Support for routing rules and tables

[dedene]

Feature Request

Support for routing rules and tables in the machine config

Description

For various setups on Bare Metal, more advanced routing configuration possibilities are needed. This would allow for things like

ip route add default via 46.105.135.110 dev eth0 table 100
ip rule add from 46.105.135.96/28 table 100

See this discussion for an example use case.

[smira]

Some notes from implementation point of view:

• routes already support tables, but they are not exposed in the machine config now (easy change)
• routing rules are not exposed as resources yet

[ffetech]

Would be great if also something like this would be possible: iptables -t nat -A POSTROUTING -s '10.0.0.0/16' -o eth0 -j MASQUERADE … to get a talos node to work as NAT gateway.

[smira]

Would be great if also something like this would be possible: iptables -t nat -A POSTROUTING -s '10.0.0.0/16' -o eth0 -j MASQUERADE … to get a talos node to work as NAT gateway.

This makes sense, but it is totally different from this issue. This should go to #4421

[rsidhaarth]

Would be great if also something like this would be possible: iptables -t nat -A POSTROUTING -s '10.0.0.0/16' -o eth0 -j MASQUERADE … to get a talos node to work as NAT gateway.

@smira Please don't treat this as managing a firewall because the above command helps to route the LAN network to get internet. But his intention is to make Talos to support NAT.

Example: I have a 1Gbit Internet and 10Gbit LAN (without Internet). But in Talos, as of now there is no way to use 10Gbit LAN without a workaround. If we use a 10Gbit network for the K8s network then there will be no internet as there is no way to set up NAT in Talos.

So Talos should have the option to set up NAT so we can route the Private network traffic to the different interfaces to get Internet.

So something like

      interfaces:
        - interface: eth0
          addresses:
            - 10.10.0.2/24
          routes:
            - network: 10.10.0.0/24
              gateway: 10.10.0.1
            - network: 0.0.0.0/0
              interface: eth1
              metric: 200
          mtu: 9000
        - interface: eth1
          addresses:
            - x.x.x.x/26
          routes:
            - network: 0.0.0.0/0
              gateway: x.x.x.x
              metric: 100

eth0 - 10Gbit LAN eth1 - 1Gbit Public Network

[camrossi]

I need to set a "blackhole" route in my cluster, in general ip route support doing this:

ip route add blackhole 1.1.1.1/32

So as part of this feature request we could also add route-type support. For now I did this workaround in my cluster but would like to understand if this is ok or if I am gonna end up with issues down the road:

    network:
        interfaces:
            - interface: eth0 # The interface name.
              routes:
                - network: 10.56.0.0/16 
                  gateway: 0.0.0.0 
              dhcp: true

talosctl -n 192.168.11.90  get route | grep 10.56.0.
NODE            NAMESPACE   TYPE          ID                       VERSION       DESTINATION   GATEWAY  LINK
192.168.11.90   network     RouteStatus   inet4//10.56.0.0/16/1024  1            10.56.0.0/16            eth0 

And it seems to have done the trick but I am not really sure if this is something that is actually supported or not.

[kvaps]

Hey there, I just want to note that I'm also looking the way for doing this, I can sponsor on writing implementation.

my issue: https://github.com/siderolabs/talos/issues/8738

[maxpain]

It would be useful for Hetzner vSwitch and OVH vRack.