Multiple policy routes for single interface - what is precedence?

By mistake, I created two policy route sets and applied them to a single interface.

What is the precedence of rules in this case?

For example, if ruleset1 has rules 10, 20, 30 and ruleset2 also has rules 10, 20, 30, in what order will they be applied?

VyOS version: 1.4.1, if it matters.

It’ll be alphabetical, and then by rule number. An easy way to see this in the future is to look at nftables. For your reference, here are the commands to check the different tables:

Firewall:
IPv4: sudo nft list table ip vyos_filter
IPv6: sudo nft list table ip6 vyos_filter
NAT:
IPv4: sudo nft list table ip vyos_nat
IPv6: sudo nft list table ip6 vyos_nat
Policy:
IPv4: sudo nft list table ip vyos_mangle
IPv6: sudo nft list table ip6 vyos_mangle

For policy routes, we can create 2 policies and then look at the table:

table ip vyos_mangle {
        chain VYOS_PBR_PREROUTING {
                type filter hook prerouting priority mangle; policy accept;
                iifname "eth1" counter packets 0 bytes 0 jump VYOS_PBR_UD_test1
                iifname "eth1" counter packets 0 bytes 0 jump VYOS_PBR_UD_test2
        }

        chain VYOS_PBR_POSTROUTING {
                type filter hook postrouting priority mangle; policy accept;
        }

        chain VYOS_PBR_UD_test1 {
                counter packets 0 bytes 0 accept comment "ipv4-route-test1-10"
                counter packets 0 bytes 0 accept comment "ipv4-route-test1-20"
                counter packets 0 bytes 0 accept comment "ipv4-route-test1-30"
        }

        chain VYOS_PBR_UD_test2 {
                counter packets 0 bytes 0 accept comment "ipv4-route-test2-10"
                counter packets 0 bytes 0 accept comment "ipv4-route-test2-20"
                counter packets 0 bytes 0 accept comment "ipv4-route-test2-30"
        }
}

Traffic hits the test1 rule, and then jumps to the test1 chain, going through each rule, then hits test2, and goes through those rules. If we add another policy with an earlier letter, then it should go in front of those policies:

vyos@vyos# set policy route abc interface 'eth1'
vyos@vyos# set policy route abc rule 10 action 'accept'
vyos@vyos# set policy route abc rule 20 action 'accept'
vyos@vyos# set policy route abc rule 30 action 'accept'
vyos@vyos# commit

vyos@vyos# sudo nft list table vyos_mangle
table ip vyos_mangle {
        chain VYOS_PBR_PREROUTING {
                type filter hook prerouting priority mangle; policy accept;
                iifname "eth1" counter packets 0 bytes 0 jump VYOS_PBR_UD_abc
                iifname "eth1" counter packets 0 bytes 0 jump VYOS_PBR_UD_test1
                iifname "eth1" counter packets 0 bytes 0 jump VYOS_PBR_UD_test2
        }

        chain VYOS_PBR_POSTROUTING {
                type filter hook postrouting priority mangle; policy accept;
        }

        chain VYOS_PBR_UD_abc {
                counter packets 0 bytes 0 accept comment "ipv4-route-abc-10"
                counter packets 0 bytes 0 accept comment "ipv4-route-abc-20"
                counter packets 0 bytes 0 accept comment "ipv4-route-abc-30"
        }

        chain VYOS_PBR_UD_test1 {
                counter packets 0 bytes 0 accept comment "ipv4-route-test1-10"
                counter packets 0 bytes 0 accept comment "ipv4-route-test1-20"
                counter packets 0 bytes 0 accept comment "ipv4-route-test1-30"
        }

        chain VYOS_PBR_UD_test2 {
                counter packets 0 bytes 0 accept comment "ipv4-route-test2-10"
                counter packets 0 bytes 0 accept comment "ipv4-route-test2-20"
                counter packets 0 bytes 0 accept comment "ipv4-route-test2-30"
        }
}
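The answer above works the order out by reading the nftables listing by eye. The following script does the same mechanically: it parses the text that `sudo nft list table ip vyos_mangle` prints, finds the `jump` rules in `VYOS_PBR_PREROUTING` for a given ingress interface, and lists every policy rule in the order a packet on that interface is offered to it, which makes it easy to confirm that the jumps (and so the policies) really are ordered by name. This is an added example, not code from the thread or from the VyOS project; the sample input is the listing from the answer, embedded here as a constructed string, and the chain and comment naming is assumed to match that output.

```python
# Added example, not from the forum post or VyOS. Parses `nft list table ip vyos_mangle`
# text output; chain names (VYOS_PBR_*) and "ipv4-route-<policy>-<rule>" comments are
# assumed to follow the listing shown in the thread.
import re
from typing import Dict, List, Tuple

# Constructed sample input: the table from the thread after the "abc" policy was added.
SAMPLE_NFT_OUTPUT = """\
table ip vyos_mangle {
        chain VYOS_PBR_PREROUTING {
                type filter hook prerouting priority mangle; policy accept;
                iifname "eth1" counter packets 0 bytes 0 jump VYOS_PBR_UD_abc
                iifname "eth1" counter packets 0 bytes 0 jump VYOS_PBR_UD_test1
                iifname "eth1" counter packets 0 bytes 0 jump VYOS_PBR_UD_test2
        }

        chain VYOS_PBR_POSTROUTING {
                type filter hook postrouting priority mangle; policy accept;
        }

        chain VYOS_PBR_UD_abc {
                counter packets 0 bytes 0 accept comment "ipv4-route-abc-10"
                counter packets 0 bytes 0 accept comment "ipv4-route-abc-20"
                counter packets 0 bytes 0 accept comment "ipv4-route-abc-30"
        }

        chain VYOS_PBR_UD_test1 {
                counter packets 0 bytes 0 accept comment "ipv4-route-test1-10"
                counter packets 0 bytes 0 accept comment "ipv4-route-test1-20"
                counter packets 0 bytes 0 accept comment "ipv4-route-test1-30"
        }

        chain VYOS_PBR_UD_test2 {
                counter packets 0 bytes 0 accept comment "ipv4-route-test2-10"
                counter packets 0 bytes 0 accept comment "ipv4-route-test2-20"
                counter packets 0 bytes 0 accept comment "ipv4-route-test2-30"
        }
}
"""

CHAIN_RE = re.compile(r'^\s*chain (\S+) \{\s*$')
JUMP_RE = re.compile(r'^iifname "([^"]+)" .*\bjump (\S+)$')
COMMENT_RE = re.compile(r'comment "([^"]*)"')


def parse_chains(output: str) -> Dict[str, List[str]]:
    """Map each chain name to its rule lines (stripped), in ruleset order."""
    chains: Dict[str, List[str]] = {}
    current = None
    for line in output.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None:
            continue  # outside any chain (e.g. the table header or its closing brace)
        stripped = line.strip()
        if stripped == "}":
            current = None  # end of the current chain
        elif stripped and not stripped.startswith("type "):
            chains[current].append(stripped)  # skip the base-chain "type ... hook ..." header
    return chains


def jump_targets(output: str, iface: str) -> List[str]:
    """User chains that VYOS_PBR_PREROUTING jumps to for packets on `iface`, in hook order."""
    targets = []
    for rule in parse_chains(output).get("VYOS_PBR_PREROUTING", []):
        m = JUMP_RE.match(rule)
        if m and m.group(1) == iface:
            targets.append(m.group(2))
    return targets


def evaluation_order(output: str, iface: str) -> List[Tuple[str, str]]:
    """(chain, rule comment) pairs in the order a packet on `iface` reaches them.

    This is the static precedence: at run time nftables stops at the first rule that
    matches and carries a terminating verdict (accept, drop), so later entries are
    only consulted when every earlier rule fails to match.
    """
    chains = parse_chains(output)
    order = []
    for target in jump_targets(output, iface):
        for rule in chains.get(target, []):
            m = COMMENT_RE.search(rule)
            order.append((target, m.group(1) if m else rule))
    return order


def is_alphabetical(targets: List[str]) -> bool:
    """True when the jump order equals the sorted order, i.e. policies are ordered by name."""
    return targets == sorted(targets)


if __name__ == "__main__":
    targets = jump_targets(SAMPLE_NFT_OUTPUT, "eth1")
    print("jump order:", targets, "alphabetical:", is_alphabetical(targets))
    for chain, comment in evaluation_order(SAMPLE_NFT_OUTPUT, "eth1"):
        print(f"{chain:22s} {comment}")
```

On a live box, replace `SAMPLE_NFT_OUTPUT` with the output of `sudo nft list table ip vyos_mangle` (read from stdin, for example) and pass the interface you care about. The chain listing gives precedence, not a guarantee that every rule runs: a rule with no match conditions and an `accept` action, like the ones in the sample, matches every packet and ends evaluation for the hook, so whatever policy sorts first by name effectively decides for the interface.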

L0crian, thanks! This is an exceptionally clear and useful answer. Thank you for going into such detail.
