
Policy Route - Add load balancer capabilities
Open, Wishlist, Public, Feature Request

Description

Main idea is to be able to distribute connections from a LAN to multiple WANs, using policy routes.
Something similar to Mikrotik pcc

A proposed cli could be:

set policy route <name> rule <number> connection-classifier selection-pattern <destination-address | destination-port | source-address | source-port>
set policy route <name> rule <number> connection-classifier rule 1 probability <0-100> jump-target <jump_target_01>
set policy route <name> rule <number> connection-classifier rule 2 probability <0-100> jump-target <jump_target_02>
...

Example: matching based on src and dst ip address:

set policy route LAN rule 30 connection-classifier selection-pattern source-address
set policy route LAN rule 30 connection-classifier selection-pattern destination-address
set policy route LAN rule 30 connection-classifier rule 1 probability 50 jump-target OUT_WAN01
set policy route LAN rule 30 connection-classifier rule 2 probability 50 jump-target OUT_WAN02

# Which should lead to the following nft command:
sudo nft add rule ip vyos_mangle VYOS_PBR_LAN ct mark 0 counter jhash ip saddr . ip daddr mod 100 vmap { 0-49 : jump VYOS_PBR_LAN-TO-WAN01 , 50-99 : jump VYOS_PBR_LAN-TO-WAN02 }


### Then also create both chains to associate the previous selection with the desired routing table
# LAN-TO-WAN01
set policy route LAN-TO-WAN01 rule 10 set table 111
# LAN-TO-WAN02
set policy route LAN-TO-WAN02 rule 10 set table 122

References:
https://manpages.debian.org/testing/nftables/nft.8.en.html#HASH_EXPRESSIONS
https://manpages.debian.org/testing/nftables/nft.8.en.html#VMAP_STATEMENT
https://manpages.debian.org/testing/nftables/nft.8.en.html#VERDICT_STATEMENT
https://wiki.nftables.org/wiki-nftables/index.php/Load_balancing

Details

Difficulty level
Unknown (require assessment)
Version
vyos-1.4-rolling-202302150317
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

n.fort changed Version from - to vyos-1.4-rolling-202302150317.
n.fort changed Issue type from Unspecified (please specify) to Feature (new functionality).
This comment was removed by n.fort.

A 2nd proposal could be:

set policy route <name> rule <number> connection-classifier selection-pattern <destination-address | destination-port | source-address | source-port>
set policy route <name> rule <number> connection-classifier upper-boundary <number>
set policy route <name> rule <number> connection-classifier hash-result <number>
set policy route <name> rule <number> set table <number>

Same example as shown in task description:

set policy route LAN rule 30 connection-classifier selection-pattern source-address
set policy route LAN rule 30 connection-classifier selection-pattern destination-address
set policy route LAN rule 30 connection-classifier upper-boundary 2
set policy route LAN rule 30 connection-classifier hash-result 0
set policy route LAN rule 30 set table 111
    --> sudo nft add rule ip vyos_mangle VYOS_PBR_LAN counter meta mark set jhash ip saddr . ip daddr mod 2 map {0 : 0x7fffff90 }

set policy route LAN rule 40 connection-classifier selection-pattern source-address
set policy route LAN rule 40 connection-classifier selection-pattern destination-address
set policy route LAN rule 40 connection-classifier upper-boundary 2
set policy route LAN rule 40 connection-classifier hash-result 1
set policy route LAN rule 40 set table 222
    --> sudo nft add rule ip vyos_mangle VYOS_PBR_LAN counter meta mark set jhash ip saddr . ip daddr mod 2 map {1 : 0x7fffff85 }

Pros of this 2nd proposal:

  • Just match the connection based on the pattern, and then you are free to do what you want in action/set

Cons:

  • Needs more rules
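The following is an added example, not VyOS code and not part of this task: a small Python model of both proposals that renders the proposed CLI as the nft rules shown above and performs the checks a reviewer would want before such rules reach a router (probabilities that do not sum to 100 leave hash values outside the vmap; the second proposal needs one rule per hash result or some connections are never marked). The `nft` strings for the address patterns reproduce the task's own commands; the `th sport` / `th dport` selectors for the port patterns, the mark formula `0x7fffffff - table` (which is what the task's `0x7fffff90` and `0x7fffff85` equal for tables 111 and 122), the use of `zlib.crc32` as a stand-in for the kernel's jhash, and the flow addresses are all assumptions of the example.

```python
"""Added example (not VyOS code): render the two proposed `connection-classifier`
CLI shapes from this task as nft rules, with sanity checks on the input."""
import zlib

# Proposed CLI keyword -> nft selector. The address keys come from the task;
# the port keys use nft's transport-header `th` selector (assumption).
PATTERN_KEYS = {
    "source-address": "ip saddr",
    "destination-address": "ip daddr",
    "source-port": "th sport",
    "destination-port": "th dport",
}

MAIN_MARK = 0x7FFFFFFF  # assumed base: 0x7fffffff - 111 == 0x7fffff90 as in the task


def hash_expr(patterns, modulus):
    """Build `jhash <key> . <key> mod <modulus>` from the selection-pattern list."""
    if not patterns:
        raise ValueError("at least one selection-pattern is required")
    keys = " . ".join(PATTERN_KEYS[p] for p in patterns)
    return f"jhash {keys} mod {modulus}"


def table_mark(table):
    """fwmark for `set table <n>` (assumed formula 0x7fffffff - table)."""
    if not 1 <= table < MAIN_MARK:
        raise ValueError(f"table {table} out of range")
    return MAIN_MARK - table


def proposal1_rule(policy, patterns, buckets):
    """First proposal: one rule whose vmap maps percentage ranges to jump targets.

    `buckets` is a list of (probability, jump_target). The probabilities must
    sum to exactly 100; otherwise some hash values fall through the vmap and
    that share of the traffic is silently left unclassified.
    """
    total = sum(p for p, _ in buckets)
    if total != 100:
        raise ValueError(f"probabilities sum to {total}, not 100")
    if any(p <= 0 for p, _ in buckets):
        raise ValueError("every probability must be positive")
    elements, start = [], 0
    for prob, target in buckets:
        end = start + prob - 1
        key = f"{start}-{end}" if end > start else f"{start}"
        elements.append(f"{key} : jump VYOS_PBR_{target}")
        start = end + 1
    vmap = " , ".join(elements)
    return (f"nft add rule ip vyos_mangle VYOS_PBR_{policy} ct mark 0 counter "
            f"{hash_expr(patterns, 100)} vmap {{ {vmap} }}")


def proposal2_rule(policy, patterns, upper_boundary, hash_result, table):
    """Second proposal: one rule per hash result, each setting the table mark directly."""
    if not 0 <= hash_result < upper_boundary:
        raise ValueError(f"hash-result {hash_result} outside 0..{upper_boundary - 1}")
    return (f"nft add rule ip vyos_mangle VYOS_PBR_{policy} counter meta mark set "
            f"{hash_expr(patterns, upper_boundary)} map "
            f"{{ {hash_result} : 0x{table_mark(table):08x} }}")


def missing_hash_results(rules, upper_boundary):
    """Proposal 2 needs a rule for every value 0..upper-1; return the unhandled ones."""
    covered = {r["hash_result"] for r in rules}
    return [h for h in range(upper_boundary) if h not in covered]


def classify(patterns, flow, buckets):
    """Stand-in for the kernel: the bucket index a flow lands in under proposal 1.

    zlib.crc32 replaces jhash (which nft seeds randomly unless `seed` is given),
    so the numbers differ from a real router, but the property the proposal
    relies on is visible: the same selected fields always pick the same bucket.
    """
    key = "|".join(str(flow[p]) for p in patterns).encode()
    value = zlib.crc32(key) % 100
    start = 0
    for idx, (prob, _) in enumerate(buckets):
        if value < start + prob:
            return idx
        start += prob
    raise AssertionError("probabilities do not cover 0..99")


if __name__ == "__main__":
    pats = ["source-address", "destination-address"]
    wans = [(50, "LAN-TO-WAN01"), (50, "LAN-TO-WAN02")]
    print(proposal1_rule("LAN", pats, wans))
    print(proposal2_rule("LAN", pats, 2, 0, 111))
    print(missing_hash_results([{"hash_result": 0}], 2))  # [1]: second rule missing
    # Constructed flow, documentation addresses only.
    flow = {"source-address": "192.0.2.10", "destination-address": "198.51.100.7"}
    print(classify(pats, flow, wans))
```

Running the block prints the two rule strings from the task (without `sudo`) followed by the coverage check and the bucket chosen for the constructed flow. Note from the nft manual that `jhash` takes an optional `seed`; without one the seed is chosen at ruleset load, so a reload can reassign existing flows to a different bucket unless the verdict is persisted per connection.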
Viacheslav triaged this task as Wishlist priority. Jan 20 2024, 11:53 AM