Todo #13058

Add static routes and directly connected networks back to policy route negation rules

Added by Jim Pingle almost 2 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Rules / NAT
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default

Description

The negate_networks list for automatic policy route negation rules used to include VPNs, static routes, and directly connected networks. It was adjusted at various points over the years as people felt it was passing more than users wanted, though. See #12535 for part of that. At some point after the static route and direct network parts were removed, the logic on the rules was fixed so they wouldn't pass more than intended but the content was never put back the way it was.

We should bring back the original intent of the behavior. It should go back to including static route and directly connected networks. Since the code only triggers on a destination of 'any' it should be safe these days.

We could make this configurable by the user. Currently there is an option to disable the negation rules entirely but it could be a multiple choice:

  • VPNs, static routes, and directly connected networks
  • VPNs only
  • Static routes and directly connected networks only
  • Disable

And on upgrade it could map unset=disabled, and set=VPNs only.
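As an added illustration (not pfSense's own code) of the behaviour the description relies on: the negation rule is generated only for a policy-routing rule whose destination is 'any', and it copies the rule's remaining match criteria so it passes no more than the policy rule itself would. The network lists, option names and rule fields below are constructed for this example.

```python
# Illustrative model of automatic policy route negation (added example,
# not pfSense code). Option names, rule fields and networks are assumed.
from ipaddress import ip_network

# Constructed sample data for the three network sources named in the issue.
VPN_NETWORKS = ["10.8.0.0/24"]                       # tunnel network
STATIC_ROUTES = ["192.168.50.0/24"]                  # reached via a LAN router
DIRECT_NETWORKS = ["192.168.1.0/24", "10.0.0.0/24"]  # interface subnets

# The proposed multiple-choice setting; the key names are assumptions.
NEGATE_OPTIONS = {
    "all": ("vpn", "static", "direct"),
    "vpn": ("vpn",),
    "static": ("static", "direct"),
    "disabled": (),
}


def negate_networks(option):
    """Networks that must keep following the routing table for this option."""
    pools = {"vpn": VPN_NETWORKS, "static": STATIC_ROUTES,
             "direct": DIRECT_NETWORKS}
    nets = set()
    for key in NEGATE_OPTIONS[option]:
        nets.update(pools[key])
    return sorted(nets, key=ip_network)


def negation_rule(rule, option):
    """Build the pf rule placed before a policy-routing rule so that traffic
    to local networks is not forced out the gateway.

    Returns None when no negation applies: the rule has no gateway, its
    destination is not 'any', or the chosen option yields no networks.
    """
    if not rule.get("gateway") or rule["dst"] != "any":
        return None
    nets = negate_networks(option)
    if not nets:
        return None
    # Reuse every match criterion except the gateway; a negation rule that
    # matched more broadly would pass traffic the policy rule never would.
    port = f" port {rule['dstport']}" if rule.get("dstport") else ""
    table = " ".join(nets)
    return (f"pass quick on {rule['iface']} proto {rule['proto']} "
            f"from {rule['src']} to {{ {table} }}{port} keep state")


# Constructed policy-routing rule: LAN HTTPS traffic forced out a second WAN.
POLICY_RULE = {"iface": "lan", "proto": "tcp", "src": "192.168.1.0/24",
               "dst": "any", "dstport": "443", "gateway": "WAN2_DHCP"}
```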


Related issues

Related to Todo #13052: Consolidate vpn_networks and negate_networks tables (Rejected)

#1

Updated by Jim Pingle almost 2 years ago

  • Related to Correction #12535: Negate Rules function does not match the description added
#2

Updated by Jim Pingle almost 2 years ago

  • Related to Todo #13052: Consolidate vpn_networks and negate_networks tables added