[mirror_frr.git] / doc / user / pbr.rst

.. _pbr:

***
PBR
***

:abbr:`PBR` is Policy Based Routing.  This implementation supports a very simple
interface to allow admins to influence routing on their router.  At this time
you can only match on destination and source prefixes for an incoming interface.
At this point in time, this implementation will only work on Linux.

.. _starting-pbr:

Starting PBR
============

Default configuration file for *pbrd* is :file:`pbrd.conf`.  The typical
location of :file:`pbrd.conf` is |INSTALL_PREFIX_ETC|/pbrd.conf.

If the user is using integrated config, then :file:`pbrd.conf` need not be
present and the :file:`frr.conf` is read instead.

.. program:: pbrd

:abbr:`PBR` supports all the common FRR daemon start options which are
documented elsewhere.

.. _nexthop-groups:

Nexthop Groups
==============

Nexthop groups are a way to encapsulate ECMP information together.  It's a
listing of ECMP nexthops used to forward packets for when a pbr-map is matched.

.. clicmd:: nexthop-group NAME

   Create a nexthop-group with an associated NAME.  This will put you into a
   sub-mode where you can specify individual nexthops.  To exit this mode type
   exit or end as per normal conventions for leaving a sub-mode.

.. clicmd:: nexthop [A.B.C.D|X:X::X:XX] [interface [onlink]] [nexthop-vrf NAME] [label LABELS]

   Create a v4 or v6 nexthop.  All normal rules for creating nexthops that you
   are used to are allowed here.  The syntax was intentionally kept the same as
   creating nexthops as you would for static routes.

.. clicmd:: [no] pbr table range (10000-4294966272) (10000-4294966272)

   Set or unset the range used to assign numeric table ID's to new
   nexthop-group tables. Existing tables will not be modified to fit in this
   range, so it is recommended to configure this before adding nexthop groups.

   .. seealso:: :ref:`pbr-details`

Showing Nexthop Group Information
---------------------------------

.. clicmd:: show pbr nexthop-groups [NAME] [json]

   Display information on a PBR nexthop-group. If ``NAME`` is omitted, all
   nexthop groups are shown. Setting ``json`` will provide the same
   information in an array of objects which obey the schema below:

   +-----------+----------------------------+---------+
   | Key       | Description                | Type    |
   +===========+============================+=========+
   | id        | Unique ID                  | Integer |
   +-----------+----------------------------+---------+
   | name      | Name of this group         | String  |
   +-----------+----------------------------+---------+
   | valid     | Is this group well-formed? | Boolean |
   +-----------+----------------------------+---------+
   | installed | ... and is it installed?   | Boolean |
   +-----------+----------------------------+---------+
   | nexthops  | Nexthops within this group | Array   |
   +-----------+----------------------------+---------+

   Each element within ``nexthops`` describes a single target within this
   group, and its structure is described by the JSON below:

   +---------+------------------------------+---------+
   | Key     | Description                  | Type    |
   +=========+==============================+=========+
   | nexthop | Name of this nexthop         | String  |
   +---------+------------------------------+---------+
   | valid   | Is this nexthop well-formed? | Boolean |
   +---------+------------------------------+---------+

.. _pbr-maps:

PBR Maps
========

PBR maps are a way to group policies that we would like to apply to individual
interfaces. These policies when applied are matched against incoming packets.
If matched the nexthop-group or nexthop is used to forward the packets to the
end destination.

.. clicmd:: pbr-map NAME seq (1-700)

   Create a pbr-map with NAME and sequence number specified.  This command puts
   you into a new submode for pbr-map specification.  To exit this mode type
   exit or end as per normal conventions for leaving a sub-mode.

.. clicmd:: match src-ip PREFIX

   When a incoming packet matches the source prefix specified, take the packet
   and forward according to the nexthops specified.  This command accepts both
   v4 and v6 prefixes.  This command is used in conjunction of the
   :clicmd:`match dst-ip PREFIX` command for matching.

