path: root/doc/user/pbr.rst
.. _pbr:

***
PBR
***

:abbr:`PBR` is Policy Based Routing, which means forwarding based on
packet fields other than solely the destination IP address.
This implementation currently works only on Linux. Note that some
functionality (VLAN matching, packet mangling) is not supported by
the default Linux kernel dataplane provider.

.. _starting-pbr:

Starting PBR
============

.. include:: config-include.rst

.. program:: pbrd

:abbr:`PBR` supports all the common FRR daemon start options, which are
documented elsewhere.

.. _nexthop-groups:

PBR Nexthop Groups
==================

A nexthop group is a list of ECMP nexthops used to forward packets
when a pbr-map is matched.
For details on specifying a nexthop group in the CLI, see
the nexthop-groups section.

Showing Nexthop Group Information
---------------------------------

.. clicmd:: show pbr nexthop-groups [NAME] [json]

   Display information on a PBR nexthop-group. If ``NAME`` is omitted, all
   nexthop groups are shown. Setting ``json`` will provide the same
   information in an array of objects that adhere to the schema below:

   +-----------+----------------------------+---------+
   | Key       | Description                | Type    |
   +===========+============================+=========+
   | id        | Unique ID                  | Integer |
   +-----------+----------------------------+---------+
   | name      | Name of this group         | String  |
   +-----------+----------------------------+---------+
   | valid     | Is this group well-formed? | Boolean |
   +-----------+----------------------------+---------+
   | installed | ... and is it installed?   | Boolean |
   +-----------+----------------------------+---------+
   | nexthops  | Nexthops within this group | Array   |
   +-----------+----------------------------+---------+

   Each element within ``nexthops`` describes a single target within this
   group, and its structure is described by the JSON below:

   +---------+------------------------------+---------+
   | Key     | Description                  | Type    |
   +=========+==============================+=========+
   | nexthop | Name of this nexthop         | String  |
   +---------+------------------------------+---------+
   | valid   | Is this nexthop well-formed? | Boolean |
   +---------+------------------------------+---------+

.. _pbr-maps:

PBR Maps
========

PBR maps are a way to specify a set of rules that are applied to
packets received on individual interfaces.
If a received packet matches a rule, the rule's nexthop-group or
nexthop is used to forward it; any other actions
specified in the rule are also applied to the packet.

.. clicmd:: pbr-map NAME seq (1-700)

   Create a pbr-map rule with map NAME and specified sequence number.
   This command puts the CLI into a new submode for pbr-map rule specification.
   To exit this submode, type ``exit`` or ``end``.

.. clicmd:: match src-ip PREFIX

   Match the packet's source IP address.

   This command accepts both v4 and v6 prefixes.

.. clicmd:: match dst-ip PREFIX

   Match the packet's destination IP address.

   This command accepts both v4 and v6 prefixes.

.. clicmd:: match src-port (1-65535)

   Match the packet's UDP or TCP source port.

.. clicmd:: match dst-port (1-65535)

   Match the packet's UDP or TCP destination port.

.. clicmd:: match ip-protocol PROTOCOL

   Match the packet's IP protocol.

   Protocol names are queried from the protocols database (``/etc/protocols``;
   see ``man 5 protocols`` and ``man 3 getprotobyname``).

.. clicmd:: match mark (1-4294967295)

   Match the packet's meta-information mark.
   The mark value is attached to the packet by the kernel/dataplane and
   is platform-specific.
   Currently, this field is supported only on Linux and corresponds to
   the underlying ``ip rule .... fwmark XXXX`` command.

.. clicmd:: match dscp (DSCP|0-63)

   Match the packet's IP differentiated services code point (DSCP).
   The specified DSCP may also be a standard name for a
   differentiated service code point such as ``cs0`` or ``af11``.

   You may only specify one dscp per route map rule; to match on multiple
   dscp values you will need to create several rules, one for each value.

.. clicmd:: match ecn (0-3)

   Match the packet's IP explicit congestion notification (ECN) field.

.. clicmd:: match pcp (0-7)

   Match the packet's 802.1Q Priority Code Point.
   Zero is the default (nominally, "best effort").
   The Linux kernel dataplane provider does not currently support
   matching PCPs,
   so this field will be ignored unless other dataplane providers are used.

.. clicmd:: match vlan (1-4094)

   Match the packet's VLAN (802.1Q) identifier.
   Note that VLAN IDs 0 and 4095 are reserved.
   The Linux kernel dataplane provider does not currently support
   VLAN-matching facilities,
   so this field will be ignored unless other dataplane providers are used.

.. clicmd:: match vlan (tagged|untagged|untagged-or-zero)

   Match packets according to whether or not they have a VLAN tag.
   Use ``untagged-or-zero`` to also match packets with either no VLAN tag
   or with the reserved VLAN ID of 0 (indicating an untagged frame that
   includes other 802.1Q fields).
   The Linux kernel dataplane provider does not currently support
   VLAN-matching facilities,
   so this field will be ignored unless other dataplane providers are used.

.. clicmd:: set nexthop-group NAME

   Action:
   forward the packet using nexthop-group NAME.

.. clicmd:: set nexthop [A.B.C.D|X:X::X:X|blackhole] [interface] [nexthop-vrf NAME]

   Action:
   forward the packet using the specified single nexthop.
   If ``blackhole``, packets will be sent to a blackhole route and dropped.

.. clicmd:: set vrf unchanged|NAME

   Action:
   If set to ``unchanged``, the rule will use the vrf table the interface
   is in as its lookup.
   If set to NAME, the rule will use that vrf table as its lookup.

   Not supported with NETNS VRF backend.

.. clicmd:: set queue-id (1-65535)

   Action:
   set the egress port queue identifier.
   The Linux Kernel dataplane provider does not currently support
   packet mangling,
   so this field will be ignored unless another dataplane provider is used.

.. clicmd:: set pcp (0-7)

   Action:
   set the 802.1Q priority code point (PCP).
   A PCP of zero is the default (nominally, "best effort").
   The Linux Kernel dataplane provider does not currently support
   packet mangling,
   so this field will be ignored unless another dataplane provider is used.

.. clicmd:: set vlan (1-4094)

   Action:
   set the VLAN tag. Identifiers 0 and 4095 are reserved.
   The Linux Kernel dataplane provider does not currently support
   packet mangling,
   so this field will be ignored unless another dataplane provider is used.

.. clicmd:: strip vlan

   Action:
   strip inner vlan tags.
   The Linux Kernel dataplane provider does not currently support
   packet mangling,
   so this field will be ignored unless another dataplane provider is used.
   It is invalid to specify both a ``strip`` and a ``set vlan`` action.

.. clicmd:: set src-ip [A.B.C.D/M|X:X::X:X/M]

   Action:
   Set the source IP address of matched packets, possibly using a mask ``M``.
   The Linux Kernel dataplane provider does not currently support
   packet mangling,
   so this field will be ignored unless another dataplane provider is used.

.. clicmd:: set dst-ip [A.B.C.D/M|X:X::X:X/M]

   Action:
   set the destination IP address of matched packets, possibly using a mask
   ``M``.
   The Linux Kernel dataplane provider does not currently support
   packet mangling,
   so this field will be ignored unless another dataplane provider is used.

.. clicmd:: set src-port (1-65535)

   Action:
   set the source port of matched packets. Note that this action only makes
   sense with layer 4 protocols that use ports, such as TCP, UDP, and SCTP.
   The Linux Kernel dataplane provider does not currently support
   packet mangling,
   so this field will be ignored unless another dataplane provider is used.

.. clicmd:: set dst-port (1-65535)

   Action:
   set the destination port of matched packets. Note that this action only
   makes sense with layer 4 protocols that use ports, such as TCP, UDP, and
   SCTP.
   The Linux Kernel dataplane provider does not currently support
   packet mangling,
   so this field will be ignored unless another dataplane provider is used.

.. clicmd:: set dscp DSCP

   Action:
   set the differentiated services code point (DSCP) of matched packets.
   The Linux Kernel dataplane provider does not currently support
   this action,
   so this field will be ignored unless another dataplane provider is used.

.. clicmd:: set ecn (0-3)

   Action:
   set the explicit congestion notification (ECN) of matched packets.
   The Linux Kernel dataplane provider does not currently support
   this action,
   so this field will be ignored unless another dataplane provider is used.

.. clicmd:: show pbr map [NAME] [detail] [json]

   Display all pbr maps, or only the map named ``NAME``. If ``detail`` is set,
   the output also includes each rule's unique internal ID and some extra
   debugging information about the install state of the nexthop/nexthop group.
   Setting ``json`` will provide the same information in an array of objects
   that adhere to the schema below:

   +----------+--------------------------------+---------+
   | Key      | Description                    | Type    |
   +==========+================================+=========+
   | name     | Map name                       | String  |
   +----------+--------------------------------+---------+
   | valid    | Is the map well-formed?        | Boolean |
   +----------+--------------------------------+---------+
   | policies | Rules to match packets against | Array   |
   +----------+--------------------------------+---------+

   Each element of the ``policies`` array is composed of a set of objects
   representing the policies associated with this map. Each policy is
   described below (not all fields are required):

   +-----------------+-------------------------------------------+---------+
   | Key             | Description                               | Type    |
   +=================+===========================================+=========+
   | id              | Unique ID                                 | Integer |
   +-----------------+-------------------------------------------+---------+
   | sequenceNumber  | Order of this policy within the map       | Integer |
   +-----------------+-------------------------------------------+---------+
   | ruleNumber      | Rule number to install into               | Integer |
   +-----------------+-------------------------------------------+---------+
   | vrfUnchanged    | Use interface's VRF                       | Boolean |
   +-----------------+-------------------------------------------+---------+
   | installed       | Is this policy installed?                 | Boolean |
   +-----------------+-------------------------------------------+---------+
   | installedReason | Why (or why not?)                         | String  |
   +-----------------+-------------------------------------------+---------+
   | matchSrc        | Match packets with this source address    | String  |
   +-----------------+-------------------------------------------+---------+
   | matchDst        | ... or with this destination address      | String  |
   +-----------------+-------------------------------------------+---------+
   | matchMark       | ... or with this marker                   | Integer |
   +-----------------+-------------------------------------------+---------+
   | vrfName         | Associated VRF (if relevant)              | String  |
   +-----------------+-------------------------------------------+---------+
   | nexthopGroup    | This policy's nexthop group (if relevant) | Object  |
   +-----------------+-------------------------------------------+---------+

   Finally, the ``nexthopGroup`` object above contains information FRR
   knows about the configured nexthop for this policy:

   +---------------------+--------------------------------------+---------+
   | Key                 | Description                          | Type    |
   +=====================+======================================+=========+
   | tableId             | Nexthop table ID                     | Integer |
   +---------------------+--------------------------------------+---------+
   | name                | Name of the nexthop group            | String  |
   +---------------------+--------------------------------------+---------+
   | installed           | Is this nexthop group installed?     | Boolean |
   +---------------------+--------------------------------------+---------+
   | installedInternally | Does FRR think NHG is installed?     | Integer |
   +---------------------+--------------------------------------+---------+


.. index::
   pair: policy; PBR

.. _pbr-policy:

PBR Policy
==========

After you have specified a PBR map, in order for it to be enabled, it must
be applied to an interface.  This policy application to an interface
causes the policy to be installed into the kernel.

.. clicmd:: pbr-policy NAME

   This command is available under interface sub-mode.
   It enables the PBR map NAME on the interface.

.. note::
   This command will not dynamically create PBR maps on sub-interfaces
   (i.e. vlans), even if one is on the master.
   Each sub-interface must have the PBR map enabled explicitly.

.. clicmd:: show pbr interface [NAME] [json]

   Enumerates all interfaces which ``pbrd`` is keeping track of. Passing
   ``json`` will return an array of interfaces; each returned interface will
   adhere to the JSON schema below:

   +--------+----------------------------+---------+
   | Key    | Description                | Type    |
   +========+============================+=========+
   | name   | Interface name             | String  |
   +--------+----------------------------+---------+
   | index  | Device Index               | Integer |
   +--------+----------------------------+---------+
   | policy | PBR map for this interface | String  |
   +--------+----------------------------+---------+
   | valid  | Is the map well-formed?    | Boolean |
   +--------+----------------------------+---------+

.. clicmd:: pbr table range (10000-4294966272) (10000-4294966272)

   Set or unset the range used to assign numeric table IDs to new
   nexthop-group tables. Existing tables will not be modified to fit in this
   range, so this range should be configured before adding nexthop groups.

   .. seealso:: :ref:`pbr-details`


.. _pbr-debugs:

PBR Debugs
===========

.. clicmd:: debug pbr events|map|nht|zebra

   Debug pbr in the pbrd daemon. You must specify which types of debugs to turn on.

.. _pbr-details:

PBR Details
===========

Internally, a PBR map is translated into two separate constructs in the
Linux kernel.

The PBR map creates an ``ip rule ...`` that is inserted into the Linux
kernel and points to a table to use for forwarding once the rule matches.

The creation of a nexthop or nexthop-group is translated to a
table with a default route having the specified nexthop(s).


Sample configuration
====================

.. code-block:: frr

   nexthop-group TEST
     nexthop 4.5.6.7
     nexthop 5.6.7.8
   !
   pbr-map BLUE seq 100
     match dst-ip 9.9.9.0/24
     match src-ip 10.10.10.0/24
     set nexthop-group TEST
   !
   int swp1
     pbr-policy BLUE
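As an added example (not FRR or pbrd code), the following Python models how the pbr-map in this sample configuration selects a nexthop-group for a packet, and how the configured objects map onto the two constructs described under PBR Details. The first-match evaluation order and the table-ID numbering are assumptions made here, not behaviour the page states.

```python
# Added example, not FRR/pbrd code: models how a pbr-map selects a nexthop-group
# for a packet, and how the configured objects map onto the two Linux pieces the
# text describes (an ip rule per pbr-map rule, one table per nexthop-group).
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union
Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

@dataclass
class Rule:
    seq: int                      # `pbr-map NAME seq (1-700)`
    nexthop_group: str            # `set nexthop-group NAME`
    src_ip: Optional[Net] = None  # `match src-ip PREFIX`; None means any
    dst_ip: Optional[Net] = None  # `match dst-ip PREFIX`; None means any

    def __post_init__(self) -> None:
        if not 1 <= self.seq <= 700:
            raise ValueError(f"seq {self.seq} outside 1-700")

    def matches(self, src: str, dst: str) -> bool:
        # Every configured clause must hold; unset clauses are wildcards.
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return ((self.src_ip is None or s in self.src_ip) and
                (self.dst_ip is None or d in self.dst_ip))

def select_rule(rules: list, src: str, dst: str) -> Optional[Rule]:
    # Assumption (not stated on the page): rules are tried in ascending
    # sequence order and the first match decides the nexthop-group.
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.matches(src, dst):
            return rule
    return None

def linux_constructs(rules: list, nhgs: dict, iface: str, first_table: int = 10000):
    # One table per nexthop-group holding only a default route over its nexthops,
    # and one ip-rule-like entry per pbr-map rule pointing at that table. Table
    # IDs count up from the `pbr table range` lower bound (numbering assumed).
    tables = {name: {"id": first_table + i, "default_route_via": list(hops)}
              for i, (name, hops) in enumerate(sorted(nhgs.items()))}
    ip_rules = [{"iif": iface,
                 "from": str(r.src_ip) if r.src_ip else "all",
                 "to": str(r.dst_ip) if r.dst_ip else "all",
                 "lookup": tables[r.nexthop_group]["id"]}
                for r in sorted(rules, key=lambda r: r.seq)]
    return ip_rules, tables

# The page's sample configuration, as data.
NHGS = {"TEST": ["4.5.6.7", "5.6.7.8"]}
BLUE = [Rule(100, "TEST", ipaddress.ip_network("10.10.10.0/24"),
             ipaddress.ip_network("9.9.9.0/24"))]
```

A packet from 10.10.10.5 to 9.9.9.9 hits seq 100 and is forwarded via table 10000 (group TEST); a source outside 10.10.10.0/24, or a destination of the other IP version, matches no rule and falls through to normal routing.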