
PBR policy local-route rule Options Missing
Open, Wishlist, Public, ENHANCEMENT

Description

The options for policy local-route rules are very limited compared to policy route rules. Below, I have the output for the top-level options for each and two sublevel options for each. These are from a system with VyOS Stream 2015-11 installed. If needed, I can supply the differences for every option. I'm not sure that all the options for policy route rules are valid for PBR, but it would be useful to have the options that are valid for PBR be the same for policy route and policy local-route.

Top Level Options:

# set policy route test rule 1
Possible completions:
   action               Rule action
 +  connection-mark      Connection mark
   description          Description
 > destination          Destination parameters
   disable              Disable instance
+  dscp                 DSCP value
+  dscp-exclude         DSCP value not to match
 > fragment             IP fragment match
 > icmp                 ICMP type and code information
 > ipsec                IPsec encapsulated packets
 > limit                Rate limit using a token bucket filter
   log                  Log packets hitting this rule
   mark                 Firewall mark
+  packet-length        Payload size in bytes, including header and data to match
+  packet-length-exclude
                        Payload size in bytes, including header and data not to match
   packet-type          Packet type
   protocol             Protocol to match (protocol name, number, or "all") (default:
                        all)
 > recent               Parameters for matching recently seen sources
 > set                  Packet modifications
 > source               Source parameters
+  state                Session state
 > tcp                  TCP options to match
 > time                 Time to match rule
 > ttl                  Time to live limit
# set policy local-route rule 1
Possible completions:
 > destination          Destination parameters
   fwmark               Match fwmark value
   inbound-interface    Inbound Interface
   protocol             Protocol to match (protocol name or number)
 > set                  Packet modifications
 > source               Source parameters

Sublevel Option 1:

# set policy route test rule 1 source
Possible completions:
   address              IP address, subnet, or range
 > geoip                GeoIP options - Data provided by DB-IP.com
 > group                Group
   mac-address          MAC address
   port                 Port
# set policy local-route rule 1 source
Possible completions:
+  address              IPv4 address or prefix
   port                 Port number used by connection

Sublevel Option 2:

# set policy route test rule 1 source address
Possible completions:
   <x.x.x.x>            IPv4 address to match
   <x.x.x.x/x>          IPv4 prefix to match
   <x.x.x.x>-<x.x.x.x>  IPv4 address range to match
   !<x.x.x.x>           Match everything except the specified address
   !<x.x.x.x/x>         Match everything except the specified prefix
   !<x.x.x.x>-<x.x.x.x> Match everything except the specified range
# set policy local-route rule 1 source address
Possible completions:
   <x.x.x.x>            Address to match against
   <x.x.x.x/x>          Prefix to match against

Details

Version: -
Is it a breaking change?: Behavior change
Issue type: Feature (new functionality)

Event Timeline

The policy local-route is based on the iproute2 package and the ip rule command.
The policy route is based on Netfilter nftables. They are completely different, though they do similar things. iproute2 cannot work with "groups" or reverse IP/network logic.

In case someone wants to add/extend policy local-route, the code is at https://github.com/vyos/vyos-1x/blob/current/src/conf_mode/policy_local-route.py
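To make the backend split concrete, the following is an added example (my own sketch, not vyos-1x code) that renders one local-route rule as the `ip rule add` command it maps to and reports which policy-route address forms (negation, ranges, groups) have no plain address-or-prefix equivalent; the rule dict layout, the constructed sample rule and the function names are assumptions, while the emitted keywords are iproute2 `ip rule` syntax.

```python
import ipaddress
import re

# Constructed sample rule mirroring the local-route tree shown in the task
# (source/destination address and port, fwmark, inbound-interface, protocol,
# set table). The dict layout is an assumption of this example, not the
# vyos-1x config representation.
EXAMPLE_RULE = {
    "source": {"address": "192.0.2.0/24", "port": 5060},
    "fwmark": 10,
    "inbound-interface": "eth0",
    "protocol": "udp",
    "set": {"table": 100},
}

# A start-end range such as 192.0.2.1-192.0.2.9 (no "!" and no "/").
_RANGE = re.compile(r"^[^!/]+-[^!/]+$")


def unsupported_reason(value):
    """Return None if value is a plain host/prefix, else why local-route lacks it."""
    if value.startswith("!"):
        return "negated address: local-route accepts only a plain address or prefix"
    if _RANGE.match(value):
        return "address range: local-route accepts only a plain address or prefix"
    try:
        ipaddress.ip_network(value, strict=False)
    except ValueError:
        return "not an address or prefix (address groups are not available here)"
    return None


def local_route_to_ip_rule(number, rule):
    """Render one local-route rule as `ip rule add` argv; rule number = priority."""
    argv = ["ip", "rule", "add", "priority", str(number)]
    src, dst = rule.get("source", {}), rule.get("destination", {})
    for keyword, side in (("from", src), ("to", dst)):
        if "address" in side:
            reason = unsupported_reason(side["address"])
            if reason:
                raise ValueError(f"{keyword} {side['address']}: {reason}")
            argv += [keyword, side["address"]]
    for cli_key, keyword in (("fwmark", "fwmark"),
                             ("inbound-interface", "iif"),
                             ("protocol", "ipproto")):
        if cli_key in rule:
            argv += [keyword, str(rule[cli_key])]
    for keyword, side in (("sport", src), ("dport", dst)):
        if "port" in side:
            argv += [keyword, str(side["port"])]
    # `set table` selects the routing table the matching traffic is sent to.
    argv += ["lookup", str(rule.get("set", {}).get("table", "main"))]
    return argv
```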

Viacheslav triaged this task as Wishlist priority. Fri, Jan 2, 11:59 AM