Bug 2136820
| Summary: | [RFE] Allow policy based routing based on marking in nmstate | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | sfaye |
| Component: | nmstate | Assignee: | Fernando F. Mancera <ferferna> |
| Status: | CLOSED ERRATA | QA Contact: | Mingyu Shi <mshi> |
| Severity: | urgent | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 9.1 | CC: | ferferna, fge, jiji, jishi, network-qe, till |
| Target Milestone: | rc | Keywords: | FutureFeature, Triaged |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-05-09 07:31:50 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Merged upstream! The description of the bug is confusing.
This bug is asking for routing policy support based on marking, which means that the user should be able to specify fwmark and fwmask for each routing policy.
This is an example desired state from Nmstate:
```
route-rules:
  config:
  - ip-to: 192.0.2.0/24
    ip-from: 198.51.100.0/24
    priority: 100
    route-table: 254
    fwmark: 0x30
    fwmask: 0x10
```
Thanks!
Verified with:
nmstate-2.2.7-1.el9.x86_64
nispor-1.2.10-1.el9.x86_64
NetworkManager-1.42.0-1.el9.x86_64
```
[11:41:27@dell-per740-68 ~]0# nmstatectl set newrules.yaml
Using 'set' is deprecated, use 'apply' instead.
[2023-02-27T03:41:33Z INFO nmstate::query_apply::net_state] Created checkpoint /org/freedesktop/NetworkManager/Checkpoint/1
[2023-02-27T03:41:33Z INFO nmstate::ifaces::inter_ifaces] Ignoring interface eno3 type ethernet
[2023-02-27T03:41:33Z INFO nmstate::ifaces::inter_ifaces] Ignoring interface ens3f0np0 type ethernet
[2023-02-27T03:41:33Z INFO nmstate::ifaces::inter_ifaces] Ignoring interface eno4 type ethernet
[2023-02-27T03:41:33Z INFO nmstate::ifaces::inter_ifaces] Ignoring interface enp59s0 type ethernet
[2023-02-27T03:41:33Z INFO nmstate::ifaces::inter_ifaces] Ignoring interface ens3f1np1 type ethernet
[2023-02-27T03:41:33Z INFO nmstate::ifaces::inter_ifaces] Ignoring interface eno2 type ethernet
[2023-02-27T03:41:33Z INFO nmstate::nm::query_apply::profile] Creating connection UUID Some("1c5543c4-e80e-46b1-8101-cd37e8562003"), ID Some("veth0"), type Some("802-3-ethernet") name Some("veth0")
[2023-02-27T03:41:33Z INFO nmstate::nm::query_apply::profile] Activating connection 1c5543c4-e80e-46b1-8101-cd37e8562003: veth0/802-3-ethernet
[2023-02-27T03:41:33Z INFO nmstate::query_apply::net_state] Destroyed checkpoint /org/freedesktop/NetworkManager/Checkpoint/1
dns-resolver: {}
route-rules:
  config:
  - ip-from: 198.51.100.0/24
    ip-to: 192.0.2.0/24
    priority: 100
    route-table: 254
    fwmark: '0x30'
    fwmask: '0x10'
    iif: veth0
routes: {}
interfaces: []
ovs-db: {}
[11:41:33@dell-per740-68 ~]0# ip rule
0:      from all lookup local
100:    from 198.51.100.0/24 to 192.0.2.0/24 fwmark 0x30/0x10 iif veth0 lookup main proto static
32766:  from all lookup main
32767:  from all lookup default
```
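As an added example (not nmstate's or NetworkManager's code), the following Python sanity-checks a `route-rules` entry like the one verified above and renders the `ip rule` line it should produce. It mirrors the kernel's fib_rules.c matching as I read it: a packet matches when `(packet_mark ^ fwmark) & fwmask == 0`, an explicit fwmask wins, and without one a non-zero fwmark is compared on all 32 bits while a zero fwmark is compared on none. The rule dict and packet marks are constructed from the verification output above.

```python
# Added example (not nmstate's or NetworkManager's code): sanity-check an nmstate
# route-rule's fwmark/fwmask and render the `ip rule` line it should produce.
TABLE_NAMES = {253: "default", 254: "main", 255: "local"}
ALL_BITS = 0xFFFFFFFF

def parse_mark(value):
    """nmstate serializes marks as strings such as '0x30'; accept ints or hex/decimal strings."""
    return value if isinstance(value, int) else int(str(value), 0)

def effective_mark(rule):
    """(mark, mask) as the kernel stores them: an explicit fwmask wins, otherwise a
    non-zero fwmark is compared on all 32 bits and a zero fwmark on none."""
    mark = parse_mark(rule.get("fwmark", 0))
    if "fwmask" in rule:
        return mark, parse_mark(rule["fwmask"])
    return mark, (ALL_BITS if mark else 0)

def lint_rule(rule):
    """Flag mark/mask pairs that silently match more traffic than intended."""
    mark, mask = effective_mark(rule)
    if "fwmark" in rule and mask == 0:
        return ["no mark bits are compared; rule matches every packet"]
    if mark & ~mask:
        return [f"mark bits {mark & ~mask:#x} fall outside fwmask and are ignored"]
    return []

def rule_matches(rule, packet_mark):
    """Kernel fib_rule_match test: (packet_mark ^ mark) & mask must be zero."""
    mark, mask = effective_mark(rule)
    return (packet_mark ^ mark) & mask == 0

def to_ip_rule_line(rule):
    """Render the line `ip rule` is expected to show for this desired-state entry."""
    mark, mask = effective_mark(rule)
    parts = [f"{rule.get('priority', 0)}:", f"from {rule.get('ip-from', 'all')}"]
    if "ip-to" in rule:
        parts.append(f"to {rule['ip-to']}")
    if mark or mask:
        parts.append(f"fwmark {mark:#x}" + ("" if mask == ALL_BITS else f"/{mask:#x}"))
    if "iif" in rule:
        parts.append(f"iif {rule['iif']}")
    table = rule.get("route-table", 254)
    parts.append(f"lookup {TABLE_NAMES.get(table, str(table))}")
    return " ".join(parts)

# Constructed input: the route-rule from the verification output above.
PAGE_RULE = {"ip-from": "198.51.100.0/24", "ip-to": "192.0.2.0/24", "priority": 100,
             "route-table": 254, "fwmark": "0x30", "fwmask": "0x10", "iif": "veth0"}
```

`to_ip_rule_line(PAGE_RULE)` yields the rule shown by `ip rule` above (minus the `proto static` that NetworkManager adds), and `lint_rule(PAGE_RULE)` reports that bit 0x20 of fwmark 0x30 lies outside fwmask 0x10, so packets marked 0x10 match this rule just as well as packets marked 0x30.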
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (nmstate bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:2190
Created attachment 1919405 BaselinePOC

Context:
The baseline is the scenario described in the attachment (BaselinePOC):
- The clients are not on the same subnet as the node
- They reach the node from a vlan interface different from br-ex
- The service’s return traffic goes via br-ex (the default gw) and doesn’t reach the client

Requirements:
As a system administrator, I would like to segregate traffic between VRFs and avoid static routes on the OCP nodes while handling the overlapping scenarios.

The overlapping scenarios are:
- Client1 / Client2 may have overlapping IPs
- A SVC2 may have overlapping IP with Client1

To overcome this problem, the attachment (VRFSolution) can be a solution (wrapping the interface inside a VRF) in order to drive the return traffic via the selected interface using policy based routing based on marking. For that, we need to direct the traffic coming with the service’s ClusterIP via the veth leg on the default VRF.

Nmstate should be able to:
- Change the priority of ip rules: we need to have the VRF ip rule have more priority over the local one
- Policy based routing based on marking.