessment)
Version
1.2.0
Why the issue appeared?
Will be filled on close

Event Timeline

rherold created this task.Feb 24 2019, 9:44 AM
rherold created this object in space S1 VyOS Public.
rherold updated the task description. (Show Details)Feb 24 2019, 9:57 AM
rherold added a comment.EditedFeb 24 2019, 10:11 AM

Why do we use fwmark in this case? As far as I can see, ip rule gives us all the needed selectors:

ruben@schleppy:[~] > ip rule add help
Usage: ip rule { add | del } SELECTOR ACTION
       ip rule { flush | save | restore }
       ip rule [ list [ SELECTOR ]]
SELECTOR := [ not ] [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ fwmark FWMARK[/MASK] ]
            [ iif STRING ] [ oif STRING ] [ pref NUMBER ] [ l3mdev ]
            [ uidrange NUMBER-NUMBER ]
            [ ipproto PROTOCOL ]
            [ sport [ NUMBER | NUMBER-NUMBER ]
            [ dport [ NUMBER | NUMBER-NUMBER ] ]
ACTION := [ table TABLE_ID ]
          [ protocol PROTO ]
          [ nat ADDRESS ]
          [ realms [SRCREALM/]DSTREALM ]
          [ goto NUMBER ]
          SUPPRESSOR
SUPPRESSOR := [ suppress_prefixlength NUMBER ]
              [ suppress_ifgroup DEVGROUP ]
TABLE_ID := [ local | main | default | NUMBER ]
ruben@schleppy:[~] >

So all the traffic need not be marked via iptables.

Hi,

I added a log rule to the chain:

-A mgnt-vlan200 -j LOG
-A mgnt-vlan200 -s 2a0c:a980:1000::1:5/128 -m comment --comment mgnt-vlan200-1 -j VYATTA_PBR_100
-A mgnt-vlan200 -d 2a0c:a980:1000::1:5/128 -m comment --comment mgnt-vlan200-2 -j VYATTA_PBR_100
-A mgnt-vlan200 -m comment --comment "mgnt-vlan200-10000 default-action accept" -j RETURN
COMMIT

The log catches only the incoming packets, not the answer packets. It seems that the outgoing flow of locally generated packets does not go through the generated chain, and so does not go to
the right table.
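The observation above (replies are never seen by the PBR chain) can be checked mechanically from the ip6tables-save dump instead of by adding LOG rules. The following is an added example, not code from the report or from VyOS: it parses the rule dump quoted in the task (with the redacted addresses left as-is, since only chain names and jump targets matter) and computes, for every user-defined chain, which built-in hooks can reach it. A chain that sets a MARK but is reachable only from PREROUTING can never mark locally generated traffic, because that traffic enters netfilter at OUTPUT.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Built-in hooks of the table; everything else in the dump is a user-defined chain.
BUILTIN = {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"}

# Sample input: the ip6tables-save output quoted in the task description
# (reporter's "<-- zero counter" annotation removed so every line parses).
DUMP = """\
:PREROUTING ACCEPT [10:672]
:INPUT ACCEPT [239:26212]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [166:23562]
:POSTROUTING ACCEPT [166:23562]
:VYATTA_FW_IN_HOOK - [0:0]
:VYATTA_FW_LOCALOUT_HOOK - [0:0]
:VYATTA_FW_OUT_HOOK - [0:0]
:VYATTA_PBR_100 - [0:0]
:VYOS_DNPT_HOOK - [0:0]
:VYOS_SNPT_HOOK - [0:0]
:mgnt-vlan200 - [0:0]
-A PREROUTING -j VYATTA_FW_IN_HOOK
-A PREROUTING -j VYOS_DNPT_HOOK
-A OUTPUT -j VYATTA_FW_LOCALOUT_HOOK
-A POSTROUTING -j VYATTA_FW_OUT_HOOK
-A POSTROUTING -j VYOS_SNPT_HOOK
-A VYATTA_FW_IN_HOOK -i bond0.200 -j mgnt-vlan200
-A VYATTA_PBR_100 -j MARK --set-xmark 0x80000063/0xffffffff
-A VYATTA_PBR_100 -j ACCEPT
-A VYOS_DNPT_HOOK -j RETURN
-A VYOS_SNPT_HOOK -j RETURN
-A mgnt-vlan200 -s 2a0c:a980:XXXX::X:5/128 -m comment --comment mgnt-vlan200-1 -j VYATTA_PBR_100
-A mgnt-vlan200 -d 2a0c:a980:XXXX::X:5/128 -m comment --comment mgnt-vlan200-2 -j VYATTA_PBR_100
-A mgnt-vlan200 -m comment --comment "mgnt-vlan200-10000 default-action accept" -j RETURN
COMMIT
"""

CHAIN_RE = re.compile(r"^:(\S+) \S+ \[(\d+):(\d+)\]")
RULE_RE = re.compile(r"^-A (\S+) .*?-j (\S+)")


def parse(dump: str) -> Tuple[Dict[str, int], Dict[str, List[str]]]:
    """Return (chain -> packet counter, chain -> list of -j targets in rule order)."""
    counters: Dict[str, int] = {}
    jumps: Dict[str, List[str]] = defaultdict(list)
    for raw in dump.splitlines():
        line = raw.strip()
        m = CHAIN_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
            continue
        m = RULE_RE.match(line)
        if m:
            jumps[m.group(1)].append(m.group(2))
    return counters, dict(jumps)


def entry_points(jumps: Dict[str, List[str]], counters: Dict[str, int]) -> Dict[str, Set[str]]:
    """For every user-defined chain, the set of built-in hooks from which it is reachable.
    Targets that are not chains in the dump (ACCEPT, RETURN, MARK, ...) end the walk."""
    reach: Dict[str, Set[str]] = {c: set() for c in counters if c not in BUILTIN}
    for hook in BUILTIN & set(counters):
        stack, seen = [hook], set()
        while stack:
            chain = stack.pop()
            for target in jumps.get(chain, []):
                if target in reach and target not in seen:
                    seen.add(target)
                    reach[target].add(hook)
                    stack.append(target)
    return reach


def marking_chains_not_in_output(dump: str) -> List[str]:
    """Chains that set a MARK but cannot be reached from OUTPUT: locally generated
    packets (the replies in the report) will never carry their mark."""
    counters, jumps = parse(dump)
    reach = entry_points(jumps, counters)
    return sorted(
        c for c, targets in jumps.items()
        if c in reach and "MARK" in targets and "OUTPUT" not in reach[c]
    )


if __name__ == "__main__":
    counters, jumps = parse(DUMP)
    for chain, hooks in sorted(entry_points(jumps, counters).items()):
        print(f"{chain:28s} reachable from: {sorted(hooks) or '(nothing)'}")
    print("MARK chains unreachable from OUTPUT:", marking_chains_not_in_output(DUMP))
```

On the task's dump this reports mgnt-vlan200 and VYATTA_PBR_100 as reachable only from PREROUTING, and VYATTA_FW_LOCALOUT_HOOK as the only chain hanging off OUTPUT, which is exactly why the reporter's LOG rule saw requests but never replies. The same check is useful after any PBR change: if a marking chain does not appear under OUTPUT, router-originated traffic for that policy will fall through to the main table.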

rherold changed Version from 1.2 to 1.2.0.Feb 26 2019, 2:27 PM
rherold added a comment.EditedFeb 26 2019, 2:48 PM

Would it be possible to add an option to bind a specific interface to a routing table?
I have tested the scenario above and created only the routing table via protocols static.
After this I manually added:

ip -6 rule add iif bond0.200 table 100
ip -6 rule add oif bond0.200 table 100

So as a workaround we could use a setting that allows us to bind an interface to a specific table, for example

set interface bonding bond0 vif 200 policy ipv6-table 100
set interface bonding bond0 vif 200 policy table 100

which would execute the above commands in the background.
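To make the difference between the three approaches in this task concrete (the fwmark rule VyOS installs from the policy in the description, the from/to rules the reporter would use on plain Linux, and the iif/oif workaround in this last comment), here is an added example that is not part of the task or of VyOS: a small model of the Linux routing policy database (RPDB) lookup. It walks `ip -6 rule` entries in preference order and does a longest-prefix lookup in the selected table, falling through to the next rule when the table has no route, as the kernel does. Addresses are constructed from the documentation prefix (the task's real prefix is redacted), the mark value is the one from the report's ip6tables-save, and the interface names are the report's. The reply with `oif` set models what the reporter observed: the kernel routes TCP and ICMPv6 replies with the incoming interface as the flow's output interface hint, which is what lets an `oif bond0.200` rule match router-originated replies.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed addressing (RFC 3849 documentation prefix); interface names from the report.
MGMT_NET = ip_network("2001:db8:200::/64")
MGMT_ADDR = ip_address("2001:db8:200::5")       # the router's management address
MGMT_GW = ip_address("2001:db8:200::1")         # next hop in table 100
CLIENT = ip_address("2001:db8:ffff::10")        # an admin workstation behind the mgmt gateway
PBR_MARK = 0x80000063                           # mark set by VYATTA_PBR_100 in the report's dump


@dataclass
class Route:
    prefix: IPv6Network
    dev: str
    via: Optional[IPv6Address] = None


@dataclass
class Rule:
    """One 'ip -6 rule' entry: selectors plus the table to consult."""
    pref: int
    table: str
    src: Optional[IPv6Network] = None      # from PREFIX
    dst: Optional[IPv6Network] = None      # to PREFIX
    iif: Optional[str] = None              # iif STRING
    oif: Optional[str] = None              # oif STRING
    fwmark: Optional[int] = None           # fwmark MARK


@dataclass
class Packet:
    src: IPv6Address
    dst: IPv6Address
    iif: Optional[str] = None              # None for locally generated traffic
    oif: Optional[str] = None              # output-interface hint attached to the flow, if any
    fwmark: int = 0                        # 0 unless a netfilter MARK rule set it


# Constructed tables: transit default via eth0 in main, management routes in table 100.
TABLES: Dict[str, List[Route]] = {
    "main": [Route(ip_network("::/0"), "eth0", ip_address("2001:db8:1::1"))],
    "100": [Route(MGMT_NET, "bond0.200"), Route(ip_network("::/0"), "bond0.200", MGMT_GW)],
}


def matches(rule: Rule, pkt: Packet) -> bool:
    return all([
        rule.src is None or pkt.src in rule.src,
        rule.dst is None or pkt.dst in rule.dst,
        rule.iif is None or rule.iif == pkt.iif,
        rule.oif is None or rule.oif == pkt.oif,
        rule.fwmark is None or rule.fwmark == pkt.fwmark,
    ])


def lookup_table(table: str, dst: IPv6Address) -> Optional[Route]:
    """Longest-prefix match inside one table; None when the table has no route."""
    candidates = [r for r in TABLES.get(table, []) if dst in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def route(pkt: Packet, rules: List[Rule]) -> Tuple[str, str]:
    """Return (table, egress device) chosen by the RPDB for this packet."""
    for rule in sorted(rules, key=lambda r: r.pref):
        if matches(rule, pkt):
            found = lookup_table(rule.table, pkt.dst)
            if found is not None:
                return rule.table, found.dev
    raise LookupError("unreachable")


MAIN_RULE = Rule(32766, "main")
# (1) What the 'policy ipv6-route' config installs: a rule keyed on the netfilter mark.
VYOS_RULES = [Rule(100, "100", fwmark=PBR_MARK), MAIN_RULE]
# (2) The reporter's plain-Linux equivalent: 'from' and 'to' selectors, no mark needed.
FROM_TO_RULES = [Rule(100, "100", src=MGMT_NET),
                 Rule(101, "100", dst=ip_network(f"{MGMT_ADDR}/128")), MAIN_RULE]
# (3) The workaround from the last comment: bind the interface to the table via iif/oif.
IIF_OIF_RULES = [Rule(100, "100", iif="bond0.200"), Rule(101, "100", oif="bond0.200"), MAIN_RULE]


def compare() -> Dict[str, Tuple[str, str]]:
    """Route the router's own reply to the admin client under each rule set."""
    reply = Packet(MGMT_ADDR, CLIENT)                  # leaves via OUTPUT: PBR chain never marks it
    reply_with_oif = Packet(MGMT_ADDR, CLIENT, oif="bond0.200")
    return {
        "vyos_fwmark": route(reply, VYOS_RULES),
        "vyos_fwmark_if_marked": route(Packet(MGMT_ADDR, CLIENT, fwmark=PBR_MARK), VYOS_RULES),
        "from_to": route(reply, FROM_TO_RULES),
        "iif_oif": route(reply_with_oif, IIF_OIF_RULES),
    }


if __name__ == "__main__":
    for name, (table, dev) in compare().items():
        print(f"{name:22s} -> table {table:5s} via {dev}")
```

The first line of the output shows the bug as reported: with only the fwmark rule, the unmarked reply is routed by the main table out of eth0, so the management session never gets its answers back on bond0.200; the second line shows the same rule works once the mark is present, which is what a mark applied in OUTPUT would give. The from/to and iif/oif variants send the reply through table 100 without touching netfilter at all, matching the selectors the reporter listed from `ip rule add help`.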