1789475 – RFE: NM should be able to manage iproute tables in /etc/iproute2/rt_tables

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1789475 - RFE: NM should be able to manage iproute tables in /etc/iproute2/rt_tables

Summary: RFE: NM should be able to manage iproute tables in /etc/iproute2/rt_tables

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	NetworkManager
Sub Component:
Version:	8.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	8.0
Assignee:	sushil kulkarni
QA Contact:	Desktop QE
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-01-09 16:24 UTC by Mai Ling
Modified:	2020-04-07 15:03 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-04-07 15:03:26 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1652653	0	unspecified	CLOSED	[RFE] support routing rules in NetworkManager for policy-routing	2021-08-30 13:18:26 UTC

Description Mai Ling 2020-01-09 16:24:06 UTC

Description of problem:

NM has support for automatically creating an deleting routes inside iproute2 tables, as well as user-specified rule creation/deletion, but the pairs of table numbers and names are stored outside NM in /etc/iproute2/rt_tables

While you can specify the table number with ipv4.route-table, an additional step towards fully managing iproute2 rules and tables would be to be able to specify a table by it's name, and if the name does not exist in /etc/iproute2/rt_tables, to be automatically and dynamically created/deleted when the connection is up/down.

A random number or the next available number can be assigned since the number is only used to select the table. 

The existing key "ipv4.route-table" could be modified to accept string values instead of uint32, so:

- an empty string would keep meaning "disabled"

- a string containing just a number from 1 to 252 would mean a table number from rt_tables, and fail bringing up the connection if the rule number is not found

- a string matching one line from rt_tables would choose the existing table number and fail if number not found

- a string named "nm-auto-managed" would mean generate a number and a table name based on the "connection.id", "connection.uuid" or "connection.interface-name". obviously this means user would not be able to name a table "nm-auto-managed" and should be documented in iproute2 package as well

If altering "ipv4.route-table" is not desired, then a new string key name, for example "ipv4.route-table-name" could have the same above meaning.

Version-Release number of selected component (if applicable):
all

How reproducible:
see description

Steps to Reproduce:
1. nmcli connection modify some-name ipv4.route-table nm-auto-managed 
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Thomas Haller 2020-01-09 16:41:27 UTC

I don't think this should be done.


As far as kernel is concerned, a routing table is only a u32 bit number. Only iproute2 honors name mappings in /etc/iproute2/rt_tables (and tools that use iproute2).


When you configure a profile in NetworkManager, then the profile should be self contained as much as possible. Having additional name to number mappings in /etc/iproute2/rt_tables seems very bad to me, because the meaning of the profile depends on additional files.


Also, NetworkManager couldn't verify that the setting is correct. Because a missing alias in rt_tables must not fail validation of the profile entirely (it would be bad if today the profile works, then you edit a line in rt_tables, and after reboot the profil no longer validates -- meaning: it cannot be loaded). Instead, if the value is not in rt_tables, the profile would have partially invalid configuration, that is hard to handle.

Also, NM would have to load the file to resolve the names. Should it cache the file in memory, or reload it everytime when resolving the name? When a profile activates, it would have to resolve the names, but it also would have to cache the name mapping until the profile goes down again.


This makes everything complicated. Having multiple names for the same thing adds complexity. Double so, when the name mappings can change any time.



Note that since [1], for routing rules, we accept the names "main", "local", and "default". But those names are not resolved via /etc/iproute2/rt_tables, they are always hardcoded to the respective numbers that they commonly have.

[1] https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=70b23c7979566f4be46d138dedfa59e215cec44b



> If altering "ipv4.route-table" is not desired, then a new string key name, for example "ipv4.route-table-name" could have the same above meaning.

This not only applies to `ipv4.route-table`. It also applies to properties like `ipv4.routes` and `ipv4.routing-rules`, which can have tables too.

Comment 2 Mai Ling 2020-01-09 17:12:53 UTC

(In reply to Thomas Haller from comment #1)
> I don't think this should be done.
> 
> 
> As far as kernel is concerned, a routing table is only a u32 bit number.
> Only iproute2 honors name mappings in /etc/iproute2/rt_tables (and tools
> that use iproute2).
> 

I never said this is not true or something different

> 
> When you configure a profile in NetworkManager, then the profile should be
> self contained as much as possible. Having additional name to number
> mappings in /etc/iproute2/rt_tables seems very bad to me, because the
> meaning of the profile depends on additional files.
> 

all tutorials on the internet suggest editing rt_tables and giving the tables meaningful names instead of just using kernel numbers

> 
> Also, NetworkManager couldn't verify that the setting is correct. Because a
> missing alias in rt_tables must not fail validation of the profile entirely
> (it would be bad if today the profile works, then you edit a line in
> rt_tables, and after reboot the profil no longer validates -- meaning: it
> cannot be loaded). Instead, if the value is not in rt_tables, the profile
> would have partially invalid configuration, that is hard to handle.
> 

If the editing is done at connection activation, then the value is always generated so even if someone deletes it, at next boot when NM brings up the connection it also generates name and number. How can generating a name/number pair at connection startup make the connection fail validation, when valid names+number have just been generated in the process of activating the connection?

> Also, NM would have to load the file to resolve the names. Should it cache
> the file in memory, or reload it everytime when resolving the name? When a
> profile activates, it would have to resolve the names, but it also would
> have to cache the name mapping until the profile goes down again.
> 

Why should it cache? The kernel/filesystem determines if the file should be cached, I don't understand what sense it would make for NM to cache filesystem file contents.

> 
> This makes everything complicated. Having multiple names for the same thing
> adds complexity. Double so, when the name mappings can change any time.
> 

it does, but until NM can handle rt_tables the user still has to go to two places to configure policy routing, so until then NM still has not full support for policy routing.

I mean, NM does talk to kernel directly and sets up a rule priority number to a table number, but the user would still go anyway check the status with 'ip' (ip route, ip rule) because NM does not show the effective kernel rule list when you look with <nmcli connection show "connname">

Comment 3 Mai Ling 2020-01-09 17:21:49 UTC

>> Also, NM would have to load the file to resolve the names. Should it cache
>> the file in memory, or reload it everytime when resolving the name? When a
>> profile activates, it would have to resolve the names, but it also would
>> have to cache the name mapping until the profile goes down again.
>> 
>
>Why should it cache? The kernel/filesystem determines if the file should be cached, I don't understand what sense it would make for NM to cache filesystem file contents.

sorry I misunderstood this one.
it should work under the assumption that user knows what is doing like modifying the file while there are NM connections that use policy routing.
so NM should behave identically to when an user modifies the ifcfg-interface0 files.

Comment 4 Beniamino Galvani 2020-01-10 09:35:54 UTC

I agree with Thomas' comment, allowing table names that must be resolved through an external file that can change at any time makes the connection profiles not self-contained and can introduce problems hard to debug every time the file is touched externally.

Comment 5 Antonio Cardace 2020-04-07 15:03:26 UTC

I agree with Thomas and Beniamino, as this won't make it in NM closing the bz.

Note You need to log in before you can comment on or make changes to this bug.