Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1652653

Summary: [RFE] support routing rules in NetworkManager for policy-routing
Product: Red Hat Enterprise Linux 7 Reporter: Thomas Haller <thaller>
Component: NetworkManagerAssignee: Thomas Haller <thaller>
Status: CLOSED ERRATA QA Contact: Desktop QE <desktop-qa-list>
Severity: unspecified Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: unspecified    
Version: 7.6CC: atragler, bgalvani, dsneddon, fgiudici, jmaxwell, lrintel, mailinglists35, pasik, rkhan, sukulkar, thaller, vbenes
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: NetworkManager-1.18.0-1.el7 Doc Type: Enhancement
Doc Text:
.`NetworkManager` now supports configuring policy routing rules Previously, users must set up policy routing rules outside of `NetworkManager`, for example by using the dispatcher script provided by the `NetworkManager-dispatcher-routing-rules` package. With this update, users can now configure rules as part of a connection profile. As a result, `NetworkManager` adds the rules when the profile is activated and removes the rules when the profile is deactivated.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-06 13:16:25 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1589419, 1654714, 1709731    

Description Thomas Haller 2018-11-22 14:37:03 UTC 
NM got support to configure the routing table (policy routing).

However, that is only half the feature, because one must also configure the routing rules.

See details here: https://bugzilla.redhat.com/show_bug.cgi?id=1589419#c3
Comment 6 Thomas Haller 2019-03-27 15:37:46 UTC 
fixed upstream: https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=768001473279d2ce70599ee1838eb0d594b51223
Comment 8 Vladimir Benes 2019-04-12 11:35:00 UTC 
I still see duplicates in ip rule table after executing simple test:

    @ipv4_routing_rules_manipulation
    Scenario: NM - ipv4 - routing rules manipulation
    * Add a new connection of type "ethernet" and options "ifname eth3 con-name con_ipv4 autoconnect no"
    * Bring "up" connection "con_ipv4"
    * Modify connection "con_ipv4" changing options "ipv4.routing-rules 'priority 5 table 6, priority 6 from 192.168.6.7/32 table 7'"
    * Bring "up" connection "con_ipv4"
    When "activated" is visible with command "nmcli -g GENERAL.STATE con show con_ipv4" in "20" seconds
    # * Reboot
    # When "activated" is visible with command "nmcli -g GENERAL.STATE con show con_ipv4" in "20" seconds
    When "5:\s+from all lookup 6\s+6:\s+from 192.168.6.7 lookup 7" is visible with command "ip rule"
    * Bring "down" connection "con_ipv4"
    Then "5:\s+from all lookup 6\s+6:\s+from 192.168.6.7 lookup 7" is not visible with command "ip rule"
    And "3" is visible with command "ip rule |wc -l"


[root@wsfd-netdev34-vm-1 NetworkManager-ci]# ip rule
0:	from all lookup local 
0:	from all lookup local 
0:	from all lookup local 
32766:	from all lookup main 
32766:	from all lookup main 
32766:	from all lookup main 
32767:	from all lookup default 
32767:	from all lookup default 
32767:	from all lookup default
Comment 9 Thomas Haller 2019-04-16 06:15:32 UTC 
in recent test runs, the @ipv4_routing_rules_manipulation seems to pass consistently. Why is that? Do you have a pointer to logs showing the failure?
Comment 10 Thomas Haller 2019-04-17 12:18:15 UTC 
should be fixed by https://gitlab.freedesktop.org/NetworkManager/NetworkManager/merge_requests/115
Comment 11 Thomas Haller 2019-04-18 09:25:39 UTC 
(In reply to Thomas Haller from comment #10)
> should be fixed by
> https://gitlab.freedesktop.org/NetworkManager/NetworkManager/merge_requests/115

fixed upstream
Comment 12 Vladimir Benes 2019-04-23 13:25:31 UTC 
Working well now.
Comment 19 Thomas Haller 2019-05-24 07:53:25 UTC 
(In reply to Vladimir Benes from comment #16)

> > like in comment #8
> >
> > > nmcli con add type ethernet ifname eth3 con-name con_ipv4 autoconnect no
> > ipv4.routing-rules 'priority 5 table 6, priority 6 from 192.168.6.7/32 table
> > 7'
>
> Thanks, but what I'm missing is how to add multiple rules. Would these be added with a single update to ipv4.routing-rules? If so, should it be comma-
> delimited, or how should multiple rules be expressed?

The example already shows 2 rules, and yes, they are separated by comma.

Hopefully, it should work just like you would expect:

  nmcli connection modify "$PROFILE"  ipv4.routing-rules   'priority 5 table 6,    priority 6 from 192.168.6.7/32 table 7'
  nmcli connection modify "$PROFILE" +ipv4.routing-rules   'priority 7 table 6,    priority 8 table 8'
  nmcli connection modify "$PROFILE" -ipv4.routing-rules   'priority 7 table 6,    priority 6 from 192.168.6.7/32 table 7'

or even

  nmcli connection modify "$PROFILE" ipv4.routing-rules 'priority 7 table 6' +ipv4.routing-rules 'priority 8 table 8'


(note that before NetworkManager 1.16, the "-" modifier did not accept a list of values. So, on older versions

  nmcli connection modify "$PROFILE" -ipv4.addresses "192.168.7.6/24,192.168.8.6/24"

would fail)


(and as always, changes to a profile only take effect after (re-)activating the profile).
Comment 22 errata-xmlrpc 2019-08-06 13:16:25 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2302
Comment 23 Thomas Haller 2020-01-07 15:05:59 UTC 
*** Bug 1589419 has been marked as a duplicate of this bug. ***