.. clicmd:: match dst-ip PREFIX

   When a incoming packet matches the destination prefix specified, take the
   packet and forward according to the nexthops specified.  This command accepts
   both v4 and v6 prefixes.  This command is used in conjunction of the
   :clicmd:`match src-ip PREFIX` command for matching.

.. clicmd:: match mark (1-4294967295)

   Select the mark to match.  This is a linux only command and if attempted
   on another platform it will be denied.  This mark translates to the
   underlying `ip rule .... fwmark XXXX` command.

.. clicmd:: match dscp (DSCP|0-63)

   Match packets according to the specified differentiated services code point
   (DSCP) in the IP header; if this value matches then forward the packet
   according to the nexthop(s) specified. The passed DSCP value may also be a
   standard name for a differentiated service code point like cs0 or af11.

   You may only specify one dscp per route map sequence; to match on multiple
   dscp values you will need to create several sequences, one for each value.

.. clicmd:: match ecn (0-3)

   Match packets according to the specified explicit congestion notification
   (ECN) field in the IP header; if this value matches then forward the packet
   according to the nexthop(s) specified.

.. clicmd:: set nexthop-group NAME

   Use the nexthop-group NAME as the place to forward packets when the match
   commands have matched a packet.

.. clicmd:: set nexthop [A.B.C.D|X:X::X:XX] [interface] [nexthop-vrf NAME]

   Use this individual nexthop as the place to forward packets when the match
   commands have matched a packet.

.. clicmd:: set vrf unchanged|NAME

   If unchanged is set, the rule will use the vrf table the interface is in
   as its lookup. If NAME is specified, the rule will use that vrf table as
   its lookup.

   Not supported with NETNS VRF backend.

.. clicmd:: show pbr map [NAME] [detail|json]

   Display pbr maps either all or by ``NAME``. If ``detail`` is set, it will
   give information about the rules unique ID used internally and some extra
   debugging information about install state for the nexthop/nexthop group.
   Setting ``json`` will provide the same information in an array of objects
   which obey the schema below:

   +----------+--------------------------------+---------+
   | Key      | Description                    | Type    |
   +==========+================================+=========+
   | name     | Map name                       | String  |
   +----------+--------------------------------+---------+
   | valid    | Is the map well-formed?        | Boolean |
   +----------+--------------------------------+---------+
   | policies | Rules to match packets against | Array   |
   +----------+--------------------------------+---------+

   Each element of the ``policies`` array is composed of a handful of objects
   representing the policies associated with this map. Each policy is
   described as below (not all fields are required):

   +-----------------+-------------------------------------------+---------+
   | Key             | Description                               | Type    |
   +=================+===========================================+=========+
   | id              | Unique ID                                 | Integer |
   +-----------------+-------------------------------------------+---------+
   | sequenceNumber  | Order of this policy within the map       | Integer |
   +-----------------+-------------------------------------------+---------+
   | ruleNumber      | Rule number to install into               | Integer |
   +-----------------+-------------------------------------------+---------+
   | vrfUnchanged    | Use interface's VRF                       | Boolean |
   +-----------------+-------------------------------------------+---------+
   | installed       | Is this policy installed?                 | Boolean |
   +-----------------+-------------------------------------------+---------+
   | installedReason | Why (or why not?)                         | String  |
   +-----------------+-------------------------------------------+---------+
   | matchSrc        | Match packets with this source address    | String  |
   +-----------------+-------------------------------------------+---------+
   | matchDst        | ... or with this destination address      | String  |
   +-----------------+-------------------------------------------+---------+
   | matchMark       | ... or with this marker                   | Integer |
   +-----------------+-------------------------------------------+---------+
   | vrfName         | Associated VRF (if relevant)              | String  |
   +-----------------+-------------------------------------------+---------+
   | nexthopGroup    | This policy's nexthop group (if relevant) | Object  |
   +-----------------+-------------------------------------------+---------+

   Finally, the ``nexthopGroup`` object above cotains information we know
   about the configured nexthop for this policy:

