Policy routing with Network Manager?
I have a host that is on a few different subnets, and I need to set up a policy for correct routing of traffic depending on the source network. On CentOS 5 I was able to set up policy routing by creating routes and rules in the files /etc/sysconfig/network-scripts/{rule,route}-eth0. Is there a different way to do this on CentOS 7 when using NetworkManager? So far I have found that NM seems to control the connections themselves and some basic route settings, but I have not found any mention of policy routes.
Re: Policy routing with Network Manager?
NetworkManager has a nice command-line interface for doing exactly this.
http://linux.die.net/man/1/nmcli
-- Jeremy --
Re: Policy routing with Network Manager?
jyoung wrote:
NetworkManager has a nice command-line interface for doing exactly this.
http://linux.die.net/man/1/nmcli
nmcli has no commands to set up policy routing, at least that I can see. Please post an example if you already know how to do it; otherwise please don't post generic links to documentation if you aren't willing to actually provide help. No one gains anything from people who post "RTFM"-type replies.
Re: Policy routing with Network Manager?
Sometimes, RTFM is what people want to do, they're just not sure which manual to read.
With that said, here's an example from my Fedora 21 desktop:
List all existing connections of which NetworkManager is aware:
[root@young jyoung]# nmcli con show
NAME            UUID                                  TYPE            DEVICE
virbr0-nic      dc9abaa0-a3c3-4b61-b5a4-f2a1ccbf9b3b  generic         virbr0-nic
virbr0          12bdfaca-99e7-4bc2-a866-ba91ea8bf02b  bridge          virbr0
Wired Internet  f5dc9fe0-f5a5-4f55-9944-320706637835  802-3-ethernet  em1
tun0            15fd0495-84b4-40d6-8499-6f982e0239b1  generic         --
virbr1          d2c13d58-0bda-4444-b2f5-a6ed95c8b4a9  bridge          virbr1
Edit the desired connection, dropping you to an nmcli shell:
[root@young jyoung]# nmcli con edit Wired\ Internet
===| nmcli interactive connection editor |===
Editing existing '802-3-ethernet' connection: 'Wired Internet'
Type 'help' or '?' for available commands.
Type 'describe [<setting>.<prop>]' for detailed property description.
You may edit the following settings: connection, 802-3-ethernet (ethernet), 802-1x, ipv4, ipv6, dcb
nmcli>
Select the desired section which you'd like to edit:
nmcli> goto ipv4
You may edit the following properties: method, dns, dns-search, addresses, address-labels, routes, ignore-auto-routes, ignore-auto-dns, dhcp-client-id, dhcp-send-hostname, dhcp-hostname, never-default, may-fail
nmcli ipv4>
List the current settings of your selected connection:
nmcli ipv4> print
['ipv4' setting values]
ipv4.method: auto
ipv4.dns: 192.168.1.1
ipv4.dns-search:
ipv4.addresses:
ipv4.routes:
ipv4.ignore-auto-routes: no
ipv4.ignore-auto-dns: no
ipv4.dhcp-client-id: --
ipv4.dhcp-send-hostname: yes
ipv4.dhcp-hostname: --
ipv4.never-default: no
ipv4.may-fail: yes
Add (a) static route(s), comma-delimited (this example, of course, uses a completely made-up gateway):
nmcli ipv4> set routes 10.10.10.0/24 172.16.34.1, 10.10.20.0/24 172.16.34.1, 10.10.45.0/23 172.16.34.1
nmcli ipv4> print
['ipv4' setting values]
ipv4.method: auto
ipv4.dns: 192.168.1.1
ipv4.dns-search:
ipv4.addresses:
ipv4.routes: { dst = 10.10.10.0/24, nh = 172.16.34.1, mt = 0 }; { dst = 10.10.20.0/24, nh = 172.16.34.1, mt = 0 }; { dst = 10.10.45.0/23, nh = 172.16.34.1, mt = 0 }
ipv4.ignore-auto-routes: no
ipv4.ignore-auto-dns: no
ipv4.dhcp-client-id: --
ipv4.dhcp-send-hostname: yes
ipv4.dhcp-hostname: --
ipv4.never-default: no
ipv4.may-fail: yes
nmcli ipv4>
Save your changes, and exit the nmcli shell:
nmcli ipv4> save
Connection 'Wired Internet' (f5dc9fe0-f5a5-4f55-9944-320706637835) successfully updated.
nmcli ipv4> quit
The connection is not saved. Do you really want to quit? (yes/no) [no] no
nmcli ipv4> save
Connection 'Wired Internet' (f5dc9fe0-f5a5-4f55-9944-320706637835) successfully updated.
nmcli ipv4> quit
Reload the connection that you've modified:
nmcli con down Wired\ Internet; nmcli con up Wired\ Internet
And, here's a better reference.
http://fedoraproject.org/wiki/Networkin ... connection
-- Jeremy --
- Super Jamie
Re: Policy routing with Network Manager?
That's a great walkthrough for adding a route via nmcli, but it's not policy routing.
NetworkManager will read existing route-ethX files, however looking through the source, there is no mention of reading rule-ethX or policy-based routing at all. There don't appear to be functions which create the separate routing tables required for policy routing.
I'm guessing you will need to disable NM and continue using the old initscripts to get persistent policy routing.
(or stop using policy routing because it's a terrible idea)
Re: Policy routing with Network Manager?
My apologies for the misunderstanding. That's a new concept for me (or better yet, something that I don't see much application for), and is something that I should have looked up before responding.
-- Jeremy --
- Super Jamie
Re: Policy routing with Network Manager?
All good mate, you wrote a fantastic walkthrough; nobody can fault you for trying to be helpful.
Policy routing is where you create separate routing tables, then use rules to assign traffic into those routing tables.
For example, you might have two network interfaces and rules like "if traffic comes in a particular interface, send any replies out that same interface".
See man ip-rule for more.
Re: Policy routing with Network Manager?
Super Jamie wrote:
(or stop using policy routing because it's a terrible idea)
I would like to have a better understanding of why this is a bad idea. Some (I suspect many) devices don't like it when they send a request to one IP and receive a reply from a different one. How else do you deal with this on a server with interfaces on multiple subnets?
- Super Jamie
Re: Policy routing with Network Manager?
I dislike policy routing because it's complex, and complex systems are more difficult to troubleshoot and maintain.
All a system with policy routing needs is for you to be away sick one day, someone else to come along who uses route instead of ip and suddenly the system is a confusing source of trouble which behaves in a completely nonsensical way.
You're right, some devices don't like sending a request to one IP and getting a response from another. To that, I would say design the network in such a way that this doesn't happen. The way to traverse subnets is a router, not a multi-homed host.
I know policy routing can be a necessary evil at times, but I try my utmost to avoid it, and only use it in very limited situations where there really truly is no other alternative.
Just because you can doesn't mean you should
Re: Policy routing with Network Manager?
NetworkManager doesn't natively support policy routing but it can support Legacy route-[interface] files via NetworkManager-config-routing-rules package.
Usage:
yum install NetworkManager-config-routing-rules
systemctl enable NetworkManager-dispatcher.service
systemctl start NetworkManager-dispatcher.service
then create /etc/sysconfig/network-scripts/route-XXX files, where XXX is the interface name.
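As an added example that is not part of any post in this thread: the source-based policy routing Super Jamie describes (a dedicated routing table plus an ip rule that steers traffic into it) written as the initscripts-format route-IFACE and rule-IFACE lines the original poster used on CentOS 5, as the equivalent ip(8) commands, and with a check against ip rule show output. The interface name, addresses and table number are constructed; the route-XXX files the last reply mentions take this same line format, but whether a rule-XXX file is also picked up on a given CentOS 7 host is something to verify there.

```shell
#!/bin/sh
# Source-based policy routing for a multi-homed host, written as the
# initscripts-style route-IFACE / rule-IFACE lines and as the equivalent
# ip(8) commands. All values are constructed: eth1 holds 10.10.10.5/24,
# 10.10.10.1 is that subnet's gateway, and table 100 is the dedicated table.

# Lines for route-IFACE: the connected subnet plus a default route, both
# confined to TABLE so the main routing table is left untouched.
route_file() {   # route_file IFACE ADDR SUBNET GW TABLE
    printf '%s dev %s src %s table %s\n' "$3" "$1" "$2" "$5"
    printf 'default via %s dev %s table %s\n' "$4" "$1" "$5"
}

# Line for rule-IFACE: packets sourced from ADDR consult TABLE, so replies
# to a request that arrived on that address leave via the same interface.
rule_file() {    # rule_file ADDR TABLE
    printf 'from %s table %s\n' "$1" "$2"
}

# initscripts feeds each file line to "ip route add" / "ip rule add";
# this prints those commands for a one-off manual application.
ip_commands() {  # ip_commands IFACE ADDR SUBNET GW TABLE
    route_file "$@" | sed 's/^/ip route add /'
    rule_file "$2" "$5" | sed 's/^/ip rule add /'
}

# Check: given the text of "ip rule show", return 0 when a selector sends
# traffic from ADDR to TABLE, else 1 (field layout: "prio: from X lookup T").
rule_present() { # rule_present RULES_TEXT ADDR TABLE
    printf '%s\n' "$1" | awk -v a="$2" -v t="$3" \
        '$2 == "from" && $3 == a && $4 == "lookup" && $5 == t { found = 1 }
         END { exit !found }'
}

# Constructed sample of "ip rule show" output after the rule is in place.
SAMPLE_RULES='0:      from all lookup local
32765:  from 10.10.10.5 lookup 100
32766:  from all lookup main
32767:  from all lookup default'

echo "# /etc/sysconfig/network-scripts/route-eth1"
route_file eth1 10.10.10.5 10.10.10.0/24 10.10.10.1 100
echo "# /etc/sysconfig/network-scripts/rule-eth1"
rule_file 10.10.10.5 100
echo "# equivalent one-off commands (run as root to apply)"
ip_commands eth1 10.10.10.5 10.10.10.0/24 10.10.10.1 100
if rule_present "$SAMPLE_RULES" 10.10.10.5 100; then
    echo "check: rule for 10.10.10.5 -> table 100 is active"
fi
```

Only traffic sourced from 10.10.10.5 is steered into table 100; everything else still follows the main table, which is what keeps the change contained and easy to reason about when troubleshooting.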