local PBR support
Needs testing, High, Public, FEATURE REQUEST

Description

Local PBR support was merged to vyatta-cfg-firewall here:
https://github.com/vyos/vyatta-cfg-firewall/commit/b30b5c66b7d6f4c12c37a642319dd39f8613f74a

and for some reason it was reverted recently in 2017/09 here:
https://github.com/vyos/vyatta-cfg-firewall/commit/c48f11fa1b0d6a7b196f9750ef82625dea1aba58

Please add the local PBR feature back to VyOS. It did work OK when it was merged in 2015. I'll re-test and make sure it still works OK after it has been (re)applied, and send fixes, if/where needed.

Thanks!

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close

Event Timeline

pasik created this task. Oct 29 2017, 3:18 PM

I'd also really like to have this back as I am heavily using it.

UnicronNL added subscribers: dmbaturin, UnicronNL.

@dmbaturin, why did you revert it?

Yep, let's get this feature back into VyOS!

syncer triaged this task as Normal priority. Dec 21 2017, 9:23 PM

Is there any chance to get this feature back into 1.2.x? I could heavily use this for management traffic and for pinning tunnels to specific interfaces.

mjb added a subscriber: mjb. Sep 30 2019, 12:06 AM
mjb awarded a token. Sep 30 2019, 12:10 AM
Dmitry added a subscriber: Dmitry. Oct 1 2019, 8:35 AM
afics added a subscriber: afics. Feb 18 2020, 9:18 AM

I'd love for this feature to get back into VyOS. I am available for testing if needed.

zakwan added a subscriber: zakwan. Mar 10 2020, 9:16 AM

@dmbaturin Can you put it back on the rolling? We periodically have many appeals on this issue.

This is really a good feature. I hope I can see this feature in the LTS version soon.

ronie added a subscriber: ronie. Aug 17 2020, 2:45 PM
Dmitry raised the priority of this task from Normal to High. Aug 20 2020, 10:06 AM

So I'd love to have this feature back in, but I still don't understand why it was removed. It's ok if it needs to be implemented in some other ways, but for some reason there hasn't been any communication/replies to this issue.

The feature itself is useful and solves actual problems, especially when using multiple internet connections via different operators.

I'm happy to help with the feature, as I did earlier!

Propose to use that format

https://github.com/sever-sever/vyos-1x/commit/075b8fd286771ef0b84718619092c23dda4eb871

set policy local-route priority 50 set table '10'
set policy local-route priority 50 source '100.64.0.1/32'
set policy local-route priority 50 source '100.64.0.2/32'
set policy local-route priority 50 source '100.64.0.3/32'

Commit

vyos@r4-roll# commit
[ policy local-route ]
{'priority': {'50': {'set': {'table': '10'},
                     'source': ['100.64.0.1/32',
                                '100.64.0.2/32',
                                '100.64.0.3/32']}}}

[edit]

IP rules

vyos@r4-roll# sudo ip rule show
0:	from all lookup local 
50:	from 100.64.0.1 lookup 10 
50:	from 100.64.0.2 lookup 10 
50:	from 100.64.0.3 lookup 10 
220:	from all lookup 220 
32766:	from all lookup main 
32767:	from all lookup default 
[edit]
vyos@r4-roll#

Need to figure out how to remove it now.

PR https://github.com/vyos/vyos-1x/pull/614
Add the ability to use policy local-route

set policy local-route rule 50 set table '20'
set policy local-route rule 50 source '100.64.0.1'
set policy local-route rule 50 source '100.64.0.2'
set policy local-route rule 50 source '203.0.113.0/24'

IP rules

vyos@r4-roll# sudo ip rule show
0:	from all lookup local 
50:	from 100.64.0.1 lookup 20 
50:	from 100.64.0.2 lookup 20 
50:	from 203.0.113.0/24 lookup 20 
32766:	from all lookup main 
32767:	from all lookup default 
[edit]
vyos@r4-roll#

Del

del policy local-route rule 50 source '203.0.113.0/24'
vyos@r4-roll# sudo ip rule show
0:	from all lookup local 
50:	from 100.64.0.1 lookup 20 
50:	from 100.64.0.2 lookup 20 
32766:	from all lookup main 
32767:	from all lookup default
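
Added example, not part of the thread or of the VyOS code base: a check that the rules shown by `ip rule show` match what the `set policy local-route rule` commands above ask for, including the case seen earlier in the thread where a `/32` source is printed without its mask. The function names are hypothetical, and the sample input is constructed from the commands and output quoted above.

```python
import ipaddress
import re

# Constructed sample input, shaped like the commands and output quoted in the thread.
CONFIG = """\
set policy local-route rule 50 set table '20'
set policy local-route rule 50 source '100.64.0.1'
set policy local-route rule 50 source '100.64.0.2'
set policy local-route rule 50 source '203.0.113.0/24'
"""
IP_RULE_SHOW = """\
0:\tfrom all lookup local
50:\tfrom 100.64.0.1 lookup 20
50:\tfrom 100.64.0.2 lookup 20
50:\tfrom 203.0.113.0/24 lookup 20
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""

def norm(src):
    """Normalise a source so '100.64.0.1/32' and '100.64.0.1' compare equal."""
    return ipaddress.ip_network(src, strict=False)

def expected_rules(config):
    """Return {(priority, source_network, table)} implied by the set commands."""
    tables, sources = {}, []
    for line in config.splitlines():
        m = re.match(r"set policy local-route rule (\d+) (set table|source) '([^']+)'", line.strip())
        if m and m.group(2) == "set table":
            tables[int(m.group(1))] = m.group(3)
        elif m:
            sources.append((int(m.group(1)), norm(m.group(3))))
    return {(p, s, tables[p]) for p, s in sources if p in tables}

def installed_rules(output):
    """Parse 'PRIO: from SRC lookup TABLE' lines, skipping the 'from all' rules."""
    rules = set()
    for line in output.splitlines():
        m = re.match(r"(\d+):\s+from (\S+) lookup (\S+)", line.strip())
        if m and m.group(2) != "all":
            rules.add((int(m.group(1)), norm(m.group(2)), m.group(3)))
    return rules

def audit(config, output):
    """Return (missing, unexpected); both empty means the kernel matches the config."""
    want, have = expected_rules(config), installed_rules(output)
    return want - have, have - want
```

A non-empty `unexpected` set means a source-based rule is installed that the configuration does not account for, which is worth reviewing when local PBR is used to pin management traffic to one path.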

Viacheslav changed the task status from Open to Needs testing. Fri, Nov 20, 4:19 PM

@pasik Can you check if it solves your expectation?

pasik added a comment. Sun, Nov 22, 8:21 PM

@Viacheslav Thanks a lot, I'll give it a go, hopefully sometime next week.