Bug 1652653

Summary: [RFE] support routing rules in NetworkManager for policy-routing
Product: Red Hat Enterprise Linux 7
Reporter: Thomas Haller <thaller>
Component: NetworkManager
Assignee: Thomas Haller <thaller>
Status: CLOSED ERRATA
QA Contact: Desktop QE <desktop-qa-list>
Severity: unspecified
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: unspecified
Version: 7.6
CC: atragler, bgalvani, dsneddon, fgiudici, jmaxwell, lrintel, mailinglists35, pasik, rkhan, sukulkar, thaller, vbenes
Target Milestone: rc
Keywords: FutureFeature
Hardware: Unspecified
OS: Unspecified
Fixed In Version: NetworkManager-1.18.0-1.el7
Doc Type: Enhancement
Doc Text:
.`NetworkManager` now supports configuring policy routing rules
Previously, users had to set up policy routing rules outside of `NetworkManager`, for example by using the dispatcher script provided by the `NetworkManager-dispatcher-routing-rules` package. With this update, users can now configure rules as part of a connection profile. As a result, `NetworkManager` adds the rules when the profile is activated and removes the rules when the profile is deactivated.
Last Closed: 2019-08-06 13:16:25 UTC
Type: Bug
Bug Blocks: 1589419, 1654714, 1709731

Description Thomas Haller 2018-11-22 14:37:03 UTC
NM got support to configure the routing table (policy routing).

However, that is only half the feature, because one must also configure the routing rules.

See details here: https://bugzilla.redhat.com/show_bug.cgi?id=1589419#c3

Comment 8 Vladimir Benes 2019-04-12 11:35:00 UTC
I still see duplicates in ip rule table after executing simple test:

    @ipv4_routing_rules_manipulation
    Scenario: NM - ipv4 - routing rules manipulation
    * Add a new connection of type "ethernet" and options "ifname eth3 con-name con_ipv4 autoconnect no"
    * Bring "up" connection "con_ipv4"
    * Modify connection "con_ipv4" changing options "ipv4.routing-rules 'priority 5 table 6, priority 6 from 192.168.6.7/32 table 7'"
    * Bring "up" connection "con_ipv4"
    When "activated" is visible with command "nmcli -g GENERAL.STATE con show con_ipv4" in "20" seconds
    # * Reboot
    # When "activated" is visible with command "nmcli -g GENERAL.STATE con show con_ipv4" in "20" seconds
    When "5:\s+from all lookup 6\s+6:\s+from 192.168.6.7 lookup 7" is visible with command "ip rule"
    * Bring "down" connection "con_ipv4"
    Then "5:\s+from all lookup 6\s+6:\s+from 192.168.6.7 lookup 7" is not visible with command "ip rule"
    And "3" is visible with command "ip rule |wc -l"


[root@wsfd-netdev34-vm-1 NetworkManager-ci]# ip rule
0:	from all lookup local 
0:	from all lookup local 
0:	from all lookup local 
32766:	from all lookup main 
32766:	from all lookup main 
32766:	from all lookup main 
32767:	from all lookup default 
32767:	from all lookup default 
32767:	from all lookup default
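
A check for the symptom shown in the listing above, as an added example that is not part of the original comment or of NetworkManager-ci: it reads `ip rule` output, normalizes whitespace and reports every rule that appears more than once. The function names are hypothetical, and the sample input is constructed from the listing in this comment.

```sh
#!/bin/sh
# Added example; function names are hypothetical.

# Constructed sample: the duplicated `ip rule` listing from comment 8,
# including its inconsistent trailing whitespace.
sample_rules() {
  printf '%b\n' \
    '0:\tfrom all lookup local ' \
    '0:\tfrom all lookup local ' \
    '0:\tfrom all lookup local ' \
    '32766:\tfrom all lookup main ' \
    '32766:\tfrom all lookup main ' \
    '32766:\tfrom all lookup main ' \
    '32767:\tfrom all lookup default ' \
    '32767:\tfrom all lookup default ' \
    '32767:\tfrom all lookup default'
}

# Collapse tabs and runs of spaces and trim both ends, so that
# "lookup default " and "lookup default" compare equal; skip blank lines.
normalize_rules() {
  awk 'NF { $1 = $1; print }'
}

# stdin: `ip rule` output. Prints "<count> <rule>" for every rule seen more
# than once, in first-seen order. Exit status is 1 if any duplicate exists.
find_duplicate_rules() {
  normalize_rules | awk '
    { if (!($0 in seen)) order[++n] = $0; seen[$0]++ }
    END {
      for (i = 1; i <= n; i++)
        if (seen[order[i]] > 1) {
          printf "%d %s\n", seen[order[i]], order[i]
          dup = 1
        }
      exit (dup ? 1 : 0)
    }'
}

# stdin: `ip rule` output. Prints the number of distinct rules.
count_unique_rules() {
  normalize_rules | sort -u | wc -l | tr -d ' '
}

# Demo on the constructed sample; on a live host: ip rule | find_duplicate_rules
sample_rules | find_duplicate_rules || echo "duplicate rules present"
echo "distinct rules: $(sample_rules | count_unique_rules)"
```
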

Comment 9 Thomas Haller 2019-04-16 06:15:32 UTC
In recent test runs, the @ipv4_routing_rules_manipulation seems to pass consistently. Why is that? Do you have a pointer to logs showing the failure?

Comment 10 Thomas Haller 2019-04-17 12:18:15 UTC
should be fixed by https://gitlab.freedesktop.org/NetworkManager/NetworkManager/merge_requests/115

Comment 11 Thomas Haller 2019-04-18 09:25:39 UTC
(In reply to Thomas Haller from comment #10)
> should be fixed by
> https://gitlab.freedesktop.org/NetworkManager/NetworkManager/merge_requests/115

fixed upstream

Comment 12 Vladimir Benes 2019-04-23 13:25:31 UTC
Working well now.

Comment 19 Thomas Haller 2019-05-24 07:53:25 UTC
(In reply to Vladimir Benes from comment #16)

> > like in comment #8
> >
> > > nmcli con add type ethernet ifname eth3 con-name con_ipv4 autoconnect no ipv4.routing-rules 'priority 5 table 6, priority 6 from 192.168.6.7/32 table 7'
>
> Thanks, but what I'm missing is how to add multiple rules. Would these be added with a single update to ipv4.routing-rules? If so, should it be comma-delimited, or how should multiple rules be expressed?

The example already shows 2 rules, and yes, they are separated by comma.

Hopefully, it should work just like you would expect:

  nmcli connection modify "$PROFILE"  ipv4.routing-rules   'priority 5 table 6,    priority 6 from 192.168.6.7/32 table 7'
  nmcli connection modify "$PROFILE" +ipv4.routing-rules   'priority 7 table 6,    priority 8 table 8'
  nmcli connection modify "$PROFILE" -ipv4.routing-rules   'priority 7 table 6,    priority 6 from 192.168.6.7/32 table 7'

or even

  nmcli connection modify "$PROFILE" ipv4.routing-rules 'priority 7 table 6' +ipv4.routing-rules 'priority 8 table 8'


(note that before NetworkManager 1.16, the "-" modifier did not accept a list of values. So, on older versions

  nmcli connection modify "$PROFILE" -ipv4.addresses "192.168.7.6/24,192.168.8.6/24"

would fail)


(and as always, changes to a profile only take effect after (re-)activating the profile).

Comment 22 errata-xmlrpc 2019-08-06 13:16:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2302

Comment 23 Thomas Haller 2020-01-07 15:05:59 UTC
*** Bug 1589419 has been marked as a duplicate of this bug. ***