   +---------------------+--------------------------------------+---------+
   | Key                 | Description                          | Type    |
   +=====================+======================================+=========+
   | tableId             | Nexthop table ID                     | Integer |
   +---------------------+--------------------------------------+---------+
   | name                | Name of the nexthop group            | String  |
   +---------------------+--------------------------------------+---------+
   | installed           | Is this nexthop group installed?     | Boolean |
   +---------------------+--------------------------------------+---------+
   | installedInternally | Do we think this group is installed? | Integer |
   +---------------------+--------------------------------------+---------+

.. _pbr-policy:

PBR Policy
==========

After you have specified a PBR map, in order for it to be turned on, you must
apply the PBR map to an interface.  This policy application to an interface
causes the policy to be installed into the kernel.

.. index:: pbr-policy
.. clicmd:: pbr-policy NAME

   This command is available under interface sub-mode.  This turns
   on the PBR map NAME and allows it to work properly.

.. note::
   This will not dynamically create PBR maps on sub-interfaces (i.e. vlans)
   even if one is on the master. Each must have the PBR map explicitly added
   to the interface.

.. clicmd:: show pbr interface [NAME] [json]

   Enumerates all interfaces which ``pbrd`` is keeping track of. Passing
   ``json`` will return an array of interfaces; each returned interface will
   adhere to the JSON schema below:

   +--------+----------------------------+---------+
   | Key    | Description                | Type    |
   +========+============================+=========+
   | name   | Interface name             | String  |
   +--------+----------------------------+---------+
   | index  | Device Index               | Integer |
   +--------+----------------------------+---------+
   | policy | PBR map for this interface | String  |
   +--------+----------------------------+---------+
   | valid  | Is the map well-formed?    | Boolean |
   +--------+----------------------------+---------+

.. _pbr-details:

PBR Details
===========

Under the covers a PBR map is translated into two separate constructs in the
Linux kernel.

.. index:: PBR Rules

The PBR map specified creates a `ip rule ...` that is inserted into the Linux
kernel that points to a table to use for forwarding once the rule matches.

