Adding ip rules for multi table systems



Hello,

When running multiple internet connections from the same router, the way to allow the use of both interfaces at the same time is to create a new routing table (which VyOS makes very easy - set protocols static table …) and then create to and from rules for each interface using ip rule:
ip rule add from 50.95.12.25/32 table 2
ip rule add to 50.95.12.25/32 table 2

The above is much the same as in this thread:
http://forum.vyos.net/showthread.php?tid=8591
however I tried the suggested solution and did not find it effective. So my thought is to script in specific adding of rules using “ip rule” rather than relying on iptables configuration through vyatta-firewall.pl.

I could just script this somewhere in a hacky fashion but I really don’t want to, I’d rather add it to the current vyatta-cfg tree so that it can be configured in a standard way.
So my question is - where would you add such config items?

My first thought was in:

policy {
    route intf-route {
        rule 10 {
            set {
                table 2
            }
            source {
                /* Would need to add an interface option for source and dest so that it could pull the required IP for the rule (such as if it is assigned by dhcp or ipcp) */
                interface pppoe0
            }
            dest {
                interface pppoe0
            }
        }
    }
}

This would make sense as what I want to do is basically policy routing.
However, the route node.def hands everything off to vyatta-firewall.pl and would somehow need to check whether the rule should go to vyatta-firewall.pl or to a wrapper for ip rule.

So my other thought is in the interface config with something like:

         pppoe 0 {
             default-route auto
             firewall {
                 local {
                     name SSH_PROTECT
                 }
             }
             mtu 1492
             password Password
             /* Here: */
             rule {
                 to
                 from
             }
             user-id username
         }

but that feels too non-standard or illogical. It would make more sense just to have it in policy{} then use

policy {
      route intf-route
}

in the interface.

TL;DR:
Should I put the work into making policy routes launch a wrapper script for ‘ip rule’ when appropriate and vyatta-firewall.pl other times (or even add an ‘ip rule’ wrapper function into vyatta-firewall.pl, then figure out when to call it), or can someone think of a better way?
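As an added illustration of the "ip rule" wrapper the post talks about (this is example code written for this page, not anything from the post or from VyOS), the script below resolves the interface's current IPv4 address, compares it against "ip rule show", and only adds the from/to rules that are missing, so it can be re-run safely whenever a DHCP or IPCP address changes. The interface name pppoe0, table id 2 and address 50.95.12.25 are taken from the post; the sample "ip addr" and "ip rule" output embedded for offline use is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example: idempotent "ip rule" wrapper for a second WAN routing table.
# Assumptions (not from the post): iproute2 output formats as shown in the
# constructed samples below; interface/table/address values come from the post.

# Constructed sample of "ip -4 -o addr show dev pppoe0" (PPP gives a peer, no prefix).
SAMPLE_ADDR_OUTPUT='5: pppoe0    inet 50.95.12.25 peer 203.0.113.1/32 scope global pppoe0\       valid_lft forever preferred_lft forever'

# Constructed sample of "ip rule show" where only the "from" rule exists so far.
SAMPLE_RULE_OUTPUT='0:      from all lookup local
32765:  from 50.95.12.25 lookup 2
32766:  from all lookup main
32767:  from all lookup default'

# extract_ipv4 IFNAME [ADDR_OUTPUT]
# First IPv4 address of IFNAME without prefix length. When ADDR_OUTPUT is
# supplied it is parsed instead of running ip, so the function works offline.
extract_ipv4() {
    _out="${2:-$(ip -4 -o addr show dev "$1" 2>/dev/null)}"
    printf '%s\n' "$_out" | awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

# missing_rules ADDR TABLE [RULE_SHOW_OUTPUT]
# Print only the "ip rule add" commands whose rule is not already installed.
# "ip rule show" prints a /32 selector as the bare address, e.g.
# "32765:  from 50.95.12.25 lookup 2", which is what the pattern matches.
missing_rules() {
    _addr="$1"; _table="$2"
    _cur="${3:-$(ip rule show 2>/dev/null)}"
    _re_addr=$(printf '%s' "$_addr" | sed 's/\./\\./g')   # escape dots for the regex
    for _dir in from to; do
        if ! printf '%s\n' "$_cur" | grep -Eq "^[0-9]+:[[:space:]]*$_dir $_re_addr lookup $_table([[:space:]]|$)"; then
            printf 'ip rule add %s %s/32 table %s\n' "$_dir" "$_addr" "$_table"
        fi
    done
}

# apply_rules IFNAME TABLE
# Resolve the live address and install whatever is missing. Set DRY_RUN=1 to
# only print the commands. Safe to call again after the address changes.
apply_rules() {
    _ip=$(extract_ipv4 "$1")
    [ -n "$_ip" ] || { echo "no IPv4 address on $1 yet" >&2; return 1; }
    missing_rules "$_ip" "$2" | while IFS= read -r _cmd; do
        echo "+ $_cmd"
        [ "${DRY_RUN:-0}" = 1 ] || $_cmd
    done
}

# Usage: sh multiwan-rules.sh apply pppoe0 2   (nothing runs when called without "apply")
case "${1:-}" in
    apply) apply_rules "$2" "$3" ;;
esac
```

Note that the old rules for a previous address are deliberately left alone here; a complete hook for a DHCP/IPCP renewal would also have to delete the rules that reference the address that went away, otherwise stale selectors accumulate in the rule list.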