netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Mike Manning <mmanning@vyatta.att-mail.com>
To: Maximilian Bosch <maximilian@mbosch.me>, netdev@vger.kernel.org
Cc: David Ahern <dsahern@gmail.com>
Subject: Re: VRF Issue Since kernel 5
Date: Wed, 8 Apr 2020 11:07:31 +0100	[thread overview]
Message-ID: <d81f97fe-be4b-041d-1233-7e69758d96ef@vyatta.att-mail.com> (raw)
In-Reply-To: <5e64064d-eb03-53d3-f80a-7646e71405d8@gmail.com>

Hi Maximilian,
Can you please clarify what the issue is with using 'ip vrf exec <vrf>
ssh' for running the ssh client in the vrf? This is the recommended
method for running an application in a VRF. As part of our VRF
development on this a couple of years ago, we provided a changeset for
openssh so that the vrf could be specified as an option, cf
https://bugzilla.mindrot.org/show_bug.cgi?id=2784. That was not applied
due to the ease of using 'ip vrf exec'.

Alternatively, to run the ssh client in the default VRF, you can bind it
to an address on an interface (or specify the interface) in the default
VRF using ssh -b (or -B) option, or similarly add an entry in
/etc/ssh/ssh_config for BindAddress (or BindInterface).

Then for egress, leak a route in the default table to get to the gateway
via the VRF (as you must already be doing), and for ingress, leak a
route in the VRF's table for the return path to the ssh client. For
this, get the table id for the vrf from 'ip vrf', add the route for the
client prefix with the additional 'table <tbl-id>' option, and confirm
the route with 'ip route show vrf <vrf-name>'.

I have started looking at the issue you have reported, but as you may
appreciate, it is not trivial. This client-side use-case is not typical,
as VRF config is generally applied to routers or switches, not hosts.

Thanks
Mike


On 05/04/2020 17:52, David Ahern wrote:
> On 4/2/20 5:02 PM, Maximilian Bosch wrote:
>> Hi!
>>
>>> I do not see how this worked on 4.19. My comment above is a fundamental
>>> property of VRF and has been needed since day 1. That's why 'ip vrf
>>> exec' exists.
>> I'm afraid I have to disagree here: first of all, I created a
>> regression-test in NixOS for this purpose a while ago[1]. The third test-case
>> (lines 197-208) does basically what I demonstrated in my previous emails
>> (opening SSH connetions through a local VRF). This worked fine until we
>> bumped our default kernel to 5.4.x which is the reason why this testcase
>> is temporarily commented out.
> I do not have access to a NixOS install, nor the time to create one.
> Please provide a set of ip commands to re-create the test that work with
> Ubuntu, debian or fedora.
>
>
>> After skimming through the VRF-related changes in 4.20 and 5.0 (which
>> might've had some relevant changes as you suggested previously), I
>> rebuilt the kernels 5.4.29 and 5.5.13 with
>> 3c82a21f4320c8d54cf6456b27c8d49e5ffb722e[2] reverted on top and the
>> commented-out testcase works fine again. In other words, my usecase
>> seems to have worked before and the mentioned commit appears to cause
>> the "regression".
> The vyatta folks who made the changes will take a look.



  reply	other threads:[~2020-04-08 12:27 UTC|newest]

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-09-09  7:46 VRF Issue Since kernel 5 Gowen
2019-09-09  9:28 ` Alexis Bauvin
     [not found]   ` <CWLP265MB1554B902B7F3B43E6E75FD0DFDB70@CWLP265MB1554.GBRP265.PROD.OUTLOOK.COM>
2019-09-09 12:01     ` Alexis Bauvin
2019-09-09 19:43       ` Gowen
2019-09-10 14:22         ` Gowen
2019-09-10 16:36       ` David Ahern
2019-09-11  5:09         ` Gowen
2019-09-11 11:19           ` Gowen
2019-09-11 11:49             ` Gowen
2019-09-11 12:15               ` Mike Manning
     [not found]                 ` <CWLP265MB155485682829AD9B66AB66FCFDB10@CWLP265MB1554.GBRP265.PROD.OUTLOOK.COM>
     [not found]                   ` <CWLP265MB155424EF95E39E98C4502F86FDB10@CWLP265MB1554.GBRP265.PROD.OUTLOOK.COM>
2019-09-11 16:09                     ` David Ahern
2019-09-12  6:54                       ` Gowen
2020-03-10 20:47                 ` Maximilian Bosch
2020-03-12  1:06                   ` David Ahern
2020-04-01 18:16                     ` Maximilian Bosch
2020-04-01 19:18                       ` David Ahern
2020-04-01 20:35                         ` Maximilian Bosch
2020-04-01 20:41                           ` David Ahern
2020-04-02 23:02                             ` Maximilian Bosch
2020-04-05 16:52                               ` David Ahern
2020-04-08 10:07                                 ` Mike Manning [this message]
2020-04-08 15:36                                   ` David Ahern
2020-04-19 20:35                                   ` Maximilian Bosch
2019-09-11 16:53   ` David Ahern
2019-09-10 16:39 ` David Ahern
2019-09-11 17:02 ` David Ahern
2019-09-12  6:50   ` Gowen
2019-09-13 17:41     ` David Ahern

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=d81f97fe-be4b-041d-1233-7e69758d96ef@vyatta.att-mail.com \
    --to=mmanning@vyatta.att-mail.com \
    --cc=dsahern@gmail.com \
    --cc=maximilian@mbosch.me \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).