VyOS Platform

Allow larger table ids in policy route
In progress, Normal, Public, BUG

Description

admin@vyos# set vrf name SECOMAT table 
Possible completions:
   <100-65535>          Routing table ID
   10001                

admin@vyos# set policy route PRIVATE_TO_SECOMAT rule 2 set table 
Possible completions:
   <1-200>              Table number
   main                 Main table

Since you can set VRF table numbers between 100 and 65535 (and soon 1-65535, see https://github.com/vyos/vyos-1x/pull/3353) one should be able to use it in a route policy.

I think the code change is necessary just in https://github.com/vyos/vyos-1x/blob/current/interface-definitions/include/policy/route-common.xml.i#L176 .

Details

Difficulty level
Unknown (require assessment)
Version
1.5-rolling-202405310019
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

Viacheslav triaged this task as Normal priority. Jun 1 2024, 11:20 AM

I've created a quick PR for this: https://github.com/vyos/vyos-1x/pull/3581

It's a tiny change but I've also asked for some clarification around how it internally uses fwmarks from people more familiar with the firewall & PBR implementation.

Viacheslav changed the task status from Open to In progress. Jun 5 2024, 7:51 AM
Viacheslav assigned this task to talmakion.

While I think the mismatch between PBR-addressable RTs and VRF RTs is a bit odd, the PR's been rejected and could be addressed differently in any case. In the meantime, VRFs with RTs 100-200 are targetable by PBR.

I'll have another run at this, adding explicit VRF syntax to the PBR set clauses, making it a "policy based route leak". Users will be clear on the intended use, they're not accidentally mixing up RT IDs and VyOS can deal with any special handling required to make PBR leaks work correctly.

Otherwise, if the intention is to simply not support PBR between VRFs at all, there's not much more to be done here and I'll drop the ticket.

New PR that will allow targeting VRFs directly by name, to reach higher table IDs: https://github.com/vyos/vyos-1x/pull/3740

@bernhardschmidt my PR for this made it into current rolling, which rather than just widening the table range, allows using 'set vrf' instead of 'set table' to policy route directly to VRFs with out-of-range RT IDs.

Does this fit your use case?

I've got a follow up PR coming that will cover policy local-route in the same way.
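Added example (not part of the bug report or of the VyOS project's own documentation): a configuration that reproduces the mismatch above and then uses the "set vrf" target from the PR in this thread to policy route into a VRF whose table ID lies outside the <1-200> range of "set table". The interface names, the 10.0.0.0/24 prefix and the rule number are assumptions chosen for illustration; the VRF name and table ID are the ones from the report.

```vyos
# Added example, not from the original report. Interface names, the source
# prefix and the rule number are assumptions; SECOMAT / 10001 come from the report.

# A VRF with a routing table ID above 200, as accepted by "set vrf name ... table".
set vrf name SECOMAT table 10001
set interfaces ethernet eth1 address 192.0.2.1/24
set interfaces ethernet eth1 vrf SECOMAT

# Before the change this line is rejected by the CLI validator, because 10001
# is outside the <1-200> range that "set table" accepts:
#   set policy route PRIVATE_TO_SECOMAT rule 2 set table 10001

# After the change: target the VRF by name, so VyOS handles the table lookup.
set policy route PRIVATE_TO_SECOMAT rule 2 description 'policy based route leak into SECOMAT'
set policy route PRIVATE_TO_SECOMAT rule 2 source address 10.0.0.0/24
set policy route PRIVATE_TO_SECOMAT rule 2 set vrf SECOMAT

# Apply the policy to the ingress interface in the default VRF.
set interfaces ethernet eth0 address 10.0.0.1/24
set interfaces ethernet eth0 policy route PRIVATE_TO_SECOMAT

commit
save
```

Because a "set vrf" rule is, as the thread calls it, a policy based route leak, it deliberately punches through the isolation the VRF was created for; keep the match criteria as narrow as the use case allows (source and destination prefixes, protocol, ports) rather than routing everything that arrives on the interface into the other VRF. After commit, the rule set can be checked with the standard Linux tools available from the VyOS shell: "sudo ip rule show" lists the policy rules and the fwmark lookups they use, and "sudo ip route show table 10001" shows the routes the leaked traffic will be resolved against.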

New PR created for matching functionality in policy local-route: https://github.com/vyos/vyos-1x/pull/3938