policy-route: T8244: add suppress-prefix-length support for PBR ip rules #4974

Open
jd82k wants to merge 1 commit into vyos:current from jd82k:policy-routing

@jd82k jd82k commented Feb 8, 2026

Change summary

Add support for route suppression in policy routing by introducing `set suppress-prefix-length` for `policy route` and `policy route6` rules.

This maps to Linux ip rule `suppress_prefixlength`, allowing operators to reuse main-table routes while suppressing prefixes up to a configured length.

What changed:

  • Added new CLI leaf:
    • `set suppress-prefix-length <0-128>`
    • wired into policy route common rule schema
  • Extended policy route apply logic to append:
    • `suppress_prefixlength <N>` to generated `ip rule add ...` commands
  • Added validation:
    • `suppress-prefix-length` requires `set table` or `set vrf`
    • range constrained by address family:
      • IPv4: 0..32
      • IPv6: 0..128
    • prevent conflicting suppress values for the same resolved table id
  • Added smoketests:
    • positive test for IPv4/IPv6 `suppress_prefixlength` rule presence
    • negative test ensuring commit fails on conflicting values for same table

Files:

  • interface-definitions/include/policy/route-common.xml.i
  • interface-definitions/include/policy/route-set-suppress-prefix-length.xml.i
  • src/conf_mode/policy_route.py
  • smoketest/scripts/cli/test_policy_route.py

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

https://vyos.dev/T8244

Related PR(s)

How to test / Smoketest result

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
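
The three validation rules listed in the description above, plus the command suffix, sketched as an added example. This is not the PR's code and not from `src/conf_mode/policy_route.py`; the rule dictionary keys, the `vrf_tables` mapping, the function names and the sample fwmark are assumptions made for illustration.

```python
# Added illustration: rule dict keys and vrf_tables are assumptions, not VyOS's config layout.
MAX_PREFIX = {"ipv4": 32, "ipv6": 128}


class ConfigError(ValueError):
    pass


def verify_suppress(rules, family, vrf_tables):
    """Return {table_id: suppress_length} or raise ConfigError.

    rules: {rule_id: {"table": int, "vrf": str, "suppress": int}}, all keys optional.
    vrf_tables: {vrf_name: table_id}, used to resolve 'set vrf' to a table id.
    """
    per_table = {}  # resolved table id -> (suppress length, first rule that set it)
    for rule_id in sorted(rules):
        rule = rules[rule_id]
        length = rule.get("suppress")
        if length is None:
            continue
        table = rule.get("table")
        if table is None and rule.get("vrf") is not None:
            table = vrf_tables.get(rule["vrf"])
        if table is None:
            raise ConfigError(f"rule {rule_id}: suppress-prefix-length requires set table or set vrf")
        if not 0 <= length <= MAX_PREFIX[family]:
            raise ConfigError(f"rule {rule_id}: {length} outside 0..{MAX_PREFIX[family]} for {family}")
        first_len, first_rule = per_table.setdefault(table, (length, rule_id))
        if first_len != length:
            raise ConfigError(f"rule {rule_id}: table {table} already uses "
                              f"suppress-prefix-length {first_len} (rule {first_rule})")
    return {table: length for table, (length, _) in per_table.items()}


def ip_rule_args(family, fwmark, table, suppress=None):
    """Build argv for one 'ip rule add'; suppress_prefixlength is appended last."""
    args = ["ip", "-6" if family == "ipv6" else "-4", "rule", "add",
            "fwmark", hex(fwmark), "table", str(table)]
    if suppress is not None:
        args += ["suppress_prefixlength", str(suppress)]
    return args


# Constructed sample: two rules resolve to table 100 and agree on length 0.
SAMPLE = {10: {"table": 100, "suppress": 0}, 20: {"vrf": "red", "suppress": 0}}
if __name__ == "__main__":
    for table, length in verify_suppress(SAMPLE, "ipv4", {"red": 100}).items():
        print(" ".join(ip_rule_args("ipv4", 0x64, table, length)))  # 0x64: constructed fwmark
```
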

github-actions bot commented Feb 8, 2026

👍
No issues in PR Title / Commit Title

jd82k commented Feb 9, 2026

I have read the CLA Document and I hereby sign the CLA

@jd82k jd82k force-pushed the policy-routing branch 3 times, most recently from b672226 to c2a5b75 February 10, 2026 20:56
@jd82k jd82k requested a review from c-po February 11, 2026 00:16

c-po commented Feb 15, 2026

Please rebase after #4991 is merged

@sever-sever sever-sever left a comment

Smoketests fail

 DEBUG - Running Testcase (20/90): /usr/libexec/vyos/tests/smoke/cli/test_policy_route.py
DEBUG - test_geoip (__main__.TestPolicyRoute.test_geoip) ... ok
DEBUG - test_pbr_group (__main__.TestPolicyRoute.test_pbr_group) ... ok
DEBUG - test_pbr_mark (__main__.TestPolicyRoute.test_pbr_mark) ... ok
DEBUG - test_pbr_mark_connection (__main__.TestPolicyRoute.test_pbr_mark_connection) ... ok
DEBUG - test_pbr_matching_criteria (__main__.TestPolicyRoute.test_pbr_matching_criteria) ... ok
DEBUG - test_pbr_table (__main__.TestPolicyRoute.test_pbr_table) ... ok
DEBUG - test_pbr_table_suppress_prefix_length (__main__.TestPolicyRoute.test_pbr_table_suppress_prefix_length) ... FAIL
DEBUG - test_pbr_table_suppress_prefix_length_conflict (__main__.TestPolicyRoute.test_pbr_table_suppress_prefix_length_conflict) ... ok
DEBUG - test_pbr_vrf (__main__.TestPolicyRoute.test_pbr_vrf) ... ok
DEBUG - 
DEBUG - ======================================================================
DEBUG - FAIL: test_pbr_table_suppress_prefix_length (__main__.TestPolicyRoute.test_pbr_table_suppress_prefix_length)
DEBUG - ----------------------------------------------------------------------
DEBUG - Traceback (most recent call last):
DEBUG -   File "/usr/libexec/vyos/tests/smoke/cli/test_policy_route.py", line 235, in test_pbr_table_suppress_prefix_length
DEBUG -     self.verify_nftables(nftables6_search, 'ip6 vyos_mangle')
DEBUG -   File "/usr/libexec/vyos/tests/smoke/cli/base_vyostest_shim.py", line 276, in verify_nftables
DEBUG -     self.assertTrue(not matched if inverse else matched, msg=search)
DEBUG - AssertionError: False is not true : ['meta l4proto tcp', 'th dport 443', 'meta mark set 0x7fffff01']
DEBUG - 
DEBUG - ----------------------------------------------------------------------
DEBUG - Ran 9 tests in 39.922s
DEBUG - 
DEBUG - FAILED (failures=1)

Add support for route suppression in policy routing by introducing
`set suppress-prefix-length` for `policy route` and `policy route6` rules.

This maps to Linux ip rule `suppress_prefixlength`, allowing operators to
reuse main-table routes while suppressing prefixes up to a configured length.

What changed:
- Added new CLI leaf:
  - `set suppress-prefix-length <0-128>`
  - wired into policy route common rule schema
- Extended policy route apply logic to append:
  - `suppress_prefixlength <N>` to generated `ip rule add ...` commands
- Added validation:
  - `suppress-prefix-length` requires `set table` or `set vrf`
  - range constrained by address family:
    - IPv4: 0..32
    - IPv6: 0..128
  - prevent conflicting suppress values for the same resolved table id
- Added smoketests:
  - positive test for IPv4/IPv6 `suppress_prefixlength` rule presence
  - negative test ensuring commit fails on conflicting values for same table

Files:
- `interface-definitions/include/policy/route-common.xml.i`
- `interface-definitions/policy_route.xml.in`
- `interface-definitions/include/policy/route-set-suppress-prefix-length-ipv4.xml.i`
- `interface-definitions/include/policy/route-set-suppress-prefix-length-ipv6.xml.i`
- `src/conf_mode/policy_route.py`
- `smoketest/scripts/cli/test_policy_route.py`

jd82k commented Feb 19, 2026

> Smoketests fail
>
> DEBUG - Running Testcase (20/90): /usr/libexec/vyos/tests/smoke/cli/test_policy_route.py
> DEBUG - test_geoip (__main__.TestPolicyRoute.test_geoip) ... ok
> DEBUG - test_pbr_group (__main__.TestPolicyRoute.test_pbr_group) ... ok
> DEBUG - test_pbr_mark (__main__.TestPolicyRoute.test_pbr_mark) ... ok
> DEBUG - test_pbr_mark_connection (__main__.TestPolicyRoute.test_pbr_mark_connection) ... ok
> DEBUG - test_pbr_matching_criteria (__main__.TestPolicyRoute.test_pbr_matching_criteria) ... ok
> DEBUG - test_pbr_table (__main__.TestPolicyRoute.test_pbr_table) ... ok
> DEBUG - test_pbr_table_suppress_prefix_length (__main__.TestPolicyRoute.test_pbr_table_suppress_prefix_length) ... FAIL
> DEBUG - test_pbr_table_suppress_prefix_length_conflict (__main__.TestPolicyRoute.test_pbr_table_suppress_prefix_length_conflict) ... ok
> DEBUG - test_pbr_vrf (__main__.TestPolicyRoute.test_pbr_vrf) ... ok
> DEBUG - 
> DEBUG - ======================================================================
> DEBUG - FAIL: test_pbr_table_suppress_prefix_length (__main__.TestPolicyRoute.test_pbr_table_suppress_prefix_length)
> DEBUG - ----------------------------------------------------------------------
> DEBUG - Traceback (most recent call last):
> DEBUG -   File "/usr/libexec/vyos/tests/smoke/cli/test_policy_route.py", line 235, in test_pbr_table_suppress_prefix_length
> DEBUG -     self.verify_nftables(nftables6_search, 'ip6 vyos_mangle')
> DEBUG -   File "/usr/libexec/vyos/tests/smoke/cli/base_vyostest_shim.py", line 276, in verify_nftables
> DEBUG -     self.assertTrue(not matched if inverse else matched, msg=search)
> DEBUG - AssertionError: False is not true : ['meta l4proto tcp', 'th dport 443', 'meta mark set 0x7fffff01']
> DEBUG - 
> DEBUG - ----------------------------------------------------------------------
> DEBUG - Ran 9 tests in 39.922s
> DEBUG - 
> DEBUG - FAILED (failures=1)

Now it works!

CI integration ❌ failed!

Details

CI logs

  • CLI Smoketests ❌ failed
  • CLI Smoketests (interfaces only) 👍 passed
  • Config tests 👍 passed
  • RAID1 tests 👍 passed
  • CLI Smoketests VPP 👍 passed
  • Config tests VPP 👍 passed
  • TPM tests 👍 passed