.. index:: PBR Tables

The creation of a nexthop or nexthop-group is translated to a default route in a
table with the nexthops specified as the nexthops for the default route.
Commit	Line	Data
a6c93cb2 DS	1	.. _pbr:
	2
	3	***
	4	PBR
	5	***
	6
6568993b QY	7	:abbr:`PBR` is Policy Based Routing. This implementation supports a very simple
	8	interface to allow admins to influence routing on their router. At this time
	9	you can only match on destination and source prefixes for an incoming interface.
	10	At this point in time, this implementation will only work on Linux.
a6c93cb2 DS	11
	12	.. _starting-pbr:
	13
6568993b	14	Starting PBR
a6c93cb2 DS	15	============
	16
	17	Default configuration file for pbrd is :file:`pbrd.conf`. The typical
	18	location of :file:`pbrd.conf` is \|INSTALL_PREFIX_ETC\|/pbrd.conf.
	19
6568993b QY	20	If the user is using integrated config, then :file:`pbrd.conf` need not be
6568993b QY	21	present and the :file:`frr.conf` is read instead.
a6c93cb2 DS	22
	23	.. program:: pbrd
	24
	25	:abbr:`PBR` supports all the common FRR daemon start options which are
	26	documented elsewhere.
	27
	28	.. _nexthop-groups:
	29
6568993b	30	Nexthop Groups
a6c93cb2 DS	31	==============
	32
	33	Nexthop groups are a way to encapsulate ECMP information together. It's a
6568993b	34	listing of ECMP nexthops used to forward packets for when a pbr-map is matched.
a6c93cb2	35
a6c93cb2 DS	36	.. clicmd:: nexthop-group NAME
a6c93cb2 DS	37
6568993b QY	38	Create a nexthop-group with an associated NAME. This will put you into a
	39	sub-mode where you can specify individual nexthops. To exit this mode type
	40	exit or end as per normal conventions for leaving a sub-mode.
a6c93cb2	41
54c6fa8e	42	.. clicmd:: nexthop [A.B.C.D\|X:X::X:XX] [interface [onlink]] [nexthop-vrf NAME] [label LABELS]
a6c93cb2	43
6568993b QY	44	Create a v4 or v6 nexthop. All normal rules for creating nexthops that you
	45	are used to are allowed here. The syntax was intentionally kept the same as
	46	creating nexthops as you would for static routes.
	47
2e7c93ac QY	48	.. clicmd:: [no] pbr table range (10000-4294966272) (10000-4294966272)
	49
	50	Set or unset the range used to assign numeric table ID's to new
	51	nexthop-group tables. Existing tables will not be modified to fit in this
	52	range, so it is recommended to configure this before adding nexthop groups.
	53
	54	.. seealso:: :ref:`pbr-details`
	55
	56	Showing Nexthop Group Information
	57	---------------------------------
	58
010dd8ed	59	.. clicmd:: show pbr nexthop-groups [NAME] [json]
2e7c93ac QY	60
2e7c93ac QY	61	Display information on a PBR nexthop-group. If ``NAME`` is omitted, all
144fd50f WC	62	nexthop groups are shown. Setting ``json`` will provide the same
	63	information in an array of objects which obey the schema below:
	64
3e81618d WC	65	+-----------+----------------------------+---------+
	66	\| Key \| Description \| Type \|
	67	+===========+============================+=========+
	68	\| id \| Unique ID \| Integer \|
	69	+-----------+----------------------------+---------+
	70	\| name \| Name of this group \| String \|
	71	+-----------+----------------------------+---------+
	72	\| valid \| Is this group well-formed? \| Boolean \|
	73	+-----------+----------------------------+---------+
	74	\| installed \| ... and is it installed? \| Boolean \|
	75	+-----------+----------------------------+---------+
	76	\| nexthops \| Nexthops within this group \| Array \|
	77	+-----------+----------------------------+---------+
144fd50f WC	78
	79	Each element within ``nexthops`` describes a single target within this
	80	group, and its structure is described by the JSON below:
	81
	82	+---------+------------------------------+---------+
	83	\| Key \| Description \| Type \|
	84	+=========+==============================+=========+
3e81618d	85	\| nexthop \| Name of this nexthop \| String \|
144fd50f	86	+---------+------------------------------+---------+
3e81618d	87	\| valid \| Is this nexthop well-formed? \| Boolean \|
144fd50f	88	+---------+------------------------------+---------+
2e7c93ac	89
a6c93cb2 DS	90	.. _pbr-maps:
a6c93cb2 DS	91
6568993b	92	PBR Maps
a6c93cb2 DS	93	========
a6c93cb2 DS	94
2e7c93ac QY	95	PBR maps are a way to group policies that we would like to apply to individual
	96	interfaces. These policies when applied are matched against incoming packets.
	97	If matched the nexthop-group or nexthop is used to forward the packets to the
	98	end destination.
a6c93cb2	99
e5436163	100	.. clicmd:: pbr-map NAME seq (1-700)
a6c93cb2	101
