lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 15 Jan 2020 13:09:14 -0800
From:   Ben Greear <>
To:     David Ahern <>, Ido Schimmel <>
Cc:     "" <>
Subject: Re: vrf and multicast is broken in some cases

On 01/15/2020 12:33 PM, David Ahern wrote:
> On 1/15/20 1:23 PM, Ido Schimmel wrote:
>> I'm not sure this is the correct way (David?). Can you try to delete
>> this default route and instead add a default unreachable route with an
>> high metric according to step 3 in Documentation/networking/vrf.txt:
>> "
>> 3. Set the default route for the table (and hence default route for the VRF).
>>        ip route add table 10 unreachable default metric 4278198272
>>    This high metric value ensures that the default unreachable route can
>>    be overridden by a routing protocol suite.  FRRouting interprets
>>    kernel metrics as a combined admin distance (upper byte) and priority
>>    (lower 3 bytes).  Thus the above metric translates to [255/8192].
>> "
>> If I'm reading ip_route_output_key_hash_rcu() correctly, then the error
>> returned from fib_lookup() because of the unreachable route should allow
>> you to route the packet via the requested interface.
> yes, IPv4 is a bit goofy with multicast (at least to me, but then I have
> not done much with mcast).

For the vrf.txt referenced above, it would be nice if it mentioned that
if you do NOT add the default route, it will skip to the main table
and use it's gateway.  I was visualizing VRF as a self contained thing
that would not do such a thing.

When we are using xorp (which is our mcast router), then it automatically
takes care of dealing with replacing an unreachable route and/or metrics,
so in my case, I think the default metric on the unreachable route will
be fine.

That said, I am not sure xorp is completely working with our vrf setup
yet, so I'll keep this in mind next time I am poking at that.


Ben Greear <>
Candela Technologies Inc

Powered by blists - more mailing lists