Problem:
Policy Based Routing doesn't work on VRRP interfaces.
Reason:
PBR rules are applied to origin interface while VRRP creates another one for itself purposes.
Example:
I'm going to apply routing policy to incoming interface with VRRP feature. Let's imagine it's eth1:
high-availability { vrrp { group vrrp.1 { interface eth1 priority 220 rfc3768-compatibility virtual-address 192.0.0.1/24 vrid 1 } } } interfaces { ... ethernet eth1 { address 192.0.0.100/24 hw-id 50:00:00:01:00:01 policy { route pbr.TEST } ... }
In result, it creates a rule in predefined hook:
Chain VYATTA_FW_IN_HOOK (1 references) pkts bytes target prot opt in out source destination 21 1448 pbr.TEST all -- eth1 * 0.0.0.0/0 0.0.0.0/0
But, in fact, VRRP creates another interface - eth1v1:
Name Interface VRID State Last Transition ------ ----------- ------ ------- ----------------- vrrp.1 eth1v1 1 MASTER 10m26s
As result, the rule above doesn't affect to real traffic flow and there is no way to add policy to the eth1v1 directly:
set interfaces ethernet eth1v1 policy route pbr.TEST interface ethernet eth1v1: not a valid name Value validation failed Set failed
Workaround:
I can add the next rule manually and it will work:
sudo iptables -t mangle -A VYATTA_FW_IN_HOOK -i eth1v1 -j pbr.TEST
Proposed solutions (both aren't mutually exclusive):
- The internal logic should check if there are PBR and VRRP on the same parent interface. If yes, additional changes in iptables' rules must be applied.
- There should be a possibility to add policy directly to VRRP interface.
P.S. I see slightly different behavior on 1.2.5 and 1.3, when last one doesn't propose to specify eth1v1 in the set interfaces ethernet command white the first one (1.2.5) does. Anyway, there is no rule to handle the traffic on the both versions.