Change Details

**Problem:** Policy Based Routing doesn't work on VRRP interfaces. **Reason:** PBR rules are applied to origin interface while VRRP creates another one for itself purposes. **Example:** I'm going to apply routing policy to incoming interface with VRRP feature. Let's imagine it's **eth1**: ``` high-availability { vrrp { group vrrp.1 { interface eth1 priority 220 rfc3768-compatibility virtual-address 192.0.0.1/24 vrid 1 } } } interfaces { ... ethernet eth1 { address 192.0.0.100/24 hw-id 50:00:00:01:00:01 policy { route pbr.TEST } ... } ``` In result, it creates a rule in predefined hook: ``` Chain VYATTA_FW_IN_HOOK (1 references) pkts bytes target prot opt in out source destination 21 1448 pbr.TEST all -- eth1 * 0.0.0.0/0 0.0.0.0/0 ``` But, in fact, VRRP creates another interface - **eth1v1**: ``` Name Interface VRID State Last Transition ------ ----------- ------ ------- ----------------- vrrp.1 eth1v1 1 MASTER 10m26s ``` As result, the rule above doesn't affect to real traffic flow and there is no way to add policy to the eth1v1 directly: ``` set interfaces ethernet eth1v1 policy route pbr.TEST interface ethernet eth1v1: not a valid name Value validation failed Set failed ``` **Workaround:** I can add the next rule manually and it will work: ``` sudo iptables -t mangle -A VYATTA_FW_IN_HOOK -i eth1v1 -j pbr.TEST ``` **Proposed solutions** (both aren't mutually exclusive): 1. The internal logic should check if there are PBR and VRRP on the same parent interface. If yes, additional changes in iptables' rules must be applied. 2. There should be a possibility to add rule directly to VRRP interface. P.S. I see slightly different behavior on 1.2.5 and 1.3, when last one doesn't propose to specify **eth1v1** in the //set interfaces ethernet// command white the first one (1.2.5) does. Anyway, there is no rule to handle the traffic on the both versions.

**Problem:** Policy Based Routing doesn't work on VRRP interfaces. **Reason:** PBR rules are applied to origin interface while VRRP creates another one for itself purposes. **Example:** I'm going to apply routing policy to incoming interface with VRRP feature. Let's imagine it's **eth1**: ``` high-availability { vrrp { group vrrp.1 { interface eth1 priority 220 rfc3768-compatibility virtual-address 192.0.0.1/24 vrid 1 } } } interfaces { ... ethernet eth1 { address 192.0.0.100/24 hw-id 50:00:00:01:00:01 policy { route pbr.TEST } ... } ``` In result, it creates a rule in predefined hook: ``` Chain VYATTA_FW_IN_HOOK (1 references) pkts bytes target prot opt in out source destination 21 1448 pbr.TEST all -- eth1 * 0.0.0.0/0 0.0.0.0/0 ``` But, in fact, VRRP creates another interface - **eth1v1**: ``` Name Interface VRID State Last Transition ------ ----------- ------ ------- ----------------- vrrp.1 eth1v1 1 MASTER 10m26s ``` As result, the rule above doesn't affect to real traffic flow and there is no way to add policy to the eth1v1 directly: ``` set interfaces ethernet eth1v1 policy route pbr.TEST interface ethernet eth1v1: not a valid name Value validation failed Set failed ``` **Workaround:** I can add the next rule manually and it will work: ``` sudo iptables -t mangle -A VYATTA_FW_IN_HOOK -i eth1v1 -j pbr.TEST ``` **Proposed solutions** (both aren't mutually exclusive): 1. The internal logic should check if there are PBR and VRRP on the same parent interface. If yes, additional changes in iptables' rules must be applied. 2. There should be a possibility to add policy directly to VRRP interface. P.S. I see slightly different behavior on 1.2.5 and 1.3, when last one doesn't propose to specify **eth1v1** in the //set interfaces ethernet// command white the first one (1.2.5) does. Anyway, there is no rule to handle the traffic on the both versions.

**Problem:** Policy Based Routing doesn't work on VRRP interfaces. **Reason:** PBR rules are applied to origin interface while VRRP creates another one for itself purposes. **Example:** I'm going to apply routing policy to incoming interface with VRRP feature. Let's imagine it's **eth1**: ``` high-availability { vrrp { group vrrp.1 { interface eth1 priority 220 rfc3768-compatibility virtual-address 192.0.0.1/24 vrid 1 } } } interfaces { ... ethernet eth1 { address 192.0.0.100/24 hw-id 50:00:00:01:00:01 policy { route pbr.TEST } ... } ``` In result, it creates a rule in predefined hook: ``` Chain VYATTA_FW_IN_HOOK (1 references) pkts bytes target prot opt in out source destination 21 1448 pbr.TEST all -- eth1 * 0.0.0.0/0 0.0.0.0/0 ``` But, in fact, VRRP creates another interface - **eth1v1**: ``` Name Interface VRID State Last Transition ------ ----------- ------ ------- ----------------- vrrp.1 eth1v1 1 MASTER 10m26s ``` As result, the rule above doesn't affect to real traffic flow and there is no way to add policy to the eth1v1 directly: ``` set interfaces ethernet eth1v1 policy route pbr.TEST interface ethernet eth1v1: not a valid name Value validation failed Set failed ``` **Workaround:** I can add the next rule manually and it will work: ``` sudo iptables -t mangle -A VYATTA_FW_IN_HOOK -i eth1v1 -j pbr.TEST ``` **Proposed solutions** (both aren't mutually exclusive): 1. The internal logic should check if there are PBR and VRRP on the same parent interface. If yes, additional changes in iptables' rules must be applied. 2. There should be a possibility to add rulepolicy directly to VRRP interface. P.S. I see slightly different behavior on 1.2.5 and 1.3, when last one doesn't propose to specify **eth1v1** in the //set interfaces ethernet// command white the first one (1.2.5) does. Anyway, there is no rule to handle the traffic on the both versions.