6568993b QY	102	Create a pbr-map with NAME and sequence number specified. This command puts
	103	you into a new submode for pbr-map specification. To exit this mode type
	104	exit or end as per normal conventions for leaving a sub-mode.
a6c93cb2	105
6568993b	106	.. clicmd:: match src-ip PREFIX
a6c93cb2	107
6568993b QY	108	When a incoming packet matches the source prefix specified, take the packet
	109	and forward according to the nexthops specified. This command accepts both
	110	v4 and v6 prefixes. This command is used in conjunction of the
	111	:clicmd:`match dst-ip PREFIX` command for matching.
a6c93cb2	112
6568993b	113	.. clicmd:: match dst-ip PREFIX
a6c93cb2	114
6568993b QY	115	When a incoming packet matches the destination prefix specified, take the
6568993b QY	116	packet and forward according to the nexthops specified. This command accepts
56f0bea7	117	both v4 and v6 prefixes. This command is used in conjunction of the
6568993b	118	:clicmd:`match src-ip PREFIX` command for matching.
a6c93cb2	119
a547ef39 DS	120	.. clicmd:: match mark (1-4294967295)
	121
	122	Select the mark to match. This is a linux only command and if attempted
	123	on another platform it will be denied. This mark translates to the
	124	underlying `ip rule .... fwmark XXXX` command.
	125
116b86bd	126	.. clicmd:: match dscp (DSCP\|0-63)
01f23aff WC	127
	128	Match packets according to the specified differentiated services code point
	129	(DSCP) in the IP header; if this value matches then forward the packet
116b86bd WC	130	according to the nexthop(s) specified. The passed DSCP value may also be a
	131	standard name for a differentiated service code point like cs0 or af11.
	132
	133	You may only specify one dscp per route map sequence; to match on multiple
	134	dscp values you will need to create several sequences, one for each value.
01f23aff WC	135
	136	.. clicmd:: match ecn (0-3)
	137
	138	Match packets according to the specified explicit congestion notification
	139	(ECN) field in the IP header; if this value matches then forward the packet
	140	according to the nexthop(s) specified.
	141
a6c93cb2 DS	142	.. clicmd:: set nexthop-group NAME
a6c93cb2 DS	143
6568993b QY	144	Use the nexthop-group NAME as the place to forward packets when the match
6568993b QY	145	commands have matched a packet.
a6c93cb2 DS	146
	147	.. clicmd:: set nexthop [A.B.C.D\|X:X::X:XX] [interface] [nexthop-vrf NAME]
	148
6568993b QY	149	Use this individual nexthop as the place to forward packets when the match
6568993b QY	150	commands have matched a packet.
a6c93cb2	151
be3b67b5 SW	152	.. clicmd:: set vrf unchanged\|NAME
	153
	154	If unchanged is set, the rule will use the vrf table the interface is in
	155	as its lookup. If NAME is specified, the rule will use that vrf table as
	156	its lookup.
	157
	158	Not supported with NETNS VRF backend.
	159
1a8cafe1	160	.. clicmd:: show pbr map [NAME] [detail\|json]
b781c086 SW	161
	162	Display pbr maps either all or by ``NAME``. If ``detail`` is set, it will
	163	give information about the rules unique ID used internally and some extra
	164	debugging information about install state for the nexthop/nexthop group.
144fd50f WC	165	Setting ``json`` will provide the same information in an array of objects
	166	which obey the schema below:
	167
3e81618d WC	168	+----------+--------------------------------+---------+
	169	\| Key \| Description \| Type \|
	170	+==========+================================+=========+
	171	\| name \| Map name \| String \|
	172	+----------+--------------------------------+---------+
	173	\| valid \| Is the map well-formed? \| Boolean \|
	174	+----------+--------------------------------+---------+
	175	\| policies \| Rules to match packets against \| Array \|
	176	+----------+--------------------------------+---------+
144fd50f	177
f9368f89	178	Each element of the ``policies`` array is composed of a handful of objects
144fd50f WC	179	representing the policies associated with this map. Each policy is
	180	described as below (not all fields are required):
	181
	182	+-----------------+-------------------------------------------+---------+
	183	\| Key \| Description \| Type \|
	184	+=================+===========================================+=========+
	185	\| id \| Unique ID \| Integer \|
	186	+-----------------+-------------------------------------------+---------+
	187	\| sequenceNumber \| Order of this policy within the map \| Integer \|
	188	+-----------------+-------------------------------------------+---------+
	189	\| ruleNumber \| Rule number to install into \| Integer \|
