Todo #13058: Add static routes and directly connected networks back to policy route negation rules
Status: open
Description
The negate_networks list for automatic policy route negation rules used to include VPNs, static routes, and directly connected networks. It was adjusted at various points over the years, though, as people felt it was passing more than users wanted. See #12535 for part of that. At some point after the static route and directly connected network parts were removed, the logic on the rules was fixed so they wouldn't pass more than intended, but the content was never put back the way it was.
We should bring back the original intent of the behavior. It should go back to including static route and directly connected networks. Since the code only triggers on a destination of 'any', it should be safe these days.
We could make this configurable by the user. Currently there is an option to disable the negation rules entirely, but it could become a multiple-choice option:
- VPNs, static routes, and directly connected networks
- VPNs only
- Static routes and directly connected networks only
- Disable
And on upgrade it could map unset=disabled, and set=VPNs only.
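To make the proposal concrete, the following is an added, hypothetical model of the behaviour described in this ticket, written for this page and not taken from pfSense's code. The mode names, the `build_negate_networks`/`effective_path` functions and the sample topology are all assumptions constructed here. It shows what each proposed choice puts into the negate list, that negation is only considered when the rule's destination is 'any', and which destinations a destination-'any' policy route would force out its gateway under each mode (the VPNs-only mode sends traffic for static-route and directly connected networks out the policy gateway, which is the behaviour the ticket wants to restore negation for).

```python
import ipaddress

# Values for the proposed multiple-choice option. These names are this
# example's own assumptions, not identifiers from pfSense.
MODE_ALL = "vpns_static_direct"
MODE_VPNS_ONLY = "vpns_only"
MODE_STATIC_DIRECT_ONLY = "static_direct_only"
MODE_DISABLED = "disabled"


def build_negate_networks(mode, vpn_networks, static_route_networks, direct_networks):
    """Assemble the negate list for the chosen mode (constructed model, not pfSense code).

    Returns a de-duplicated list of ip_network objects, in order of appearance.
    """
    selected = []
    if mode == MODE_DISABLED:
        return selected
    if mode in (MODE_ALL, MODE_VPNS_ONLY):
        selected.extend(vpn_networks)
    if mode in (MODE_ALL, MODE_STATIC_DIRECT_ONLY):
        selected.extend(static_route_networks)
        selected.extend(direct_networks)
    seen = set()
    result = []
    for entry in selected:
        net = ipaddress.ip_network(entry, strict=False)
        if net not in seen:
            seen.add(net)
            result.append(net)
    return result


def negation_applies(rule_destination):
    """Automatic negation rules are only generated when the policy route's
    destination is 'any'; a more specific destination never triggers them."""
    return rule_destination == "any"


def effective_path(dst_ip, rule_destination, rule_gateway, negate_networks):
    """Where a packet to dst_ip ends up under one policy route rule.

    'routing-table'  : a negation rule matched first, so the system routing
                       table decides (local, static-route or VPN reachability).
    'policy:<gw>'    : the rule forces the packet out its configured gateway.
    """
    if negation_applies(rule_destination):
        addr = ipaddress.ip_address(dst_ip)
        if any(addr in net for net in negate_networks):
            return "routing-table"
    return f"policy:{rule_gateway}"


def demo():
    """Run the model over a constructed sample topology for three modes."""
    vpns = ["10.200.0.0/24"]                         # constructed: remote VPN network
    static = ["172.16.50.0/24"]                      # constructed: reachable via a static route
    direct = ["192.168.1.0/24", "192.168.2.0/24"]    # constructed: LAN and OPT1
    destinations = ("10.200.0.5", "172.16.50.9", "192.168.2.20", "8.8.8.8")
    results = {}
    for mode in (MODE_ALL, MODE_VPNS_ONLY, MODE_DISABLED):
        negate = build_negate_networks(mode, vpns, static, direct)
        results[mode] = {
            dst: effective_path(dst, "any", "WAN2_GW", negate) for dst in destinations
        }
    return results


if __name__ == "__main__":
    for mode, paths in demo().items():
        print(mode)
        for dst, path in paths.items():
            print(f"  {dst:>14} -> {path}")
```

Running it prints, for each mode, which destinations the destination-'any' rule would still force out WAN2_GW; only the first mode keeps traffic for 172.16.50.9 and 192.168.2.20 on the system routing table.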
Related issues
Updated by Jim Pingle over 2 years ago
- Related to Correction #12535: Negate Rules function does not match the description added
Updated by Jim Pingle over 2 years ago
- Related to Todo #13052: Consolidate vpn_networks and negate_networks tables added