Bug 1652653 - [RFE] support routing rules in NetworkManager for policy-routing
Summary: [RFE] support routing rules in NetworkManager for policy-routing
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: NetworkManager
Version: 7.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Thomas Haller
QA Contact: Desktop QE
Marc Muehlfeld
URL:
Whiteboard:
Duplicates: 1589419
Depends On:
Blocks: 1589419 1654714 NST_77ReleaseNotes
 
Reported: 2018-11-22 14:37 UTC by Thomas Haller
Modified: 2021-08-30 13:18 UTC

Fixed In Version: NetworkManager-1.18.0-1.el7
Doc Type: Enhancement
Doc Text:
.`NetworkManager` now supports configuring policy routing rules

Previously, users had to set up policy routing rules outside of `NetworkManager`, for example by using the dispatcher script provided by the `NetworkManager-dispatcher-routing-rules` package. With this update, users can configure rules as part of a connection profile. As a result, `NetworkManager` adds the rules when the profile is activated and removes them when the profile is deactivated.
Clone Of:
Environment:
Last Closed: 2019-08-06 13:16:25 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 288823 0 None None None 2020-01-07 15:05:58 UTC
Red Hat Product Errata RHBA-2019:2302 0 None None None 2019-08-06 13:16:51 UTC

Internal Links: 1645689 1789475 1789482

Description Thomas Haller 2018-11-22 14:37:03 UTC
NM got support to configure the routing table (policy routing).

However, that is only half the feature, because one must also configure the routing rules.

See details here: https://bugzilla.redhat.com/show_bug.cgi?id=1589419#c3

Comment 8 Vladimir Benes 2019-04-12 11:35:00 UTC
I still see duplicates in ip rule table after executing simple test:

    @ipv4_routing_rules_manipulation
    Scenario: NM - ipv4 - routing rules manipulation
    * Add a new connection of type "ethernet" and options "ifname eth3 con-name con_ipv4 autoconnect no"
    * Bring "up" connection "con_ipv4"
    * Modify connection "con_ipv4" changing options "ipv4.routing-rules 'priority 5 table 6, priority 6 from 192.168.6.7/32 table 7'"
    * Bring "up" connection "con_ipv4"
    When "activated" is visible with command "nmcli -g GENERAL.STATE con show con_ipv4" in "20" seconds
    # * Reboot
    # When "activated" is visible with command "nmcli -g GENERAL.STATE con show con_ipv4" in "20" seconds
    When "5:\s+from all lookup 6\s+6:\s+from 192.168.6.7 lookup 7" is visible with command "ip rule"
    * Bring "down" connection "con_ipv4"
    Then "5:\s+from all lookup 6\s+6:\s+from 192.168.6.7 lookup 7" is not visible with command "ip rule"
    And "3" is visible with command "ip rule |wc -l"


[root@wsfd-netdev34-vm-1 NetworkManager-ci]# ip rule
0:	from all lookup local 
0:	from all lookup local 
0:	from all lookup local 
32766:	from all lookup main 
32766:	from all lookup main 
32766:	from all lookup main 
32767:	from all lookup default 
32767:	from all lookup default 
32767:	from all lookup default
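
Added example (not part of the bug thread or of NetworkManager-ci): a shell check for the state the scenario in comment 8 expects after the profile is brought down, namely only the three default IPv4 rules, each listed once. The function names and the stale-rule sample are constructed for illustration; on a live host the input would be `ip rule | audit_after_down`.

```shell
#!/bin/sh
# Added example: audits `ip rule` text (IPv4) for duplicate or stale rules.

# Collapse tabs and repeated blanks so rules compare equal regardless of spacing.
normalize_rules() {
    tr '\t' ' ' | sed -e 's/  */ /g' -e 's/^ //' -e 's/ $//' -e '/^$/d'
}

# Print every rule listed more than once as "<count>x <rule>".
duplicate_rules() {
    normalize_rules | sort | uniq -c |
        awk '$1 > 1 { n = $1; sub(/^ *[0-9]+ /, ""); print n "x " $0 }'
}

# Print rules other than the kernel's three defaults (rules a profile left behind).
leftover_rules() {
    normalize_rules | sort -u | awk '
        $0 != "0: from all lookup local" &&
        $0 != "32766: from all lookup main" &&
        $0 != "32767: from all lookup default"'
}

# Read `ip rule` output on stdin; exit status is 0 only if the table is clean.
audit_after_down() {
    rules=$(cat)
    dups=$(printf '%s\n' "$rules" | duplicate_rules)
    left=$(printf '%s\n' "$rules" | leftover_rules)
    [ -z "$dups" ] || printf '%s\n' "$dups" | sed 's/^/duplicate: /'
    [ -z "$left" ] || printf '%s\n' "$left" | sed 's/^/leftover: /'
    [ -z "$dups" ] && [ -z "$left" ]
}

# Sample inputs. sample_dup holds the same rules as the listing in comment 8;
# sample_stale is constructed (the profile's two rules still present).
sample_clean() {
    printf '0:\tfrom all lookup local \n32766:\tfrom all lookup main \n'
    printf '32767:\tfrom all lookup default \n'
}
sample_dup()   { sample_clean; sample_clean; sample_clean; }
sample_stale() {
    printf '5:\tfrom all lookup 6 \n6:\tfrom 192.168.6.7 lookup 7 \n'
    sample_clean
}

sample_dup   | audit_after_down || echo "comment 8 listing: not clean"
sample_stale | audit_after_down || echo "stale sample: not clean"
```
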

Comment 9 Thomas Haller 2019-04-16 06:15:32 UTC
In recent test runs, the @ipv4_routing_rules_manipulation seems to pass consistently. Why is that? Do you have a pointer to logs showing the failure?

Comment 10 Thomas Haller 2019-04-17 12:18:15 UTC
Should be fixed by https://gitlab.freedesktop.org/NetworkManager/NetworkManager/merge_requests/115

Comment 11 Thomas Haller 2019-04-18 09:25:39 UTC
(In reply to Thomas Haller from comment #10)
> should be fixed by
> https://gitlab.freedesktop.org/NetworkManager/NetworkManager/merge_requests/115

Fixed upstream.

Comment 12 Vladimir Benes 2019-04-23 13:25:31 UTC
Working well now.

Comment 19 Thomas Haller 2019-05-24 07:53:25 UTC
(In reply to Vladimir Benes from comment #16)

> > like in comment #8
> >
> > > nmcli con add type ethernet ifname eth3 con-name con_ipv4 autoconnect no ipv4.routing-rules 'priority 5 table 6, priority 6 from 192.168.6.7/32 table 7'
>
> Thanks, but what I'm missing is how to add multiple rules. Would these be added with a single update to ipv4.routing-rules? If so, should it be comma-delimited, or how should multiple rules be expressed?

The example already shows 2 rules, and yes, they are separated by comma.

Hopefully, it should work just like you would expect:

  nmcli connection modify "$PROFILE"  ipv4.routing-rules   'priority 5 table 6,    priority 6 from 192.168.6.7/32 table 7'
  nmcli connection modify "$PROFILE" +ipv4.routing-rules   'priority 7 table 6,    priority 8 table 8'
  nmcli connection modify "$PROFILE" -ipv4.routing-rules   'priority 7 table 6,    priority 6 from 192.168.6.7/32 table 7'

or even

  nmcli connection modify "$PROFILE" ipv4.routing-rules 'priority 7 table 6' +ipv4.routing-rules 'priority 8 table 8'


(note that before NetworkManager 1.16, the "-" modifier did not accept a list of values. So, on older versions

  nmcli connection modify "$PROFILE" -ipv4.addresses "192.168.7.6/24,192.168.8.6/24"

would fail)


(and as always, changes to a profile only take effect after (re-)activating the profile).

Comment 22 errata-xmlrpc 2019-08-06 13:16:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2302

Comment 23 Thomas Haller 2020-01-07 15:05:59 UTC
*** Bug 1589419 has been marked as a duplicate of this bug. ***

