
local PBR support
Closed, Resolved | Public | Feature Request

Authored By: pasik, Oct 29 2017, 3:18 PM

Description

local PBR support was merged to vyatta-cfg-firewall here:
https://github.com/vyos/vyatta-cfg-firewall/commit/b30b5c66b7d6f4c12c37a642319dd39f8613f74a

and for some reason it was reverted recently in 2017/09 here:
https://github.com/vyos/vyatta-cfg-firewall/commit/c48f11fa1b0d6a7b196f9750ef82625dea1aba58

Please add the local PBR feature back to VyOS. It did work OK when it was merged in 2015. I'll re-test and make sure it still works OK after it has been (re)applied, and send fixes, if/where needed.

Thanks!

Details

Difficulty level: Hard (possibly days)
Version: -
Why the issue appeared? Will be filled on close
Is it a breaking change? Unspecified (possibly destroys the router)

Event Timeline

I'd also really like to have this back as I am heavily using it.

Yep, let's get this feature back into VyOS !

syncer triaged this task as Normal priority. Dec 21 2017, 9:23 PM

Is there any chance to get this feature back into 1.2.x? I could heavily use this for management traffic and for pinning tunnels to specific interfaces.

I'd love for this feature to get back into VyOS. I am available for testing if needed.

@dmbaturin Can you put it back on the rolling? We periodically have many appeals on this issue.

This is really a good feature. I hope I can see this feature in the LTS version soon.

Dmitry raised the priority of this task from Normal to High. Aug 20 2020, 10:06 AM

So I'd love to have this feature back in, but I still don't understand why it was removed. It's ok if it needs to be implemented in some other ways, but for some reason there hasn't been any communication/replies to this issue.

The feature itself is useful and solves actual problems, especially when using multiple internet connections via different operators.

I'm happy to help with the feature, as I did earlier!

I propose to use this format:

https://github.com/sever-sever/vyos-1x/commit/075b8fd286771ef0b84718619092c23dda4eb871

set policy local-route priority 50 set table '10'
set policy local-route priority 50 source '100.64.0.1/32'
set policy local-route priority 50 source '100.64.0.2/32'
set policy local-route priority 50 source '100.64.0.3/32'

Commit

vyos@r4-roll# commit
[ policy local-route ]
{'priority': {'50': {'set': {'table': '10'},
                     'source': ['100.64.0.1/32',
                                '100.64.0.2/32',
                                '100.64.0.3/32']}}}

[edit]

IP rules

vyos@r4-roll# sudo ip rule show
0:	from all lookup local 
50:	from 100.64.0.1 lookup 10 
50:	from 100.64.0.2 lookup 10 
50:	from 100.64.0.3 lookup 10 
220:	from all lookup 220 
32766:	from all lookup main 
32767:	from all lookup default 
[edit]
vyos@r4-roll#

Need to figure out how to remove it now.

PR https://github.com/vyos/vyos-1x/pull/614
Add the ability to use policy local-route

set policy local-route rule 50 set table '20'
set policy local-route rule 50 source '100.64.0.1'
set policy local-route rule 50 source '100.64.0.2'
set policy local-route rule 50 source '203.0.113.0/24'

IP rules

vyos@r4-roll# sudo ip rule show
0:	from all lookup local 
50:	from 100.64.0.1 lookup 20 
50:	from 100.64.0.2 lookup 20 
50:	from 203.0.113.0/24 lookup 20 
32766:	from all lookup main 
32767:	from all lookup default 
[edit]
vyos@r4-roll#

Del

del policy local-route rule 50 source '203.0.113.0/24'
vyos@r4-roll# sudo ip rule show
0:	from all lookup local 
50:	from 100.64.0.1 lookup 20 
50:	from 100.64.0.2 lookup 20 
32766:	from all lookup main 
32767:	from all lookup default
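Both snippets above (the earlier `priority` form and the PR's `rule` form) map one config node to a set of `ip rule` entries, and the open question in the first comment was how to remove them again. As an added example, not part of this task, the PR, or vyos-1x itself, here is a small Python reconciler that parses the `rule` form shown above, derives the (priority, source, table) tuples it implies, and diffs them against a captured `ip rule show` so that a source removed from the config turns into the matching `ip rule del`. The function names, the reconcile-by-diff approach, and the kernel-state capture are assumptions constructed for illustration; the real implementation in the PR may differ.

```python
# Added example (not code from vyos-1x or the PR above): translate a
# "policy local-route" fragment into the ip rule entries it implies, then
# reconcile them against a captured `ip rule show`, so that removing a
# source from the config yields the matching `ip rule del`. The function
# names and the reconcile approach are assumptions for illustration.
import ipaddress
import re
import shlex

SET_RE = re.compile(r"^set policy local-route rule (\d+) (set table|source) (.+)$")
RULE_RE = re.compile(r"^(\d+):\s+from (\S+) lookup (\S+)")


def parse_local_route(lines):
    """Parse 'set policy local-route rule N ...' lines into
    {N: {'table': str, 'source': [cidr, ...]}}; hosts are normalised to /32."""
    rules = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = SET_RE.match(line)
        if not m:
            raise ValueError(f"unsupported line: {line}")
        prio, key, value = int(m.group(1)), m.group(2), shlex.split(m.group(3))[0]
        rule = rules.setdefault(prio, {"table": None, "source": []})
        if key == "set table":
            rule["table"] = value
        else:
            rule["source"].append(str(ipaddress.ip_network(value, strict=False)))
    for prio, rule in rules.items():
        if rule["table"] is None or not rule["source"]:
            raise ValueError(f"rule {prio}: needs 'set table' and at least one 'source'")
    return rules


def desired_rules(config):
    """Flatten the parsed config into (priority, source, table) tuples."""
    return {(p, src, r["table"]) for p, r in config.items() for src in r["source"]}


def parse_ip_rule_show(output, managed_priorities):
    """Pick the (priority, source, table) tuples out of `ip rule show` output,
    ignoring 'from all' and any priority this config does not manage, so the
    kernel's own local/main/default rules are never touched."""
    current = set()
    for line in output.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        prio, src, table = int(m.group(1)), m.group(2), m.group(3)
        if prio not in managed_priorities or src == "all":
            continue
        current.add((prio, str(ipaddress.ip_network(src, strict=False)), table))
    return current


def reconcile(config, ip_rule_output):
    """Return the ip rule commands that move the kernel to the configured
    state: stale entries are deleted first, then missing ones are added."""
    want = desired_rules(config)
    have = parse_ip_rule_show(ip_rule_output, set(config))
    cmds = [f"ip rule del from {s} lookup {t} priority {p}" for p, s, t in sorted(have - want)]
    cmds += [f"ip rule add from {s} lookup {t} priority {p}" for p, s, t in sorted(want - have)]
    return cmds


# Config as shown in the PR, before and after the 'del' of the /24 source
CONFIG_BEFORE = [
    "set policy local-route rule 50 set table '20'",
    "set policy local-route rule 50 source '100.64.0.1'",
    "set policy local-route rule 50 source '100.64.0.2'",
    "set policy local-route rule 50 source '203.0.113.0/24'",
]
CONFIG_AFTER_DEL = CONFIG_BEFORE[:3]

# Constructed `ip rule show` capture: 100.64.0.2 was never installed and the
# /24 entry is still present in the kernel
KERNEL_STATE = """0:\tfrom all lookup local
50:\tfrom 100.64.0.1 lookup 20
50:\tfrom 203.0.113.0/24 lookup 20
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""

if __name__ == "__main__":
    for cmd in reconcile(parse_local_route(CONFIG_AFTER_DEL), KERNEL_STATE):
        print(cmd)
```

Running it against the post-`del` config prints one `ip rule del` for the /24 entry followed by one `ip rule add` for 100.64.0.2; only priorities that appear in the config are ever considered, so the kernel's `local`, `main` and `default` rules (and anything else at other priorities, such as the `220` rule in the first capture) are left alone.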

Viacheslav changed the task status from Open to Needs testing. Nov 20 2020, 4:19 PM

@pasik Can you check if it solves your expectation?

@Viacheslav Thanks a lot, I'll give it a go, hopefully sometime next week.

dmbaturin changed Difficulty level from Unknown (require assessment) to Hard (possibly days).
dmbaturin set Is it a breaking change? to Unspecified (possibly destroys the router).

Hey @Viacheslav any chance of getting this merged into crux in addition to current?

@dirtycache There are a lot of dependencies which are not present in 1.2, for example dict_merge/node_changed/leaf_node_changed/render/call/airbag.

I don't see any option to migrate it to the "crux". It looks like for 1.2 it needs to be written from scratch.

+1 if possible in VyOS 1.3 Equuleus (if it cannot already be in Crux)

This feature is really useful when VyOS is installed on cloud providers that use 1-to-1 NAT (GCP, AWS, etc.) and multiple interfaces with multiple public IP addresses are attached to the VyOS instance.