Policy routing with Network Manager?

Issues related to configuring your network
orever
Posts: 10
Joined: 2005/11/03 19:44:29

Policy routing with Network Manager?

Post by orever » 2015/01/01 18:04:58

I have a host that is on a few different subnets, and I need to set up a policy for correct routing of traffic depending on the source network. On CentOS 5 I was able to set up policy routing by creating routes and rules in the files /etc/sysconfig/network-scripts/{rule,route}-eth0. Is there a different way to do this on CentOS 7 when using NetworkManager? So far I have found that NM seems to control the connections themselves and some basic route settings, but I have not found any mention of policy routes.

jyoung
Posts: 102
Joined: 2014/09/22 13:40:31
Location: Nashville, TN, USA

Re: Policy routing with Network Manager?

Post by jyoung » 2015/01/01 19:37:35

NetworkManager has a nice command-line interface for doing exactly this.
http://linux.die.net/man/1/nmcli
-- Jeremy --

orever
Posts: 10
Joined: 2005/11/03 19:44:29

Re: Policy routing with Network Manager?

Post by orever » 2015/01/01 20:11:33

jyoung wrote: NetworkManager has a nice command-line interface for doing exactly this.
http://linux.die.net/man/1/nmcli

nmcli has no commands to set up policy routing, at least that I can see. Please post an example if you already know how to do it; otherwise please don't post generic links to documentation if you aren't willing to actually provide help. No one gains anything from people who post "RTFM"-type replies.

jyoung
Posts: 102
Joined: 2014/09/22 13:40:31
Location: Nashville, TN, USA

Re: Policy routing with Network Manager?

Post by jyoung » 2015/01/01 20:35:58

Sometimes, RTFM is what people want to do, they're just not sure which manual to read.

With that said, here's an example from my Fedora 21 desktop:

List all existing connections of which NetworkManager is aware.

[root@young jyoung]# nmcli con show
NAME            UUID                                  TYPE            DEVICE     
virbr0-nic      dc9abaa0-a3c3-4b61-b5a4-f2a1ccbf9b3b  generic         virbr0-nic 
virbr0          12bdfaca-99e7-4bc2-a866-ba91ea8bf02b  bridge          virbr0     
Wired Internet  f5dc9fe0-f5a5-4f55-9944-320706637835  802-3-ethernet  em1        
tun0            15fd0495-84b4-40d6-8499-6f982e0239b1  generic         --         
virbr1          d2c13d58-0bda-4444-b2f5-a6ed95c8b4a9  bridge          virbr1

Edit the desired connection, which drops you into an nmcli shell:

[root@young jyoung]# nmcli con edit Wired\ Internet 

===| nmcli interactive connection editor |===

Editing existing '802-3-ethernet' connection: 'Wired Internet'

Type 'help' or '?' for available commands.
Type 'describe [<setting>.<prop>]' for detailed property description.

You may edit the following settings: connection, 802-3-ethernet (ethernet), 802-1x, ipv4, ipv6, dcb
nmcli>

Select the section you'd like to edit:

You may edit the following settings: connection, 802-3-ethernet (ethernet), 802-1x, ipv4, ipv6, dcb
nmcli>goto ipv4
You may edit the following properties: method, dns, dns-search, addresses, address-labels, routes, ignore-auto-routes, ignore-auto-dns, dhcp-client-id, dhcp-send-hostname, dhcp-hostname, never-default, may-fail
nmcli ipv4>

List the current settings of your selected connection:

nmcli ipv4> print
['ipv4' setting values]
ipv4.method:                            auto
ipv4.dns:                               192.168.1.1
ipv4.dns-search:                        
ipv4.addresses:                         
ipv4.routes:                            
ipv4.ignore-auto-routes:                no
ipv4.ignore-auto-dns:                   no
ipv4.dhcp-client-id:                    --
ipv4.dhcp-send-hostname:                yes
ipv4.dhcp-hostname:                     --
ipv4.never-default:                     no
ipv4.may-fail:                          yes

Add one or more static routes, comma-delimited (this example, of course, uses a completely made-up gateway):

nmcli ipv4> set routes 10.10.10.0/24 172.16.34.1, 10.10.20.0/24 172.16.34.1, 10.10.45.0/23 172.16.34.1
nmcli ipv4> print
['ipv4' setting values]
ipv4.method:                            auto
ipv4.dns:                               192.168.1.1
ipv4.dns-search:                        
ipv4.addresses:                         
ipv4.routes:                            { dst = 10.10.10.0/24, nh = 172.16.34.1, mt = 0 }; { dst = 10.10.20.0/24, nh = 172.16.34.1, mt = 0 }; { dst = 10.10.45.0/23, nh = 172.16.34.1, mt = 0 }
ipv4.ignore-auto-routes:                no
ipv4.ignore-auto-dns:                   no
ipv4.dhcp-client-id:                    --
ipv4.dhcp-send-hostname:                yes
ipv4.dhcp-hostname:                     --
ipv4.never-default:                     no
ipv4.may-fail:                          yes
nmcli ipv4>

Save your changes, and exit the nmcli shell:

nmcli ipv4> save
Connection 'Wired Internet' (f5dc9fe0-f5a5-4f55-9944-320706637835) successfully updated.
nmcli ipv4> quit
The connection is not saved. Do you really want to quit? (yes/no) [no] no
nmcli ipv4> save
Connection 'Wired Internet' (f5dc9fe0-f5a5-4f55-9944-320706637835) successfully updated.
nmcli ipv4> quit

Reload the connection that you've modified:

nmcli con down Wired\ Internet; nmcli con up Wired\ Internet

And here's a better reference:
http://fedoraproject.org/wiki/Networkin ... connection
-- Jeremy --

Super Jamie
Posts: 310
Joined: 2014/01/10 23:44:51

Re: Policy routing with Network Manager?

Post by Super Jamie » 2015/01/02 00:32:19

That's a great walkthrough for adding a route via nmcli, but it's not policy routing.

NetworkManager will read existing route-ethX files, however looking through the source, there is no mention of reading rule-ethX or policy-based routing at all. There don't appear to be functions which create the separate routing tables required for policy routing.

I'm guessing you will need to disable NM and continue using the old initscripts to get persistent policy routing.

(or stop using policy routing because it's a terrible idea ;) )

jyoung
Posts: 102
Joined: 2014/09/22 13:40:31
Location: Nashville, TN, USA

Re: Policy routing with Network Manager?

Post by jyoung » 2015/01/02 00:43:29

My apologies for the misunderstanding. That's a new concept for me (or better yet, something that I don't see much application for), and is something that I should have looked up before responding.
-- Jeremy --

Super Jamie
Posts: 310
Joined: 2014/01/10 23:44:51

Re: Policy routing with Network Manager?

Post by Super Jamie » 2015/01/02 00:50:21

All good mate, you wrote a fantastic walkthrough, nobody can fault you for trying to be helpful :)

Policy routing is where you create separate routing tables, then use rules to assign traffic into those routing tables.

For example, you might have two network interfaces and rules like "if traffic comes in a particular interface, send any replies out that same interface".

See man ip-rule for more.

orever
Posts: 10
Joined: 2005/11/03 19:44:29

Re: Policy routing with Network Manager?

Post by orever » 2015/01/02 05:36:26

Super Jamie wrote: (or stop using policy routing because it's a terrible idea ;) )

I would like to have a better understanding of why this is a bad idea. Some (I suspect many) devices don't like it when they send a request to one IP and receive a reply from a different one. How else do you deal with this on a server with interfaces on multiple subnets?

Super Jamie
Posts: 310
Joined: 2014/01/10 23:44:51

Re: Policy routing with Network Manager?

Post by Super Jamie » 2015/01/02 06:17:32

I dislike policy routing because it's complex, and complex systems are more difficult to troubleshoot and maintain.

All a system with policy routing needs is for you to be away sick one day, someone else to come along who uses route instead of ip and suddenly the system is a confusing source of trouble which behaves in a completely nonsensical way.

You're right, some devices don't like sending a request to one IP and getting a response from another. To that, I would say design the network in such a way that this doesn't happen. The way to traverse subnets is a router, not a multi-homed host.

I know policy routing can be a necessary evil at times, but I try my utmost to avoid it, and only use it in very limited situations where there really truly is no other alternative.

Just because you can doesn't mean you should 8-)

raatti
Posts: 1
Joined: 2015/07/27 20:16:11

Re: Policy routing with Network Manager?

Post by raatti » 2015/07/27 20:20:13

NetworkManager doesn't natively support policy routing, but it can support the legacy route-[interface] files via the NetworkManager-config-routing-rules package.

Usage:

yum install NetworkManager-config-routing-rules
systemctl enable NetworkManager-dispatcher.service
systemctl start NetworkManager-dispatcher.service

Then create /etc/sysconfig/network-scripts/route-XXX files, where XXX is the interface name.
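The route-<iface> and rule-<iface> layout that orever's CentOS 5 setup and raatti's package both rely on, and the "one table per interface, select it by source address" pattern Super Jamie describes, as an added example that is not from any poster in this thread: a POSIX shell helper that generates those two files for a host on two subnets. It writes into a scratch directory, never /etc, and prints the commands used to confirm the live state. Every interface name, address, gateway and table number below is a constructed sample value.

```shell
#!/bin/sh
# Added example: generate route-<iface> and rule-<iface> files in the
# initscripts "ip command" format for source-based policy routing.
# All interface names, addresses and table numbers below are constructed.

# Table ids 0 and 253-255 are reserved (unspec, default, main, local);
# refuse them so a rule never silently lands in the main table.
valid_table_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 252 ]
}

# route-<iface>: the connected subnet and a default route, both confined
# to the interface's own table. Each line is passed verbatim to `ip route add`.
route_file_content() {
    iface=$1 subnet=$2 gateway=$3 table=$4
    valid_table_id "$table" || return 1
    printf '%s dev %s table %s\n' "$subnet" "$iface" "$table"
    printf 'default via %s dev %s table %s\n' "$gateway" "$iface" "$table"
}

# rule-<iface>: traffic sourced from this interface's address consults
# that table, so replies leave through the interface they arrived on.
rule_file_content() {
    addr=$1 table=$2
    valid_table_id "$table" || return 1
    printf 'from %s/32 table %s\n' "$addr" "$table"
}

# Write both files under OUTDIR (a scratch directory here, not /etc).
write_policy_files() {
    outdir=$1 iface=$2 addr=$3 subnet=$4 gateway=$5 table=$6
    route_file_content "$iface" "$subnet" "$gateway" "$table" \
        > "$outdir/route-$iface" || return 1
    rule_file_content "$addr" "$table" > "$outdir/rule-$iface" || return 1
}

# Commands an operator runs afterwards to confirm the kernel state matches
# the files (the check to reach for when the box "behaves nonsensically").
verify_commands() {
    printf 'ip rule show\n'
    printf 'ip route show table %s\n' "$1"
}

# Demo with constructed values for a host with a leg on two subnets.
demo_dir=$(mktemp -d)
write_policy_files "$demo_dir" eth0 192.168.1.10 192.168.1.0/24 192.168.1.1 10
write_policy_files "$demo_dir" eth1 10.20.30.10 10.20.30.0/24 10.20.30.1 20
for f in "$demo_dir"/route-* "$demo_dir"/rule-*; do
    printf '== %s ==\n' "$f"
    cat "$f"
done
verify_commands 10
verify_commands 20
rm -rf "$demo_dir"
```

Copying the generated files into /etc/sysconfig/network-scripts/ and bringing the interface up is what applies them; the files are only read at ifup time, so after editing them re-run the interface and compare `ip rule show` and `ip route show table N` against what you expect. Numeric table ids avoid a dependency on names in /etc/iproute2/rt_tables.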