	190	+-----------------+-------------------------------------------+---------+
	191	\| vrfUnchanged \| Use interface's VRF \| Boolean \|
	192	+-----------------+-------------------------------------------+---------+
3e81618d	193	\| installed \| Is this policy installed? \| Boolean \|
144fd50f WC	194	+-----------------+-------------------------------------------+---------+
	195	\| installedReason \| Why (or why not?) \| String \|
	196	+-----------------+-------------------------------------------+---------+
	197	\| matchSrc \| Match packets with this source address \| String \|
	198	+-----------------+-------------------------------------------+---------+
	199	\| matchDst \| ... or with this destination address \| String \|
	200	+-----------------+-------------------------------------------+---------+
	201	\| matchMark \| ... or with this marker \| Integer \|
	202	+-----------------+-------------------------------------------+---------+
	203	\| vrfName \| Associated VRF (if relevant) \| String \|
	204	+-----------------+-------------------------------------------+---------+
	205	\| nexthopGroup \| This policy's nexthop group (if relevant) \| Object \|
	206	+-----------------+-------------------------------------------+---------+
	207
	208	Finally, the ``nexthopGroup`` object above cotains information we know
	209	about the configured nexthop for this policy:
	210
3e81618d WC	211	+---------------------+--------------------------------------+---------+
	212	\| Key \| Description \| Type \|
	213	+=====================+======================================+=========+
	214	\| tableId \| Nexthop table ID \| Integer \|
	215	+---------------------+--------------------------------------+---------+
	216	\| name \| Name of the nexthop group \| String \|
	217	+---------------------+--------------------------------------+---------+
	218	\| installed \| Is this nexthop group installed? \| Boolean \|
	219	+---------------------+--------------------------------------+---------+
	220	\| installedInternally \| Do we think this group is installed? \| Integer \|
	221	+---------------------+--------------------------------------+---------+
b781c086	222
a6c93cb2 DS	223	.. _pbr-policy:
a6c93cb2 DS	224
6568993b	225	PBR Policy
a6c93cb2 DS	226	==========
a6c93cb2 DS	227
6568993b QY	228	After you have specified a PBR map, in order for it to be turned on, you must
	229	apply the PBR map to an interface. This policy application to an interface
	230	causes the policy to be installed into the kernel.
a6c93cb2	231
6568993b	232	.. index:: pbr-policy
a6c93cb2 DS	233	.. clicmd:: pbr-policy NAME
a6c93cb2 DS	234
6568993b QY	235	This command is available under interface sub-mode. This turns
6568993b QY	236	on the PBR map NAME and allows it to work properly.
a6c93cb2	237
5aad6a56 SW	238	.. note::
	239	This will not dynamically create PBR maps on sub-interfaces (i.e. vlans)
	240	even if one is on the master. Each must have the PBR map explicitly added
	241	to the interface.
	242
9667c597 WC	243	.. clicmd:: show pbr interface [NAME] [json]
	244
	245	Enumerates all interfaces which ``pbrd`` is keeping track of. Passing
	246	``json`` will return an array of interfaces; each returned interface will
	247	adhere to the JSON schema below:
	248
3e81618d WC	249	+--------+----------------------------+---------+
	250	\| Key \| Description \| Type \|
	251	+========+============================+=========+
	252	\| name \| Interface name \| String \|
	253	+--------+----------------------------+---------+
	254	\| index \| Device Index \| Integer \|
	255	+--------+----------------------------+---------+
	256	\| policy \| PBR map for this interface \| String \|
	257	+--------+----------------------------+---------+
	258	\| valid \| Is the map well-formed? \| Boolean \|
	259	+--------+----------------------------+---------+
9667c597	260
a6c93cb2 DS	261	.. _pbr-details:
a6c93cb2 DS	262
6568993b	263	PBR Details
a6c93cb2 DS	264	===========
a6c93cb2 DS	265
6568993b QY	266	Under the covers a PBR map is translated into two separate constructs in the
	267	Linux kernel.
	268
	269	.. index:: PBR Rules
a6c93cb2	270
6568993b QY	271	The PBR map specified creates a `ip rule ...` that is inserted into the Linux
6568993b QY	272	kernel that points to a table to use for forwarding once the rule matches.
a6c93cb2	273
6568993b	274	.. index:: PBR Tables
a6c93cb2	275
6568993b QY	276	The creation of a nexthop or nexthop-group is translated to a default route in a
6568993b QY	277	table with the nexthops specified as the nexthops for the default route.
a6c93cb2	278