Date:   Tue, 2 Mar 2021 11:57:16 +0100
From:   Greesha Mikhalkin <grigoriymikhalkin@...il.com>
To:     netdev@...r.kernel.org
Subject: VRF leaking doesn't work

Hi. I need help to understand why VRF leaking doesn’t work in my situation.
I want to set up leaking between 2 VRFs, which are set up by the following commands:

      # Setup bridge
      sudo ip link add bridge type bridge

      # Setup VLANs
      ip link add link bridge name vlan1 type vlan id 1
      ip link add link bridge name vlan2 type vlan id 2
      ip addr add 10.0.0.31/32 dev vlan1
      ip addr add 10.0.0.32/32 dev vlan2
      ip link set vlan1 up
      ip link set vlan2 up

      # Setup VXLANs
      ip link add vni1 type vxlan id 1 local 10.1.0.1 dev lan1 srcport 0 0 dstport 4789 nolearning
      ip link add vni2 type vxlan id 2 local 10.1.0.1 dev lan1 srcport 0 0 dstport 4789 nolearning
      ip link set vni1 master bridge
      ip link set vni2 master bridge
      bridge vlan add dev vni1 vid 1 pvid untagged
      bridge vlan add dev vni2 vid 2 pvid untagged
      ip link set vni1 up
      ip link set vni2 up

      # Setup VRFs
      ip link add vrf1 type vrf table 1000
      ip link set dev vrf1 up
      ip link add vrf2 type vrf table 1001
      ip link set dev vrf2 up

    Setting routes:

      # Unreachable default routes
      ip route add table 1000 unreachable default metric 4278198272
      ip route add table 1001 unreachable default metric 4278198272

      # Nexthop
      ip route add table 1000 100.255.254.3 proto bgp metric 20 nexthop via 10.0.0.11 dev vlan1 weight 1 onlink

I'm trying to set up VRF leaking in the following way:

      ip r a vrf vrf2 100.255.254.3/32 dev vrf1
      ip r a vrf vrf2 10.0.0.31/32 dev vrf1
      ip r a vrf vrf1 10.0.0.32/32 dev vrf2

The main goal is that 100.255.254.3 should be reachable from vrf2. But
after this setup it doesn’t work. When I run `ping -I vrf2
100.255.254.3` it sends packets from a source address that belongs to
vlan1 enslaved by vrf1. I can see in tcpdump that ICMP packets are
sent and then returned to the source address, but they're not returned to
the ping command for some reason. To be clear, `ping -I vrf1 …` works fine.
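Every `ip route add vrf X ... dev vrfY` entry of the kind shown in the post punches a hole in the isolation the VRFs were created for, so it is worth being able to list exactly which prefixes a VRF table hands to another VRF device. The script below is an added example, not code from the post or from the iproute2 project: it audits `ip route show vrf <name>` output and prints every route whose output device is a different VRF. The route dump it runs on by default is constructed to look like vrf2's table after the commands above; the line format and the `ip -o link show type vrf` listing are assumed to match recent iproute2.

```shell
#!/bin/sh
# Audit VRF route leaking from `ip route show vrf <name>` output.
# Added example; not part of the original netdev post.

# leaked_routes VRF "vrf-a vrf-b ..."  < route-dump
# Prints "PREFIX dev OTHERVRF" for every route in the dump whose output
# device is one of the listed VRF devices other than VRF itself.
leaked_routes() {
    vrf="$1"
    vrfs="$2"
    awk -v self="$vrf" -v list="$vrfs" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) isvrf[a[i]] = 1 }
        {
            for (i = 1; i < NF; i++) {
                if ($i == "dev" && ($(i+1) in isvrf) && $(i+1) != self)
                    print $1 " dev " $(i+1)
            }
        }'
}

# count_leaks VRF "vrf-a vrf-b ..." < route-dump : number of leaked prefixes
count_leaks() {
    leaked_routes "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample shaped like `ip route show vrf vrf2` after the
# commands in the post (not captured from a real system).
SAMPLE_VRF2='unreachable default metric 4278198272
100.255.254.3 dev vrf1 scope link
10.0.0.31 dev vrf1 scope link
10.0.0.32 dev vlan2 proto kernel scope link src 10.0.0.32'

if [ -n "$1" ]; then
    # Live mode: audit the named VRF against all VRF devices on the host.
    all_vrfs=$(ip -o link show type vrf | awk -F': ' '{print $2}' | tr '\n' ' ')
    ip route show vrf "$1" | leaked_routes "$1" "$all_vrfs"
else
    # Offline mode: run on the constructed sample.
    printf '%s\n' "$SAMPLE_VRF2" | leaked_routes vrf2 "vrf1 vrf2"
fi
```

Run it with a VRF name (`sh audit.sh vrf2`) to check a live box; with no argument it runs on the constructed sample and reports the two prefixes leaked from vrf2 into vrf1.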
