netplan/systemd-networkd: route metric not applied to routes to the local subnet
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
cloud-init (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
netplan.io (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
systemd (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Focal |
Fix Committed
|
Undecided
|
Unassigned |
Bug Description
[SRU TEMPLATE]
[DESCRIPTION]
Cloud-init introduced a feature to configure policy routing on AWS EC2 instances with multiple NICs in
https:/
Cloud-init generates the following netplan config:
```
$ cat /etc/netplan/
network:
ethernets:
ens5:
dhcp4: true
dhcp6: true
match:
ens6:
dhcp4: true
dhcp6: false
match:
routes:
- table: 101
to: 0.0.0.0/0
- table: 101
to: 192.168.0.0/20
- from: 192.168.10.212
version: 2
```
Which renders the following systemd-networkd config files:
```
$ cat 10-netplan-
[Match]
MACAddress=
[Link]
Name=ens5
WakeOnLan=off
$ cat 10-netplan-
[Match]
MACAddress=
Name=ens5
[Network]
DHCP=yes
LinkLocalAddres
[DHCP]
RouteMetric=100
UseMTU=true
$ cat 10-netplan-
[Match]
MACAddress=
[Link]
Name=ens6
WakeOnLan=off
$ cat 10-netplan-
[Match]
MACAddress=
Name=ens6
[Network]
DHCP=ipv4
LinkLocalAddres
[Route]
Destination=
Gateway=192.168.0.1
Table=101
[Route]
Destination=
Scope=link
Table=101
[RoutingPolicyRule]
From=192.168.10.212
Table=101
[DHCP]
RouteMetric=200
UseMTU=true
```
Which configures the instance with the following state in Ubuntu Focal:
```
$ ip a
1: lo: <LOOPBACK,
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens5: <BROADCAST,
link/ether 0a:c8:ab:90:c2:fb brd ff:ff:ff:ff:ff:ff
inet 192.168.12.94/20 brd 192.168.15.255 scope global dynamic ens5
valid_lft 2087sec preferred_lft 2087sec
inet6 2a05:d012:
valid_lft 440sec preferred_lft 130sec
inet6 fe80::8c8:
valid_lft forever preferred_lft forever
3: ens6: <BROADCAST,
link/ether 0a:c6:55:a1:dc:3b brd ff:ff:ff:ff:ff:ff
inet 192.168.10.212/20 brd 192.168.15.255 scope global dynamic ens6
valid_lft 2083sec preferred_lft 2083sec
inet6 fe80::8c6:
valid_lft forever preferred_lft forever
$ ip route show
default via 192.168.0.1 dev ens5 proto dhcp src 192.168.12.94 metric 100
default via 192.168.0.1 dev ens6 proto dhcp src 192.168.10.212 metric 200
192.168.0.0/20 dev ens5 proto kernel scope link src 192.168.12.94
192.168.0.0/20 dev ens6 proto kernel scope link src 192.168.10.212
192.168.0.1 dev ens5 proto dhcp scope link src 192.168.12.94 metric 100
192.168.0.1 dev ens6 proto dhcp scope link src 192.168.10.212 metric 200
$ ip rule show
0: from all lookup local
0: from 192.168.10.212 lookup 101
32766: from all lookup main
32767: from all lookup default
$ ip route show table 101
default via 192.168.0.1 dev ens6 proto static onlink
192.168.0.0/20 dev ens6 proto static scope link
```
The issue here is that the instance is not reachable from the same subnet via the private ipv4 of the primary NIC,
packets are routed to egress via ens6 and dropped.
The cause is that interface metrics are not applied to local subnet routes with systemd 245 (245.4-
On newer systemd versions, as in Jammy, the metrics are correctly applied.
Correcting them manually fixes the issue in Focal.
Expected main route table:
default via 192.168.0.1 dev ens5 proto dhcp src 192.168.12.94 metric 100
default via 192.168.0.1 dev ens6 proto dhcp src 192.168.10.212 metric 200
192.168.0.0/20 dev ens5 proto kernel scope link src 192.168.12.94 metric 100
192.168.0.0/20 dev ens6 proto kernel scope link src 192.168.10.212 metric 200
192.168.0.1 dev ens5 proto dhcp scope link src 192.168.12.94 metric 100
192.168.0.1 dev ens6 proto dhcp scope link src 192.168.10.212 metric 200
It looks like the upstream systemd issue and PR fixing this problem are:
https:/
https:/
[TESTING]
As described above.
[REGRESSION POTENTIAL]
The backport targets Focal.
The fixing patches are touching network related code, regression potential would regard networking part of systemd,
especially in address configuration.
In particualar:
* https:/
This patch adds sd_netlink_
* https:/
This one just adds missing address types
* https:/
This one is adds the RouteMetric option for [Address]. Adds code to address_configure() function.
* https:/
This one adds the RouteMetric option to [DHCPv4]
[OTHER]
The upstream patches fixing this issue are the following :
https:/
https:/
https:/
https:/
They originate in PR [1] and backported for focal in MR [2].
There's also a test package in [3].
[1] https:/
[2] https:/
[3] https:/
Related branches
- Nick Rosbrook: Needs Fixing
-
Diff: 341 lines (+309/-0)5 files modifieddebian/patches/lp2055397/0001-sd-netlink-introduce-sd_netlink_message_append_s8-an.patch (+117/-0)
debian/patches/lp2055397/0002-sd-netlink-add-missing-address-types.patch (+33/-0)
debian/patches/lp2055397/0003-network-add-RouteMetric-setting-in-Address-section.patch (+132/-0)
debian/patches/lp2055397/0004-network-dhcp4-also-apply-RouteMetric-setting-in-DHCP.patch (+23/-0)
debian/patches/series (+4/-0)
no longer affects: | systemd (Ubuntu) |
no longer affects: | systemd (Ubuntu) |
no longer affects: | cloud-init (Ubuntu Focal) |
no longer affects: | netplan.io (Ubuntu Focal) |
Changed in systemd (Ubuntu): | |
status: | New → Fix Released |
Changed in cloud-init (Ubuntu): | |
status: | New → Invalid |
description: | updated |
Marking cloud-init as invalid as I think there is no workaround to fix this issue.
Adding netplan.io for reference and awareness.
After confirmation from systemd-networkd, I wonder if it would be feasible / reasonable to backport https:/ /github. com/systemd/ systemd/ pull/19344 to focal.