Date:   Fri, 5 Mar 2021 08:37:44 -0700
From:   David Ahern <dsahern@...il.com>
To:     Greesha Mikhalkin <grigoriymikhalkin@...il.com>,
        netdev@...r.kernel.org
Subject: Re: VRF leaking doesn't work

On 3/2/21 3:57 AM, Greesha Mikhalkin wrote:
> Hi. I need help to understand why VRF leaking doesn’t work in my situation.
> I want to set up leaking between 2 VRFs that are set up by the following commands:
> 
>       # Setup bridge
>       sudo ip link add bridge type bridge
> 
>       # Setup VLANs
>       ip link add link bridge name vlan1 type vlan id 1
>       ip link add link bridge name vlan2 type vlan id 2
>       ip addr add 10.0.0.31/32 dev vlan1
>       ip addr add 10.0.0.32/32 dev vlan2
>       ip link set vlan1 up
>       ip link set vlan2 up
> 
>       # Setup VXLANs
>       ip link add vni1 type vxlan id 1 local 10.1.0.1 dev lan1 srcport 0 0 dstport 4789 nolearning
>       ip link add vni2 type vxlan id 2 local 10.1.0.1 dev lan1 srcport 0 0 dstport 4789 nolearning
>       ip link set vni1 master bridge
>       ip link set vni2 master bridge
>       bridge vlan add dev vni1 vid 1 pvid untagged
>       bridge vlan add dev vni2 vid 2 pvid untagged
>       ip link set vni1 up
>       ip link set vni2 up
> 
>       # Setup VRFs
>       ip link add vrf1 type vrf table 1000
>       ip link set dev vrf1 up
>       ip link add vrf2 type vrf table 1001
>       ip link set dev vrf2 up
> 
>     Setting routes:
> 
>       # Unreachable default routes
>       ip route add table 1000 unreachable default metric 4278198272
>       ip route add table 1001 unreachable default metric 4278198272
> 
>       # Nexthop
>       ip route add table 1000 100.255.254.3 proto bgp metric 20 nexthop via 10.0.0.11 dev vlan1 weight 1 onlink
> 
> I'm trying to set up VRF leaking in the following way:
> 
>       ip r a vrf vrf2 100.255.254.3/32 dev vrf1
>       ip r a vrf vrf2 10.0.0.31/32 dev vrf1
>       ip r a vrf vrf1 10.0.0.32/32 dev vrf2
> 
> Main goal is that 100.255.254.3 should be reachable from vrf2. But
> after this setup it doesn’t work. When I run `ping -I vrf2
> 100.255.254.3` it sends packets from source address that belongs to
> vlan1 enslaved by vrf1. I can see in tcpdump that ICMP packets are
> sent and then returned to source address but they're not returned to
> ping command for some reason. To be clear `ping -I vrf1 …` works fine.
> 

What kernel version? If you have not tried 5.10 or 5.11, please do.
