Page MenuHomeVyOS Platform

Allow larger table ids in policy route
In progress, NormalPublicBUG

Description

admin@vyos# set vrf name SECOMAT table 
Possible completions:
   <100-65535>          Routing table ID
   10001                

admin@vyos# set policy route PRIVATE_TO_SECOMAT rule 2 set table 
Possible completions:
   <1-200>              Table number
   main                 Main table

Since you can set VRF table numbers between 100 and 65535 (and soon 1-65535, see https://github.com/vyos/vyos-1x/pull/3353) one should be able to use it in a route policy.

I think the code change is necessary just in https://github.com/vyos/vyos-1x/blob/current/interface-definitions/include/policy/route-common.xml.i#L176 .

Details

Version
1.5-rolling-202405310019
Is it a breaking change?
Perfectly compatible

Event Timeline

Viacheslav triaged this task as Normal priority.Jun 1 2024, 11:20 AM

I've created a quick PR for this: https://github.com/vyos/vyos-1x/pull/3581

It's a tiny change but I've also asked for some clarification around how it internally uses fwmarks from people more familiar with the firewall & PBR implementation.

Viacheslav changed the task status from Open to In progress.Jun 5 2024, 7:51 AM
Viacheslav assigned this task to talmakion.

While I think the mismatch between PBR-addressable RTs and VRF RTs is a bit odd, the PR's been rejected and could be addressed differently in any case. In the meantime, VRFs with RTs 100-200 are targetable by PBR.

I'll have another run at this, adding explicit VRF syntax to the PBR set clauses, making it a "policy based route leak". Users will be clear on the intended use, they're not accidentally mixing up RT IDs and VyOS can deal with any special handling required to make PBR leaks work correctly.

Otherwise, if the intention is to simply not support PBR between VRFs at all, there's not much more to be done here and I'll drop the ticket.

New PR that will allow targeting VRFs directly by name, to reach higher table IDs: https://github.com/vyos/vyos-1x/pull/3740

@bernhardschmidt my PR for this made it into current rolling, which rather than just widening the table range, allows using 'set vrf' instead of 'set table' to policy route directly to VRFs with out-of-range RT IDs.

Does this fit your use case?

I've got a follow up PR coming that will cover policy local-route in the same way.

New PR created for matching functionality in policy local-route: https://github.com/vyos/vyos-1x/pull/3938

dmbaturin edited projects, added VyOS Rolling; removed Restricted Project.Mon, Oct 28, 9:52 AM
dmbaturin changed Issue type from Bug (incorrect behavior) to improvement.
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.