VRF: ssh port forwarding between non-vrf and vrf interface.

VRF: ssh port forwarding between non-vrf and vrf interface.

[Ben Greear]

Hello,

I have a system with a management interface that is not in any VRF, and then I have
a port that *is* in a VRF.  I'd like to be able to set up ssh port forwarding so that
when I log into the system on the management interface it will automatically forward to
an IP accessible through the VRF interface.

Is there a way to do such a thing?

Thanks,
Ben

-- 
Ben Greear <greearb@candelatech.com>
Candela Technologies Inc  http://www.candelatech.com

Re: VRF: ssh port forwarding between non-vrf and vrf interface.

[David Ahern]

On 1/22/21 8:45 AM, Ben Greear wrote:
> Hello,
> 
> I have a system with a management interface that is not in any VRF, and
> then I have
> a port that *is* in a VRF.  I'd like to be able to set up ssh port
> forwarding so that
> when I log into the system on the management interface it will
> automatically forward to
> an IP accessible through the VRF interface.
> 
> Is there a way to do such a thing?
> 

For a while I had a system setup with eth0 in a management VRF and setup
to do NAT and port forwarding of incoming ssh connections, redirecting
to VMs running in a different namespace. Crossing VRFs with netfilter
most likely will not work without some development. You might be able to
do it with XDP - rewrite packet headers and redirect. That too might
need a bit of development depending on the netdevs involved.

Re: VRF: ssh port forwarding between non-vrf and vrf interface.

[Ben Greear]

On 1/22/21 8:02 AM, David Ahern wrote:
> On 1/22/21 8:45 AM, Ben Greear wrote:
>> Hello,
>>
>> I have a system with a management interface that is not in any VRF, and
>> then I have
>> a port that *is* in a VRF.  I'd like to be able to set up ssh port
>> forwarding so that
>> when I log into the system on the management interface it will
>> automatically forward to
>> an IP accessible through the VRF interface.
>>
>> Is there a way to do such a thing?
>>
> 
> For a while I had a system setup with eth0 in a management VRF and setup
> to do NAT and port forwarding of incoming ssh connections, redirecting
> to VMs running in a different namespace. Crossing VRFs with netfilter
> most likely will not work without some development. You might be able to
> do it with XDP - rewrite packet headers and redirect. That too might
> need a bit of development depending on the netdevs involved.
> 

Maybe easier to improve ssh so that it could specify a netdev to bind to when
making the call to the redirected destination?

Thanks,
Ben

-- 
Ben Greear <greearb@candelatech.com>
Candela Technologies Inc  http://www.candelatech.com

Re: VRF: ssh port forwarding between non-vrf and vrf interface.

[David Ahern]

On 1/25/21 8:18 AM, Ben Greear wrote:
> On 1/22/21 8:02 AM, David Ahern wrote:
>> On 1/22/21 8:45 AM, Ben Greear wrote:
>>> Hello,
>>>
>>> I have a system with a management interface that is not in any VRF, and
>>> then I have
>>> a port that *is* in a VRF.  I'd like to be able to set up ssh port
>>> forwarding so that
>>> when I log into the system on the management interface it will
>>> automatically forward to
>>> an IP accessible through the VRF interface.
>>>
>>> Is there a way to do such a thing?
>>>
>>
>> For a while I had a system setup with eth0 in a management VRF and setup
>> to do NAT and port forwarding of incoming ssh connections, redirecting
>> to VMs running in a different namespace. Crossing VRFs with netfilter
>> most likely will not work without some development. You might be able to
>> do it with XDP - rewrite packet headers and redirect. That too might
>> need a bit of development depending on the netdevs involved.
>>
> 
> Maybe easier to improve ssh so that it could specify a netdev to bind to
> when
> making the call to the redirected destination?
> 

maybe. I did not realize this feature made it into ssh, but it has
supported 'rdomains' since 2017 I believe. For Linux rdomain is a VRF.