policy-route: T8244: add suppress-prefix-length support for PBR ip rules #4974
Open
jd82k wants to merge 1 commit into vyos:current from
Contributor
Author
I have read the CLA Document and I hereby sign the CLA
c-po
requested changes
Feb 10, 2026
b672226 to
c2a5b75
Compare
c2a5b75 to
290b23f
Compare
Member
Please rebase after #4991 is merged
ee09e3b to
461d560
Compare
c-po
requested changes
Feb 18, 2026
fc6e2d9 to
461d560
Compare
5525671 to
a4619b5
Compare
sever-sever
requested changes
Feb 19, 2026
Member
sever-sever
left a comment
Smoketests fail
```
DEBUG - Running Testcase (20/90): /usr/libexec/vyos/tests/smoke/cli/test_policy_route.py
DEBUG - test_geoip (__main__.TestPolicyRoute.test_geoip) ... ok
DEBUG - test_pbr_group (__main__.TestPolicyRoute.test_pbr_group) ... ok
DEBUG - test_pbr_mark (__main__.TestPolicyRoute.test_pbr_mark) ... ok
DEBUG - test_pbr_mark_connection (__main__.TestPolicyRoute.test_pbr_mark_connection) ... ok
DEBUG - test_pbr_matching_criteria (__main__.TestPolicyRoute.test_pbr_matching_criteria) ... ok
DEBUG - test_pbr_table (__main__.TestPolicyRoute.test_pbr_table) ... ok
DEBUG - test_pbr_table_suppress_prefix_length (__main__.TestPolicyRoute.test_pbr_table_suppress_prefix_length) ... FAIL
DEBUG - test_pbr_table_suppress_prefix_length_conflict (__main__.TestPolicyRoute.test_pbr_table_suppress_prefix_length_conflict) ... ok
DEBUG - test_pbr_vrf (__main__.TestPolicyRoute.test_pbr_vrf) ... ok
DEBUG -
DEBUG - ======================================================================
DEBUG - FAIL: test_pbr_table_suppress_prefix_length (__main__.TestPolicyRoute.test_pbr_table_suppress_prefix_length)
DEBUG - ----------------------------------------------------------------------
DEBUG - Traceback (most recent call last):
DEBUG - File "/usr/libexec/vyos/tests/smoke/cli/test_policy_route.py", line 235, in test_pbr_table_suppress_prefix_length
DEBUG - self.verify_nftables(nftables6_search, 'ip6 vyos_mangle')
DEBUG - File "/usr/libexec/vyos/tests/smoke/cli/base_vyostest_shim.py", line 276, in verify_nftables
DEBUG - self.assertTrue(not matched if inverse else matched, msg=search)
DEBUG - AssertionError: False is not true : ['meta l4proto tcp', 'th dport 443', 'meta mark set 0x7fffff01']
DEBUG -
DEBUG - ----------------------------------------------------------------------
DEBUG - Ran 9 tests in 39.922s
DEBUG -
DEBUG - FAILED (failures=1)
```
Add support for route suppression in policy routing by introducing
`set suppress-prefix-length` for `policy route` and `policy route6` rules.
This maps to Linux ip rule `suppress_prefixlength`, allowing operators to
reuse main-table routes while suppressing prefixes up to a configured length.
What changed:
- Added new CLI leaf:
- `set suppress-prefix-length <0-128>`
- wired into policy route common rule schema
- Extended policy route apply logic to append:
- `suppress_prefixlength <N>` to generated `ip rule add ...` commands
- Added validation:
- `suppress-prefix-length` requires `set table` or `set vrf`
- range constrained by address family:
- IPv4: 0..32
- IPv6: 0..128
- prevent conflicting suppress values for the same resolved table id
- Added smoketests:
- positive test for IPv4/IPv6 `suppress_prefixlength` rule presence
- negative test ensuring commit fails on conflicting values for same table
Files:
- `interface-definitions/include/policy/route-common.xml.i`
- `interface-definitions/policy_route.xml.in`
- `interface-definitions/include/policy/route-set-suppress-prefix-length-ipv4.xml.i`
- `interface-definitions/include/policy/route-set-suppress-prefix-length-ipv6.xml.i`
- `src/conf_mode/policy_route.py`
- `smoketest/scripts/cli/test_policy_route.py`
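
The three validation checks and the `suppress_prefixlength` command generation listed in the commit message above, as an added example (not the code from this pull request). The rule dictionaries, the `vrf_tables` mapping, `ConfigError`, the function names and the per-address-family conflict scope are assumptions made for illustration.

```python
# Added illustration: rule layout and helper names are hypothetical, not VyOS code.
MAX_PREFIX = {"ipv4": 32, "ipv6": 128}


class ConfigError(Exception):
    """A rule set violates one of the checks listed in the commit message."""


def resolve_table(rule, vrf_tables):
    """Return the table id a rule targets (directly or via its VRF), else None."""
    if "table" in rule:
        return int(rule["table"])
    if "vrf" in rule:
        return int(vrf_tables[rule["vrf"]])
    return None


def build_ip_rules(rules, vrf_tables):
    """Validate every rule, then return one `ip rule add` command per table."""
    chosen = {}  # (family, table id) -> (fwmark, suppress value or None)
    for rule in rules:
        name, family = rule["name"], rule["family"]
        table = resolve_table(rule, vrf_tables)
        suppress = rule.get("suppress")
        if suppress is not None:
            if table is None:
                raise ConfigError(f"{name}: suppress-prefix-length requires table or vrf")
            if not 0 <= suppress <= MAX_PREFIX[family]:
                raise ConfigError(f"{name}: {suppress} outside 0..{MAX_PREFIX[family]}")
        if table is None:
            continue
        # Assumption: conflicts are judged per address family and table id,
        # and only between rules that both set a value.
        key = (family, table)
        fwmark, previous = chosen.get(key, (rule["fwmark"], None))
        if previous is not None and suppress is not None and previous != suppress:
            raise ConfigError(f"{name}: table {table} already uses {previous}")
        chosen[key] = (fwmark, previous if suppress is None else suppress)
    commands = []
    for (family, table), (fwmark, suppress) in chosen.items():
        cmd = ["ip", "-6"] if family == "ipv6" else ["ip"]
        cmd += ["rule", "add", "fwmark", fwmark, "table", str(table)]
        if suppress is not None:
            cmd += ["suppress_prefixlength", str(suppress)]
        commands.append(" ".join(cmd))
    return commands
```
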
a4619b5 to
d2734fb
Compare
Contributor
Author
Now it works!
CI integration ❌ failed!
Change summary
Add support for route suppression in policy routing by introducing
`set suppress-prefix-length` for `policy route` and `policy route6` rules.
This maps to Linux ip rule `suppress_prefixlength`, allowing operators to reuse main-table routes while suppressing prefixes up to a configured length.
What changed:
- `set suppress-prefix-length <0-128>`
- `suppress_prefixlength <N>` to generated `ip rule add ...` commands
- `suppress-prefix-length` requires `set table` or `set vrf`
- `suppress_prefixlength` rule presence
Files:
Types of changes
Related Task(s)
https://vyos.dev/T8244
Related PR(s)
How to test / Smoketest result
Checklist: