Coming from EdgeOS/Vyatta I had assumed this would have carried over from the ‘firewall modify’ syntax, but there’s no way through the config to match a policy-route rule based on dscp tag.
There’s a way to work around as mentioned in the post but I’m curious why the feature is missing.
@trystan It’s one of the old mistaked we inherited with the Vyatta codebase. In Vyatta 6.5, some people (not naming names—sometimes good people get horrible ideas), decided to redesign that syntax, and disregarded a whole bunch of use cases. To add insult to injury, that change was backwards-incompatible and people had to redo their configs by hand.
To undo the damage, we’ll need to rewrite those scripts from scratch (the whole firewall subsystem needs a complete rewrite anyway), and also add a migration script to ensure compatibility.
The new, sane migration script API is already there, and we have already tested full rewrites on smaller components such as VRRP, so we hope we’ll get this done in 1.3.0
For now, we are stuck with it though.
Thanks I’m glad it’s on the radar, it’s trivial to script around but that can get messy fast.
Cheers
Another thing is our “de-nesting” campaign. PBR (or firewall) rules have no reason to be inside interfaces, so the new syntax will have everything in its own subtree.
We have already done that with VRRP, but that also takes time. Writing migration scripts is now much easier, but it’s only the poor API that is gone, not the inherent complexity.
Would it be worth mentioning in the phabricator or is there already enough of an understanding from the devs regarding the rewrite?
Whether we remember about it or not, it should be recorded in phabricator. I don’t remember if we have a task about it, if you can’t find it, please make one. If we do, you can subscribe to it.
Would it be worth adding a specific use case to Phabricator?
Specifically – route optimizers (Noction is the main one I think of) use this technique to specify which egress connection to while doing performance testing.