RHEL-124835

nmstate doesn't always validate conflicting routes in kernel mode


    • Bug
    • Resolution: Unresolved
    • Normal
    • rhel-9.8
    • nmstate
    • Low
    • rhel-net-mgmt
      Definition of Done:

      Please mark each item below with ( / ) if completed or ( x ) if incomplete:

      ( ) The acceptance criteria defined below are met.

      Given interface eth1 has existing routes from previous state and a sysadmin applies YAML that changes interface IP but doesn't explicitly modify routes,

      When they then apply YAML that attempts to add new routes and nmstate validates the route configuration, 

      Then validation detects conflicting routes (existing and new) before attempting to apply and raises InvalidArgument error with clear message about metric conflict and suggests using state: absent to remove old routes. 


      ( ) Integration test case is available upstream


      ( ) Code is reviewed and merged upstream.


      ( ) Preliminary testing is done.


      ( ) A demo is recorded


      What were you trying to do that didn't work?

      According to fix https://github.com/nmstate/nmstate/pull/2987/ for RHEL-54558, nmstate kernel mode should validate conflicting routes. It doesn't take effect when the interface changed.

      What is the impact of this issue to you?

      Please provide the package NVR for which the bug is seen:

      nmstate-2.2.54-1.el9.x86_64

      How reproducible is this bug?:

      100%

      Steps to reproduce

      #!/bin/bash -x
      
      systemctl stop NetworkManager
      ip link add eth1 type veth peer eth1_p
      ip link set eth1 up
      ip link set eth1_p up
      
      cat << EOF > init-route-ip.yaml
      routes:
        config:
        - destination: ::/0
          next-hop-interface: eth1
          next-hop-address: 2001:db8:1::3
          table-id: 200
        - destination: 0.0.0.0/0
          next-hop-interface: eth1
          next-hop-address: 192.0.2.1
          table-id: 200
      interfaces:
      - name: eth1
        type: ethernet
        state: up
        ipv4:
          enabled: true
          dhcp: false
          address:
          - ip: 192.0.2.251
            prefix-length: 24
        ipv6:
          enabled: true
          dhcp: false
          autoconf: false
          address:
          - ip: 2001:db8:1::1
            prefix-length: 64
      EOF
      
      cat << EOF > change-route-ip.yaml
      interfaces: 
        - name: eth1
          type: ethernet
          state: up
          ipv4:
            address: 
            - ip: 192.0.2.253
              prefix-length: 24
            dhcp: false
            enabled: true
          ipv6:
            address: 
            - ip: 2001:db8:1::3
              prefix-length: 64
            dhcp: false
            enabled: true
            autoconf: false
      routes: 
        config: 
        - destination: 0.0.0.0/0
          next-hop-address: 192.0.2.2
          next-hop-interface: eth1
          table-id: 200
        - destination: ::/0
          next-hop-address: 2001:db8:1::2
          next-hop-interface: eth1
          table-id: 200
      EOF
      
      cat << EOF > change-ip-only.yaml
      interfaces:
      - name: eth1
        type: ethernet
        state: up
        ipv4:
          dhcp: false
          address:
          - ip: 192.0.2.252
            prefix-length: 24
        ipv6:
          dhcp: false
          autoconf: false
          address:
          - ip: 2001:db8:1::2
            prefix-length: 64
      EOF
      
      nmstatectl apply -k init-route-ip.yaml
      nmstatectl apply -k change-route-ip.yaml # <--- validate as expected
      nmstatectl apply -k change-ip-only.yaml
      nmstatectl apply -k change-route-ip.yaml # <--- no validating after changing iface IP, only failed on verification after applying
      

      Expected results

      Always validate before apply

      NmstateError: InvalidArgument: Multiple routes to 0.0.0.0/0 are sharing the same metric, please use `state: absent` to remove others.

      Actual results

      The last step only failed on verification, didn't do pre-validation

      [root@vm-10-0-185-30 ~]# nmstatectl apply -k init-route-ip.yaml
      [2025-10-29T12:43:15Z INFO  nmstatectl] Nmstate version: 2.2.54
      route-rules: {}
      routes:
        config:
        - destination: ::/0
          next-hop-interface: eth1
          next-hop-address: 2001:db8:1::3
          table-id: 200
        - destination: 0.0.0.0/0
          next-hop-interface: eth1
          next-hop-address: 192.0.2.1
          table-id: 200
      interfaces:
      - name: eth1
        type: ethernet
        state: up
        ipv4:
          enabled: true
          dhcp: false
          address:
          - ip: 192.0.2.251
            prefix-length: 24
        ipv6:
          dhcp: false
          autoconf: false
          address:
          - ip: 2001:db8:1::1
            prefix-length: 64
      ovn: {}
      
      [root@vm-10-0-185-30 ~]# nmstatectl apply -k change-route-ip.yaml
      [2025-10-29T12:43:25Z INFO  nmstatectl] Nmstate version: 2.2.54
      NmstateError: InvalidArgument: Multiple routes to 0.0.0.0/0 are sharing the same metric, please use `state: absent` to remove others.
      [root@vm-10-0-185-30 ~]#
      [root@vm-10-0-185-30 ~]#
      [root@vm-10-0-185-30 ~]# nmstatectl apply -k change-ip-only.yaml
      [2025-10-29T12:43:41Z INFO  nmstatectl] Nmstate version: 2.2.54
      route-rules: {}
      routes: {}
      interfaces:
      - name: eth1
        type: ethernet
        state: up
        ipv4:
          dhcp: false
          address:
          - ip: 192.0.2.252
            prefix-length: 24
        ipv6:
          dhcp: false
          autoconf: false
          address:
          - ip: 2001:db8:1::2
            prefix-length: 64
      ovn: {}
      
      [root@vm-10-0-185-30 ~]#
      [root@vm-10-0-185-30 ~]# nmstatectl apply -k change-route-ip.yaml
      [2025-10-29T12:43:53Z INFO  nmstatectl] Nmstate version: 2.2.54
      [2025-10-29T12:43:53Z INFO  nmstate::query_apply::net_state] Retrying on: VerificationError: Desired route destination: ::/0 next-hop-interface: eth1 next-hop-address: 2001:db8:1::2 table-id: 200 not found after apply
      [2025-10-29T12:43:54Z INFO  nmstate::query_apply::net_state] Retrying on: VerificationError: Desired route destination: ::/0 next-hop-interface: eth1 next-hop-address: 2001:db8:1::2 table-id: 200 not found after apply
      [2025-10-29T12:43:55Z INFO  nmstate::query_apply::net_state] Retrying on: VerificationError: Desired route destination: ::/0 next-hop-interface: eth1 next-hop-address: 2001:db8:1::2 table-id: 200 not found after apply
      [2025-10-29T12:43:56Z INFO  nmstate::query_apply::net_state] Retrying on: VerificationError: Desired route destination: ::/0 next-hop-interface: eth1 next-hop-address: 2001:db8:1::2 table-id: 200 not found after apply
      NmstateError: VerificationError: Desired route destination: ::/0 next-hop-interface: eth1 next-hop-address: 2001:db8:1::2 table-id: 200 not found after apply
      

       

              nm-team Network Management Team
              rh-ee-mshi1 Mingyu Shi
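The pre-apply check that the acceptance criteria describe, as an added example in Rust (nmstate's implementation language); it is not nmstate's code and not part of the original report. The `Route` struct and the `route`, `same` and `pre_validate` functions are hypothetical, and treating destination, table and metric as the conflict key is an assumption. The check looks only at the merged route set, so it gives the same answer whether or not the same YAML also changes the interface.

```rust
use std::collections::HashSet;

// Simplified route record (hypothetical; fields mirror the YAML keys on this page).
#[derive(Clone, Debug)]
struct Route {
    destination: String,
    next_hop_address: String,
    next_hop_interface: String,
    table_id: u32,
    metric: Option<u32>, // None: metric not set in the YAML
    absent: bool,        // true for `state: absent`
}

// Helper for the constructed samples: every route on this page uses eth1, table 200.
fn route(dst: &str, via: &str, absent: bool) -> Route {
    Route { destination: dst.into(), next_hop_address: via.into(),
            next_hop_interface: "eth1".into(), table_id: 200, metric: None, absent }
}
fn same(a: &Route, b: &Route) -> bool {
    (&a.destination, &a.next_hop_address, &a.next_hop_interface, a.table_id, a.metric)
        == (&b.destination, &b.next_hop_address, &b.next_hop_interface, b.table_id, b.metric)
}

// Merge current and desired routes, then reject two distinct routes sharing
// destination, table and metric (assumed conflict key). Runs before any apply.
fn pre_validate(current: &[Route], desired: &[Route]) -> Result<(), String> {
    // Existing routes survive unless the desired state marks them absent.
    let mut merged: Vec<Route> = current.iter()
        .filter(|c| !desired.iter().any(|d| d.absent && same(c, d)))
        .cloned().collect();
    for d in desired.iter().filter(|d| !d.absent) {
        if !merged.iter().any(|m| same(m, d)) { merged.push(d.clone()); }
    }
    let mut seen = HashSet::new();
    for r in &merged {
        if !seen.insert((r.destination.as_str(), r.table_id, r.metric)) {
            return Err(format!("InvalidArgument: Multiple routes to {} are sharing the same \
                metric, please use `state: absent` to remove others.", r.destination));
        }
    }
    Ok(())
}

fn main() {
    // Constructed input: routes of init-route-ip.yaml, then change-route-ip.yaml.
    let current = [route("::/0", "2001:db8:1::3", false), route("0.0.0.0/0", "192.0.2.1", false)];
    let desired = [route("0.0.0.0/0", "192.0.2.2", false), route("::/0", "2001:db8:1::2", false)];
    println!("{:?}", pre_validate(&current, &desired));
}
```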